Snapshot Server 2012 Domain Controllers

In a previous post I advised against taking snapshots of Server 2003/2008/R2 Domain Controllers. The reason was that reverting a DC to a previous snapshot could potentially corrupt AD.

With the launch of Server 2012 comes the ability to apply snapshots on Domain Controllers. This is made possible by VM Generation IDs.

The following video shows how snapshots are handled on Server 2012 Domain Controllers in Hyper-V. The video instructor is Paul Gregory, a Principal Technologist working for QA. I attended a Server 2012 training course he was instructing, which is where I first learned about the VM Generation ID feature:

When a reversion to a previously taken snapshot is initiated, Windows compares the VM Generation ID presented by the hypervisor with the msDS-GenerationID attribute stored on the Domain Controller’s computer object in AD. If the two values match, the restore transactions proceed as normal. If they differ, the Domain Controller’s InvocationID is reset and its RID pool is discarded, to avoid creating objects with duplicate IDs, and the DC enters recovery mode (just like a non-authoritative restore). It then receives replicated objects from the other Domain Controllers to roll its database forward, after which normal operation resumes.

This VM Generation ID feature helps to avoid AD problems such as replication failures and general corruption, but it is only available when the DC runs on Windows Server 2012 Hyper-V (see this link) or on VMware ESXi version 5.0 build 821926 and above, which is detailed here.

Don’t snapshot Server 2003/2008/R2 Domain Controllers

I see requests to take snapshots of Domain Controllers all the time. My answer is always the same – don’t do it! It is not advisable, as it is likely to cause corruption of AD. Here’s why:

You take a snapshot of domain controller DC1 and then make several changes to AD. Each subsequent change causes the USN (update sequence number) of the AD database on DC1 to increment. This information is replicated to each domain controller in the forest, and their respective USNs increment accordingly.

A patch installed on the domain controller causes it to crash frequently, so you choose to revert to the previously taken snapshot. DC1 is now in a state where its USN is lower (as it has been restored to a previous state) than what the other DCs in the forest expect. As they have already seen that older USN, they ignore it. Due to the inconsistent state of DC1, the other DCs do not replicate with it. This state is called USN rollback and can have a severely detrimental impact on your environment – imagine your production SQL cluster going offline intermittently because the domain user account SQL Server uses has password inconsistencies between DC1 & DC2. There are many different scenarios that could arise as a result of ‘USN rollback’; some aren’t that severe and are fixable, and some can be almost irrecoverable. Basically, it’s not a road you want to go down, so avoid it.

The following Microsoft KB describes how to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.
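As an added example (not part of the original post), the following PowerShell script checks a virtualised DC for the two things discussed above: whether the msDS-GenerationId safeguard is populated on its computer object, and whether NTDS has already flagged a USN rollback. It assumes the ActiveDirectory RSAT module and local administrator rights on the DC; the registry value and event IDs are those documented in Microsoft’s USN rollback KB article.

```powershell
# Added example: report the snapshot safeguard state and USN rollback
# indicators on the DC this script is run on. Not from the original post.
# Assumes: ActiveDirectory module (RSAT) installed, run as local admin on the DC.
Import-Module ActiveDirectory

$dc = Get-ADDomainController -Identity $env:COMPUTERNAME
Write-Output "DC: $($dc.HostName)  InvocationId: $($dc.InvocationId)"

# msDS-GenerationId is only written on Server 2012+ DCs whose hypervisor
# exposes a VM Generation ID. If it is absent, a snapshot revert will not
# be detected and the DC is exposed to USN rollback.
$comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId'
$genId = $comp.'msDS-GenerationId'
if ($genId) {
    $hex = ($genId | ForEach-Object { $_.ToString('x2') }) -join ''
    Write-Output "msDS-GenerationId present ($hex): snapshot reverts are detected"
} else {
    Write-Warning "msDS-GenerationId absent: snapshot reverts will NOT be detected"
}

# NTDS sets 'DSA Not Writable' = 4 under its Parameters key when it has
# detected a USN rollback and quarantined itself from replication.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$notWritable = (Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue).'DSA Not Writable'
if ($notWritable -eq 4) {
    Write-Warning "DSA Not Writable = 4: this DC has been flagged for USN rollback"
} else {
    Write-Output "DSA Not Writable flag not set"
}

# Directory Service log: event 2095 is the USN rollback detection event,
# event 2103 reports that AD DS was restored with an unsupported procedure.
$filter = @{ LogName = 'Directory Service'; Id = 2095, 2103 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue
if ($events) {
    Write-Warning "USN rollback related events found:"
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Output "No USN rollback events (2095/2103) in the Directory Service log"
}
```

Run it on each virtualised DC after any hypervisor-level restore; a warning from any of the three checks is the cue to follow the recovery steps in the KB rather than to let the DC keep serving logons.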

To prevent snapshots from being taken at all, you can configure the Domain Controllers’ disks as Persistent. To do this perform the following steps:

  1. Shutdown the VM.
  2. Right-click on the VM and then click Edit Settings.
  3. Select the Hard Disk then under the Mode settings check Independent and select Persistent.
  4. Apply the changes and then power on the VM.

The screenshot below shows the Hard Disk properties of a Domain Controller whose disk is configured as Persistent. The settings are greyed out because the VM was powered on when the screenshot was taken:

[Screenshot: Hard Disk properties with Mode set to Independent / Persistent]

So when you attempt to snapshot the VM, it fails:

[Screenshot: the snapshot attempt failing on the VM with an Independent Persistent disk]

It is worth noting that this applies to Windows Server 2003, 2008 & 2008 R2 only. Windows Server 2012, however, does support DC cloning as well as snapshot restoration of domain controllers. This feature is only available when using Windows Server 2012 Hyper-V (see this link and this link for more info) or ESXi version 5.0 build 821926 and above, as detailed in VMware ESXi 5.0, Patch ESXi-5.0.0-20120904001-standard.