Paul Gregory | 29 October 2012
With Windows Server 2012 Microsoft have introduced technologies they are branding as Safe Virtualization features. These features revolve around Domain Controllers (DC) and include being able to clone a DC and rolling a DC back to a snapshot safely.
DC cloning can be read about here.
First and foremost I think it is important so state that I would not recommend snapshotting a Domain Controller the same as any database based service. My recommendations would always be to have the correct testing facilities and recovery processes and practices in place. I also understand some organisations like to have as many get out of jail options as possible and therefore might also wish to use DC snapshotting as an option when performing high risk operations like applying service packs.
DC snapshotting only works with Windows Server 2012 DC's and hypervisors which support the VM GenerationID attribute, these include Hyper-V3.0 and ESX 5.1, I am sure all vendors will enable these features very soon. When a DC starts for the first time and it detects that it is running as a virtual machine and it queries the hypervisor for the VM GenerationID and stores this as an attribute with the computer object within Active Directory for the DC. While everything is all fine the ID does not change.
If during the life of the VM a snapshot is taken and the VM is rolled back to the snapshot the Hypervisor will change the VM GenerationID presented to the VM. When Active Directory starts on the VM it will query for the VM GenerationID and detect that it has changed at this point the DC will delete its RID pool (so it cannot create objects with duplicate ID's) the DC will be reset its Invocation ID and will enter recovery mode (just like a Non-Authorative restore) and will receive objects from its partner DC's to roll is database forward. Once complete the DC will continue as normal. Within Event Viewer you can see the VM GenerationID events being raised and there the detection of a snapshot being applied.