When Virtual Machines Go Wrong

Thursday, January 08, 2009 in Technical Articles
So, I've blogged on how great virtual machines were. But, what happens when they go wrong, and how can you mess up a VM environment?

Some actually believe you can't mess up a VM environment. But those could be the kind of people you may want to hurry and sell Alaskan swampland to while it's still cheap. One such example from the real world happened today. It shows how a simple Active Directory schema extension can go horribly wrong when VMs aren't managed correctly.

Goal: To update the schema using the Config Manager extadsch.exe tool.

Problem: Errors are returned in Active Directory saying the schema cannot be written to the domain controller.

At the Windows 2000 domain level this is a legitimate error: the schema is read-only until you tick a checkbox that makes it writable on that domain controller, and doing so resolves the problem. At the Windows Server 2003 domain level the checkbox is gone (unfortunately, or fortunately), because the schema is writable by default.

The domain controller in question was a virtual machine, and one hard thing about VMs is that it's hard to tell whether one has been rolled back. I do believe that is what happened here: the schema may have been written to, and then the VM was rolled back as part of a restore. The problem? The schema master was missing from Active Directory; as best I can piece it together, it wasn't installed prior to the rollback.

Solution: Seize the schema master role, and then extend the schema. By the way, this guy got lucky... :)
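Before running a schema extension against a domain controller that may have been rolled back, it is worth checking the things this story turned on: that the schema naming context still points at a live schema master, and that the role holder shows no signs of a rollback. The following is an added example, not code from the original post, written in PowerShell. It assumes the RSAT ActiveDirectory module, remote PowerShell access to the domain controllers, and that the `Dsa Not Writable` registry value and Directory Service event 2095 are present when Active Directory has detected a USN rollback; the seizure function wraps the step the post describes as the fix and asks for confirmation first.

```powershell
# Added example (not from the original post): pre-flight checks before a schema
# extension such as ExtADSch.exe. Assumes the RSAT ActiveDirectory module and
# remote PowerShell access to the domain controllers.
#Requires -Modules ActiveDirectory

function Test-SchemaMasterHealth {
    [CmdletBinding()]
    param()

    $rootDse  = Get-ADRootDSE
    $schemaNc = $rootDse.schemaNamingContext

    # 1. fSMORoleOwner on the schema naming context is the NTDS Settings object
    #    of the DC that holds the Schema Master role.
    $owner = (Get-ADObject -Identity $schemaNc -Properties fSMORoleOwner).fSMORoleOwner
    if (-not $owner -or $owner -match '\\0ADEL:') {
        # Empty, or pointing at a deleted object: the "schema master is missing"
        # condition the post describes. Nothing can write the schema until a
        # live DC holds the role.
        return [pscustomobject]@{
            Healthy = $false
            Reason  = "fSMORoleOwner is missing or references a deleted object: $owner"
        }
    }

    # 2. The parent of the NTDS Settings object is the server object, which
    #    carries the DC's DNS host name.
    $serverDn = ($owner -split ',', 2)[1]
    $dcHost   = (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName

    # 3. Ask the role holder whether the directory service has flagged a rollback:
    #    'Dsa Not Writable' = 4 and event 2095 both indicate a detected USN rollback.
    $rollback = Invoke-Command -ComputerName $dcHost -ScriptBlock {
        $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
        $ev   = Get-WinEvent -LogName 'Directory Service' -FilterXPath '*[System[EventID=2095]]' `
                    -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DsaNotWritable   = $ntds.'Dsa Not Writable'
            UsnRollbackEvent = [bool]$ev
        }
    }

    # 4. Record the current schema version so a failed or half-applied extension
    #    can be recognised afterwards.
    $schemaVersion = (Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion

    $healthy = -not $rollback.UsnRollbackEvent -and $rollback.DsaNotWritable -ne 4
    [pscustomobject]@{
        Healthy          = $healthy
        SchemaMaster     = $dcHost
        SchemaVersion    = $schemaVersion
        DsaNotWritable   = $rollback.DsaNotWritable
        UsnRollbackEvent = $rollback.UsnRollbackEvent
        Reason           = if ($healthy) { 'Role holder is live and shows no rollback markers' }
                           else { 'Role holder reports a USN rollback; do not extend the schema from here' }
    }
}

function Invoke-SchemaMasterSeizure {
    # The fix the post describes: seize the role onto a healthy DC. ConfirmImpact
    # High means this prompts unless -Confirm:$false is given, and -WhatIf previews it.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$TargetDc)

    if ($PSCmdlet.ShouldProcess($TargetDc, 'Seize Schema Master role')) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
            -OperationMasterRole SchemaMaster -Force
    }
}

# Usage: run the check, and only extend the schema when it comes back healthy.
$health = Test-SchemaMasterHealth
$health | Format-List
if (-not $health.Healthy) {
    Write-Warning $health.Reason
    # e.g. Invoke-SchemaMasterSeizure -TargetDc 'DC02'   (placeholder DC name)
}
# Otherwise run ExtADSch.exe from the Configuration Manager media on the schema master.
```

The deleted-object test looks for the `\0ADEL:` marker that Active Directory inserts into the distinguished name of a tombstoned object, so a role owner that was promoted after the snapshot and then vanished with the rollback shows up here rather than as a vague "cannot write to the schema" error later.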

This is one example of how a VM can go bad. But why can VMs be a bad idea in the first place?

1. Machines need to stay in sync.

One great example is restoring a tombstoned domain controller, that is, one from a backup or snapshot older than the tombstone lifetime. After about 60 days, that can cause serious replication havoc on your domain and, in some cases, make it collapse completely.

2. Along the lines of point 1, applications may also need to stay in sync.

Some applications span several servers. If one of those servers is rolled back or restored, will its restored state cause errors on the others? Think orphaned database records, out-of-sync files, or settings that no longer exist.

3. Does anyone know what happens to AD Computer passwords?

Some applications require a computer to be domain joined, and some, such as Config Manager, don't support changing domain membership. Computer account passwords change automatically every 30 days by default, without anyone being notified. If a computer's password changes and the system is then rolled back to a point before the change, the trust relationship between that system and Active Directory is broken. You would then have to rejoin the system to the domain, which gives it a different SID. That can stop programs from working, and in some cases leaves them completely unsupported.

4. There is no point 4. Every 3 must have a 4... :)
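Points 1 and 3 both come down to the same question: given the time a snapshot was taken, what in the directory has moved on since? The following added example, which is not code from the original post, turns that into a report. It is PowerShell, assumes the RSAT ActiveDirectory module, and treats `$SnapshotTaken` as a placeholder for the creation time of the snapshot being reverted to. It reads the forest's tombstone lifetime (falling back to the 60-day default when the attribute is unset), reads Netlogon's configured rotation interval (30 days when unset), and lists every computer account whose password changed after the snapshot, since those are the machines whose trust will break if they are reverted. The last function is for the member server itself: `Test-ComputerSecureChannel` reports the broken trust, and its `-Repair` switch resets the machine account password in place, keeping the existing SID, which is an alternative to the rejoin the post describes.

```powershell
# Added example (not from the original post): what has drifted since a snapshot
# was taken. Assumes the RSAT ActiveDirectory module; dates and names are placeholders.
#Requires -Modules ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the Configuration
    # naming context. When the attribute is absent the forest uses the 60-day default
    # the post refers to.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                       -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-RollbackExposure {
    [CmdletBinding()]
    param([Parameter(Mandatory)][datetime]$SnapshotTaken)

    $tsl     = Get-TombstoneLifetimeDays
    $ageDays = ((Get-Date) - $SnapshotTaken).TotalDays

    # Point 1: a DC reverted to a state older than the tombstone lifetime can
    # reintroduce objects the rest of the forest has already deleted and purged.
    $beyondTombstone = $ageDays -gt $tsl

    # Point 3: Netlogon rotates machine account passwords on this interval
    # (MaximumPasswordAge, in days). It defaults to 30 when the value is not set.
    $nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                           -ErrorAction SilentlyContinue
    $rotationDays = if ($nl.MaximumPasswordAge) { [int]$nl.MaximumPasswordAge } else { 30 }

    # Any computer whose account password changed after the snapshot holds a stale
    # password once reverted, so its secure channel to Active Directory will fail.
    $atRisk = Get-ADComputer -Filter { PasswordLastSet -gt $SnapshotTaken } -Properties PasswordLastSet |
        Select-Object Name, DNSHostName, PasswordLastSet

    [pscustomobject]@{
        SnapshotTaken              = $SnapshotTaken
        SnapshotAgeDays            = [math]::Round($ageDays, 1)
        TombstoneLifetimeDays      = $tsl
        BeyondTombstoneLifetime    = $beyondTombstone
        PasswordRotationDays       = $rotationDays
        ComputersWithNewerPassword = @($atRisk)
    }
}

function Repair-RolledBackTrust {
    # Run this on the reverted member server. Test-ComputerSecureChannel returns
    # $false when the locally stored machine password no longer matches the one
    # in Active Directory; -Repair resets it in place and keeps the computer SID,
    # so a Config Manager client does not need to be rejoined.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][pscredential]$Credential)

    if (Test-ComputerSecureChannel) { return 'Trust intact' }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Reset machine account password')) {
        Test-ComputerSecureChannel -Repair -Credential $Credential | Out-Null
        return 'Secure channel repaired'
    }
    'Trust broken; repair skipped'
}

# Usage on a domain-joined admin workstation (placeholder snapshot date):
$report = Test-RollbackExposure -SnapshotTaken (Get-Date '2009-01-01')
$report | Format-List
if ($report.BeyondTombstoneLifetime) {
    Write-Warning 'Snapshot is older than the tombstone lifetime; do not revert a domain controller to it.'
}
$report.ComputersWithNewerPassword | Format-Table -AutoSize
```

Running the report before reverting, rather than after, is the point: the list of computers with a newer password is the list of trust relationships the rollback will break, and the tombstone comparison says whether the forest can safely take the reverted DC back at all.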

Overall, if well managed, VMs are a blessing. But be careful: not paying attention to your VMs can also be a nightmare.

