Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization
More info on http://techdays.be.

Transcript

  • 1. Windows Server 2012 – Forbidden fruits of Active Directory: Cloning – Snapshotting – Safe Virtualization
  • 2. Forbidden fruits of Active Directory: Cloning – Snapshotting – Virtualization. Benjamin Logist, Wim Henderyckx – Premier Field Engineers, Microsoft Services
  • 3. Agenda
  • 4. Agenda
  • 5. Importance of Virtualization in IT
    Well-established and still growing trend, widely adopted across all market segments.
    Often a business decision driven by cost savings:
      – fewer machines require less space and power
      – consolidate server hardware for optimal hardware utilization
      – … also provides numerous technological conveniences
    Virtualization paves the way toward private-cloud deployments:
      – reduces deployment and management complexity
      – offers redundancy and dynamic-scale capabilities
  • 6. Agenda
  • 7. Virtualization of Domain Controllers – Pre-Windows Server 2012
    DCs have been successfully deployed on virtualization platforms for many years according to a set of well-defined best practices; those best practices advised against actions that could disrupt Active Directory.
    Best-practices guidance cautioned against:
      – applying snapshots on virtual domain controllers
      – exporting a virtual machine that is running a domain controller
      – copying virtual hard disks (VHDs)
    Hypervisor admins are not necessarily aware of Active Directory’s requirements or best practices.
  • 8. Virtualization Challenges
    Virtual machines offer snapshot capabilities, which are potentially problematic for distributed applications.
    Why?
      – applications experience a logical-clock shift
      – operations happen outside of the OS’/application’s awareness
      – Active Directory’s logical clock is its USN (update sequence number)
  • 9. How Domain Controllers are Impacted
    Impact to replication:
      – lingering objects
      – inconsistent passwords
      – inconsistent attribute values
      – schema mismatches if the Schema FSMO is rolled back
    Potential for security principals to be created with duplicate SIDs:
      – resulting in unauthorized access to resources for a period of time
      – the affected users will no longer be able to log on
  • 10. How Domain Controllers are Impacted
  • 11. Agenda
  • 12. Safe Domain Controller Virtualization
    Windows Server 2012 virtual DCs are able to detect when:
      – snapshots are applied
      – a VM is copied
    Detection is built off a VM-generation identifier (VM-Generation ID); the VM-Generation ID is changed when features such as VM snapshot are used.
  • 13. Active Directory’s Safe Virtualization
    VM-Generation ID is provided by the hypervisor platform:
      – a unique 128-bit identifier that guest operating systems and applications can leverage
      – made available to applications through a Windows Server 2012 driver
    Windows Server 2012 virtual DCs track the VM-Generation ID, which allows the DC to detect changes and protect Active Directory.
  • 14. Safe Domain Controller Virtualization (figure; labels: DC1(A)@USN = 200, DC1(A)@USN = 200, DC1(A)@USN = 250)
    USN re-use avoided and USN rollback PREVENTED: all 250 users converge correctly across both DCs.
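Slides 8–9 describe what a rolled-back DC does to replication, and slides 12–14 describe the Generation ID tracking that prevents it. The following is an added example, not from the deck or from Microsoft, of how an operator can check a Windows Server 2012 virtual DC for those conditions from the defender's side: it reads the "Dsa Not Writable" registry value that a DC sets when it quarantines itself after detecting USN rollback, pulls the Directory Service events for USN rollback / unsupported restore (2095, 2103) and for a detected Generation ID change (2170), confirms that the guest sees the hypervisor's Generation Counter device, and reads the Generation ID cached on the DC's computer object (msDS-GenerationId). The function name, the 30-day window and the `-Days` parameter are assumptions of this example; it assumes the ActiveDirectory RSAT module and an elevated session on the DC.

```powershell
# Added example (not part of the original deck): safety report for a virtualized DC.
# Assumes: run elevated on the DC itself, ActiveDirectory module available.
Import-Module ActiveDirectory

function Get-VdcSafetyReport {
    [CmdletBinding()]
    param(
        [string]$DcName = $env:COMPUTERNAME,   # assumed parameter: DC to report on
        [int]$Days = 30                        # assumed parameter: event look-back window
    )

    # 1. A DC that detected USN rollback sets "Dsa Not Writable" = 4 and stops replicating
    #    (inbound and outbound) until an administrator intervenes.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $quarantined = ($ntds.'Dsa Not Writable' -eq 4)

    # 2. Directory Service log: 2095/2103 = USN rollback or unsupported restore detected,
    #    2170 = Generation ID change detected (the safe-virtualization path on 2012).
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2095, 2103, 2170
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue)

    # 3. The hypervisor exposes VM-Generation ID to the guest as a Generation Counter device;
    #    without it, a 2012 DC cannot tell that it was snapshotted or copied.
    $genCounter = Get-WmiObject Win32_PnPEntity |
        Where-Object { $_.Name -like '*Generation Counter*' }

    # 4. The Generation ID the DC last saw, cached on its own computer object; the DC
    #    compares this with the live value on every boot and on snapshot application.
    $cached = (Get-ADComputer -Identity $DcName -Properties 'msDS-GenerationId').'msDS-GenerationId'

    [pscustomobject]@{
        DC                     = $DcName
        ReplicationQuarantined = $quarantined
        RollbackEvents         = ($events | Where-Object { $_.Id -in 2095, 2103 }).Count
        GenerationIdChanges    = ($events | Where-Object { $_.Id -eq 2170 }).Count
        HypervisorExposesGenId = [bool]$genCounter
        CachedGenerationId     = if ($cached) { [System.BitConverter]::ToString([byte[]]$cached) } else { $null }
    }
}

# Usage: a report with ReplicationQuarantined = $true or any RollbackEvents means the
# DC has already been rolled back and needs the documented recovery, not a reboot.
Get-VdcSafetyReport | Format-List
```

A non-zero GenerationIdChanges count on a 2012 DC is the system working as designed (the DC discarded its RID pool and reset its invocation ID instead of replaying USNs); RollbackEvents or ReplicationQuarantined is the pre-2012 failure mode that slides 8–9 describe.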
  • 15. Agenda
  • 16. Cloning Architecture – VDC Cloning at 30,000 Feet (Nine Steps)
    Prepare the environment:
      1. Validate that the hypervisor supports VM-Generation ID.
      2. Select a valid source DC running W2K12.
      3. Verify that the PDCE FSMO is Windows 2012.
  • 17. Cloning Architecture – VDC Cloning at 30,000 Feet (Nine Steps)
    Prepare the source DC:
      4. Authorize a DC for cloning.
      5. Remove incompatible components.
      6. Take the source DC offline.
  • 18. Cloning Architecture – VDC Cloning at 30,000 Feet (Nine Steps)
    Create the cloned DC:
      7. Copy or export the source VM and add the XML if not already copied.
      8. Create a new VM from the copy.
      9. Start the new VM to commence cloning.
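The nine steps on slides 16–18 map onto a handful of Windows Server 2012 cmdlets. What follows is an added example, not the deck's or Microsoft's own script, that walks the procedure end to end and also produces the DCCloneConfig.xml that slide 20 shows a sample of. Everything named here is an assumption of the example: the source DC "DC1", the clone name "DC2", the site name, the addresses, the export path "D:\Exports" and the Hyper-V host. The guest part runs on the source DC as a domain administrator; the host part runs on the Hyper-V host.

```powershell
# Added example (not from the original deck): the nine VDC cloning steps as cmdlets.
# Assumed names: source DC "DC1", clone "DC2", site, IP addresses and export path.
Import-Module ActiveDirectory

# --- Prepare the environment (steps 1-3), run on the source DC -----------------------
# 1. Hypervisor supports VM-Generation ID: the guest must see a Generation Counter device.
$genCounter = Get-WmiObject Win32_PnPEntity | Where-Object { $_.Name -like '*Generation Counter*' }
if (-not $genCounter) { throw 'Hypervisor does not expose VM-Generation ID; a clone here would boot into DSRM.' }

# 2. The source DC (this machine) must run Windows Server 2012.
$source = Get-ADDomainController -Identity $env:COMPUTERNAME
if ($source.OperatingSystem -notlike 'Windows Server 2012*') { throw "Source DC is $($source.OperatingSystem)" }

# 3. The PDC emulator must be a Windows Server 2012 DC.
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.OperatingSystem -notlike 'Windows Server 2012*') { throw "PDCE $($pdc.HostName) is $($pdc.OperatingSystem)" }

# --- Prepare the source DC (steps 4-6) -----------------------------------------------
# 4. Authorize the DC for cloning: membership in the Cloneable Domain Controllers group.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $env:COMPUTERNAME)

# 5. Remove incompatible components: anything returned here is not on the clone allow list.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    throw 'Uninstall these, or add vendor-approved entries with Get-ADDCCloningExcludedApplicationList -GenerateXml'
}
# Write DCCloneConfig.xml for the clone (static IPv4 variant). The cmdlet repeats the
# PDCE, group-membership and excluded-application checks before writing the file.
New-ADDCCloneConfigFile -CloneComputerName 'DC2' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# 6. Take the source DC offline so the copy is consistent.
Stop-Computer -Force

# --- Create the cloned DC (steps 7-9), run on the Hyper-V host -----------------------
# 7. Export the source VM. DCCloneConfig.xml is already inside the VHD, so nothing
#    else has to be copied in (the -Offline switch of New-ADDCCloneConfigFile covers
#    the case where the file is added to a copied VHD afterwards).
Export-VM -Name 'DC1' -Path 'D:\Exports'

# 8. Create a new VM from the copy. -GenerateNewId gives the VM a new identity, and the
#    hypervisor hands the clone a fresh VM-Generation ID when it first starts.
$clone = Import-VM -Path (Get-ChildItem 'D:\Exports\DC1\Virtual Machines\*.xml').FullName -Copy -GenerateNewId
Rename-VM -VM $clone -NewName 'DC2'

# 9. Start the clone: on boot it sees a changed Generation ID plus DCCloneConfig.xml and
#    initiates cloning; then bring the source back online.
Start-VM -Name 'DC2'
Start-VM -Name 'DC1'
```

Steps 1–3 and 5 are the checks that decide which branch of the boot-time decision flow the clone lands in: a clone without a changed Generation ID ends up in DSRM (with the config file) or replicating a rolled-back USN stream (without it), which is exactly the failure the cautionary notes later warn about.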
  • 19. Cloning ArchitectureVDC Cloning at 30,000 Feet (Nine Steps)
  • 20. DCCloneConfig.xml sample
  • 21. Rapid Deployment: Cloning Flow – Clone Windows 2012 PDC
  • 22. Rapid Deployment: Cloning Decision Flow
    BOOT → Is a Generation ID available?
      – No → Does DCCloneConfig.xml exist?
          – No → BOOT NORMALLY
          – Yes → Rename DCCloneConfig.xml → REBOOT INTO DSRM
      – Yes → Has the Generation ID changed?
          – No → Does DCCloneConfig.xml exist?
              – No → BOOT NORMALLY
              – Yes → Rename DCCloneConfig.xml → REBOOT INTO DSRM
          – Yes → Does DCCloneConfig.xml exist?
              – No → BOOT NORMALLY
              – Yes → INITIATE CLONING
  • 23. Cautionary Notes
    Only Windows Server 2012 virtual domain controllers can be cloned.
    Requires the PDC FSMO to be a Windows Server 2012 DC.
    Deploying clone DCs on virtualization platforms that don’t provide VM-Generation ID will:
      – with DCCloneConfig – cause the clone DC to boot into Directory Services Restore Mode (DSRM)
      – without DCCloneConfig – potentially introduce a USN bubble and duplicate SIDs, which disrupts the Active Directory environment
    Do not change/swap/switch VHDs on existing VMs: the VM-Generation ID does not change in Windows Server 2012 Hyper-V.
  • 24. Summary
    Windows Server 2012 enables a much richer Active Directory virtualization experience: domain controllers can be virtualized without the concerns of the past.
    Enables the rapid deployment of domain controllers by leveraging the virtualized platform’s native capabilities:
      – saves critical time during forest/domain recovery
      – trivializes scale-out to meet the needs of the environment