Saturday, May 12, 2012

[Windows 8 Server] Virtualized Domain Controller Part 2 (Safe Snapshot Restore)

Here's the second part of the series on the new Virtualized Domain Controller capabilities.
Today we'll look at Safe Snapshot Restore.

You can find more information in the Virtualized Domain Controller TLG and the Virtualized Domain Controller UTG.
My lab is composed of 1 hypervisor and 2 VMs, all running Windows 8 Server Beta (a prerequisite for Virtualized Domain Controller).


First, here's the UTG's explanation of restoring a snapshot of a domain controller and the problems it causes.

Virtualization creates unique challenges to distributed multi-master workloads that depend upon logical clock-based replication schemes. AD DS replication uses an increasing transaction value assigned to transactions on each domain controller, known as an Update Sequence Number. If a domain controller "rolls back" time during application of a snapshot, a USN may be reused for an entirely different transaction; replication cannot converge since other domain controllers believe they already received the update.

Virtualization technology such as Hyper-V includes snapshot abilities, where you create an image of a domain controller at a point in time. Restoring the snapshot discards all changes made since that checkpoint and in previous operating systems, forces the domain controller to quarantine itself with a process called USN rollback protection. Once USN rollback protection is in place, a domain controller no longer replicates again and must be either forcibly demoted or manually restored non-authoritatively. In cases where the domain controller has originated changes since the snapshot was taken, it also leads to lingering objects.

Windows Server "8" Beta now detects rollbacks and non-authoritatively synchronizes the delta of changes between a domain controller and its partners for AD DS and SYSVOL. You can now use snapshots without risk of permanently crippling domain controllers and requiring manually forced demotion, metadata cleanup, and re-promotion. While this does not prevent other issues with snapshots - such as inconsistent databases for other technologies and applications - it does make domain controller virtualization safer.
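The convergence failure and the safe restore described in the UTG text can be reproduced with a toy replication model. This is an added example, not code from the UTG or from Windows: the `DC` class, the `scenario` function and the object names are hypothetical, and the model assumes that a safely restored DC takes a new invocation ID before pulling the delta from its partner, a detail the quoted text does not spell out.

```python
import copy
import uuid


class DC:
    """Toy domain controller: changes are tracked by (originating invocation ID, USN)."""

    def __init__(self, name):
        self.name = name
        self.invocation_id = uuid.uuid4().hex[:8]
        self.usn = 0          # local Update Sequence Number counter
        self.changes = []     # (originator, usn, key, value) known to this DC
        self.seen = {}        # originator -> highest USN already applied

    def write(self, key, value):
        """Originate a change locally under the next USN."""
        self.usn += 1
        self.changes.append((self.invocation_id, self.usn, key, value))
        self.seen[self.invocation_id] = self.usn

    def pull_from(self, partner):
        """Apply only changes whose USN is above what we already saw from that originator."""
        for orig, usn, key, value in sorted(partner.changes, key=lambda c: c[1]):
            if usn > self.seen.get(orig, 0):
                self.changes.append((orig, usn, key, value))
                self.seen[orig] = usn

    def view(self):
        # Constructed scenario uses distinct keys, so no conflict resolution is modelled.
        return {key: value for _, _, key, value in self.changes}


def scenario(safe):
    """Snapshot DC2, originate a change, restore DC2, originate another change."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    dc2.write("user-a", 1); dc1.pull_from(dc2)
    snapshot = copy.deepcopy(dc2)                  # snapshot taken at USN 1
    dc2.write("gpo-test", 1); dc1.pull_from(dc2)   # USN 2 originated and replicated
    dc2 = copy.deepcopy(snapshot)                  # restore: USN counter is back at 1
    if safe:
        dc2.invocation_id = uuid.uuid4().hex[:8]   # assumption: new identity after rollback
        dc2.pull_from(dc1)                         # non-authoritative sync of the delta
    dc2.write("user-b", 1)                         # unsafe case: reuses USN 2 under the old ID
    dc1.pull_from(dc2); dc2.pull_from(dc1)
    return dc1.view(), dc2.view()


if __name__ == "__main__":
    for safe in (False, True):
        v1, v2 = scenario(safe)
        print("safe restore" if safe else "plain rollback", "-> converged:", v1 == v2)
```

In the plain rollback run, DC1 keeps `gpo-test` as a lingering object and never accepts `user-b`, because it already recorded USN 2 from DC2's invocation ID.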



So, first we take a snapshot of the second DC.




After that, I create a new GPO and force replication between the 2 DCs.






Now I restore the snapshot.



The logs on the restored DC show what happened.







After the restore, everything is OK. Dcdiag and repadmin don't show any errors.

Of course, it can't be used as a backup of Active Directory, but it will surely be useful when something is wrong with the DC, or to avoid problems caused by a snapshot restored by mistake.
