IronPort ESA best practice for DNS servers?

Hello!
Is there a best practice for what servers should be used for the Cisco IronPort DNS servers?
Currently when I check our configuration, we have set it to "Use these DNS servers" and the first two are our domain controllers and last two are Google DNS.
Is there a best practice way of doing this? I'm thinking of selecting the "Use the Internet's Root DNS Servers" option as I can't really see an advantage of using internal DC's.
Thoughts?

Best practice is to use Internet Root DNS Servers and define specific DNS servers for any domain that you need to give different answers for. Since internal mail delivery is controlled by smtproutes, using internal DNS servers is normally not required.
If you must use internal DNS servers, I recommend servers dedicated to your IronPorts and not just using servers that handle enterprise lookups as well. IronPorts can place a very high load on DNS servers because every outside connection results in multiple DNS lookups (forward, reverse, SBRS).
If you don't have enough DNS horsepower, you are susceptible to a DoS attack, either through accident or design. If the IronPorts overload your internal DNS servers, it can impact your entire enterprise.
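
The layout recommended in the answer above, sketched as an added example that is not part of the original thread: a resolver dedicated to the ESAs that recurses from the root servers and hands only one internal zone to internal DNS. It assumes Unbound as the resolver software; every address, the `corp.example` zone and the thread and cache sizes are constructed placeholders.

```conf
# unbound.conf for a resolver used only by the mail gateways (added example).
# All addresses, names and sizes below are constructed placeholders.
server:
    # Listen only on the address the ESAs are configured to query.
    interface: 10.10.10.53
    port: 53

    # Answer the ESAs and nothing else, so enterprise clients never compete
    # with mail traffic for this resolver and an ESA burst never starves them.
    # Unbound applies the most specific matching netblock, so order is irrelevant.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.10.10.11/32 allow    # esa1 (placeholder)
    access-control: 10.10.10.12/32 allow    # esa2 (placeholder)

    # Full recursion from the root servers: no forwarding to the domain
    # controllers or to public resolvers.
    root-hints: "/etc/unbound/root.hints"

    # Every inbound SMTP connection triggers several lookups (forward,
    # reverse, SBRS), so size threads and caches for connection bursts.
    num-threads: 4
    msg-cache-size: 128m
    rrset-cache-size: 256m
    prefetch: yes

    # Assumption: the internal zone is unsigned, so skip DNSSEC validation for it.
    domain-insecure: "corp.example."

# The one domain that needs different answers is handed to internal DNS.
stub-zone:
    name: "corp.example."
    stub-addr: 10.0.0.7
    stub-addr: 10.0.0.8
```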

Similar Messages

  • ACE best practice for proxy servers

    Dear,
    I would like to know which is the best practice scenario to load balance proxy servers:
    1- Best practice to have transparent proxy or proxy setting on the web browser?
    2- for transparent proxy: best practice to use ip wccp or route-map pointing to the ACE VIP?
    3- What are the advantages and disadvantages of transparent proxy V/S web browser proxy setting.
    Regards,
    Pierre

    Hi,
    Sorry, that seem to be an internal link.
    You can also check the below post where a sample config is posted here for transparent cache.
    https://supportforums.cisco.com/thread/129106
    Best practice:
    VIP would be a catch all address.
    To optimize the caching predictor hash url is used.
    You can also use mac-sticky on interface so proper flow persistence is used within ACE
    The mode is transparent so we preserve the destination ip address.
    Regards,
    Siva

  • Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

    Hi,
    I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
    I have 3 web servers behind a router.
    Public interface: 3 public IP addresses
    Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
    I would like to know the best way to redirect http traffic to the right server.
    My idea is to map a public address to a private address, via NAT, but I'm not sure about the configuration.  I could also redirect via Policy-map and filter by url content.
    So if you have some advice for this case, it would be really appreciated.
    Thank you.
    Chris.

    Hello Christophe,
    As I understand, you first want this:
    if somebody goes to A.local.com from the internet, then he will be redirected to 192.168.1.10 in your internal network.
    That means you need a static mapping between your public IP address and your local IP address.
    For this example, your local interface is Fa0/0.1, and I don't know your public interface because it is not mentioned in your diagram. I will suppose S0/0 for the public interface.
    That is the config for Web Server1. You can do the same with the remaining servers:
    ! mark the server-facing sub-interface as NAT inside
    interface fa0/0.1
     ip nat inside
    ! mark the public interface as NAT outside
    interface serial0/0
     ip nat outside
    ip nat inside source static 192.168.1.10 172.1.2.3
    static mapping from local to public.
    I suppose you have done the DNS mapping in your network and the ISP has done the same in its network.
    ! a static route needs a mask and takes the interface name directly
    ip route 171.1.2.3 255.255.255.255 serial0/0
    or
    ip route 0.0.0.0 0.0.0.0 serial0/0
    After these steps for each web server, you will get the mapping.
    Now you can restrict access to this IP only to http or https protocol on your ISP and after on your local network
    like
    ip access-list extended ACL_WebServer1
     ! port matching requires tcp, and a single address requires the host keyword
     permit tcp any host 192.168.1.10 eq www
     deny ip any host 192.168.1.10
    exit
    interface fa0/0.1
     ! outbound: traffic towards the server leaves the router on this sub-interface
     ip access-group ACL_WebServer1 out
     no shut
    exit
    That is the first step. 
    Second step : you want to filter traffic by url, that means layer 5 to 7 filtering. 
    I am not sure that it is possible using cisco router with (ZBF + Regex).
    Check the first step and let us know ! 
    Please rate and mark as correct if it is the case. 
    Regards,

  • Best Practices for AD and Windows Environment

    Hello Everyone,
    I need to create a document having the best practices for AD containing best practices for DNS, DHCP, AD Structure, Group Policy, Trust Etc.
    I just need the best practices irrespective of what is implemented in our company.
    I just need to create a document for analysis as of now. I searched over the internet but could not find much. I would request you all to pour in your suggestions from where I can find those.
    If anyone could send me or point me the link. I am pretty new to the technology, so need your help.
    Thanks in Advance

    I have an article where I shared the best practices to use to avoid known AD/DNS issues: http://www.ahmedmalek.com/web/fr/articles.asp?artid=23
    However, you need first to identify your requirements and based on these requirements, you can identify what should be implemented on your environment and how to manage it. The basics here is that you need to have at least two DC/DNS/GC servers per AD domain for the High Availability. You need also to take a system state backup of at least one DC/DNS/GC server in your domain. As for DHCP, you can use 50/50 or 80/20 DHCP rule depending on your setup.
    You can also refer to that: https://technet.microsoft.com/en-us/library/cc754678%28v=ws.10%29.aspx
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Best practices for 2 x DNS servers with 2 x sites

    I am curious if someone can help me with best practices for my DNS servers.  Let me give my network layout first.
    I have 1 site with 2 x Windows 2012 Servers (1 GUI - 10.0.0.7, the other CORE - 10.0.0.8) the 2nd site connected via VPN has 2 x Windows 2012R2 Servers (1 GUI - 10.2.0.7, the other CORE - 10.2.0.8)  All 4 servers are promoted to DC's and have DNS services running.
    Here goes my questions:
    Site #1
    DC-01 - NIC IP address for DNS server #1 set to 10.0.0.8, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.2.0.7 & 10.2.0.8)
    DC-02 - NIC IP address for DNS server #1 set to 10.0.0.7, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.2.0.7 & 10.2.0.8)
    Site #2
    DC-01 - NIC IP address for DNS server #1 set to 10.2.0.8, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.0.0.7 & 10.0.0.8)
    DC-02 - NIC IP address for DNS server #1 set to 10.2.0.7, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.0.0.7 & 10.0.0.8)
    Under the DNS management > Forward Lookup Zones > _msdcs.mydomain.local > properties > Name Servers should I have all of my other DNS servers, or should I have my WAN DNS servers? In a single server scenario I always put my WAN DNS server but a bit unsure in this scenario.
    Under the DNS management > Forward Lookup Zones > _msdcs.mydomain.local > properties > General > Type should all servers be set to Active Directory - Integrated > Primary Zone? Should any of these be set to Secondary Zone?
    Under the DNS management > Forward Lookup Zones > _msdcs.mydomain.local > properties > Zone Transfers should I allow zone transfers?
    Would the following questions be identical to the Forward Lookup Zone mydomain.local as well?

    Site1
    DC1: Primary 10.0.0.7. Secondary 10.0.0.8. Tertiary 127.0.0.1
    DC2: Primary 10.0.0.8.  Secondary 10.0.0.7. Tertiary 127.0.0.1
    Site2
    DC1: Primary 10.2.0.7.  Secondary 10.2.0.8. Tertiary 127.0.0.1
    DC2: Primary 10.2.0.8.  Secondary 10.2.0.7. Tertiary 127.0.0.1
    The DC's should automatically register in msdcs.  Do not register external DNS servers in msdcs or it will lead to issues. Yes, I recommend all zones to be set to AD-integrated. No need to allow zone transfers as AD replication will take care of this for you.  Same for mydomain.local.
    Hope this helps.  

  • DNS best practices for hub and spoke AD Architecture?

    I have an Active Directory Forest with a forest root such as joe.co and the root domain of the same name, and root DNS servers (Domain Controllers) dns1.joe.co and dns2.joe.co
    I have child domains with names in the form region1.joe.com, region2.joe.co and so on, with dns servers dns1.region1.joe.co and so on.
    Each region has distribute offices that may have a DC in them, servers named in the form dns1branch1.region1.joe.co
    Over all my DNS tests out okay, but I want to get the general guidelines for setting up new DCs correct.
    Configuration:
    Root DC/DNS server dns1.joe.co adapter settings points DNS to itself, then two other root domain DNS/DCs dns2.joe.co and dns3.joe.co.
    The other root domain DNS/DCs adapter settings point to root server dns1.joe.co and then to itself dns2.joe.co, and then 127.0.0.1
    The regional domains have a root dns server dns1.region1.joe.co with adapter that points to root server dns1.joe.co then to itself.
    The additional region domain DNS/DCs adapter settings point to dns1.region1.joe.co then to itself then to dn1.joe.co
    What would you do to correct this topology (and settings) or improve it?
    Thanks in advance
    just david

    Hi,
    According to your description, my understanding is that you need suggestion about your DNS topology.
    In theory, there is no obvious problem. Besides the namespace and server planning for DNS, zones also need to be considered. If you place a DNS server in each domain and subdomain, confirm whether the traffic generated by DNS will affect the network performance.
    Besides, fault tolerance and security are also necessary.
    We usually recommend that:
    A DC with DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. And when referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address. For detailed information you may reference:
    What is Microsoft's best practice for where and how many DNS servers exist? What about for configuring DNS client settings on DC’s and members?
    http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest
    How To Split and Migrate Child Domain DNS Records To a Dedicated DNS Zone
    http://blogs.technet.com/b/askpfeplat/archive/2013/12/02/how-to-split-and-migrate-child-domain-dns-records-to-a-dedicated-dns-zone.aspx
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Best Practice for the Service Distribution on multiple servers

    Hi,
    Could you please suggest as per the best practice for the above.
    Requirements : we will use all features in share point ( Powerpivot, Search, Reporting Service, BCS, Excel, Workflow Manager, App Management etc)
    Capacity : We have  12 Servers excluding SQL server.
    Please do not just refer any URL, Suggest as per the requirements.
    Thanks 
    srabon

    How about a link to the MS guidance!
    http://go.microsoft.com/fwlink/p/?LinkId=286957

  • What is best recommendation for DNS LB for lync 2013 Edge servers

    What is best recommendation for DNS LB for lync 2013 Edge servers ?. We have F5 LB for edge and want to decide if we can go with DNS base LB for Edge servers.
    Anil MCC 2011,ITIL V3,MCSA 2003,MCTS 2010, My Blog : http://messagingschool.wordpress.com

    It will be better to Use Hardware Load balancing (F5).
    If you choose to use DNS load balancing for a pool but still need to implement hardware load balancers for traffic such as HTTP traffic, the administration of the hardware load balancers is greatly simplified. For example, configuring the hardware load balancer will be simpler as it will only manage the HTTP and HTTPS traffic, while all other protocols will be managed by DNS load balancing.
    Also for more info., you can check below links
    http://technet.microsoft.com/en-us/library/gg615011.aspx
    http://technet.microsoft.com/en-us/library/gg398634.aspx
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
    Mai Ali | My blog: Technical | Twitter:
    Mai Ali

  • Url category best practices for ESA 8.5.6-074

    In the new version  8.5.6-074 of ESA C170, what are the best practices for applying the new URL Category?
    Is it possible to create filters that quarantine mails based on URL filtering? If so, could you upload a sample script (for example, quarantine emails that have adult links in the body)?

    You should be able to do it with a content filter. You have some conditions based on URL and categories.

  • Best Practices For Household IOS's/Apple IDs

    Greetings:
    I've been searching support for best practices for sharing primarily apps, music and video among multiple iOS's/Apple IDs.  If there is a specific article please point me to it.
    Here is my situation: 
    We currently have 3 iPads (2-kids, 1-dad) in the household and one iTunes account on a win computer.  I previously had all iPads on single Apple ID/credit card and controlled the kids' downloads thru the Apple ID password that I kept secret.  As the kids have grown older, I found myself constantly entering my password as the kids increased their interest in music/apps/video.  I like this approach because all content was shared...I dislike because I was constantly asked to input password for all downloads.
    So, I recently set up an individual account for them with the allowance feature at iTunes that allows them to download content on their own (I set restrictions on their iPads).  Now I have 3 Apple IDs under one household.
    My questions:
    With the 3 Apple IDs, what is the best way to share apps,music, videos among myself and the kids?  Is it multiple accounts on the computer and some sort of sharing? 
    Thanks in advance...

  • Best practice for RDGW placement in RDS 2012 R2 deployment

    Hi,
    I have been setting up a RDS 2012 R2 farm deployment and the time has come for setting up the RDGW servers. I have a farm with 4 SH servers, 2 WA servers, 2 CB servers and 1 LS.
    Farm works great for LAN and VPN users.
    Now i want to add two domain joined RDGW servers.
    The question is; I've read a lot on technet and different sites about how to set the thing up, but no one mentions any best practices for where to place them.
    Should i:
    - set up WAP in my DMZ with ADFS in LAN, then place the RDGW in the LAN and reverse proxy in
    - place RDGW in the DMZ, opening all those required ports into the LAN
    - place the RDGW in the LAN, then port forward port 443 into it from internet
    Any help is greatly appreciated.
    This posting is provided "AS IS" with no warranties or guarantees and confers no rights

    Hi,
    The deployment totally depends on your and your company's requirements, as many things need to be taken care of, such as hardware, network, security and other related stuff. Personally, to set up the RD Gateway server I would not prefer you to select the 1st option. But as per my research, for best results you can use option 2 (place the RDG server in the DMZ and then allow the required ports), because by doing so the outside network can't directly connect to your internal server and it's difficult for any attackers to break the network. A perimeter network (DMZ) is a small network that is set up separately from an organization's private network and the Internet. In a network, the hosts most vulnerable to attack are those that provide services to users outside of the LAN, such as e-mail, web, RD Gateway, RD Web Access and DNS servers. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network called a perimeter network in order to protect the rest of the network if an intruder were to succeed. You can refer to the article beneath for more information.
    RD Gateway deployment in a perimeter network & Firewall rules
    http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Best practice for server configuration for iTunes U

    Hello all, I'm completely new to iTunes U, never heard of this until now and we have zero documentation on how to set it up. I was given the task to look at best practice for setting up the server for iTunes U, and I need your help.
    *My first question*: Can anyone explains to me how iTunes U works in general? My brief understanding is that you design/setup a welcome page for your school with sub categories like programs/courses, and within that you have things like lecture audio/video files and students can download/view them on iTunes. So where are these files hosted? Is it on your own server or is it on Apple's server? Where & how do you manage the content?
    *2nd question:* We have two Xserve(s) sitting in our server room ready to roll, my question is what is the best method to configure them so it meets our need of "high availability in active/active mode, load balancing, and server scaling". Originally I was thinking about using a 3rd party load balancing device to meet these needs, but I was told there is no budget for it so this is not going to happen. I know there is IP Failover but one server has to sit in standby mode which is a waste. So the most likely scenario is to setup DNS round robin and put both xserves in active/active. My question now is (this maybe related to question 1), say that all the content data like audio/video files are stored by us, (We are going to link a portion of our SAN space to Xserve for storage), if we are going with DNS round robin and put the 2 servers in Active/Active mode, can both servers access a common shared network space? or is this not possible and each server must have its own storage space? And therefore I must use something like RSYNC to make sure contents on both servers are identical? Should I use XSAN or is RSYNC good enough?
    Since I have no experience with iTunes U whatsoever, I hope you understand my questions, any advice and suggestion are most welcome, thanks!

    Raja Kondar wrote:
    What is the Best Practice for having server pool i.e
    1) having a single large serverpool consisting of "n" number of guest vm
    2) having a multiple small serverpool consisting of less of number of guest vm
    I prefer option 1, as this gives me the greatest amount of resources available. I don't have to worry about resources in smaller pools. It also means there are more resources across the pool for HA purposes. Not sure if this is Official Best Practice, but it is a simpler configuration.
    Keep in mind that a server pool should probably have up to 20 servers in it: OCFS2 starts to strain after that.

  • IOS Update Best Practices for Business Devices

    We're trying to figure out some best practices for doing iOS software updates to business devices.  Our devices are scattered across 24 hospitals and parts of two states. Going forward there might be hundreds of iOS devices at each facility.  Apple has tools for doing this in a smaller setting with a limited network, but to my knowledge, nothing (yet) for a larger implementation.  I know configurator can be used to do iOS updates.  I found this online:
    https://www.youtube.com/watch?v=6QPbZG3e-Uc
    I'm thinking the approach to take for the time being would be to have a mobile sync station setup with configurator for use at each facility.  The station would be moved throughout the facility to perform updates to the various devices.  Thought I'd see if anyone has tried this approach, or has any other ideas for dealing with device software updates.  Thanks in advance. 

    Hi Bonesaw1962,
    We've had our staff and students run iOS updates OTA via Settings -> Software Update. In the past, we put a DNS block on Apple's update servers to prevent users from updating iOS (like last fall when iOS 7 was first released). By blocking mesu.apple.com, the iPads weren't able to check for or install any iOS software updates. We waited until iOS 7.0.3 was released before we removed the block to mesu.apple.com at which point we told users if they wanted to update to iOS 7 they could do so OTA. We used our MDM to run reports periodically to see how many people updated to iOS 7 and how many stayed on iOS 6. As time went on, just about everyone updated on their own.
    If you go this route (depending on the number of devices you have), you may want to take a look at Caching Server 2 to help with the network load https://www.apple.com/osx/server/features/#caching-server . From Apple's website, "When a user on your network downloads new software from Apple, a copy is automatically stored on your server. So the next time other users on your network update or download that same software, they actually access it from inside the network."
    I wish there was a way for MDMs to manage iOS updates, but unfortunately Apple hasn't made this feature available to MDM providers. I've given this feedback to our Apple SE, but haven't heard if it is being considered or not. Keeping fingers crossed.
    Hope this helps. Let us know what you decide on and keep us posted on the progress. Good luck!!
    ~Joe

  • Best Practices for new iMac

    I posted a few days ago re failing HDD on mid-2007 iMac. Long story short, took it into Apple store, Genius worked on it for 45 mins before decreeing it in need of new HDD. After considering the expenses of adding memory, new drive, hardware and installation costs, I got a brand new iMac entry level (21.5" screen, 2.7 GHz Intel Core i5, 8 GB 1600 MHz DDR3 memory, 1TB HDD running Mavericks). Also got a Superdrive. I am not needing to migrate anything from the old iMac.
    I was surprised that a physical disc for the OS was not included. So I am looking for any Best Practices for setting up this iMac, specifically in the area of backup and recovery. Do I need to make a boot DVD? Would that be in addition to making a Time Machine full backup (using external G-drive)? I have searched this community and the Help topics on Apple Support and have not found any "checklist" of recommended actions. I realize the value of everyone's time, so any feedback is very appreciated.

    OS X has not been officially issued on physical media since OS X 10.6 (arguably 10.7 was issued on some USB drives, but this was a non-standard approach for purchasing and installing it).
    To reinstall the OS, your system comes with a recovery partition that can be booted to by holding the Command-R keys immediately after hearing the boot chimes sound. This partition boots to the OS X tools window, where you can select options to restore from backup or reinstall the OS. If you choose the option to reinstall, then the OS installation files will be downloaded from Apple's servers.
    If for some reason your entire hard drive is damaged and even the recovery partition is not accessible, then your system supports the ability to use Internet Recovery, which is the same thing except instead of accessing the recovery boot drive from your hard drive, the system will download it as a disk image (again from Apple's servers) and then boot from that image.
    Both of these options will require you have broadband internet access, as you will ultimately need to download several gigabytes of installation data to proceed with the reinstallation.
    There are some options available for creating your own boot and installation DVD or external hard drive, but for most intents and purposes this is not necessary.
    The only "checklist" option I would recommend for anyone with a new Mac system, is to get a 1TB external drive (or a drive that is at least as big as your internal boot drive) and set it up as a Time Machine backup. This will ensure you have a fully restorable backup of your entire system, which you can access via the recovery partition for restoring if needed, or for migrating data to a fresh OS installation.

  • (Request for:) Best practices for setting up a new Windows Server 2012 r2 Hyper-V Virtualized AD DC

    Could you please share your best practices for setting up a new Windows Server 2012 r2 Hyper-V Virtualized AD DC, that will be running on a new WinSrv 2012 r2 host server. (This will be for a brand new network setup, new forest, domain, etc.)
    Specifically, your best practices regarding:
    the sizing of non virtual and virtual volumes/partitions/drives,  
    the use of sysvol, logs, & data volumes/drives on hosts & guests,
    RAID levels for the host and the guest(s),  
    IDE vs SCSI and drivers both non virtual and virtual and the booting there of,  
    disk caching settings on both host and guests.  
    Thanks so much for any information you can share.

    A bit of non essential additional info:
    We are a small to midrange school district who, after close to 20 years on Novell networks, have decided to design and create a new Microsoft network and migrate all of our data and services over to the new infrastructure. We are planning on rolling out 2012 r2 servers with as much Hyper-v virtualization as possible.
    During the last few weeks we have been able to find most of the information we need to undergo this project, and most of the information was pretty solid with little ambiguity, except for information regarding virtualizing the DCs, which has been a bit inconsistent.
    Yes, we have read all the documents that most of these posts tend to point to, but found some, if not most, are still referring to performing this under Srvr 2008 r2, and haven't really seen all that much on Srvr2012 r2.
    We have read these and others:
    Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100), 
    Virtualized Domain Controller Technical Reference (Level 300),
    Virtualized Domain Controller Cloning Test Guidance for Application Vendors,
    Support for using Hyper-V Replica for virtualized domain controllers.
    Again, thanks for any information, best practices, cookie cutter or otherwise that you can share.
    Chas.
