Should I migrate Domain Controllers using HCX?

Whilst HCX is perfectly suitable for migrating most workloads, some require careful consideration and planning, such as SQL clusters, Oracle (or other database) servers, load balancers, and even Active Directory Domain Controllers.

Domain Controllers definitely fall into the category that requires extra consideration before migrating them with HCX. Whilst vMotioning DCs is supported, and HCX RAV, HAV, and HCX vMotion would complete the migration itself without issue, the question remains whether you should. The answer: it depends, but in most cases I would advise against it.

Typically we use HCX either to move workloads completely to a new environment, or to extend into a new environment, for example with a hybrid on-prem and public cloud deployment. The networks our workloads sit on are stretched into the cloud-side NSX overlay, and once all workloads have been moved, the gateway is moved and the network is unextended.

Many operations rely on DCs being available, as they provide critical services such as LDAP(S), DNS, Certificate Authority and time (depending on the roles installed). Since there is a short period of downtime when moving a gateway, these services may fail and disrupt vital services. There are further factors to consider, such as firewall rules, routes, and potentially latency. In addition, DCs are usually deployed in AD sites, each geographical site (ideally) having its own pair of DCs serving domain objects; moving a DC to a different geographical site may affect those services. Consider also that while a domain controller sits on an extended network, any issue with that stretch (or the underlying network infrastructure) can have severe ramifications.

I would recommend deploying new DCs in the target site with new IP addresses, joining them to the domain, and moving the FSMO roles to the new DCs if necessary. Then reconfigure any domain-critical services as required, and test everything! If you are decommissioning the original site, follow the Microsoft documentation for removing a DC from a domain.

As an example, here is a step-by-step overview:

  1. Pre-migration checklist:
    • Inventory the existing DCs and their roles.
    • Document all settings and configurations.
    • Ensure backups are current.
  2. Deploying new DCs:
    • Set up new DCs in the target environment with new IP addresses.
    • Join the new DCs to the existing domain.
  3. Move FSMO roles and time configuration:
    • Use the ntdsutil tool to transfer FSMO roles if necessary.
    • Set the correct time configuration on the new PDC Emulator.
  4. Testing and validation:
    • Verify replication status and test the critical services (LDAP(S), DNS, Kerberos, time) to ensure they function correctly post-migration.
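The four steps above as an added PowerShell example (not code from the post or from VMware/Microsoft), run from a management host with the RSAT ActiveDirectory module and Domain Admin rights. It uses Move-ADDirectoryServerOperationMasterRole instead of the ntdsutil transfer the post mentions; the effect is the same. The DC names DC-TARGET-01/02, the site name, the NTP peers and the $TransferFsmo switch are assumptions for this example.

```powershell
# Added example (not the post's own code): the DC migration checklist above.
# Names marked "assumed" are placeholders for this example.
#Requires -Modules ActiveDirectory

$NewDcs       = 'DC-TARGET-01', 'DC-TARGET-02'              # assumed names of the new DCs
$NewPdc       = 'DC-TARGET-01'                              # assumed: new holder of PDC Emulator
$TargetSite   = 'Target-Site'                               # assumed AD site for the new location
$NtpPeers     = 'ntp1.example.net,0x8 ntp2.example.net,0x8' # assumed external time sources
$TransferFsmo = $false                                      # set $true only after reviewing step 1

$domain = Get-ADDomain
$forest = Get-ADForest

# ---- 1. Pre-migration inventory: DCs, sites, addresses and current FSMO holders ----
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IPv4Address, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

$rolesBefore = [pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$rolesBefore | Format-List

# ---- 2. Deploying new DCs: promote into the target site (only when run ON a new server) ----
# Install-ADDSDomainController comes from the ADDSDeployment module (installed with the AD DS role).
$alreadyDc = Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction SilentlyContinue
if ($env:COMPUTERNAME -in $NewDcs -and -not $alreadyDc) {
    Install-ADDSDomainController -DomainName $domain.DNSRoot -SiteName $TargetSite -InstallDns `
        -Credential (Get-Credential) `
        -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
}

# ---- 3. FSMO roles and time configuration ----
if ($TransferFsmo) {
    # Same transfer ntdsutil would do; moving all five roles assumes a single-domain forest.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewPdc -Confirm:$false `
        -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster

    # The PDC Emulator is the root of the domain time hierarchy: external peers, marked reliable.
    Invoke-Command -ComputerName $NewPdc -ScriptBlock {
        w32tm /config /manualpeerlist:"$using:NtpPeers" /syncfromflags:manual /reliable:yes /update
        Restart-Service w32time
        w32tm /resync /nowait
    }
    # Every other new DC follows the domain hierarchy rather than its own peer list.
    foreach ($dc in ($NewDcs | Where-Object { $_ -ne $NewPdc })) {
        Invoke-Command -ComputerName $dc -ScriptBlock {
            w32tm /config /syncfromflags:domhier /reliable:no /update
            Restart-Service w32time
        }
    }
}

# ---- 4. Testing and validation: replication health and the services clients depend on ----
$result = foreach ($dc in $NewDcs) {
    $failures = Get-ADReplicationFailure -Target $dc
    $partners = Get-ADReplicationPartnerMetadata -Target $dc
    $ports = foreach ($p in 53, 88, 389, 636) {   # DNS, Kerberos, LDAP, LDAPS
        [pscustomobject]@{
            Port = $p
            Open = (Test-NetConnection $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        }
    }
    [pscustomobject]@{
        DC                  = $dc
        ReplicationFailures = ($failures | Measure-Object).Count
        OldestSuccess       = ($partners | Sort-Object LastReplicationSuccess |
                               Select-Object -First 1).LastReplicationSuccess
        ClosedPorts         = ($ports | Where-Object { -not $_.Open } | ForEach-Object Port) -join ','
        DcDiagClean         = -not (dcdiag /s:$dc /q)   # /q prints only errors, so no output is good
    }
}
$result | Format-Table -AutoSize

# Clients find DCs through DNS: the new DCs must be present in the _ldap._tcp SRV records.
Resolve-DnsName -Name "_ldap._tcp.$($domain.DNSRoot)" -Type SRV |
    Select-Object NameTarget, Port, Priority, Weight

# Confirm the roles ended up where intended.
$domain = Get-ADDomain
[pscustomobject]@{ PdcBefore = $rolesBefore.PDCEmulator; PdcAfter = $domain.PDCEmulator } | Format-List
```

Step 2 only fires when the script is run on one of the new servers before promotion; steps 1, 3 and 4 are meant to run from the management host. Keep $TransferFsmo at $false on the first pass so the inventory and validation output can be reviewed before any roles move, and expect ReplicationFailures of 0, no ClosedPorts and DcDiagClean of True for each new DC before cutting over.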
