Considerations when hosting Active Directory Domain Controllers on Virtual Machines
Just to share my experience on this topic: it may be good to take these points into consideration when you are planning to deploy a domain controller on a Hyper-V virtual machine.
Point number 1:
As a precaution, do not take a snapshot of an Active Directory Domain Controller virtual machine. This is to prevent accidental or unplanned rollback of your Active Directory contents. Remember that a snapshot is not a valid backup of your system state data. If you apply a snapshot of your Active Directory Domain Controller virtual machine, it causes an update sequence number (USN) rollback.
Point number 2:
If you take a snapshot, a differencing disk (an AVHD file) is created, and this AVHD is merged into the primary VHD file when you do a proper shutdown of the virtual machine. The duration of the merge depends on the size of the AVHD file. Now, imagine you are unaware of this and shut down your physical Hyper-V server before the merge completes. Then you want to move, copy or migrate this domain controller virtual machine and copy the files to a new Hyper-V server. Unknowingly, you load the unmerged VHD file on the new Hyper-V server and disaster strikes.
Point number 3:
Disable Time Synchronization on your Domain Controller virtual machine. This is to prevent time skew; authentication problems occur when your time is out of sync.
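As an added example (not part of the original post), the following PowerShell audits Hyper-V guests that host domain controllers against the three points above. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later, not the Hyper-V version the post was written for) and that you already know which guests are DCs; the VM names are placeholders.

```powershell
# Added example: audit DC guests on a Hyper-V host for snapshots, unmerged
# differencing disks and the Time Synchronization integration service.
# Assumes the Hyper-V PowerShell module; VM names below are placeholders.
param(
    [string[]]$DomainControllerVMs = @('DC01', 'DC02')   # placeholder names
)

foreach ($name in $DomainControllerVMs) {
    $vm = Get-VM -Name $name -ErrorAction SilentlyContinue
    if (-not $vm) { Write-Warning "VM '$name' not found on this host"; continue }

    # Point 1: a DC guest should have no checkpoints (snapshots) at all;
    # applying one rolls the directory back and causes a USN rollback.
    $snaps = @(Get-VMSnapshot -VMName $name)
    if ($snaps.Count -gt 0) {
        Write-Warning ("{0}: {1} checkpoint(s) present" -f $name, $snaps.Count)
    }

    # Point 2: a differencing disk still chained to a parent means a merge has
    # not completed; copying only the parent VHD loses the recent AD changes.
    foreach ($disk in Get-VMHardDiskDrive -VMName $name) {
        $vhd = Get-VHD -Path $disk.Path
        if ($vhd.VhdType -eq 'Differencing') {
            Write-Warning ("{0}: {1} is a differencing disk (parent: {2}), merge pending" -f $name, $disk.Path, $vhd.ParentPath)
        }
    }

    # Point 3: the Time Synchronization integration service should be disabled
    # so the guest keeps domain time instead of following the host clock.
    $ts = Get-VMIntegrationService -VMName $name -Name 'Time Synchronization'
    if ($ts.Enabled) {
        Write-Warning ("{0}: Time Synchronization integration service is enabled" -f $name)
        # Remediation (uncomment to apply):
        # Disable-VMIntegrationService -VMName $name -Name 'Time Synchronization'
    }
}
```

Run it on the Hyper-V host with an account that can query the VMs; each warning maps back to one of the three points above.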
Upgrading Active Directory Domain Service to Windows 2008 R2
I know that to most of you this might mean just running adprep /forestprep. But with Windows 2008 R2 shipping only in 64-bit, it did create some challenges for my 32-bit FSMO role Domain Controllers.
If your FSMO role holders are currently running 32-bit Windows Server, you can still upgrade your schema to R2: use the adprep32.exe command on 32-bit machines.
Misleading report on Black Screen of Death.
I would like to bring to your attention inaccurate stories following a report by a British company claiming that customers who deployed the Windows 7 November security updates have experienced the so-called “Black Screens” that would render the system unbootable and unusable due to changes in the registry.
Here’s the background for your reference:
- Microsoft has found these reports to be inaccurate. Comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports. Microsoft’s support organization is also not seeing this as an issue. The claims also do not match any known issues that have been documented in our security bulletins.
- On December 1, Prevx, the company which issued the report, posted an apology to Microsoft which stated the following:
“Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor.”
- According to Microsoft’s blog post, the real culprit is a piece of malware that clears desktops and produces a black screen on infected PCs; various security vendors have tools for removing this malware. There is no fix or update necessary for this, but customers should keep their anti-virus software up-to-date as a preventative measure. So far, Microsoft is not seeing a massive occurrence of this particular issue in our support channels. If customers do encounter an issue with a security update, contact our Customer Service and Support group for no-charge assistance at http://support.microsoft.com/security.
- The protection and well-being of our customers’ PCs through the deployment of Security Updates is the ultimate goal of the Microsoft Security Response Center. Because of this, we continually work with our Customer Service and Support teams to keep a close eye for issues that may impact customers’ deployment of security updates.
You may use the following statement if asked by your customers and we encourage you to use this as an opportunity to educate customers on the importance of keeping up to date with security patches:
“The reports on the so-called “Black Screens” were investigated by Microsoft and found to be inaccurate. The company which issued the report has apologized and made a full retraction. Windows 7 security updates were not the cause of the black screens. There is no fix or update necessary for this, but customers should keep their anti-virus software up-to-date as a preventative measure. So far, Microsoft is not seeing an occurrence of this particular issue in our support channels locally.”