
Active Directory VM Generation IDs

Virtual machine snapshot and cloning technologies provide a way of rolling back changes and duplicating virtual machines, which can aid in testing and troubleshooting.
However, these technologies can present challenges when used in production environments, particularly with Active Directory Domain Controllers.

With the release of Active Directory in Server 2012, Microsoft have provided a useful new feature, the VM Generation ID, that helps Active Directory replication cope with domain controllers that have been rolled back to a previous snapshot or cloned, and eliminates conditions where replication is not possible.

The Problem

To ensure correct replication of changes, Active Directory uses a combination of USNs (Update Sequence Numbers), updated with each replication, and Invocation IDs, which are the Domain Controller's internal reference numbers. Together these uniquely identify changes to the database, and the combination must be unique within the forest.
The issue arises when a virtual machine is rolled back to a previous version (usually using snapshot technology), which in effect causes USNs to be reused for different changes. Replication cannot continue, because the replication identifier (the Invocation ID and USN combination) is the same as that of a previous change.

The Solution

With Active Directory in Server 2012, the VM Generation ID is stored in the domain controller's computer account object in the attribute msDS-GenerationID, and is tracked by a driver inside Windows in the VM. When an Administrator reverts to a previous snapshot, Windows compares the VM Generation ID with the ID held in its computer object in ADS (Active Directory Services). If the two values are different, the InvocationID is reset and the RID (relative ID) pool is discarded to avoid the same Invocation ID and USN combination being reused. If the VM Generation ID and the value stored in the computer object are the same, the transaction is committed as normal.

This helps to avoid situations where Active Directory Replication fails due to Administrators rolling back Domain Controllers by using snapshot and cloning technologies.
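To make the mechanism above concrete, here is an added example that is not part of the original post: a small Python model of the replication identity described in The Problem and The Solution sections. A domain controller stamps every write with an (InvocationID, USN) pair; a replication partner keeps a high-watermark per source InvocationID and only pulls changes whose USN exceeds it. The scenario takes a snapshot, writes a change, replicates it, reverts, and writes again. Without the VM Generation ID check the new write reuses an (InvocationID, USN) pair the partner has already seen and is silently skipped; with the check, the mismatch between the hypervisor's generation ID and the value stored in the computer object gives the DC a fresh InvocationID, so the write replicates. The class names, user names and integer generation IDs are all constructed for the illustration (real generation IDs are 128-bit values), and the RID pool discard is noted but not modelled.

```python
"""Constructed model of (InvocationID, USN) replication identity and the
VM Generation ID check.  Names and values are illustrative only."""
import uuid
from dataclasses import dataclass, field


@dataclass
class DomainController:
    """One DC: each write consumes the next USN under the current InvocationID."""
    name: str
    invocation_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    usn: int = 0
    stored_generation_id: int = 0                 # stands in for msDS-GenerationId
    changes: dict = field(default_factory=dict)   # (invocation_id, usn) -> change

    def commit(self, change):
        """Write a change and return the (InvocationID, USN) pair that identifies it."""
        self.usn += 1
        key = (self.invocation_id, self.usn)
        self.changes[key] = change
        return key

    def snapshot(self):
        """Hypervisor snapshot: freeze the DC's state (in memory, for the model)."""
        return (self.invocation_id, self.usn, self.stored_generation_id, dict(self.changes))

    def revert(self, snap):
        """Hypervisor revert: restore the frozen state, forgetting later writes."""
        self.invocation_id, self.usn, self.stored_generation_id = snap[0], snap[1], snap[2]
        self.changes = dict(snap[3])

    def resume(self, hypervisor_generation_id, vm_genid_aware):
        """On resume, a VM-GenID-aware DC compares the hypervisor's generation ID
        with the one stored in its computer object.  On mismatch it takes a new
        InvocationID (the RID pool discard described on the page is not modelled).
        Returns True if the InvocationID was reset."""
        if not vm_genid_aware:
            return False
        if hypervisor_generation_id != self.stored_generation_id:
            self.invocation_id = uuid.uuid4().hex
            self.stored_generation_id = hypervisor_generation_id
            return True
        return False


@dataclass
class ReplicationPartner:
    """A partner DC tracking, per source InvocationID, the highest USN received."""
    high_watermark: dict = field(default_factory=dict)
    received: list = field(default_factory=list)

    def pull(self, source):
        """Pull only changes whose USN is above the watermark for their InvocationID."""
        pulled = []
        for (inv, usn), change in sorted(source.changes.items(), key=lambda kv: kv[0][1]):
            if usn > self.high_watermark.get(inv, 0):
                self.high_watermark[inv] = usn
                self.received.append(change)
                pulled.append(change)
        return pulled


def rollback_scenario(vm_genid_aware):
    """Snapshot, write, replicate, revert, write again; report what replicates."""
    dc = DomainController("DC01")
    partner = ReplicationPartner()
    dc.commit("create user alice")
    partner.pull(dc)
    snap = dc.snapshot()                          # hypervisor generation ID is 0 here
    dc.commit("create user bob")
    partner.pull(dc)                              # bob reaches the partner as (inv, USN 2)
    dc.revert(snap)                               # DC01 forgets bob; USN is back to 1
    reset = dc.resume(hypervisor_generation_id=1, vm_genid_aware=vm_genid_aware)
    dc.commit("create user carol")                # consumes USN 2 a second time
    pulled = partner.pull(dc)
    return {
        "invocation_id_reset": reset,
        "pulled_after_rollback": pulled,
        "carol_replicated": "create user carol" in partner.received,
    }


if __name__ == "__main__":
    for aware in (False, True):
        print("VM-GenID aware:", aware, rollback_scenario(aware))
```

The model keeps only the part of the replication metadata needed to show the effect; a real partner also tracks an up-to-dateness vector and the reverted DC would later receive the partner's copy of "bob" back. On a real Server 2012 domain controller the stored value can be read from the computer object with `Get-ADComputer -Identity <DC name> -Properties msDS-GenerationId`.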

For more information, see the Microsoft document Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100).

This feature is supported in ESXi versions from 5.0 build 821926 onwards as detailed in VMware ESXi 5.0, Patch ESXi-5.0.0-20120904001-standard.
