To virtualize the PDCe or not to virtualize the PDCe…

The question isn’t whether you can, but whether you should virtualize the Primary Domain Controller emulator (PDCe) FSMO role holder. And of course, the answer is ‘It depends’. Of course it does; why would it be black or white? There are too many options to consider.

Finding the PDCe: There are a few different ways to find the PDCe: PowerShell, Netdom, or ADSIEdit. Once you know where it is, you need to decide where to place it.

Virtualization: Performance is not a concern in a well-managed virtualization environment. With Microsoft’s investments in Azure it would be strange if we did not regard virtualized DCs as a first-class solution.

While virtualizing Domain Controllers and even the PDC role is fully supported, this may not be the optimal configuration for your specific infrastructure. Microsoft recommends avoiding single points of failure and having a physical DC is one way to achieve this, and the PDCe would be the primary candidate for that use case.

The current discussion is very simple. You may want to avoid a SPoF (Single Point of Failure) by decoupling one DC from the others in as many ways as possible: platform, storage, networking, and maybe even location. Hence the case for keeping one DC on a physical machine instead of virtualizing all DCs, particularly if a single data center hosts all of them.

Dependencies: If you do virtualize the PDCe, make sure there are no dependencies that could be impacted by having the FSMO role virtualized. One situation that can occur is when the Storage Area Network (SAN) hosting the DCs goes down, while that same SAN depends on those DCs to authenticate access to any of its Common Internet File System (CIFS) shares. I worked with a customer once; they had a smaller environment where all 4 (virtual) DCs were on a single SAN environment hosted by several front-end hosts. And we all know, SANs never fall down.

Now if you have multiple SANs, in multiple datacenters, in multiple locations, then sure, it could make sense to completely virtualize your entire Domain Controller infrastructure. But that is the question: DO YOU have the redundancies in place to sleep comfortably at night, knowing they are enough to provide fault-tolerant services for your IT infrastructure?

Given that, pick the one DC in the domain that is the best candidate: the PDC of course. It should be centrally placed, it is the one with the external time service, and it is responsible for external services such as GPO editing, trust maintenance, etc.

GPO to set time source: Many people either don’t know or have forgotten, but you can set a GPO to automatically configure the authoritative time source within a domain, pointing it at wherever the PDCe FSMO role is located: https://theitbros.com/configure-ntp-time-sync-group-policy/
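To tie the “Finding the PDCe” and time-source points together, here is an added PowerShell check (not from the original post) that locates the PDCe, reports whether it is running as a VM, and shows what it is actually syncing time from. It assumes the RSAT ActiveDirectory module, remote CIM access to the DC, and that `w32tm` is available; the function name `Get-PdceReport` is my own.

```powershell
# Added example: gather the facts you need before deciding where to host the PDCe.
# Assumes: RSAT ActiveDirectory module, WinRM/CIM access to the DC, w32tm on the path.
Import-Module ActiveDirectory

function Get-PdceReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $adDomain = Get-ADDomain -Identity $Domain
    $pdce     = $adDomain.PDCEmulator                   # FQDN of the FSMO role holder
    $dc       = Get-ADDomainController -Identity $pdce  # site, address, GC status

    # Hardware identity as seen by the guest OS: Hyper-V guests report
    # Model "Virtual Machine", VMware guests report Manufacturer "VMware, Inc.".
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $pdce
    $isVirtual = ($cs.Model -match 'Virtual') -or
                 ($cs.Manufacturer -match 'VMware|Xen|QEMU|innotek')

    # The PDCe should be the domain's authoritative time source (the GPO above
    # sets that). Ask the Windows Time service what it is really syncing from.
    $timeSource = (w32tm /query /source /computer:$pdce) -join ' '

    [pscustomobject]@{
        Domain          = $adDomain.DNSRoot
        PDCEmulator     = $pdce
        Site            = $dc.Site
        IPv4Address     = $dc.IPv4Address
        IsGlobalCatalog = $dc.IsGlobalCatalog
        Manufacturer    = $cs.Manufacturer
        Model           = $cs.Model
        IsVirtual       = $isVirtual
        TimeSource      = $timeSource
    }
}

$report = Get-PdceReport
$report | Format-List

# A virtual PDCe that takes time from the local clock or the hypervisor's
# integration service, rather than an external NTP server, is exactly the kind
# of hidden dependency the post warns about.
if ($report.IsVirtual -and
    $report.TimeSource -match 'Local CMOS Clock|VM IC Time Synchronization Provider') {
    Write-Warning "Virtual PDCe $($report.PDCEmulator) is not syncing from an external time source."
}
```

Run it from a management host with domain credentials; `netdom query fsmo` gives the same role-holder answer if you prefer the command-line route the post mentions.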

But even in larger environments, whether Hyper-V or VMware, if there is a failure within the virtualization fabric and all your DCs run in one location, just how well does their recovery process address the chicken-and-egg issue of what has to be restored first when your virtualization platform is AD-integrated? Just having a single physical DC available avoids the extra complications associated with such a disaster recovery plan.

So there you go: make sure you are fully aware of any dependencies and the options you have when you choose to virtualize your PDCe role.