Updates from QA Training

Active Directory VM Generation IDs

Virtual Machine snapshot and cloning technologies provide us with a way of rolling back changes and duplicating VMs that can aid in testing and troubleshooting. However, these technologies can present challenges in production environments when used, particularly when used with Active Directory Domain Controllers.


Andy Fox | 30 January 2013

With Windows Server 2012, Microsoft added a feature to Active Directory, the VM Generation ID, that lets a domain controller detect that it has been reverted to a snapshot or cloned and take corrective action before it writes anything further, so that replication with its partners can continue safely.

The Problem

To ensure correct replication of changes, Active Directory identifies every originating write by two values: the USN (Update Sequence Number), a 64-bit counter that each domain controller increments for every write to its local database, and the Invocation ID, a GUID that identifies that domain controller's particular copy of the database. Replication partners keep, per Invocation ID, the highest USN they have already received (the high-watermark and up-to-dateness vector), so the pair (Invocation ID, USN) must never identify two different changes anywhere in the forest.

The problem arises when a virtual domain controller is rolled back to an earlier state, usually by reverting a snapshot. The USN counter rolls back with the database, so the domain controller reuses USN values for new changes. Its partners have already recorded those USNs as received for that Invocation ID, so they believe they are up to date and never request the new changes; the copies of the directory silently diverge. Domain controllers since Windows Server 2003 SP1 detect this condition when they can (event ID 2095 in the Directory Service log), pause Netlogon and stop replicating, but the only supported remedy is then to demote and re-promote the domain controller or restore it from a proper backup; the rollback itself is not repaired.

The Solution

With Active Directory on Windows Server 2012, the hypervisor exposes a 128-bit VM Generation ID to the guest, which a driver inside Windows reads; the domain controller records that value in its own computer account object in the attribute msDS-GenerationId. The hypervisor changes the Generation ID whenever the VM is reverted to a snapshot or cloned.

On boot and before committing a write, Windows compares the VM Generation ID reported by the hypervisor with the value held in its computer object in AD DS (Active Directory Domain Services). If the two values differ, the domain controller has been reverted or cloned: it resets its Invocation ID, discards its RID (relative ID) pool so that relative IDs handed out after the snapshot cannot be issued a second time, marks SYSVOL non-authoritative, and stores the new Generation ID; only then does the write proceed. Because the new Invocation ID has never been seen by any partner, no (Invocation ID, USN) pair can be reused.

If the VM Generation ID and the value stored in the computer object are the same, the transaction is committed as normal.

This helps to avoid situations where Active Directory Replication fails due to Administrators rolling back Domain Controllers by using snapshot and cloning technologies.
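The following is an added example, not code from the original post or from Microsoft: a small in-memory PowerShell model of the bookkeeping described under The Problem and The Solution. Two toy domain controllers track each other's originating writes by the pair (InvocationId, USN) in an up-to-dateness vector; a snapshot revert rewinds the USN counter, and the script runs the same scenario once for a legacy DC and once for a DC that checks the VM Generation ID before writing. All names, values and the functions themselves are constructed for the illustration; nothing touches a real directory.

```powershell
# Added example: toy model of (InvocationId, USN) replication bookkeeping and the
# VM Generation ID safeguard. Constructed data only; no real AD is involved.

function New-Dc {
    param([string]$Name, [bool]$GenIdAware)
    $gen = [guid]::NewGuid()
    [pscustomobject]@{
        Name         = $Name
        GenIdAware   = $GenIdAware          # $true models a Server 2012 DC
        VmGenId      = $gen                  # value the hypervisor exposes to the guest
        StoredGenId  = $gen                  # models msDS-GenerationId (assume already recorded)
        InvocationId = [guid]::NewGuid()
        HighestUsn   = 0
        Changes      = @()                   # originating writes as (Inv, Usn, Key, Value)
        UtdVector    = @{}                   # partner InvocationId -> highest USN received
        Replica      = @{}                   # key -> value learned from partners
    }
}

function Write-Change {
    param($Dc, [string]$Key, [string]$Value)
    if ($Dc.GenIdAware -and $Dc.StoredGenId -ne $Dc.VmGenId) {
        # Generation ID changed since the database was last written: the 2012 safeguard.
        # (A real DC also discards its RID pool and marks SYSVOL non-authoritative here.)
        $Dc.InvocationId = [guid]::NewGuid()
        $Dc.StoredGenId  = $Dc.VmGenId
    }
    $Dc.HighestUsn++
    $Dc.Changes += [pscustomobject]@{ Inv = $Dc.InvocationId; Usn = $Dc.HighestUsn; Key = $Key; Value = $Value }
}

function Sync-From {
    param($Dest, $Source)
    # Dest asks Source for writes under Source's current InvocationId beyond what Dest already has.
    $inv  = $Source.InvocationId
    $have = if ($Dest.UtdVector.ContainsKey($inv)) { $Dest.UtdVector[$inv] } else { 0 }
    $new  = @($Source.Changes | Where-Object { $_.Inv -eq $inv -and $_.Usn -gt $have })
    foreach ($c in $new) { $Dest.Replica[$c.Key] = $c.Value }
    if ($Source.HighestUsn -gt $have) { $Dest.UtdVector[$inv] = $Source.HighestUsn }
    return $new.Count
}

function Checkpoint-Dc {
    param($Dc)   # what a hypervisor snapshot captures: the disk, including the directory database
    @{ HighestUsn = $Dc.HighestUsn; Changes = $Dc.Changes; StoredGenId = $Dc.StoredGenId }
}

function Restore-Dc {
    param($Dc, $Snapshot)
    $Dc.HighestUsn  = $Snapshot.HighestUsn
    $Dc.Changes     = $Snapshot.Changes
    $Dc.StoredGenId = $Snapshot.StoredGenId   # rolled back together with the database
    $Dc.VmGenId     = [guid]::NewGuid()       # the hypervisor hands the guest a new Generation ID
}

function Invoke-Scenario {
    param([bool]$GenIdAware)
    $dc1 = New-Dc 'DC1' $GenIdAware
    $dc2 = New-Dc 'DC2' $GenIdAware
    Write-Change $dc1 'alice' 'created'        # USN 1
    $snap = Checkpoint-Dc $dc1                 # snapshot taken at USN 1
    Write-Change $dc1 'bob' 'created'          # USN 2
    [void](Sync-From $dc2 $dc1)                # DC2 now records DC1 at USN 2
    Restore-Dc $dc1 $snap                      # revert: bob is gone from DC1, counter back to 1
    Write-Change $dc1 'carol' 'created'        # a legacy DC reuses USN 2 for this write
    $pulled = Sync-From $dc2 $dc1
    [pscustomobject]@{
        GenIdAware     = $GenIdAware
        ChangesPulled  = $pulled
        Dc2HasCarol    = $dc2.Replica.ContainsKey('carol')
        Dc2StillHasBob = $dc2.Replica.ContainsKey('bob')
    }
}

Invoke-Scenario -GenIdAware $false   # ChangesPulled 0, Dc2HasCarol False: carol never replicates
Invoke-Scenario -GenIdAware $true    # ChangesPulled 1, Dc2HasCarol True: new InvocationId, fresh watermark
```

In the legacy run DC2 already holds USN 2 for DC1's Invocation ID, so it asks for nothing and carol is stranded on DC1. In the Generation-ID-aware run the first write after the revert notices the mismatch, takes a new Invocation ID, and DC2 pulls everything under that ID from USN 0. Note what the safeguard does not do: the snapshot itself still discarded bob from DC1, and DC2 still holds the copy it replicated earlier; the feature keeps the (Invocation ID, USN) pairs unambiguous so replication can resume, it does not turn a snapshot into a supported backup.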

For more information check out the Microsoft document: Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100) .

The feature needs a hypervisor that exposes the VM Generation ID to the guest. Hyper-V on Windows Server 2012 does so, and on VMware it is supported from ESXi 5.0 build 821926 onwards, as detailed in VMware ESXi 5.0, Patch ESXi-5.0.0-20120904001-standard. A Server 2012 domain controller on an older hypervisor runs without the safeguard and behaves like a pre-2012 DC when reverted.
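As an added example (not from the original post or from Microsoft), the PowerShell below records the state a practitioner would want to compare before and after a snapshot revert: whether the domain controller's computer object carries msDS-GenerationId at all (absent means the hypervisor is not exposing a Generation ID), the current Invocation ID and highest committed USN, whether Directory Service event 2170 (generation ID change detected) has been logged, and whether the older USN-rollback quarantine has fired, which is recorded in the `Dsa Not Writable` value under the NTDS Parameters key. It assumes the ActiveDirectory module (RSAT) is available and that the caller can read the DC's computer object and its Directory Service event log; the function and output property names are mine.

```powershell
# Added example: capture and compare the VM Generation ID / Invocation ID state of a Server 2012 DC.
# Assumptions: RSAT ActiveDirectory module present; run as a user who can read the DC's computer
# object, its RootDSE and the Directory Service log. Event ID 2170 is Microsoft's documented
# "generation ID change has been detected" event; 2095 is the legacy USN rollback detection event.
Import-Module ActiveDirectory

function Get-DcGenerationIdState {
    param([string]$DcName = $env:COMPUTERNAME)

    $dc       = Get-ADDomainController -Identity $DcName
    $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $dc.HostName -Properties 'msDS-GenerationId'

    # msDS-GenerationId is an octet string; render it as hex so two captures can be compared by eye.
    $genBytes = $computer.'msDS-GenerationId'
    $genId    = if ($genBytes) { ($genBytes | ForEach-Object { '{0:X2}' -f $_ }) -join '' } else { $null }

    $rootDse  = Get-ADRootDSE -Server $dc.HostName

    # Directory Service log: 2170 = generation ID change detected (2012 safeguard fired),
    # 2095 = USN rollback detected by a partner (legacy path, DC has quarantined itself).
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2170, 2095 } `
                        -ComputerName $dc.HostName -MaxEvents 20 -ErrorAction SilentlyContinue

    # Legacy quarantine flag set by USN rollback detection; absent on a healthy DC.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainController    = $dc.HostName
        GenerationIdPresent = [bool]$genId
        GenerationId        = $genId
        InvocationId        = $dc.InvocationId
        HighestCommittedUsn = [int64]$rootDse.highestCommittedUSN
        GenIdChangeEvents   = @($evt | Where-Object Id -eq 2170).Count
        UsnRollbackEvents   = @($evt | Where-Object Id -eq 2095).Count
        DsaNotWritable      = if ($ntds -and $ntds.PSObject.Properties['Dsa Not Writable']) { $ntds.'Dsa Not Writable' } else { $null }
        CapturedAt          = Get-Date
    }
}

function Compare-DcGenerationIdState {
    param($Before, $After)
    # Interpret a before/after pair taken around a snapshot revert.
    $verdict = if (-not $After.GenerationIdPresent) {
        'No msDS-GenerationId: hypervisor does not expose a VM Generation ID; DC is unprotected'
    } elseif ($After.DsaNotWritable -or $After.UsnRollbackEvents -gt 0) {
        'USN rollback detected by the legacy mechanism: DC is quarantined, demote and re-promote'
    } elseif ($After.GenerationId -ne $Before.GenerationId -and $After.InvocationId -ne $Before.InvocationId) {
        'Generation ID changed and Invocation ID was reset: safeguard worked'
    } elseif ($After.GenerationId -ne $Before.GenerationId) {
        'Generation ID changed but Invocation ID unchanged: no write has happened yet, re-check after the next write'
    } else {
        'No revert or clone detected'
    }
    [pscustomobject]@{
        InvocationIdChanged = ($After.InvocationId -ne $Before.InvocationId)
        GenerationIdChanged = ($After.GenerationId -ne $Before.GenerationId)
        UsnBefore           = $Before.HighestCommittedUsn
        UsnAfter            = $After.HighestCommittedUsn
        Verdict             = $verdict
    }
}

# Typical use: capture before taking the snapshot, persist it, revert in the lab, capture again.
$before = Get-DcGenerationIdState
$before | Export-Clixml -Path "$env:TEMP\dc-genid-before.xml"
# ... revert the VM to the snapshot, let it boot, make one directory write ...
$after  = Get-DcGenerationIdState
Compare-DcGenerationIdState -Before (Import-Clixml "$env:TEMP\dc-genid-before.xml") -After $after
```

The Invocation ID only changes when the DC next writes, so a capture taken immediately after the revert and before any write can show a new Generation ID with the old Invocation ID; the comparison reports that case separately rather than calling it a failure. If `UsnAfter` is lower than `UsnBefore` while the Invocation ID is unchanged, the legacy problem from the first half of this post is exactly what you are looking at.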

Andy Fox

Senior Learning Consultant

Andy has been a Consultant Instructor with QA for 10 years, and has 16 years IT Training experience. In his 25+ years in the IT industry he has gained experience working with Novell products and Microsoft from MS-DOS onwards. Since joining QA, his focus moved towards SuSE Linux where he gained CLP and CLE status. Over the past 4 years he has been engaged in the delivery of VMware vSphere training and has gained VCP, VCI and VCAP-DCA status.