

Windows Server 2012 VM-Generation ID Support in vSphere

Update 1/25/2013: The vSphere versions required for VM-Generation ID support have been updated below.

Active Directory Domain Services has been one of those applications that, to the naked eye, seemed like a no-brainer to virtualize. Why not? In most environments it’s a fairly low-utilization workload, rarely capable of efficiently using the resources found in many of the enterprise-class servers that have been available for the past few years. Many organizations have adopted this way of thinking and have successfully virtualized all of their domain controllers. What about the hold-outs? What is it about Active Directory that has left so many AD administrators and architects keeping their infrastructure, or at least a portion of it, on physical servers?

Until recently, some argued, a couple of limitations diminished the advantages of virtualization. These limitations included the lack of support for cloning domain controllers and the inability to use features such as snapshots due to the risk of roll-back.

With the release of Windows Server 2012, Microsoft has validated the role virtualization plays in the data center by adding functionality that effectively lifts these limitations. The feature known as VM-Generation ID allows hypervisor vendors to expose a virtual machine identifier that Windows Server 2012 domain controllers can use to detect the state of a virtual machine and trigger new Active Directory safeguards. These safeguards protect Active Directory from the dreaded USN roll-back if a virtual machine is reverted to a snapshot or rolled back by other mechanisms.
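The following Python model is an added illustration of the safeguard described above, not code from Microsoft or VMware. The class names, the `gen-A`/`gen-B` values and the single-partner replication logic are assumptions made for the example. It shows why a reverted snapshot strands new changes behind the partner's USN watermark, and how giving the database a new invocation ID when the generation ID changes avoids that; the other safeguard actions (such as discarding the RID pool) are left out.

```python
# Added illustration: a simplified model, not Microsoft or VMware code.
import copy
import uuid
from dataclasses import dataclass, field


@dataclass
class DomainController:
    invocation_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    usn: int = 0                    # highest update sequence number issued
    stored_gen_id: str = "gen-A"    # constructed value: last generation ID saved
    changes: dict = field(default_factory=dict)  # (invocation_id, usn) -> value

    def write(self, value, hypervisor_gen_id, safeguard=True):
        # Safeguard: compare the ID exposed by the hypervisor with the saved one
        # before committing. A mismatch means the VM was reverted or copied.
        if safeguard and hypervisor_gen_id != self.stored_gen_id:
            self.invocation_id = uuid.uuid4().hex  # new database identity
            self.stored_gen_id = hypervisor_gen_id
        self.usn += 1
        self.changes[(self.invocation_id, self.usn)] = value


class Partner:
    """Replication partner: remembers the highest USN seen per invocation ID."""

    def __init__(self):
        self.watermark = {}
        self.received = []

    def pull(self, dc):
        for (inv, usn), value in sorted(dc.changes.items(), key=lambda c: c[0][1]):
            if usn > self.watermark.get(inv, 0):
                self.received.append(value)
                self.watermark[inv] = usn


def revert_scenario(safeguard):
    """Return True if a change made after a snapshot revert reaches the partner."""
    dc, partner = DomainController(), Partner()
    dc.write("user-1", "gen-A", safeguard)
    snapshot = copy.deepcopy(dc)             # VM snapshot taken at USN 1
    dc.write("user-2", "gen-A", safeguard)
    dc.write("user-3", "gen-A", safeguard)
    partner.pull(dc)                         # partner watermark is now 3
    dc = snapshot                            # revert: hypervisor exposes gen-B
    dc.write("user-4", "gen-B", safeguard)   # USN 2 is reused after the revert
    partner.pull(dc)
    return "user-4" in partner.received
```

Calling `revert_scenario(False)` models a domain controller without the safeguard, and `revert_scenario(True)` models one that checks the generation ID before each write.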

Besides protecting Active Directory from unintentional roll-back, these new safeguards and VM-Generation ID allow administrators to safely clone Windows Server 2012 domain controllers. When properly prepared, a Windows Server 2012 domain controller may be used as a source for new domain controllers. Not only does this eliminate the additional tasks of preparing a base virtual machine for becoming a domain controller, it reduces the time required for replication of a new copy of the Active Directory database.

VM-Generation ID functionality requires the hypervisor vendor to create the virtual machine identifier and expose it to the guest. VMware has provided this functionality in the following releases of vSphere:

  • VMware vSphere 5.0 Update 2 (vCenter Server and ESXi must both be at 5.0 Update 2)
  • VMware vSphere 5.1 (ESXi must be at least 5.0 Update 2)

More information on VM-Generation ID, supported methods for cloning domain controllers, and domain controller safeguards can be found at the following TechNet links:

Introduction to Active Directory Domain Services Virtualization (Level 100): http://technet.microsoft.com/en-us/library/hh831734.aspx

Virtualized Domain Controller Technical Reference (Level 300): http://technet.microsoft.com/en-us/library/jj574214.aspx

-alex

15 thoughts on “Windows Server 2012 VM-Generation ID Support in vSphere”


  3. joe richards

    Is there any documentation that indicates all of the triggers that will cause vmware to expose a new vmgenid to the guest to use? I.E. A table that lists things like Revert Snapshot, move guest from non-vmgenid-aware version to vmgenid-aware version, upgrade from non-vmgenid-aware version to one that is aware, copy file through vmware API, etc. Also, if someone messes with the files in the underlying filesystem outside of vmware (i.e. on a NAS/SAN via rollback or reverting a mirror or something) will a new vmgenid be supplied to the guest?

    1. Alex Fontana (Post author)

      Hey Joe, long time no see/speak/email.

      Short answer, no, or not yet. At this time we support the scenarios Microsoft has called out which include clone VM, copy disk, revert VM snapshot, which includes just about all ways you can accomplish (i.e. vmware api call, etc). Regarding movement from aware to non-aware and vice versa; if using vSphere 5.0 and hardware version 8 there is nothing stopping the VM from migrating to a non-aware version. If cloning or snapshotting occurs there this could be a problem so it is recommended to use at least vSphere 5.0 Update 2 across the board. If using vSphere 5.1 or higher and VM version 9 then you cannot migrate to a non-aware version. We will be providing an updated active directory best practices guide in the near future that will get into this in more detail. Keep an eye on this blog for news of when that is available.
      -alex

      Alex Fontana
      Microsoft Solutions Architect, VMware

      1. joe richards

        Yeah it has been awhile, I am thinking DEC at Red Rock sitting in the bar… Good times. :)

        Thanks for the info. Definitely keep me informed. As you know, virtualizing DCs is a sensitive topic and people need as much guidance and understanding as possible. People are doing it more and more now so I have been seeing and hearing more and more failures in that realm. I am also hearing and seeing more bad advice and folks implying things (including unfortunately MCS folks) that aren’t true which is really going to end up hurting someone. I think virtualization is cool and we will be able to do some cool things with it in the AD space, but I also don’t like my phone going off at 2AM and someone saying, we are really *&^#*&^, we need you to help out.

        joe

    2. Alex Fontana (Post author)

      Forgot your NAS/SAN rollback question; I haven’t tested it, but I’m pretty sure that would not cause a generation ID change due to the fact that it is not a new VM, or a clone, or a snapshot-revert initiated by VMware, where the vm genID code lives. I’ve noted it for the guide previously mentioned and will hopefully get an answer.
      -alex
