Andy Fox | 30 January 2013
Virtual machine snapshot and cloning technologies give us a way of rolling back changes and duplicating VMs, which can help with testing and troubleshooting. However, these technologies can present challenges when used in production environments, particularly with Active Directory Domain Controllers.
With the release of Active Directory in Windows Server 2012, Microsoft have provided a great new feature called the VM Generation ID, which helps cope with Active Directory replication between servers that may have been rolled back to a previous snapshot or cloned, and eliminates conditions where replication is not
To ensure correct replication of changes, Active Directory uses a combination of Update Sequence Numbers (USNs), a counter on each Domain Controller that increases with every write to its copy of the database, and Invocation IDs, the GUIDs that identify each Domain Controller's database instance. The Invocation ID and USN together uniquely reference a change, which is why the Invocation ID must be unique within the forest.
The "issue" arises when a virtual machine is rolled back to a previous version (usually using snapshot technologies). The USN counter goes back to its earlier value, so subsequent changes in effect "reuse" USN values that replication partners have already received for that Invocation ID. Because partners have already seen that Invocation ID and USN combination, they consider themselves up to date and the new changes are never replicated, so replication cannot continue correctly.
With Active Directory in Server 2012, the VM Generation ID is stored in the Domain Controller's computer account object in the attribute msDS-GenerationId. The current value exposed by the hypervisor is tracked by a driver inside Windows in the VM.
When the Domain Controller is about to commit a change, for example after an Administrator has reverted to a previous snapshot, Windows compares the VM Generation ID currently reported by the hypervisor with the value held in its computer object in AD DS (Active Directory Domain Services). If the two values differ, the Invocation ID is reset and the RID (relative ID) pool is discarded, so that an Invocation ID and USN combination already seen by replication partners cannot be reused.
If the VM Generation ID and the value stored in the computer object are the same, the transaction is committed as normal.
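As an added example (my own script, not code from Microsoft or the original post), the following PowerShell report pulls, for every Domain Controller in the domain, its Invocation ID, whether msDS-GenerationId is populated on its computer object, and recent Directory Service events covering both mechanisms described above: USN rollback detection and VM Generation ID detection or change. It assumes the ActiveDirectory module (RSAT) is installed, that you can read the Directory Service event log on each DC remotely, and that event IDs 2095 (USN rollback detected), 2168 (hypervisor supports VM Generation ID) and 2170 (Generation ID change detected) are the ones Microsoft documents for these conditions; confirm those IDs in the Event Viewer on your own DCs before relying on the counts.

```powershell
# Added example: audit domain controllers for VM Generation ID support and
# USN rollback symptoms. Not part of the original post.
# Assumes: ActiveDirectory module (RSAT) and rights to read the Directory
# Service log on each DC. Event IDs are those Microsoft documents for
# virtualized DCs; verify them against your own environment.
Import-Module ActiveDirectory

function Get-VmGenerationIdReport {
    param(
        # How many days back to scan the Directory Service log
        [int]$Days = 30
    )

    foreach ($dc in Get-ADDomainController -Filter *) {
        $computer   = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId'
        $genIdBytes = $computer.'msDS-GenerationId'

        # msDS-GenerationId is an 8-byte octet string. If it is empty the
        # hypervisor is not exposing a VM Generation ID to this DC (or the
        # DC is physical), so snapshot reverts are NOT protected.
        $genId = if ($genIdBytes) { [BitConverter]::ToInt64([byte[]]$genIdBytes, 0) } else { $null }

        # 2095: USN rollback detected by a replication partner
        # 2168: DC detected a hypervisor that supports VM Generation ID
        # 2170: Generation ID change detected (snapshot revert or clone)
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 2095, 2168, 2170
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue

        $genChanges = @($events | Where-Object Id -eq 2170 | Sort-Object TimeCreated -Descending)

        [pscustomobject]@{
            DomainController   = $dc.HostName
            InvocationId       = $dc.InvocationId
            GenerationIdStored = ($null -ne $genId)
            GenerationId       = $genId
            HypervisorSupport  = @($events | Where-Object Id -eq 2168).Count -gt 0
            GenIdChangeEvents  = $genChanges.Count
            LastGenIdChange    = if ($genChanges.Count -gt 0) { $genChanges[0].TimeCreated } else { $null }
            UsnRollbackEvents  = @($events | Where-Object Id -eq 2095).Count
        }
    }
}

Get-VmGenerationIdReport -Days 30 | Format-Table -AutoSize
```

Run the report before and after reverting a test Domain Controller to a snapshot. On a supported hypervisor the Invocation ID changes and a fresh 2170 event appears, which is the Invocation ID reset described above doing its job. A DC whose msDS-GenerationId comes back empty is not protected, and a non-zero count of 2095 events on any DC means a rollback has already been noticed by its replication partners and needs attention rather than another revert.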
This helps to avoid situations where Active Directory Replication fails due to Administrators rolling back Domain Controllers by using snapshot and cloning technologies.
For more information check out the Microsoft document: Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100) .
This feature is supported in ESXi versions from 5.0 build 821926 onwards as detailed in VMware ESXi 5.0, Patch ESXi-5.0.0-20120904001-standard .