Hi,

it’s been a while that I was able to write a blog post (busy, busy, busy). But since I’ve got a little spare time left, I couldn’t resist to talk to you about a feature that I’m actually very excited about.

As most of you know by now, Windows 8 will bring a lot of (good) changes to us. Not only will we be getting Hyper-V 3.0 but also some other enhancements under the hood.

I previously blogged about some changes in Windows 8 Active Directory and today I would like to add something to that list: support for cloning and snapshotting a Domain Controller.

USN Rollback

Currently, snapshotting a virtualized Domain Controller is not possible because reverting to a snapshot you’ve taken earlier would cause a so-called USN rollback.

If you want more information on what that is, take a look here: USN and USN Rollback

Generation ID

The ability to support both snapshotting/cloning isn’t an accomplishment solely from Windows 8. It also needs a new functionality from the Hypervisor that it’s running on: Generation ID. Unfortunately, there is not much (public) information out there on this new functionality…

The Generation ID is an attribute that is generated by the Hypervisor to indicate the version of the VM that is running. If you apply an older snapshot, that ID needs to get updated/changed as well. Windows 8 will leverage this functionality and “copy” the value of the Generation ID into a new AD-attribute: ms-ds-Generation-ID. This value will be stored locally on the server. Before carrying out any transactions (e.g. due to replication), the DC will check the value stored in the VM (ms-ds-Generation-ID) with the value that Hyper-V has stored. If the value is the same, the transactions is carried out. However, if the value is different, the DC assumes it has been reset to an older state and will not carry out that transaction. Instead it will change it’s Invocation ID (more info in the “USN and USN Rollback”-article); notifying other DCs that it is on a previous version. What happens next is quite similar as to what happens if you do a restore of AD from a backup.

Currently only Hyper-V supports the Generation ID attribute, but Microsoft is working on getting this available throughout other hypervisors (like ESX, XenServer,…) as well.

Note: I found an interesting article on the internet (in German) that states if a difference in the Generation ID is detected, the DC will also take some other actions to make sure that it will not service any client requests until it is back up-to-date. However; I wasn’t able to verify that information. Nonetheless, what is described there seems quite logical to me and I don’t have any reasons to believe the information would be wrong:

http://www.faq-o-matic.net/2011/12/05/ad-in-windows-server-8-was-wahrscheinlich-kommt/

See you later!

Michael