Exporting a VM running as a Domain Controller

The core of the issue lies around the way each domain controller is uniquely identified by the domain, and how domain information is replicated through the system.

It's vital that:

A) Each domain controller retain its own unique ID, unchanged, at all times. Operations that clone a DC or alter its SID will break this.

B) New DCs are only added to the domain via the DCPROMO process. The domain depends on the information that this process adds into the domain, to identify a DC on the network. Any operation which brings a machine online which appears to be a valid DC, but has not been uniquely promoted in the domain, is going to cause all kinds of headaches.

C) A DC is never restored to a point backwards-in-time. So no snapshots etc. This is because the domain relies on an increasing ticket number type system to identify changes to the domain. A DC reverted to a previous state will have a lower ticket ID while the domain is on a higher ticket ID. This gets you into the USN rollback scenario that Grizly described.

So, in summary: Running virtual DCs is possible, but you must take extra care not to perform VM operations which will violate DC operational requirements.


I think I found the KB you are referring to: http://technet.microsoft.com/sv-se/library/dd348452%28WS.10%29.aspx

All these recommendations are made to help avoid the possibility of an update sequence number (USN) rollback.

USN Info: http://technet.microsoft.com/sv-se/library/dd348479%28WS.10%29.aspx
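
An added illustration, not part of the posts above and not Microsoft's code: a toy Python model of the "increasing ticket number" behaviour from point C, showing what a replication partner sees after a snapshot revert. The `DC` and `Partner` classes, `simulate`, and the change names are constructed for this sketch and greatly simplify real AD replication.

```python
# Toy model of USN rollback after a VM snapshot revert (constructed example).
import copy
import uuid
from dataclasses import dataclass, field


@dataclass
class DC:
    invocation_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    highest_usn: int = 0
    changes: dict = field(default_factory=dict)    # usn -> change written here

    def write(self, *changes):
        for change in changes:
            self.highest_usn += 1                  # every local write takes the next USN
            self.changes[self.highest_usn] = change


@dataclass
class Partner:
    watermark: dict = field(default_factory=dict)  # invocation ID -> highest USN seen
    received: list = field(default_factory=list)

    def pull(self, src):
        seen = self.watermark.get(src.invocation_id, 0)
        if src.highest_usn < seen:
            return "USN_ROLLBACK"                  # source is behind what it already sent
        for usn in range(seen + 1, src.highest_usn + 1):
            if src.changes[usn] not in self.received:   # simplification: skip known changes
                self.received.append(src.changes[usn])
        self.watermark[src.invocation_id] = src.highest_usn
        return "OK"


def simulate(reset_invocation_id):
    dc1, dc2 = DC(), Partner()
    dc1.write("create alice", "create bob")
    snapshot = copy.deepcopy(dc1)                  # VM snapshot taken at USN 2
    dc1.write("disable alice", "reset bob password")
    dc2.pull(dc1)                                  # partner has now seen USN 1..4
    dc1 = snapshot                                 # revert: database is back at USN 2
    if reset_invocation_id:                        # what an AD-aware restore does
        dc1.invocation_id = uuid.uuid4().hex
    dc1.write("create carol")                      # reuses USN 3
    first = dc2.pull(dc1)
    dc1.write("create dave", "create erin")        # USN 4 and 5
    second = dc2.pull(dc1)
    return first, second, dc2.received
```

With `simulate(False)` the first pull is flagged as a rollback, but once the reverted DC's USN passes the partner's watermark the second pull succeeds and only "create erin" replicates, so "create carol" and "create dave" never leave the reverted DC. With `simulate(True)` the new invocation ID makes the partner treat the database as a new source and every change replicates.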