Windows Server 2012 : Virtualization Safeguards

One of the new features in Windows Server 2012 AD DS is the presence of “virtualization safeguards”.

USN and InvocationID

AD DS depends on two monotonically increasing logical values:

a) USN (Update Sequence Number), assigned to transactions on each domain controller

b) InvocationID, the Active Directory database GUID, used to identify the database instance (the version of the database).

Note: InvocationID is stored in an attribute on the NTDS Settings object.

How the Active Directory Replication Model Works

The InvocationID of a domain controller and its USN together are unique in the forest and are used to determine what changes need to be replicated to other domain controllers.

Certain hypervisor capabilities (for example, the ability to create a snapshot and apply it later) may, when used with domain controllers, introduce a permanently divergent state: in the snapshot example, a USN could be used twice and replication would never converge.

(Image from Samuel Devasahayam TechEd 2012 presentation “Active Directory Virtualization Safeguards and Domain Controller Cloning with Windows Server 2012”)

SIA317 - Active Directory Virtualization Safeguards and Domain Controller Cloning with Windows Server 2012
Windows Server 2012 introduces “virtualization safeguards”.

VM-Generation ID

Virtual DCs can detect when a snapshot is applied or a VM is copied by using an identifier called the VM-Generation ID.

This value is saved in the msDS-GenerationID attribute during domain controller promotion.

VM-Generation ID is stored in the Active Directory database (directory information tree, DIT) as a non-replicated attribute on the DC's computer object.

When processing any subsequent transaction, the current value of the VM-Generation ID from the virtual machine is compared against the value in the DIT.

  • If the two values are different, the invocationID is reset and the RID pool is discarded (preventing USN re-use). The transaction is then committed.
  • If the values are the same, the transaction is committed as normal.

Each time the domain controller is rebooted, AD DS also compares the current value of the VM-Generation ID from the virtual machine against the value in the DIT and, if they differ, it resets the invocationID, discards the RID pool and updates the DIT with the new value.
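As an added illustration (not from the original page or from Microsoft), the following Python model of the comparison above shows why resetting the invocationID keeps replication converging after a snapshot is applied: the partner tracks a high-watermark USN per source invocationID, so a rolled-back DC that reuses a USN under a new invocationID is still replicated. The DC, partner and watermark logic are simplified assumptions, not the real replication engine.

```python
import copy
import uuid


class DomainController:
    """Toy model of a virtual DC with the VM-Generation ID safeguard."""
    def __init__(self, vm_generation_id):
        self.vm_generation_id = vm_generation_id    # value the hypervisor exposes to the guest
        self.dit_generation_id = vm_generation_id   # msDS-GenerationId as stored in the DIT
        self.invocation_id = uuid.uuid4()
        self.usn = 0
        self.rid_pool = list(range(1000, 1500))     # constructed sample RID pool
        self.changes = []                           # (invocationID, USN, object) log
    def snapshot(self):
        return copy.deepcopy(self)
    @staticmethod
    def restore(snap, new_vm_generation_id):
        dc = copy.deepcopy(snap)
        dc.vm_generation_id = new_vm_generation_id  # hypervisor hands the restored VM a new ID
        return dc
    def commit(self, obj, safeguard=True):
        """Commit a transaction; with the safeguard, first compare VM ID against DIT ID."""
        if safeguard and self.vm_generation_id != self.dit_generation_id:
            self.invocation_id = uuid.uuid4()       # reset invocationID
            self.rid_pool = []                      # discard RID pool (a new one is requested later)
            self.dit_generation_id = self.vm_generation_id
        self.usn += 1
        self.changes.append((self.invocation_id, self.usn, obj))


class Partner:
    """Replication partner: keeps a high-watermark USN per source invocationID."""
    def __init__(self):
        self.watermark = {}
        self.received = []
    def pull(self, dc):
        for inv, usn, obj in dc.changes:
            if usn > self.watermark.get(inv, 0):
                self.watermark[inv] = usn
                self.received.append(obj)


def scenario(safeguard):
    """Snapshot, change, replicate, roll back, change again: what does the partner see?"""
    dc, partner = DomainController(vm_generation_id=1), Partner()
    dc.commit("user-a", safeguard)
    snap = dc.snapshot()
    dc.commit("user-b", safeguard)
    partner.pull(dc)
    dc = DomainController.restore(snap, new_vm_generation_id=2)
    dc.commit("user-c", safeguard)                  # reuses USN 2 on the rolled-back DC
    partner.pull(dc)
    return partner.received
```

Without the safeguard the partner never receives "user-c", because USN 2 under the old invocationID is already below its watermark; with it, the new invocationID starts a fresh watermark and the change replicates.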

These safeguards enable AD DS administrators to benefit from the unique advantages of deploying and managing domain controllers in a virtualized environment.

Notes

1) If a DC is rolled back, FSMO role holders delay servicing FSMO functions until a replication cycle has completed.

2) One DC per domain MUST be hosted on a VM-Generation-ID-aware virtual platform, because the VM-Generation ID is provided by the hypervisor platform.
