<h1>Virtual Domain Controllers and Windows Server 2012 Improvements</h1>
<p>Published 2012-07-24 at <a href="https://aidanfinn.com/?p=13171">https://aidanfinn.com/?p=13171</a>. Category: Active Directory. Tags: Active Directory, Windows Server 2012, Hyper-V, Virtualisation, Backup.</p>
<p>There have been a number of concerns when it comes to virtualising domain controllers. The biggest of these is <a href="http://support.microsoft.com/kb/888794" target="_blank">KB888794</a>, which is an updated version of an article that I first encountered years previously, maybe in 2004.</p>
<p><strong><u>USN Rollback</u></strong></p>
<p>Basically, we had to treat any virtual domain controller like it was a physical installation. That meant:</p>
<ul>
<li>No snapshots</li>
<li>No recovering the DC from VM (host/storage level) backups</li>
<li>Don’t do anything to manipulate the virtual DC’s VM storage, such as copy/clone/etc.</li>
</ul>
<p>This was because the VM would “time travel”, effectively <a href="http://technet.microsoft.com/library/dd363553(WS.10).aspx#usn_and_usn_rollback" target="_blank">screwing up the USNs</a> that are used to track AD object replication and possibly causing the reuse of RID pools – in other words, completely frakking your AD and making you wish that you had paid up for that Microsoft Premier support contract.</p>
<p><strong><u>Physical DC Required</u></strong></p>
<p>One of the frustrating things, especially for small and medium enterprises (SMEs) or smaller branch offices, was that they needed a local physical domain controller to enable a Hyper-V cluster. Such a company might only need two hosts, but had to add another physical machine (small as it was) to enable the cluster to function.</p>
<p>That was the scenario up to now. Enter Windows Server 2012.</p>
<p><strong><u>Bootstrapping</u></strong></p>
<p>Windows Server 2012 Failover Clusters have a new feature called bootstrapping. It’s been mentioned in public but I’ve not seen any documentation on it yet. In short, this allows a failover cluster to power up and start working without the presence of a physical domain controller. The premise is that you instead run virtual domain controllers, hosted on the Hyper-V cluster itself.</p>
<p>That means that you don’t need the physical domain controller. That’s a major saving for the SME or the branch office.</p>
<p><strong><u>Virtual DCs are OK</u></strong></p>
<p>If we’re OK with the idea of virtual domain controllers, then how do we deal with them? How do we back them up easily? In a true cloud where there might be a one-size-fits-all backup policy, how do admins (with zero knowledge of VM contents/roles) safely back up virtual domain controllers that might be created legitimately by the cloud’s tenants?</p>
<p><strong><u>VM-GenerationID and Safe DC Virtualisation</u></strong></p>
<p>Microsoft has come up with a new mechanism called <a href="http://technet.microsoft.com/en-us/library/hh831734.aspx#safe_virt_dc" target="_blank">VM-GenerationID</a> (also seen documented on TechNet and blogged as Generation ID, VM Generation ID, VM-Generation ID and GenID). It is an attribute called msDS-GenerationID of the DC’s computer object in AD. This is normally kept in sync with the directory information tree (DIT) if everything is OK with the replication of the DC.</p>
<p>If something happens to the DC VM, like a snapshot being applied or a backup of the VM being restored, then the VM effectively travels back in time, potentially causing a USN rollback and enabling RID reuse. But the DC compares the VM-GenerationID currently presented by the hypervisor with the value stored in the DIT. If they are different, then the DC is aware there is a problem. The RID pool is discarded, a new one is created, and a USN rollback is prevented.</p>
<p>Windows Server 2012 Hyper-V is the only hypervisor at this time to support this feature, and the virtual DCs must be running Windows Server 2012.</p>
<p><strong><u>But There’s More – Rapid Deployment of DCs</u></strong></p>
<p>Wouldn’t it be nice if you could clone domain controllers? Normally you cannot. But this new VM-GenerationID feature, combined with some other work done by Microsoft in WS2012, enables you to export/import virtual DCs to <a href="http://technet.microsoft.com/en-us/library/hh831734.aspx#steps_deploy_vdc" target="_blank">clone</a> new DCs with very little effort.</p>
<p>The process is simple enough:</p>
<ol>
<li>Have a PDC Emulator that is running WS2012. This DC will not be cloned.</li>
<li>Create a new virtual DC running WS2012.</li>
<li>Add the new template DC to a domain security group called Cloneable Domain Controllers. This allows domain admins to restrict which (if any) DCs can be cloned.</li>
<li>On the template DC, run <em>Get-ADDCCloningExcludedApplicationList</em> to list the installed programs/services on the DC that are not known to be safe to clone (check with vendors). Uninstall any that cannot support cloning.</li>
<li>Run <em>Get-ADDCCloningExcludedApplicationList -GenerateXml</em> on the template DC.</li>
<li>Still on the template DC, run <em>New-ADDCCloneConfigFile</em> to create an XML answer file to configure the name, IP, etc. for the new DC VM that you are about to create.</li>
<li>The last step creates a file called DCCloneConfig.xml. Place this in either the directory where the DIT resides, <em>%windir%\NTDS</em>, or the root of a removable media drive (<em>maybe a SCSI-attached blank VHD?</em>).</li>
<li>Stop and export the template VM.</li>
<li>Import the VM to create a new DC VM.</li>
<li>Start the new VM, and you should now have a new DC.</li>
</ol>
<p>I haven’t had a chance to try this out yet. I’ll try to update this if I find the MSFT <a href="http://technet.microsoft.com/en-us/library/hh831734.aspx#virtualized_dc_cloning" target="_blank">TechNet page</a> is lacking.</p>
<p><strong><u>Summary</u></strong></p>
<p>What all this means is that with Windows Server 2012 and a VM-GenerationID-aware hypervisor (WS2012 Hyper-V), you can safely virtualise your domain controllers and treat them just like any other VM, something that is of great importance in a true cloud.</p>