Windows Server 2012 – Virtualized Domain Controller

#server, #server-2012 edit this page

Hello, welcome and a very happy new year!

During Windows Server 8 Beta times, I wrote about virtualizing Domain Controllers and the VM-GenerationID attribute, since the old post was in German and about the beta version, this will be an updated translation.


The problem in Active Directory versions before 2012 was, that the restore of a snapshot would introduce a condition known as USN-Rollback, breaking replication between Domain Controllers. For that reason, DCs could not leverage all features of a modern, virtualized environment. Cloning a DC was pretty much unthinkable. Until now!

VDC Safe Restore

The Active Directory replication model assigns an ongoing number to every transaction (Update Sequence Number). DCs keep track of these numbers, along with a unique identifier (Invocation ID) for each replication partner. If a DC was rolled back in time (applying a snapshot), that DC would start reusing aged USNs and, therefore, replication partners would refuse the updates and terminate the replication partnership. The only resolution for this problem was to manually remove the DC from the Active Directory.

Now, Windows 2012 introduces a feature to tackle that problem. The Hypervisor exposes a VM-Generation ID through the ACPI table, this ID is saved in the Domain Controllers memory. If the VM-Generation ID changes (e.g. when a snapshot is applied), the restored DC knows that something happened and resets it’s invocation ID.


As replication partners have never heard of the new Invocation ID before, they don’t care about USN reuse and replicate like it was a new relationship. Apart from resetting the Invocation ID, the DC also, non-authoritatively restores SYSVOL and logs the following Event to the “Directory Services” Event Log.

The new Active Directory attribute used to store the VM-Generation ID is ms-DS-Generation-Id, find more information about that attribute on MDSN.

There is no need (and no way) to configure VDC Safe Restore, as long as the Hypervisor supports VM-Generation ID, it automatically works. In a recent blog post VMware announced support for VM-Generation ID for it’s vSphere platform, so now you can choose Hyper-V 2012 and VMware’s ESXi as Hypervisor for your Domain Controllers.

A word of caution at the end, never, and I mean NEVER, stop taking regular (AD aware) backups! The feature discussed in this post is meant just to solve the USN-Rollback issue, it is in no way a replacement for a backup as the DC is restored in a non-authoritative way.

Stay tuned for DC cloning :)


so long, have a nice weekend!