Array Performance and Data Protection

Domain Controller snapshot

 
SOLVED
jason_485
Occasional Contributor

Domain Controller snapshot

Should Windows domain controllers not be snapshotted with Nimble? I am reading conflicting information.

I'm not trying to restore a DC from a Nimble snapshot; it's just that I don't have any volumes that don't replicate at this point. I'd rather not have to recreate all volumes to make room for a new one.

I'm just concerned about damaging AD.

Thanks

5 REPLIES
jzygmunt70
Valued Contributor

Re: Domain Controller snapshot

I can't imagine a scenario where snapshotting itself would cause a problem with a DC. The problem is that the whole idea of snapshotting is to use that snapshot for something. In using the snapshot, considerations would include the version of Windows and the intended use of the snapshot. If you ever intend to use the replica/snapshot in your production environment (except for some very specific DR cases), you will very likely run into a USN rollback issue, effectively making your DC somewhat worthless. The exception here is Windows 2012, which now includes safeguards (see https://technet.microsoft.com/en-us/library/hh831734.aspx#virtualized_dc_cloning).

I suppose I could imagine two scenarios with a Windows 2008 DC where utilizing a snapshot would be okay. 1) Bringing up the snapshotted DC in an isolated sandbox for testing or development purposes would likely be okay as long as it was absolutely certain that communication would never be established with the original production DCs. Even that scenario would still require considerations for things like the FSMO roles (making sure you bring up a snapshot of the FSMO role holder or seize the roles) and 2) A DR scenario (say replication to another site or perhaps a rather thorough destruction of data from a virus or maliciousness) where all DCs have been lost. In this case bringing up only one snapshotted DC might be expedient, again with the same considerations for things like FSMO roles.

jleonardini58
Advisor

Re: Domain Controller snapshot

Have to agree with Jonathan. A recovered AD snapshot will be out of sync with the rest of the environment so no one in the domain would use it again. Snapshotting it in crash-consistent fashion would not hurt it at all; snapshotting a DC virtual machine with vCenter synchronization should not hurt it either. Problem is that a recovered clone or snapshot would not be usable by a running domain as it is out of sync. Theoretical uses like test/dev might make sense; an AD recovery after a widespread corruption killed ALL of the DCs in the environment is definitely doable (I've done it) from an AD VM, but it's a pretty narrow use case. Then again, snapshot functionality is included in your Nimble so no good reason not to do it... just don't think that those snapshots are a complete protection story in this case.

This isn't a Nimble exclusive issue - I do not know of any technology that can recover a DC from a snapshot then put it back in a running AD in a fully functional mode.

I preach deploying N+1 minimum DCs, and relying on the built in tools and application level replication between the DCs as the best way to protect the active domain. No matter what storage platform you are using, I would consider that a best practice.

jason_485
Occasional Contributor

Re: Domain Controller snapshot

As my OP post states:

"I'm not trying to restore a DC from a Nimble snapshot; it's just that I don't have any volumes that don't replicate at this point."

I have plenty of DCs in my network and already use other means to back up the AD database. My issue is that all of my volumes are already created and set for replication on the Nimble. This means that any VM, including my DCs, that sits on a Nimble volume will be snapshotted. I am unable to svMotion and resize volumes at this point as I would need to re-replicate all the VMs that are svMotioned around. (Side note: I wish Nimble would be smart enough to know that the same VM is on the other side and not have to re-replicate the entire VM after a svMotion.)

A number of articles that I can post later have made note that using either VMware or MS VSS to snapshot a DC is dangerous by itself. I am not talking about restoring a DC from a snapshot, just invoking the snapshot itself.

So I guess the better question is: how safe is the action itself of snapshotting a DC? If you have to snapshot a DC, is it safer to use MS VSS or VMware VSS?

jzygmunt70
Valued Contributor
Solution

Re: Domain Controller snapshot

VMware Tools simply call the Microsoft VSS providers. Perhaps you're talking about the VMware SYNC driver, which I believe you can still force the use of if you really want to (though my memory is a bit hazy on the SYNC driver). To my recollection, even good old NTBackup used Microsoft VSS backup to back up Active Directory, so I figure if it was safe enough for Microsoft, it's safe enough for me.

jleonardini58
Advisor

Re: Domain Controller snapshot

Once again, +1 Jonathan. No VSS available on Nimble for DCs, only for SQL and Exchange. So the only option for sync would be vCenter synced, which calls the VSS provider in VMTools that are hopefully installed. I personally have not had an issue with this methodology with AD, but my lab is small and AD is a minor part of it - I'm more an OpenDirectory guy at this point. If others have, I will defer to their experience.

Not to change subject but - this sounds a bit like the best practice for vCenter - which definitely is DO NOT USE vCenter synced snapshots on the datastore that holds the vCenter. That will break the vCenter sooner or later and probably sooner. Best practice is to set up a datastore with no synchronization and run the vCenter on that guy. If you have that datastore set up, vMotion those AD machines to that crash-consistent (no sync) datastore and relax.