Historically, Microsoft Active Directory domain controllers have had compatibility problems with common virtualization features. So much so, in fact, that Microsoft published a list of official "operational considerations for virtualized domain controllers", which recommends that administrators not use clones, snapshots, or full-system backups of domain controllers. These recommendations left administrators with a separate set of procedures for domain controllers: system-state backups in lieu of full-system backups, and rebuild procedures in the event of a system outage.
The concern behind all of these restrictions is known as USN rollback. Active Directory domain controllers track the current database version with an Update Sequence Number (USN) to keep replication and synchronization between domain controllers consistent. If a domain controller is restored to an earlier state, it will attempt to synchronize its Active Directory database from an outdated USN, potentially serving stale information to the user community and corrupting Active Directory objects by responding incorrectly. More information here: http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#usn_and_usn_rollback
Fortunately, domain controllers have detection methods in place to identify whether a USN rollback has occurred. When a USN rollback is detected, the domain controller automatically disables all Active Directory functionality until an administrator demotes and re-promotes the DC. Remediation is often preceded by hours of troubleshooting and searching for event IDs before the condition is identified.
There are cases, however, in which a USN rollback would not be detected, such as when the USNs happen to align because an equivalent number of changes occurred on the restored domain controller before it replicated. In this case, lingering objects may exist in AD and cause issues that are very difficult to discover and troubleshoot.
Microsoft has offered relief for this issue in Windows Server 2012 that lets administrators treat Active Directory servers like any other server for backup/recovery, snapshots, and cloning. This feature is the VM-GenerationID. On supported hypervisors, the VM-GenerationID is assigned to the virtual machine and updated whenever an operation occurs that could cause a USN rollback (snapshot, clone, and so on). When one of these operations occurs, a clone for example, the VM-GenerationID is compared against the value stored in the Directory Information Tree (DIT); if the values do not match, the server discards its existing replication state and re-synchronizes with valid domain controllers. The domain controller will not serve any requests until this check is completed, so the risk of USN rollback is removed.
More information here: http://technet.microsoft.com/en-us/library/hh831734.aspx
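The following PowerShell script is an added example, not code from the original post, that audits a single domain controller for the two conditions discussed above: whether the DC has already tripped the USN rollback safeguard, and whether the DC has a VM-GenerationID recorded in its local DIT (the msDS-GenerationId attribute on the DC's own computer object), which is what the Windows Server 2012 safeguard compares against. It assumes it is run elevated on the DC itself with the ActiveDirectory module installed; the "Dsa Not Writable" registry value and event IDs 2095 and 2103 come from Microsoft's USN rollback guidance, event 2170 is the Directory Service event logged when a Generation ID change is detected, and the 30-day event window is an assumption chosen for the example.

```powershell
# Added example (not from the original post). Assumes: run elevated on the DC,
# ActiveDirectory RSAT module available, Windows Server 2012 or later.
Import-Module ActiveDirectory

function Test-UsnRollbackFlag {
    # When NTDS detects a USN rollback it sets "Dsa Not Writable" = 4 under the
    # NTDS parameters key and stops inbound and outbound replication.
    $ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $value = (Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue).'Dsa Not Writable'
    [pscustomobject]@{
        RollbackDetected = ($value -eq 4)
        DsaNotWritable   = $value
    }
}

function Get-RollbackRelatedEvents {
    param([int]$Days = 30)   # 30-day window is an assumption for this example
    # 2095: a partner already acknowledged USNs this DC is sending again (rollback)
    # 2103: the DIT was restored with an unsupported procedure
    # 2170: a VM Generation ID change was detected (safeguard triggered)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2095, 2103, 2170
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

function Get-LocalVmGenerationId {
    # msDS-GenerationId lives on the DC's own computer object and is NOT replicated,
    # so the query must be directed at this DC rather than any writable DC.
    $dc = Get-ADComputer -Identity $env:COMPUTERNAME `
                         -Server $env:COMPUTERNAME `
                         -Properties 'msDS-GenerationId'
    $raw = $dc.'msDS-GenerationId'
    if ($raw) {
        # The attribute is an octet string; render it as hex for display.
        ($raw | ForEach-Object { $_.ToString('x2') }) -join ''
    } else {
        $null   # absent on physical DCs and on hypervisors without Generation ID support
    }
}

# --- Run the audit -----------------------------------------------------------
$flag = Test-UsnRollbackFlag
if ($flag.RollbackDetected) {
    Write-Warning "USN rollback already detected: replication is disabled on this DC (Dsa Not Writable = 4)."
} else {
    Write-Output "No USN rollback flag set in the NTDS parameters."
}

$events = Get-RollbackRelatedEvents
if ($events) {
    Write-Output "Rollback- or Generation-ID-related Directory Service events in the last 30 days:"
    $events | Format-Table -AutoSize
} else {
    Write-Output "No Directory Service events 2095/2103/2170 in the last 30 days."
}

$genId = Get-LocalVmGenerationId
if ($genId) {
    Write-Output "msDS-GenerationId present ($genId): the hypervisor exposes a VM-GenerationID, so snapshot and clone safeguards apply."
} else {
    Write-Output "msDS-GenerationId absent: no VM-GenerationID safeguard. Treat snapshots and clones of this DC as unsafe and rely on system-state backups."
}
```

The last check is the practical one for the point the post makes: an absent msDS-GenerationId means the DC is running either on physical hardware or on a hypervisor that does not present a Generation ID, and in that case the pre-2012 operational restrictions still apply regardless of the guest OS version.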
This is an exciting capability: it lets administrators treat Active Directory like other applications, cloning domain controllers for rapid provisioning and performing backup/restore during DR scenarios without issue. In addition, scaling Active Directory in cloud-based infrastructure just became much easier to manage, with AD servers able to be spun up and down without incident or special precautions.
As noted earlier, this function is currently available only on supported hypervisors, and at the moment that is a short list consisting of Hyper-V. However, with VMworld right around the corner, the incorporation of this feature into vSphere 5.1 is anticipated.
by Jim Joseph