7/26/2019 SIA317
1/37
Active Directory Virtualization Safeguards and Domain Controller Cloning with Windows Server 2012
Manu Pushpendran, Program Manager, Microsoft Corporation
SIA317
Agenda
Importance of Virtualization in IT
Virtualization Challenges with Active Directory Today
Enabling a Seamless Virtualized Active Directory Experience in Windows Server 2012
Rapid Deployment of Virtual Domain Controllers through Cloning
elastic scale, faster disaster recovery, etc.
Importance of Virtualization in IT
Well-established and still growing trend, widely adopted across all market segments
Often a business decision driven by cost savings: fewer machines require less space and power
consolidate server hardware for optimal hardware utilization
also provides numerous technological conveniences
Virtualization paves the way toward private-cloud deployments
reduces deployment and management complexity
offers redundancy and dynamic-scale capabilities
Virtualization of Domain Controllers Pre-Windows Server 2012
Pre-Windows Server 2012 DCs successfully deployed on virtualization platforms for many years
according to a set of well-defined best practices
best practices advised against actions that could disrupt Active Directory
Best-practices guidance cautioned against:
applying snapshots on virtual domain controllers
exporting a virtual machine that is running a domain controller
copying virtual hard disks (VHDs)
Hypervisor admins not necessarily aware of Active Directory's requirements or best practices
Virtualization Challenges for Distributed Workloads
Virtual machines offer snapshot capabilities, potentially problematic for distributed applications
Why?
applications experience a logical-clock shift
operations happen outside of the OS's/application's awareness
logical clock used to track updates
Active Directory's logical clock is its USN (update sequence number)
USNs record the sequence of updates made on each DC
the DC is uniquely identified by its InvocationID
(diagram: USN sequence 0 1 2 3 4 5 6 7 with a "Take snapshot" marker; the rest of the figure did not survive extraction)
How Domain Controllers are Impacted (2 of 2)
Impact to replication
introduces USN bubbles leading to a (potentially permanent) divergence causing:
lingering objects
inconsistent passwords
inconsistent attribute values
schema mismatches if the Schema FSMO is rolled back
Potential exists for security principals to be created with duplicate SIDs
resulting in unauthorized access to resources for a period of time
ultimately, though, the affected users will no longer be able to logon
Safe Domain Controller Virtualization
Windows Server 2012 virtual DCs are able to detect when snapshots are applied or a VM is copied
Detection built off a VM-generation identifier (VM-GenID)
VM-generation ID is changed when features such as VM snapshot are applied
NOTE: taking snapshots is not a supported alternative to backing up virtual domain controllers
use Windows Server Backup (or other VSS-writer-based) backup solutions
Active Directory's Safe Virtualization Design
VM-Generation ID provided by the hypervisor platform: a unique 128-bit identifier that guest operating systems and applications can leverage
made available to applications through a Windows Server 2012 driver
Windows Server 2012 virtual DCs track the VM-GenID
allows the DC to detect changes and protect Active Directory
Active Directory's Safe Virtualization Design (2 of 2)
VM-Generation ID stored in the Active Directory database (DIT)
non-replicated attribute stored on the DC's computer object
Before committing updates to the local DIT, domain controllers compare the VM-Generation ID in the DIT against the real-time VM-Generation ID from the driver
if different: resets the DC's invocation ID and invalidates the RID pool, then commits the updates
How do we handle FSMOs when an earlier snapshot rolls back time?
FSMO role-holders delay servicing FSMO functions until a replication cycle is completed
similar to the feature introduced in Windows Server 2003 known as initial sync (INITSYNC)
During machine boot: compares the VM-Generation ID in the DIT against the VM-Generation ID from the driver
if different: resets the DC's invocation ID and invalidates the RID pool
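The safeguard above leaves two observable traces on each DC: the invocationID (reset when a VM-GenID change is detected) and the msDS-GenerationId attribute stored on the DC's computer object. The following PowerShell is an added example, not part of the deck, that baselines both values across all DCs and reports any DC whose invocationID changed, which is the defender's signal that a snapshot was applied, a VM was copied or a restore happened. It assumes the RSAT ActiveDirectory module and an authorized, domain-joined session; the baseline file path is hypothetical.

```powershell
# Added example: baseline and re-check invocationID / stored VM-GenID per DC.
# Assumes the RSAT ActiveDirectory module; run in an authorized domain session.
Import-Module ActiveDirectory

function Get-DcIdentityState {
    # One record per DC. msDS-GenerationId is the non-replicated attribute that
    # holds the VM-GenID last written to the DIT (null on physical DCs or on
    # hypervisors without VM-Generation ID support, i.e. no snapshot safeguard).
    foreach ($dc in Get-ADDomainController -Filter *) {
        $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId'
        $gen  = $comp.'msDS-GenerationId'
        [pscustomobject]@{
            Name         = $dc.HostName
            InvocationId = [string]$dc.InvocationId
            GenerationId = if ($gen) { [System.BitConverter]::ToString([byte[]]$gen) } else { $null }
        }
    }
}

function Compare-DcIdentityState {
    param([object[]]$Baseline, [object[]]$Current)
    # Pure comparison, so the baseline can be loaded from a file saved earlier.
    $base = @{}
    foreach ($b in $Baseline) { $base[$b.Name] = $b }
    foreach ($c in $Current) {
        $b = $base[$c.Name]
        if (-not $b) { continue }   # new DC since the baseline; not a rollback signal
        if ($b.InvocationId -ne $c.InvocationId) {
            [pscustomobject]@{ Name = $c.Name; Finding = 'invocationID reset: snapshot applied, VM copied, or restore' }
        } elseif ($b.GenerationId -ne $c.GenerationId) {
            [pscustomobject]@{ Name = $c.Name; Finding = 'VM-GenID changed without invocationID reset; review' }
        }
    }
}

# Usage (hypothetical path): save a baseline once, then compare on a schedule.
# Get-DcIdentityState | ConvertTo-Json | Set-Content .\dc-baseline.json
# $baseline = Get-Content .\dc-baseline.json | ConvertFrom-Json
# Compare-DcIdentityState -Baseline $baseline -Current (Get-DcIdentityState)
```

A DC that returns a null GenerationId is one where the safeguard cannot fire, so the pre-2012 best practices (no snapshots, no VHD copies) still apply to it in full.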
Virtual Machine Generation ID semantics
If a virtualization operation WILL cause an Active Directory execution context (the metadata from a previous point in time) to be executed/re-used,
the virtualization system MUST provide a new generation ID
If a virtualization operation WILL NOT cause an Active Directory execution context to be re-executed/re-used,
the virtualization system MUST NOT provide a new generation ID
If it is unclear whether a virtualization operation will cause an Active Directory execution context to be re-executed/re-used,
the virtualization system MUST provide a new generation ID
Active Directory Disaster Recovery Experience pre-Windows Server 2012
(diagram: forest contoso.com with domains corp.contoso.com, asia.corp.contoso.com and europe.corp.contoso.com; the same three steps are shown in each domain)
DC 1: First domain controller restored using latest server backup
DC 2: Second domain controller deployed from SYSPREP'ed server image and promoted as new domain controller
DC 3: Subsequent domain controllers deployed from SYSPREP'ed server image and promoted as new domain controllers
Leveraging Virtualization During Disaster Recovery
Requires one replica DC per domain that MUST be on a VM-generation-ID-aware virtual platform, used to seed the recovery process
Additional replicas provisioned through cloning, by copying the virtual DC's VHD/VM to quickly scale out and restore
DR Experience with Windows Server 2012
(diagram: the same forest, contoso.com with corp.contoso.com, asia.corp.contoso.com and europe.corp.contoso.com; the same steps are shown in each domain)
DC 1: First domain controller restored using latest server backup
DC 2, DC 3: Second and subsequent domain controllers deployed from clone of DC1
Rapid Deployment of Virtualized RDCs
Note: we use the term replica because you can't deploy the first DC in a domain through cloning
Promote and configure ONLY once; create additional replicas by copying VMs/VHDs
Easier and faster to deploy replica DCs
Minimizes dependencies/interactions between hypervisor administrators and Active Directory administrators when deploying DCs
authorization remains under the Active Directory administrator's control
Some Additional Scenarios
New or branch-office deployments
Elastic provisioning capability to support:
increased authentication demands to accommodate growth or anticipated
increased application load
private-cloud capabilities
Setting up test labs: the usual requirements and caveats still apply, i.e. ensure the resulting test environment remains isolated, forever!
1. Identify suitable source virtual DC
2. Authorize source DC by adding it to the 'Cloneable Domain Controllers' group, pre-provisioned with a Control Access Right (CAR) on the domain-NC object (domain head)
3. Run New-ADDCCloneConfigFile
Verifies pre-requisites, e.g. PDC FSMO is running Windows Server 2012 (more later on)
Lets you specify name, IP address, DNS servers, site, etc.; provide an empty file to auto-generate values
Sample file provided in-box at %windir%\system32\SampleDCCloneConfig.xml
Schema file provided in-box at %windir%\system32\DCCloneConfigSchema.xsd
DCCloneConfig.xml sample
(slide content largely lost in extraction; recoverable values: clone name virtualDC3 and the addresses 10.0.0.11, 10.0.0.1 and 10.0.0.101)
Services/Programs supported for cloning
Limited set of programs and services supported on the source out-of-the-box
Commonplace Windows Server 2012 services co-located on DCs are supported:
e.g. DNS, FRS, DFSR
listed in DefaultDCCloneAllowList.xml located in %windir%\system32
Run Get-ADDCCloningExcludedApplicationList on the source domain controller
confirm the resulting services and programs (if any) are suitable for cloning
does the service or program rely on machine identity, such as account or name? (Test)
does the service or program store state locally that might affect its functionality? (Test)
add supported services and programs to the admin-extensible Allow List via the -GenerateXml switch
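The three numbered steps and the allow-list review above, carried out from the source DC in PowerShell. This is an added example, not the deck's own code: it assumes the RSAT ActiveDirectory module and an elevated session on the source virtual DC, reuses the clone name and addresses from the deck's sample (virtualDC3, 10.0.0.11, 10.0.0.1, 10.0.0.101), and the subnet mask and site name are assumptions.

```powershell
# Added example: administrator-side preparation for cloning a virtual DC.
# Assumes the RSAT ActiveDirectory module, run elevated on the source virtual DC.
Import-Module ActiveDirectory

# Prerequisite from the cautionary notes: the PDC FSMO must be a Windows Server 2012 DC.
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.OperatingSystem -notmatch 'Windows Server 2012') {
    throw "PDC emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)'; cloning requires Windows Server 2012."
}

# Step 2: authorize this DC as a clone source. Group membership is what carries the
# cloning control access right, so the decision stays with the AD administrator.
$source = Get-ADDomainController -Identity $env:COMPUTERNAME
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $source.ComputerObjectDN

# Allow-list review: anything on this DC not covered by DefaultDCCloneAllowList.xml.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    "Not on the allow list; confirm each is safe to clone (no machine-identity or local-state dependency):"
    $excluded | Format-Table Name, Type -AutoSize
    # Only after that review, write them to CustomDCCloneAllowList.xml:
    # Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# Step 3: generate DCCloneConfig.xml with static addressing. The cmdlet re-checks the
# prerequisites (PDC version, group membership, empty excluded list) before writing.
# Subnet mask and site name are assumed values.
New-ADDCCloneConfigFile -Static `
    -CloneComputerName 'virtualDC3' `
    -IPv4Address '10.0.0.11' `
    -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' `
    -IPv4DNSResolver '10.0.0.101' `
    -SiteName 'Default-First-Site-Name'

# The file lands in the DIT folder (%windir%\NTDS by default). Shut the source VM down,
# copy its VHD/VM, and the copy initiates cloning on first boot once its VM-GenID differs.
```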
File Locations and Precedence
DCCloneConfig.xml:
DIT folder
%windir%\NTDS
Root of any and all removable media (ordered by drive letter)
CustomDCCloneAllowList.xml:
Registry: HKLM\System\CurrentControlSet\Services\NTDS\Parameters, value AllowListFolder
DIT folder
%windir%\NTDS
Root of removable media (ordered by drive letter)
demo: Domain Controller Cloning
Demonstration of Domain Controller Cloning
(diagram: demo.lab domain on Hyper-V with PDC, Source, Clone 1, Clone 2 and Clone 3)
Virtual DC Cloning Design Review
Uses VM-generation ID to detect and trigger the process
Relies on presence of the DCCloneConfig file to indicate intent and distinguish from the application of a snapshot
Creates new machine identity: calls SYSPREP providers for select components to clean up machine state
Uses source machine identity for authorization
Resets database identifier (invocationID) to ensure replication convergence
Invalidates RID pool, eliminating potential for duplicate SIDs
Discards FSMO ownership if the source held any FSMO roles
Rapid Deployment: Cloning Decision Flow
(flowchart; recoverable nodes: DC boot; Has Generation ID changed?; Does DCCloneConfig.xml exist?; Rename DCCloneConfig.xml; Generation ID available?; BOOT NORMALLY; INITIATE CLONING. Readable paths: Generation ID changed and DCCloneConfig.xml exists leads to INITIATE CLONING; Generation ID changed and no DCCloneConfig.xml leads to BOOT NORMALLY; Generation ID unchanged and DCCloneConfig.xml exists leads to Rename DCCloneConfig.xml and then the Generation ID available? check)
Rapid Deployment: Cloning Flow
NTDS starts
Obtain current VM-GenID
If different from value in DIT: reset InvocationID, discard RID pool
DCCloneConfig.xml available?
Dcpromo /xclone
Parse DCCloneConfig.xml
Configure network settings
Locate PDC
Call IDL_DRSAddCloneDC(name, site)
(on the PDC) Check authorization
Create new DC object duplicating source (NTDS-DSA, Server instances)
Generate new DC account and password
Save clone state (new name, password, site)
Promote as replica (IFM)
Run (specific) sysprep providers
Reboot
(diagram labels: Clone VM, IDL_DRSAddCloneDC, CN=Configuration, CN=Sites, CN=<site name>, CN=Servers, CN=<DC name>, CN=NTDS Settings)
Cautionary Notes
Only Windows Server 2012 virtual Domain Controllers can be cloned
Requires the PDC FSMO to be a Windows Server 2012 DC
Deploying clone DCs on virtualization platforms that do not provide VM-Generation ID will:
with DCCloneConfig: cause the clone DC to boot into Directory Services Restore Mode (DSRM)
without DCCloneConfig: potentially introduce a USN bubble and duplicate SIDs
disrupts the Active Directory environment
Do not change/swap/switch VHDs on existing VMs: VM-Generation ID does not change in Windows Server 2012 Hyper-V
operational semantics don't cover this scenario, yet
Summary
Windows Server 2012 enables a much richer Active Directory virtualization experience: domain controllers can be virtualized without the concerns of the past
Enables the rapid deployment of domain controllers, leveraging the virtualized platform's native capabilities
Saves critical time during forest/domain recovery; trivializes scale-out to meet the needs of the environment
Related Content
Breakout Sessions: SIA312 What's New in Active Directory in Windows Server 2012
SIA
SIA, WSV, and VIR Track Resources
Talk to our Experts at the TLC
DOWNLOAD Windows Server 2012 Release Candidate: microsoft.com/windowsserver
Hands-On Labs
MS Tag
Scan the Tag to evaluate this session now on myTechEd Mobile
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market con
a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY,
PRESENTATION.