Forbidden fruits of Active Directory – Cloning, Snapshotting, Virtualization
DESCRIPTION
More info on http://techdays.be
TRANSCRIPT
Windows Server 2012
Forbidden fruits of Active Directory: Cloning, Snapshotting, Safe Virtualization
Benjamin Logist, Wim Henderyckx
Premier Field Engineer – Microsoft Services
Agenda
Importance of Virtualization in IT
Virtualization Challenges with Active Directory Today
Enabling a Seamless Virtualized Active Directory Experience in Windows Server 2012
Rapid Deployment of Virtual Domain Controllers through Cloning
elastic scale, faster disaster recovery, etc.
Importance of Virtualization in IT
Well-established and still growing trend, widely adopted across all market segments
Often a business decision driven by cost savings: fewer machines require less space and power; consolidating server hardware gives optimal hardware utilization
... also provides numerous technological conveniences
Virtualization paves the way toward private-cloud deployments: it reduces deployment and management complexity and offers redundancy and dynamic-scale capabilities
Virtualization of Domain Controllers Pre-Windows Server 2012
DCs have been successfully deployed on virtualization platforms for many years, following a set of well-defined best practices; those best practices advised against actions that could disrupt Active Directory
Best-practices guidance cautioned against: applying snapshots to virtual domain controllers, exporting a virtual machine that is running a domain controller, and copying virtual hard disks (VHDs)
Hypervisor admins are not necessarily aware of Active Directory's requirements or best practices
Virtualization Challenges
Virtual machines offer snapshot capabilities that are potentially problematic for distributed applications
Why? Applications experience a logical-clock shift: operations happen outside of the OS's/application's awareness. Active Directory's logical clock is its USN (update sequence number)
[Figure: logical clock 0 1 2 3 4 5 6 7; a snapshot is taken after 3 and applied after 7, after which the clock runs 4 5 6 7 8 9 again, re-issuing values 4-7 that have already been handed out]
How Domain Controllers are Impacted
Impact on replication: lingering objects, inconsistent passwords, inconsistent attribute values, and schema mismatches if the Schema FSMO role holder is rolled back
Potential for security principals to be created with duplicate SIDs, resulting in unauthorized access to resources; for a period of time the affected users will no longer be able to log on
[Figure: timeline of events T1-T4 for DC1 (invocation ID A) and its replication partner DC2, without the Windows Server 2012 safeguards]
T1: DC1 is at USN 100 with RID pool 500-1000; DC2 has received all updates from DC1(A) up to USN 100. A snapshot of DC1 is taken.
T2: 100 users are added on DC1, consuming USNs 101-200 and RIDs 500-599; DC1 is now at USN 200 with RID pool 600-1000. DC2 receives the updates with USNs >100 and records DC1(A) at USN 200.
T3: the snapshot is applied. DC1 is back at USN 100 with RID pool 500-1000, still under invocation ID A, and has no memory of the 100 users.
T4: 150 more users are created on DC1, consuming USNs 101-250 and RIDs 500-649; DC1 is at USN 250 with RID pool 650-1000. DC2 still believes it is current with DC1(A) through USN 200, so it asks only for USNs >200.
USN rollback NOT detected: only 50 users converge across the two DCs; all others exist on one DC or the other. 100 security principals (users in this example) with RIDs 500-599 have conflicting SIDs.
Breaking AD 101
Restoring Snapshot of a Domain Controller (Without W2K12 Virtualization Safeguards)
Safe Domain Controller Virtualization
Windows Server 2012 virtual DCs are able to detect when snapshots are applied or a VM is copied
Detection is built on a VM-generation identifier (VM-Generation ID); the VM-Generation ID changes when features such as VM snapshots are used
Active Directory's Safe Virtualization
The VM-Generation ID is provided by the hypervisor platform: a unique 128-bit identifier that guest operating systems and applications can leverage, made available to applications through a Windows Server 2012 driver
Windows Server 2012 virtual DCs track the VM-Generation ID, which allows the DC to detect changes and protect Active Directory
[Figure: the same timeline of events T1-T4 with the Windows Server 2012 safeguards; each DC1 state also shows the VM-Generation ID reported by the hypervisor (VMGID) and the value saved in the DIT (savedVMGID)]
T1: DC1 is at USN 100 under invocation ID A, VMGID G1, savedVMGID G1. A snapshot is taken.
T2: 100 users are added on DC1 (USNs 101-200); DC1 is at USN 200, VMGID G1, savedVMGID G1. DC2 receives the updates with USNs >100 and records DC1(A) at USN 200.
T3: the snapshot is applied; the hypervisor now reports VMGID G2 while the DIT still holds savedVMGID G1. The VM-Generation ID difference is detected: EMPLOY SAFETIES (new invocation ID B, RID pool discarded, savedVMGID set to G2).
T4: 150 users are created on DC1 under invocation ID B with USNs 101-250. DC2 has never seen invocation ID B, so it again accepts updates with USNs >100 from DC1, and the users DC1 lost at T2 replicate back from DC2.
USN re-use avoided and USN rollback PREVENTED: all 250 users converge correctly across both DCs.
VM-ID at work
Restoring Snapshot of a Domain Controller (With W2K12 Virtualization Safeguards)
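The two timelines above can be replayed as a small model of USN-based replication. The following PowerShell is an added example written for this page, not code from the deck or from Microsoft: it models a DC as an invocation ID plus a USN counter, a RID pool and a per-partner "highest USN seen" watermark, takes and applies a snapshot of DC1, and runs the same sequence once without and once with the VM-Generation ID check. All helper names (New-Dc, Add-User, Sync-Replica, Save-Snapshot, Start-Dc, Invoke-Scenario), DC2's invocation ID 'C' and the replacement RID pool 1001-1500 are hypothetical; the user counts and USN values follow the slides.

```powershell
# Added example, not from the TechDays deck: a toy model of USN-based
# replication between two DCs, run once without and once with the
# VM-Generation ID safeguard. Helper names, DC2's invocation ID 'C' and the
# replacement RID pool 1001-1500 are hypothetical.

function New-Dc {
    param([string]$Name, [string]$InvocationId, [int]$RidStart, [int]$RidEnd)
    [pscustomobject]@{
        Name = $Name; InvocationId = $InvocationId
        Usn = 100                  # local logical clock, as at T1 in the deck
        RidNext = $RidStart; RidEnd = $RidEnd
        SavedVmGenId = 'G1'        # VM-Generation ID stored in the DIT
        Objects  = New-Object System.Collections.ArrayList   # security principals
        UpToDate = @{}             # origin InvocationId -> highest USN received
    }
}

function Add-User {
    param($Dc, [int]$Count)
    for ($i = 0; $i -lt $Count; $i++) {
        if ($Dc.RidNext -gt $Dc.RidEnd) { throw "RID pool exhausted on $($Dc.Name)" }
        $Dc.Usn++
        [void]$Dc.Objects.Add([pscustomobject]@{
            Guid = [guid]::NewGuid(); Rid = $Dc.RidNext
            OriginId = $Dc.InvocationId; OriginUsn = $Dc.Usn })
        $Dc.RidNext++
    }
}

function Sync-Replica {
    # Destination pulls every change whose originating USN is above the highest
    # USN it already holds for that invocation ID (its own clock if the origin
    # is itself). A snapshot rollback leaves this watermark too high.
    param($Source, $Destination)
    foreach ($obj in $Source.Objects) {
        $seen = 0
        if ($obj.OriginId -eq $Destination.InvocationId) { $seen = $Destination.Usn }
        elseif ($Destination.UpToDate.ContainsKey($obj.OriginId)) { $seen = $Destination.UpToDate[$obj.OriginId] }
        if ($obj.OriginUsn -gt $seen -and -not ($Destination.Objects | Where-Object { $_.Guid -eq $obj.Guid })) {
            [void]$Destination.Objects.Add($obj)
        }
    }
    $known = 0
    if ($Destination.UpToDate.ContainsKey($Source.InvocationId)) { $known = $Destination.UpToDate[$Source.InvocationId] }
    $Destination.UpToDate[$Source.InvocationId] = [Math]::Max($known, $Source.Usn)
}

function Save-Snapshot {
    # Deep enough copy of a DC's state; applying the snapshot is just taking a
    # fresh copy of the saved state.
    param($Dc)
    $copy = New-Dc $Dc.Name $Dc.InvocationId $Dc.RidNext $Dc.RidEnd
    $copy.Usn = $Dc.Usn; $copy.SavedVmGenId = $Dc.SavedVmGenId
    $copy.Objects.AddRange($Dc.Objects); $copy.UpToDate = $Dc.UpToDate.Clone()
    $copy
}

function Start-Dc {
    # Windows Server 2012 behaviour on NTDS start: compare the hypervisor's
    # VM-Generation ID with the saved one; on a mismatch retire the current
    # invocation ID, discard the RID pool and record the new generation ID.
    param($Dc, [string]$HypervisorVmGenId, [bool]$Safeguard)
    if ($Safeguard -and $HypervisorVmGenId -ne $Dc.SavedVmGenId) {
        $Dc.UpToDate[$Dc.InvocationId] = $Dc.Usn   # old ID retired at its last USN
        $Dc.InvocationId = 'B'                     # fresh invocation ID
        $Dc.RidNext = 1001; $Dc.RidEnd = 1500      # hypothetical new pool from the RID master
        $Dc.SavedVmGenId = $HypervisorVmGenId
    }
}

function Invoke-Scenario {
    param([bool]$Safeguard)
    $dc1 = New-Dc 'DC1' 'A' 500 1000
    $dc2 = New-Dc 'DC2' 'C' 2000 2500
    Sync-Replica $dc1 $dc2                        # T1: DC2 is current with DC1(A) at USN 100
    $snap = Save-Snapshot $dc1                    #     snapshot taken
    Add-User $dc1 100; Sync-Replica $dc1 $dc2     # T2: USNs 101-200, RIDs 500-599 reach DC2
    $dc1 = Save-Snapshot $snap                    # T3: snapshot applied
    Start-Dc $dc1 'G2' $Safeguard                 #     hypervisor now reports generation G2
    Add-User $dc1 150                             # T4: DC1 reaches USN 250 again
    Sync-Replica $dc1 $dc2; Sync-Replica $dc2 $dc1
    $onDc1 = @{}; foreach ($o in $dc1.Objects) { $onDc1[$o.Guid] = $true }
    $converged = @($dc2.Objects | Where-Object { $onDc1.ContainsKey($_.Guid) }).Count
    $seenGuid = @{}; $byRid = @{}                 # count distinct objects per RID across both DCs
    foreach ($o in ($dc1.Objects.ToArray() + $dc2.Objects.ToArray())) {
        if ($seenGuid.ContainsKey($o.Guid)) { continue }
        $seenGuid[$o.Guid] = $true
        if ($byRid.ContainsKey($o.Rid)) { $byRid[$o.Rid] = $byRid[$o.Rid] + 1 } else { $byRid[$o.Rid] = 1 }
    }
    $dupSids = @($byRid.Keys | Where-Object { $byRid[$_] -gt 1 }).Count
    [pscustomobject]@{ Safeguard = $Safeguard; Dc1Users = $dc1.Objects.Count; Dc2Users = $dc2.Objects.Count
                       Converged = $converged; DuplicateSids = $dupSids }
}

Invoke-Scenario $false   # the first timeline: rollback not detected
Invoke-Scenario $true    # the second timeline: VM-Generation ID change detected
```

Run without the safeguard, the model reproduces the first timeline: DC2 pulls only USNs 201-250, so 50 users converge and the 100 RIDs 500-599 are each carried by two different objects. With the safeguard, DC1 restarts under invocation ID B, DC2 has no watermark for B and pulls all 150 new users, DC1 pulls back the 100 it lost because its retired ID A is recorded at USN 100, and the new users draw RIDs from a fresh pool, so all 250 converge with no duplicate SIDs.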
Cloning Architecture
VDC Cloning at 30,000 Feet (Nine Steps)
Prepare the environment
1. Validate that the hypervisor supports VM-Generation ID.
2. Select a valid source DC running Windows Server 2012.
3. Verify that the PDC emulator FSMO role holder runs Windows Server 2012.
Prepare the source DC
4. Authorize the DC for cloning.
5. Remove incompatible components.
6. Take the source DC offline.
Create the cloned DC
7. Copy or export the source VM and add the DCCloneConfig.xml if not already copied.
8. Create a new VM from the copy.
9. Start the new VM to commence cloning.
Go and multiply!
Cloning Domain Controllers
DCCloneConfig.xml sample
<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
  <ComputerName>VirtualDC3</ComputerName>
  <SiteName>REDMOND</SiteName>
  <IPSettings>
    <IPv4Settings>
      <StaticSettings>
        <Address>10.0.0.115</Address>
        <SubnetMask>255.255.0.0</SubnetMask>
        <DefaultGateway>10.0.0.1</DefaultGateway>
        <DNSResolver>10.0.0.101</DNSResolver>
      </StaticSettings>
    </IPv4Settings>
  </IPSettings>
</d3c:DCCloneConfig>
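The nine steps above, as they would be typed on the source DC (ActiveDirectory module) and on the Hyper-V host (Hyper-V module), as an added example that is not part of the deck: steps 1-5 are the checks and the authorization, step 7's first half writes the DCCloneConfig.xml with the same values as the sample, and steps 6-9 copy the VHD into a new VM and start it. The DC name DC1, the VM and switch names, the paths and the memory size are hypothetical; the cmdlets are the Windows Server 2012 ones. The step-1 check relies on the msDS-GenerationId attribute, which a DC populates only when the hypervisor exposes a VM-Generation ID and which is not replicated, so it must be read from the source DC itself.

```powershell
# Added example, not from the deck. Run the first part on the source DC
# (ActiveDirectory module) and the second on the Hyper-V host (Hyper-V module).
# DC1, VirtualDC3, the 'Corp' switch, the paths and 2GB are hypothetical values.
Import-Module ActiveDirectory

$sourceDc  = 'DC1'          # hypothetical source DC (the machine this runs on)
$cloneName = 'VirtualDC3'   # values below match the DCCloneConfig.xml sample
$siteName  = 'REDMOND'

function Test-CloneReady {
    param([string]$SourceDc)
    $ok = $true
    # Step 1: msDS-GenerationId is only populated when the hypervisor exposes a
    # VM-Generation ID; it is not replicated, so query the source DC directly.
    $gen = Get-ADComputer -Identity $SourceDc -Server $SourceDc -Properties 'msDS-GenerationId'
    if (-not $gen.'msDS-GenerationId') { Write-Warning "$SourceDc has no VM-Generation ID (hypervisor support missing)"; $ok = $false }
    # Step 2: the source DC must run Windows Server 2012
    $src = Get-ADDomainController -Identity $SourceDc
    if ($src.OperatingSystem -notlike 'Windows Server 2012*') { Write-Warning "Source DC runs $($src.OperatingSystem)"; $ok = $false }
    # Step 3: the PDC emulator must run Windows Server 2012 (it services IDL_DRSAddCloneDC)
    $pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
    if ($pdc.OperatingSystem -notlike 'Windows Server 2012*') { Write-Warning "PDCE $($pdc.HostName) runs $($pdc.OperatingSystem)"; $ok = $false }
    $ok
}

if (-not (Test-CloneReady $sourceDc)) { throw 'Environment is not ready for DC cloning' }

# Step 4: authorize the source DC; the PDCE's authorization check for
# IDL_DRSAddCloneDC is based on membership in this group
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity $sourceDc)

# Step 5: list services and programs not known to be clone-safe; remove them
# or, after review, whitelist them with -GenerateXml (CustomDCCloneAllowList.xml)
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    throw 'Remove the listed components or whitelist them (Get-ADDCCloningExcludedApplicationList -GenerateXml) before cloning'
}

# Step 7 (first half): write DCCloneConfig.xml into the source DC's NTDS
# directory so that the copied VHD already carries it
New-ADDCCloneConfigFile -CloneComputerName $cloneName -SiteName $siteName -Static `
    -IPv4Address '10.0.0.115' -IPv4SubnetMask '255.255.0.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.101'

# ---- on the Hyper-V host from here on ----
# Step 6: take the source DC offline so the VHD copy is consistent
Stop-VM -Name $sourceDc

# Steps 7-8: copy the VHD (it contains DCCloneConfig.xml) and build a new VM on it
$srcVhd = (Get-VMHardDiskDrive -VMName $sourceDc | Select-Object -First 1).Path
$newVhd = Join-Path (Split-Path $srcVhd) "$cloneName.vhdx"
Copy-Item -Path $srcVhd -Destination $newVhd
New-VM -Name $cloneName -MemoryStartupBytes 2GB -VHDPath $newVhd -SwitchName 'Corp'
Start-VM -Name $sourceDc   # bring the source DC back online

# Step 9: start the clone; it sees a new VM-Generation ID, finds
# DCCloneConfig.xml and promotes itself under the new name
Start-VM -Name $cloneName
```

If the clone boots into Directory Services Restore Mode instead of promoting itself, the step-1 check was skipped or the new VM runs on a host without VM-Generation ID support; the cautionary notes at the end of the deck describe that outcome.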
Rapid Deployment: Cloning Flow
[Figure: cloning flow between the clone VM and the Windows Server 2012 PDC]
On the clone VM:
NTDS starts
Obtain current VM-GenID
If different from the value in the DIT: reset InvocationID, discard RID pool
DCCloneConfig.xml available? Run dcpromo /fixclone
Parse DCCloneConfig.xml
Configure network settings
Locate PDC
Call IDL_DRSAddCloneDC(name, site)
On the Windows Server 2012 PDC (IDL_DRSAddCloneDC):
Check authorization
Create the new DC objects by duplicating the source DC objects (NTDSDSA, Server, Computer instances) under CN=Configuration, CN=Sites, CN=<site name>, CN=Servers, CN=<DC name>, CN=NTDS Settings
Generate the new DC machine account and password
Back on the clone VM:
Save clone state (new name, password, site)
Promote as replica (IFM)
Run (specific) sysprep providers
Reboot
Rapid Deployment: Cloning Decision Flow
[Figure: decision flow evaluated at boot]
BOOT
Generation ID available?
  No: does DCCloneConfig.xml exist?
    No: BOOT NORMALLY
    Yes: REBOOT INTO DSRM
  Yes: has the Generation ID changed?
    No: does DCCloneConfig.xml exist?
      No: BOOT NORMALLY
      Yes: rename DCCloneConfig.xml, then BOOT NORMALLY
    Yes: does DCCloneConfig.xml exist?
      No: BOOT NORMALLY (with the safeties applied)
      Yes: INITIATE CLONING
Cautionary Notes
Only Windows Server 2012 virtual domain controllers can be cloned
Requires the PDC emulator FSMO role holder to be a Windows Server 2012 DC
Deploying clone DCs on virtualization platforms that don't provide a VM-Generation ID will: with DCCloneConfig.xml present, cause the clone DC to boot into Directory Services Restore Mode (DSRM); without DCCloneConfig.xml, potentially introduce a USN bubble and duplicate SIDs, which disrupts the Active Directory environment
Do not change/swap/switch VHDs on existing VMs: the VM-Generation ID does not change in Windows Server 2012 Hyper-V in that case, so the safeguards are not triggered
Summary
Windows Server 2012 enables a much richer Active Directory virtualization experience: domain controllers can be virtualized without the concerns of the past
Enables the rapid deployment of domain controllers by leveraging the virtualization platform's native capabilities; saves critical time during forest/domain recovery; trivializes scale-out to meet the needs of the environment
Thank You!
REM: If you now stand up and applaud, we win a crate of beer that we are willing to share with you!!!