Can a Windows domain controller be virtualized?

Yes, it can be done. The appropriateness for doing so is up for debate.

  • Make sure time stays synced! This is very important. A DC with incorrect time can cause havoc.
  • Disable and do not use snapshots. Reverting to an old snapshot in a domain with many DCs will result in massive chaos.
  • Do not suspend/pause the domain controller.
  • Make sure your VM server does not get overloaded.
  • I suggest you run at least one DC within your domain on real hardware, if you have a larger network.

Could you explain the snapshot chaos point? Isn’t reverting to a snapshot going to act like restoring from backup, i.e. it will sync recent changes from the other DCs?

Active Directory is not designed to support that. Once an update has been replicated, it will not be re-replicated. Normally, if you are restoring Active Directory, you need to go through a special procedure (http://technet.microsoft.com/en-us/library/cc779573.aspx). The KB article Sam Cogan and gharper mentioned specifically addresses this point.

In particular, Active Directory does not support any method that restores a snapshot of the operating system or the volume the operating system resides on. This kind of method causes an update sequence number (USN) rollback. When a USN rollback occurs, the replication partners of the incorrectly restored domain controller may have inconsistent objects in their Active Directory databases. In this situation, you cannot make these objects consistent.

We also do not support using “undo” and “differencing” features in Virtual PC on operating system images for domain controllers that run in virtual hosting environments.
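
Why the changes made on a reverted DC never reach its partners, as an added simulation that is not part of the original answers or of the KB article: a simplified model in which each partner tracks the highest USN it has applied per source invocation ID. The class and function names, the object names and the USN counts are constructed for illustration.

```python
# Simplified model of AD replication bookkeeping (constructed, not Microsoft code).
import copy
import uuid


class DC:
    def __init__(self, name):
        self.name = name
        self.invocation_id = uuid.uuid4().hex  # identifies this database instance
        self.usn = 0                           # local update sequence number
        self.log = []                          # (invocation_id, usn, obj, value) written here
        self.objects = {}                      # directory contents
        self.watermark = {}                    # source invocation_id -> highest USN applied

    def write(self, obj, value):
        """Originating write: bump the local USN and stamp the change with it."""
        self.usn += 1
        self.objects[obj] = value
        self.log.append((self.invocation_id, self.usn, obj, value))

    def pull_from(self, source):
        """Ask only for changes above the watermark held for the source's invocation ID."""
        seen = self.watermark.get(source.invocation_id, 0)
        applied = 0
        for inv, usn, obj, value in source.log:
            if inv == source.invocation_id and usn > seen:
                self.objects[obj] = value
                self.watermark[inv] = usn
                applied += 1
        return applied


def scenario(supported_restore):
    """Return (changes DC2 applied after the revert, objects DC2 is missing)."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    for i in range(100):
        dc1.write(f"user{i}", "v1")
    dc2.pull_from(dc1)
    snapshot = copy.deepcopy(dc1)            # hypervisor snapshot taken at USN 100
    for i in range(100, 150):
        dc1.write(f"user{i}", "v1")
    dc2.pull_from(dc1)                       # DC2's watermark for DC1 is now 150
    dc1 = snapshot                           # revert: DC1's USN counter is back at 100
    if supported_restore:
        dc1.invocation_id = uuid.uuid4().hex  # a supported restore resets the invocation ID
    for i in range(20):
        dc1.write(f"newuser{i}", "v1")       # stamped with USNs 101..120
    applied = dc2.pull_from(dc1)
    return applied, len(set(dc1.objects) - set(dc2.objects))
```

With the snapshot revert, DC2 has already seen USNs up to 150 from the same invocation ID, so the 20 new objects stamped 101..120 are silently skipped; with a reset invocation ID, DC2 treats DC1 as a new source and applies them.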


The Microsoft AD team just posted a new article about how to virtualize domain controllers which includes several recommendations.
