SIA317

  • 7/26/2019 SIA317

    1/37

    Active Directory Virtualization Safeguards and Domain Controller Cloning with Windows Server 2012

    Manu Pushpendran, Program Manager, Microsoft Corporation

    SIA317

  • 2/37

    Agenda

    Importance of Virtualization in IT

    Virtualization Challenges with Active Directory To

    Enabling a Seamless Virtualized Active Directory Experience in Windows Server 2012

    Rapid Deployment of Virtual Domain Controllers through Cloning

    elastic scale, faster disaster recovery, etc.

  • 4/37

    Importance of Virtualization in IT

    Well-established and still growing trend; widely adopted across all market segments

    Often, a business decision driven by cost savings: fewer machines require less space and power

    consolidate server hardware for optimal hardware utilization

    also provides numerous technological conveniences

    Virtualization paves the way toward private-cloud deployments

    reduces deployment and management complexity

    offers redundancy and dynamic-scale capabilities

  • 6/37

    Virtualization of Domain Controllers Pre-Windows Server 2012

    Pre-Windows Server 2012, DCs were successfully deployed on virtualization platforms for many years

    according to a set of well-defined best practices

    best practices advised against actions that could disrupt Active Directory

    Best-practices guidance cautioned against: applying snapshots on virtual domain controllers

    exporting a virtual machine that is running a domain controller

    copying virtual hard disks (VHDs)

    Hypervisor admins not necessarily aware of Active Directory's requirements or best practices

  • 7/37

    Virtualization Challenges for Distributed Wo

    Virtual machines offer snapshot capabilities, potentially problematic for distributed applications

    Why?

    applications experience a logical-clock shift

    operations happen outside of the OS's/application's awareness

    the logical clock is used to track updates

    Active Directory's logical clock is its USN (update sequence number)

    USNs record the sequence of updates made on each DC

    the DC is uniquely identified by its InvocationID

    Figure: USN timeline 0 1 2 3 4 5 6 7 (logical clock) with a "Take snapshot" marker

  • 9/37

    How Domain Controllers are Impacted (2 of 2): Impact to replication

    introduces USN bubbles leading to a (potentially permanent) divergence causing:

    lingering objects

    inconsistent passwords

    inconsistent attribute values

    schema mismatches if the Schema FSMO is rolled back

    Potential exists for security principals to be created with duplicate SIDs

    resulting in unauthorized access to resources for a period of time

    ultimately, though, the affected users will no longer be able to log on

  • 11/37

    Safe Domain Controller Virtualization

    Windows Server 2012 virtual DCs are able to detect when snapshots are applied

    a VM is copied

    Detection built off a VM-generation identifier (VM-GenID)

    VM-generation ID is changed when features such as VM-snapshot are applied

    NOTE: taking snapshots is not a supported alternative to backing up virtual domain controllers

    use Windows Server Backup (or other VSS-writer-based) backup solutions

  • 12/37

    Active Directory's Safe Virtualization Design

    VM-Generation ID provided by the hypervisor platform: a unique 128-bit identifier that guest operating systems and applications can leverage

    made available to applications through a Windows Server 2012 driver

    Windows Server 2012 virtual DCs track the VM-GenID

    allows the DC to detect changes and protect Active Directory

  • 13/37

    Active Directory's Safe Virtualization Design (2 of 2)

    VM-Generation ID stored in Active Directory database (DIT)

    non-replicated attribute stored on DC's computer object

    Before committing updates to local DIT, domain controllers compare VM-Generation ID in DIT against real-time VM-Generation ID from driver

    if different, resets DC's invocation ID and invalidates RID pool, then commits updates

    How do we handle FSMOs when an earlier snapshot rolls [back] time? FSMO role-holders delay servicing FSMO functions until a replication cycle is complete

    similar to the feature introduced in Windows Server 2003 known as initial sync (INITSYNC)

    During machine boot, compares VM-Generation ID in DIT against VM-Generation ID from driver

    if different, resets DC's invocation ID and invalidates RID pool

  • 14/37

    Virtual Machine Generation ID semantics

    If a virtualization operation WILL cause an Active Directory execution context (the metadata from a previous point in time) to be executed/re-used, the virtualization system MUST provide a new generation ID

    If a virtualization operation WILL NOT cause an Active Directory execution context to be re-executed/re-used, the virtualization system MUST NOT provide a new generation ID

    If it is unclear whether a virtualization operation will cause an Active Directory execution context to be re-executed/re-used, the virtualization system MUST provide a new generation ID

  • 17/37

    Active Directory Disaster Recovery Experience pre-Windows Server 2012

    Figure: forest contoso.com with domains corp.contoso.com, asia.corp.contoso.com and europe.corp.contoso.com; in each domain:

    DC 1: First domain controller restored using latest server backup

    DC 2: Second domain controller deployed from SYSPREP'ed server image and promoted as new domain controller

    DC 3: Subsequent domain controllers deployed from SYSPREP'ed server image and promoted as new domain controller

  • 18/37

    Leveraging Virtualization During Disaster Recovery

    Requires one replica DC per domain that MUST be on a VM-generation-ID-aware virtual platform, used to seed the recovery process

    Additional replicas provisioned through cloning by copying the virtual DC's VHD/VM to quickly scale out and restore [service]

  • 19/37

    DR Experience with Windows Server 2012

    Figure: forest contoso.com with domains corp.contoso.com, asia.corp.contoso.com and europe.corp.contoso.com; in each domain:

    DC 1: First domain controller restored using latest server backup

    DC 2, DC 3: Second and subsequent domain controllers deployed from clone of DC 1

  • 20/37

    Rapid Deployment of Virtualized RDCs. Note: we use the term replica because you can't deploy the first DC in a domain through cloning

    Promote and configure ONLY once; create additional replicas by copying VMs/VHDs

    Easier and faster to deploy replica DCs

    Minimizes dependencies/interactions between hypervisor administrators and Active Directory administrators when deploying DCs

    authorization remains under the Active Directory administrator's control

  • 21/37

    Some Additional Scenarios

    New or branch-office deployments

    Elastic provisioning capability to support: increased authentication demands to accommodate growth or anticipa[ted load]

    increased application load

    private-cloud capabilities

    Setting up test labs: the usual requirements and caveats still apply, i.e. ensure the resulting test environment remains isolated, forever!

  • 22/37

    1. Identify suitable source virtual DC

    2. Authorize source DC by adding it to the Cloneable Domain Controllers group; pre-provisioned with Control Access Right (CAR) on the domain-NC object (domain head)

    3. Run New-ADDCCloneConfigFile: verifies prerequisites, e.g. PDC FSMO is running Windows Server 2012 (more later on)

    Lets you specify name, IP address, DNS servers, site, etc. Provide an empty file to auto-generate values

    Sample file provided in-box at %windir%\system32\SampleDCCloneConfig.xml

    Schema file provided in-box at %windir%\system32\DCCloneConfigSchema.xsd

  • 23/37

    DCCloneConfig.xml sample

    Figure: rendered sample file; recoverable values are the computer name VirtualDC3 and the addresses 10.0.0.11, 10.0.0.1 and 10.0.0.101

  • 24/37

    Services/Programs supported for cloning

    Limited set of programs and services supported on the source out of the box

    Commonplace Windows Server 2012 services co-located on DCs are supported:

    e.g. DNS, FRS, DFSR

    listed in DefaultDCCloneAllowList.xml located in %windir%\system32

    Run Get-ADDCCloningExcludedApplicationList on the source domain controller

    confirm the resulting services and programs (if any) are suitable for cloning

    does the service or program rely on machine identity, such as account, name? Test!

    does the service or program store state locally that might affect its functionality? Test!

    add supported services and programs to the admin-extensible Allowed List with the -GenerateXML switch

  • 25/37

    File Locations and Precedence

    DCCloneConfig.xml:

    DIT folder

    %windir%\NTDS

    Root of any and all removable media (ordered by drive letter)

    CustomDCCloneAllowList.xml:

    Registry: HKLM\System\CurrentControlSet\Services\NTDS\Parameters, value AllowListFolder

    DIT folder

    %windir%\NTDS

    Root of removable media (ordered by drive letter)

  • 26/37

    demo

    Domain Controller Cloning

  • 27/37

    Demonstration of Domain Controller Cloning

    Figure: demo.lab topology on a Hyper-V host: PDC, Source, Clone 1, Clone 2, Clone 3

  • 28/37

    Virtual DC Cloning Design Review

    Uses VM-generation ID to detect and trigger the process

    Relies on presence of DCCloneConfig file to indicate intent and distinguish from the application of a snapshot

    Creates new machine identity; calls SYSPREP providers for select components to clean up machine state

    Uses source machine identity for authorization

    Resets database identifier (invocationID) to ensure replication convergence

    Invalidates RID pool, eliminating potential for duplicate SIDs

    Discards FSMO ownership if the source held any FSMO roles

  • 29/37

    Rapid Deployment: Cloning Decision Flow

    Flowchart; decision nodes and outcomes recovered from the slide:

    BOOT

    Has Generation ID changed? (Yes / No)

    Does DCCloneConfig.xml exist? (Yes / No)

    Rename DCCloneConfig.xml

    BOOT NORMALLY

    Generation ID available? (Yes / No)

    INITIATE CLONING

    END

  • 30/37

    Rapid Deployment: Cloning Flow

    Clone VM (Windows):

    NTDS starts

    Obtain current VM-GenID

    If different from value in DIT: reset InvocationID, discard RID pool

    DCCloneConfig.xml available?

    Dcpromo /xclone

    Parse DCCloneConfig.xml

    Configure network settings

    Locate PDC

    Call IDL_DRSAddCloneDC(name, site)

    Save clone state (new name, password, site)

    Promote as replica (IFM)

    Run (specific) sysprep providers

    Reboot

    PDC, on IDL_DRSAddCloneDC:

    Check authorization

    Create new DC object duplicating source (NTDSDSA, Server instances)

    Generate new DC account and password

    Object path: CN=Configuration, CN=Sites, CN=<site name>, CN=Servers, CN=<DC name>, CN=NTDS Settings
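    The boot-time decision on slides 13, 29 and 30, and the no-generation-ID cases from the cautionary notes that follow, as one PowerShell function. This is an added example, not code from the deck or from Windows; it models the decision as pure logic over constructed generation-ID values and touches no real DC. The outcome strings and the scenario names are assumptions made for readability; the branches follow the flowchart.

```powershell
# Added example: model of what a Windows Server 2012 virtual DC decides when
# NTDS starts, from the VM-Generation ID and the presence of DCCloneConfig.xml.
function Resolve-DcBootAction {
    param(
        [string]$StoredGenId,        # VM-GenID last saved in the DIT (msDS-GenerationId on the DC's computer object)
        [string]$CurrentGenId,       # VM-GenID from the driver; empty means the hypervisor provides none
        [bool]$CloneConfigPresent    # DCCloneConfig.xml found in one of the searched locations (slide 25)
    )
    $genIdAvailable = -not [string]::IsNullOrEmpty($CurrentGenId)

    if (-not $genIdAvailable) {
        # Cautionary notes: without a VM-Generation ID a clone config cannot be
        # acted on safely, so the DC goes to DSRM; without a config the DC boots,
        # but the snapshot/copy safeguards are simply not there.
        if ($CloneConfigPresent) { return 'BootIntoDSRM' }
        return 'BootNormally-NoSafeguards'
    }

    if ($CurrentGenId -eq $StoredGenId) {
        # Same generation: nothing was applied or copied. A DCCloneConfig.xml
        # that is still present (e.g. left on the source after the copy) is
        # renamed so it cannot trigger cloning on a later boot.
        if ($CloneConfigPresent) { return 'RenameCloneConfig;BootNormally' }
        return 'BootNormally'
    }

    # Generation changed: the DIT is a re-used execution context (slide 14).
    # Slide 13/30: reset InvocationID and discard the RID pool first, so neither
    # replication metadata nor SID allocation can collide with the DC's former self.
    $safeguards = 'ResetInvocationId;DiscardRidPool'
    if ($CloneConfigPresent) { return "$safeguards;InitiateCloning" }  # VM copy with declared intent
    return "$safeguards;BootNormally"                                  # snapshot applied, no intent to clone
}

# Constructed scenarios, one per branch.
$scenarios = @(
    @{ Name = 'plain reboot';              Stored = 'gen-A'; Current = 'gen-A'; Config = $false }
    @{ Name = 'snapshot applied';          Stored = 'gen-A'; Current = 'gen-B'; Config = $false }
    @{ Name = 'VM copy with clone config'; Stored = 'gen-A'; Current = 'gen-B'; Config = $true  }
    @{ Name = 'config left on source';     Stored = 'gen-A'; Current = 'gen-A'; Config = $true  }
    @{ Name = 'no GenID, config present';  Stored = 'gen-A'; Current = '';      Config = $true  }
    @{ Name = 'no GenID, no config';       Stored = 'gen-A'; Current = '';      Config = $false }
)
foreach ($s in $scenarios) {
    $action = Resolve-DcBootAction -StoredGenId $s.Stored -CurrentGenId $s.Current -CloneConfigPresent $s.Config
    '{0,-28} -> {1}' -f $s.Name, $action
}
```

    The point the model makes explicit is that the config file alone never starts a clone and a changed generation ID alone never does either: cloning needs both, which is what lets the DC tell an authorized copy from a snapshot rolled back by a hypervisor admin. The last two scenarios are the ones to watch on platforms that lack the generation ID: the DC cannot distinguish any of the first four cases and either stops in DSRM or runs with no protection at all.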

  • 31/37

    Cautionary Notes

    Only Windows Server 2012 virtual Domain Controllers can be cloned

    Requires PDC FSMO to be a Windows Server 2012 DC

    Deploying clone DCs on virtualization platforms tha[t do not] provide VM-Generation ID will:

    with DCCloneConfig: cause the clone DC to boot into Directory Services Restore Mode (DSRM)

    without DCCloneConfig: potentially introduce a USN bubble and [duplicate] SIDs; disrupts the Active Directory environment

    Do not change/swap/switch VHDs on existing VMs: VM-Generation ID does not change in Windows Server 2012 Hyper-V

    operational semantics don't cover this scenario, yet

  • 32/37

    Summary

    Windows Server 2012 enables a much richer Active Directory virtualization experience: domain controllers can be virtualized without the concerns of the past

    Enables the rapid deployment of domain controllers leveraging the virtualized platform's native capabilities

    Saves critical time during forest/domain recovery; trivializes scale-out to meet the needs of the environment

  • 33/37

    Related Content

    Breakout Sessions: SIA312 What's New in Active Directory in Windows Server 2012

    SIA

  • 34/37

    SIA, WSV, and VIR Track Resources

    Talk to our Experts at the TLC

    #TE(sessioncode)

    DOWNLOAD Windows Server 2012 Release Candidate: microsoft.com/windowsserver

    Hands-On Labs

    MS Tag

  • 35/37

    MS Tag

    Scan the Tag to evaluate this session now on myTechEd Mobile

  • 36/37

    © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and [...] The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market con[ditions ...] a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, [...] PRESENTATION.
