Don’t snapshot Server 2003/2008/R2 Domain Controllers

I see requests to take snapshots of Domain Controllers all the time. My answer is always the same – don’t do it! It is not advisable as it is likely to cause corruption of AD, here’s why:

You take a snapshot of domain controller DC1 and then make several changes to AD. Each subsequent change causes the USN (update sequence number) of the AD database on DC1 to increment and this information is replicated to each domain controller in the forest and their respective USNs increment accordingly.

A patch installed on the domain controller causes it to crash frequently so you choose to revert to the previously taken snapshot. DC1 would now be in a state whereby the USN is lower (as it has been restored to a previous state) than what is expected by the other DCs in the forest. As they have seen the older USN before they ignore it. Due to the inconsistent state of DC1 and the other DCs do not replicate with it. This state is called USN rollback and can have a severely detrimental impact to your environment – imagine your production SQL cluster going offline intermittently because the domain user account SQL Server uses has password inconsistencies between DC1 & DC2. There are many different scenarios that could arise as a result of ‘USN rollback’ some aren’t that severe and are fixable and some can be be almost irrecoverable. Basically, it’s not a road you want to go down so avoid it.

The following Microsoft KB describes how to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.

To prevent the ability to take snapshots you can configure the Domain Controllers’ disks as Persistent. To do this perform the following steps:

  1. Shutdown the VM.
  2. Right-click on the VM and then click Edit Settings.
  3. Select the Hard Disk then under the Mode settings check Independent and select Persistent.
  4. Apply the changes and then power on the VM.

The screenshot below show the Hard Disk properties of a Domain Controller that has it configured as Persistent. The settings are greyed out as the VM was powered on when the screenshot was taken:

20130413111607

So when attempting to snapshot the VM it fails:

20130413115747

It is worth noting that this applies to Windows Server 2003, 2008 & 2008 R2 only. Windows Server 2012 however, does support DC cloning as well as snapshot restoration of domain controllers. This feature is only possible when using Windows Server 2012 Hyper-V, see this link and this link for more info and in ESXi version 5.0 build 821926 and above as detailed in VMware ESXi 5.0, Patch ESXi-5.0.0-20120904001-standard.

Error HRESULT:0x800F0818 after installing Windows updates

I saw this specific issue after Windows updates had run on my cloud server. The Features & Roles sections within Server Manager were failing to display the relevant information, see below for the exact issue encountered:

When clicking on the Add Features or Add Roles buttons I would then see error HRESULT:0x800F0818:

The Fix

Thankfully the resolution was very straight-forward – the first two hits from a Google search on HRESULT:0x800F0818 prescribed the correct fix. I used this link:

http://blogs.technet.com/b/roplatforms/archive/2010/05/12/how-to-fix-server-manager-errors-after-installing-updates-hresult-0x800f0818-hresult-0x800b0100.aspx

For me the issue was resolved by re-applying some files from the Windows6.1-KB947821-v14-x64.msu package. The Mircosft Update Readiness Tool will find the corrupt packages so you will know which packages to find and re-apply.