Cases where VM-GenerationID doesn’t help make Active Directory virtualization-safe, Part 2


Yesterday, I talked about the new Active Directory virtualization safeguards in Windows Server 2012 (and beyond) and how Joe Richards triggered me to think about cases where the Active Directory virtualization safeguards (powered by the new VM-GenerationID) don’t help make Active Directory virtualization-safe(r).

In the first post, I talked about how the Active Directory virtualization safeguards are implemented at the hypervisor layer and showed you how changes in the storage layer (without changing anything at the hypervisor layer) could still mess up Active Directory through virtualization (exactly like it did in the non-virtual age).

In this second post, I’ll look into the small print of the Active Directory Virtualization Safeguards. As stated in my introduction blog post to Virtualization-Safe Active Directory, the following requirements apply:

  • The virtualization platform used to run virtual Domain Controllers needs to support the VM-GenerationID feature.
  • Virtual Domain Controllers need to run Windows Server 2012.


Well…

Actually, there’s one more requirement.

The VM-GenerationID is only observed by a virtual Domain Controller when the Integration Components (ICs), VMware Tools or XenTools are installed. Without this enlightenment, the virtual Domain Controller cannot get the VM-GenerationID into its memory and, thus, cannot detect a change in the VM-GenerationID. Out-of-date Integration Components might also be unable to place the VM-GenerationID value in memory.

Suddenly, there is a whole range of cases where the Active Directory virtualization safeguards don’t apply, because the enlightenment is missing or out of date:

  • When you convert a physical Windows Server 2012-based Domain Controller to a virtual Domain Controller (P2V’ing it) on a VM-GenerationID-capable hypervisor. (the enlightenment will only be installed at first virtual boot and only apply after the first reboot)

Tip!
You can install the Hyper-V Integration Components when a Hyper-V based virtual machine is not running with this great tip from Ben Armstrong.

  • When you migrate a virtual Windows Server 2012-based Domain Controller from a non-VM-GenerationID-capable hypervisor to a VM-GenerationID-capable hypervisor, without updating the enlightenment (for instance, when you migrate or upgrade XenServer 6.1 to XenServer 6.2)
  • When you run virtual Windows Server 2012-based Domain Controllers without enlightenment.


Concluding

Be sure to check the enlightenment on your virtual Windows Server 2012-based Domain Controllers to make sure they are protected by the virtualization safeguards.
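As an added example (not from the original post), a Windows PowerShell check that implements the advice above: it asks each Domain Controller for its own msDS-GenerationId value, which a virtual DC only populates when the enlightenment delivers a VM-GenerationID, and flags virtual DCs where that value is absent. Assumed, not from the post: the RSAT ActiveDirectory module, WinRM/CIM access to each DC, and the Hyper-V heartbeat service name vmicheartbeat as the indicator that Integration Components are present.

```powershell
# Added example, not the post author's code. Requires Windows PowerShell 5.1
# (Get-Service -ComputerName) and the RSAT ActiveDirectory module (assumptions).
Import-Module ActiveDirectory

function Get-DcGenerationIdStatus {
    [CmdletBinding()]
    param()
    foreach ($dc in Get-ADDomainController -Filter *) {
        $fqdn = $dc.HostName
        # Ask the DC itself rather than a replica (assumption: the value is kept
        # on the DC's own computer object), so we see what this DC has in memory.
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $fqdn `
                                   -Properties 'msDS-GenerationId'
        $genId = $computer.'msDS-GenerationId'          # byte[] or $null
        $hasGenId = ($null -ne $genId) -and ($genId.Length -gt 0)

        # Hardware identity reported by the guest; used only as a heuristic for
        # "is this a virtual machine" (constructed pattern, adjust for your hypervisors).
        $sys = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $fqdn
        $looksVirtual = $sys.Model -match 'Virtual|VMware|HVM|Xen'

        # Hyper-V Integration Components register the heartbeat service in the guest.
        $icSvc = Get-Service -Name vmicheartbeat -ComputerName $fqdn -ErrorAction SilentlyContinue

        $verdict = if (-not $looksVirtual) {
            'physical: virtualization safeguards do not apply'
        } elseif ($hasGenId) {
            'protected: VM-GenerationID observed by this DC'
        } else {
            'UNPROTECTED: virtual DC without VM-GenerationID (missing or outdated enlightenment)'
        }

        [pscustomobject]@{
            DomainController = $fqdn
            Manufacturer     = $sys.Manufacturer
            Model            = $sys.Model
            LooksVirtual     = $looksVirtual
            HasGenerationId  = $hasGenId
            GenerationIdHex  = if ($hasGenId) { ($genId | ForEach-Object { $_.ToString('x2') }) -join '' } else { $null }
            HyperVHeartbeat  = if ($icSvc) { $icSvc.Status } else { 'not present' }
            Verdict          = $verdict
        }
    }
}

# Usage: list every DC with its verdict, unprotected ones first.
Get-DcGenerationIdStatus | Sort-Object HasGenerationId | Format-Table -AutoSize
```

A DC that reports LooksVirtual but no GenerationIdHex is exactly the P2V, hypervisor-migration or no-enlightenment case listed above, even on a VM-GenerationID-capable hypervisor.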

Related blogposts

List of Hypervisors supporting VM-GenerationID
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory

Further reading

Windows Server 2012 AD VM-Generation ID functionality is not…
Introduction to Active Directory Domain Services (AD DS) Virtualization
How to install integration services when the virtual machine is not running
Considerations for virtualizing all Active Directory domain controllers
TechNet Wiki – Windows Server 2012 : Virtualization Safeguards
Virtualization Updates to Active Directory 2012
Cloning Virtual Domain Controllers in Windows Server 2012
Steps to create a Clone of Domain Controller in Windows 2012
