AD DS replication depends on two logically increasing values:
a) the USN (Update Sequence Number), which is assigned to transactions on each domain controller;
b) the InvocationID, which is the GUID of the Active Directory database and identifies the database instance (the version of the database).
Note: the InvocationID is stored in an attribute on the NTDS Settings object.
How the Active Directory Replication Model Works
The InvocationID of a domain controller and its USN together are unique in the forest and are used to determine which changes need to be replicated to other domain controllers.
Certain hypervisor capabilities (for example, the ability to create snapshots and apply them later), when used with domain controllers, may introduce a permanently divergent state: in the previous example, a USN could be used twice, and replication would never converge.
(Image from Samuel Devasahayam's TechEd 2012 presentation SIA317, “Active Directory Virtualization Safeguards and Domain Controller Cloning with Windows Server 2012”)
Windows Server 2012 introduces “virtualization safeguards”.
Virtual DCs are able to detect when a snapshot is applied or a VM is copied, using an identifier called the VM-Generation ID.
This value is saved in the msDS-GenerationId attribute during domain controller promotion.
The VM-Generation ID is stored in the Active Directory database (the directory information tree, DIT) as a non-replicated attribute on the DC's computer object.
When processing any subsequent transaction, the current value of the VM-Generation ID reported by the virtual machine is compared against the value in the DIT.
Each time the domain controller is rebooted, AD DS also compares the current value of the VM-Generation ID from the virtual machine against the value in the DIT and, if they differ, it resets the InvocationID, discards the RID pool and updates the DIT with the new value.
These safeguards enable AD DS administrators to benefit from the unique advantages of deploying and managing domain controllers in a virtualized environment.
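The three values the paragraphs above describe (InvocationID, USN and VM-Generation ID) can all be read from a domain controller, and tracking them over time turns a safeguard-triggered InvocationID reset into something an administrator notices rather than something discovered later as replication trouble. The script below is an added example, not code from the original post or from Microsoft. It assumes the ActiveDirectory RSAT module; the baseline file location is an arbitrary choice, and the attribute and rootDSE names used (msDS-GenerationId, invocationId via Get-ADDomainController, highestCommittedUSN) are the standard LDAP names.

```powershell
# Added example: inventory InvocationID, highest committed USN and VM-Generation ID
# for every DC in the domain, and compare the InvocationID against a saved baseline.
# Not part of the original post; requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-DcVirtualizationState {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        # msDS-GenerationId is NOT replicated, so it must be read from the DC itself;
        # asking another DC for this object would return an empty attribute.
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN `
            -Properties 'msDS-GenerationId' -Server $dc.HostName

        $genIdBytes = $computer.'msDS-GenerationId'
        $genIdHex = if ($genIdBytes) {
            ($genIdBytes | ForEach-Object { $_.ToString('x2') }) -join ''
        } else {
            '<none: physical DC or hypervisor without VM-Generation ID support>'
        }

        # highestCommittedUSN in rootDSE is this DC's local USN counter.
        $rootDse = Get-ADRootDSE -Server $dc.HostName

        [pscustomobject]@{
            DomainController = $dc.HostName
            InvocationId     = $dc.InvocationId            # from the NTDS Settings object
            HighestUSN       = [int64]$rootDse.highestCommittedUSN
            VmGenerationId   = $genIdHex
            IsVirtual        = [bool]$genIdBytes
        }
    }
}

function Compare-DcInvocationBaseline {
    param(
        # Assumed location for the baseline; pick any protected path.
        [string]$BaselinePath = "$env:ProgramData\DcInvocationBaseline.json"
    )

    $current = @(Get-DcVirtualizationState)

    if (-not (Test-Path $BaselinePath)) {
        $current | ConvertTo-Json | Set-Content -Path $BaselinePath
        Write-Output "Baseline written to $BaselinePath"
        return
    }

    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    foreach ($now in $current) {
        $then = $baseline | Where-Object { $_.DomainController -eq $now.DomainController }
        if (-not $then) {
            Write-Warning "$($now.DomainController): no baseline entry (new DC?)"
            continue
        }

        if ("$($then.InvocationId)" -ne "$($now.InvocationId)") {
            # The InvocationID was reset: either the safeguard fired after a VM-Generation ID
            # change (snapshot applied / VM copied) or the DC was restored from backup.
            # Confirm in the Directory Service event log and verify convergence with
            # repadmin /showrepl before treating replication as healthy.
            Write-Warning ("{0}: InvocationID changed {1} -> {2}" -f
                $now.DomainController, $then.InvocationId, $now.InvocationId)
        }
        elseif ([int64]$now.HighestUSN -lt [int64]$then.HighestUSN) {
            # USN went backwards under the SAME InvocationID: this is exactly the
            # divergent state the post describes (USN reused, replication never converges),
            # and it means the safeguards did not or could not intervene.
            Write-Warning ("{0}: USN rollback under unchanged InvocationID ({1} -> {2})" -f
                $now.DomainController, $then.HighestUSN, $now.HighestUSN)
        }
    }

    # Roll the baseline forward so the next run compares against today's state.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
}

Compare-DcInvocationBaseline
```

Run it once to write the baseline, then on a schedule. An InvocationID that changes without an accompanying VM-Generation ID change is worth a closer look, since the safeguard only resets the InvocationID when the hypervisor-reported generation differs from the value in the DIT.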
1) If a DC has been rolled back, FSMO role holders delay servicing FSMO functions until a replication cycle has completed.
2) One DC per domain MUST be hosted on a VM-Generation-ID-aware virtual platform, because the VM-Generation ID is provided by the hypervisor platform.