NVP-vProxy: Restore of AD domain controller VMs does not increment the GenerationID

NetWorker VMware Protection integration is configured with the vProxy Appliance. The restore of a Windows 2012 or newer Active Directory domain controller Virtual Machine (VM) does not update the msDS-GenerationId values. During domain controller startup, the msDS-GenerationId is evaluated to verify if the state of the VM has changed. As the msDS-GenerationId values remain the same as of the point of backup, this could potentially cause a USN rollback in the domain.

This is a known limitation in NetWorker. This information is documented in the "vProxy limitations and unsupported features" section of the Dell NetWorker VMware Integration Guide.

Request For Enhancement NW-I-649 has been opened regarding this functionality. Contact the Dell Sales Account Representative for more information.

Workaround:

1. Run "Restore as New" recovery of the Active Directory VM and do not choose the option to "power on automatically".
2. Allow the restore process to complete.
3. Take a snapshot when it is in the "powered off" state.
4. Run a revert to the snapshot and delete the snapshot.
5. Start the VM and the generationID updates.

The following Windows PowerShell command may be used to obtain the msDS-GenerationId values:

Import-module activedirectory ; (Get-ADObject "CN=,OU=Domain Controllers,DC=,DC=" -server dc -property msds-generationid).'msds-generationid'

Example output:

PS C:\Users\Administrator> Import-module activedirectory ; (Get-ADObject "CN=mydcname,OU=Domain Controllers,DC=mydomain,DC=com" -server mydcname.mydomain.com -property msds-generationid).'msds-generationid'
110
114
149
23
240
38
236
204

For more information, see VMware Virtualizing Active Directory Domain Services On VMware vSphere: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/solutions/virtualizing-active-directory-domain-services-on-vmware-vsphere.pdf