Tag Archives: Windows Server 2012

Quick Comment: Active Directory 2012 USN Rollback Protection. Finally safe virtualization?

So something that doesn’t seem to be getting much press is that Windows Server 2012 brings safe virtualization and protection from USN rollbacks.  Yes, it does.  All the docs say it, but Hyper-V 3.0 and PowerShell V3 get all the press.

Windows Server tried to detect USN rollbacks, but this error, which can kill a domain, was a real danger and occurred regularly. The more common ways a USN rollback might not be detected are: a virtual hard disk may be selected on more than one machine or, more commonly, a snapshot of a VM is restored and it has a USN that has increased past the last USN that the other domain controller has received.

So while the first scenario might lead to domain controllers not replicating changes… and make things unstable and unpredictable, and kill your forest; the second can be really bad. Let’s just say bad. Best case is an Event ID 1988 in Event Viewer for a lingering object. Sometimes though you have corrupt data and wipe out the domain.

So, what was my mantra again? Oh yeah. Let’s make the new modus operandi: just say no to “blowing up” your Active Directory. So give Windows Server 2012 a spin and let’s hear some attempts to kill it.

An excerpt from Microsoft discusses the new feature.  Don’t forget to follow the link and read the whole thing.

Excerpt from http://technet.microsoft.com/en-us/library/hh831734.aspx

“Virtual environments present unique challenges to distributed workloads that depend upon a logical clock-based replication scheme. AD DS replication, for example, uses a monotonically increasing value (known as a USN or Update Sequence Number) assigned to transactions on each domain controller. Each domain controller’s database instance is also given an identity, known as an InvocationID. The InvocationID of a domain controller and its USN together serve as a unique identifier associated with every write-transaction performed on each domain controller and must be unique within the forest.

AD DS replication uses InvocationID and USNs on each domain controller to determine what changes need to be replicated to other domain controllers. If a domain controller is rolled back in time outside of the domain controller’s awareness and a USN is reused for an entirely different transaction, replication will not converge because other domain controllers will believe they have already received the updates associated with the re-used USN under the context of that InvocationID.

For example, the following illustration shows the sequence of events that occurs in Windows Server 2008 R2 and earlier operating systems when USN rollback is detected on VDC2, the destination domain controller that is running on a virtual machine. In this illustration, the detection of USN rollback occurs on VDC2 when a replication partner detects that VDC2 has sent an up-to-dateness USN value that was seen previously by the replication partner, which indicates that VDC2’s database has rolled back in time improperly.

A virtual machine (VM) makes it easy for hypervisor administrators to roll back a domain controller’s USNs (its logical clock) by, for example, applying a snapshot outside of the domain controller’s awareness. For more information about USN and USN rollback, including another illustration to demonstrate undetected instances of USN rollback, see USN and USN Rollback.

Beginning with Windows Server 2012, AD DS virtual domain controllers hosted on hypervisor platforms that expose an identifier called VM-Generation ID can detect and employ necessary safety measures to protect the AD DS environment if the virtual machine is rolled back in time by the application of a VM snapshot. The VM-GenerationID design uses a hypervisor-vendor independent mechanism to expose this identifier in the address space of the guest virtual machine, so the safe virtualization experience is consistently available of any hypervisor that supports VM-GenerationID. This identifier can be sampled by services and applications running inside the virtual machine to detect if a virtual machine has been rolled back in time.”
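The replication bookkeeping described in the excerpt can be modelled in a few lines. This is an added example, not code from Microsoft or from the original post: the function names and the `gen-A`/`gen-B` values are hypothetical, the data is constructed, and the safety measure modelled is the InvocationID reset that a Windows Server 2012 domain controller performs when it sees a changed VM-GenerationID.

```powershell
# Constructed model of InvocationID/USN bookkeeping; not real AD DS code.
function New-Dc([string]$VmGenId) {
    @{ InvocationId = [guid]::NewGuid().ToString(); Usn = 0; Changes = @()
       VmGenId = $VmGenId; SavedVmGenId = $VmGenId }
}
function Write-Change($Dc, [string]$Data) {
    # Every write is stamped with the DC's InvocationID and its next USN.
    $Dc.Usn++
    $Dc.Changes += [pscustomobject]@{ InvocationId = $Dc.InvocationId; Usn = $Dc.Usn; Data = $Data }
}
function Sync-Partner($Partner, $Source) {
    # The partner accepts only USNs above what it has already seen for that InvocationID.
    $sent = 0
    foreach ($c in $Source.Changes) {
        $seen = if ($Partner.Utd.ContainsKey($c.InvocationId)) { $Partner.Utd[$c.InvocationId] } else { 0 }
        if ($c.Usn -gt $seen) {
            $Partner.Data += $c.Data
            $Partner.Utd[$c.InvocationId] = $c.Usn
            $sent++
        }
    }
    $sent
}
function Restore-Snapshot($Snapshot, [string]$NewVmGenId, [bool]$GenIdAware) {
    $dc = $Snapshot.Clone()
    $dc.VmGenId = $NewVmGenId            # hypervisor exposes a new value after the snapshot is applied
    if ($GenIdAware -and $dc.VmGenId -ne $dc.SavedVmGenId) {
        # Safety measure: a new InvocationID means the reused USNs no longer collide.
        $dc.InvocationId = [guid]::NewGuid().ToString()
        $dc.SavedVmGenId = $dc.VmGenId
    }
    $dc
}
function Test-Rollback([bool]$GenIdAware) {
    $dc = New-Dc 'gen-A'
    $partner = @{ Utd = @{}; Data = @() }
    1..50 | ForEach-Object { Write-Change $dc "obj$_" }
    $snapshot = $dc.Clone()              # snapshot taken at USN 50
    51..100 | ForEach-Object { Write-Change $dc "obj$_" }
    [void](Sync-Partner $partner $dc)    # partner has now seen USN 100
    $dc = Restore-Snapshot $snapshot 'gen-B' $GenIdAware
    1..10 | ForEach-Object { Write-Change $dc "post-restore$_" }   # reuses USNs 51-60
    Sync-Partner $partner $dc            # how many post-restore changes replicate
}
"Without VM-GenerationID check: $(Test-Rollback $false) of 10 changes replicated"
"With VM-GenerationID check:    $(Test-Rollback $true) of 10 changes replicated"
```

Without the check, the ten post-restore writes carry USNs the partner believes it already has, so none replicate; with the check they are stamped with a new InvocationID and all ten replicate.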

A Visual Step by Step: Windows Server 2012, Active Directory 2012, time to build your first forest!

By Robert Meyers

 

Sometimes you just want to see how something is done. Well today, we are going to look at how to build a basic forest. This is for the first domain controller in your lab. Yes, I said lab. You want a lab. Why do you want a lab? It lets us see if anything is going to break, or as close as we can ever get.

Now everyone, let’s work together to make the new IT modus operandi: just say no to “blowing up” your Active Directory.

So, in sixty-seven simple steps… let’s build the lab so we can make that new modus operandi. Just follow the recorded steps.

Recorded Steps

 

 

Step 1: (‎9/‎6/‎2012 7:02:23 AM) User right click on “Server Manager (button)”
 

 

Step 2: (‎9/‎6/‎2012 7:02:25 AM) User right click on “Server Manager (list item)” in “Jump List”
 
Step 3: (‎9/‎6/‎2012 7:02:26 AM) User left click on “Run as administrator (menu item)”
 
Step 4: (‎9/‎6/‎2012 7:02:30 AM) User left click on “Add roles and features (button)” in “Server Manager”
 
Step 5: (‎9/‎6/‎2012 7:02:33 AM) User left click on “_Next > (text)” in “Add Roles and Features Wizard”
 
Step 6: (‎9/‎6/‎2012 7:02:35 AM) User left click on “_Next > (text)” in “Add Roles and Features Wizard”
 
Step 7: (‎9/‎6/‎2012 7:02:37 AM) User left click on “Microsoft Windows Server 2012 Standard Evaluation (text)” in “Add Roles and Features Wizard”
 
Step 8: (‎9/‎6/‎2012 7:02:38 AM) User left click on “_Next > (text)” in “Add Roles and Features Wizard”
 
Step 9: (‎9/‎6/‎2012 7:02:41 AM) User left click on “Active Directory Domain Services (tree view item)” in “Add Roles and Features Wizard”
 
Step 10: (‎9/‎6/‎2012 7:02:44 AM) User left click on “Add Features (text)” in “Add Roles and Features Wizard”
 
Step 11: (‎9/‎6/‎2012 7:02:47 AM) User left click on “_Next > (text)” in “Add Roles and Features Wizard”
 
Step 12: (‎9/‎6/‎2012 7:02:53 AM) User left click in “Add Roles and Features Wizard”
 
Step 13: (‎9/‎6/‎2012 7:02:57 AM) User left click on “_Next > (text)” in “Add Roles and Features Wizard”
 
Step 14: (‎9/‎6/‎2012 7:02:59 AM) User left click on “_Next > (text)” in “Add Roles and Features Wizard”
 
Step 15: (‎9/‎6/‎2012 7:03:02 AM) User left click on “Install (button)” in “Add Roles and Features Wizard”
 
Step 16: (‎9/‎6/‎2012 7:04:04 AM) User left click on “Export configuration settings (text)” in “Add Roles and Features Wizard”
 
Step 17: (‎9/‎6/‎2012 7:04:07 AM) User left click on “Page down (button)” in “Save As”
 
Step 18: (‎9/‎6/‎2012 7:04:08 AM) User left click on “Local Disk (C:) (tree item)” in “Save As”. You should always save a copy of a configuration that you are using.
 
Step 19: (‎9/‎6/‎2012 7:04:11 AM) User left click on “Save (button)” in “Save As”
 
Step 20: (‎9/‎6/‎2012 7:04:20 AM) User left click on “Promote this server to a domain controller (text)” in “Add Roles and Features Wizard”
 
Step 21: (‎9/‎6/‎2012 7:04:24 AM) User left click on “Add a new _forest (text)” in “Active Directory Domain Services Configuration Wizard”
 
Step 22: (‎9/‎6/‎2012 7:04:25 AM) User left click on “_Root domain name: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 23: (‎9/‎6/‎2012 7:04:28 AM) User keyboard input on “Active Directory Domain Services Configuration Wizard (window)” in “Active Directory Domain Services Configuration Wizard” […]
 
Step 24: (‎9/‎6/‎2012 7:04:36 AM) User left click on “_Next > (text)” in “Active Directory Domain Services Configuration Wizard”
 
Step 25: (‎9/‎6/‎2012 7:05:10 AM) User left click on “Passwor_d: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 26: (‎9/‎6/‎2012 7:05:31 AM) User left click on “Passwor_d: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 27: (‎9/‎6/‎2012 7:05:34 AM) User keyboard input on “Active Directory Domain Services Configuration Wizard (window)” in “Active Directory Domain Services Configuration Wizard” [… Shift … Tab …]
 
Step 28: (‎9/‎6/‎2012 7:05:42 AM) User left click on “_Next > (text)” in “Active Directory Domain Services Configuration Wizard”
 
Step 29: (‎9/‎6/‎2012 7:05:52 AM) User left click on “Show more (text)” in “Active Directory Domain Services Configuration Wizard”
 
Step 30: (‎9/‎6/‎2012 7:06:04 AM) User left click on “OK (button)” in “DNS Options”. Since it looks like an informative link, please take a moment and read it.
 
Step 31: (‎9/‎6/‎2012 7:06:06 AM) User left click on “_Next > (text)” in “Active Directory Domain Services Configuration Wizard”
 
Step 32: (‎9/‎6/‎2012 7:06:09 AM) User left click on “The NetBIOS domain name: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 33: (‎9/‎6/‎2012 7:06:21 AM) User left click on “_Next > (text)” in “Active Directory Domain Services Configuration Wizard”
 
Step 34: (‎9/‎6/‎2012 7:06:33 AM) User left click on “_Database folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 35: (‎9/‎6/‎2012 7:06:34 AM) User left click on “_Database folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 36: (‎9/‎6/‎2012 7:06:35 AM) User keyboard input on “Active Directory Domain Services Configuration Wizard (window)” in “Active Directory Domain Services Configuration Wizard” […]
 
Step 37: (‎9/‎6/‎2012 7:06:40 AM) User left click on “_Log files folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 38: (‎9/‎6/‎2012 7:06:41 AM) User left click on “_Log files folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 39: (‎9/‎6/‎2012 7:06:43 AM) User keyboard input on “Active Directory Domain Services Configuration Wizard (window)” in “Active Directory Domain Services Configuration Wizard” […]
 
Step 40: (‎9/‎6/‎2012 7:06:52 AM) User mouse drag start on “_Database folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 41: (‎9/‎6/‎2012 7:06:53 AM) User mouse drag end on “_Database folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 42: (‎9/‎6/‎2012 7:06:53 AM) User left click on “_Database folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 43: (‎9/‎6/‎2012 7:06:54 AM) User mouse drag start on “_Database folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 44: (‎9/‎6/‎2012 7:06:56 AM) User mouse drag end on “_Database folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 45: (‎9/‎6/‎2012 7:06:56 AM) User keyboard input on “Active Directory Domain Services Configuration Wizard (window)” in “Active Directory Domain Services Configuration Wizard” […]
 
Step 46: (‎9/‎6/‎2012 7:07:00 AM) User mouse drag start on “_Log files folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 47: (‎9/‎6/‎2012 7:07:01 AM) User mouse drag end on “_Log files folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 48: (‎9/‎6/‎2012 7:07:01 AM) User left click on “_Log files folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 49: (‎9/‎6/‎2012 7:07:02 AM) User mouse drag start on “_Log files folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 50: (‎9/‎6/‎2012 7:07:05 AM) User mouse drag end on “_Log files folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 51: (‎9/‎6/‎2012 7:07:05 AM) User keyboard input on “Active Directory Domain Services Configuration Wizard (window)” in “Active Directory Domain Services Configuration Wizard” […]
 
Step 52: (‎9/‎6/‎2012 7:07:08 AM) User left click on “S_YSVOL folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 

 

Step 53: (‎9/‎6/‎2012 7:07:09 AM) User left click on “S_YSVOL folder: (edit)” in “Active Directory Domain Services Configuration Wizard”
 
Step 54: (‎9/‎6/‎2012 7:07:11 AM) User keyboard input on “Active Directory Domain Services Configuration Wizard (window)” in “Active Directory Domain Services Configuration Wizard”. I have never liked having important folders hidden among everything else. As such, I like to break out the NTDS locations.
 
Step 55: (‎9/‎6/‎2012 7:07:20 AM) User left click on “Next > (button)” in “Active Directory Domain Services Configuration Wizard”
 
Step 56: (‎9/‎6/‎2012 7:07:24 AM) User left click on “_View script (text)” in “Active Directory Domain Services Configuration Wizard”
 
Step 57: (‎9/‎6/‎2012 7:07:35 AM) User left click on “File (menu item)” in “tmpF8A.tmp – Notepad”
 
Step 58: (‎9/‎6/‎2012 7:07:37 AM) User left click on “Save As… (menu item)”
 
Step 59: (‎9/‎6/‎2012 7:07:41 AM) User keyboard input on “File name: (edit)” in “Save As” […]
 

 

Step 60: (‎9/‎6/‎2012 7:07:54 AM) User left click on “Save (button)” in “Save As”
 
Step 61: (‎9/‎6/‎2012 7:07:57 AM) User left click on “Close (button)” in “ADDS Deployment – Notepad”. Once again, check out the script.
 
Step 62: (‎9/‎6/‎2012 7:08:00 AM) User left click on “_Next > (text)” in “Active Directory Domain Services Configuration Wizard”
 
Step 63: (‎9/‎6/‎2012 7:08:58 AM) User mouse drag start on “_View results (group)” in “Active Directory Domain Services Configuration Wizard”
 
Step 64: (‎9/‎6/‎2012 7:09:02 AM) User mouse drag end on “_View results (group)” in “Active Directory Domain Services Configuration Wizard”
 
Step 65: (‎9/‎6/‎2012 7:09:05 AM) User left click on “_Install (text)” in “Active Directory Domain Services Configuration Wizard”
 
Step 66: (‎9/‎6/‎2012 7:11:17 AM) User left click on “Close (button)” in “You’re about to be signed off”
 
Step 67: (‎9/‎6/‎2012 7:11:19 AM) User left click on “Steps Recorder – Recording Now (button)”. And we are done.
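A scripted equivalent of the recorded wizard run, for rebuilding the lab forest without the clicks. This is an added example, not the script the wizard generated in step 56: the domain name, NetBIOS name and folder paths are placeholders, because the recording does not show what was typed.

```powershell
# Added example; every value below is a placeholder, not taken from the recorded session.
$domainName  = 'lab.example'   # placeholder root domain name (step 23 input is not shown)
$netbiosName = 'LAB'           # placeholder NetBIOS domain name (step 32)
$ntdsRoot    = 'D:\NTDS'       # placeholder: dedicated location for the NTDS folders (steps 34-54)

# Steps 4-15: add the AD DS role together with its management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Steps 25-27: prompt for the DSRM password so it never lands in a saved script.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'

# Steps 21-54: the choices made in the configuration wizard, collected for splatting.
$forest = @{
    DomainName                    = $domainName
    DomainNetbiosName             = $netbiosName
    InstallDns                    = $true
    DatabasePath                  = Join-Path $ntdsRoot 'Database'
    LogPath                       = Join-Path $ntdsRoot 'Logs'
    SysvolPath                    = Join-Path $ntdsRoot 'SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
}

Import-Module ADDSDeployment

# Steps 62-64: run the prerequisite checks and stop if any of them did not succeed.
$check  = Test-ADDSForestInstallation @forest
$failed = @($check | Where-Object { $_.Status -ne 'Success' })
if ($failed.Count -gt 0) {
    $failed | Format-List Message
    throw 'Prerequisite check failed; forest not created.'
}

# Steps 65-66: promote the server; it restarts when the promotion completes.
Install-ADDSForest @forest -Force
```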
 

Technology Spotlight: Windows Server 2012, what does it mean to me?

By Robert Meyers

The release of WS12 is going to have a major impact on all of us who implement and manage Windows environments. There are major changes and we are all going to learn them or go the way of the dinosaur.  As someone who grew up in CP/M, trust me: it can be done.  So what are the big standouts on changes that I am going to have to worry about?

First off we have the interface, and for the first time since Windows NT 4, we have a major interface overhaul.  And I mean a major overhaul.  To me it seems like an amalgamation of Windows 2000, 3.0 (yes, 3.0) and Windows Phone 7.  Does it work?  Yes.  Do I consider the look somewhat hideous?  Yes.  Could I get used to it? You bet.

PowerShell V3 for the win. When you add domain functionality you get a link that lets you output the settings. These are actually an output of a PowerShell script. PowerShell is now everywhere… as it should be. The days of DOS, PowerShell V1, PowerShell V2, Quest PowerShell and VBS being mixed everywhere are done. When servers are 2012, PowerShell V3 rules the roost and renders the others inconsequential. Now, if you are a VBS guy, well, as a CLI guy, I feel for you… but get over it.

While I am going to skip talking about all the incredible new features of 2012, let me just set one expectation: Active Directory Domain Services 2012 is a massive upgrade. Not a minor update like 2008 R2, where you received great functionality with hideous management so people just ignored it. No, you gain everything. Features, functionality and most of all usability; Server 2012 has it all in the new version of Active Directory. Think of all the pain we have all gone through trying to convert from Quest PowerShell to PowerShell V2 AD cmdlets? Well everything you do now is shown with its PowerShell syntax.

I really want to go over the new functionality like the new virtualization safe domain controller cloning or the death of the USN rollback… but let’s not get ahead of ourselves.  Download the OS and install it.  It took me 30 minutes to download, install and configure Active Directory.  How long do you want to wait to lab yours?
