Forbidden fruits of Active Directory – Cloning, snapshotting, virtualization
  1. Windows Server 2012. Forbidden fruits of Active Directory: Cloning, Snapshotting, Safe Virtualization
  2. Forbidden fruits of Active Directory: Cloning, Snapshotting, Virtualization. Benjamin Logist, Wim Henderyckx. Premier Field Engineer, Microsoft Services
  3. 3. Agenda
  4. 4. Agenda
  5. Importance of Virtualization in IT
     • Well-established and still growing trend, widely adopted across all market segments
     • Often a business decision driven by cost savings: fewer machines require less space and power; consolidating server hardware gives optimal hardware utilization
     • It also provides numerous technological conveniences
     • Virtualization paves the way toward private-cloud deployments: it reduces deployment and management complexity and offers redundancy and dynamic-scale capabilities
  6. 6. Agenda
  7. Virtualization of Domain Controllers, Pre-Windows Server 2012
     • DCs have been successfully deployed on virtualization platforms for many years, according to a set of well-defined best practices; those best practices advised against actions that could disrupt Active Directory
     • Best-practices guidance cautioned against: applying snapshots to virtual domain controllers; exporting a virtual machine that is running a domain controller; copying virtual hard disks (VHDs)
     • Hypervisor admins are not necessarily aware of Active Directory’s requirements or best practices
  8. Virtualization Challenges
     • Virtual machines offer snapshot capabilities, which are potentially problematic for distributed applications
     • Why? Applications experience a logical-clock shift: operations happen outside the OS’s or application’s awareness
     • Active Directory’s logical clock is its USN (update sequence number)
  9. How Domain Controllers are Impacted
     • Impact to replication: lingering objects; inconsistent passwords; inconsistent attribute values; schema mismatches if the Schema FSMO is rolled back
     • Potential for security principals to be created with duplicate SIDs, resulting in unauthorized access to resources for a period of time; the affected users will no longer be able to log on
  10. 10. How Domain Controllers are Impacted
  11. 11. Agenda
  12. Safe Domain Controller Virtualization
     • Windows Server 2012 virtual DCs are able to detect when snapshots are applied or a VM is copied
     • Detection is built on a VM-generation identifier (VM-Generation ID); the VM-Generation ID is changed when features such as VM snapshots are used
  13. Active Directory’s Safe Virtualization
     • VM-Generation ID is provided by the hypervisor platform: a unique 128-bit identifier that guest operating systems and applications can leverage, made available to applications through a Windows Server 2012 driver
     • Windows Server 2012 virtual DCs track the VM-Generation ID, which allows the DC to detect changes and protect Active Directory
  14. Safe Domain Controller Virtualization (diagram): DC1(A)@USN = 200, DC1(A)@USN = 200, DC1(A)@USN = 250. USN re-use is avoided and USN rollback is PREVENTED: all 250 users converge correctly across both DCs
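A check a practitioner would want before relying on the protection described above, as an added PowerShell example that is not from the slides: a Windows Server 2012 DC that has seen a VM-Generation ID records it in the msDS-GenerationId attribute of its own computer object, so a DC where that attribute is empty is physical, pre-2012, or hosted on a hypervisor that does not provide VM-Generation ID, and snapshots of it remain unsafe. The function name Get-DcGenerationIdReport is assumed.

```powershell
# Added example (not from the slide deck). Run from any domain-joined machine
# with the ActiveDirectory module. Each DC is queried directly, because the
# msDS-GenerationId value is written by that DC about itself.
Import-Module ActiveDirectory

function Get-DcGenerationIdReport {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $obj = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $dc.HostName `
            -Properties 'msDS-GenerationId', OperatingSystem
        $gen = $obj.'msDS-GenerationId'   # byte[] holding the 128-bit ID, or $null
        [pscustomobject]@{
            DC                 = $dc.HostName
            OperatingSystem    = $obj.OperatingSystem
            GenerationId       = if ($gen) { ($gen | ForEach-Object { $_.ToString('x2') }) -join '' } else { $null }
            SafeVirtualization = [bool]$gen
        }
    }
}

$report = Get-DcGenerationIdReport
$report | Format-Table -AutoSize

# DCs without a generation ID must still be treated the pre-2012 way:
# no snapshots, no VM exports, no VHD copies.
$report | Where-Object { -not $_.SafeVirtualization } |
    ForEach-Object { Write-Warning "$($_.DC): no VM-Generation ID, snapshots are unsafe" }
```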
  15. 15. Agenda
  16. Cloning Architecture: VDC Cloning at 30,000 Feet (Nine Steps). Prepare the environment:
     1. Validate that the hypervisor supports VM-Generation ID.
     2. Select a valid source DC running Windows Server 2012.
     3. Verify that the PDCE FSMO is Windows Server 2012.
  17. Cloning Architecture: VDC Cloning at 30,000 Feet (Nine Steps). Prepare the source DC:
     4. Authorize a DC for cloning.
     5. Remove incompatible components.
     6. Take the source DC offline.
  18. Cloning Architecture: VDC Cloning at 30,000 Feet (Nine Steps). Create the cloned DC:
     7. Copy or export the source VM and add the XML if not already copied.
     8. Create a new VM from the copy.
     9. Start the new VM to commence cloning.
  19. 19. Cloning ArchitectureVDC Cloning at 30,000 Feet (Nine Steps)
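Steps 3 to 6 of the procedure above as they would be typed on the source DC, as an added PowerShell example that is not from the slides; the clone name CLONE01, the site name and the IP addresses are assumed placeholder values. New-ADDCCloneConfigFile itself re-checks the PDC emulator version, the group membership and the excluded-application list before it writes DCCloneConfig.xml, so a failed check surfaces here rather than on the clone's first boot.

```powershell
# Added example (not from the slide deck). Run in an elevated PowerShell
# session on the Windows Server 2012 source DC. CLONE01, the site name and the
# IP addresses are assumed placeholder values for the clone.
Import-Module ActiveDirectory

# Step 3: the PDC emulator FSMO must run Windows Server 2012
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.OperatingSystem -notlike 'Windows Server 2012*') {
    throw "PDC emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)'; cloning needs Windows Server 2012"
}

# Step 4: authorize this DC for cloning by adding its computer account to the
# Cloneable Domain Controllers group (the membership must replicate to the PDC)
$me = Get-ADComputer -Identity $env:COMPUTERNAME
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $me

# Step 5: list installed services and programs that are not on the default
# clone allow list. Each entry must be uninstalled, or deliberately
# allow-listed, before the clone is created.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    Write-Warning 'Applications not known to be clone-safe:'
    $excluded | Format-Table -AutoSize
    # Only after every entry has been reviewed and judged clone-safe:
    # Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
    throw 'Review the excluded application list before continuing'
}

# Write DCCloneConfig.xml into the DIT directory with a static address for the
# clone. The cmdlet re-runs the checks above before it writes the file.
New-ADDCCloneConfigFile -CloneComputerName 'CLONE01' `
    -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.20' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.10'

# Step 6: take the source DC offline before its VM is exported or copied
Stop-Computer
```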
  20. 20. DCCloneConfig.xml sample
  21. Rapid Deployment: Cloning Flow (diagram: Clone, Windows 2012 PDC)
  22. Rapid Deployment: Cloning Decision Flow (reconstructed from the flowchart). On BOOT:
     • Is a Generation ID available?
        • No: does DCCloneConfig.xml exist? Yes: REBOOT INTO DSRM. No: BOOT NORMALLY.
        • Yes: has the Generation ID changed?
           • No: does DCCloneConfig.xml exist? Yes: rename DCCloneConfig.xml. No: BOOT NORMALLY.
           • Yes: does DCCloneConfig.xml exist? Yes: INITIATE CLONING. No: BOOT NORMALLY.
  23. Cautionary Notes
     • Only Windows Server 2012 virtual Domain Controllers can be cloned
     • Requires the PDC FSMO to be a Windows Server 2012 DC
     • Deploying clone DCs on virtualization platforms that don’t provide VM-Generation ID will: with DCCloneConfig, cause the clone DC to boot into Directory Services Restore Mode (DSRM); without DCCloneConfig, potentially introduce a USN bubble and duplicate SIDs, which disrupts the Active Directory environment
     • Do not change/swap/switch VHDs on existing VMs: the VM-Generation ID does not change in Windows Server 2012 Hyper-V
  24. Summary
     • Windows Server 2012 enables a much richer Active Directory virtualization experience: domain controllers can be virtualized without the concerns of the past
     • Enables the rapid deployment of domain controllers by leveraging the virtualized platform’s native capabilities: saves critical time during forest/domain recovery; trivializes scale-out to meet the needs of the environment