[Freeipa-users] Virtualising FreeIPA domain controller

Simo Sorce simo at redhat.com
Fri Mar 2 14:25:17 UTC 2012


On Fri, 2012-03-02 at 12:37 +0100, Ondrej Valousek wrote:
> I just got information that it is a very bad idea to have virtual
> Domain controllers in Active Directory - server's (and potentially the
> whole AD) metadata gets corrupted once you 'pause' the machine - just
> to get a snapshot or backup.
> 
> I am just wondering - there are many similarities between IPA and
> Active Directory - can we be affected by this, too?
> Thanks,

Well, I do not know about just 'pausing'; it does not sound plausible to me,
except wrt clock skew which may cause krb auth and replication to fail.

But if you restore such a snapshot after the original machine had a
fatal accident then it may come with issues.

I think the issue is due to the fact that the directory service in AD is
not being shut down before the snapshot. This results in you
snapshotting the underlying database in a potentially unclean state.
You could run into similar issues if you do this with FreeIPA and you do
not ipactl stop right before taking the snapshot: the DS database will
be in an open state and potentially in the middle of a transaction.

Normally if you recover such a backup all that should happen is that at
start-up DS will act as if an unclean shutdown was performed and simply
recover.

However you also need to put this in the context of multi-master
replication. You cannot just try to recover a replica by simply
restoring a days-old backup. The reason is that all other replicas have
recorded that they have already sent you all the data that has changed
since the backup and will not attempt to bring you up to speed. So
you'll have potentially stale replication agreements and also an
outdated and inconsistent (wrt the rest of the domain) database.
And as soon as new replication messages come in your "restored"
replica will be unable to process some of the changes because they
depend on other changes that it has never seen.

That all said it is easy to recover from this situation in FreeIPA, just
run a force resync from an up-to-date master and the replica will be
brought up to speed immediately (at least wrt the main LDAP directory,
if you also have a CA clone you will need to resync that too). I think
this functionality is not available in AD, which is why restoring a
snapshotted image may cause issues.

Also another minor issue is that you need to make sure you sync the time
of your replica if the snapshot takes more than a few seconds. Ntpd will
not be able to adjust the clock if the time is too skewed, so you may
want to force an ntpdate command right after you resume operations after
the snapshot.


This may not be an exhaustive list of things you need to take care of,
depending on which service you run on your machine, but it is all I can
think of.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
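
The snapshot procedure described in the message above (stop IPA, snapshot, step the clock, restart), as an added example that is not part of the original post or of FreeIPA itself. Assumptions: the snapshot command is passed in as arguments, NTP_SERVER is a placeholder, ntpdate is called with -u so it works while ntpd is running, and DRY_RUN=1 (the default) only prints the plan.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: the snapshot command and NTP_SERVER are site-specific placeholders.
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the plan, 0 = execute it
NTP_SERVER="${NTP_SERVER:-ntp.example.com}"  # placeholder time source

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# quiesced_snapshot SNAPSHOT_CMD [ARGS...]
quiesced_snapshot() {
    if [ "$#" -eq 0 ]; then
        echo "usage: quiesced_snapshot SNAPSHOT_CMD [ARGS...]" >&2
        return 2
    fi
    # Close the DS database first; never snapshot it while it is open.
    if ! run ipactl stop; then
        echo "ipactl stop failed; refusing to snapshot" >&2
        run ipactl start   # bring back whatever was already stopped
        return 1
    fi
    snap_rc=0
    run "$@" || snap_rc=$?
    # Step the clock before Kerberos and replication come back: ntpd will not
    # correct a large skew. -u lets ntpdate run while ntpd holds port 123.
    run ntpdate -u "$NTP_SERVER" || echo "warning: clock was not stepped" >&2
    # Restart IPA whether or not the snapshot succeeded.
    run ipactl start || return 1
    return "$snap_rc"
}

# Run only when a snapshot command is given on the command line.
if [ "$#" -gt 0 ]; then
    quiesced_snapshot "$@"
fi
```

A non-zero exit status means either the snapshot command failed (its own status is returned) or IPA could not be stopped or restarted cleanly, so the snapshot should not be trusted as a clean backup.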
