
ADDSDeployment module with the -Whatif argument shows incorrect DNS results


Microsoft released a KnowledgeBase article titled “ADDSDeployment module with the -Whatif argument shows incorrect DNS results”.

This KnowledgeBase article describes unexpected behavior in the PowerShell Cmdlets within the ADDSDeployment PowerShell module when you use the -WhatIf argument without specifying the -installdns argument.

  

The situation

When you use one of the PowerShell Cmdlets from the Windows PowerShell ADDSDeployment module (notably Install-AddsForest, Install-AddsDomain or Install-AddsDomainController) with the -WhatIf argument, incorrect results are displayed in the output for the Domain Name System (DNS) server.

For example, when you use the following PowerShell line:

PS C:\> Install-ADDSForest -WhatIf -DomainName corp.domain.tld
SafeModeAdministratorPassword: Secr3ts4All

The output would look like:

What if: Create a new Active Directory forest with the name 'corp.domain.tld'. Configure this server as the first Active Directory domain controller in a new forest. The new domain name is "corp.domain.tld". This is also the name of the new forest.

The NetBIOS name of the domain: Automatically calculated
Forest Functional Level: Default
Domain Functional Level: Automatically calculated
Additional Options:
  Global catalog: Yes
  DNS Server: No
  Database folder: C:\Windows\NTDS
  Log file folder: C:\Windows\NTDS
  SYSVOL folder: C:\Windows\SYSVOL

The password of the new domain Administrator will be the same as the password of the local Administrator of this computer.

Notice in this output that the entry for DNS Server is No. Despite this output, the DNS server is installed and configured as expected when the forest is created.

  

What really happens

The promotion process decides automatically whether to install a DNS server if you do not specify the -installdns:$true or -installdns:$false argument. However, the -WhatIf output does not reflect that decision when you don’t specify the -installdns argument. The output is correct only when the -installdns argument is explicitly specified.

Despite the output when the -installdns argument is not specified, the following actions regarding installing DNS Servers are true:

  • For a new forest, DNS server is always configured.
  • For a new domain or for an additional domain controller in an existing domain, the DNS server is configured if the domain or parent domain Start of Authority (SOA) records are hosted in an existing Active Directory Domain Services (AD DS) zone.
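The workaround implied above, written out as an added example (not code from the KnowledgeBase article): pass -InstallDns explicitly so the -WhatIf preview is trustworthy, and verify the DNS role after the real promotion. It assumes an elevated session on the Windows Server 2012 server being promoted; the domain name is a placeholder.

```powershell
# Added example, not from the KB article. Assumes an elevated PowerShell session on
# the Windows Server 2012 server being promoted; 'corp.domain.tld' is a placeholder.
Import-Module ADDSDeployment

$domainName   = 'corp.domain.tld'
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Without -InstallDns, -WhatIf prints "DNS Server: No" for a new forest even though the
# promotion will install and configure DNS. Passing -InstallDns explicitly makes the
# preview show what will really happen.
Install-ADDSForest -DomainName $domainName `
                   -SafeModeAdministratorPassword $dsrmPassword `
                   -InstallDns:$true `
                   -WhatIf

# Run this after the real promotion (same command without -WhatIf) and the reboot,
# to confirm that the DNS role was installed and the forest zone is AD-integrated,
# regardless of what the earlier -WhatIf output claimed.
function Test-ForestDns {
    param([string]$ZoneName)

    $feature = Get-WindowsFeature -Name DNS
    $service = Get-Service -Name DNS -ErrorAction SilentlyContinue
    $zone    = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DnsRoleInstalled  = ($feature.InstallState -eq 'Installed')
        DnsServiceRunning = ($service.Status -eq 'Running')
        ZoneHosted        = ($null -ne $zone)
        ZoneAdIntegrated  = ($zone.IsDsIntegrated -eq $true)
    }
}

# After promotion: Test-ForestDns -ZoneName $domainName
```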

   

Related KnowledgeBase articles

AddsDeployment module with the -Whatif argument shows incorrect DNS results     

Related Posts

New features in AD DS in Windows Server 2012, Part 2: New Promotion Process  
New features in AD DS in Windows Server 2012, Part 4: New PowerShell Cmdlets  
You can only set the DFL to Windows Server 2012 when you create a new domain tree on a Windows Server 2012-based computer   
"Access is denied" error message when you create a child domain remotely by using Install-ADDSDomain   

Further reading

Install-ADDSDomain 
Add Windows Server 2012 as a Domain Controller 
Creating a new AD forest 
Windows 8 Active Directory : New AD DS Deployment Cmdlets 
Windows 8 Active Directory: New Deployment PowerShell Cmdlets 
The PowerShell Modules In Windows Server 8 Beta       
PoS v3 and Windows 8    
Windows Server 2012 “dcpromo” 
How to create a new AD Forest with Windows 2012 Server Core  
Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200)  
Install a New Windows Server 2012 Active Directory Forest (Level 200)     
Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)
Demoting Domain Controllers and Domains (Level 200)


Photos of Objectives 2012, the Dutch Windows 8 and Windows Server 2012 Partner Launch Event


Yesterday, Microsoft Netherlands organized a free event for roughly 800 members of the Microsoft Partner Network, where they launched Windows 8 and Windows Server 2012, together with Ingram Micro, Copaco, Actebis and Tech Data, and a lot of their OEM Partners like Dell, Samsung, HP, Asus, Acer, Toshiba and Fujitsu.

As I posted earlier, I was invited by Microsoft to present on this event on our experiences migrating to Windows 8 and Windows Server 2012, focusing both on making the most of Windows 8 and Windows Server 2012 implementations and the cross- and upsell opportunities within the Microsoft Windows and Office families of products.


The event started with a keynote by Daniel van Soest and Tony Krijnen, followed by a 15-minute walkthrough of a Windows 8 device-wall by Marcel Nieuwpoort. People were standing in the back because the venue was packed (over 750 people attended) and people wanted to avoid missing anything from these two presentations:

Tony and Daniel during the Objectives 2012 Keynote (click for larger photo) Video of the Windows 8 Device Wall during the Objectives 2012 Keynote (click for larger photo)

After a short break, people were invited to the eight available 1-hour partner presentations and dive deeper sessions. Marcel Nieuwpoort (Microsoft) performed a session in dome 1 on the ‘3 screens and a cloud’ vision, Wouter Jansen (Microsoft) dove deeper in Windows 8 in dome 2, Jeffrey Vermeulen (Microsoft) told more about Windows Server 2012 and Hans van der Meer (Microsoft) showed off more of Office 2013. On the partner end, Rob Oud (Cad & Company) explained more about App Development, Peter Sterk (PQR) explained VDI, Micha Commeren (Resoluut) showed their Windows 8 apps and actually built an app on stage during his session and I presented on the experiences we had on deploying, managing and selling Windows 8 to customers in dome 8:

Announcement for my session for Dome8 (click for larger photo) Overview of Dome 8 during Objectives 2012 (click for larger photo)

With the help of Michiel Hoogenboom (who also gave me a ride to the event), I performed the session twice. (Due to event timing issues, the timetable was adjusted.) Michiel took the following photos:

Going in-depth on a question during the session (click for larger photo) Explaining how WinRT could eventually become a major upgrade reason (click for larger photo)
Translating the Microsoft story for partners (click for larger photo) Walking through the OGD deployment framework (click for larger photo)

After the break-out sessions, Arjan Oude Kotte climbed the main stage with Lauren Verster to give away eight Windows 8 tablets:

Arjan Oude Kotte and Lauren Verster on the main stage during Objectives 2012 (click for larger photo) Windows 8 Device winners received a voucher to pick up a device after launch (click for larger photo)

The event closed with drinks, and of course, Daniel, Tony and I teamed up, as we’re the three IT Professionals Evangelists in the Netherlands, and had some fun:


  

Related blogposts

I’ll be presenting at Objectives 2012, the Dutch Windows 8 and Windows Server 2012 Partner Launch Event     

Further reading

Microsoft Events – Objectives 2012
Microsoft Partner Network - Objectives 2012: Discover new opportunities with Windows 8

Whitepaper: What’s New in Active Directory Domain Services in Windows Server 2012


Last month, around the time Microsoft released Windows Server 2012, I published twenty blogposts on the new features in Active Directory Domain Services (AD DS) in Windows Server 2012.

Many people were positive on the extent of the information in these blogposts and many websites linked to the blogposts. Some people urged me to publish these blogposts as a single download.

Today, I finished editing on the 110-page whitepaper, covering the new features in Active Directory Domain Services (AD DS) in Windows Server 2012. As a consequence, you can now download this information:

 


What’s new in Active Directory Domain Services in Windows Server 2012

How your organization can benefit from the new features in Active Directory Domain Services and Windows Server 2012

   

The whitepaper is available for download here.

  

Further reading

New features in AD DS in Windows Server 2012, Part 1: Overview 
New features in AD DS in Windows Server 2012, Part 2: New Promotion Process 
New features in AD DS in Windows Server 2012, Part 3: New Upgrade Process 
New features in AD DS in Windows Server 2012, Part 4: New PowerShell Cmdlets 
New features in AD DS in Windows Server 2012, Part 5: PowerShell History Viewer 
New features in AD DS in Windows Server 2012, Part 6: Active Directory Recycle Bin GUI 
New features in AD DS in Windows Server 2012, Part 7: Fine-grained Password Policy GUI 
New features in AD DS in Windows Server 2012, Part 8: Group MSAs (gMSAs) 
New features in AD DS in Windows Server 2012, Part 9: Connected Accounts 
New features in AD DS in Windows Server 2012, Part 10: Improved KCD 
New features in AD DS in Windows Server 2012, Part 11: Kerberos Armoring (FAST) 
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory
New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning
New features in AD DS in Windows Server 2012, Part 14: RID improvements 
New features in AD DS in Windows Server 2012, Part 15: Deferred Index Creation 
New features in AD DS in Windows Server 2012, Part 16: Active Directory-based Activation 
New features in AD DS in Windows Server 2012, Part 17: LDAP Enhancements
New features in AD DS in Windows Server 2012, Part 18: DNTs Exposed
New features in AD DS in Windows Server 2012, Part 19: Offline Domain Join Improvements
New features in AD DS in Windows Server 2012, Part 20: Dynamic Access Control (DAC)

Update adds support for Windows 8 and Windows Server 2012 to Windows Server 2008, Windows 7, and Windows Server 2008 R2 KMS hosts


I’ve written before on Active Directory-based Activation. This new activation method allows domain-joined Windows 8 clients and Windows Server 2012-based member servers to be activated and deactivated automatically based on their domain membership.

I’m very fond of this feature. However, for many enterprise organizations, Active Directory-based Activation is beyond their reach for numerous reasons.

  

Why not use Active Directory-based Activation

Organizations may not be able to use Active Directory-based Activation, because:

  • They do not want to manage two activation environments 
    Only Windows 8, Windows Server 2012 and Office 2013 can be activated through Active Directory-based Activation. When an organization is planning to support both the latest and greatest and earlier versions, KMS will be needed for these older versions and administrators might not opt to manage two solutions.
      
  • They use an alternative Directory Service
    When an organization doesn’t use Active Directory, it doesn’t mean they can’t have centralized activation. It just means they can’t use Active Directory-based Activation.
      
  • They want to restructure their Active Directory environment
    When an organization is planning to restructure their Active Directory environment with the Active Directory Migration Tool (ADMT), the organization may be better off holding off their Active Directory-based Activation implementation until after the restructuring.
      
  • Activation is not part of the Active Directory team’s responsibilities
    When an organization has strictly separated responsibilities between teams, activation will not be part of the responsibilities of the Active Directory team. Depending on the situation, Active Directory admins will not respond favorably to these added responsibilities and the person(s) responsible for activation will need to stick with their current activation solution.

 

Stick with Key Management Services (KMS)

In most of these cases, Key Management Services (KMS) will remain the default Windows Activation method.

In order for these organizations, however, to activate Windows 8 and Windows Server 2012, their existing Key Management Services (KMS) infrastructure may need to be updated. They can either be upgraded to Windows 8 or Windows Server 2012 KMS Hosts, or updated with the update from Microsoft KnowledgeBase article 2757817.

This update applies to:

  • Windows Vista with Service Pack 2
  • Windows Server 2008 with Service Pack 2
  • Windows 7 with Service Pack 1
  • Windows Server 2008 R2 with Service Pack 1

Note:
A KMS host key that is associated with Windows client operating systems cannot be installed on Windows server operating systems, and vice-versa. This is true for all Windows operating systems except for Windows Server 2003.

Note:
Windows Server 2003-based KMS Hosts are no longer supported to activate Windows 8 and/or Windows Server 2012-based hosts.

  

Related KnowledgeBase article

Update adds support for Windows 8 and Windows Server 2012 to Windows Server 2008, Windows 7, and Windows Server 2008 R2 KMS hosts

Related Posts

Windows 8 Migration Checklist  
Whitepaper: What’s New in Active Directory Domain Services in Windows Server 2012 
New features in AD DS in Windows Server 2012, Part 16: Active Directory-based Activation

Updated Active Directory Capacity Planning Guidance Available (adsizer.exe Be Gone!)


Every good Active Directory Domain Services implementation started with sizing Domain Controllers appropriately for the environment in which they needed to be able to service clients for a period of four to five years.

For years, we’ve been using adsizer.exe, a part of the Windows 2000 Resource Kit for this purpose. This tool was released for Windows 2000 Server and provides ballpark estimates for number of Domain Controllers, Active Directory Database (ntds.dit) sizes for both non-Global Catalogs and Global Catalogs, processor requirements and network bandwidth:


However, 2000 is a long time ago, and in all that time adsizer.exe was never updated for the bandwidth- and database-minimizing technologies in newer Windows Server versions, nor for newer hardware configurations. (Its estimates are based on Domain Controllers equipped with Intel Pentium II and Pentium III processors ranging from 400 MHz to 933 MHz.)

Note:
Although adsizer.exe feels quite antiquated, you can still install it on the most recent versions of Windows and Windows Server.

   

Last week, the Active Directory team introduced new information on sizing Domain Controllers for an Active Directory environment, titled Capacity Planning for Active Directory Domain Services.

This information is not published in the form of a new adsizer.exe or a Microsoft Excel document (as the Exchange guys seem to prefer), but instead as an online resource, accessible without any required download.

I’m excited about this new information, since capacity planning guidance for scale-up systems in general has changed dramatically in the last years. Changes in system architectures, such as the change from 32-bit to 64-bit server platforms, virtualized versus non-virtualized scenarios, attention to power consumption, the industry moving from spindle-based to SSD storage, and cloud scenarios have challenged fundamental assumptions about designing and scaling a service. The new information therefore contains pointers to size virtualized Domain Controllers, to analyze the impact of multiple cores and hyper-threading, and to determine the required IOPS to choose between spindle-based disks and SSDs.

    

Concluding

When sizing Windows Server 2012-based Domain Controllers, use the information on TechNet to perform capacity planning for Active Directory Domain Services.

Related KnowledgeBase Articles

Windows 2000 Resource Kit Tools for administrative tasks 

Related Downloads

Active Directory Sizer   

Further reading

Updated Active Directory capacity planning guidance published    
Microsoft Adsizer tool works out your Active Directory domain    
Active Directory Sizing tool for Windows 2008 R2  
Active Directory Sizer Tool

KnowledgeBase: Event ID 46 and 7023 logged during startup of Windows Server 2008 R2 or Windows Server 2012


Last week, Microsoft introduced a new Active Directory-related KnowledgeBase article, titled Event ID 46 and 7023 logged during startup of Windows Server 2008 R2 or Windows Server 2012. This article relates to the Windows Time (W32Time) service and the Netlogon (netlogon) service and their startup sequence.

The situation

On Windows Server 2008 R2 and Windows Server 2012-based Domain Controllers, after a reboot, you encounter the following two error events in the System log:

Log Name: System
Source: Microsoft-Windows-Time-Service
Event ID: 46
Level: Error
User: LOCAL SERVICE
Description: The time service encountered an error and was forced to shut down. The error was: 0x80070005 0x80070700: Access is denied

Log Name: System
Source: Service Control Manager
Event ID: 7023
Level: Error
User: Computer
Description: The Windows Time service terminated with the following error: An attempt was made to logon, but the network logon service was not started.

The cause

This can occur if the Netlogon (netlogon) service is not explicitly started before the Windows Time (W32Time) service is started. In both Windows Server 2008 R2 and Windows Server 2012, the Netlogon (netlogon) service is not marked as a dependency of the Windows Time (W32Time) service, so nothing forces that start order.

The resolution

You can safely ignore these errors, as the Windows Time (W32Time) service will attempt to start again if it does not start the first time.
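Before ignoring these events, it is worth confirming that the retry actually succeeded. The following added example (not from the KnowledgeBase article) pulls events 46 and 7023 logged since the last boot, shows that Netlogon is indeed absent from W32Time’s dependency list, and checks that both services are running now. It assumes an elevated session on the Domain Controller in question.

```powershell
# Added example, not from the KB article. Assumes an elevated PowerShell session on
# the Domain Controller that logged the events.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# Event 46 (Microsoft-Windows-Time-Service) and 7023 (Service Control Manager)
# logged since the last boot. 7023 is generic, so keep only the Windows Time one.
$filter = @{
    LogName   = 'System'
    Id        = 46, 7023
    StartTime = $lastBoot
}
$startupErrors = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 46 -or $_.Message -like '*Windows Time*' }

$startupErrors | Select-Object TimeCreated, Id, ProviderName, Message | Format-List

# The KB's explanation: Netlogon is not in W32Time's dependency list, so the first
# start can race it. Show the list to confirm that on this host.
$w32time  = Get-Service -Name w32time
$netlogon = Get-Service -Name Netlogon
$depends  = ($w32time.ServicesDependedOn | Select-Object -ExpandProperty Name) -join ', '
"W32Time depends on: $depends"
"Netlogon listed as dependency: $($w32time.ServicesDependedOn.Name -contains 'Netlogon')"

# The errors are benign only because W32Time retries; verify that it actually did.
function Test-TimeServiceRecovered {
    param($TimeService, $NetlogonService)
    ($TimeService.Status -eq 'Running') -and ($NetlogonService.Status -eq 'Running')
}

if (Test-TimeServiceRecovered -TimeService $w32time -NetlogonService $netlogon) {
    'Both W32Time and Netlogon are running; the startup events can be ignored.'
} else {
    'W32Time or Netlogon is not running; investigate instead of ignoring the events.'
}
```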

Related KnowledgeBase articles

Event ID 46 and 7023 logged during startup of Windows Server 2008 R2 or Windows Server 2012

Active Directory in Hyper-V environments, Part 7


For a while, Microsoft’s KnowledgeBase article 976424, titled Error code when the kpasswd protocol fails after you perform an authoritative restore: "KDC_ERROR_S_PRINCIPAL_UNKNOWN", has been available to solve issues with unexpected behavior after authoritatively restoring the krbtgt account on Windows Server 2008 and Windows Server 2008 R2-based Domain Controllers.

The KnowledgeBase article doesn’t state that it applies to Windows Server 2012. That is true, but the issue does affect Windows Server 2012.

Robert Smit, a Dutch Microsoft MVP on Fail-over Clustering and my friend, pointed out to me you need to have this hotfix applied to all Domain Controllers running Windows Server 2008 and Windows Server 2008 R2 to be able to add Windows Server 2012-based fail-over clusters to the domain.

These days, most fail-over clusters are deployed to provide a robust, scalable and highly-available virtualization platform using Hyper-V. If you plan a Windows Server 2012-based Fail-over Cluster in your environment running Windows Server 2008 or Windows Server 2008 R2-based Domain Controllers, apply this hotfix during the next service window.

Note:
Domain Controllers need to restart to apply this hotfix.

      

In this series

Active Directory in Hyper-V environments, Part 1 
Active Directory in Hyper-V environments, Part 2 
Active Directory in Hyper-V environments, Part 3 
Active Directory in Hyper-V environments, Part 4 
Active Directory in Hyper-V environments, Part 5 
Active Directory in Hyper-V environments, Part 6 

Related KnowledgeBase articles

Error code when the kpasswd protocol fails after you perform an authoritative restore: "KDC_ERROR_S_PRINCIPAL_UNKNOWN"  
The kpasswd protocol fails with a KDC_ERR_S_PRINCIPAL_UNKNOWN error after you perform an authoritative restore on the krbtgt account in a Windows Server 2008 domain  

Further reading

The System Center Connector
Robert Smit Cluster MVP

I’ll be hosting a Microsoft Netherlands Datacenter Virtualization IT Camp with Tony Krijnen


Microsoft has been hosting Datacenter Virtualization IT Camps globally for the past few months. These no-cost, hands-on technical training events for IT professionals have been a great success around the world.

Microsoft subsidiaries over the world have created their own event template and approach, ranging from invite-only and online-only to open-for-everyone and in-person.

Microsoft Netherlands has been hosting Datacenter Virtualization IT Camps since the spring of 2012, and their approach has been very different from the approach taken by other subsidiaries: The approach by Daniel van Soest and Tony Krijnen, aimed at 1-day in-person events, has been to have people reuse their laptops as Hyper-V hosts using Boot from VHD technology and join them to an Active Directory domain, install the Hyper-V role, connect them to shared storage and then create Fail-over Clusters. The Dutch Datacenter Virtualization IT Camps have gathered numerous nicknames in the past months, including “Guinness Book record attempts to create the largest Hyper-V Fail-over clusters in one day”.

After the release of Windows Server 2012, Microsoft Netherlands has been transferring their Datacenter Virtualization IT Camps from Windows Server 2008 R2 to Windows Server 2012. Already, several Datacenter Virtualization IT Camps have been delivered in the past two months in Utrecht, Eindhoven and Veenendaal in this new format.

Earlier this month, a series of new dates for the Datacenter Virtualization IT Camps was announced, kicking off on Tuesday December 11, 2012 at the Van der Valk Hotel in Duiven from 10AM to 4PM.

I will be hosting the Microsoft Datacenter Virtualization IT Camp with Tony Krijnen at Van der Valk Duiven on Tuesday December 11, 2012.

I’m looking forward to it, and I hope to see you there.

 

Register now, because seats are limited to 64, of course.

    

Further Reading

Microsoft IT Camps Homepage 
Register for an IT Camp near you   

Related events

Datacenter Virtualization IT Camp December 18, 2012 (WTC Expo, Leeuwarden)  
Datacenter Virtualization IT Camp January 8, 2013 (Chateau Gilbert, Wijnandsrade)
Datacenter Virtualization IT Camp January 15, 2013 (Van der Valk, Hengelo)
Datacenter Virtualization IT Camp January 17, 2013 (Van der Valk, Vught) 
Datacenter Virtualization IT Camp January 24, 2013 (Van der Valk, Ridderkerk) 
Datacenter Virtualization IT Camp February 13, 2013 (Hampshire - Hotel Plaza, Groningen)
Datacenter Virtualization IT Camp March 19, 2013 (Postillion, Deventer) 
Datacenter Virtualization IT Camp March 26, 2013 (Van der Valk, Breukelen)


Active Directory in Hyper-V environments, Part 8


Designing and implementing a Hyper-V environment can be challenging. Placement of Active Directory Domain Controllers requires additional consideration, especially in Hyper-V Failover Cluster scenarios, where Active Directory membership for the cluster nodes is strictly required.

Windows Server 2012, in Active Directory terms, is a big step forward. We’ve been over the majority of the new features in Active Directory Domain Services on this blog before, so now it’s time to talk about the implications on support policies.

In this blog post, I’ll discuss the newly supported setups in terms of Hyper-V Failover Clustering, beyond the need to apply the hotfix from KnowledgeBase article 2784261, as discussed in Part 7 of this series.

Active Directory Domain Services and Failover Clustering

Failover Cluster nodes require Active Directory membership. In environments without Domain Controllers and/or extra physical iron to place Domain Controllers onto, this poses a challenge.

    

The old guidance

Microsoft has advised against re-using Failover Cluster nodes as Domain Controllers for years. Their official stance was:

  1. It is not recommended to combine the Active Directory Domain Services role and the Failover Cluster feature.
  2. It is not supported for a Failover Cluster running Microsoft Exchange Server or Microsoft SQL Server to be a Domain Controller.
  3. It is recommended to leave at least 1 domain controller on bare metal when deploying domain controllers inside of virtual machines.

Four years ago, I kicked off this series with a blog post recommending not to re-use Hyper-V Failover Cluster nodes as Domain Controllers, from both an architectural and a performance point of view. While that blogpost offers a workaround for the third recommendation above, my recommendations have been identical to Microsoft’s.

These recommendations still largely apply to the Windows Server Operating Systems of those days. However, with Windows Server 2012, Microsoft’s recommendations have changed and I feel it’s time to review my recommendations.

    

The updated guidance

Now, in KnowledgeBase article 281662, Microsoft updates the above guidance with information on Windows Server 2012. The Windows Server 2012-specific changes are listed below:

  1. It is not supported to combine the Active Directory Domain Services role and the Failover Cluster feature on Windows Server 2012
  2. It is no longer recommended to leave at least 1 domain controller on bare metal when deploying domain controllers inside of virtual machines in Windows Server 2012.

AD DS Role and Failover Cluster Feature no longer supported

While combining the Active Directory Domain Services Server Role and the Failover Clustering Server Feature on one host has not been recommended in Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2, it is now no longer supported.

Now, don’t misinterpret the above. You can still install the Failover Clustering Server Feature on an existing Windows Server 2012-based Domain Controller. The change in guidance is not reflected in Server Manager. However, if you want to add an existing Domain Controller to a Failover Cluster as a cluster node, the configuration will not pass the Cluster Validation:

Validation Error on Validate Active Directory Configuration in the Validate a Configuration Wizard (click for original screenshot)

Now, as you might be aware, if a configuration doesn’t pass the Configuration Validation, Microsoft will not offer support on it. In the help file for Failover Clustering, Microsoft states:

Microsoft support of Failover Cluster Solutions

Microsoft supports a failover cluster solution only if it meets the following requirements:

  • All hardware components in the failover cluster solution are certified for Windows Server 2012. For more information, see Requirements and Steps for Creating a Failover Cluster or Adding a Node.
     
  • The complete cluster configuration (servers, network, and storage) can pass all tests in the Validate a Configuration Wizard. For more information, see Failover Cluster Validation Tests.
     
  • The hardware manufacturers’ recommendations for firmware updates and software updates have been followed. Usually, this means that the latest firmware and software updates have been applied.
    Occasionally, a manufacturer might recommend specific updates other than the latest updates.

Note:
In Windows Server 2008 and Windows Server 2008 R2, the configuration would pass the Cluster Validation.

Bare metal Domain Controller recommendation

In previous versions of Windows Server, the Cluster Service (clussvc) communicated with Active Directory to gather information on the Cluster object when starting. The implication is that the Failover Clustering Service, and all the highly available workloads on top of it, wouldn’t start when an Active Directory Domain Controller was not available: after a site-wide power failure, none of the VMs would start when the Domain Controllers ran on top of the Hyper-V platform as highly-available VMs…

In Windows Server 2012, the Cluster Service (clussvc) still attempts to communicate with a Domain Controller when it starts, but when it doesn’t find one, it will start and try to communicate with Active Directory later. This way, the dependency on Active Directory Domain Controllers outside of the cluster is taken away. This feature is known as Active Directory-less Cluster Bootstrapping.

 

Concluding

Two of the guidance points for Active Directory in Hyper-V Failover Cluster environments have been changed with Windows Server 2012.

You can no longer re-use a Domain Controller as the parent partition of a Hyper-V Cluster node in a supported way. This configuration is no longer officially supported by Microsoft.

Active Directory-less Cluster Bootstrapping eliminates the need for communicating with a Domain Controller for a Failover Cluster node’s Cluster Service at startup, before it can bring its highly-available resources online.

 

Further reading

Windows Server 2012 Failover Cluster – Enhanced Integration with Active Directory (AD)
Running Domain Controllers in Hyper-V 
Hyper-V role and Active Directory Service in same server? 
Active Directory and DNS on Hyper-V host 
Installing Domain Controller on Hyper-V Host    

Related KnowledgeBase articles

281662 How to use Windows Server cluster nodes as domain controllers 
888794 Things to consider when you host Active Directory domain controllers in virtual hosting environments 

Related posts

Active Directory in Hyper-V environments, Part 1 
Active Directory in Hyper-V environments, Part 2 
Active Directory in Hyper-V environments, Part 3 
Active Directory in Hyper-V environments, Part 4 
Active Directory in Hyper-V environments, Part 5 
Active Directory in Hyper-V environments, Part 6 
Active Directory in Hyper-V environments, Part 7

Rebooting Windows Server 2012-based Domain Controllers into Directory Services Restore Mode


As Christoffer Andersson, a fellow Directory Services MVP explained in the 4th post of his Inside NTDS.dit series, some deletions do not end up in the Active Directory Recycle Bin and as an Active Directory admin you might still need to perform restores using Directory Services Restore Mode (DSRM).

The Directory Services Restore Mode isn’t new. It has been around since Windows 2000 Server, where you would press F8 during boot to enter the Advanced Boot Options screen. Throughout versions of Windows Server the way to reboot into the Directory Services Restore Mode has changed. For instance, last year I blogged on how to add a DSRM startup option to the Advanced Boot Options screen in Windows Server 2008 and Windows Server 2008 R2, because by default it’s not present.

Today, in Windows Server 2012, Microsoft has changed rebooting into Directory Services Restore Mode from within Windows and has made it far easier.

Note:
When Windows detects a problem and needs to reboot, it will automatically display the Advanced Boot Options screen.

The following two ways now exist to reboot into Directory Services Restore Mode from within Windows:

  1. Type shutdown -o -r
     After a couple of seconds the system will display a ribbon:
       
     After typing shutdown -o -r a ribbon will be displayed (Click for original screenshot)
       
     Quickly thereafter, the system will reboot.
     
          Note:
          This method works on both Full Installations and Server Core installations.
     
  2. On a Full installation of Windows Server 2012, open the Charms Bar with Win+C, then click the cog representing Settings, left-click Power and press and hold the Shift key while you click Restart.
          
     Click Restart while holding Shift to reboot (Click for original screenshot)
       
     Select one of the two Operating System: Recovery options, as they seem to be the reasons that best describe why you want to restart. Then click Continue.

After the system has rebooted, it will display the following screen, instead of the normal boot screen:

After the restart choose an option (Click for original screenshot)

Choose Troubleshoot - Refresh or reset your PC, or use advanced tools.

The Advanced options screen will appear:

The Advanced options screen (click for original screenshot)

Choose Startup Settings - Change Windows startup behavior.

The Startup Settings screen will appear:

[Screenshot: the Startup Settings screen]

Click Restart.

The server will restart a second time. This time it will display the Advanced Boot Options screen:

[Screenshot: the Windows Server 2012 Advanced Boot Options screen with the Directory Services Repair Mode option]

On this screen, select Directory Services Repair Mode.

When confronted with the Windows Server 2012 logon screen, determine the appropriate set of logon credentials, depending on your DSRM Admin Logon Behavior settings and the remaining Domain Controllers within your environment. Log on and perform the appropriate actions.

    

Concluding

Today, in Windows Server 2012, Microsoft has changed rebooting into Directory Services Restore Mode and has made it far easier. Note, however, that easier in this case does not mean more straightforward.

Further reading

Restartable AD DS Step-by-Step Guide
Securing the Directory Services Restore Mode Account
What Username and Password Do I Need to Use for Directory Services Restore Mode
Directory Services Restore to Virtual from Physical

Related Posts

And you will keep your password updated … 
How to add a DSRM startup option in Windows Server 2008 and Windows Server 2008 R2

KnowledgeBase: "The service cannot be started" error during Active Directory Domain Services configuration


Microsoft KnowledgeBase article 2737880, titled "The service cannot be started" error during AD DS configuration describes an issue where promotion of a Windows Server 2012-based server to a Domain Controller and demotion of a Windows Server 2012-based Domain Controller is unable to finish.

Its root cause is a policy or an administrator that prevents the DS Role Server service (DsRoleSvc) from starting.

About the DS Role Server service

The DS Role Server service (DsRoleSvc) is new to Active Directory Domain Services in Windows Server 2012 and is used to install or remove Active Directory or to clone Domain Controllers. It is not present by default on Windows Server 2012, but gets installed when the Active Directory Domain Services Server Role is installed, either through Server Manager or the Install-WindowsFeature PowerShell Cmdlet.

  

The situation

In Windows Server 2012, you try to:

  • Configure a new Domain Controller by using Server Manager and the Active Directory Domain Services Configuration Wizard
  • Configure a new Domain Controller using the Install-ADDSForest, Install-ADDSDomain, or Install-ADDSDomainController PowerShell Cmdlets from the AddsDeployment Windows PowerShell module
  • Remove Active Directory Domain Services from an existing Domain Controller by using Server Manager and the Active Directory Domain Services Configuration Wizard
  • Remove Active Directory Domain Services from an existing Domain Controller by using the Uninstall-ADDSDomainController PowerShell Cmdlet from the AddsDeployment Windows PowerShell module
  • Clone a virtualized Domain Controller by using dccloneconfig.xml 

The configuration change fails, and you receive an error, stating that the service cannot be started, either because it is disabled or because it has no enabled devices associated with it:

[Screenshot: "An error occurred when demoting the Active Directory domain controller. The service cannot be started, either because it is disabled or because it has no enabled devices associated with it."]

When you try to perform the actions above through PowerShell, you receive the following error:

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

    

Additionally, you see that C:\Windows\Debug\dcpromoui.log contains the following line of text:

Enter GetErrorMessage 80070422

    

The cause

This error occurs because a policy or an administrator prevents the DS Role Server service (DsRoleSvc) from starting. A common configuration is to disable the service:

[Screenshot: DS Role Service Properties dialog with the service disabled]

  

Note:
This does not occur because of the Security Configuration Wizard (scw.exe). Although the Security Configuration Wizard offers security configuration and can lock down services through Group Policies, based on the roles and services installed on a reference server, the DS Role Service is not affected by it.

     

The resolution

The KnowledgeBase article states that you simply enable the service by setting its startup type to Manual, either in the Services MMC snap-in (services.msc) or by issuing the following command at an elevated command prompt:

sc.exe config dsrolesvc start= demand
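As an added example that is not part of the KnowledgeBase article or this post, the PowerShell function below checks the DS Role Server service's start mode and scans dcpromoui.log for the 80070422 error before you attempt a promotion or demotion, and with -Fix applies the same sc.exe command; the function name and its -Fix switch are names chosen for this example.

```powershell
# Added example, not from the KnowledgeBase article or this post.
# Test-DsRoleSvc and its -Fix switch are names chosen for this example.
function Test-DsRoleSvc {
    [CmdletBinding()]
    param(
        [switch]$Fix,
        [string]$LogPath = "$env:SystemRoot\Debug\dcpromoui.log"
    )

    # Win32_Service exposes the start mode as Auto, Manual or Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DsRoleSvc'"
    if (-not $svc) {
        Write-Warning 'DsRoleSvc is not installed; add the AD DS role first.'
        return $null
    }

    # 80070422 is the HRESULT dcpromoui logs when the service cannot be started.
    $seen = $false
    if (Test-Path $LogPath) {
        $seen = [bool](Select-String -Path $LogPath -Pattern '80070422' -Quiet)
    }

    $result = [pscustomobject]@{
        Service        = $svc.Name
        StartMode      = $svc.StartMode
        State          = $svc.State
        ErrorInLog     = $seen
        ReadyToPromote = ($svc.StartMode -ne 'Disabled')
    }

    if ($Fix -and $svc.StartMode -eq 'Disabled') {
        # Call sc.exe explicitly: inside PowerShell, 'sc' is an alias for Set-Content.
        # The space after 'start=' is required by sc.exe syntax.
        sc.exe config dsrolesvc start= demand | Out-Null
        $result.StartMode = (Get-CimInstance Win32_Service -Filter "Name='DsRoleSvc'").StartMode
        $result.ReadyToPromote = ($result.StartMode -ne 'Disabled')
    }
    $result
}

Test-DsRoleSvc
# Test-DsRoleSvc -Fix   # run elevated; if a Group Policy disables the service,
                        # the next policy refresh sets it back to Disabled.
```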

  

Related KnowledgeBase articles

"The service cannot be started" error during AD DS configuration

Preventing Domain Controller promotions, cloning and demotions in Windows Server 2012


In many organizations, Active Directory is the identity and access cornerstone of their networking environments. No wonder, then, that organizations want extended control and auditing on admins and their whereabouts.

Many 3rd party solutions exist to help organizations achieve these goals, but most of them rely on a system where Domain Controllers have agents, communicating with a centralized control and/or auditing server. In these cases, you’d want to limit Domain Controller promotions and demotions.

In Windows Server 2012, limiting Domain Controller promotions and demotions is easier than ever.

    

Pre-Windows Server 2012

If you wanted to prevent Domain Controller promotions in Windows 2000 Server, Windows Server 2003 (R2) and Windows Server 2008 (R2) environments, you’d use one of these methods:

  1. Limiting membership of the Domain Admins group.

  2. Use Delegation of Control to prevent people from creating computer objects in the Domain Controllers Organizational Unit (OU).

     Note:
     This is a quick fix that I’ve seen applied a couple of times, but it should really be part of a broader Delegation of Control and ACL’ing inside Active Directory, based on the information here.

  3. Modify the NTFS Access Control List (ACL) on dcpromo.exe through your (virtual) server installation template and/or Group Policy Preferences.

  4. Create IPSec rules for replication traffic between known Domain Controllers, preventing new Domain Controllers from replicating.

Preventing Domain Controller demotions, however, is a different story. Even if you’re able to prevent promotions using the methods above, a rogue admin can still demote the server using dcpromo.exe /forceremoval.

Note:
Domain Controller cloning is not available in previous versions of Windows Server, prior to Windows Server 2012.

      

Windows Server 2012

Now, in Windows Server 2012, all of the methods above still work, although method 3 would not achieve much, since dcpromo.exe merely exists for legacy scripting.

Note:
Domain Controller promotions are now performed using the Install-ADDSDomainController, Install-ADDSDomain and Install-ADDSForest PowerShell Cmdlets, while demotions are now performed with Uninstall-ADDSDomainController.

Instead, a separate Service has been created to perform Domain Controller promotions, cloning and demotions. In Windows Server 2012, all these actions are performed by the DS Role Server Service (dsrolesvc).

Through Group Policy, this service can be set to disabled:

[Screenshot: the DS Role Server service set to Disabled in Group Policy]

Additional security can be added by clicking the Edit Security… button and specifying who has Full, Write, Delete, Read and/or Start, stop and pause access. This way, the (group of) people able to promote, demote and clone Domain Controllers can be defined.
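To audit who that setting actually grants start, stop and configuration rights on the service, here is an added example that is not from the original post: it reads the live service security descriptor with sc.exe sdshow and decodes the service-specific access bits per principal. Get-DsRoleSvcAccess is a name chosen for this example.

```powershell
# Added example, not from the original post. Get-DsRoleSvcAccess is a name
# chosen here; it reads the live service security descriptor via sc.exe sdshow.
function Get-DsRoleSvcAccess {
    param([string]$ServiceName = 'dsrolesvc')

    # sc.exe sdshow prints the SDDL string on one line (preceded by a blank line).
    $sddl = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }).Trim()
    if (-not $sddl) { throw "No security descriptor returned for $ServiceName" }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    # Service-specific access mask bits (from winsvc.h) plus GENERIC_ALL.
    $SERVICE_CHANGE_CONFIG = 0x0002
    $SERVICE_START         = 0x0010
    $SERVICE_STOP          = 0x0020
    $GENERIC_ALL           = 0x10000000

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID: show it raw
        $mask = $ace.AccessMask
        [pscustomobject]@{
            Principal    = $who
            AceType      = $ace.AceType          # AccessAllowed / AccessDenied
            CanStart     = [bool]($mask -band ($SERVICE_START -bor $GENERIC_ALL))
            CanStop      = [bool]($mask -band ($SERVICE_STOP -bor $GENERIC_ALL))
            CanConfigure = [bool]($mask -band ($SERVICE_CHANGE_CONFIG -bor $GENERIC_ALL))
            Mask         = ('0x{0:X}' -f $mask)
        }
    }
}

# Current start mode, then who may start, stop or reconfigure the service
# that performs promotions, demotions and cloning:
(Get-CimInstance Win32_Service -Filter "Name='DsRoleSvc'").StartMode
Get-DsRoleSvcAccess | Format-Table -AutoSize
```

Run it on a Domain Controller after the Group Policy has applied, so the report reflects the descriptor set through Edit Security… rather than the default one.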

Note:
Since a Windows Server 2012-based Active Directory environment has NTLM authentication disabled by default, proposed Windows Server 2012-based Domain Controllers need to be joined to the domain, before they can be promoted to Domain Controllers.

Note:
When the Active Directory forest is operated on the Windows Server 2012 Forest Functional Level (FFL), the promotion of pre-Windows Server 2012 Domain Controllers will be unavailable.

Now, of course, since we’re using Group Policies, we’ll also need to look at the security of the Group Policy itself. The Group Policy Management Console (GPMC) should be your tool of choice here, too. Locate the Group Policy you’ve created earlier under the Group Policy Objects node in the left pane and click on the Delegation tab in the right pane. Next, click the Advanced… button in the bottom right corner.

When you apply the Group Policy, make sure the link between the Group Policy and the Organizational Unit (OU), Active Directory site or Active Directory domain is Enforced when admins have the ability to create other (conflicting) Group Policies at lower levels.

Note:
In the Group Policy Management Console, you can define who can create Group Policy Objects. By default, the Domain Admins and Group Policy Creator Owners will have these permissions. These permissions can be changed on the Delegation tab of the Group Policy Objects node.

With the Group Policy in place, we can utilize our 3rd party auditing solution to monitor changes to this Group Policy itself and new computer objects in the Domain Controllers Organizational Unit (OU).

    

Concluding

In Windows Server 2012, Active Directory admins gain an important new tool to restrict Domain Controller promotions, demotions and cloning: the DS Role Server Service (dsrolesvc).

When combining strict access to starting this service with the methods already available from before, a Security admin has full control over the servers operating as Domain Controllers.

Further reading

HOW TO: Delegate the ability to add a domain controller to the domain (using minimum permissions)   
DS Role Service Disabled   
Troubleshooting Domain Controller Deployment 

Related Posts

New features in AD DS in Windows Server 2012, Part 2: New Promotion Process 
KnowledgeBase: "The service cannot be started" error during Active Directory Domain Services configuration

Pictures of the December 11 IT Camp with Tony Krijnen


As announced in an earlier blogpost, I hosted a Microsoft Netherlands Datacenter Virtualization IT Camp with Tony Krijnen on December 11, 2012. We had a lot of fun and in this blogpost I’ll try and share some of the fun.

[Image: IT Camps banner]

During the Datacenter Virtualization IT Camps, IT Pro attendees work their way through a series of exercises to explore a few of the possibilities of the new Windows Server 2012 Operating System, with the main focus on what’s new in Hyper-V 3.0.

The labs were categorized into groups covering the server infrastructure, new Windows Server 2012 functionality and the new features in Hyper-V virtualization. In the final lab a Failover cluster is featured.  The first part of the labs could be done individually by the attendees on their own laptops (which we politely asked to bring), but for the second part they needed to team up with a fellow IT Pro attendee to join their machines and do labs together and perform Shared Nothing Live Migrations, and the like.

The room was arranged in a cabaret meets classroom style with tables. Tables were set with two seats, but attendees quickly changed some of the prearranged seating to their needs. The room was packed:

[Photos: the IT Pro crowd at the Dutch Datacenter Virtualization IT Camps]

Since the venue was a hotel, lunch was fantastic!

After lunch, I gave my presentation on Domain Controller Cloning with Windows Server 2012. It had been 8 months since I gave that presentation (last time was at the Dutch OS Day), so I had to do some work on the slides. Also, this was the first time I performed this demo on Windows 8 as the virtualization host. As it turns out, even Hyper-V on the client supports VMGeneration-ID, so my Domain Controller cloned without a hitch.

[Photos: Sander Berkouwer performing the DC Cloning demo; screenshot of Domain Controller Cloning in progress on Windows 8]

At the end of the day, Tony demoed his 2-node Hyper-V cluster, based on shared storage offered by a 3-node Scale-out File Server cluster. All his machines were running Windows Server 2012, of course.

[Photos: Tony Krijnen presenting at the IT Camp]

Further reading

Tony Krijnen blog    
Microsoft Evenementen - IT Camp - Datacenter Virtualisatie (Dutch)
Verslag IT Camp Windows Server 2012: in één dag helemaal op de hoogte (Dutch)
Extra data voor IT Camp Windows Server 2012 (Dutch)

Related Posts

I’ll be hosting a Microsoft Netherlands Datacenter Virtualization IT Camp with Tony Krijnen  
Upcoming Speaking Engagements (March & April 2012) 
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory
New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning

System Center 2012 ServicePack 1 has arrived for TechNet and MSDN subscribers


System Center 2012 was released in April 2012, well before Windows 8 and Windows Server 2012 were released. As a consequence, these Operating Systems weren't supported. This functionality was slated for System Center 2012 with ServicePack 1, among other exciting new functionality. This makes ServicePack 1 for System Center 2012 not just an ordinary ServicePack.

As of December 20, 2012, TechNet and MSDN subscribers can download System Center 2012 with ServicePack 1 in the following packages:

  • System Center 2012 – Virtual Machine Manager with SP1
    (x64, ISO file, 1320 MB)
     
  • System Center 2012 – Data Protection Manager with SP1
    (x64, ISO file, 4721 MB)
     
  • System Center 2012 – Configuration Manager and Endpoint Protection with SP1
    (x86 and x64, ISO file, 904 MB)
     
  • System Center 2012 – Service Manager with SP1
    (x64, ISO file, 404 MB)
     
  • System Center 2012 – Operations Manager with SP1
    (x86 and x64, ISO file, 1059 MB)
     
  • System Center 2012 – Orchestrator with SP1
    (x86, ISO file, 157 MB)
     
  • System Center 2012 – App Controller with SP1
    (x64, ISO file, 77 MB)

All these downloads include the Chinese-Simplified, English, French, German, Italian, Japanese, Portuguese-Brazil, Russian, and Spanish languages, except for Configuration Manager and Endpoint Protection (this download doesn’t include the Italian, Portuguese-Brazil and Spanish language) and both Operations Manager and Orchestrator (English only).

       

What’s New

Service Pack 1 for System Center 2012 is not just a maintenance release, it also includes a lot of new features:

   

Further reading

Deploying Windows 8? Not with ConfigMgr 2007…   
System Center 2012 SP1 RTM download available on TechNet and MSDN   
What’s new in System Center Service Pack 1 
Microsoft finalizes System Center 2012 Service Pack 1    
System Center 2012 Service Pack 1 RTM & Download 
System Center 2012 SP1 Hits RTM, Arriving 'Early January' 
System Center 2012 SP1 is RTM and partly available      
Hyper-V 3.0 tools won't emerge until System Center 2012 SP1  
System Center 2012 w/SP1 is now available to download – RTM

PowerShell, LDIFDE, CSVDE and Protection from Accidental Deletion


When you build test environments regularly, at some point you’ll want to fill your Active Directory quickly. If, for instance, you have a data set with Organizational Units (OUs), user accounts and groups, you’ll want to import this data quickly. If, on the other hand, your business allows you to use the user information from a production Active Directory environment in your test environment, you might even opt to export and import this information.

Besides restoring backups from Domain Controllers to the test environment, Microsoft offers three tools to import exported data:

  • Import-CSV & New-ADOrganizationalUnit
  • Csvde.exe
  • Ldifde.exe

On the surface, these three tools seem to let you achieve the same goal, but they don’t. The end result after exporting and importing data is not the same between these three tools.

When you use the New-ADOrganizationalUnit PowerShell Cmdlet (together with the Import-CSV Cmdlet in this case) in a script, unless you specify otherwise, the created Organizational Units will be protected from accidental deletion.

When you use the ldifde.exe or csvde.exe tool to (export and) import Organizational Units (OUs), these OUs will be created without protection from accidental deletion.

Note:
The Active Directory Best Practices Analyzer will display a warning when not all Organizational Units (OUs) are protected from accidental deletion.

Protection from accidental deletion looks like a simple checkbox in the properties of an Active Directory object, but it’s not: underneath is a set of ACLs that prevents anyone from deleting the object. Since the Active Directory PowerShell module has the logic for Protection from accidental deletion built in, you can fix the newly created Organizational Units with the following PowerShell one-liner:

Get-ADOrganizationalUnit -filter {name -like "*"} -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
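As an added example that is not part of the original post, the script below reproduces the difference in a lab domain: it imports one OU with ldifde.exe and creates one with New-ADOrganizationalUnit, then audits and remediates the unprotected ones. The OU names, the LDIF content and Get-UnprotectedOU are constructed for this example; it assumes the ActiveDirectory module and rights to create OUs at the domain root.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# rights to create OUs at the domain root, and a lab domain. OU names are constructed.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Constructed LDIF that creates one OU the way an ldifde.exe export would.
$ldif = @"
dn: OU=LabImport,$domainDn
changetype: add
objectClass: organizationalUnit
ou: LabImport

"@
$ldifPath = Join-Path $env:TEMP 'labimport.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

# ldifde.exe: -i imports, -f names the file, -k ignores "object already exists" errors.
ldifde.exe -i -f $ldifPath -k | Out-Null

# Same kind of OU created through the Cmdlet, for comparison. Unless told otherwise,
# New-ADOrganizationalUnit sets ProtectedFromAccidentalDeletion to $true.
New-ADOrganizationalUnit -Name 'LabCmdlet' -Path $domainDn

function Get-UnprotectedOU {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # The property is computed from the Deny Delete/Delete Subtree ACEs on the object.
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

# Expected: LabImport (ldifde) is listed, LabCmdlet (New-ADOrganizationalUnit) is not.
Get-UnprotectedOU | Select-Object Name, DistinguishedName

# Remediate: preview with -WhatIf, then apply.
Get-UnprotectedOU | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true -WhatIf
Get-UnprotectedOU | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
```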

    

Concluding

With new functionality in new Operating Systems and Active Directory levels, don’t expect the old tooling you’ve learned to trust and love to be updated.

Related Posts

Preventing OUs and Containers from Accidental Deletion

Further reading

Protect an Organizational Unit from Accidental Deletion 
All OUs in this domain should be protected from accidental deletion
Protect Objects from accidential deletion 
Protecting OU from accidental deletion 
Protection from Accidental Deletion 
Windows Server 2008 Protection from Accidental Deletion


KnowledgeBase: ADM files are not present in SYSVOL in the GPMC Infrastructure Status option


Windows Server 2012 introduces a new Group Policy feature: ‘Infrastructure Status’. This feature is present in the Group Policy Management Console (GPMC) on Windows Server 2012 and in the Remote Server Administration Tools (RSAT) package for Windows 8, and introduces a Status tab at the domain level.

This tab is shown in the screenshot below:

[Screenshot: the Status tab at the domain level in the Group Policy Management Console (GPMC) in Windows Server 2012]

The situation

When you use the Detect Now button, you might continually see an error on the Status tab, stating that Domain Controllers report ‘replication in progress’ as in the screenshot below:

[Screenshot: "replication in progress" errors on the Status tab at the domain level in the Group Policy Management Console (GPMC) in Windows Server 2012]

Additionally, when you examine the system volume (SYSVOL) shares on the domain controllers in the environment, you notice that administrative template (ADM) files are not present in the system volume (SYSVOL) shares on the domain controllers, except on the Domain Controller holding the Primary Domain Controller (PDC) emulator Flexible Single Master Operations (FSMO) role.

The cause

Additional examination shows that SYSVOL was previously configured by an administrator to filter out ADM files in order to minimize the size of system volumes on Domain Controllers and/or reduce the number of files and amount of data that must be replicated between Domain Controllers, as described in Microsoft KnowledgeBase article 813338.

The GPMC Infrastructure Status option does not examine files in SYSVOL by type or capability and does not follow customized File Replication Service (FRS) or Distributed File Service Replication (DFSR) filtering rules. Any file count, hash, or security differences in the SYSVOL Policies folder contents between domain controllers are flagged as "replication in progress."

This behavior is by design.

The workaround

There are several ways to work around this behavior:

If your environment no longer contains Windows XP clients, Windows Server 2003 member servers, Windows Server 2003 Domain Controllers or domain-joined earlier versions of Windows and Windows Server, and you haven’t created or imported non-Microsoft custom ADM files, you can delete the existing ADM files from the System volume (SYSVOL) on the Domain Controller holding the Primary Domain Controller (PDC) emulator Flexible Single Master Operations (FSMO) role.

Depending on your needs you can create a centralized ADMX store together with filters or use local copies of ADMX files (This is the default behavior.) 

If the error on the Status tab bothers you in environments that still contain Windows XP and Windows Server 2003 member servers, you can switch to another tool to check for replication status (do not use gpotool.exe) or remove the previously applied filters, and let ADM files replicate to all Domain Controllers.
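As an added example that is not part of the KnowledgeBase article or this post, the script below reports how many ADM files each Domain Controller holds in its SYSVOL Policies share (a non-zero count only on the PDC emulator is the signature of the filtered setup described above) and wraps the first workaround in a function that supports -WhatIf. Get-SysvolAdmReport and Remove-PdcAdmFiles are names chosen for this example; it assumes the ActiveDirectory module and read access to the SYSVOL shares.

```powershell
# Added example, not from the KnowledgeBase article or this post.
# Get-SysvolAdmReport and Remove-PdcAdmFiles are names chosen for this example.
Import-Module ActiveDirectory

function Get-SysvolAdmReport {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)
    $pdc = (Get-ADDomain -Identity $DomainName).PDCEmulator

    foreach ($dc in Get-ADDomainController -Filter * -Server $DomainName) {
        # ADM files live under each GPO's Adm folder in the Policies share.
        $policies = "\\$($dc.HostName)\SYSVOL\$DomainName\Policies"
        $adm = @(Get-ChildItem -Path $policies -Recurse -Filter '*.adm' -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            DomainController = $dc.HostName
            IsPdcEmulator    = ($dc.HostName -eq $pdc)
            AdmFileCount     = $adm.Count
            AdmBytes         = ($adm | Measure-Object -Property Length -Sum).Sum
        }
    }
}

# ADM files present only on the PDC emulator means replication filtering is in
# place, which the Status tab reports as "replication in progress".
Get-SysvolAdmReport | Format-Table -AutoSize

function Remove-PdcAdmFiles {
    # First workaround from the article: delete ADM files on the PDC emulator only,
    # and only when no Windows XP / Server 2003 systems or custom ADM files remain.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$DomainName = (Get-ADDomain).DNSRoot)
    $pdc = (Get-ADDomain -Identity $DomainName).PDCEmulator
    Get-ChildItem "\\$pdc\SYSVOL\$DomainName\Policies" -Recurse -Filter '*.adm' |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete ADM file')) {
                Remove-Item -Path $_.FullName
            }
        }
}

Remove-PdcAdmFiles -WhatIf   # review the list first; drop -WhatIf to apply
```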

Related KnowledgeBase articles

How to minimize SYSVOL size by removing administrative templates (.adm files)  
ADM files are not present in SYSVOL in the GPMC Infrastructure Status option 

Further reading

Group Policy in Windows Server 2012: Infrastructure Status 
What’s new with Group Policy in Windows 8 
Group Policy in Windows Server 2012: Overview 
TechNet - What's New in Group Policy 
3 ways Windows Server 2012 makes Group Policy easier 
Windows 8 Group Policy changes – Part 1

KnowledgeBase: You can only log on as "Other user" when the "Do not display last user name" Group Policy setting is enabled in Windows 8 or Windows Server 2012


Many Active Directory admins consider it unsafe to display the last user’s logon name on the Logon Screen, since it provides information on naming conventions, etc. to potentially malicious people. Others change the default Logon Screen to accommodate presentation PCs, flexworker desktops and other commonly shared IT equipment.

Do Not Display Last User Name

Microsoft offers a couple of Group Policy settings you can use to change the default Logon Screen. They are located in Computer Configuration, under Windows Settings, Security Settings, Local Policies, Security Options:

[Screenshot: Security Options in the Group Policy Management Console (GPMC)]

Some of these have been around for a long time, like the Interactive logon: Do not display last user name group policy setting.

The setting can be applied to Organizational Units, containing computer accounts. With the right Organizational Unit structure, it can be applied to presentation PCs, but not to normal desktops, to accommodate users in their personal computing experience, where appropriate.

  

Windows Vista and Windows 7

In Windows Vista and Windows 7, when you apply this Group Policy setting, the Logon Screen, by default, displays an empty avatar and the two common fields to enter credentials (among other options). It looks like this on Windows 7:

[Screenshot: default Windows 7 Logon Screen with the "Do not display last user name" policy enabled]

  

Windows 8

In Windows 8, the Logon Screen has changed. Its fields are enlarged to accommodate selection by touch. You will still find the options to enable accessibility options, change the keyboard layout and turn off the PC and the two input fields:

[Screenshot: default Windows 8 Logon Screen with the "Do not display last user name" policy enabled]

But, one large difference between the logon screen in Windows 7 and Windows 8 is the label above the input fields: The Windows 7 Logon Screen does not display a label, where the Windows 8 Logon Screen suddenly describes your Logon attempts as attempts to log on as an Other user.

In Windows Server 2012, the same label is given to logon attempts when the Interactive logon: Do not display last user name Group Policy setting is applied.

This can be really confusing for users and admins, so Microsoft has decided to publish a KnowledgeBase article, describing the label as ‘by design’…

Related KnowledgeBase articles

2741622 You can only log on as "Other user" when the "Do not display last user name" Group Policy setting is enabled in Windows 8 or Windows Server 2012 

Related blogposts

Five must-have Group Policy settings to make people productive with Windows 8 on day 1 
Five must-have Group Policy settings to create an uniform look for your Windows 8 clients 
Five must-have Group Policy settings when your colleagues use 3G / 4G connections   
Five must-have Group Policy settings to protect peoples privacy in Windows 8 and IE 10

Active Directory Domain Services Management Pack for System Center updated last week


On October 6, 2011 I wrote about the updated Active Directory Domain Services Management Pack for System Center. Then, it was updated to version 6.0.7670.0. Today, I want to point you to another big update for the Active Directory Domain Services Management Pack for System Center: the 6.0.8070.0 update.

About System Center Operations Manager

With Microsoft System Center Operations Manager (SCOM) you can leave the monitoring and alerting to software in a confident, fast and robust way. Now you can simply create an availability or replication bandwidth report by pressing a single button. No longer do you have to follow tedious routines to check up on your servers: The products in the System Center were created to do those things for you. Before Operations Manager became a part of the System Center family, it was known as Microsoft Operations Manager (MOM).

System Center Operations Manager (SCOM) comes with the basic set of monitoring tools to monitor Windows Servers. These basic monitoring capabilities can be extended using Monitoring Packs for specific Server Roles and Server Products. Even more, Operations Manager features an extensibility framework to allow any 3rd party developer to write Monitoring Packs. Packs have been written to manage UPS’s and even Linux hosts. Of course, monitoring is of little use in big environments with repeating errors, so System Center Operations Manager is designed to work together with the other members of the System Center family of products, like System Center Configuration Manager (formerly known as SMS Server) and System Center Orchestrator (formerly known as Opalis).

About the Active Directory Monitoring Pack

Active Directory Domain Services is a Server Role in Windows Server and Microsoft has deemed it fit to have its own Monitoring Pack. Even more, Microsoft has dedicated valuable time to actively maintain the Monitoring Pack for Active Directory.

Update

The version of the Active Directory Monitoring Pack released on January 17th, 2013, is 6.0.8070.0 and is the seventh version of the Monitoring Pack since its original version (6.0.5000.0).

This update is conveniently referred to as the December 2012 revision.

What’s new in this release?

This release focuses on fixing problems reported by customers. The accompanying guide mentions:

  • Added Windows Server 2012 Support
  • Product Knowledge improvements
    • Client Monitoring alerts identify problematic Domain Controllers in the description.
    • Inter-domain trust alert identifies which trust is broken in the alert description.
    • More specific action recommendations added to alert for “Could not determine FSMO role holder” and alert for “Domain Controller’s Ops Master is inconsistent.”
    • KnowledgeBase article information added to alert for “The Active Directory database is corrupt.”
    • KnowledgeBase article information added to alert for “Two replication partners have an inconsistent view of the FSMO role holders.”
    • Some rules with names that begin “Client Side script…“ but were not actually executed by client-side monitors were renamed.
    • More specific action recommendation added to description for Event ID 1000.
  • Excessive alert fixes
    • A duplicate alert that appears when a computer authentication fails was removed.
    • Repetitive alerts for UserEnv and Netlogon were replaced with a single alert that includes a count of the number of occurrences.
    • The alert for the number of allowable replication partners was increased from 100 to the maximum number of replication connections.
    • The alert of FSMO role holder availability was refined so that it is issued less frequently in cases where the operations master role holder is temporarily unavailable.
    • Active Directory processor overload monitor was removed because it duplicates an existing monitor in the operating system management pack.
    • Duplicate alerts for KDC errors and trust verification failures were removed.
    • Informational alert was disabled for rule “The default security settings for the NTFS file systems have not been applied to Active Directory directory folders.”
  • Script error fixes
    • Multiple script errors were fixed to improve Active Directory site topology discovery, DNS verification, operation master role discovery, and other improvements.
  • Rule error fixes
    • Multiple rule errors were fixed to improve error handling, event logging, and server state reporting.

Download

You can download the update here.

Further reading

New Version: Active Directory Domain Services Management Pack for System Center 
[OpsMgr 2007 R2] Active Directory Domain Services Management Pack for System Center 
MP versions and release dates 
[SCOM] Mise à jour (6.0.8070.0) du pack d’administration Active Directory (French)
Active Directory Domain Services Management Pack for System Center 6.0.8070.0

I’m speaking at the Dutch TechDays


I’m very excited to announce I’m listed to speak on the TechDays event, hosted by Microsoft Netherlands on March 7 and March 8, 2013 at the World Forum in The Hague.

 

About TechDays NL 2013

TechDays is an international series of Microsoft events, hosted by Microsoft subsidiaries around the world. Microsoft Netherlands, this year, has decided to make the event a 2-day event, filled with both IT Professionals and Developers content.

Together with the Belgian subsidiary, which is running the Belgian TechDays event on March 6 and March 7, 2013 at the Kinepolis filmtheatre in Antwerpen, Microsoft Netherlands has arranged for several highly rated international speakers, like John Craddock, Bryon Surace, Chris Jackson, Daniel Pearson, Johan Arwidmark, Vijay Tewari and Paula Januszkiewicz, to present sessions, next to our own heroes Maarten Goet, Ronald Beekelaar, Ruben Spruijt, Steven van Houttum, Jeff Wouters, Kenneth van Surksum, Roel van Bueren and Alex De Jong.

 

About my session

My session, titled ‘Two of a kind: Virtualization-safe Active Directory & DC Cloning’, is a one-hour session on Active Directory Domain Services in Windows Server 2012. Specifically, I will be explaining and demoing the way Active Directory Domain Services leverages VMGeneration-ID to prevent problems commonly associated with reverting snapshots, like USN Rollbacks and Lingering Objects, and how organizations benefit when deploying Windows Server 2012-based Domain Controllers virtually.

My session is planned in the first timeslot of the event, on March 7, 2013 between 9:15 AM and 10:30 AM.

Will I see you there?

  

Related blogposts

New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning 
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory

Further reading

TechDays NL - Speaker Bio Sander Berkouwer (Dutch)
TechDays NL - Session abstract Two of a kind: Virtualization-safe AD & DC Cloning (Dutch)
TechDays NL - Making PowerShell sexy

List of Hypervisors supporting VM-GenerationID


Note: This blogpost will be updated.

Microsoft introduced the VM-GenerationID in Windows Server 2012, to enable Virtual Machines (VMs) to notice when they’re snapshotted, restored and/or cloned. Active Directory is the first technology to put the VM-GenerationID to good use.

The following Hypervisors support VM-GenerationID:

  • Windows Server 2012 Standard Edition (Hyper-V)
  • Windows Server 2012 Enterprise Edition (Hyper-V)
  • Hyper-V Server 2012  (Hyper-V)
  • Windows 8 Professional (Hyper-V)
  • Windows 8 Enterprise (Hyper-V)
  • VMware Workstation 9.0
  • VMware vSphere 5.0 with Update 4
  • VMware vSphere 5.1
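To verify from inside the guest that a hypervisor really exposes the VM-GenerationID, here is an added example that is not part of the original post: it reads the msDS-GenerationId attribute that a Domain Controller records on its own computer object when it can read the generation counter from the virtual hardware. Test-VmGenerationId and the Domain Controller name DC01 are constructed for this example; it assumes the ActiveDirectory module.

```powershell
# Added example, not from the original post. Test-VmGenerationId is a name chosen
# here; 'DC01' is a constructed Domain Controller name.
Import-Module ActiveDirectory

function Test-VmGenerationId {
    param([Parameter(Mandatory)][string]$DomainController)

    # Ask the DC itself (-Server): it maintains this value from the VM Generation ID
    # counter the hypervisor exposes through the virtual firmware.
    $obj = Get-ADComputer -Identity $DomainController -Server $DomainController `
               -Properties 'msDS-GenerationId'
    $raw = $obj.'msDS-GenerationId'   # byte[] when present, $null otherwise

    [pscustomobject]@{
        DomainController = $DomainController
        HasGenerationId  = ($null -ne $raw -and $raw.Count -gt 0)
        GenerationIdHex  = if ($raw) { ($raw | ForEach-Object { '{0:X2}' -f $_ }) -join '' } else { $null }
    }
}

# A DC on one of the hypervisors listed above returns HasGenerationId = True;
# a DC on a hypervisor without VM-GenerationID support, or a physical DC, returns False.
Test-VmGenerationId -DomainController 'DC01'
```

After a snapshot restore or a clone on a supporting hypervisor the hex value changes, which is exactly the signal Active Directory uses to react safely.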

 

Version History

Posted on blogs.dirteam.com on January 22, 2013

Related Blogposts

New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning 
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory

Further reading

Windows Server 2012 VM-Generation ID Support in vSphere 
Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100) 
Virtual Domain Controller Cloning in Windows Server 2012 
Virtualized Domain Controller Architecture   
Virtualize your Windows Server 2012 domain controllers 
Virtualization-Safe Active Directory in Windows Server 2012 
Cloning Virtual Domain Controllers in Windows Server 2012
