AD domain Controller Virtualization complete Chapter

Source: Internet
Author: User





I. Problems with AD DC virtualization



1. Time synchronization


Because Kerberos authentication relies on reliable time, correct time synchronization inside the domain is essential. When a DC is virtualized and the virtual machine is set to take its time from the Hyper-V host, the DC no longer follows the domain time hierarchy, which causes a chain of problems. It is therefore recommended to disable the Hyper-V Time Synchronization integration service for the DC and make sure the domain's own time synchronization configuration is correct.
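The following is an added example (it is not from the original post) showing how to turn off the host time source for a virtual DC and then point the DC at the domain hierarchy instead. It assumes the DC runs as a VM named DC01 on a Hyper-V host with the Hyper-V PowerShell module, and uses time.example.com as a placeholder for an external NTP source:

```powershell
# Added example (not from the original post). Assumes the DC is VM "DC01" on a
# Hyper-V host, and that "time.example.com" is a placeholder NTP source.

# --- On the Hyper-V host: stop the guest from taking its time from the host ---
$vmName = 'DC01'
$svc = Get-VMIntegrationService -VMName $vmName -Name 'Time Synchronization'
if ($svc.Enabled) {
    Disable-VMIntegrationService -VMName $vmName -Name 'Time Synchronization'
}
# Verify: Enabled should now be False
Get-VMIntegrationService -VMName $vmName -Name 'Time Synchronization' |
    Select-Object VMName, Name, Enabled

# --- Inside the DC: make the domain hierarchy the time source ---
# The PDC emulator is the root of the domain time hierarchy; only it should
# point at an external NTP server. Every other DC syncs from the domain.
$pdc = (Get-ADDomain).PDCEmulator
if ($env:COMPUTERNAME -ieq $pdc.Split('.')[0]) {
    w32tm /config /manualpeerlist:"time.example.com" /syncfromflags:manual /reliable:yes /update
} else {
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service w32time
w32tm /resync

# Show the source actually in use. On a non-PDC DC it should be another DC,
# never "VM IC Time Synchronization Provider" (that is the Hyper-V host).
w32tm /query /source
w32tm /query /status
```

The last two commands are the check worth keeping in a runbook: if `w32tm /query /source` still reports the VM IC provider, the integration service is still enabled on the host.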


2. Virtual machine Snapshot rollback


A virtual machine snapshot rollback can cause two problems:

1) USN (Update Sequence Number)

AD uses the USN to replicate directory changes accurately. Each DC maintains its own 64-bit USN counter, and every change made to an AD object on that DC increments it. When DC2 initiates replication from DC1, the USNs are compared: if the USN of an object on DC1 is larger than the value DC2 last saw, the object has changed and the change is replicated. If a DC virtual machine is rolled back to an earlier state with a snapshot, its USN value may go backwards; the other DCs then assume the changes it creates have already been replicated and refuse them, which leaves the AD database inconsistent and breaks replication between DCs.

2) RID Pool

To assign SIDs to new users and other objects, a DC must guarantee that every SID is unique. DCs in the domain therefore request a pool, a range of RIDs, from the RID master and allocate from it for new objects. For example, a DC receives the pool 101-600 and uses it for a while, so some users have already been given SIDs from this pool, and those objects have also been replicated to the other DCs. If the snapshot is rolled back at this point, the DC hands out the same IDs from the pool again, producing duplicate allocations.


II. Improvements in Windows Server 2012


Windows Server 2012 introduces a new identifier, the VM-Generation ID. A virtual DC obtains its VM-Generation ID from the hypervisor, so hypervisor support is required. The value of the VM-Generation ID is saved as part of the computer object in AD and is also saved in the virtual machine configuration file.

    • In AD, the value of the VM-Generation ID is stored in the msDS-GenerationId attribute of the domain controller's computer object.

    • In the virtual machine configuration file (.vmx), the value of the VM-Generation ID is represented by the configuration entry vm.genid. All Windows Server 2012 virtual servers, whether DC or not, have this value in the VMX.

In this scenario, if the virtual DC is rolled back with a snapshot, for example from an ID of 1000 back to an ID of 500, the VM-Generation ID in AD no longer matches the VM-Generation ID in the virtual machine configuration file. The DC then resets another unique identifier, the invocationID, which prevents the old USNs from being reused, and discards the RID pool. After that it initiates a synchronization of the AD database and replicates the authoritative version of the AD database back from the other DCs.
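As an added example (not from the original post), the following script reads the values the text describes so that an administrator can confirm what happened after a suspected snapshot rollback: the VM-Generation ID stored in AD, the DC's current invocationID, and the replication events that a generation-ID change or USN rollback produces. It assumes the RSAT ActiveDirectory module, a DC named DC01, and an admin session that can read that DC's event log remotely:

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module, a DC named "DC01", and rights to read its Directory Service log.
$dcName = 'DC01'

# 1. The VM-Generation ID stored in AD: msDS-GenerationId is an 8-byte value.
$computer   = Get-ADComputer -Identity $dcName -Properties 'msDS-GenerationId'
$genIdBytes = [byte[]]$computer.'msDS-GenerationId'
$genId = if ($genIdBytes -and $genIdBytes.Length -eq 8) {
    [BitConverter]::ToUInt64($genIdBytes, 0)
} else { $null }   # $null: not virtualized or hypervisor does not supply an ID

# 2. The invocationID of the DC's NTDS Settings object. It is reset when the DC
#    detects a generation-ID mismatch after a snapshot is applied, so a changed
#    invocationID after a rollback is the expected (safe) outcome.
$dc = Get-ADDomainController -Identity $dcName

[pscustomobject]@{
    DC           = $dcName
    GenerationId = $genId
    InvocationId = $dc.InvocationId
}

# 3. Evidence in the Directory Service log:
#    2170 = a VM-Generation ID change was detected (safe rollback path)
#    2095 = USN rollback detected (the unsafe case the text describes)
Get-WinEvent -ComputerName $dcName `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = 2170, 2095 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. Replication partners that still refuse updates show up here as errors.
repadmin /showrepl $dcName
```

Record GenerationId and InvocationId before any planned snapshot work; comparing them afterwards tells you whether the hypervisor actually exposed a new generation ID to the guest.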


III. AD domain controller virtualization



1. Prerequisites for virtualized DCs:


1) You must be a member of the Domain Admins group.

2) At least one Hyper-V host running Windows Server 2012 or later.

3) Local Administrators permissions on the Hyper-V host.

4) A DC that hosts the PDC emulator FSMO role and runs Windows Server 2012 or later (run netdom query fsmo to see which DC in the domain hosts this role). This server handles authentication and security checks for the clone; it is not itself part of the cloning.

5) The virtual DC to be cloned is in the same domain as the PDC emulator and runs Windows Server 2012 or later.

6) The DHCP, AD CS and AD LDS roles must not be running on the DC to be cloned (these three roles do not support cloning).

7) Eject the virtual floppy drive on the DC to be cloned, because an attached floppy causes problems when the new VM is imported.
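The prerequisites above can be checked before anything is exported. The script below is an added example, not part of the original post, and assumes the source DC is SERVER02, running as the VM SERVER02 on the local Hyper-V host, with the RSAT ActiveDirectory and Hyper-V modules available where the script runs:

```powershell
# Added example (not from the original post). Assumes source DC "SERVER02"
# runs as VM "SERVER02" on this Hyper-V host; RSAT AD + Hyper-V modules present.
$sourceDc = 'SERVER02'
$vmName   = 'SERVER02'
$results  = [System.Collections.Generic.List[object]]::new()

function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}
# OperatingSystemVersion looks like "6.3 (9600)"; 6.2 is Windows Server 2012.
function Test-MinOs([string]$OsVersion) {
    [version]($OsVersion -replace '\s.*$') -ge [version]'6.2'
}

# 1) Caller must be in Domain Admins
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$domainAdminsSid = (Get-ADGroup 'Domain Admins').SID.Value
Add-Check 'Member of Domain Admins' ($me.Groups.Value -contains $domainAdminsSid) $me.Name

# 2) Hyper-V host must be 2012 (NT 6.2) or newer
$hostVer = [Environment]::OSVersion.Version
Add-Check 'Hyper-V host >= 2012' ($hostVer -ge [version]'6.2') $hostVer.ToString()

# 3) Local administrator on the host
$isLocalAdmin = ([Security.Principal.WindowsPrincipal]$me).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Check 'Local admin on host' $isLocalAdmin $env:COMPUTERNAME

# 4) PDC emulator must run Windows Server 2012 or later (same as netdom query fsmo)
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
Add-Check 'PDC emulator OS >= 2012' (Test-MinOs $pdc.OperatingSystemVersion) "$($pdc.HostName): $($pdc.OperatingSystem)"

# 5) Source DC in the same domain as the PDC emulator, and 2012 or later
$src = Get-ADDomainController -Identity $sourceDc
Add-Check 'Source DC same domain as PDC' ($src.Domain -ieq $pdc.Domain) $src.Domain
Add-Check 'Source DC OS >= 2012' (Test-MinOs $src.OperatingSystemVersion) $src.OperatingSystem

# 6) DHCP, AD CS and AD LDS must not be installed on the source DC
$blocked = Invoke-Command -ComputerName $sourceDc -ScriptBlock {
    Get-WindowsFeature -Name DHCP, ADCS-Cert-Authority, ADLDS | Where-Object Installed
}
Add-Check 'No DHCP / AD CS / AD LDS' (-not $blocked) (($blocked | ForEach-Object Name) -join ',')

# 7) No virtual floppy attached (Generation 2 VMs have no floppy drive at all)
$floppy = Get-VMFloppyDiskDrive -VMName $vmName
Add-Check 'Floppy ejected' ([string]::IsNullOrEmpty($floppy.Path)) "$($floppy.Path)"

$results | Format-Table -AutoSize
```

If the floppy check fails, `Set-VMFloppyDiskDrive -VMName $vmName -Path $null` ejects the media; the other failures need the roles removed or the DC moved before cloning is attempted.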


2. Join the security group


Step 1: On the DC that hosts the PDC emulator, open Active Directory Users and Computers, expand the domain, and locate the Cloneable Domain Controllers security group under the Users container.


This group is used to control which DCs can be cloned.

Step 2: On the Members tab, add the DC computer that you want to clone; in this example it is Server02.



3. Create the DCCloneConfig.xml file


Step 1: Check whether the applications installed on the DC support cloning. In PowerShell, enter:

Get-ADDCCloningExcludedApplicationList -GenerateXml


Step 2: Configure the required parameters for the newly cloned DC:

[Screenshot omitted: the PowerShell command that creates DCCloneConfig.xml]

This command creates and saves the DCCloneConfig.xml file that the clone requires.


4. Export the DC to be cloned


[Screenshot omitted: exporting the virtual machine from Hyper-V Manager]


5. Import on the Hyper-V host


[Screenshot omitted: the Import Virtual Machine wizard]

In Hyper-V Manager, right-click the host, select Import Virtual Machine, and follow the wizard to complete the import.
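Steps 2 to 5 above can be driven end to end from PowerShell. The script below is an added example, not the original post's own commands (the post shows the parameters only as a screenshot), and assumes the source DC is SERVER02 (VM SERVER02 on this Hyper-V host), the clone should come up as SERVER03 with a static address in the 192.0.2.0/24 documentation range, and the export and import paths are placeholders:

```powershell
# Added example (not from the original post). Source DC "SERVER02" (VM
# "SERVER02" on this Hyper-V host); clone becomes "SERVER03". Paths and
# addresses are placeholders.
$sourceDc   = 'SERVER02'
$vmName     = 'SERVER02'
$cloneName  = 'SERVER03'
$exportPath = 'D:\Export'          # placeholder
$importRoot = 'D:\VMs\SERVER03'    # placeholder

# Step 2: allow the source DC to be cloned (membership replicates from the PDC)
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $sourceDc)

# Step 3: on the source DC, review services that do not support cloning, then
# write DCCloneConfig.xml with the clone's identity and network settings.
Invoke-Command -ComputerName $sourceDc -ScriptBlock {
    param($cloneName)
    # Anything listed here must be removed, or explicitly allow-listed by
    # -GenerateXml (which writes CustomDCCloneAllowList.xml) after review.
    Get-ADDCCloningExcludedApplicationList
    Get-ADDCCloningExcludedApplicationList -GenerateXml

    # New-ADDCCloneConfigFile also re-runs the prerequisite checks and fails
    # early if, for example, the DC is not in Cloneable Domain Controllers.
    New-ADDCCloneConfigFile -CloneComputerName $cloneName `
        -SiteName 'Default-First-Site-Name' `
        -Static -IPv4Address '192.0.2.20' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '192.0.2.1' -IPv4DNSResolver '192.0.2.10'
} -ArgumentList $cloneName

# Step 4: export the source VM while it is shut down so the clone starts from
# a consistent database, then bring the source back.
Stop-VM -Name $vmName
Export-VM -Name $vmName -Path $exportPath
Start-VM -Name $vmName

# Step 5: import as a copy with a new VM ID. The new VM-Generation ID plus the
# DCCloneConfig.xml on disk is what makes the guest promote itself as a clone
# instead of behaving like a rolled-back copy of SERVER02.
$config = Get-ChildItem -Path (Join-Path $exportPath $vmName) -Recurse -Include *.vmcx, *.xml |
    Where-Object { $_.DirectoryName -like '*Virtual Machines*' } |
    Select-Object -First 1
$clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath $importRoot `
    -VhdDestinationPath (Join-Path $importRoot 'Virtual Hard Disks')
Rename-VM -VM $clone -NewName $cloneName
Start-VM -Name $cloneName
```

After the clone boots, `Get-ADDomainController -Identity SERVER03` should return a DC with its own InvocationId, and `repadmin /showrepl SERVER03` should show successful inbound replication; if the clone instead comes up in Directory Services Restore Mode, the DCCloneConfig.xml checks failed and the reason is logged in the Directory Service log on the clone.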


If you have questions or want to discuss, add teacher Liu's contact number (QR code image not reproduced).

This article is from the "Liu Daojun blog"; please keep this source: http://ldj027.blog.51cto.com/401017/1774034
