Windows Server 8 AD Cloning, Virtualization, and Snapshots Warning ~ My blog about Active Directory and everything else

Monday, March 19, 2012

Windows Server 8 AD Cloning, Virtualization, and Snapshots Warning

Windows Server 8 Beta has a lot of nice features. Two features that are getting a lot of buzz in the Active Directory world are the ability to easily clone domain controllers and the support for restoring Active Directory using snapshots.

Using snapshots can cause USN Rollback and other problems.  Mark Ramey from the Microsoft AD team has an excellent blog entry that you can read for more info.

I added the word Warning to the title of this blog because I've seen a few blogs, posts, and articles that may lead people to believe that this can all be done with a few mouse clicks. This is not the case. It is not hard, but there are some major prerequisites and steps that people have to be aware of.

A few screenshots from my lab using VMware Workstation. These options exist in most hypervisor products.

Cloning in VMware Workstation 8


Snapshot in VMware Workstation 8



***WARNING***  You can't just use the GUI and start cloning and taking snapshots without causing issues in a domain/forest with multiple DCs. You can't manually copy the virtual machine files. VMware Workstation 8 and the current VMware products don't support these features.

To take advantage of these features, the virtualization host must support VM Generation ID. I'm guessing by the time Windows 8 is released all major vendors will support this, but that means most folks will have to upgrade their hypervisor.

Microsoft currently has two really good documents that are a must read for anyone interested in these new features:

Test Lab Guide: Demonstrate Virtualized Domain Controller (VDC) in Windows Server "8" Beta

Understand and Troubleshoot Virtualized Domain Controller (VDC) in Windows Server "8" Beta  - written by Ned Pyle - Outstanding document!!

I won't repeat the documents, but here are some important sections.


Steps to deploy a cloned virtualized domain controller


1. Create the customized DcCloneConfig.xml file on a source domain controller
2. Detect incompatible programs on the source domain controller
3. Ensure the PDC emulator runs Windows Server "8" Beta, is not the clone source, and is available
4. Authorize the source domain controller for cloning
5. Shut down the source domain controller and copy its disk
6. Create a new clone virtual machine using the copied disks
7. Start the source and cloned domain controller, then allow cloning to occur


For those that are fans of the GUI:
There is no task-oriented graphical management program for VDC cloning in Windows Server "8" Beta; the provisioning steps are performed manually or using Windows PowerShell.
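A read-only pre-flight check for the host requirement and steps 1 to 4 of the cloning procedure, as an added example that is not from this post or from Microsoft's documents. It assumes the ActiveDirectory module as shipped in released Windows Server 2012 (the cmdlet names, the `Cloneable Domain Controllers` group and the `msDS-GenerationId` attribute are not named on this page); `Test-DcCloneReadiness` is a hypothetical function name.

```powershell
# Added example: read-only checks, run elevated on the intended clone source DC.
# Assumes the ActiveDirectory module from released Windows Server 2012.
Import-Module ActiveDirectory

function Test-DcCloneReadiness {
    param([string]$SourceDc = $env:COMPUTERNAME)   # assumption: defaults to the local DC
    $findings = @()

    # Host requirement: msDS-GenerationId is populated only when the hypervisor
    # exposes a VM Generation ID. It is not replicated, so ask the source DC itself.
    $dc = Get-ADComputer -Identity $SourceDc -Server $SourceDc -Properties 'msDS-GenerationId'
    if ($null -eq $dc.'msDS-GenerationId') { $findings += 'Hypervisor does not expose a VM Generation ID' }

    # Step 1: look for DcCloneConfig.xml in the DSA working directory (where ntds.dit lives).
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $cfg  = Join-Path $ntds.'DSA Working Directory' 'DcCloneConfig.xml'
    if (-not (Test-Path $cfg)) { $findings += "Missing $cfg" }

    # Step 2: services and programs that are on neither the default nor the custom allow list.
    $excluded = @(Get-ADDCCloningExcludedApplicationList)
    if ($excluded.Count -gt 0) { $findings += "$($excluded.Count) program(s)/service(s) not on the allow list" }

    # Step 3: the PDC emulator answers, is not the source, and runs version 6.2 or later.
    $pdcFqdn = (Get-ADDomain).PDCEmulator
    try {
        $pdc = Get-ADDomainController -Identity $pdcFqdn -Server $pdcFqdn -ErrorAction Stop
        if ($pdc.Name -eq $SourceDc) { $findings += 'PDC emulator is the clone source' }
        $osVer = [version](($pdc.OperatingSystemVersion -split ' ')[0])
        if ($osVer -lt [version]'6.2') { $findings += "PDC emulator OS version is $osVer" }
    } catch {
        $findings += "PDC emulator $pdcFqdn is not reachable: $($_.Exception.Message)"
    }

    # Step 4: the source DC is authorized through group membership.
    $members = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' | ForEach-Object { $_.Name }
    if ($members -notcontains $SourceDc) { $findings += 'Source DC is not in Cloneable Domain Controllers' }

    $findings
}

$result = Test-DcCloneReadiness
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'All checks passed' }
```

The function changes nothing on the DC; steps 5 to 7 (shutdown, disk copy, first boot of the clone) are hypervisor operations and are not covered.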


Steps to restore a DC snapshot


1. Take snapshot of DC
2. Create a new Group Policy
3. Validate GP replication (SYSVOL replication)
4. Restore DC Snapshot



You can read the documents to get a lot more info. Ned's document is 162 pages... Ned is the king of documentation and writing :)

As I start using this feature more and eventually use this in production in the future I hope to write more on these features.  I won't try to replicate Ned's excellent document but there is going to be more to come.

4 comments:

  1. Hello Mike,

    that's really good you pointed out that this action cannot be performed 'just like that'. Many of us probably heard about this new feature and thought 'Hey! I can simply clone and restore DC from snapshot' but it is not so simple :)

    and I would suggest that less experienced administrators shouldn't do that in production before they would test it in their own test environment. This may save a lot of time with cleaning up a USN Rollback as you mentioned at the beginning of this post and many new posts to solve on forums ;)

    In bigger virtualized environments, I still suggest using templates to deploy a new server (and promote it as DC then) i.e. in ESX or XenServer

    Good job, Mike! I really like your blog! Thanks for writing.

    Regards,
    Krzysztof

  2. Thanks Krzysztof, I saw one blog where the person said people could just copy VHD files and that's it with Windows 8. I can imagine future versions making it a bit easier. I agree with you about templates.

    Thanks for the nice words, I appreciate that a lot!

  3. Hello Mike, First congratulations for the blog. That's a really interesting topic about the new WS 2012. I have a question regarding DC Cloning with WS 2K12, I am having problems with the final step of the cloning, I believe it is the simplest step I am missing somewhere during the step process.
    My First question is:

    My scenario is:

    1DC01 - (PDC)
    1DC02 - (Source DC)

    1 - Is it mandatory to have a CustomDCCloneAllowList file within the NTDS.DIT Directory for the cloning process to work or can I only put the DCCloneConfig File (I mean, I've run the cmdlet to find any program and it returns nothing)?

    2 - I am doing everything on my source DC (pasting the file on the right path, editing the file with the specific information, copying or exporting the VM or the VHDx file). Everything like Microsoft suggests, but I cannot finish the Cloning.

    When I boot the source VM, it works great, normally, however when I first boot the Cloned one, it shows the information below:

    "Getting devices ready"
    after a few minutes (there is no message "Domain Controller Cloning is in.. ") it reboots.
    After it reboots, it shows the "please wait" and finally it allows me to put my credentials, however when I try to logon as a Domain Admin, it shows the error message "There are Currently no logon servers available to service the logon request"
    If I decide to log in as a Local Administrator, it logs in in SAFE MODE.
    When I look for the information, it's got the same source Hostname, but everything is similar to a brand new machine. No IP Configuration Changes (instead, it clears the IP Configuration, now it is DHCP), No Names Changed, Etc.

    What am I doing wrong, you have any idea?

    Thanks a lot
