In developing a design for a Windows Server 2003 Active Directory, the Bureau of Technology Services of the City of Portland, Oregon, had a number of questions that the IT staff felt could best be answered by building a working Active Directory lab. Doing so, however, would present some logistical problems. To achieve the level of sophistication required in this Active Directory laboratory, our team concluded that we would require two forests, each with three domains, and a total of sixteen domain controllers.
The problem was that we did not have sixteen servers that we could dedicate to a lab, nor could we afford to spend approximately $80,000 to purchase them. Instead, the person responsible for research and testing was able to build a virtual lab, using only two physical servers and VMware GSX Server. I'm going to show you how this lab was created.
Questions of design
The security requirements of our enterprise network demand that the data and directory objects of two organizations within the enterprise be protected from the other organizations. Among the other organizations, the requirements are not quite so stringent. Given this, the main questions were:
- Will a single forest satisfy these security requirements?
- If not, and a separate security forest is required, what problems might this entail for interoperability between the two forests, particularly with e-mail?
- How might these problems be overcome?
- How would the use of a firewall between forests affect Active Directory?
We decided that the best way to answer these questions would be to build a test lab that contained two forests. Within each forest we would create an empty root domain, and two child domains. One domain in each forest would contain four domain controllers and the other domains would each contain two domain controllers. Appropriate roles would then be assigned to various servers, including global catalog, DNS, WINS, DHCP and file/print. In addition, we would install a Microsoft Exchange 2003 Server in each forest. Each forest would also get Microsoft Identity Integration Server 2003 and a firewall (using Check Point).
VMware to the rescue
Normally, such a lab would be prohibitively expensive, but by using VMware GSX Server (at a cost of $2,500 for the VMware license) you can turn a single physical server into eight separate virtual servers. In this case the entire lab was built using only two existing servers.
VMware GSX Server works by partitioning and isolating servers into separate, secure virtual machines. The operating systems and applications on each virtual machine are isolated, while system resources are delivered as needed to any virtual machine.
First, you install on the server what VMware calls the "host operating system," which can be one of several versions of Windows or Linux. Next, you install the VMware software. Once that is done, you can create virtual machines, and on each virtual machine you can install a "guest operating system" that is different from (or the same as) the host operating system. The guest operating systems can be any of the server and desktop versions of Windows, a version of Linux, and/or Novell NetWare.
The only caveat to be aware of is that the more virtual machines you create within VMware, the greater the system resources that are required. In our case, we found that we required 4 GB of RAM in each of the two physical servers to provide an adequate (although not great) response. Keep in mind that some RAM will be required for use by the host operating system and VMware itself.
Creating the design
The IT department determined that because a number of persons in various locations would need to access the virtual machines that comprise the lab, it would be best to have those people access them via Windows Terminal Services. In order to isolate the virtual lab from the production network, yet still make it accessible from the production network, we used Network Address Translation (NAT) at the firewall. Thus each virtual server would have its IP address within the virtual segment, but also a corresponding RDP IP address for use with Terminal Services.
With this scheme in mind, we designed the two forests as shown in Figure A.
Each of the two physical servers is a test bed, with its own IP address and hosting one forest; each has three domains and a total of eight virtual servers operating in assigned roles.
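The NAT scheme described above, modelled as an added example (not code from the article or from the City of Portland): each of the sixteen virtual servers gets one address on the isolated lab segment and one matching RDP address reachable from the production side, the firewall exposes only TCP/3389 toward each RDP address, and a check confirms the lab segment does not overlap production. The address ranges, forest and role names, and the vendor-neutral rule text are assumptions, not the real configuration or Check Point syntax.

```python
import itertools
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (assumptions, not the city's real networks).
LAB_NET = ipaddress.ip_network("10.10.0.0/24")    # isolated virtual segment
RDP_POOL = ipaddress.ip_network("192.0.2.0/27")   # production-side NAT addresses
PROD_NET = ipaddress.ip_network("172.16.0.0/16")  # production network
FORESTS = ("forest-a", "forest-b")
# Eight virtual servers per forest: empty root (2), child A (4), child B (2).
ROLES = ("root-dc1", "root-dc2", "childa-dc1", "childa-dc2",
         "childa-dc3", "childa-dc4", "childb-dc1", "childb-dc2")


@dataclass(frozen=True)
class NatEntry:
    name: str
    lab_ip: ipaddress.IPv4Address
    rdp_ip: ipaddress.IPv4Address


def build_nat_table(forests=FORESTS, roles=ROLES, lab_net=LAB_NET, rdp_pool=RDP_POOL):
    """Pair every virtual server with one lab address and one 1:1 NAT (RDP) address."""
    names = [f"{forest}-{role}" for forest in forests for role in roles]
    lab_ips = list(itertools.islice(lab_net.hosts(), len(names)))
    rdp_ips = list(itertools.islice(rdp_pool.hosts(), len(names)))
    if min(len(lab_ips), len(rdp_ips)) < len(names):
        raise ValueError("address pool too small for the lab")
    return [NatEntry(n, l, r) for n, l, r in zip(names, lab_ips, rdp_ips)]


def segments_are_isolated(lab_net=LAB_NET, prod_net=PROD_NET, rdp_pool=RDP_POOL):
    """Lab segment must not overlap production, and NAT addresses must not live inside the lab."""
    return not lab_net.overlaps(prod_net) and not rdp_pool.overlaps(lab_net)


def render_rules(table, rdp_pool=RDP_POOL):
    """Vendor-neutral rule text (assumed syntax): static NAT, RDP-only allow, catch-all deny."""
    rules = []
    for e in table:
        rules.append(f"nat static {e.rdp_ip} -> {e.lab_ip}  # {e.name}")
        rules.append(f"allow tcp from any to {e.rdp_ip} port 3389  # {e.name}")
    rules.append(f"deny ip from any to {rdp_pool}  # nothing but RDP reaches the lab")
    return rules


if __name__ == "__main__":
    for line in render_rules(build_nat_table()):
        print(line)
```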
Once VMware is installed, you can create and configure virtual servers with the Web-based VMware Management Interface. You can access the VMware Management Interface via a Web browser by typing the IP address of the physical server and the default VMware port 8222 in the address bar, as shown in Figure B.
Figure C shows the Management Interface after logging in, listing all of the virtual servers created in one forest of the virtual lab.
Once you have created each virtual server, you can install the guest operating system on it, and any additional software just as you would on a physical server.
Saving the bottom line
VMware GSX Server turned out to be a resource multiplier for us. We were able to create our lab for Active Directory testing at a significant cost savings, thanks to VMware. In using only two physical servers, rather than sixteen, we not only saved the cost of fourteen servers, but also saved the rack space those servers would have used, which is another cost factor. And yet, this virtual lab turned out to be every bit as useful for the tasks that we needed to accomplish in our testing.