Historically, Microsoft Active Directory domain controllers have had compatibility issues with common virtualization features. So much so that Microsoft published official "operational considerations for virtualized domain controllers", which recommend that administrators not use clones, snapshots or full-system backups of domain controllers. These recommendations left administrators with a separate set of procedures for domain controllers, such as system-state backups in lieu of full-system backups, and a reliance on rebuild procedures in the event of a system outage.
The underlying concern with all of these operations is known as USN rollback. Active Directory domain controllers track the current state of their database with an Update Sequence Number (USN) so that replication and synchronization between domain controllers stay consistent. If a domain controller is restored to a previous state, it resumes from an outdated USN and attempts to synchronize the Active Directory database from that point, so it may serve outdated information to the user community and corrupt Active Directory objects by responding incorrectly to replication partners. More information here:
http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#usn_and_usn_rollback
Fortunately, domain controllers have detection methods in place to identify that a USN rollback has occurred. When a USN rollback is detected, the domain controller automatically disables all Active Directory functionality until an administrator demotes and re-promotes the DC. Often this is preceded by hours of troubleshooting and searching for event IDs before the condition is identified and remediated.
There are cases, however, in which the USN rollback would not be detected: for example, when the USNs happen to align because an equivalent number of changes occurred on the restored domain controller before it replicated again. In this case, lingering objects may remain in AD and cause issues that are very difficult to discover and troubleshoot.
But Microsoft has offered relief for this issue in Windows Server 2012 that allows administrators to treat Active Directory servers just like any other server for backup and recovery, snapshots and cloning. This feature is the VM-GenerationID. On supported hypervisors, a VM-GenerationID is assigned to the virtual machine and updated whenever an operation occurs that may cause a USN rollback (e.g. a snapshot or clone). When one of these operations occurs, a clone for example, the VM-GenerationID is compared against the value stored in the Directory Information Tree (DIT); if the values do not match, the server discards its existing information and re-synchronizes with valid domain controllers. The domain controller serves no requests until this check is complete, and the risk of USN rollback is removed.
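To make the three situations above concrete (a restored DC that is caught by rollback detection, one whose USNs happen to align and slip past it, and one saved by the generation-ID comparison), here is a small simulation. It is an added illustration, not code from the original post or from Microsoft: the `DomainController` class, its fields (including the stored `dit_gen_id` standing in for the DIT value), the object names and the partner names are all constructed, and the mismatch handling follows the post's description (discard and re-synchronize) rather than the real replication metadata handling.

```python
"""Toy model of USN rollback and the VM-GenerationID check described in the post.

Each DomainController tracks its highest locally originated USN, an
up-to-dateness vector (highest USN seen from each partner) and a stored
generation ID. The hypervisor, DIT field and object values are constructed
for this illustration.
"""
import copy
import secrets


class DomainController:
    def __init__(self, name, generation_id):
        self.name = name
        self.usn = 0                 # highest USN originated on this DC
        self.objects = {}            # object -> (value, originating DC, USN)
        self.utd = {}                # up-to-dateness vector: partner -> highest USN seen
        self.hypervisor_gen_id = generation_id  # what the hypervisor currently reports
        self.dit_gen_id = generation_id         # copy persisted in the DIT (constructed field)
        self.quarantined = False

    def write(self, obj, value):
        """Originate a change locally: every change consumes the next USN."""
        self.usn += 1
        self.objects[obj] = (value, self.name, self.usn)

    def snapshot(self):
        return copy.deepcopy(self)

    def restore(self, snap, hypervisor_updates_gen_id):
        """Roll the VM back to a snapshot. A supported hypervisor assigns a new
        generation ID on this operation; an unsupported one leaves it unchanged."""
        self.usn = snap.usn
        self.objects = copy.deepcopy(snap.objects)
        self.utd = dict(snap.utd)
        self.dit_gen_id = snap.dit_gen_id
        if hypervisor_updates_gen_id:
            self.hypervisor_gen_id = secrets.token_hex(16)  # stands in for the 128-bit value

    def boot_check(self, partner):
        """Windows Server 2012 behaviour as the post describes it: compare the
        hypervisor's generation ID with the value in the DIT and, on mismatch,
        discard local state and re-synchronise from a valid partner."""
        if self.hypervisor_gen_id == self.dit_gen_id:
            return "ok"
        self.objects = copy.deepcopy(partner.objects)
        self.usn = max((u for _, o, u in self.objects.values() if o == self.name), default=0)
        self.utd = {k: v for k, v in partner.utd.items() if k != self.name}
        self.utd[partner.name] = partner.usn
        self.dit_gen_id = self.hypervisor_gen_id
        return "resynchronised"

    def pull_from(self, partner):
        """Inbound replication. Rollback is detected when the partner has already
        seen a higher USN from us than we currently hold."""
        if partner.utd.get(self.name, 0) > self.usn:
            self.quarantined = True      # stop serving until an admin intervenes
            return "usn rollback detected"
        for obj, (value, origin, usn) in partner.objects.items():
            seen = self.usn if origin == self.name else self.utd.get(origin, 0)
            if usn > seen:               # accept only changes newer than our watermark
                self.objects[obj] = (value, origin, usn)
        self.utd[partner.name] = partner.usn
        return "replicated"


def scenario(hypervisor_updates_gen_id, changes_after_restore):
    """Return (boot check, replication result, quarantined?, DCs consistent?)."""
    dc1 = DomainController("DC1", "gen-A")
    dc2 = DomainController("DC2", "gen-B")
    snap = dc1.snapshot()                    # taken before any objects exist
    dc1.write("user:alice", "enabled")       # USN 1
    dc1.write("user:bob", "enabled")         # USN 2
    dc2.pull_from(dc1)                       # DC2 records DC1 at USN 2
    dc1.restore(snap, hypervisor_updates_gen_id)   # DC1 back to USN 0
    status = dc1.boot_check(dc2)
    for i in range(changes_after_restore):   # without a gen-ID reset these reuse USNs 1..n
        dc1.write(f"user:carol{i}", "enabled")
    result = dc1.pull_from(dc2)
    if not dc1.quarantined:
        dc2.pull_from(dc1)
    return status, result, dc1.quarantined, dc1.objects == dc2.objects


if __name__ == "__main__":
    print("unsupported hypervisor, no writes:   ", scenario(False, 0))
    print("unsupported hypervisor, aligned USNs:", scenario(False, 2))
    print("supported hypervisor, gen-ID changes:", scenario(True, 2))
```

The second scenario is the one the post warns about: DC1 makes exactly as many changes after the restore as its partner already saw from it, so the partner's record of DC1 never exceeds DC1's current USN, no rollback is flagged, and the two DCs quietly hold different objects under the same USNs. Only the third scenario, where the hypervisor changed the generation ID and the boot-time comparison against the stored value forced a re-synchronization, ends with both DCs consistent.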
This functionality is an exciting one: it lets administrators treat Active Directory like any other application, cloning domain controllers for rapid provisioning and performing backup and restore during DR scenarios without issue. In addition, the elasticity of Active Directory in cloud-based infrastructure just got a lot easier to manage, with AD servers able to be spun up and down without incident or special precautions.
As I said earlier, this function is currently only available on supported hypervisors, and that list is currently a short one: Hyper-V. However, with VMworld right around the corner, the incorporation of this feature into vSphere 5.1 is anticipated.
Labels: AD, GenerationID, Microsoft