Update 1/25/2013: The vSphere versions required for VM-Generation ID support have been updated below.

Active Directory Domain Services has been one of those applications that, to the naked eye, seemed like a no-brainer to virtualize. Why not? In most environments it’s a fairly low-utilization workload, rarely capable of efficiently using the resources found in the enterprise-class servers that have been available for the past few years. Many organizations have adopted this way of thinking and have successfully virtualized all of their domain controllers. What about the hold-outs? What is it about Active Directory that has left so many AD administrators and architects keeping their infrastructure, or at least a portion of it, on physical servers?

Until recently, a couple of limitations, some argued, diminished the advantages of virtualization. These limitations included the lack of support for cloning domain controllers and the inability to use features such as snapshots, because reverting a snapshot risks a USN roll-back.

With the release of Windows Server 2012, Microsoft has validated the role virtualization plays in the data center by adding functionality that effectively lifts these limitations. The feature known as VM-Generation ID allows hypervisor vendors to expose a virtual machine identifier that Windows Server 2012 domain controllers can use to detect a change in the state of the virtual machine and trigger new Active Directory safeguards. These safeguards protect Active Directory from the dreaded USN roll-back if a virtual machine is reverted to a snapshot or rolled back by other mechanisms.

Besides protecting Active Directory from unintentional roll-back, these new safeguards and VM-Generation ID allow administrators to safely clone Windows Server 2012 domain controllers. When properly prepared, a Windows Server 2012 domain controller may be used as a source for new domain controllers. Not only does this eliminate the additional tasks of preparing a base virtual machine for becoming a domain controller, it reduces the time required for replication of a new copy of the Active Directory database.

VM-Generation ID functionality requires the hypervisor vendor to create the virtual machine identifier and expose it to the guest. VMware has provided this functionality in the following releases of vSphere:

  • VMware vSphere 5.0 Update 2 (vCenter Server and ESXi must both be at 5.0 Update 2)
  • VMware vSphere 5.1 (ESXi must be at least 5.0 Update 2)
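Before relying on the snapshot safeguards or cloning described above, an administrator will want to confirm that the identifier is actually being exposed and detected. The following PowerShell check is an added example, not code from the original post or from VMware; it assumes the ActiveDirectory module (present on any Windows Server 2012 domain controller), an optional PowerCLI session already opened with Connect-VIServer, and that the vSphere VM name matches the DC's computer name.

```powershell
# Added example (not from the original post). Verifies VM-Generation ID from
# both sides: the guest DC's AD computer object and the vSphere VM configuration.
param(
    [string]$DcName = $env:COMPUTERNAME,   # domain controller to inspect
    [string]$VMName = $DcName              # vSphere VM name; assumed to match
)

Import-Module ActiveDirectory

# 1. Guest side. A DC that has detected a VM-Generation ID stores it in the
#    msDS-GenerationId attribute of its own computer object. An empty value
#    means no identifier was exposed, so the snapshot/clone safeguards cannot fire.
$dc    = Get-ADComputer -Identity $DcName -Properties 'msDS-GenerationId'
$genId = $dc.'msDS-GenerationId'
if ($genId) {
    # The attribute is a byte array; render it as hex so it can be compared
    # with the value the hypervisor reports.
    $hex = ($genId | ForEach-Object { $_.ToString('x2') }) -join ''
    "$DcName : msDS-GenerationId = 0x$hex (VM-Generation ID detected; safeguards active)"
} else {
    "$DcName : msDS-GenerationId is EMPTY; snapshot and clone safeguards are NOT active"
}

# 2. Hypervisor side (only when PowerCLI is loaded and connected). Report the
#    ESXi version/build against the post's requirement (5.0 Update 2 or later)
#    and look for the vm.genid / vm.genidX keys that ESXi writes into the VM
#    configuration when it exposes the identifier to the guest.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    $vm  = Get-VM -Name $VMName
    $esx = $vm.VMHost
    "$VMName runs on $($esx.Name): ESXi $($esx.Version) build $($esx.Build)"
    if ([version]$esx.Version -lt [version]'5.0.0') {
        "  ESXi is older than 5.0; VM-Generation ID is not available on this host"
    } elseif ([version]$esx.Version -lt [version]'5.1.0') {
        "  ESXi 5.0 detected: confirm this build is 5.0 Update 2 or later"
    }
    foreach ($key in 'vm.genid', 'vm.genidX') {
        $setting = Get-AdvancedSetting -Entity $vm -Name $key -ErrorAction SilentlyContinue
        if ($setting) { "  $key = $($setting.Value)" }
        else          { "  $key not present; host is not exposing VM-Generation ID to this VM" }
    }
}
```

If the guest attribute is empty while the host reports the vm.genid keys, power-cycle (not reboot) the VM so the guest picks up the identifier, then re-run the check.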

More information on VM-Generation ID, supported methods for cloning domain controllers, and domain controller safeguards can be found at the following TechNet links:

Introduction to Active Directory Domain Services Virtualization (Level 100): http://technet.microsoft.com/en-us/library/hh831734.aspx

Virtualized Domain Controller Technical Reference (Level 300): http://technet.microsoft.com/en-us/library/jj574214.aspx

-alex