Domain controller snapshots

This has come up twice in the last few months – and amazed me each time…. I just always thought it was common knowledge that taking a snapshot of a DC is just something you don't do…. but apparently not.

So – in order to point out that it's not just me – here's a couple of links!

http://support.microsoft.com/kb/888794

http://www.windowsitpro.com/blog/virtualization-pro-tips-blog-35/virtualization2/never-snapshot-a-domain-controller–heres-why-137306

http://www.sole.dk/post/how-to-configure-your-virtual-domain-controllers-and-avoid-simple-mistakes-with-resulting-big-problems/?p=387

http://blogs.msdn.com/b/virtual_pc_guy/archive/2008/11/24/the-domain-controller-dilemma.aspx

http://blogs.virtualizationadmin.com/lowe/2011/03/15/dont-snapshot-domain-controllers/

http://blogs.technet.com/b/vikasma/archive/2008/07/24/hyper-v-best-practices-quick-tips-2.aspx

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006764

If you're wondering why all these people are saying don't do it… well, you probably need to brush up on your AD understanding a little. It's to do with USNs and computer password expiry in particular, and some of the above articles can assist with that understanding.
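The USN side of the problem, as a toy simulation (an added example, not from the original post or from Microsoft). The `DC` class and the function names are made up for illustration, and the model tracks only originating writes and one watermark per invocation ID; it compares a snapshot revert with a supported restore, which gives the restored database a new invocation ID.

```python
# Simplified, constructed model of AD replication bookkeeping (not real AD code).
import uuid
from copy import deepcopy

class DC:
    def __init__(self, name):
        self.name = name
        self.invocation_id = uuid.uuid4().hex  # identity of this database instance
        self.usn = 0                           # local update sequence number counter
        self.changes = []                      # originating writes: (invocation_id, usn, obj)
        self.objects = set()                   # objects this DC knows about
        self.utd = {}                          # invocation_id -> highest USN already seen

    def write(self, obj):
        self.usn += 1
        self.changes.append((self.invocation_id, self.usn, obj))
        self.objects.add(obj)

    def pull_from(self, src):
        """Take only changes above our watermark for the source's invocation ID."""
        for inv, usn, obj in src.changes:
            if usn > self.utd.get(inv, 0):
                self.objects.add(obj)
                self.utd[inv] = usn

def snapshot_revert(dc, snap):
    """Hypervisor revert: database, USN counter and invocation ID all roll back."""
    dc.__dict__.update(deepcopy(snap.__dict__))

def supported_restore(dc, snap):
    """Supported restore: same old data, but a new invocation ID is assigned."""
    snapshot_revert(dc, snap)
    dc.invocation_id = uuid.uuid4().hex

def run(restore):
    """Return True if a write made on DC1 after the restore reaches DC2."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    for i in range(3):
        dc1.write(f"user{i}")
    snap = deepcopy(dc1)          # snapshot taken at USN 3
    for i in range(3, 6):
        dc1.write(f"user{i}")
    dc2.pull_from(dc1)            # DC2 has now seen DC1 up to USN 6
    restore(dc1, snap)            # DC1 is back at USN 3
    dc1.write("new-admin")        # issued as USN 4, which DC2 thinks it already has
    dc2.pull_from(dc1)
    return "new-admin" in dc2.objects

if __name__ == "__main__":
    print("snapshot revert replicates new write:", run(snapshot_revert))
    print("supported restore replicates new write:", run(supported_restore))
```

After the snapshot revert, DC2 silently skips the new object because its watermark for DC1 is already past the reused USN, so the two DCs diverge without any replication error.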

Anyhoo – what I wanted to address was the reasons I hear for using a snapshot:

Q1) What if AD becomes corrupt?

A1) If a specific DC database becomes corrupt, then the result is that the directory services will not be able to start. I have never had, heard of, nor been able to find on Google an instance of a corrupt AD database replicating to other DCs. So demote the corrupt DC and then repromote it… ta-da! A DC that now isn't corrupt. No need for a snapshot there.

Q2) But I only have 1 DC!?

A2) If you're using virtualisation, it's a fair bet that you're of a reasonable size – hence why you have virtualisation in the first place. Therefore, why the fuck would you only have one DC? You’d have to be insanely stupid… “give all our possessions away because some religious nutcase said the world is going to end” level stupid…

Q3) What if our site burns down?

A3) Well, firstly, is your primary concern going to be your AD? Anyhoo…. for those with a hot/live/active (choose your favourite term) DR site, the obvious answer is to place a DC at your DR site. If you do not have a DR site, or it is a cold DR site, then your best bet is system state backups. Why? Simply because using system state to perform a directory restore is a supported method of restoring your AD – a snapshot is not. So if you do get into trouble, you can call on us or MS or whoever and know that you can get your AD back.

Q4) I'm going to snapshot all 3 (or 7 or whatever) of my DCs!

A4) That sounds useful….. 3 copies of the same information!

 

In short – as per all the other articles…. no, do not snapshot your DCs – no, it's not useful in any way, shape or form.