Forbidden fruits of Active Directory – Cloning, snapshotting, virtualization
More info on http://techdays.be.
    Presentation Transcript

    • Windows Server 2012
      Forbidden fruits of Active Directory
      Cloning – Snapshotting – Safe Virtualization
    • Forbidden fruits of Active Directory
      Cloning – Snapshotting – Virtualization
      Benjamin Logist, Wim Henderyckx
      Premier Field Engineer – Microsoft Services
    • Agenda
    • Importance of Virtualization in IT
      - Well-established and still growing trend, widely adopted across all market segments
      - Often a business decision driven by cost savings:
        fewer machines require less space and power;
        consolidate server hardware for optimal hardware utilization
      - Also provides numerous technological conveniences
      - Virtualization paves the way toward private-cloud deployments:
        reduces deployment and management complexity;
        offers redundancy and dynamic-scale capabilities
    • Virtualization of Domain Controllers: Pre-Windows Server 2012
      - DCs successfully deployed on virtualization platforms for many years according to a set of well-defined best practices
      - Best practices advised against actions that could disrupt Active Directory
      - Best-practices guidance cautioned against:
        applying snapshots on virtual domain controllers;
        exporting a virtual machine that is running a domain controller;
        copying virtual hard disks (VHDs)
      - Hypervisor admins not necessarily aware of Active Directory’s requirements or best practices
    • Virtualization Challenges
      - Virtual machines offer snapshot capabilities, potentially problematic for distributed applications
      - Why? Applications experience a logical-clock shift: operations happen outside of the OS’s/application’s awareness
      - Active Directory’s logical clock is its USN (update sequence number)
    • How Domain Controllers are Impacted
      - Impact to replication: lingering objects, inconsistent passwords, inconsistent attribute values, schema mismatches if the Schema FSMO is rolled back
      - Potential for security principals to be created with duplicate SIDs, resulting in unauthorized access to resources for a period of time; the affected users will no longer be able to log on
    • How Domain Controllers are Impacted
    • Safe Domain Controller Virtualization
      - Windows Server 2012 virtual DCs are able to detect when snapshots are applied or a VM is copied
      - Detection is built on a VM-generation identifier (VM-Generation ID)
      - The VM-Generation ID is changed when features such as VM snapshot are used
    • Active Directory’s Safe Virtualization
      - VM-Generation ID provided by the hypervisor platform: a unique 128-bit identifier that guest operating systems and applications can leverage
      - Made available to applications through a Windows Server 2012 driver
      - Windows Server 2012 virtual DCs track the VM-Generation ID, which allows the DC to detect changes and protect Active Directory
    • Safe Domain Controller Virtualization (diagram; labels: DC1(A)@USN = 200, DC1(A)@USN = 200, DC1(A)@USN = 250)
      - USN re-use avoided and USN rollback PREVENTED: all 250 users converge correctly across both DCs
    • Cloning Architecture: VDC Cloning at 30,000 Feet (Nine Steps)
      Prepare the environment
        1. Validate that the hypervisor supports VM-Generation ID.
        2. Select a valid source DC running W2K12.
        3. Verify that the PDCE FSMO is Windows 2012.
      Prepare the source DC
        4. Authorize a DC for cloning.
        5. Remove incompatible components.
        6. Take the source DC offline.
      Create the cloned DC
        7. Copy or export the source VM and add the XML if not already copied.
        8. Create a new VM from the copy.
        9. Start the new VM to commence cloning.
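    The nine steps above, worked through as an added PowerShell example that is not part of the deck and not Microsoft's own script. Part 1 runs inside the Windows Server 2012 source DC as a Domain Admin and covers steps 1–5 plus writing DCCloneConfig.xml; part 2 runs on the Hyper-V host and covers steps 6–9. The VM name DC1, the clone name CLONE-DC1, the site name, the IP addresses and the D:\ paths are constructed placeholders. The cmdlets used (Get-ADDomainController, Add-ADGroupMember, Get-ADDCCloningExcludedApplicationList, New-ADDCCloneConfigFile, Export-VM, Import-VM, Rename-VM) are the standard ActiveDirectory and Hyper-V module cmdlets; the device name checked in step 1 is the Hyper-V generation counter device as it appears in the guest.

```powershell
# Added example (not from the deck). Part 1 runs inside the source DC (steps 1-5);
# part 2 runs on the Hyper-V host (steps 6-9). All names, addresses and paths
# below are constructed placeholders.
#Requires -RunAsAdministrator

# ---------- Part 1: inside the Windows Server 2012 source DC (steps 1-5) ----------
Import-Module ActiveDirectory

$SourceDc  = $env:COMPUTERNAME           # part 1 runs on the source DC itself
$CloneName = 'CLONE-DC1'                 # constructed: name the clone will take
$CloneSite = 'Default-First-Site-Name'   # constructed: AD site for the clone

# Step 1: the guest must see a VM-Generation ID. On Hyper-V it is exposed as the
# "Microsoft Hyper-V Generation Counter" system device; without it a clone that
# carries DCCloneConfig.xml boots into DSRM instead of cloning (see Cautionary Notes).
$genCounter = Get-WmiObject Win32_PnPEntity |
    Where-Object { $_.Name -like 'Microsoft Hyper-V Generation Counter*' }
if (-not $genCounter) {
    throw 'No VM-Generation ID device found; this platform cannot clone DCs safely.'
}

# Step 2: the source must be a Windows Server 2012 DC.
$dc = Get-ADDomainController -Identity $SourceDc
if ($dc.OperatingSystem -notlike 'Windows Server 2012*') {
    throw "Source DC $SourceDc runs '$($dc.OperatingSystem)', not Windows Server 2012."
}

# Step 3: the PDC emulator validates clone requests, so it must be 2012 as well.
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.OperatingSystem -notlike 'Windows Server 2012*') {
    throw "PDC emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)', not Windows Server 2012."
}

# Step 4: authorize the source DC by adding its computer object to the
# Cloneable Domain Controllers group. The membership must have replicated to the
# PDC emulator before the clone boots, or the clone fails its permission check.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $dc.ComputerObjectDN

# Step 5: list installed services/programs not marked clone-safe. Uninstall them,
# or vet each one and run "Get-ADDCCloningExcludedApplicationList -GenerateXml"
# to produce CustomDCCloneAllowList.xml for the ones you accept.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table Name, Type -AutoSize | Out-String | Write-Warning
    throw 'Incompatible components present; resolve them before cloning.'
}

# Write DCCloneConfig.xml into this DC's NTDS directory. Run online, the cmdlet
# re-checks the prerequisites above before it writes the file.
New-ADDCCloneConfigFile -CloneComputerName $CloneName -SiteName $CloneSite `
    -Static -IPv4Address '10.0.0.21' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# ---------- Part 2: on the Hyper-V host (steps 6-9) ----------
$SourceVm   = 'DC1'                      # constructed: Hyper-V VM name of the source DC
$ExportPath = 'D:\Export'                # constructed
$ClonePath  = "D:\VMs\$CloneName"        # constructed

Stop-VM -Name $SourceVm                  # step 6: clean shutdown so the VHD is consistent
Export-VM -Name $SourceVm -Path $ExportPath   # step 7: config + VHDs (DCCloneConfig.xml is on the VHD)

# Step 8: import as a NEW VM. -Copy -GenerateNewId gives the clone its own VM
# identity and therefore a different VM-Generation ID; attaching the copied VHD
# to an existing VM would not change the generation ID (see Cautionary Notes).
# On Windows Server 2012 Hyper-V the exported VM configuration is an .xml file.
$vmConfig = Get-ChildItem "$ExportPath\$SourceVm\Virtual Machines" -Filter '*.xml' |
    Select-Object -First 1
$clone = Import-VM -Path $vmConfig.FullName -Copy -GenerateNewId `
    -VirtualMachinePath $ClonePath -VhdDestinationPath $ClonePath
Rename-VM -VM $clone -NewName $CloneName

Start-VM -Name $SourceVm                 # bring the source DC back online
Start-VM -Name $CloneName                # step 9: first boot sees a new generation ID and clones
```

Part 1 deliberately stops at the first failed prerequisite rather than continuing, because each of the later steps (group membership, allow list, DCCloneConfig.xml) only makes sense once the platform check in step 1 has passed. After the clone has promoted itself, the generation ID it recorded can be read from its computer object with Get-ADComputer -Identity CLONE-DC1 -Properties 'msDS-GenerationId' (an added note, not from the deck).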
    • DCCloneConfig.xml sample
    • Rapid Deployment: Cloning Flow (diagram: Clone Windows 2012 PDC)
    • Rapid Deployment: Cloning Decision Flow (flowchart, reconstructed from the slide labels)
      BOOT
        Generation ID available?
          No  -> Does DCCloneConfig.xml exist?
                   Yes -> REBOOT INTO DSRM
                   No  -> BOOT NORMALLY
          Yes -> Does DCCloneConfig.xml exist?
                   No  -> BOOT NORMALLY
                   Yes -> Has Generation ID changed?
                            No  -> Rename DCCloneConfig.xml; BOOT NORMALLY
                            Yes -> INITIATE CLONING
    • Cautionary Notes
      - Only Windows Server 2012 virtual Domain Controllers can be cloned
      - Requires the PDC FSMO to be a Windows Server 2012 DC
      - Deploying clone DCs on virtualization platforms that don’t provide VM-Generation ID will:
        with DCCloneConfig – cause the clone DC to boot into Directory Services Restore Mode (DSRM);
        without DCCloneConfig – potentially introduce a USN bubble and duplicate SIDs, which disrupts the Active Directory environment
      - Do not change/swap/switch VHDs on existing VMs: the VM-Generation ID does not change in Windows Server 2012 Hyper-V
    • Summary
      - Windows Server 2012 enables a much richer Active Directory virtualization experience: domain controllers can be virtualized without the concerns of the past
      - Enables the rapid deployment of domain controllers by leveraging the virtualized platform’s native capabilities
      - Saves critical time during forest/domain recovery
      - Trivializes scale-out to meet the needs of the environment