
Active Directory Virtualization Safeguards and Domain Controller Cloning with Windows Server 2012


Presentation Transcript


  1. SIA317: Active Directory Virtualization Safeguards and Domain Controller Cloning with Windows Server 2012. Manu Pushpendran, Program Manager, Microsoft Corporation

  2. Agenda
  • Importance of Virtualization in IT
  • Virtualization Challenges with Active Directory Today
  • Enabling a Seamless Virtualized Active Directory Experience in Windows Server 2012
  • Rapid Deployment of Virtual Domain Controllers through Cloning
    • elastic scale, faster disaster recovery, etc.

  3. Agenda
  • Importance of Virtualization in IT
  • Virtualization Challenges with Active Directory Today
  • Enabling a Seamless Virtualized Active Directory Experience in Windows Server 2012
  • Rapid Deployment of Virtual Domain Controllers through Cloning
    • elastic scale, faster disaster recovery, etc.

  4. Importance of Virtualization in IT
  Well-established and still growing trend
  • widely adopted across all market segments
  Often a business decision driven by cost savings
  • fewer machines require less space and power
  • consolidate server hardware for optimal hardware utilization
  … also provides numerous technological conveniences
  Virtualization paves the way toward private-cloud deployments
  • reduces deployment and management complexity
  • offers redundancy and dynamic-scale capabilities

  5. Agenda • Importance of Virtualization in IT • Virtualization Challenges with Active Directory Today • Enabling a Seamless Virtualized Active Directory Experience in Windows Server 2012 • Rapid Deployment of Virtual Domain Controllers through Cloning • elastic scale, faster disaster recovery, etc.

  6. Virtualization of Domain Controllers Pre-Windows Server 2012
  • Pre-Windows Server 2012 DCs have been deployed successfully on virtualization platforms for many years
    • according to a set of well-defined best practices
    • best practices advised against actions that could disrupt Active Directory
  Best-practices guidance cautioned against:
  • applying snapshots on virtual domain controllers
  • exporting a virtual machine that is running a domain controller
  • copying virtual hard disks (VHDs)
  Hypervisor admins are not necessarily aware of Active Directory's requirements or best practices

  7. Virtualization Challenges for Distributed Workloads
  Virtual machines offer snapshot capabilities
  • potentially problematic for distributed applications
  Why?
  • applications experience a logical-clock shift
  • operations happen outside of the OS'/application's awareness
  • the logical clock is used to track updates
    • Active Directory's logical clock is its USN (update sequence number)
    • USNs record the sequence of updates made on each DC
    • the DC is uniquely identified by its InvocationID
  (Figure: a logical clock advancing 0 … 7; a snapshot is taken after 3 and applied after 7, which sends the clock back to 4, so the values 4 … 7 are issued a second time before it reaches 8, 9)

  8. How Domain Controllers are Impacted (1 of 2)
  Timeline of events (DC1 is snapshotted; DC2 replicates from it)
  • TIME T1: create snapshot of DC1. DC1: USN 100, InvocationID A, RID pool 500-1000
  • TIME T2: +100 users added on DC1. DC1: USN 200, ID A, RID pool 600-1000. DC2 receives updates with USNs >100 (DC1(A)@USN = 200)
  • TIME T3: T1 snapshot applied! DC1: USN 100, ID A, RID pool 500-1000
  • TIME T4: +150 more users created on DC1. DC1: USN 250, ID A, RID pool 650-1000. DC2 receives only updates with USNs >200 (DC1(A)@USN = 250)
  Result:
  • USN rollback NOT detected: only 50 users converge across the two DCs
  • all others exist on one DC or the other
  • 100 security principals (users in this example) with RIDs 500-599 have conflicting SIDs

  9. How Domain Controllers are Impacted (2 of 2)
  Impact to replication
  • introduces USN bubbles leading to a (potentially permanent) divergent state causing:
    • lingering objects
    • inconsistent passwords
    • inconsistent attribute values
    • schema mismatches if the Schema FSMO is rolled back
  Potential exists for security principals to be created with duplicate SIDs
  • resulting in unauthorized access to resources for a period of time
  • ultimately, though, the affected users will no longer be able to log on

  10. Agenda • Importance of Virtualization in IT • Virtualization Challenges with Active Directory Today • Enabling a Seamless Virtualized Active Directory Experience in Windows Server 2012 • Rapid Deployment of Virtual Domain Controllers through Cloning • elastic scale, faster disaster recovery, etc.

  11. Safe Domain Controller Virtualization
  Windows Server 2012 virtual DCs are able to detect when:
  • snapshots are applied
  • a VM is copied
  Detection is built on a VM-generation identifier (VM-generation ID)
  • the VM-generation ID changes when features such as VM snapshots are used
  NOTE: taking snapshots is not a supported alternative for backing up virtual domain controllers
  • use Windows Server Backup (or another VSS-writer-based backup solution)

  12. Active Directory's Safe Virtualization Design (1 of 2)
  VM-Generation ID provided by the hypervisor platform
  • a unique 128-bit identifier that guest operating systems and applications can leverage
  • made available to applications through a Windows Server 2012 driver
  Windows Server 2012 virtual DCs track the VM-Generation ID
  • allows the DC to detect changes and protect Active Directory

  13. Active Directory's Safe Virtualization Design (2 of 2)
  VM-Generation ID stored in the Active Directory database (DIT)
  • non-replicated attribute stored on the DC's computer object
  Before committing updates to the local DIT, domain controllers will:
  • compare the VM-Generation ID in the DIT against the real-time VM-Generation ID from the driver
  • if different → reset the DC's invocation ID and invalidate the RID pool → commit the update
  How are FSMOs handled when an earlier snapshot rolls a DC back in time?
  • FSMO role holders delay servicing FSMO functions until a replication cycle is completed
  • similar to the feature introduced in Windows Server 2003 known as initial synchronization (INITSYNC)
  During machine boot
  • compare the VM-Generation ID in the DIT against the VM-Generation ID from the driver
  • if different → reset the DC's invocation ID and invalidate the RID pool

  14. Virtual Machine Generation ID semantics
  If a virtualization operation WILL cause an Active Directory execution context (the metadata from a previous point in time) to be re-executed/re-used
  • the virtualization system MUST provide a new generation ID
  If a virtualization operation WILL NOT cause an Active Directory execution context to be re-executed/re-used
  • the virtualization system MUST NOT provide a new generation ID
  If it is unclear whether a virtualization operation will cause an Active Directory execution context to be re-executed/re-used
  • the virtualization system MUST provide a new generation ID

  15. Safe Virtualization Design using VM-Generation ID
  Timeline of events (DC1 is snapshotted; DC2 replicates from it)
  • TIME T1: create snapshot of DC1. DC1: USN 100, ID A, savedVMGID G1, VMGID G1
  • TIME T2: +100 users added. DC1: USN 200, ID A, savedVMGID G1, VMGID G1. DC2 receives updates with USNs >100 (DC1(A)@USN = 200)
  • TIME T3: T1 snapshot applied! DC1: USN 100, ID A, savedVMGID G1, VMGID G2
  • TIME T4: +150 users created; VM-generation ID difference detected → EMPLOY SAFETIES. DC1: ID B, savedVMGID G2, VMGID G2, USNs 101-250 issued under the new ID (DC1@USN = 250). DC2's watermark for the old ID stays at DC1(A)@USN = 200, so it again accepts updates with USNs >100 from DC1(B), and the missing users replicate back to DC1
  Result: USN re-use avoided and USN rollback PREVENTED: all 250 users converge correctly across both DCs
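  The two timelines (slide 8 without the safeguard, slide 15 with it) can be replayed in a small model. The following PowerShell is an added illustration, not code from the deck or from Microsoft: two DCs replicate by (originating invocationID, USN) watermarks, DC1 is snapshotted and rolled back, and the run is repeated with the slide 13 safety switched on. The labels DC1, DC2, A, G1 and G2 are the slides' own; the RID master, the user names and the new-pool arithmetic are constructed for the model.

```powershell
# Added illustration (not Microsoft code): a toy model of two DCs that replicate
# by (originating invocationID, USN) watermarks. Run once without and once with
# the VM-Generation ID safety from slides 13 and 15; the object counts follow
# the timelines on slides 8 and 15.

function New-Dc {
    param([string]$Name, [string]$InvocationId, [string]$VmGenId)
    [pscustomobject]@{
        Name           = $Name
        InvocationId   = $InvocationId
        Usn            = 100                      # snapshot point on the slides
        SavedVmGenId   = $VmGenId                 # value stored in the DIT
        CurrentVmGenId = $VmGenId                 # value the hypervisor driver reports
        NextRid        = 500                      # RID pool 500-1000 as on slide 8
        RidPoolEnd     = 1000
        Objects        = @{}                      # user name -> RID (stands in for the SID)
        Changes        = New-Object System.Collections.ArrayList   # originating (invocationID, USN, name, RID)
        Watermarks     = @{}                      # originating invocationID -> highest USN already applied
    }
}

function Save-Snapshot {
    param($Dc)
    @{ Usn = $Dc.Usn; NextRid = $Dc.NextRid; RidPoolEnd = $Dc.RidPoolEnd; InvocationId = $Dc.InvocationId
       SavedVmGenId = $Dc.SavedVmGenId; Objects = $Dc.Objects.Clone(); Changes = $Dc.Changes.Clone()
       Watermarks = $Dc.Watermarks.Clone() }
}

function Restore-Snapshot {
    # Applying a snapshot rolls the guest state back; a conforming hypervisor
    # (slide 14) hands the VM a new generation ID at the same time.
    param($Dc, $Snapshot, [string]$NewVmGenId)
    foreach ($key in $Snapshot.Keys) { $Dc.$key = $Snapshot[$key] }
    $Dc.CurrentVmGenId = $NewVmGenId
}

function Invoke-VmGenIdSafety {
    # Slide 13: before committing, compare the stored and live generation IDs;
    # on a mismatch retire the invocationID and discard the RID pool.
    param($Dc, $RidMaster)
    if ($Dc.SavedVmGenId -eq $Dc.CurrentVmGenId) { return }
    $Dc.Watermarks[$Dc.InvocationId] = $Dc.Usn   # the old ID is now just a peer: accept its later USNs from others
    $Dc.InvocationId = $Dc.InvocationId + "'"    # toy; a real DC generates a new GUID
    $Dc.NextRid      = $RidMaster.NextPoolStart  # fresh pool from the (constructed) RID master
    $Dc.RidPoolEnd   = $RidMaster.NextPoolStart + 499
    $RidMaster.NextPoolStart += 500
    $Dc.SavedVmGenId = $Dc.CurrentVmGenId
}

function Add-Users {
    param($Dc, [int]$Count, [string]$Prefix, [switch]$Safety, $RidMaster)
    if ($Safety) { Invoke-VmGenIdSafety -Dc $Dc -RidMaster $RidMaster }
    for ($i = 1; $i -le $Count; $i++) {
        if ($Dc.NextRid -gt $Dc.RidPoolEnd) { throw "RID pool exhausted on $($Dc.Name)" }
        $Dc.Usn = $Dc.Usn + 1
        $rid = $Dc.NextRid
        $Dc.NextRid = $rid + 1
        $name = "$Prefix-user-$i"
        $Dc.Objects[$name] = $rid
        [void]$Dc.Changes.Add([pscustomobject]@{ InvocationId = $Dc.InvocationId; Usn = $Dc.Usn; Name = $name; Rid = $rid })
    }
}

function Sync-Dc {
    # Pull replication: apply every change whose originating USN lies above the
    # watermark the destination holds for that originating invocationID.
    param($Destination, $Source)
    foreach ($change in @($Source.Changes)) {
        if ($change.InvocationId -eq $Destination.InvocationId) { continue }  # our own writes
        $seen = $Destination.Watermarks[$change.InvocationId]
        if ($null -eq $seen) { $seen = 0 }
        if ($change.Usn -le $seen) { continue }   # believed already applied: this is the rollback hole
        $Destination.Objects[$change.Name] = $change.Rid
        [void]$Destination.Changes.Add($change)
        $Destination.Watermarks[$change.InvocationId] = $change.Usn
    }
}

function Invoke-Scenario {
    param([switch]$Safety)
    $ridMaster = @{ NextPoolStart = 1000 }
    $dc1 = New-Dc -Name DC1 -InvocationId A -VmGenId G1
    $dc2 = New-Dc -Name DC2 -InvocationId Z -VmGenId G9   # DC2 is never rolled back
    $t1 = Save-Snapshot -Dc $dc1                                                     # T1: create snapshot
    Add-Users -Dc $dc1 -Count 100 -Prefix t2 -Safety:$Safety -RidMaster $ridMaster   # T2: +100 users
    Sync-Dc -Destination $dc2 -Source $dc1
    Restore-Snapshot -Dc $dc1 -Snapshot $t1 -NewVmGenId G2                           # T3: T1 snapshot applied
    Add-Users -Dc $dc1 -Count 150 -Prefix t4 -Safety:$Safety -RidMaster $ridMaster   # T4: +150 users
    Sync-Dc -Destination $dc2 -Source $dc1
    Sync-Dc -Destination $dc1 -Source $dc2
    $union = @{}
    foreach ($dc in $dc1, $dc2) { foreach ($entry in $dc.Objects.GetEnumerator()) { $union[$entry.Key] = $entry.Value } }
    [pscustomobject]@{
        Safety        = [bool]$Safety
        DC1Users      = $dc1.Objects.Count
        DC2Users      = $dc2.Objects.Count
        Converged     = @($dc1.Objects.Keys | Where-Object { $dc2.Objects.ContainsKey($_) }).Count
        DuplicateRids = @($union.Values | Group-Object | Where-Object { $_.Count -gt 1 }).Count
    }
}

Invoke-Scenario            # compare with slide 8
Invoke-Scenario -Safety    # compare with slide 15
```

  The unsafe run reproduces the slide 8 outcome (DC2 silently skips USNs 101-200 the second time they are issued, and the re-issued RIDs 500-599 collide), the safe run the slide 15 outcome: because the retired invocationID A keeps its watermark on DC2 while the new ID B starts from zero, nothing is skipped, and the fresh RID pool keeps every SID unique.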

  16. Agenda • Importance of Virtualization in IT • Virtualization Challenges with Active Directory Today • Enabling a Seamless Virtualized Active Directory Experience in Windows Server 2012 • Rapid Deployment of Virtual Domain Controllers through Cloning • elastic scale, faster disaster recovery, etc.

  17. Active Directory Disaster Recovery Experience pre-Windows Server 2012
  (Figure: forest contoso.com with child domains corp.contoso.com, asia.corp.contoso.com and europe.corp.contoso.com; the same three steps are repeated in every domain)
  • First domain controller (DC1) restored using the latest server backup
  • Second domain controller (DC2) deployed from a SYSPREP'ed server image and promoted as a new domain controller
  • Subsequent domain controllers (DC3, …) deployed from a SYSPREP'ed server image and promoted as new domain controllers

  18. Leveraging Virtualization During Disaster Recovery
  Requires one replica DC per domain that MUST be hosted on a VM-generation-ID-aware virtual platform
  • used to seed the recovery process
  Additional replicas provisioned through cloning
  • by copying the virtual DC's VHD/VM to quickly scale out and restore functionality

  19. DR Experience with Windows Server 2012
  (Figure: the same forest as on slide 17; two steps per domain)
  • First domain controller (DC1) restored using the latest server backup
  • Second and subsequent domain controllers (DC2, DC3, …) deployed from a clone of DC1

  20. Rapid Deployment of Virtualized Replica DCs
  Note we use the term replica
  • because you can't deploy the first DC in a domain through cloning
  Promote and configure ONLY once
  • create additional replicas by copying VMs/VHDs
  Easier and faster to deploy replica DCs
  Minimizes dependencies/interactions between hypervisor administrators and Active Directory administrators when deploying DCs
  • authorization remains under the Active Directory administrator's control

  21. Some Additional Scenarios
  New HQ or branch-office deployments
  Elastic provisioning capability to support:
  • increased authentication demands to accommodate growth or anticipated spikes
  • increased application load
  • private-cloud capabilities
  Setting up test labs
  • the usual requirements and caveats still apply
  • i.e. ensure the resulting test environment remains isolated, forever!

  22. Procedure to Deploy a Replica DC using Cloning
  Prepare source media
  • Identify a suitable source virtual DC
  • Authorize the source DC by adding it to the 'Cloneable Domain Controllers' group
    • pre-provisioned with a Control Access Right (CAR) on the domain-NC object (domain head)
  • Run New-ADDCCloneConfigFile
    • verifies prerequisites, e.g. the PDC FSMO is running Windows Server 2012 (more later on this)
    • verifies authorization (by checking group membership)
    • lets you specify name, IP address, DNS servers, site, etc.
    • provide an empty file to auto-generate values
    • sample file provided in box at %windir%\system32\SampleDCCloneConfig.xml
    • schema file provided in box at %windir%\system32\DCCloneConfigSchema.xsd
  • Run Get-ADDCCloningExcludedApplicationList [-GenerateXML]
  • Shut down and export the source DC
  • Restart the source DC
  • Import the clone of the source DC as many times as desired and start the clone VMs

  23. DCCloneConfig.xml sample
  <?xml version="1.0"?>
  <d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
    <ComputerName>VirtualDC3</ComputerName>
    <SiteName>REDMOND</SiteName>
    <IPSettings>
      <IPv4Settings>
        <StaticSettings>
          <Address>10.0.0.115</Address>
          <SubnetMask>255.255.0.0</SubnetMask>
          <DefaultGateway>10.0.0.1</DefaultGateway>
          <DNSResolver>10.0.0.101</DNSResolver>
        </StaticSettings>
      </IPv4Settings>
    </IPSettings>
  </d3c:DCCloneConfig>

  24. Services/Programs supported for cloning
  Limited set of programs and services supported on the source DC out of the box
  Commonplace Windows Server 2012 services co-located with DCs are supported:
  • e.g. DNS, FRS, DFSR
  • listed in DefaultDCCloneAllowList.xml located in %windir%\system32\
  Run Get-ADDCCloningExcludedApplicationList on the source domain controller
  • confirm the resulting services and programs (if any) are suitable for cloning, i.e.
    • does the service or program rely on machine identity, such as account, name, password? Test!
    • does the service or program store state locally that might affect its functionality on the clone? Test!
  • add supported services and programs to the admin-extensible 'Allowed List' using the -GenerateXML switch
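  The preparation steps on slides 22 to 24 fit into two functions, one run on the source DC and one on the Hyper-V host. This PowerShell is an added example, not a script from the deck or from Microsoft; it uses only the ActiveDirectory and Hyper-V cmdlets named on the slides or shipped with Windows Server 2012. The computer names, export path and VM names are lab placeholders; the clone name, site and IP values are the ones in the slide 23 sample file, and the Windows Server 2012 export folder layout is an assumption.

```powershell
# Added example (not from the deck): slides 22-24 as two functions.
# Initialize-CloneSource runs in an elevated PowerShell on the source virtual DC;
# New-DcCloneVm runs on the Hyper-V host. Names, addresses and paths are
# placeholders (the clone values come from the slide 23 sample).
Import-Module ActiveDirectory

function Initialize-CloneSource {
    param(
        [string]$SourceDc  = $env:COMPUTERNAME,
        [string]$CloneName = 'VirtualDC3',
        [string]$SiteName  = 'REDMOND',
        [string]$CloneIp   = '10.0.0.115'
    )
    # Slide 31: the PDC emulator must itself be a Windows Server 2012 DC.
    $pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
    if ($pdc.OperatingSystem -notlike 'Windows Server 2012*') {
        throw "PDC emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)'; cloning needs Windows Server 2012"
    }

    # Slide 22: authorization is group membership; the group already carries the
    # control access right on the domain head, so no ACL editing is needed.
    $group = Get-ADGroup -Identity 'Cloneable Domain Controllers'
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $SourceDc)

    # Slide 24: anything listed here is on neither DefaultDCCloneAllowList.xml
    # nor CustomDCCloneAllowList.xml. Review and test each entry first; only then
    # write the custom list with: Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
    $excluded = @(Get-ADDCCloningExcludedApplicationList)
    if ($excluded.Count -gt 0) {
        $excluded | Format-Table -AutoSize | Out-String | Write-Warning
        throw 'Unreviewed services/programs on the source DC; resolve before cloning'
    }

    # Slides 22/23: write DCCloneConfig.xml. With no -Path it lands in the DIT
    # folder, the first location in the slide 25 precedence list. The cmdlet
    # re-checks the prerequisites and the group membership before writing.
    New-ADDCCloneConfigFile -CloneComputerName $CloneName -SiteName $SiteName -Static `
        -IPv4Address $CloneIp -IPv4SubnetMask '255.255.0.0' `
        -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.101'
}

function New-DcCloneVm {
    # Slide 22, last three steps: shut down and export the source, restart it,
    # then import the export as a copy with a new VM ID and start the clone.
    param([string]$SourceVm, [string]$ExportPath, [string]$CloneVm)
    Import-Module Hyper-V
    Stop-VM -Name $SourceVm
    Export-VM -Name $SourceVm -Path $ExportPath
    Start-VM -Name $SourceVm      # the source resumes service; its generation ID is unchanged, so it renames its own DCCloneConfig.xml on boot (slide 29)
    # Assumed export layout: <ExportPath>\<VM>\Virtual Machines\<id>.xml (.vmcx on later hosts)
    $vmConfig = Get-ChildItem -Path (Join-Path $ExportPath $SourceVm) -Recurse -Include '*.xml', '*.vmcx' |
        Where-Object { $_.Directory.Name -eq 'Virtual Machines' } | Select-Object -First 1
    $clone = Import-VM -Path $vmConfig.FullName -Copy -GenerateNewId   # new VM ID: the clone boots with a new generation ID
    Rename-VM -VM $clone -NewName $CloneVm
    Start-VM -VM $clone
    return $clone
}

# On the source DC:    Initialize-CloneSource -CloneName VirtualDC3 -CloneIp 10.0.0.115
# On the Hyper-V host: New-DcCloneVm -SourceVm VirtualDC1 -ExportPath D:\Exports -CloneVm VirtualDC3
```

  Because the DCCloneConfig.xml inside the exported disk names the clone, importing the same export twice with this file yields two clones that both want the name VirtualDC3; for several clones from one export either write an empty DCCloneConfig.xml so that values are auto-generated (slide 22) or supply a distinct file to each clone on removable media (slide 25).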

  25. File Locations and Precedence
  DCCloneConfig.xml
  • DIT folder
  • %windir%\NTDS
  • Root of any and all removable media (ordered by drive letter)
  CustomDCCloneAllowList.xml
  • Registry: HKLM\System\CurrentControlSet\Services\NTDS\Parameters: AllowListFolder
  • DIT folder
  • %windir%\NTDS
  • Root of removable media (ordered by drive letter)

  26. demo Domain Controller Cloning

  27. Demonstration of Domain Controller Cloning
  (Figure: a Hyper-V host running Source, PDC, Clone1, Clone2 and Clone3 in the demo.lab domain)

  28. Virtual DC Cloning Design Review
  • Uses the VM-generation ID to detect and trigger the process
  • Relies on the presence of the DCCloneConfig file to indicate cloning intent
    • … and to distinguish cloning from the application of a snapshot
  • Creates a new machine identity
    • calls SYSPREP providers for select components to clean up machine state
  • Uses the source machine identity for authorization
  • Resets the database identifier (invocationID) to ensure replication convergence
  • Invalidates the RID pool, eliminating the potential for duplicate SIDs
  • Discards FSMO ownership if the source held any FSMO roles

  29. Rapid Deployment: Cloning Decision Flow
  (Flowchart, reconstructed from its labels; every path starts at BOOT)
  • Generation ID not available
    • Does DCCloneConfig.xml exist? Yes → REBOOT INTO DSRM
    • No → BOOT NORMALLY
  • Generation ID available; has Generation ID changed? No
    • Does DCCloneConfig.xml exist? Yes → Rename DCCloneConfig.xml → BOOT NORMALLY
    • No → BOOT NORMALLY
  • Generation ID available; has Generation ID changed? Yes
    • Does DCCloneConfig.xml exist? Yes → INITIATE CLONING
    • No → BOOT NORMALLY
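  The boot-time decision on slide 29 and the DCCloneConfig.xml lookup order on slide 25 can be written out as plain functions so that every branch is visible in one table. This PowerShell is an added illustration, not code from the deck or from NTDS itself: a real DC performs these checks inside the directory service at startup, and the live VM-Generation ID comes from the driver rather than from any cmdlet, so Get-DcBootDecision takes the three answers as parameters. Find-DcCloneConfig and Get-StoredGenerationId are constructed helper names; the attribute msDS-GenerationId is the non-replicated attribute from slide 13.

```powershell
# Added illustration (not Microsoft code): the slide 29 decisions and the
# slide 25 lookup order as functions. Find-DcCloneConfig and
# Get-StoredGenerationId are constructed helpers, not NTDS internals.

function Find-DcCloneConfig {
    # Slide 25 precedence: DIT folder (%windir%\NTDS by default), then the root
    # of every removable drive, ordered by drive letter. The first hit wins.
    param([string]$DitFolder = (Join-Path $env:windir 'NTDS'))
    $candidates = @(Join-Path $DitFolder 'DCCloneConfig.xml')
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | Sort-Object DeviceID
    foreach ($drive in $removable) { $candidates += Join-Path "$($drive.DeviceID)\" 'DCCloneConfig.xml' }
    foreach ($path in $candidates) { if (Test-Path -LiteralPath $path) { return $path } }
    return $null
}

function Get-StoredGenerationId {
    # msDS-GenerationId is the non-replicated attribute on the DC's computer
    # object (slide 13); returned as hex, or $null if it was never written.
    param([string]$DcName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory
    $bytes = (Get-ADComputer -Identity $DcName -Properties 'msDS-GenerationId').'msDS-GenerationId'
    if ($null -eq $bytes) { return $null }
    return [System.BitConverter]::ToString([byte[]]$bytes)
}

function Get-DcBootDecision {
    param(
        [bool]$GenerationIdAvailable,   # does the platform expose a VM-Generation ID?
        [bool]$GenerationIdChanged,     # does the live value differ from the one in the DIT?
        [bool]$CloneConfigPresent       # did Find-DcCloneConfig return a path?
    )
    if (-not $GenerationIdAvailable) {
        # Slide 31: cloning intent on a platform without VM-Generation ID is refused
        if ($CloneConfigPresent) { return 'REBOOT INTO DSRM' }
        return 'BOOT NORMALLY'
    }
    if (-not $GenerationIdChanged) {
        # Same VM as before (e.g. the source DC restarting after export): the
        # file is a leftover, not an intent to clone
        if ($CloneConfigPresent) { return 'RENAME DCCloneConfig.xml; BOOT NORMALLY' }
        return 'BOOT NORMALLY'
    }
    if ($CloneConfigPresent) { return 'INITIATE CLONING' }
    # Snapshot applied or VM copied without cloning intent: slide 13 safeties
    return 'BOOT NORMALLY (reset invocationID, discard RID pool)'
}

# Tabulate every reachable combination (a changed ID presupposes an available one)
$cases = @(
    @{ Available = $false; Changed = $false; Config = $true  },
    @{ Available = $false; Changed = $false; Config = $false },
    @{ Available = $true;  Changed = $false; Config = $true  },
    @{ Available = $true;  Changed = $false; Config = $false },
    @{ Available = $true;  Changed = $true;  Config = $true  },
    @{ Available = $true;  Changed = $true;  Config = $false }
)
foreach ($c in $cases) {
    [pscustomobject]@{
        GenIdAvailable = $c.Available
        GenIdChanged   = $c.Changed
        CloneConfig    = $c.Config
        Decision       = Get-DcBootDecision -GenerationIdAvailable $c.Available -GenerationIdChanged $c.Changed -CloneConfigPresent $c.Config
    }
}
```

  The table makes the one dangerous row obvious: a DCCloneConfig.xml on a host that exposes no generation ID ends in DSRM rather than in a clone, which is the case slide 31 warns about, while a changed generation ID without the file is the ordinary snapshot-safety path and never starts cloning.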

  30. Rapid Deployment: Cloning Flow
  (Flow diagram with two lanes, Clone VM and PDC (labelled Windows 8 on the slide), reconstructed from its labels)
  Clone VM:
  • NTDS starts; obtain the current VM-GenID; if it differs from the value in the DIT: is DCCloneConfig.xml available?
  • Parse DCCloneConfig.xml
  • Reset InvocationID, discard the RID pool
  • Locate the PDC and call IDL_DRSAddCloneDC(name, site)
  • Save the clone state (new name, password, site)
  • Run (specific) sysprep providers; reboot
  • Dcpromo /fixclone: configure network settings, promote as replica (IFM)
  PDC (servicing IDL_DRSAddCloneDC):
  • Check authorization
  • Create the new DC object by duplicating the source DC objects (NTDSDSA, Server, Computer instances):
    CN=Configuration
    |--CN=Sites
       |---CN=<site name>
           |---CN=Servers
               |---CN=<DC Name>
                   |---CN=NTDS Settings
  • Generate a new DC machine account and password

  31. Cautionary Notes
  Only Windows Server 2012 virtual domain controllers can be cloned
  Requires the PDC FSMO to be a Windows Server 2012 DC
  Deploying clone DCs on virtualization platforms that don't provide a VM-Generation ID will:
  • with DCCloneConfig: cause the clone DC to boot into Directory Services Restore Mode (DSRM)
  • without DCCloneConfig: potentially introduce a USN bubble and duplicate SIDs
    • disrupts the Active Directory environment
  Do not change/swap/switch VHDs on existing VMs
  • the VM-Generation ID does not change in Windows Server 2012 Hyper-V
  • operational semantics don't cover this scenario, yet

  32. Summary
  Windows Server 2012 enables a much richer Active Directory virtualization experience
  • domain controllers can be virtualized without the concerns of the past
  Enables the rapid deployment of domain controllers by leveraging the virtualized platform's native capabilities
  • saves critical time during forest/domain recovery
  • trivializes scale-out to meet the needs of the environment

  33. Related Content
  Breakout Sessions
  • SIA312 What's New in Active Directory in Windows Server 2012
  • SIA404 Deep Dive on Windows Server Active Directory PowerShell
  • SIA319 The Evolution of Active Directory Recovery
  • SIA402 How to (un)Destroy Your Active Directory: Reloaded
  • SIA207 Windows Server 2012 Dynamic Access Control Overview
  • SIA341 Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies
  Hands-on Labs
  • SIA11-HOL Windows Server 2012 Active Directory Deployment and Management Enhancements
  • SIA21-HOL Using Dynamic Access Control to Automatically and Centrally Secure Data in Windows Server 2012
  Find Me Later At
  • Windows Server 2012 Active Directory and Dynamic Access Control booth
  • manupu@microsoft.com

  34. SIA, WSV, and VIR Track Resources
  • #TE(sessioncode)
  • Talk to our Experts at the TLC
  • Hands-On Labs
  • DOWNLOAD Windows Server 2012 Release Candidate: microsoft.com/windowsserver
  • DOWNLOAD Windows Azure: windowsazure.com/teched

  35. MS Tag Scan the Tag to evaluate this session now on myTechEd Mobile

  36. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
