forbidden fruits of active directory – cloning, snapshotting, virtualization

Windows Server 2012 Forbidden fruits of Active Directory Cloning – Snapshotting - Safe Virtualization

Upload: microsoft-technet-belgium-and-luxembourg

Post on 15-Jan-2015


DESCRIPTION

More info on http://techdays.be.

TRANSCRIPT

Page 1: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Windows Server 2012
Forbidden fruits of Active Directory
Cloning, Snapshotting, Safe Virtualization

Page 2: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Forbidden fruits of Active Directory Cloning – Snapshotting - Virtualization

Benjamin Logist, Wim Henderyckx

Premier Field Engineer – Microsoft Services

Page 3: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Agenda

Importance of Virtualization in IT

Virtualization Challenges with Active Directory Today

Enabling a Seamless Virtualized Active Directory Experience in Windows Server 2012

Rapid Deployment of Virtual Domain Controllers through Cloning

elastic scale, faster disaster recovery, etc.


Page 5: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Importance of Virtualization in IT

Well-established and still growing trend, widely adopted across all market segments.

Often a business decision driven by cost savings: fewer machines require less space and power; consolidate server hardware for optimal hardware utilization.

... also provides numerous technological conveniences.

Virtualization paves the way toward private-cloud deployments: reduces deployment and management complexity, offers redundancy and dynamic-scale capabilities.


Page 7: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Virtualization of Domain Controllers, Pre-Windows Server 2012

DCs have been successfully deployed on virtualization platforms for many years, according to a set of well-defined best practices; those best practices advised against actions that could disrupt Active Directory.

Best-practices guidance cautioned against: applying snapshots to virtual domain controllers; exporting a virtual machine that is running a domain controller; copying virtual hard disks (VHDs).

Hypervisor admins are not necessarily aware of Active Directory's requirements or best practices.

Page 8: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Virtualization Challenges

Virtual machines offer snapshot capabilities, which are potentially problematic for distributed applications.

Why? Applications experience a logical-clock shift: operations happen outside of the OS's/application's awareness. Active Directory's logical clock is its USN (update sequence number).

Figure: Logical Clock. The clock advances 0 1 2 3 4 5 6 7 ("Take snapshot" at 4); "Apply snapshot" puts it back to 4, after which it advances 4 5 6 7 8 9, so the values 4 through 7 are issued a second time.

Page 9: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

How Domain Controllers are Impacted

Impact to replication: lingering objects; inconsistent passwords; inconsistent attribute values; schema mismatches if the Schema FSMO is rolled back.

Potential for security principals to be created with duplicate SIDs, resulting in unauthorized access to resources for a period of time; the affected users will no longer be able to log on.

Page 10: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

How Domain Controllers are Impacted: timeline of events (restoring a snapshot without safeguards)

TIME T1: DC1 is at USN 100, InvocationID A, RID pool 500-1000. Snapshot created.

TIME T2: +100 users added on DC1. DC1 is at USN 200, ID A, RID pool 600-1000. DC2 receives updates with USNs > 100 and records DC1(A)@USN = 200.

TIME T3: Snapshot applied! DC1 is back at USN 100, ID A, RID pool 500-1000.

TIME T4: +150 more users created on DC1. DC1 is at USN 250, ID A, RID pool 650-1000. DC2 only receives updates with USNs > 200 (its watermark for DC1(A) is already 200).

USN rollback NOT detected: only 50 users converge across the two DCs; all others are either on one or the other DC. 100 security principals (users in this example) with RIDs 500-599 have conflicting SIDs.

Page 11: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Breaking AD 101

Restoring Snapshot of a Domain Controller (Without W2K12 Virtualization Safeguards)


Page 13: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Safe Domain Controller Virtualization

Windows Server 2012 virtual DCs are able to detect when snapshots are applied or a VM is copied.

Detection is built on a VM-generation identifier (VM-Generation ID); the VM-Generation ID is changed when features such as VM snapshot are used.

Page 14: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Active Directory's Safe Virtualization

VM-Generation ID is provided by the hypervisor platform: a unique 128-bit identifier that guest operating systems and applications can leverage, made available to applications through a Windows Server 2012 driver.

Windows Server 2012 virtual DCs track the VM-Generation ID; this allows the DC to detect changes and protect Active Directory.

Page 15: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Safe Domain Controller Virtualization: timeline of events (restoring a snapshot with safeguards)

TIME T1: DC1 is at USN 100, InvocationID A; the hypervisor reports VMGID G1 and the DIT holds savedVMGID G1. Snapshot created.

TIME T2: +100 users added on DC1. DC1 is at USN 200, ID A; VMGID G1, savedVMGID G1. DC2 receives updates with USNs > 100 and records DC1(A)@USN = 200.

TIME T3: Snapshot applied! DC1 is back at USN 100, ID A, savedVMGID G1, but the hypervisor now reports VMGID G2: VM generation ID difference detected, EMPLOY SAFETIES (new InvocationID B, RID pool discarded, savedVMGID becomes G2).

TIME T4: +150 users created on DC1 at USNs 101-250 under ID B; VMGID G2, savedVMGID G2. DC2 has no watermark for B, so it again accepts updates with USNs > 100; its vector now holds DC1(A)@USN = 200 alongside the new InvocationID at USN = 250. The missing users replicate back to DC1.

USN re-use avoided and USN rollback PREVENTED: all 250 users converge correctly across both DCs.
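The two timelines (the unsafe restore on the "How Domain Controllers are Impacted" slide and the safe one on this slide) can be replayed with a small model of how replication chooses what to send. The following PowerShell script is an added example, not code from the deck or from Microsoft: each DC holds an InvocationID, a USN counter, a RID pool cursor and its objects, and a partner keeps a high-watermark per InvocationID and pulls only changes above it. The RID pool size of 500, the generation IDs G1/G2 and the use of GUIDs as InvocationIDs are assumptions; the object counts are the slide's.

```powershell
# Added example (not from the slides): toy model of the snapshot-restore timelines.
$script:RidMasterNext = 500                                   # RID master hands out pools of 500 (assumed)

function Request-RidPool { $s = $script:RidMasterNext; $script:RidMasterNext += 500; return $s }

function New-Dc {
    param([string]$Name, [string]$InvocationId)
    [pscustomobject]@{
        Name = $Name; InvocationId = $InvocationId; Usn = 100
        RidNext      = (Request-RidPool)                      # DC1 gets 500-999, as on the slide
        Objects      = [System.Collections.ArrayList]::new()
        Watermark    = @{}                                    # InvocationID -> highest USN received
        SavedVmGenId = 'G1'                                   # VM-GenID the DC stored in its DIT
    }
}

function Add-Users { param($Dc, [int]$Count)
    for ($i = 0; $i -lt $Count; $i++) {
        $Dc.Usn++
        $rid = $Dc.RidNext; $Dc.RidNext++
        [void]$Dc.Objects.Add([pscustomobject]@{ Id = [guid]::NewGuid(); Origin = $Dc.InvocationId; Usn = $Dc.Usn; Rid = $rid })
    }
}

function Invoke-Replication { param($From, $To)
    $To.Watermark[$To.InvocationId] = $To.Usn                 # a DC never re-pulls its own live changes
    foreach ($o in $From.Objects) {                           # objects arrive in USN order per origin
        $wm = 0; if ($To.Watermark.ContainsKey($o.Origin)) { $wm = $To.Watermark[$o.Origin] }
        if ($o.Usn -gt $wm) {
            [void]$To.Objects.Add($o)
            $To.Watermark[$o.Origin] = [Math]::Max($wm, $o.Usn)
        }
    }
}

function Save-Snapshot { param($Dc)
    @{ Usn = $Dc.Usn; RidNext = $Dc.RidNext; InvocationId = $Dc.InvocationId; SavedVmGenId = $Dc.SavedVmGenId
       Objects = @($Dc.Objects); Watermark = $Dc.Watermark.Clone() }
}

function Restore-Snapshot { param($Dc, $Snap, [string]$VmGenIdNow, [bool]$Safeguards)
    foreach ($k in 'Usn', 'RidNext', 'InvocationId', 'SavedVmGenId') { $Dc.$k = $Snap[$k] }
    $Dc.Objects = [System.Collections.ArrayList]::new(); $Dc.Objects.AddRange($Snap.Objects)
    $Dc.Watermark = $Snap.Watermark.Clone()
    # What a Windows Server 2012 DC does at start-up: compare the VM-GenID the hypervisor
    # reports now with the one saved in the DIT and employ the safeties if they differ.
    if ($Safeguards -and $Dc.SavedVmGenId -ne $VmGenIdNow) {
        $Dc.Watermark[$Dc.InvocationId] = $Dc.Usn             # the old InvocationID ends at USN 100
        $Dc.InvocationId = [guid]::NewGuid().ToString()        # reset InvocationID ("B" on the slide)
        $Dc.RidNext      = Request-RidPool                     # discard the rolled-back RID pool
        $Dc.SavedVmGenId = $VmGenIdNow
    }
}

function Invoke-Scenario { param([bool]$Safeguards)
    $script:RidMasterNext = 500
    $dc1 = New-Dc 'DC1' 'A'; $dc2 = New-Dc 'DC2' 'Z'
    $snap = Save-Snapshot $dc1                                  # T1: snapshot taken at USN 100
    Add-Users $dc1 100; Invoke-Replication $dc1 $dc2            # T2: DC2 records DC1(A)@USN = 200
    Restore-Snapshot $dc1 $snap 'G2' $Safeguards                # T3: snapshot applied, VM-GenID G1 -> G2
    Add-Users $dc1 150                                          # T4: +150 users on the rolled-back DC1
    Invoke-Replication $dc1 $dc2; Invoke-Replication $dc2 $dc1
    $ids1 = @($dc1.Objects | ForEach-Object Id); $ids2 = @($dc2.Objects | ForEach-Object Id)
    $union = @($dc1.Objects) + @($dc2.Objects) | Sort-Object Id -Unique
    [pscustomobject]@{
        Safeguards      = $Safeguards
        OnDc1           = $ids1.Count
        OnDc2           = $ids2.Count
        ConvergedOnBoth = @($ids1 | Where-Object { $ids2 -contains $_ }).Count
        ConflictingRids = @($union | Group-Object Rid | Where-Object Count -gt 1).Count
    }
}

Invoke-Scenario $false   # without safeguards: 150 on each DC, only 50 converge, 100 RIDs conflict
Invoke-Scenario $true    # with safeguards:    250 on each DC, all 250 converge, 0 RIDs conflict
```

The unsafe run reproduces the slide's numbers because DC2 already holds a watermark of 200 for InvocationID A and therefore skips the 100 post-rollback objects at USNs 101-200, while DC1 re-issues RIDs 500-599 from its restored pool. The safe run gets a fresh InvocationID (so DC2 has no watermark and takes everything), a fresh RID pool (no duplicate RIDs), and a recorded end point of 100 for the old InvocationID, which is what lets the lost objects replicate back.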

Page 16: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

VM-ID at work

Restoring Snapshot of a Domain Controller (With W2K12 Virtualization Safeguards)


Page 18: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Cloning Architecture: VDC Cloning at 30,000 Feet (Nine Steps)

Prepare the environment
1. Validate that the hypervisor supports VM-Generation ID.
2. Select a valid source DC running Windows Server 2012.
3. Verify that the PDC Emulator (PDCE) FSMO role holder is a Windows Server 2012 DC.

Page 19: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Cloning Architecture: VDC Cloning at 30,000 Feet (Nine Steps)

Prepare the source DC
4. Authorize a DC for cloning.
5. Remove incompatible components.
6. Take the source DC offline.

Page 20: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Cloning Architecture: VDC Cloning at 30,000 Feet (Nine Steps)

Create the cloned DC
7. Copy or export the source VM and add the XML, if not already copied.
8. Create a new VM from the copy.
9. Start the new VM to commence cloning.

Page 21: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Cloning ArchitectureVDC Cloning at 30,000 Feet (Nine Steps)
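The nine steps above, typed out as they would be run on the source DC (ActiveDirectory module) and on the Hyper-V host (Hyper-V module, reached through Invoke-Command). This is an added example and not the deck's own script: the cmdlets Get-ADDCCloningExcludedApplicationList and New-ADDCCloneConfigFile are the Windows Server 2012 ones, the clone name, site and IP settings follow the DCCloneConfig.xml sample two slides on, while the source DC name DC1, the host name HV01, the D:\ paths and the PnP device name used to detect VM-Generation ID support are assumptions.

```powershell
# Added example (not from the slides): the nine cloning steps in PowerShell.
Import-Module ActiveDirectory
$sourceDc = 'DC1'; $cloneName = 'VirtualDC3'; $hvHost = 'HV01'    # assumed names

# --- Prepare the environment ---------------------------------------------------------
# 1. The hypervisor must expose VM-Generation ID. Inside a Hyper-V guest that support shows
#    up as a PnP device (device name assumed); without it a clone boots into DSRM (see the
#    cautionary notes later in the deck), so stop here rather than find out after step 9.
$genCounter = Get-WmiObject Win32_PnPEntity | Where-Object { $_.Name -like '*Hyper-V Generation Counter*' }
if (-not $genCounter) { throw 'No VM-Generation ID device found in this guest; do not clone.' }

# 2./3. Source DC and PDC emulator must both run Windows Server 2012 (NT 6.2) or later.
$pdce = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
foreach ($dc in @((Get-ADDomainController -Identity $sourceDc), $pdce)) {
    $ver = [version](($dc.OperatingSystemVersion -split ' ')[0])
    if ($ver -lt [version]'6.2') { throw "$($dc.HostName): $($dc.OperatingSystem) cannot take part in cloning" }
}

# --- Prepare the source DC -----------------------------------------------------------
# 4. Authorize: the PDC emulator answers IDL_DRSAddCloneDC only for members of this group.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity $sourceDc)

# 5. Programs and services that must not be cloned. Uninstall what you cannot vouch for;
#    -GenerateXml then records what is left as allowed (CustomDCCloneAllowList.xml).
Get-ADDCCloningExcludedApplicationList | Format-Table Name, Type
Get-ADDCCloningExcludedApplicationList -GenerateXml -Force

#    Write DCCloneConfig.xml next to the DIT; the cmdlet re-checks steps 3 to 5 before writing.
New-ADDCCloneConfigFile -CloneComputerName $cloneName -SiteName 'REDMOND' -Static `
    -IPv4Address 10.0.0.115 -IPv4SubnetMask 255.255.0.0 -IPv4DefaultGateway 10.0.0.1 `
    -IPv4DNSResolver 10.0.0.101

# --- Create the cloned DC (on the Hyper-V host; VM name assumed equal to the DC name) ----
Invoke-Command -ComputerName $hvHost -ArgumentList $sourceDc, $cloneName -ScriptBlock {
    param($src, $clone)
    Stop-VM -Name $src                                              # 6. source DC offline
    Export-VM -Name $src -Path 'D:\Export'                          # 7. the copy carries DCCloneConfig.xml
    Start-VM -Name $src                                             #    source DC back in service
    $config = Get-ChildItem "D:\Export\$src\Virtual Machines\*.xml" | Select-Object -First 1
    $vm = Import-VM -Path $config.FullName -Copy -GenerateNewId `
        -VirtualMachinePath "D:\VMs\$clone" -VhdDestinationPath "D:\VMs\$clone"   # 8. new VM, new VM-GenID
    Rename-VM -VM $vm -NewName $clone
    Start-VM -Name $clone                                           # 9. first boot runs the cloning flow
}

# Once the clone has rebooted, confirm from any DC that it came up as a normal DC (not in DSRM).
Get-ADDomainController -Identity $cloneName | Select-Object HostName, Site, IPv4Address, OperatingSystem
```

Step 5 is the one to slow down on: -GenerateXml allows everything still on the excluded list, so it belongs after the uninstall pass, not before it. Step 8 uses -GenerateNewId so the import creates a new VM rather than re-registering the source, which is what makes the hypervisor hand the copy a VM-Generation ID different from the one stored in the copied DIT.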

Page 22: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Go and multiply!

Cloning Domain Controllers

Page 23: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

DCCloneConfig.xml sample

<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
  <ComputerName>VirtualDC3</ComputerName>
  <SiteName>REDMOND</SiteName>
  <IPSettings>
    <IPv4Settings>
      <StaticSettings>
        <Address>10.0.0.115</Address>
        <SubnetMask>255.255.0.0</SubnetMask>
        <DefaultGateway>10.0.0.1</DefaultGateway>
        <DNSResolver>10.0.0.101</DNSResolver>
      </StaticSettings>
    </IPv4Settings>
  </IPSettings>
</d3c:DCCloneConfig>

Page 24: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Rapid Deployment: Cloning Flow

On the clone VM:
1. NTDS starts and obtains the current VM-GenID.
2. If it differs from the value in the DIT: reset the InvocationID, discard the RID pool.
3. DCCloneConfig.xml available? Then Dcpromo /fixclone runs:
   - Parse DCCloneConfig.xml
   - Configure network settings
   - Locate the PDC
   - Call IDL_DRSAddCloneDC(name, site) on the PDC
   - Save clone state (new name, password, site)
   - Promote as replica (IFM)
   - Run (specific) sysprep providers
   - Reboot

On the Windows Server 2012 PDC, IDL_DRSAddCloneDC:
   - Check authorization
   - Create the new DC object by duplicating the source DC objects (NTDSDSA, Server, Computer instances)
   - Generate the new DC machine account and password

Objects created under the Configuration partition:
CN=Configuration
  CN=Sites
    CN=<site name>
      CN=Servers
        CN=<DC Name>
          CN=NTDS Settings

Page 25: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Rapid Deployment: Cloning Decision Flow

BOOT
  Generation ID available?
    No:  Does DCCloneConfig.xml exist?
           Yes: REBOOT INTO DSRM
           No:  BOOT NORMALLY
    Yes: Has the Generation ID changed?
           No:  Does DCCloneConfig.xml exist?
                  Yes: Rename DCCloneConfig.xml, then BOOT NORMALLY
                  No:  BOOT NORMALLY
           Yes: Does DCCloneConfig.xml exist?
                  Yes: INITIATE CLONING
                  No:  BOOT NORMALLY (with the safeties from the previous slide: InvocationID reset, RID pool discarded)

Page 26: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Cautionary Notes

Only Windows Server 2012 virtual Domain Controllers can be cloned.

Requires the PDC FSMO role holder to be a Windows Server 2012 DC.

Deploying clone DCs on virtualization platforms that don't provide VM-Generation ID will: with DCCloneConfig.xml, cause the clone DC to boot into Directory Services Restore Mode (DSRM); without DCCloneConfig.xml, potentially introduce a USN bubble and duplicate SIDs, which disrupts the Active Directory environment.

Do not change/swap/switch VHDs on existing VMs: the VM-Generation ID does not change in Windows Server 2012 Hyper-V when you do this, so the DC cannot detect that it has been handed an older copy of its database.

Page 27: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Summary

Windows Server 2012 enables a much richer Active Directory virtualization experience: domain controllers can be virtualized without the concerns of the past.

Enables the rapid deployment of domain controllers by leveraging the virtualized platform's native capabilities; saves critical time during forest/domain recovery; trivializes scale-out to meet the needs of the environment.

Page 28: Forbidden fruits of Active Directory  –  Cloning, snapshotting, virtualization

Thank You!

REM: If you now stand up and applaud, we win a crate of beer that we are willing to share with you!!!