Recently, I was helping someone with his virtual environment and I stumbled across something that made me pause - a snapshot of an Active Directory domain controller. I asked the person why the snapshot was there and he informed me that he took the snapshot before doing some major work on the domain controller so that he could easily revert if things went south. Bear in mind that this environment holds multiple domain controllers - all virtual - and this was the only one with a snapshot.
Here’s the problem: By relying on a snapshot as the sole Active Directory recovery method, this organization was leaving itself prone to AD corruption. First of all, Microsoft does not support any AD backup method that works like a snapshot. Instead, the company really wants to see you take a system state backup of the domain controller, which also captures the Active Directory database. Then, if necessary, you can recover a damaged Active Directory database using supported, native tools. The supported AD recovery method forces AD to take a look at the recovered domain controller and make sure that any transactions that it may have missed since the initial backup are replicated back.
When you revert to a snapshot, you basically erase one copy of AD and replace it with another. That newly replaced AD server is never made aware of changes that may have been made to the AD database. So, in essence, you’re operating with one domain controller that might be seriously out of sync with the rest.
Sure, there are ways to safely snapshot and recover a domain controller, but what appears to be the quick and simple method can create major headaches! If you’re not sure, don’t do it.
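A read-only check for the out-of-sync condition described above, to run on a domain controller that has been reverted from a snapshot (an added example, not from the original article). It assumes the ActiveDirectory PowerShell module is installed; the function name `Test-DcRollbackIndicators` and the 30-day lookback are hypothetical choices, while event ID 2095 and the `Dsa Not Writable` registry value are indicators AD DS itself records when it detects that its database was rolled back.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read-only checks, run locally on the reverted domain controller.
function Test-DcRollbackIndicators {
    [CmdletBinding()]
    param(
        [int]$LookbackDays = 30   # assumption: how far back to search the event log
    )

    # 1. Event ID 2095 (Directory Service log): logged when the DC detects that a
    #    partner holds a newer record of this DC's changes than its own database,
    #    i.e. the local database was rolled back.
    $rollbackEvents = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 2095
            StartTime = (Get-Date).AddDays(-$LookbackDays)
        } -ErrorAction SilentlyContinue)

    # 2. When AD DS quarantines a rolled-back DC it writes this registry value.
    $ntds = Get-ItemProperty -ErrorAction SilentlyContinue `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $notWritable = $ntds.'Dsa Not Writable'

    # 3. Inbound replication from each partner: a non-zero result code or a run
    #    of failures means this DC is not receiving changes made elsewhere.
    $partners = @(Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME)
    $failing  = @($partners | Where-Object {
            $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0
        })

    [pscustomobject]@{
        Server          = $env:COMPUTERNAME
        RollbackEvents  = $rollbackEvents.Count
        DsaNotWritable  = $notWritable
        PartnersChecked = $partners.Count
        FailingPartners = @($failing | Select-Object -ExpandProperty Partner)
        Suspect         = ($rollbackEvents.Count -gt 0) -or
                          ($null -ne $notWritable) -or
                          ($failing.Count -gt 0)
    }
}

Test-DcRollbackIndicators | Format-List
```

A clean result only shows that none of these three indicators is present; it does not make a snapshot revert a supported recovery method.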
If you’re interested in virtualizing a domain controller or two, Brien Posey has written an excellent article series on just this topic:
Solutions for Virtualizing Domain Controllers (Part 1)
Solutions for Virtualizing Domain Controllers (Part 2)
Solutions for Virtualizing Domain Controllers (Part 3)
Solutions for Virtualizing Domain Controllers (Part 4)
Solutions for Virtualizing Domain Controllers (Part 5)
Solutions for Virtualizing Domain Controllers (Part 6)
Solutions for Virtualizing Domain Controllers (Part 7)