Virtualizing Domain Controllers using Hyper-V

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This topic will be updated to make the guidance applicable to Windows Server 2016. Windows Server 2012 introduced many improvements for virtualized domain controllers (DCs), including safeguards to prevent USN rollback on virtual DCs and the ability to clone virtual DCs. For more information about these improvements, see Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100).

Hyper-V consolidates different server roles onto a single physical computer. This guide describes running domain controllers as 32-bit or 64-bit guest operating systems.

Planning to Virtualize Domain Controllers

This section covers hardware requirements for a Hyper-V server, how to avoid single points of failure, how to select the appropriate configuration for your Hyper-V servers and virtual machines, and security and performance decisions.

Hyper-V requirements

To install and use the Hyper-V role, you must have the following:

  • An x64 processor
    • Hyper-V is available in x64-based versions of Windows Server 2008 or later.
  • Hardware-assisted virtualization
    • This feature is available in processors that include a virtualization option, specifically Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V).
  • Hardware Data Execution Prevention (DEP)
    • Hardware DEP must be available and enabled. Specifically, you must enable the Intel XD bit (execute disable bit) or the AMD NX bit (no execute bit).

Avoid creating single points of failure

You should try to avoid creating potential single points of failure when you plan your virtual domain controller deployment. You can avoid introducing them by implementing system redundancy. For example, consider the following recommendations, keeping in mind the potential increase in the cost of administration:

  1. Run at least two virtualized domain controllers per domain on different virtualization hosts. This reduces the risk of losing all domain controllers if a single virtualization host fails.
  2. As recommended for other technologies, diversify the hardware (different CPUs, motherboards, network adapters, or other hardware) on which the domain controllers run. Hardware diversification limits the damage that a malfunction specific to a vendor configuration, a driver, or a single piece or type of hardware can cause.
  3. If possible, run domain controllers on hardware located in different regions of the world. This reduces the impact of a disaster or failure that affects a site at which domain controllers are hosted.
  4. Maintain physical domain controllers in each of your domains. This mitigates the risk of a virtualization platform malfunction that affects all host systems that use that platform.

Security considerations

The host computer on which virtual domain controllers run must be managed as carefully as a writeable domain controller, even if that computer is only a domain-joined or workgroup computer. This is an important security consideration. A mismanaged host is vulnerable to an elevation-of-privilege attack, in which a malicious user gains access and system privileges that were not authorized or legitimately assigned. A malicious user can use this type of attack to compromise all the virtual machines, domains, and forests that the computer hosts.

Be sure to keep the following security considerations in mind when you plan to virtualize domain controllers:

  • The local administrator of a computer that hosts virtual, writeable domain controllers should be considered equivalent in credentials to the default domain administrator of all the domains and forests that those domain controllers belong to.
  • The recommended configuration to avoid security and performance issues is a host running a Server Core installation of Windows Server 2008 or later, with no applications other than Hyper-V. This configuration limits the number of applications and services installed on the server, which should result in increased performance and fewer applications and services that could be maliciously exploited to attack the computer or network. The effect of this type of configuration is known as a reduced attack surface. In a branch office or other location that cannot be satisfactorily secured, a read-only domain controller (RODC) is recommended. If a separate management network exists, we recommend that the host be connected only to the management network.
  • You can use BitLocker with your domain controllers. Since Windows Server 2016, you can use the virtual TPM feature to give the guest the key material it needs to unlock the system volume.
  • Guarded fabric and shielded VMs can provide additional controls to protect your domain controllers.

For information about RODCs, see Read-Only Domain Controller Planning and Deployment Guide.

For more information about securing domain controllers, see Best Practice Guide for Securing Active Directory Installations.

Security boundaries for different host and guest configurations

Using virtual machines makes it possible to have many different configurations of domain controllers. Careful consideration must be given to the way that virtual machines affect boundaries and trusts in your Active Directory topology. Possible configurations for an Active Directory domain controller and host (Hyper-V server) and its guest computers (virtual machines running on the Hyper-V server) are described in the following table.

Machine   Configuration 1                 Configuration 2
Host      Workgroup or member computer    Workgroup or member computer
Guest     Domain controller               Workgroup or member computer

Security boundaries diagram

  • The administrator on the host computer has the same access as a domain administrator on the writable domain controller guests and must be treated as such. In the case of an RODC guest, the administrator of the host computer has the same access as a local administrator on the guest RODC.
  • A domain controller in a virtual machine has administrative rights on the host if the host is joined to the same domain. There is an opportunity for a malicious user to compromise all virtual machines if the malicious user first gains access to Virtual Machine 1. This is known as an attack vector. If there are domain controllers for multiple domains or forests, these domains should have centralized administration in which the administrator of one domain is trusted on all domains.
  • The opportunity for attack from Virtual Machine 1 exists even if Virtual Machine 1 is installed as an RODC. Although an administrator of an RODC does not explicitly have domain administrator rights, the RODC can be used to send policies to the host computer. These policies might include startup scripts. If this operation is successful, the host computer can be compromised, and it can then be used to compromise the other virtual machines on the host computer.

Security of VHD files

A VHD file of a virtual domain controller is equivalent to the physical hard drive of a physical domain controller. As such, it should be protected with the same care that goes into securing the hard drive of a physical domain controller. Make sure that only reliable and trusted administrators are allowed access to the domain controller's VHD files.

RODCs

One benefit of RODCs is the ability to place them at locations where physical security cannot be guaranteed, such as branch offices. You can use Windows BitLocker Drive Encryption to protect the VHD files themselves (not the file systems within them) from being compromised on the host through theft of the physical disk.

Performance

With the new microkernel 64-bit architecture, there are significant increases in Hyper-V performance over previous virtualization platforms. For best host performance, the host should be a Server Core installation of Windows Server 2008 or later, and it should not have server roles other than Hyper-V installed.

Performance of virtual machines depends specifically on the workload. To guarantee satisfactory Active Directory performance, test specific topologies. Assess the current workload over a period of time with a tool such as the Reliability and Performance Monitor (Perfmon.msc) or the Microsoft Assessment and Planning (MAP) toolkit. The MAP tool can also be valuable if you want to take an inventory of all of the servers and server roles that currently exist in your network.

To get a general idea of the performance of virtualized domain controllers, the following performance tests were carried out with the Active Directory Performance Testing Tool (ADTest.exe).

Lightweight Directory Access Protocol (LDAP) tests were run on a physical domain controller with ADTest.exe and then on a virtual machine that was hosted on a server identical to the physical domain controller. Only one logical processor was used for the physical computer, and only one virtual processor was used for the virtual machine, to easily reach 100-percent CPU utilization. In the following table, the letter and number in parentheses after each test indicate the specific test in ADTest.exe. As this data shows, virtualized domain controller performance was 88 to 98 percent of the physical domain controller performance.

Measurement            Test                                                 Physical   Virtual   Delta
Searches/sec           Search for common name in base scope (L1)            11508      10276     -10.71%
Searches/sec           Search for a set of attributes in base scope (L2)    10123      9005      -11.04%
Searches/sec           Search for all attributes in base scope (L3)         1284       1242      -3.27%
Searches/sec           Search for common name in subtree scope (L6)         8613       7904      -8.23%
Successful binds/sec   Perform fast binds (B1)                              1438       1374      -4.45%
Successful binds/sec   Perform simple binds (B2)                            611        550       -9.98%
Successful binds/sec   Use NTLM to perform binds (B5)                       1068       1056      -1.12%
Writes/sec             Write multiple attributes (W2)                       6467       5885      -9.00%

To ensure satisfactory performance, integration components (IC) were installed to let the guest operating system use "enlightenments," or hypervisor-enlightened synthetic drivers. During the installation process, it may be necessary to use emulated Integrated Drive Electronics (IDE) or network adapter drivers. In production environments, you should replace these emulated drivers with synthetic drivers to increase performance.

When you monitor performance of virtual machines with Reliability and Performance Monitor (Perfmon.msc), the CPU information reported within the virtual machine will not be entirely accurate because of the way the virtual CPU is scheduled on the physical processor. When you want to obtain CPU information for a virtual machine that is running on a Hyper-V server, use the Hyper-V Hypervisor Logical Processor counters in the host partition.

For more information about performance tuning of both AD DS and Hyper-V, see Performance Tuning Guidelines for Windows Server 2016.

Also, do not plan to use a differencing disk VHD on a virtual machine that is configured as a domain controller, because a differencing disk VHD can reduce performance. To learn more about Hyper-V disk types, including differencing disks, see New Virtual Hard Disk Wizard.

For additional information regarding AD DS in virtual hosting environments, see Things to consider when you host Active Directory domain controllers in virtual hosting environments in the Microsoft Knowledge Base.

Deployment Considerations for Virtualized Domain Controllers

There are several common virtual machine practices that you should avoid when you deploy domain controllers, and special considerations for time synchronization and storage.

Virtualization deployment practices to avoid

Virtualization platforms, such as Hyper-V, offer a number of convenience features that make managing, maintaining, backing up, and migrating computers easier. However, the following common deployment practices and features should not be used for virtual domain controllers:

  • To ensure durability of Active Directory writes, do not deploy a virtual domain controller's database files (the Active Directory database (NTDS.DIT), logs and SYSVOL) on virtual IDE disks. Instead, create a second VHD attached to a virtual SCSI controller and ensure that the database, logs, and SYSVOL are placed on the virtual machine's SCSI disk during domain controller installation.

  • Do not implement differencing disk virtual hard disks (VHDs) on a virtual machine that you are configuring as a domain controller. This makes it too easy to revert to a previous version, and it also decreases performance. For more information about VHD types, see New Virtual Hard Disk Wizard.

  • Do not deploy new Active Directory domains and forests on a copy of a Windows Server operating system that was not first prepared using the System Preparation tool (Sysprep). For more information about running Sysprep, see Sysprep (System Preparation) Overview.

    Warning

    Running Sysprep on a domain controller is not supported.

  • To help prevent a potential update sequence number (USN) rollback situation, do not use copies of a VHD file that represents an already deployed domain controller to deploy additional domain controllers. For more information about USN rollback, see USN and USN Rollback.

    • Windows Server 2012 and newer allows administrators to clone properly prepared domain controller images when they want to deploy additional domain controllers.
  • Do not use the Hyper-V Export feature to export a virtual machine that is running a domain controller.

    • With Windows Server 2012 and newer, an export and import of a domain controller virtual guest is handled like a non-authoritative restore, because the guest detects a change of the Generation ID and it is not configured for cloning.
    • Ensure you are not using the guest that you exported anymore.
      • You may use Hyper-V Replica to keep a second, inactive copy of a domain controller. If you start the replicated image, you also need to perform proper cleanup, for the same reason as not using the source after exporting a DC guest image.

Physical-to-virtual migration

System Center Virtual Machine Manager (VMM) 2008 provides unified management of physical machines and virtual machines. It also provides the ability to migrate a physical machine to a virtual machine. This process is known as physical-to-virtual machine conversion (P2V conversion). During the P2V conversion process, the new virtual machine and the physical domain controller that is being migrated must not be running at the same time, to avoid a USN rollback situation as described in USN and USN Rollback.

You should perform P2V conversion using offline mode so that the directory data is consistent when the domain controller is turned back on. The offline mode option is offered and recommended in the Convert Physical Server Wizard. For a description of the difference between online mode and offline mode, see P2V: Converting Physical Computers to Virtual Machines in VMM. During P2V conversion, the virtual machine should not be connected to the network. The network adapter of the virtual machine should be enabled only after the P2V conversion process is complete and verified. At this point, the physical source machine will be off. Do not bring the physical source machine back onto the network again before you reformat its hard disk.

Note

There are safer options to create new virtual DCs that do not run the risk of creating a USN rollback. You may set up a new virtual DC by regular promotion, by promotion from Install from Media (IFM), and also by using domain controller cloning if you already have at least one virtual DC. This also helps avoid the hardware- or platform-related problems that P2V-converted virtual guests may run into.

Warning

To prevent issues with Active Directory replication, ensure that only one instance (physical or virtual) of a given domain controller exists on a given network at any point in time. You can lower the likelihood of the old clone being a problem:

  • When the new virtual DC is running, change the computer account password twice using: netdom resetpwd /Server:<domain-controller> …
  • Export and import the new virtual guest to force it to receive a new Generation ID and hence a new database invocation ID.
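The two cleanup steps above, as an added PowerShell example that is not part of the original page. Part 1 runs inside the new virtual DC and performs the double password reset with netdom (the page quotes only the start of that command; the /UserD and /PasswordD switches, the peer DC name DC02, the domain CORP and the stop/start of the KDC service around the reset are assumptions and common practice). Part 2 runs on the Hyper-V host and does the export/re-import as a copy with a new VM ID, which is what gives the guest a new Generation ID; it also deletes the original VM and its disks so the exported source can never be started again. The VM name DC01 and all paths are illustrative.

```powershell
# ---- Part 1: inside the new virtual DC (assumptions: this DC is DC01, a healthy peer is DC02, domain CORP) ----
$before = (Get-ADDomainController -Identity $env:COMPUTERNAME).InvocationId   # keep for comparison

Stop-Service -Name kdc   # so the local KDC issues no tickets under the old key while the password changes
foreach ($round in 1..2) {
    # Two resets: the old physical clone still knows the current and the previous machine password;
    # after two resets neither of them is accepted any more. /PasswordD:* prompts for the admin password.
    netdom resetpwd /Server:DC02 /UserD:CORP\Administrator /PasswordD:*
}
Start-Service -Name kdc
"InvocationId before export/import: $before"

# ---- Part 2: on the Hyper-V host (assumed names and paths) ----
$VMName     = 'DC01'
$ExportRoot = 'E:\Export'
$NewHome    = 'D:\VMs\DC01-reimported'

Stop-VM -Name $VMName
$oldVhds = (Get-VMHardDiskDrive -VMName $VMName).Path
Export-VM -Name $VMName -Path $ExportRoot

Remove-VM -Name $VMName -Force      # unregisters the original VM only ...
Remove-Item -Path $oldVhds          # ... so delete its disks too: the exported source must never run again

# Import as a COPY with a new VM ID. The guest observes a changed Generation ID on first boot,
# AD DS treats that like a non-authoritative restore and resets its invocation ID.
$vmcx = Get-ChildItem -Path (Join-Path $ExportRoot $VMName) -Recurse -Filter '*.vmcx' | Select-Object -First 1
$vm   = Import-VM -Path $vmcx.FullName -Copy -GenerateNewId `
                  -VirtualMachinePath $NewHome -VhdDestinationPath $NewHome
Start-VM -VM $vm
```

After the guest is back, `(Get-ADDomainController -Identity $env:COMPUTERNAME).InvocationId` inside it must differ from the value noted before, and the Directory Service event log records the Generation ID change (event 2170). If the value did not change, the import kept the old VM ID and the safeguard was not triggered.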

Using P2V Migration to Create Test Environments

You can use P2V migration through VMM to create test environments. You can migrate production domain controllers from physical machines to virtual machines to create a test environment without permanently bringing down the production domain controllers. However, the test environment must be on a different network from the production environment if two instances of the same domain controller are to exist. Great care must be taken in the creation of test environments with P2V migration to avoid USN rollbacks that can affect your test and production environments. The following is a method that you can use for creating test environments with P2V.

One in-production domain controller from each domain is migrated to a test virtual machine using P2V according to the guidelines stated in the Physical-to-virtual migration section. The physical production machines and the test virtual machines must be in different networks when they are brought back online. To avoid USN rollbacks in the test environment, all domain controllers that are to be migrated from physical machines to virtual machines must be taken offline. (You can do this by stopping the NTDS service or by restarting the computer in Directory Services Restore Mode (DSRM).) After the domain controllers are offline, no new updates should be introduced to the environment. The computers must remain offline during the P2V migration; none of the computers should be brought back online until all the computers have been fully migrated. To learn more about USN rollback, see USN and USN Rollback.

Subsequent test domain controllers should be promoted as replicas in the test environment.

Time service

For virtual machines that are configured as domain controllers, it is recommended that you disable time synchronization between the host system and the guest operating system acting as a domain controller. This enables your guest domain controller to synchronize time from the domain hierarchy.

To disable the Hyper-V time synchronization provider, shut down the VM and clear the Time synchronization check box under Integration Services.

Note

This guidance has been recently updated to reflect the current recommendation to synchronize time for the guest domain controller from only the domain hierarchy, rather than the previous recommendation to partially disable time synchronization between the host system and the guest domain controller.
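The same change made from the host with PowerShell, plus the check inside the guest that the domain hierarchy really is the source afterwards. This is an added example, not part of the original page; the VM name DC01 and the guest credential are assumptions, and the guest part uses PowerShell Direct (Invoke-Command -VMName), which needs a Windows Server 2016 or later host.

```powershell
# Runs on the Hyper-V host. Example only; VM name and credential are assumptions.
$VMName = 'DC01'
$Cred   = Get-Credential -UserName 'CORP\Administrator' -Message 'Guest credential for PowerShell Direct'

# The change the page makes in the VM settings: with the VM shut down, clear "Time synchronization".
Stop-VM -Name $VMName
Disable-VMIntegrationService -VMName $VMName -Name 'Time Synchronization'
Get-VMIntegrationService -VMName $VMName -Name 'Time Synchronization' | Select-Object VMName, Name, Enabled

Start-VM -Name $VMName
while ((Get-VM -Name $VMName).Heartbeat -notlike 'Ok*') { Start-Sleep -Seconds 5 }

# Inside the guest: point W32Time at the domain hierarchy and check what it actually synchronizes from.
Invoke-Command -VMName $VMName -Credential $Cred -ScriptBlock {
    w32tm /config /syncfromflags:DOMHIER /update
    w32tm /resync /nowait

    # Expected: the name of a domain controller. 'VM IC Time Synchronization Provider' means the
    # Hyper-V provider still wins, i.e. the integration service change did not take effect.
    $source = (w32tm /query /source) -join ''
    if ($source -match 'VM IC Time Synchronization Provider') {
        Write-Warning "Guest still takes time from the host: $source"
    } else {
        "Time source: $source"
    }
    w32tm /query /status
}
```

One caveat that follows from "domain hierarchy only": the domain controller holding the PDC emulator role of the forest root domain is the top of that hierarchy and has nothing above it, so it must be configured with an external time source rather than DOMHIER.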

Storage

To optimize the performance of the domain controller virtual machine and ensure durability of Active Directory writes, use the following recommendations for storing operating system, Active Directory, and VHD files:

  • Guest storage. Store the Active Directory database file (Ntds.dit), log files, and SYSVOL files on a separate virtual disk from the operating system files. Create a second VHD attached to a virtual SCSI controller and store the database, logs, and SYSVOL on the virtual machine's virtual SCSI disk. Virtual SCSI disks provide increased performance compared to virtual IDE and they support Forced Unit Access (FUA). FUA ensures that the operating system writes and reads data directly from the media, bypassing any and all caching mechanisms.

    Note

    If you are planning to use BitLocker for the virtual DC guest, you need to make sure the additional volumes are configured for "auto unlock". More information about configuring auto unlock can be found in Enable-BitLockerAutoUnlock.

  • Host storage of VHD files. Host storage recommendations address storage of VHD files. For maximum performance, do not store VHD files on a disk that is used frequently by other services or applications, such as the system disk on which the host Windows operating system is installed. Store each VHD file on a separate partition from the host operating system and any other VHD files. The ideal configuration is to store each VHD file on a separate physical drive.

    The host physical disk system must also satisfy at least one of the following criteria to meet the requirements of virtualized workload data integrity:

    • The system uses server-class disks (SCSI, Fibre Channel).
    • The system makes sure that the disks are connected to a battery-backed caching host bus adapter (HBA).
    • The system uses a storage controller (for example, a RAID system) as the storage device.
    • The system makes sure that power to the disk is protected by an uninterruptible power supply (UPS).
    • The system makes sure that the disk's write-caching feature is disabled.
  • Fixed VHD versus pass-through disks. There are many ways to configure storage for virtual machines. When VHD files are used, fixed-size VHDs are more efficient than dynamic VHDs because the space for fixed-size VHDs is allocated when they are created. Pass-through disks, which virtual machines can use to access physical storage media, are even more optimized for performance. Pass-through disks are essentially physical disks or logical unit numbers (LUNs) that are attached to a virtual machine. Pass-through disks do not support the snapshot feature. Therefore, pass-through disks are the preferred hard disk configuration, because the use of snapshots with domain controllers is not recommended.

To reduce the risk of corruption of Active Directory data, use virtual SCSI controllers:

  • Use SCSI physical drives (as opposed to IDE/ATA drives) on Hyper-V servers that host virtual domain controllers. If you cannot use SCSI drives, ensure that write caching is disabled on the ATA/IDE drives that host virtual domain controllers. For more information, see Event ID 1539 – Database Integrity.
  • To guarantee the durability of Active Directory writes, the Active Directory database, logs, and SYSVOL must be placed on a virtual SCSI disk. Virtual SCSI disks support Forced Unit Access (FUA). FUA ensures that the operating system writes and reads data directly from the media, bypassing any and all caching mechanisms.
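The guest-storage recommendation, the BitLocker auto-unlock note and the virtual TPM option from the security section, carried through end to end as an added PowerShell example that is not taken from the original page. On the host it gives the Generation 2 guest a virtual TPM, creates a fixed-size VHD and attaches it to the virtual SCSI controller; inside the guest (over PowerShell Direct) it initializes that disk as D:, enables BitLocker on C: against the vTPM and on D: with auto-unlock, and promotes the guest with the database, logs and SYSVOL on D:. The VM name DC01, all paths, the domain corp.example.com, the accounts, and the assumption that the new disk is the only uninitialized disk in the guest are illustrative; the local key protector stands in for the guarded fabric (HGS) key protector the page mentions.

```powershell
# ---- Runs on the Hyper-V host (Windows Server 2016 or later, Generation 2 guest) ----
# Example only; names, paths, domain and accounts are assumptions.
$VMName     = 'DC01'
$DataVhd    = 'D:\VHDs\DC01-NTDS.vhdx'
$DomainName = 'corp.example.com'
$LocalCred  = Get-Credential -UserName 'Administrator'      -Message 'Local administrator of the guest'
$DomainCred = Get-Credential -UserName 'CORP\Administrator' -Message 'Domain administrator used for promotion'
$DsrmPwd    = Read-Host -AsSecureString -Prompt 'DSRM (safe mode administrator) password'

# 1. Virtual TPM so the guest can hold the BitLocker key material for its system volume.
#    A local key protector is used here; on a guarded fabric you would set the HGS key protector instead.
Stop-VM -Name $VMName
Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
Enable-VMTPM -VMName $VMName

# 2. Fixed-size (not dynamic, never differencing) VHD on the virtual SCSI controller, not on IDE,
#    so that AD DS gets Forced Unit Access semantics for NTDS.DIT, the logs and SYSVOL.
New-VHD -Path $DataVhd -SizeBytes 64GB -Fixed | Out-Null
Add-VMHardDiskDrive -VMName $VMName -ControllerType SCSI -ControllerNumber 0 -Path $DataVhd
Get-VMHardDiskDrive -VMName $VMName | Format-Table ControllerType, ControllerNumber, ControllerLocation, Path

Start-VM -Name $VMName
while ((Get-VM -Name $VMName).Heartbeat -notlike 'Ok*') { Start-Sleep -Seconds 5 }

# ---- Runs inside the guest over PowerShell Direct ----
Invoke-Command -VMName $VMName -Credential $LocalCred -ArgumentList $DomainName, $DomainCred, $DsrmPwd -ScriptBlock {
    param($DomainName, $DomainCred, $DsrmPwd)

    # 3. Bring the new SCSI disk online as D: (assumption: it is the only uninitialized disk in the guest).
    $disk = Get-Disk | Where-Object PartitionStyle -eq 'RAW' | Select-Object -First 1
    Set-Disk -Number $disk.Number -IsOffline $false
    Set-Disk -Number $disk.Number -IsReadOnly $false
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT -PassThru |
        New-Partition -DriveLetter D -UseMaximumSize |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel 'NTDS' -Confirm:$false | Out-Null

    # 4. BitLocker: the system volume is sealed to the vTPM; the data volume gets a recovery password
    #    and auto-unlock, otherwise AD DS cannot open its database after an unattended reboot.
    Enable-BitLocker -MountPoint 'C:' -TpmProtector -UsedSpaceOnly -SkipHardwareTest
    Enable-BitLocker -MountPoint 'D:' -RecoveryPasswordProtector -UsedSpaceOnly
    Enable-BitLockerAutoUnlock -MountPoint 'D:'

    # 5. Promote with database, logs and SYSVOL on the SCSI disk. The guest reboots when this completes.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Install-ADDSDomainController -DomainName $DomainName -Credential $DomainCred `
        -DatabasePath 'D:\NTDS' -LogPath 'D:\NTDS' -SysvolPath 'D:\SYSVOL' -InstallDns `
        -SafeModeAdministratorPassword $DsrmPwd -Force
}

# 6. After the reboot, confirm where AD DS really put its files and that both volumes are protected.
Start-Sleep -Seconds 60
while ((Get-VM -Name $VMName).Heartbeat -notlike 'Ok*') { Start-Sleep -Seconds 5 }
Invoke-Command -VMName $VMName -Credential $DomainCred -ScriptBlock {
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' |
        Select-Object 'DSA Database file', 'Database log files path'
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' | Select-Object SysVol
    Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus, AutoUnlockEnabled
}
```

The final check matters more than it looks: if the promotion wizard was ever re-run with default paths, NTDS.DIT silently ends up under C:\Windows\NTDS on the IDE or system disk, and the FUA guarantee the page describes is lost without any error being reported.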

Operational Considerations for Virtualized Domain Controllers

Domain controllers that are running on virtual machines have operational restrictions that do not apply to domain controllers running on physical machines. When you use a virtualized domain controller, there are some virtualization software features and practices that you should not use:

  • Do not pause, stop, or store the saved state of a domain controller in a virtual machine for time periods longer than the tombstone lifetime of the forest and then resume from the paused or saved state. Doing this can interfere with replication. To learn how to determine the tombstone lifetime for the forest, see Determine the Tombstone Lifetime for the Forest.
  • Do not copy or clone virtual hard disks (VHDs). Even with the safeguards in place for the guest VM, individual VHDs can still be copied and cause USN rollback.
  • Do not take or use a snapshot of a virtual domain controller. Although it is technically supported with Windows Server 2012 and newer, it is not a replacement for a good backup strategy. There are few reasons for taking DC snapshots or restoring the snapshots.
  • Do not use a differencing disk VHD on a virtual machine that is configured as a domain controller. This makes reverting to a previous version too easy, and it also decreases performance.
  • Do not use the Export feature on a virtual machine that is running a domain controller.
  • Do not restore a domain controller or attempt to roll back the contents of an Active Directory database by any means other than using a supported backup. For more information, see Backup and Restore Considerations for Virtualized Domain Controllers.

All these recommendations are made to help avoid the possibility of an update sequence number (USN) rollback. For more information about USN rollback, see USN and USN Rollback.
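Most of the practices in the list above are VM settings a host administrator can audit. The following function, an added example that is not part of the original page, checks the domain controller guests on a Hyper-V host for checkpoints (enabled or present), differencing disks, an extra data disk on virtual IDE, a missing separate data disk, the host/guest time synchronization service, Hyper-V Replica, and an automatic stop action of Save (which would park the DC in saved state on host shutdown). The VM names are assumptions; pass-through disks have no VHD path and are skipped by the VHD-type check.

```powershell
# Runs on the Hyper-V host. Added example; the VM names passed in are assumptions.
function Test-VirtualDcConfiguration {
    param([Parameter(Mandatory)][string[]]$VMName)

    foreach ($name in $VMName) {
        $vm       = Get-VM -Name $name
        $findings = [System.Collections.Generic.List[string]]::new()

        # Snapshots/checkpoints: the page says not to take or use them on a DC.
        if ($vm.CheckpointType -ne 'Disabled') { $findings.Add("checkpoints allowed (CheckpointType=$($vm.CheckpointType))") }
        if (Get-VMSnapshot -VMName $name)       { $findings.Add('checkpoints currently exist for this VM') }

        # Disk layout: no differencing VHDs, data disk on virtual SCSI, data disk separate from the OS disk.
        $drives = @(Get-VMHardDiskDrive -VMName $name)
        foreach ($d in $drives) {
            if ($d.Path -and (Get-VHD -Path $d.Path).VhdType -eq 'Differencing') {
                $findings.Add("differencing disk: $($d.Path)")
            }
        }
        $ide = @($drives | Where-Object ControllerType -eq 'IDE')
        if ($ide.Count -gt 1)    { $findings.Add('more than one disk on virtual IDE; NTDS/SYSVOL disk belongs on virtual SCSI') }
        if ($drives.Count -lt 2) { $findings.Add('only one disk attached; database, logs and SYSVOL cannot be on a separate SCSI disk') }

        # Time: the guest DC should follow the domain hierarchy, not the host.
        if ((Get-VMIntegrationService -VMName $name -Name 'Time Synchronization').Enabled) {
            $findings.Add('time synchronization integration service is enabled')
        }

        # Saved state: a DC left in saved state past the tombstone lifetime must not be resumed.
        if ($vm.AutomaticStopAction -eq 'Save') {
            $findings.Add('AutomaticStopAction=Save; a host shutdown would leave the DC in saved state')
        }

        # Hyper-V Replica: a started replica copy needs the cleanup the page describes, so flag it.
        if ($vm.ReplicationState -ne 'Disabled') {
            $findings.Add("Hyper-V Replica configured (ReplicationState=$($vm.ReplicationState))")
        }

        [pscustomobject]@{
            VM        = $name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings
        }
    }
}

Test-VirtualDcConfiguration -VMName 'DC01', 'DC02' | Format-List
```

Remediation for the first finding is `Set-VM -Name DC01 -CheckpointType Disabled`, which also blocks the accidental "quick checkpoint" a host administrator might otherwise take before maintenance. The function only reads host-side configuration; it cannot tell whether NTDS.DIT really lives on the SCSI disk, which is a check for the guest.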

Fill-in and Restore Considerations for Virtualized Domain Controllers

Backing up domain controllers is a critical requirement for any environment. Backups protect against data loss in the event of domain controller failure or administrative error. If such an event occurs, it is necessary to roll back the system state of the domain controller to a point in time before the failure or error. The supported method of restoring a domain controller to a healthy state is to use an Active Directory–compatible backup application, such as Windows Server Backup, to restore a system state backup that originated from the current installation of the domain controller. For more information about using Windows Server Backup with Active Directory Domain Services (AD DS), see the AD DS Backup and Recovery Step-by-Step Guide.

With virtual machine technology, certain requirements of Active Directory restore operations take on added significance. For example, if you restore a domain controller by using a copy of the virtual hard disk (VHD) file, you bypass the critical step of resetting the domain controller's invocation ID after it has been restored. Replication continues with inappropriate tracking numbers (USNs), resulting in an inconsistent database among domain controller replicas. In most cases, this problem goes undetected by the replication system and no errors are reported, despite inconsistencies between domain controllers.
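Because the inconsistency described above is usually silent, the practical check is to look for the markers AD DS does leave when its own safeguards fire. The function below is an added example, not part of the original page; it runs inside a virtual DC (locally or via PowerShell Direct) and reads the NTDS registry markers ("Dsa Not Writable", which AD DS sets when it quarantines itself after a USN rollback, and "DSA Previous Restore Count", which grows with every non-authoritative restore including the Generation-ID-triggered ones), the Directory Service events for rollback and Generation ID changes (2095, 2103 and 2170), the replication options repadmin reports, and whether Netlogon has been paused. A DC that comes back clean here can still carry the silent inconsistency from a VHD-copy restore; a DC that does not is one that must not be returned to service.

```powershell
# Runs inside a virtual DC. Added example; event IDs and value names are the ones AD DS uses for these conditions.
function Test-DcRollbackMarkers {
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # Set by AD DS when it detected a USN rollback and quarantined itself (non-zero = quarantined).
    $notWritable  = $ntds.'Dsa Not Writable'
    # Incremented by every non-authoritative restore, including those the Generation ID safeguard triggers.
    $restoreCount = $ntds.'DSA Previous Restore Count'

    # 2095 = USN rollback detected; 2103 = database restored improperly, DC quarantined;
    # 2170 = Generation ID change detected (virtualization safeguard engaged).
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103, 2170 } `
                           -MaxEvents 50 -ErrorAction SilentlyContinue

    # A quarantined DC has inbound and outbound replication disabled and Netlogon paused.
    $options  = (repadmin /options $env:COMPUTERNAME 2>&1) -join ' '
    $netlogon = (Get-Service -Name Netlogon).Status

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        Quarantined          = [bool]$notWritable
        PreviousRestores     = [int]$restoreCount
        InboundReplDisabled  = [bool]($options -match 'DISABLE_INBOUND_REPL')
        OutboundReplDisabled = [bool]($options -match 'DISABLE_OUTBOUND_REPL')
        NetlogonPaused       = ($netlogon -eq 'Paused')
        RollbackEvents       = @($events | Select-Object TimeCreated, Id,
                                   @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } })
    }
}

$result = Test-DcRollbackMarkers
$result | Format-List
if ($result.Quarantined -or $result.InboundReplDisabled -or $result.OutboundReplDisabled -or $result.NetlogonPaused) {
    Write-Warning "$($result.Computer) has been quarantined by AD DS; demote and re-promote it rather than forcing replication back on"
}
```

Turning replication back on with `repadmin /options` on a quarantined DC is exactly the wrong reflex: it re-injects the stale USN state the quarantine exists to contain. The supported path is the one the page describes, a restore from an Active Directory–compatible backup or a fresh promotion.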

There is one supported way to perform backup and restore of a virtualized domain controller:

  1. Run Windows Server Backup in the guest operating system.

With Windows Server 2012 and newer Hyper-V hosts and guests, you can take supported backups of domain controllers using snapshots, guest VM export and import, and also Hyper-V Replica. None of these, however, is a good fit for creating a proper backup history, with the slight exception of guest VM export.

With Windows Server 2016 Hyper-V there is support for "production checkpoints," where the Hyper-V server triggers a VSS-based backup of the guest and, when the guest is done with the snapshot, the host fetches the VHDs and stores them in the backup location.

While this works with Windows Server 2012 and newer, there is an incompatibility with BitLocker:

  • When doing a VSS snapshot, AD DS wants to perform a post-snapshot task to mark the database as coming from a backup or, in the case of preparing an IFM source for an RODC, to remove credentials from the database.
  • When Hyper-V mounts the snapshotted volume for this task, there is no facility that would unlock the volume for unencrypted access. So the AD database engine fails to access the database and eventually fails the snapshot.

Note

The shielded VM project mentioned previously has Hyper-V host-driven backup as a non-goal, for maximum data protection of the guest VM.

Backup and restore practices to avoid

As mentioned, domain controllers that are running in virtual machines have restrictions that do not apply to domain controllers running on physical machines. When you back up or restore a virtual domain controller, there are certain virtualization software features and practices that you should not use:

  • Do not copy or clone VHD files of domain controllers instead of performing regular backups. A copied or cloned VHD file is stale by the time it is used, and if it is started in normal mode, you will encounter a USN rollback. Perform proper backup operations that are supported by Active Directory Domain Services (AD DS), such as using the Windows Server Backup feature.
  • Do not use the Snapshot feature as a backup to restore a virtual machine that was configured as a domain controller. Problems will occur with replication when you revert the virtual machine to an earlier state with Windows Server 2008 R2 and older. For more information, see USN and USN Rollback. Although using a snapshot to restore a read-only domain controller (RODC) will not cause replication issues, this method of restoration is still not recommended.

Restoring a virtual domain controller

To restore a domain controller when it fails, you must regularly back up system state. System state includes Active Directory data and log files, the registry, the system volume (SYSVOL folder), and various elements of the operating system. This requirement is the same for physical and virtual domain controllers. The system state restore procedures that Active Directory–compatible backup applications perform are designed to ensure the consistency of local and replicated Active Directory databases after a restore process, including the notification to replication partners of invocation ID resets. However, using virtual hosting environments and disk or operating system imaging applications makes it possible for administrators to bypass the checks and validations that normally occur when domain controller system state is restored.

When a domain controller virtual machine fails and an update sequence number (USN) rollback has not occurred, there are two supported situations for restoring the virtual machine:

  • If a valid system state data backup that predates the failure exists, you can restore system state by using the restore option of the backup utility that you used to create the backup. The system state data backup must have been created using an Active Directory–compatible backup utility within the span of the tombstone lifetime, which is, by default, no more than 180 days. You should back up your domain controllers at least every half tombstone lifetime. For instructions about how to determine the specific tombstone lifetime for your forest, see Determine the Tombstone Lifetime for the Forest.
  • If a working copy of the VHD file is available, but no system state backup is available, you can remove the existing virtual machine. Restore the existing virtual machine by using a previous copy of the VHD, but be sure to start it in Directory Services Restore Mode (DSRM) and configure the registry properly, as described in the following section. Then, restart the domain controller in normal mode.

Use the process in the following illustration to determine the best way to restore your virtualized domain controller.

Diagram how to restore your virtualized domain controller

For RODCs, the restoration procedure and decisions are simpler.

Diagram how to restore your read-only domain controller

Restoring the system state backup of a virtual domain controller

If a valid system state backup exists for the domain controller virtual machine, you can safely restore the backup by following the restore process prescribed by the backup tool that you used to back up the VHD file.

Important

To properly restore the domain controller, you must start it in DSRM. You must not allow the domain controller to start in normal mode. If you miss the opportunity to enter DSRM during system startup, turn off the domain controller's virtual machine before it can fully start in normal mode. It is important to start the domain controller in DSRM because starting a domain controller in normal mode increments its USNs, even if the domain controller is disconnected from the network. For more information about USN rollback, see USN and USN Rollback.

To restore the system state backup of a virtual domain controller

  1. Start the domain controller's virtual machine, and press F5 to access the Windows Boot Manager screen. If you are required to enter connection credentials, immediately click the Pause button on the virtual machine so that it does not continue starting. Then, enter your connection credentials, and click the Play button on the virtual machine. Click inside the virtual machine window, and then press F5.

    If you do not see the Windows Boot Manager screen and the domain controller begins to start in normal mode, turn off the virtual machine to prevent it from completing startup. Repeat this step as many times as necessary until you are able to access the Windows Boot Manager screen. You cannot access DSRM from the Windows Error Recovery menu. Therefore, turn off the virtual machine and try again if the Windows Error Recovery menu appears.

  2. In the Windows Boot Manager screen, press F8 to access advanced boot options.

  3. In the Advanced Boot Options screen, select Directory Services Restore Mode, and then press ENTER. This starts the domain controller in DSRM.

  4. Use the appropriate restore method for the tool that you used to create the system state backup. If you used Windows Server Backup, see Performing a Nonauthoritative Restore of AD DS.

Restoring a virtual domain controller when an appropriate system state data backup is not available

If you do not have a system state data backup that predates the virtual machine failure, you can use a previous VHD file to restore a domain controller that is running on a virtual machine. If you can, make a copy of the VHD, so that if you run into an issue during the process or miss a step, you can try again with the copied VHD.

Important

  • You should not consider using the following procedure as a replacement for regularly planned and scheduled backups.
  • Restores that are performed with the following process are not supported by Microsoft and should be used only when there is no other alternative.
  • Do not use this process if the copy of the VHD that you are about to restore has been started in normal mode by any virtual machine.

To restore a previous version of a virtual domain controller VHD without system state data backup

  1. Using the previous VHD, start the virtual domain controller in DSRM, as described in the previous section. Do not allow the domain controller to start in normal mode. If you miss the Windows Boot Manager screen and the domain controller begins to start in normal mode, turn off the virtual machine to prevent it from completing startup. See the previous section for detailed instructions for entering DSRM.

  2. Open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes. In Registry Editor, expand the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. Look for a value named DSA Previous Restore Count. If the value is there, make a note of the setting. If the value is not there, the setting is equal to the default, which is zero. Do not add a value if you do not see one there.

  3. Right-click the Parameters key, click New, and then click DWORD (32-bit) Value.

  4. Type the new name Database restored from backup, and then press ENTER.

  5. Double-click the value that you just created to open the Edit DWORD (32-bit) Value dialog box, then type 1 in the Value data box. The Database restored from backup entry option is available on domain controllers that are running Windows 2000 Server with Service Pack 4 (SP4), Windows Server 2003 with the updates that are included in How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 in the Microsoft Knowledge Base installed, and Windows Server 2008.

  6. Restart the domain controller in normal mode.

  7. When the domain controller restarts, open Event Viewer. To open Event Viewer, click Start, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.

  8. Expand Application and Services Logs, and then click the Directory Services log. Ensure that events appear in the details pane.

  9. Right-click the Directory Services log, then click Find. In Find what, type 1109, and then click Find Next.

  10. You should see at least an Event ID 1109 entry. If you do not see this entry, go on to the next step. Otherwise, double-click the entry, and then review the text confirming that the update was made to the InvocationID:

      Active Directory has been restored from backup media, or has been configured to host an application partition.
      The invocationID attribute for this directory server has been changed.
      The highest update sequence number at the time the backup was created is <time>
      InvocationID attribute (old value):<Previous InvocationID value>
      InvocationID attribute (new value):<New InvocationID value>
      Update sequence number:<USN>
      The InvocationID is changed when a directory server is restored from backup media or is configured to host a writeable application directory partition.

  11. Close Event Viewer.

  12. Use Registry Editor to verify that the value in DSA Previous Restore Count is equal to the previous value plus one. If this is not the correct value and you cannot find an entry for Event ID 1109 in Event Viewer, verify that the domain controller's service packs are current. You cannot try this procedure again on the same VHD. You can try again on a copy of the VHD or a different VHD that has not been started in normal mode by starting over at step one.

  13. Close Registry Editor.
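The registry work in steps 2 through 5 and the verification in step 12 can be scripted so that the pre-restore count is recorded before the reboot and compared afterwards. The following Windows PowerShell script is an added example; it is not part of this guide or of any Microsoft tool. The function names, the state file path, the refusal to run when the marker value already exists, and the use of the SAFEBOOT_OPTION environment variable (DSREPAIR) to confirm that the domain controller is in DSRM are this example's own assumptions. Run Set-DcRestoredFromBackup from an elevated prompt while the domain controller is still in DSRM, restart it in normal mode (step 6), and then run Test-DcRestoreApplied.

```powershell
# NTDS parameters key named in step 2 of the procedure above.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-DsaPreviousRestoreCount {
    # Step 2: read "DSA Previous Restore Count". An absent value means the default, 0,
    # and the procedure says not to create the value by hand, so it is only read here.
    $item = Get-ItemProperty -Path $NtdsParams -ErrorAction Stop
    if ($null -eq $item.'DSA Previous Restore Count') { return 0 }
    return [int]$item.'DSA Previous Restore Count'
}

function Set-DcRestoredFromBackup {
    # $StatePath is this example's own scratch file, used to carry the count across the reboot.
    param([string]$StatePath = "$env:SystemDrive\dc-vhd-restore-state.json")

    # Guard (example's assumption): in DSRM Windows sets SAFEBOOT_OPTION to DSREPAIR. A DC that
    # has already started in normal mode has incremented its USNs and that VHD copy must not be reused.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not running in Directory Services Restore Mode. Turn the VM off before it finishes starting in normal mode.'
    }
    # Example's own precaution: a VHD that already carries the marker has been through this once.
    if (Get-ItemProperty -Path $NtdsParams -Name 'Database restored from backup' -ErrorAction SilentlyContinue) {
        throw '"Database restored from backup" already exists on this database. Start over with a fresh VHD copy.'
    }

    $before = Get-DsaPreviousRestoreCount
    @{ PreviousRestoreCount = $before; MarkedAt = (Get-Date).ToString('o') } |
        ConvertTo-Json | Set-Content -Path $StatePath

    # Steps 3 to 5: create the DWORD value "Database restored from backup" = 1 under Parameters.
    New-ItemProperty -Path $NtdsParams -Name 'Database restored from backup' -PropertyType DWord -Value 1 | Out-Null
    "Database marked as restored (DSA Previous Restore Count was $before). Restart the domain controller in normal mode (step 6)."
}

function Test-DcRestoreApplied {
    param([string]$StatePath = "$env:SystemDrive\dc-vhd-restore-state.json")

    $state    = Get-Content -Path $StatePath -Raw | ConvertFrom-Json
    $expected = [int]$state.PreviousRestoreCount + 1
    $actual   = Get-DsaPreviousRestoreCount          # step 12: must equal the previous value plus one

    # Steps 8 to 10: newest Event ID 1109 in the Directory Service log, written after the marker was set.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1109 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    $invocationReset = ($null -ne $evt) -and ($evt.TimeCreated -gt [datetime]$state.MarkedAt)
    $evtMessage = if ($evt) { $evt.Message } else { $null }

    $applied = ($actual -eq $expected) -and $invocationReset
    $verdict = if ($applied) { 'Restore applied: invocationID reset and restore count incremented.' }
               else { 'Restore NOT applied. Check service packs; do not retry on this VHD, start over with another copy (step 12).' }

    [pscustomobject]@{
        RestoreCountBefore = [int]$state.PreviousRestoreCount
        RestoreCountNow    = $actual
        CountIncremented   = ($actual -eq $expected)
        Event1109Found     = $invocationReset
        Event1109Message   = $evtMessage
        Verdict            = $verdict
    }
}
```

Test-DcRestoreApplied reports both indicators the procedure asks you to check, the Event ID 1109 entry and the incremented DSA Previous Restore Count, so that a restore that silently did not apply is not mistaken for success. The event log is named "Directory Service" in Get-WinEvent even though Event Viewer's tree labels it "Directory Services".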

USN and USN Rollback

This section describes replication issues that can occur as a result of an incorrect restoration of the Active Directory database with an older version of a virtual machine. For additional details about the Active Directory replication process, see Active Directory Replication Concepts.

USNs

Active Directory Domain Services (AD DS) uses update sequence numbers (USNs) to keep track of replication of data between domain controllers. Each time that a change is made to data in the directory, the USN is incremented to indicate that a change has been made.

For each directory partition that a destination domain controller stores, USNs are used to track the latest originating update that a domain controller introduced to its database, as well as the status of every other domain controller that stores a replica of the directory partition. When domain controllers replicate changes to one another, they query their replication partners for changes with USNs that are greater than the USN of the last change that the domain controller received from each partner.

The following two replication metadata tables contain USNs. Source and destination domain controllers use them to filter updates that the destination domain controller requires.

  1. Up-to-dateness vector: A table that the destination domain controller maintains for tracking the originating updates that are received from all source domain controllers. When a destination domain controller requests changes for a directory partition, it provides its up-to-dateness vector to the source domain controller. The source domain controller then uses this value to filter the updates that it sends to the destination domain controller. The source domain controller sends its up-to-dateness vector to the destination at the completion of a successful replication cycle to ensure that the destination domain controller knows that it has synchronized with every domain controller's originating updates and that the updates are at the same level as the source.
  2. High water mark: A value that the destination domain controller maintains to keep track of the most recent changes that it has received from a specific source domain controller for a specific partition. The high water mark prevents the source domain controller from sending out changes that the destination domain controller has already received from it.

Directory database identity

In addition to USNs, domain controllers keep track of the directory database of source replication partners. The identity of the directory database running on the server is maintained separately from the identity of the server object itself. The directory database identity on each domain controller is stored in the invocationID attribute of the NTDS Settings object, which is located under the following Lightweight Directory Access Protocol (LDAP) path: cn=NTDS Settings, cn=ServerName, cn=Servers, cn=SiteName, cn=Sites, cn=Configuration, dc=ForestRootDomain. The server object identity is stored in the objectGUID attribute of the NTDS Settings object. The identity of the server object never changes. However, the identity of the directory database changes when a system state restore process occurs on the server or when an application directory partition is added, then removed and later re-added from the server. (Another scenario: when a Hyper-V instance triggers its VSS writers on a partition containing a virtual DC's VHD, the guest in turn triggers its own VSS writers (the same mechanism used by backup/restore above), resulting in another means by which the invocationID is reset.)

Consequently, invocationID effectively relates a set of originating updates on a domain controller with a specific version of the directory database. The up-to-dateness vector and the high water mark tables use the invocationID and DC GUID respectively so that domain controllers know from which copy of the Active Directory database the replication information is coming.

The invocationID is a globally unique identifier (GUID) value that is visible near the top of the output after you run the command repadmin /showrepl. The following text represents example output from the command:

    Repadmin: running command /showrepl against full DC localhost
    Default-First-Site-Name\VDC1
    DSA Options: IS_GC
    DSA object GUID: 966651f3-a544-461f-9f2c-c30c91d17818
    DSA invocationID: b0d9208b-8eb6-4205-863d-d50801b325a9

When AD DS is properly restored on a domain controller, the invocationID is reset. As a result of this change, you will experience an increase in replication traffic, the duration of which is relative to the size of the partition being replicated.

For example, assume that VDC1 and DC2 are two domain controllers in the same domain. The following figure shows the perception of DC2 about VDC1 when the invocationID value is reset in a proper restore situation.

Diagram when the invocationID value is reset properly

USN rollback

USN rollback occurs when the normal updates of the USNs are circumvented and a domain controller tries to apply a USN that is lower than its latest update. In most cases, USN rollback will be detected and replication will be stopped before divergence in the forest is created.

USN rollback can be caused in many ways, for example, when old virtual hard disk (VHD) files are used or physical-to-virtual conversion (P2V conversion) is performed without ensuring that the physical machine stays offline permanently after the conversion. Take the following precautions to ensure that USN rollback does not occur:

  • When not running Windows Server 2012 or newer, do not take or use a snapshot of a domain controller virtual machine.
  • Do not copy the domain controller VHD file.
  • When not running Windows Server 2012 or newer, do not export the virtual machine that is running a domain controller.
  • Do not restore a domain controller or try to roll back the contents of an Active Directory database by any other means than a supported backup solution, such as Windows Server Backup.

In some cases, USN rollback may go undetected. In other cases, it may cause other replication errors. In these cases, it is necessary to identify the extent of the problem and take care of it in a timely manner. For information about how to remove lingering objects that may occur as a result of USN rollback, see Outdated Active Directory objects generate event ID 1988 in Windows Server 2003 in the Microsoft Knowledge Base.

USN rollback detection

In most cases, USN rollbacks without a corresponding reset of the invocationID caused by improper restore procedures are detected. Windows Server 2008 provides protections against inappropriate replication after an improper domain controller restore operation. These protections are triggered by the fact that an improper restore operation results in lower USNs that represent originating changes that the replication partners have already received.

In Windows Server 2008 and Windows Server 2003 SP1, when a destination domain controller requests changes by using a previously used USN, the response by its source replication partner is interpreted by the destination domain controller to mean that its replication metadata is outdated. This indicates that the Active Directory database on the source domain controller has been rolled back to a previous state. For example, the VHD file of a virtual machine has been rolled back to a previous version. In this case, the destination domain controller initiates the following quarantine measures on the domain controller that has been identified as having undergone an improper restore:

  • AD DS pauses the Net Logon service, which prevents user accounts and computer accounts from changing account passwords. This action prevents the loss of such changes if they occur after an improper restore.
  • AD DS disables inbound and outbound Active Directory replication.
  • AD DS generates Event ID 2095 in the Directory Service event log to indicate the condition.
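The three quarantine measures just listed are all observable from the domain controller itself, which makes them a useful health check to run on a virtual DC after any restore, snapshot revert or P2V migration. The following Windows PowerShell function is an added example and is not part of this guide: it looks for Event ID 2095 (and Event ID 1988, lingering objects, discussed later) in the Directory Service log, checks whether the Net Logon service is paused, and reads the DSA options from repadmin /options, assuming that repadmin.exe is on the path and that the DISABLE_INBOUND_REPL and DISABLE_OUTBOUND_REPL options appear in its "Current DSA Options" line when replication has been disabled. The function and parameter names are this example's own; it targets Windows PowerShell 5.1, where Get-Service and Get-WinEvent still accept -ComputerName.

```powershell
function Test-UsnRollbackQuarantine {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # DC to inspect (local by default)
        [int]$MaxEvents = 20
    )

    # Directory Service log: 2095 = USN rollback detected, 1988 = lingering object reported.
    $events = @(Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = @(2095, 1988) })
    $rollbackEvents  = @($events | Where-Object Id -eq 2095)
    $lingeringEvents = @($events | Where-Object Id -eq 1988)

    # Quarantine measure 1: the Net Logon service is paused, so password changes are refused.
    $netlogon       = Get-Service -ComputerName $ComputerName -Name Netlogon
    $netlogonPaused = ($netlogon.Status -eq 'Paused')

    # Quarantine measure 2: inbound and outbound replication disabled. repadmin /options prints
    # the DSA option flags; DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL are the ones that matter here.
    $dsaOptions       = (& repadmin.exe /options $ComputerName 2>&1 | Out-String)
    $inboundDisabled  = $dsaOptions -match 'DISABLE_INBOUND_REPL'
    $outboundDisabled = $dsaOptions -match 'DISABLE_OUTBOUND_REPL'

    $quarantined  = $netlogonPaused -and $inboundDisabled -and $outboundDisabled
    $lastRollback = if ($rollbackEvents.Count -gt 0) { $rollbackEvents[0].TimeCreated } else { $null }

    # Recommendation follows the guide: isolate first, then the "To resolve Event ID 2095" procedure.
    if ($quarantined -or $rollbackEvents.Count -gt 0) {
        $nextStep = 'Isolate this VM from the network now and follow "To resolve Event ID 2095". Do not re-enable replication.'
    } elseif ($lingeringEvents.Count -gt 0) {
        $nextStep = 'No quarantine, but lingering objects were reported: investigate an undetected rollback.'
    } else {
        $nextStep = 'No USN rollback indicators found.'
    }

    [pscustomobject]@{
        ComputerName         = $ComputerName
        Event2095Count       = $rollbackEvents.Count
        LastEvent2095        = $lastRollback
        Event1988Count       = $lingeringEvents.Count
        NetlogonPaused       = $netlogonPaused
        InboundReplDisabled  = $inboundDisabled
        OutboundReplDisabled = $outboundDisabled
        Quarantined          = $quarantined
        NextStep             = $nextStep
    }
}

Test-UsnRollbackQuarantine | Format-List
```

Because the check reads state rather than changing it, it is safe to schedule; the one thing it must never do is clear the DSA options or resume Net Logon, since the guide's resolution path is isolation followed by forced demotion, not re-enabling the quarantined DC.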

The following illustration shows the sequence of events that occurs when USN rollback is detected on VDC2, the destination domain controller that is running on a virtual machine. In this illustration, the detection of USN rollback occurs on VDC2 when a replication partner detects that VDC2 has sent an up-to-dateness USN value that was seen previously by the destination domain controller, which indicates that VDC2's database has rolled back in time improperly.

Diagram showing what happens when USN rollback is detected

If the Directory Service event log reports Event ID 2095, complete the following procedure immediately.

To resolve Event ID 2095

  1. Isolate the virtual machine that recorded the error from the network.

  2. Attempt to determine whether any changes originated from this domain controller and propagated to other domain controllers. If the event was a result of a snapshot or copy of a virtual machine being started, try to determine the time the USN rollback occurred. You can then check the replication partners of that domain controller to determine whether replication occurred since then.

    You can use the Repadmin tool to make this determination. For information about how to use Repadmin, see Monitoring and Troubleshooting Active Directory Replication Using Repadmin. If you are not able to determine this yourself, contact Microsoft Support for assistance.

  3. Forcefully demote the domain controller. This involves cleaning up the domain controller's metadata and seizing the operations master (also known as flexible single master operations or FSMO) roles. For more information, see the "Recovering from USN rollback" section of How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 in the Microsoft Knowledge Base.

  4. Delete all old VHD files for the domain controller.

Undetected USN rollback

USN rollback might not be detected in one of two circumstances:

  1. The VHD file is attached to different virtual machines that are running in multiple locations simultaneously.
  2. The USN on the restored domain controller has increased past the last USN that the other domain controller has received.

In the first circumstance, other domain controllers might replicate with either one of the virtual machines, and changes might occur on either virtual machine without being replicated to the other. This divergence of the forest is difficult to detect, and it will cause unpredictable directory responses. This situation might occur after a P2V migration if both the physical and virtual machine are run on the same network. This could also happen if multiple virtual domain controllers are created from the same physical domain controller and then run on the same network.

In the second circumstance, a range of USNs applies to two different sets of changes. This can go on for extended periods without being detected. Whenever an object that is created during that time is modified, a lingering object is detected and reported as Event ID 1988 in Event Viewer. The following illustration shows how USN rollback might not be detected in such a circumstance.

Diagram how USN rollback might not be detected
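The interaction between the USN counter, the invocationID, the up-to-dateness vector and the high water mark described in the USNs and Directory database identity sections is easier to see in a small model than in prose. The following Windows PowerShell script is an added example, not part of this guide, that builds two constructed domain controllers, VDC1 and DC2, gives each the metadata those sections describe (an objectGUID that never changes, an invocationID that identifies the database copy, a high water mark keyed by source DC GUID and an up-to-dateness vector keyed by invocationID), and runs three constructed scenarios: an old VHD started in normal mode with the invocationID unchanged (detected, the Event ID 2095 case), a supported restore that resets the invocationID (accepted, with DC2 restarting from USN 0 as the text says), and the second undetected circumstance above, in which VDC1 writes past DC2's high water mark after a rollback so that one USN range names two different sets of changes. All function names and sample objects are this example's own, and only originating updates are modelled; replicated-in data is not forwarded to other partners.

```powershell
function New-Dc([string]$Name) {
    # Constructed DC state. Guid stands for the NTDS Settings objectGUID (never changes);
    # InvocationId identifies this copy of the database and is reset only by a supported restore.
    [pscustomobject]@{
        Name = $Name; Guid = [guid]::NewGuid(); InvocationId = [guid]::NewGuid()
        Usn         = 0                                         # highest committed USN
        Changes     = [System.Collections.ArrayList]::new()     # originating updates: Usn, InvocationId, Object, Value
        Objects     = @{}                                       # directory content: object -> value
        Utd         = @{}                                       # up-to-dateness vector: invocationID -> highest USN seen
        Hwm         = @{}                                       # high water mark: source GUID -> @{ InvocationId; Usn }
        Quarantined = $false
    }
}

function Add-Change($Dc, [string]$Object, [string]$Value) {
    $Dc.Usn++                                                   # every local write consumes the next USN
    [void]$Dc.Changes.Add([pscustomobject]@{ Usn = $Dc.Usn; InvocationId = $Dc.InvocationId; Object = $Object; Value = $Value })
    $Dc.Objects[$Object] = $Value
}

function Copy-DcVhd($Dc) {
    # An old VHD or snapshot: USN, invocationID and database content frozen at this moment.
    @{ Usn = $Dc.Usn; InvocationId = $Dc.InvocationId; Changes = @($Dc.Changes); Objects = $Dc.Objects.Clone() }
}

function Restore-Dc($Dc, $Vhd, [bool]$Proper) {
    $Dc.Usn     = $Vhd.Usn
    $Dc.Changes = [System.Collections.ArrayList]::new([object[]]$Vhd.Changes)
    $Dc.Objects = $Vhd.Objects.Clone()
    # A supported restore resets the invocationID (the Event ID 1109 case); starting an old VHD does not.
    if ($Proper) { $Dc.InvocationId = [guid]::NewGuid() }
}

function Invoke-Replication($Dest, $Source) {
    $mark = $Dest.Hwm[$Source.Guid]
    if ($null -eq $mark -or $mark.InvocationId -ne $Source.InvocationId) {
        # First sync, or the source's invocationID was reset: treat it as a new database and start at USN 0.
        $mark = @{ InvocationId = $Source.InvocationId; Usn = 0 }
    }
    if ($mark.Usn -gt $Source.Usn) {
        # The partner already holds a higher USN from this same database copy, so the source went backwards.
        $Source.Quarantined = $true                             # analogue of Event ID 2095 plus the quarantine measures
        return "USN rollback detected on $($Source.Name): partner holds USN $($mark.Usn), source is at USN $($Source.Usn)"
    }
    # Filter by the high water mark, then by the up-to-dateness vector for the originating invocationID.
    $new = @($Source.Changes | Where-Object {
        $seen = $Dest.Utd[$_.InvocationId]
        $_.Usn -gt $mark.Usn -and ($null -eq $seen -or $_.Usn -gt $seen)
    })
    foreach ($c in $new) {
        $Dest.Objects[$c.Object]   = $c.Value
        $Dest.Utd[$c.InvocationId] = $c.Usn
    }
    $Dest.Hwm[$Source.Guid] = @{ InvocationId = $Source.InvocationId; Usn = $Source.Usn }
    return "$($Dest.Name) pulled $($new.Count) change(s) from $($Source.Name)"
}

function New-Lab {
    # Constructed starting point: VDC1 originates two updates that DC2 receives, an old VHD copy is
    # taken at USN 2, then VDC1 originates a third update (USN 3) that DC2 also receives.
    $dc1 = New-Dc 'VDC1'; $dc2 = New-Dc 'DC2'
    Add-Change $dc1 'alice' 'v1'; Add-Change $dc1 'bob' 'v1'
    [void](Invoke-Replication $dc2 $dc1)
    $vhd = Copy-DcVhd $dc1
    Add-Change $dc1 'alice' 'v2'
    [void](Invoke-Replication $dc2 $dc1)
    @{ Dc1 = $dc1; Dc2 = $dc2; Vhd = $vhd }
}

function Invoke-Demo {
    # A: old VHD started in normal mode (same invocationID, USN back to 2) while DC2 still holds USN 3.
    $a = New-Lab; Restore-Dc $a.Dc1 $a.Vhd $false
    $aMsg = Invoke-Replication $a.Dc2 $a.Dc1
    # B: supported restore: invocationID reset, so DC2 discards its high water mark and accepts a new USN 3.
    $b = New-Lab; Restore-Dc $b.Dc1 $b.Vhd $true
    Add-Change $b.Dc1 'carol' 'v1'
    $bMsg = Invoke-Replication $b.Dc2 $b.Dc1
    # C: old VHD started in normal mode, then two writes take VDC1 to USN 4, past DC2's mark of 3.
    # USN 3 now names 'carol' instead of 'alice v2'; DC2 treats it as already seen and nothing is detected.
    $c = New-Lab; Restore-Dc $c.Dc1 $c.Vhd $false
    Add-Change $c.Dc1 'carol' 'v1'; Add-Change $c.Dc1 'dave' 'v1'
    $cMsg = Invoke-Replication $c.Dc2 $c.Dc1
    [pscustomobject]@{
        A_ImproperRestoreDetected = $a.Dc1.Quarantined
        A_Message                 = $aMsg
        B_ProperRestoreAccepted   = (-not $b.Dc1.Quarantined -and $b.Dc2.Objects['carol'] -eq 'v1')
        B_Message                 = $bMsg
        C_RollbackUndetected      = -not $c.Dc1.Quarantined
        C_AliceOnEachDc           = "VDC1=$($c.Dc1.Objects['alice']) DC2=$($c.Dc2.Objects['alice'])"
        C_CarolReachedDc2         = $c.Dc2.Objects.ContainsKey('carol')
        C_Message                 = $cMsg
    }
}

Invoke-Demo | Format-List
```

Scenario C is the one to study: replication completes without any error, yet the two DCs disagree about 'alice' and the 'carol' object never leaves VDC1, which is exactly the silent divergence that later surfaces as Event ID 1988 when such an object is modified. The model also shows why the precautions above insist on a supported restore: only the invocationID reset in scenario B lets a partner tell a restored database apart from a rolled-back one.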

Read-only domain controllers

RODCs are domain controllers that host read-only copies of the partitions in an Active Directory database. RODCs avoid most USN rollback problems because they do not replicate any changes to the other domain controllers. However, if an RODC replicates from a writeable domain controller that has been affected by USN rollback, the RODC is affected as well.

Restoring an RODC using a snapshot is not recommended. Restore an RODC using an Active Directory–compatible backup application. Also, as with writeable domain controllers, care must be taken to not allow an RODC to be offline for more than the tombstone lifetime. This condition can result in lingering objects on the RODC.

For more information about RODCs, see the Read-Only Domain Controller Planning and Deployment Guide.