The msDS-GenerationId and the virtual device.
In a multi-master database system such as Active Directory, it is paramount for the Domain Controllers to maintain a consistent state of the replicated AD database.
To achieve this, each Domain Controller maintains its own Update Sequence Number (USN) counter. The USN counters are used to detect, and replicate, updated data between writable Domain Controllers (DCs). It is extremely critical that a USN counter only ever increases in value and is never reduced. Normally, Active Directory maintains this itself by automatically incrementing the USN counter for each database write or modification.

Unfortunately, in the early Windows 2000, 2003, and 2008 versions of Active Directory, an incorrectly restored backup or any kind of hypervisor-based snapshot restoration left the DC, without its own knowledge, suddenly possessing a reduced USN. This was the dreaded “USN Rollback” state.

When the partner Domain Controllers detected a DC being snapshot-restored, they immediately disconnected the DC from the replication partnership. The faulted DC was forced to disable both incoming and outgoing replication, then wait to be decommissioned.
Due to the increased popularity of virtualized Domain Controllers and the number of faulted DCs as a result of snapshot restores, Microsoft added the “VM GenerationID” feature to Windows Server 2012.
Previously, without the new feature, a Domain Controller being snapshot-restored had no way to realize this event had taken place – until being forcefully removed from the replication partnership by the neighboring DCs.

The VM GenerationID looks to the guest Domain Controller like a small device on the system motherboard, just like any other component of a typical server motherboard. However, unlike most other virtualized hardware exposed to guest operating systems, there will never exist a physical VM GenerationID device on any physical server. The VM GenerationID component is a virtualization-only device.

(From Device Manager, with “Show hidden devices” enabled, on a virtual machine. Note that the virtual device is called “Microsoft Hyper-V Generation Counter” regardless of whether Hyper-V, VMware vSphere, or another hypervisor vendor is being used.)
The VM GenerationID acts as a hidden link between the “real world”, i.e., the hypervisor layer (e.g., Hyper-V or VMware ESXi) and the virtualized guest Domain Controller.
The device’s only purpose is to be able to transmit a signal to the guest Domain Controller that a snapshot restore has occurred.

Initially, the hypervisor will generate a large number (128 bits) called the VM GenerationID. On a VMware virtual machine configuration file, *.vmx, this entry will be called vm-genid. Hopefully, the DC will never encounter a snapshot-restore and this number will never need to be changed.
This initial number will be “written” to the single-purpose virtual hardware device attached to the VM. When the guest Domain Controller boots the first time, it will investigate the mystical device connected to the virtual motherboard and read the presented number.

At the first boot, event-id 2173 will be present in the EventViewer. The “failed” information is not an issue on the first reboot after promoting the machine to a Domain Controller. Instead, this is an expected behavior.

Event-id 2179 will inform that the number was acquired from the “hardware” device and written to the Active Directory msDS-GenerationID attribute.

The Domain Controller writes the number to the msDS-GenerationId attribute of its own Domain Controller object, inside the guest DC. This is a non-replicated attribute, stored locally on each DC only.

(Note: because the attribute is not replicated, an administrator must connect the ADUC tool to the DC in scope to read its value.)

The msDS-GenerationId attribute stores the hypervisor's number as little-endian bytes, displayed in hexadecimal. The numerical value is identical to the value present in the VMware vmx configuration file.
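The decoding and the comparison described above, as an added example that is not part of the original post and not Microsoft's implementation: it converts the 16 little-endian bytes of msDS-GenerationId to the 128-bit number and back, and models the boot-time check in which a stored value that no longer matches the device means a snapshot restore occurred. The attribute bytes are a constructed sample.

```python
"""Decode msDS-GenerationId and model the DC's boot-time generation check."""
from typing import Optional

# Constructed sample: 16 raw bytes as LDAP returns msDS-GenerationId (little-endian).
SAMPLE_ATTRIBUTE = bytes.fromhex("efcdab8967452301f0debc9a78563412")


def genid_from_bytes(raw: bytes) -> int:
    """Interpret the 16-byte little-endian attribute as a 128-bit unsigned integer."""
    if len(raw) != 16:
        raise ValueError(f"msDS-GenerationId must be 16 bytes, got {len(raw)}")
    return int.from_bytes(raw, "little")


def genid_to_bytes(value: int) -> bytes:
    """Inverse: encode a 128-bit VM GenerationID the way the attribute stores it."""
    if not 0 <= value < (1 << 128):
        raise ValueError("VM GenerationID is a 128-bit value")
    return value.to_bytes(16, "little")


def check_generation(stored: Optional[bytes], device_value: int) -> str:
    """Simplified model of what the DC does at boot (hypothetical helper, not the
    real code): no stored attribute yet means first boot after promotion, the
    value is recorded (event 2179 in the post); a stored value equal to the
    device's value is normal; a mismatch means the hypervisor changed the ID,
    i.e. the VM was restored from a snapshot."""
    if stored is None:
        return "initialized"
    if genid_from_bytes(stored) == device_value:
        return "unchanged"
    return "restore-detected"


if __name__ == "__main__":
    current = genid_from_bytes(SAMPLE_ATTRIBUTE)
    print(f"stored msDS-GenerationId = 0x{current:032x}")
    print("no attribute yet     :", check_generation(None, current))
    print("device unchanged     :", check_generation(SAMPLE_ATTRIBUTE, current))
    print("device value changed :", check_generation(SAMPLE_ATTRIBUTE, current ^ 1))
```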
Summary of part 1:
- The VM-GenerationID is a virtual device presented from the hypervisor into the virtualized DC.
- Through the VM-GenerationID device, a numerical value can be signaled from the hypervisor into the Domain Controller.
- The DC will read the value from the “hardware” device on the motherboard and store the current value as an LDAP attribute on its own DC object.
In part 2 of the series, the various types of snapshot operations will be described.