
I have several RODCs on remote sites, and sometimes power failures corrupt the AD DS database, which takes some time to recover. I'd like to move the RODC to a virtual machine (on the same server) to be able, in case of failure, to just roll back to the previous checkpoint. I know that it should not be done in the case of a writeable DC, but I can't find any mention of RODCs.

OS: Windows 2008R2 Standard

VM: Hyper-V

Summary: Can an RODC be rolled back to a saved state on Hyper-V? What should I do to force synchronization after such a rollback?

Somescout

1 Answer


IIRC Hyper-V snapshots are supported in Windows Server 2012. In all cases, snapshots are equivalent to "restore from backup", so you should honor the general rules of restoring AD from backup. The most important parameter is the TSL (Tombstone Lifetime): restoring a snapshot older than the TSL can cause a lot of trouble. It's better and easier to rebuild the RODC in that case.

UPDATE:

Some of the Microsoft's recommendations:

"...Do not use the Snapshot feature as a backup to restore a virtual machine that was configured as a domain controller. Problems will occur with replication when you revert the virtual machine to an earlier state. For more information, see USN and USN Rollback. Although using a snapshot to restore a read-only domain controller (RODC) will not cause replication issues, this method of restoration is still not recommended..."

Found under: Backup and restore practices to avoid

iPath
  • In the case of a writeable DC - yes, this is all correct. What I am trying to figure out is whether these rules apply to a read-only DC: does any information get replicated from them (or stored in the domain configuration) that will cause a malfunction if the VM is rolled back to a checkpoint? – Somescout Aug 04 '15 at 09:03
  • @Somescout see the updated answer. I think RODCs will not be affected so much by a checkpoint restore if you honor the TSL rules. Anyway - snapshots are not the recommended way of restoring a DC. – iPath Aug 05 '15 at 10:31
  • Thanks. The problem is that the RODC is deployed on a virtual machine on a remote server; the server could lose power or reboot due to hardware issues, and sometimes this causes the Active Directory database on the RODC to become corrupt, in which case the VM will not boot. So there are two solutions - boot the VM in Active Directory restore mode, force-remove the domain controller (I've tried to repair the database a couple of times - no luck), clean up its metadata from AD, rejoin the VM, repromote it to an RODC... uh... or just revert to the checkpoint. So I'm trying to find out whether it is safe. – Somescout Aug 06 '15 at 07:31
  • @Somescout it is safe for an RODC to be restored from a checkpoint, but it is not best practice. So I would suggest performing metadata cleanup and rebuilding the DC. This is the cleanest and **supported** way. I emphasize "supported", because if you have a support case for an RODC restored with a checkpoint, Microsoft may refuse to help or it can cost more money to resolve the case. – iPath Aug 06 '15 at 07:37
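The following is an added example, not code from the question, the answer or any of the commenters, that puts the two practical points above into one script: compare the checkpoint's age against the forest tombstone lifetime before reverting (refusing the revert, and pointing at the rebuild path, when the checkpoint is older than the TSL), and after the revert make the RODC pull a full inbound sync from its replication partners. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later; on a 2008 R2 host the checkpoint age has to be read from Hyper-V Manager instead), the ActiveDirectory module and repadmin.exe on the machine running it, and uses the placeholder names RODC01-VM and RODC01 for the VM and the RODC.

```powershell
# Added example, not from the original page. Before reverting an RODC checkpoint,
# check the checkpoint age against the forest tombstone lifetime (TSL), then
# force a full inbound sync after the revert.
# Assumptions: Hyper-V module (2012+), ActiveDirectory module, repadmin.exe;
# VM and DC names below are placeholders.
param(
    [string]$VMName         = 'RODC01-VM',   # hypothetical Hyper-V VM name
    [string]$RodcName       = 'RODC01',      # hypothetical RODC host name
    [string]$CheckpointName                  # optional; default is the newest checkpoint
)

Import-Module ActiveDirectory
Import-Module Hyper-V

# 1. Read the forest tombstone lifetime. If the attribute is unset (forests
#    created before Windows Server 2003 SP1) the effective default is 60 days.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                      -Properties tombstoneLifetime
$tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

# 2. Locate the checkpoint and compute its age in days.
$snap = if ($CheckpointName) {
    Get-VMSnapshot -VMName $VMName -Name $CheckpointName
} else {
    Get-VMSnapshot -VMName $VMName | Sort-Object CreationTime -Descending | Select-Object -First 1
}
if (-not $snap) { throw "No checkpoint found for VM '$VMName'" }
$ageDays = ((Get-Date) - $snap.CreationTime).TotalDays

# 3. A snapshot revert is a restore from backup, so the same TSL rule applies:
#    objects deleted more than TSL days ago have already been garbage-collected
#    on the other DCs and can never be replicated to the reverted RODC.
#    In that case rebuild: metadata cleanup, then repromote.
if ($ageDays -ge $tsl) {
    throw ("Checkpoint '{0}' is {1:N1} days old, tombstone lifetime is {2} days. " +
           "Do not revert; remove the RODC metadata and repromote it instead.") -f $snap.Name, $ageDays, $tsl
}
Write-Host ("Checkpoint '{0}' is {1:N1} days old (TSL {2} days); reverting." -f $snap.Name, $ageDays, $tsl)

Restore-VMSnapshot -VMSnapshot $snap -Confirm:$false
Start-VM -Name $VMName

# 4. Wait for the RODC to come back, then make it pull every partition from its
#    partners across sites. No /P: an RODC only replicates inbound, never pushes.
while (-not (Test-Connection -ComputerName $RodcName -Count 1 -Quiet)) {
    Start-Sleep -Seconds 15
}
repadmin /syncall $RodcName /A /e
repadmin /showrepl $RodcName
```

The TSL comparison is the part that matters for safety: the answer's rule that a snapshot older than the tombstone lifetime should not be restored holds for an RODC just as for a writeable DC, and the script refuses to proceed rather than leaving it to memory. The final `repadmin /showrepl` is there so the post-revert state is checked, not assumed.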