  1. #1
    AWicher's Avatar

    DO NOT SNAPSHOT HYPER-V DC!!!!!!!

    I just wanted to let others know my recent experience with our school DCs and Hyper-V, and hope this will help save someone the horror of almost losing AD.

    I will keep it short, (parts and steps may have been missed)

    We are running on 2 blade servers; each one has a DC, replicating... The problem was when, for one reason or another, we needed to restore a backup. Now anyone who uses VMware, Hyper-V or indeed was at the last educonf will know you can take a snapshot of the server in its current state and then have the option to roll back to a previous state if you have a problem.

    Such a time came, so without hesitation a rollback was done. This is when the problems started.

    Our first problem was we got an error stating netlogon was paused, and replication failed.
    After several minutes of looking at logs... we decided on another rollback (still unaware this was the problem), which still did not fix the netlogon issue.

    We decided to isolate, demote and remove our backup DC then rebuild it. Having done so we rebooted both servers only to find on our DC had no users, workstations. Both of us (network manager n' me) in order then then

    At this point we found a few posts from other forums (yes, a shock to me that others are out there, but Edugeek FTW) saying that having a V-DC and using snapshots, rollbacks... would cause issues like the one we were having.

    As we did not have a "Normal" backup of our DC, another rollback was done on both to times that were only a few minutes apart from each other, in the mindset of, well, it can't get much worse than losing one's AD.

    Thankfully, this worked. We were still in the same spot of not having a working netlogon and replication, but all the users... were back.

    More digging and we found a simple command to fix the connection for replication.

    repadmin /options -DISABLE_INBOUND_REPL
    and
    repadmin /options -DISABLE_OUTBOUND_REPL

    Both restored the connection and forced the netlogon service to run, so users were back and they could log on.

    Now we are still having issues with the server and NM is in the process of working out if a rebuild of the DC or some other option is out there, but what I want to tell you is definitely go for some sort of V-DC just to read this **LINK** before you attempt it.


    I hope I have helped someone by sending out this warning, that or everyone already knows the problem and it was an oversight on our part.


  3. #2
    DMcCoy's Avatar
    Be careful with snapshots for backups too. Certainly for VMware, keeping a snapshot for anything other than a short time is a bad idea due to the massive redo disks that can be generated, which can then take a very long time or fail to merge.

    At minimum you want to do a system state backup of DCs even when using other imaging products for backup.

    As you have found, you never want to snapshot DCs if there are multiple; with a single one you can just about get away with it.


  5. #3

    ZeroHour's Avatar
    Thanks for the info, I knew about the general snapshot limitations with DCs but the info about export etc is v useful.

    Cheers

  6. #4
    azrael78's Avatar

    Thanks for this - while we don't have any V-DC's yet, it's only a case of time before management decides to cut back on our server farm and request we virtualise even more... great idea, nice technology - but on some things, virtualising adds a few nice things (like snapshotting), great for workstations but I'm all for taking a full backup of a server and not using snapshot technology.

    However I will be sure to keep this article in mind when the day of V-DCs and someone's 'playing around with said DCs' happens...

    Az

  7. #5

    srochford
    Microsoft have always said that you should never image a domain controller as a backup means. In the past, I'd guess it wasn't easy to do this (would have had to boot into WinPE or whatever to run Ghost etc) but snapshotting makes it much easier so this is a timely reminder that you mustn't ever try and use a snapshot/image type backup.

    I'd guess the only exception might be if you've had a total disaster and lost everything - bringing back one image could work. (It's also OK if you've only got one DC but no-one runs a real network like that :-))

  8. #6

    Microsoft have always said
    Yes they have but not very loudly... this precise topic has cropped up a couple of times on here to my knowledge.. suspect searching for USN will find them, but it's *definitely* worth repeating as it's clearly not widely understood and more and more folk will be getting involved with VMs.

    I reckon (YMMV) the safe way to do DC snapshots is to shut down all your DCs and then snapshot them - and if you do want to roll back and it's within the tombstone period, shut them down again and revert them all back to that set of snapshots, then of course start them up. Not sure how useful it is, but it's the kind of thing I might consider doing immediately before a round of serious upgrading.


    The other issue with snapshots is of course performance - can't comment on how much it hurts but I've been assured by a serious expert that it does (and the hit obviously increases with the number of snapshots).
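
Added example, not part of any post in this thread: a deliberately simplified Python model of why reverting one DC from a hypervisor snapshot leaves replication silently broken, and why a system state restore (which gives the database a new identity) does not. The `DC` class, its fields and the object names are constructed for illustration; real AD tracks far more state.

```python
import copy
import uuid

class DC:
    """Toy domain controller holding only the state replication bookkeeping needs."""
    def __init__(self):
        self.invocation_id = uuid.uuid4().hex  # identity of this database instance
        self.usn = 0       # local update sequence number
        self.objects = {}  # name -> (originating invocation id, originating USN)
        self.utd = {}      # other invocation ids -> highest originating USN seen

    def vector(self):
        return {**self.utd, self.invocation_id: self.usn}

    def create(self, name):
        self.usn += 1
        self.objects[name] = (self.invocation_id, self.usn)

    def pull_from(self, partner):
        have = self.vector()
        for name, (inv, usn) in partner.objects.items():
            if usn > have.get(inv, 0):  # only take changes newer than what we believe we hold
                self.objects[name] = (inv, usn)
        for inv, usn in partner.vector().items():
            if inv != self.invocation_id:
                self.utd[inv] = max(self.utd.get(inv, 0), usn)

    def revert(self, snap, supported_restore=False):
        self.__dict__.update(copy.deepcopy(snap))
        if supported_restore:  # system state restore: retire the old identity, take a new one
            self.utd[self.invocation_id] = self.usn
            self.invocation_id = uuid.uuid4().hex

def scenario(supported_restore):
    dc1, dc2 = DC(), DC()
    dc1.create("alice")
    dc2.pull_from(dc1)
    snap = copy.deepcopy(vars(dc1))      # hypervisor snapshot of DC1 at USN 1
    dc1.create("carol")
    dc2.pull_from(dc1)                   # DC2 has now seen DC1 up to USN 2
    dc1.revert(snap, supported_restore)  # DC1 is back at USN 1
    dc1.create("dave")                   # reuses USN 2 unless the identity changed
    dc2.pull_from(dc1)
    dc1.pull_from(dc2)
    return sorted(dc1.objects), sorted(dc2.objects)

if __name__ == "__main__":
    print("snapshot revert:  ", scenario(False))
    print("supported restore:", scenario(True))
```

After the plain snapshot revert the two DCs end up with different object sets and neither side reports an error, because each believes it already holds the other's changes up to that USN.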

  9. #7
    cookie_monster's Avatar
    Couple of handy links here.

    Deployment Considerations for Virtualized Domain Controllers

    Virtualized Domain Controllers and Replication Issues
    http://technet.microsoft.com/fr-fr/l...79(WS.10).aspx

    How to detect and recover from a USN rollback in Windows Server 2003

    It's also worth remembering tombstone lifetime issues if restoring an old image or snapshot. As DMcCoy said a good system state backup is essential.
    Last edited by cookie_monster; 18th August 2009 at 08:43 PM.

  10. #8

    dhicks's Avatar
    Quote Originally Posted by srochford View Post
    It's also OK if you've only got one DC but no-one runs a real network like that :-))
    Why not? Is there some performance issue with domain controllers? Surely all they're doing is checking whether a given username and password combination matches okay? Is there a rough limit to the number of clients you should have per DC?

    --
    David Hicks

  11. #9

    powdarrmonkey's Avatar
    Quote Originally Posted by dhicks View Post
    Why not? Is there some performance issue with domain controllers? Surely all they're doing is checking whether a given username and password combination matches okay? Is there a rough limit to the number of clients you should have per DC?
    Performance is a consideration, but usually:

    - maintain continuous service by failing over gracefully
    - protect you by sharing out the Master roles and keeping replicated copies
    - localise DCs to subnets to reduce backbone traffic, make DFS lookups sensible, etc


  13. #10

    SYNACK's Avatar
    Quote Originally Posted by dhicks View Post
    Why not? Is there some performance issue with domain controllers? Surely all they're doing is checking whether a given username and password combination matches okay? Is there a rough limit to the number of clients you should have per DC?

    --
    David Hicks
    It's not so much the performance that is the concern rather than the lack of duplication; having two means you have two integrated DNS servers and two copies of the database along with the ability to split the roles. In this way if something major happens to one of your DCs you can seize the roles to the other, keep all of your user accounts and computer accounts that are still completely up to date.

    You can restore snapshots and system state backups but that means more downtime and also many more possibilities for issues with users who have changed their passwords or been added since the last backup. Worse if some of the stations have automatically refreshed their machine passwords in the background during that time, kicking them unglamorously off the network (modern Windows OSs do this with some regularity in the background to increase security).

    AD itself, although being a database, is in fact comparatively light; it is the concern of consistency and up-to-the-minute data preservation that is a factor in many smaller environments.


  15. #11


    Just like to add

    Hi,

    I just would like to add that you should never take a snapshot then try to increase the vhd. This breaks the snapshot.

    Lucky for me I had a back up and could restore the VM.

    I must have been working without having a cup of tea that day as I thought I had merged the snapshot.

  16. #12
    apaton's Avatar
    The guys over at Veeam have a white paper about VSS backups for ESX based MS Windows environments, importantly they cover the issues of consistent restores for AD.

  17. #13
    cookie_monster's Avatar
    Originally Posted by srochford
    It's also OK if you've only got one DC but no-one runs a real network like that :-))
    I would say that no one would run a large network like that; I'm certain there are many thousands (possibly millions) of Windows SBS single server setups out there.

  18. #14

    SYNACK's Avatar
    Quote Originally Posted by cookie_monster View Post
    I would say that no one would run a large network like that; I'm certain there are many thousands (possibly millions) of Windows SBS single server setups out there.
    To be fair SBS networks are not real networks, each one is a conveniently disguised gateway to hell through which limitless evil flows.

  19. #15
    cookie_monster's Avatar
    I take it you're not an SBS fan then? (the server software I mean not the crazy boat people)
