Virtualization-safe(r) Active Directory in VMware environments, Part 2


In the first post of this series, I showed how to uncover the VM-GenerationID, the random value that unlocks all that Windows Server 2012 Active Directory Domain Services magic, on VMware’s vSphere and Workstation virtualization solutions.

Today, I’m showing you how to interpret this value and how it might differ depending on the version of the VMware solution and the version of the VMware Tools used.

 

You’ll need specific versions of VMware ESXi

First of all, if you want to run Windows Server 2012 on VMware vSphere, you’ll need at least ESXi 5.0 Update 1, since this is the first version of the hypervisor on which VMware supports Windows Server 2012.

However, VMware only implemented the VM-GenerationID functionality, as designed by Microsoft, in its products in the summer of 2012, using the whitepaper and example code shared by Microsoft. This work was not finished before March, so ESXi 5.0 Update 1 (released March 15, 2012) does not include the VM-GenerationID functionality.

These VMware ESXi versions support the VM-GenerationID functionality:

  • VMware ESXi 5.0 Update 2 (Build 914586) and subsequent updates to ESXi 5.0
  • VMware ESXi 5.1 (Build 799733) and subsequent updates to ESXi 5.1
  • VMware ESXi 5.5 (Build 1331820) and subsequent updates to ESXi 5.5

One thing to know, however, is that the VM-GenerationID functionality in ESXi 5.0 Update 2 (released on December 20, 2012) was implemented based on a draft of the VM-GenerationID whitepaper. Microsoft made a significant update to this whitepaper, and to the example code it shared with VMware and Citrix, before making it final:

In the draft version of the VM-GenerationID whitepaper, the VM-GenerationID value was defined as a random 64-bit value. In the final version of the VM-GenerationID whitepaper, the VM-GenerationID value was defined as a random 128-bit value.

This means you will find significantly smaller values in the virtual machine configuration (*.vmx) file on the host and in the (hidden) Microsoft Hyper-V Generation Counter system device in virtual machines running on top of VMware ESXi 5.0 Update 2, compared to virtual machines running on top of later versions of ESXi, including ESXi 5.0 Update 3 (released October 17, 2013).

You’ll need VMware Tools

Without the VMware Tools installed, a virtual machine running Windows Server 2012 (or up) will not be able to benefit from the VM-GenerationID capabilities, since the VM-GenerationID value will not be put in the virtual machine’s RAM.

Without the VM-GenerationID in RAM, a virtual Domain Controller will not be able to see when it is reverted to snapshot or cloned and you will not benefit from the virtualization safeguards in Active Directory Domain Services that make it virtualization-safe(r).

Of course, updating to a more recent version of the hypervisor requires upgrading the VMware Tools in the virtual machines running atop the hypervisor, too, to remain in a supported state.

Besides running in an unsupported state, running virtual machines with version 5.0 Update 1 of the VMware Tools on top of ESXi 5.0 Update 2 (or up) will not enable the VM-GenerationID functionality, since 5.0 Update 1 of the VMware Tools does not support it yet.

 

Concluding

When you want to utilize the VM-GenerationID functionality in a networking environment, virtualized with VMware products, in a supported manner, you will need to:

  • Run ESXi 5.0 Update 2 (or up), ESXi 5.1 or ESXi 5.5 as the hypervisor.
  • Have the VMware Tools installed in the virtual machines.
  • Have the VMware Tools version installed that corresponds to your hypervisor version.
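
The checklist above, together with the 64-bit versus 128-bit difference, can be turned into a small audit for a virtual Domain Controller. This is an added example, not code from the original post or from VMware. It assumes the .vmx keys are named vm.genid and vm.genidX and hold signed 64-bit decimal strings (vm.genidX taken as the upper half), and the sample .vmx contents are constructed.

```python
import re

# Minimum ESXi builds with VM-GenerationID support, as listed in this post.
MIN_BUILD = {"5.0": 914586, "5.1": 799733, "5.5": 1331820}

# Assumption: the .vmx keys are vm.genid (low 64 bits) and vm.genidX
# (high 64 bits), each stored as a signed 64-bit decimal string.
_KEY = re.compile(r'^\s*(vm\.genidX?)\s*=\s*"(-?\d+)"\s*$', re.I | re.M)
_MASK = 0xFFFFFFFFFFFFFFFF

# Constructed sample .vmx fragments (values are made up).
SAMPLE_VMX_128 = ('displayName = "DC01"\n'
                  'vm.genid = "-6284418052090545870"\n'
                  'vm.genidX = "4871033062389247851"\n')
SAMPLE_VMX_64 = 'displayName = "DC02"\nvm.genid = "1234567890123456789"\n'

def parse_genid(vmx_text):
    """Return (bit_width, hex_value), or (0, None) if no ID is present."""
    found = {k.lower(): int(v) & _MASK for k, v in _KEY.findall(vmx_text)}
    if "vm.genid" not in found:
        return 0, None
    if "vm.genidx" in found:
        value = (found["vm.genidx"] << 64) | found["vm.genid"]
        return 128, f"{value:032x}"
    return 64, f"{found['vm.genid']:016x}"

def assess(esxi_version, esxi_build, tools_installed, vmx_text):
    """List findings that affect the virtualization safeguards of a DC."""
    findings = []
    minimum = MIN_BUILD.get(esxi_version)
    if minimum is None:
        findings.append("ESXi version not in this post's list; verify support")
    elif esxi_build < minimum:
        findings.append("hypervisor build lacks VM-GenerationID support")
    if not tools_installed:
        findings.append("VMware Tools missing: ID never reaches guest RAM")
    width, _ = parse_genid(vmx_text)
    if width == 0:
        findings.append("no VM-GenerationID in .vmx")
    elif width == 64:
        findings.append("64-bit draft-format ID (ESXi 5.0 Update 2 era)")
    return findings

if __name__ == "__main__":
    print(assess("5.0", 914586, True, SAMPLE_VMX_64))
```

An empty list from assess() means the host build, VMware Tools and .vmx contents all match the requirements listed above; it does not check that the VMware Tools version corresponds to the hypervisor version.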

 

Related blogposts

Virtualization-safe(r) Active Directory in VMware environments, Part 1
List of Hypervisors supporting VM-GenerationID
Citrix XenServer joins the VM-GenerationID family
New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory

Further reading

Cloning Windows Server 2012 Domain Controllers on vSphere 5
Windows Server 2012 VM-Generation ID Support in vSphere
