Mastering Windows Server 2016 Hyper-V

customers. Even though it’s stated in many articles never to use snapshots with
domain controllers, it still happens.


Figure 6.8 Update sequence number problems when applying a snapshot to a
domain controller.


Windows Server 2012 fixed this through the use of a VM-generationID, which is
provided by the Windows Server 2012 Hyper-V hypervisor. This VM-generationID is
changed anytime something happens to a virtual machine that affects its point in
time, such as applying a snapshot or duplicating the virtual machine. Active Directory
stores the VM-generationID in the AD database, and every time an operation is
performed, such as creating or changing an object, the VM-generationID stored in the
AD database is compared against the VM-generationID provided by the hypervisor. If
the VM-generationIDs do not match, it means that something has happened to the
VM in logical time, and at this point the Active Directory service stops AD actions to
protect Active Directory and performs the following:


Discards the RID pool.

Resets the invocation ID, which is a database identifier. This is reset to ensure that
no replication problems occur with other domain controllers. When the invocation
ID is reset, there is no USN reuse problem, because USNs are paired with the
invocation ID.

Reasserts the INITSYNC requirement for flexible single-master operation (FSMO)
roles, which forces the domain controller to replicate with another domain
controller that holds a copy of the partition in which the FSMO role is maintained.

These actions allow the domain controller to continue functioning without any risk to
ongoing replication or security ID duplication. Even with this technology, there is still
impact to the domain controller, because it has to take corrective actions. Therefore,
do not start using checkpoints with domain controllers, but rather feel more secure
that using them accidentally will not cause problems.
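
The comparison and reset described above can be followed in a small model that applies a snapshot with and without the VM-generationID check. This is an added example, not code from the book or from Active Directory; the DC and Partner classes, the gen-A and gen-B values, and the single high-watermark table are simplifying assumptions, and the INITSYNC step is not modelled.

```python
import copy
import uuid

class DC:
    """Toy domain controller: each originating write is stamped (invocation ID, USN)."""
    def __init__(self, gen_id):
        self.invocation_id = uuid.uuid4().hex
        self.usn = 0
        self.objects = {}             # name -> (invocation_id, usn) of the write
        self.stored_gen_id = gen_id   # VM-generationID copy kept in the AD database
        self.rid_pool = list(range(1000, 1500))   # constructed RID range

    def write(self, name, hypervisor_gen_id, safeguard=True):
        # Before committing, compare the stored ID with the hypervisor's value.
        if safeguard and hypervisor_gen_id != self.stored_gen_id:
            self.rid_pool = []                      # discard the RID pool
            self.invocation_id = uuid.uuid4().hex   # reset the invocation ID
            self.stored_gen_id = hypervisor_gen_id
        self.usn += 1
        self.objects[name] = (self.invocation_id, self.usn)

class Partner:
    """Replication partner that remembers the highest USN seen per invocation ID."""
    def __init__(self):
        self.high_watermark = {}
        self.objects = set()

    def pull(self, dc):
        # Accept only writes newer than what was already seen from that invocation ID.
        for name, (inv, usn) in dc.objects.items():
            if usn > self.high_watermark.get(inv, 0):
                self.objects.add(name)
        for inv, usn in dc.objects.values():
            self.high_watermark[inv] = max(self.high_watermark.get(inv, 0), usn)

def run(safeguard):
    """Return True if a write made after the snapshot is applied reaches the partner."""
    gen = "gen-A"                       # constructed hypervisor value
    dc, partner = DC(gen), Partner()
    dc.write("user1", gen, safeguard)
    snapshot = copy.deepcopy(dc)        # checkpoint taken at USN 1
    dc.write("user2", gen, safeguard)
    dc.write("user3", gen, safeguard)
    partner.pull(dc)                    # partner has now seen USN 3
    dc, gen = snapshot, "gen-B"         # snapshot applied; hypervisor changes the ID
    dc.write("user4", gen, safeguard)   # USN 2 again; only a new invocation ID makes it unique
    partner.pull(dc)
    return "user4" in partner.objects
```

Without the check, the partner has already seen USN 3 from the same invocation ID, so it ignores the new write at USN 2; with the check, the write carries a new invocation ID and replicates.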
