5 Replies Latest reply: Jul 16, 2015 10:26 AM by John Leonardini

    Domain Controller snapshot

    Jay G Newbie

      Should Windows domain controllers not be snapshotted with Nimble? I am reading conflicting information.

      I'm not trying to restore a DC from a Nimble snapshot; it's just that I don't have any volumes that don't replicate at this point. I'd rather not have to recreate all volumes to make room for a new one.

      I'm just concerned about damaging AD.

      Thanks

        • Re: Domain Controller snapshot
          Jonathan Zygmunt Adventurer

          I can't imagine a scenario where snapshotting itself would cause a problem with a DC. The problem is that the whole idea of snapshotting is to use that snapshot for something. In using the snapshot, considerations would include the version of Windows and the intended use of the snapshot. If you ever intend to use the replica/snapshot in your production environment (except for some very specific DR cases), you will very likely run into a USN rollback issue, effectively making your DC somewhat worthless. The exception here is Windows 2012, which now includes safeguards (see https://technet.microsoft.com/en-us/library/hh831734.aspx#virtualized_dc_cloning).

          I suppose I could imagine two scenarios with a Windows 2008 DC where utilizing a snapshot would be okay. 1) Bringing up the snapshotted DC in an isolated sandbox for testing or development purposes would likely be okay as long as it was absolutely certain that communication would never be established with the original production DCs. Even that scenario would still require considerations for things like the FSMO roles (making sure you bring up a snapshot of the FSMO role holder or seize the roles). 2) A DR scenario (say, replication to another site, or perhaps a rather thorough destruction of data from a virus or maliciousness) where all DCs have been lost. In this case bringing up only one snapshotted DC might be expedient, again with the same considerations for things like FSMO roles.
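As an added, read-only check (not part of this thread or of any Nimble tooling), the PowerShell below reports the indicators a DC exposes when it has hit the USN rollback condition Jonathan describes, and whether the DC is populating the VM-Generation-ID attribute that underpins the Windows Server 2012 safeguard he links. The indicators used are Microsoft's documented ones: Directory Service events 2095 and 2103, the "DSA Not Writable" registry value (set to 4 on a detected rollback), and the msDS-GenerationId attribute on the DC's computer object. The function name and the 30-day lookback default are this example's own choices; it assumes it is run with administrative rights on the DC itself.

```powershell
# Added example, not from the thread. Read-only checks for USN-rollback
# indicators and VM-Generation-ID support on the local domain controller.
function Test-UsnRollbackIndicators {
    [CmdletBinding()]
    param(
        # Assumed default: how far back to search the Directory Service log
        [int]$LookbackDays = 30
    )

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        DsaNotWritable    = $null
        RollbackEvents    = 0
        GenerationIdFound = $false
        Verdict           = 'OK'
    }

    # 1. Registry flag: NTDS sets "DSA Not Writable" = 4 when it detects a rollback
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ntds = Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue
    if ($ntds -and $ntds.PSObject.Properties['DSA Not Writable']) {
        $result.DsaNotWritable = $ntds.'DSA Not Writable'
    }

    # 2. Event log: 2095 = USN rollback detected, 2103 = unsupported restore, replication disabled
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2095, 2103
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue
    $result.RollbackEvents = @($events).Count

    # 3. VM-Generation-ID: a 2012+ DC on a supporting hypervisor populates msDS-GenerationId
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $dc = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-GenerationId'
        $result.GenerationIdFound = ($null -ne $dc.'msDS-GenerationId')
    } catch {
        # ActiveDirectory module missing or the query failed; GenerationIdFound stays $false
    }

    if ($result.DsaNotWritable -eq 4 -or $result.RollbackEvents -gt 0) {
        $result.Verdict = 'USN ROLLBACK INDICATED: keep this DC isolated from replication and follow Microsoft recovery guidance'
    } elseif (-not $result.GenerationIdFound) {
        $result.Verdict = 'No VM-Generation-ID protection observed: treat any snapshot revert of this DC as unsafe'
    }

    [pscustomobject]$result
}

Test-UsnRollbackIndicators | Format-List
```

A clean DC prints `DsaNotWritable` empty (or not 4), `RollbackEvents` 0 and, on Windows Server 2012 or later under a hypervisor that exposes VM Generation ID, `GenerationIdFound` True. The third check is the practical way to confirm that the safeguard Jonathan refers to is actually active for a given VM rather than assuming it from the OS version.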

          • Re: Domain Controller snapshot
            John Leonardini Wayfarer

            Have to agree with Jonathan. A recovered AD snapshot will be out of sync with the rest of the environment, so no one in the domain would use it again. Snapshotting it in a crash-consistent fashion would not hurt it at all; snapshotting a DC virtual machine with vCenter synchronization should not hurt it either. The problem is that a recovered clone or snapshot would not be usable by a running domain, as it is out of sync. Theoretical uses like test/dev might make sense, and an AD recovery after a widespread corruption killed ALL of the DCs in the environment is definitely doable (I've done it) from an AD VM, but it's a pretty narrow use case. Then again, snapshot functionality is included in your Nimble, so there's no good reason not to do it...just don't think that those snapshots are a complete protection story in this case.

            This isn't a Nimble-exclusive issue - I do not know of any technology that can recover a DC from a snapshot and then put it back in a running AD in a fully functional mode.

            I preach deploying N+1 minimum DCs, and relying on the built-in tools and application-level replication between the DCs as the best way to protect the active domain. No matter what storage platform you are using, I would consider that a best practice.

              • Re: Domain Controller snapshot
                Jay G Newbie

                As my OP post states:

                "I'm not trying to restore a DC from a Nimble snapshot; it's just that I don't have any volumes that don't replicate at this point."

                I have plenty of DCs in my network and already use other means to back up the AD database. My issue is that all of my volumes are already created and set for replication on the Nimble. This means that any VM, including my DCs, that sits on a Nimble volume will be snapshotted. I am unable to svMotion and resize volumes at this point, as I would need to re-replicate all the VMs that are svMotioned around. (Side note: I wish Nimble would be smart enough to know that the same VM is on the other side and not have to re-replicate the entire VM after an svMotion.)

                A number of articles that I can post later have made note that using either VMware or MS VSS to snapshot a DC is dangerous by itself. I am not talking about restoring a DC from a snapshot, just invoking the snapshot itself.

                So I guess the better question is: how safe is the action itself of snapshotting a DC? If you have to snapshot a DC, is it safer to use MS VSS or VMware VSS?

                  • Re: Domain Controller snapshot
                    Jonathan Zygmunt Adventurer

                    VMware Tools simply call the Microsoft VSS providers. Perhaps you're talking about the VMware SYNC driver, which I believe you can still force the use of if you really want to (though my memory is a bit hazy on the SYNC driver). To my recollection, even good old NTBackup used Microsoft VSS to back up Active Directory, so I figure if it was safe enough for Microsoft, it's safe enough for me.

                    • Re: Domain Controller snapshot
                      John Leonardini Wayfarer

                      Once again, +1 Jonathan. No VSS is available on Nimble for DCs, only for SQL and Exchange. So the only option for sync would be vCenter-synced, which calls the VSS provider in VMware Tools, which are hopefully installed. I personally have not had an issue with this methodology with AD, but my lab is small and AD is a minor part of it - I'm more an OpenDirectory guy at this point. If others have, I will defer to their experience.

                      Not to change the subject, but this sounds a bit like the best practice for vCenter - which definitely is DO NOT USE vCenter-synced snapshots on the datastore that holds the vCenter. That will break the vCenter sooner or later, and probably sooner. Best practice is to set up a datastore with no synchronization and run the vCenter on that guy. If you have that datastore set up, vMotion those AD machines to that crash-consistent (no sync) datastore and relax.
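Both Jonathan's point that VMware Tools just call the Microsoft VSS providers and John's "hopefully installed" remark come down to one verifiable fact on the guest: whether the NTDS VSS writer is registered and healthy when the snapshot is taken. The PowerShell below is an added example (not from this thread, not Nimble or VMware code) that parses `vssadmin list writers` and reports the state of the NTDS writer. The parsing is keyed on the writer's name rather than its GUID; the function names and the constructed sample output used to demonstrate the parser offline are this example's own. Running it against the live system requires an elevated prompt on the DC.

```powershell
# Added example, not from the thread. Parse `vssadmin list writers` and
# confirm the NTDS writer is present and stable before trusting a
# VSS-quiesced (vCenter-synced) snapshot of a domain controller.
function Get-VssWriterStatus {
    [CmdletBinding()]
    param(
        # Raw text of `vssadmin list writers`; defaults to running it live
        [string]$RawOutput = (vssadmin list writers | Out-String)
    )

    $writers = @()
    $current = $null
    foreach ($line in ($RawOutput -split "`r?`n")) {
        if ($line -match "^\s*Writer name:\s*'(?<name>[^']+)'") {
            if ($current) { $writers += [pscustomobject]$current }
            $current = [ordered]@{ Name = $Matches.name; State = $null; LastError = $null }
        } elseif ($current -and $line -match '^\s*State:\s*\[(?<code>\d+)\]\s*(?<state>.+?)\s*$') {
            $current.State = $Matches.state
        } elseif ($current -and $line -match '^\s*Last error:\s*(?<err>.+?)\s*$') {
            $current.LastError = $Matches.err
        }
    }
    if ($current) { $writers += [pscustomobject]$current }
    $writers
}

function Test-NtdsWriterReady {
    param([string]$RawOutput = (vssadmin list writers | Out-String))

    $ntds = Get-VssWriterStatus -RawOutput $RawOutput | Where-Object { $_.Name -eq 'NTDS' }
    if (-not $ntds) {
        return 'NTDS writer not registered: a quiesced snapshot of this DC will not be application-consistent for AD'
    }
    if ($ntds.State -ne 'Stable' -or $ntds.LastError -ne 'No error') {
        return "NTDS writer state '$($ntds.State)', last error '$($ntds.LastError)': investigate before relying on quiesced snapshots"
    }
    'NTDS writer registered and stable'
}

# Constructed sample output (shape of `vssadmin list writers`), so the parser can be
# exercised without an elevated prompt; GUIDs here are placeholders, not real writer IDs.
$sample = @"
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Writer name: 'NTDS'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-000000000002}
   State: [1] Stable
   Last error: No error

Writer name: 'Registry Writer'
   Writer Id: {00000000-0000-0000-0000-000000000003}
   Writer Instance Id: {00000000-0000-0000-0000-000000000004}
   State: [5] Waiting for completion
   Last error: No error
"@

Test-NtdsWriterReady -RawOutput $sample   # sample: NTDS writer registered and stable
Test-NtdsWriterReady                      # live system (requires an elevated prompt)
```

The useful operational detail is the second function's first branch: if VMware Tools are not installed, or the writer has faulted, the hypervisor-driven snapshot silently falls back to crash-consistent, which is exactly the case the thread agrees is harmless to take but not application-consistent. Checking the writer state in a scheduled task gives you a record of which DC snapshots were actually quiesced.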