Don’t snapshot domain controllers

Recently, I was helping someone with his virtual environment and I stumbled across something that made me pause – a snapshot of an Active Directory domain controller. I asked the person why the snapshot was there and he informed me that he took the snapshot before doing some major work on the domain controller so that he could easily revert if things went south. Bear in mind that this environment holds multiple domain controllers – all virtual – and this was the only one with a snapshot.

Here’s the problem: By relying on a snapshot as the sole Active Directory recovery method, this organization was leaving itself prone to AD corruption. First of all, Microsoft does not support any AD backup method that works like a snapshot. Instead, the company wants you to take a system state backup of the domain controller, which includes the Active Directory database (ntds.dit) and SYSVOL. If the database is damaged, you then restore that backup in Directory Services Restore Mode using the supported, native tools. A supported (non-authoritative) restore gives the domain controller a new invocation ID, so its replication partners recognize it as a freshly restored replica and send it every transaction it missed between the time of the backup and the time of the restore.

When you revert to a snapshot, you basically erase one copy of AD and replace it with an older one, without telling anyone. That newly replaced AD server is never made aware of changes that have been made to the AD database since the snapshot was taken. Worse, its update sequence number (USN) is rolled back while its invocation ID stays the same: the other domain controllers have already recorded replicating from this DC up to a higher USN, so new changes written on the reverted DC fall below that watermark and are never pulled by its partners. So, in essence, you’re operating with one domain controller that might be seriously out of sync with the rest, and silently diverging further with every write it accepts.

Sure, there are ways to safely snapshot and recover a domain controller (Windows Server 2012 and later DCs running on a hypervisor that exposes a VM-Generation ID detect a reverted snapshot and reset their invocation ID, but that is a safety net, not a backup strategy), yet what appears to be the quick and simple method can create major headaches! If you’re not sure, don’t do it.
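Here is an added PowerShell example, not part of the original post, that checks for the symptoms described above: it asks every domain controller whether NTDS has already quarantined itself after a USN rollback (the "DSA Not Writable" registry value and Directory Service events 2095/2103), checks whether replication is failing, and then lists any checkpoints that still exist on the DC virtual machines. It assumes the ActiveDirectory RSAT module and repadmin are available where it runs, that the DCs are Hyper-V guests on the host it runs on (VMware shops would use PowerCLI's Get-Snapshot instead), and that WinRM is enabled on the DCs.

```powershell
# Added example: audit DCs for USN-rollback symptoms and leftover VM snapshots.
# Assumptions: ActiveDirectory RSAT module, repadmin, Hyper-V module, WinRM to each DC.

function Get-DcRollbackStatus {
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName)

    foreach ($dc in $DomainControllers) {
        # 1. NTDS writes "DSA Not Writable" = 4 and pauses replication/Netlogon
        #    once it detects partners holding USNs it no longer has.
        $notWritable = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -ErrorAction SilentlyContinue).'DSA Not Writable'
        }

        # 2. Events 2095 (rollback detected) and 2103 (replication disabled).
        $rollbackEvents = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Directory Service'; Id = 2095, 2103
        } -MaxEvents 5 -ErrorAction SilentlyContinue

        # 3. Replication health per partner, parsed from repadmin's CSV output.
        $repl   = repadmin /showrepl $dc /csv | ConvertFrom-Csv
        $failed = $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }

        [pscustomobject]@{
            DC              = $dc
            UsnRollbackFlag = ($notWritable -eq 4)
            RollbackEvents  = @($rollbackEvents).Count
            FailingPartners = @($failed).Count
        }
    }
}

function Get-DcSnapshots {
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName)

    # Match VM names against the DCs' short host names; adjust if your VM
    # naming convention differs from the computer names (assumption).
    $shortNames = $DomainControllers | ForEach-Object { ($_ -split '\.')[0] }
    Get-VM | Where-Object { $shortNames -contains $_.Name } |
        Get-VMSnapshot | Select-Object VMName, Name, CreationTime
}

Get-DcRollbackStatus | Format-Table -AutoSize
Get-DcSnapshots      | Format-Table -AutoSize

# The supported alternative to a snapshot, run on the DC itself (writes to E:):
#   wbadmin start systemstatebackup -backupTarget:E: -quiet
```

Any DC that reports UsnRollbackFlag = True or rollback events has already been quarantined by NTDS and needs a supported restore (or a demote/re-promote), not another snapshot revert; any checkpoint the second function lists is a revert waiting to happen and should be deleted once the maintenance it was taken for is finished.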

If you’re interested in virtualizing a domain controller or two, Brien Posey has written an excellent article series on just this topic:

Solutions for Virtualizing Domain Controllers (Part 1)
Solutions for Virtualizing Domain Controllers (Part 2)
Solutions for Virtualizing Domain Controllers (Part 3)
Solutions for Virtualizing Domain Controllers (Part 4)
Solutions for Virtualizing Domain Controllers (Part 5)
Solutions for Virtualizing Domain Controllers (Part 6)
Solutions for Virtualizing Domain Controllers (Part 7)

1 thought on “Don’t snapshot domain controllers”

  1. In virtualized environments, if you're going to rely on host-based replication for redundancy, I suggest using only one domain controller. Sure, you may lose transactions since the last replication/snapshot, but your system will at least come up and run. 100s of clients using VMware and I still have yet to see a corrupted domain controller, at least using VMware. It would not surprise me at all if Hyper-V has some issues though. Make sure VMware Tools is properly installed/updated on your PDC.
