
Cloning virtualized domain controllers

Windows Server 2012 includes enhancements that ensure virtualized domain controllers work properly. After you virtualize the first domain controller in a domain, you can clone the machine to easily add additional domain controllers to the domain.

Using clones of virtualized domain controllers

When you clone a domain controller, you make a copy of an existing virtual domain controller's virtual hard disk or virtual machine. The clone domain controller determines that it is a copy because the value of the VM-Generation ID supplied by the virtual machine will be different from the value of the VM-Generation ID stored in the directory.

The clone also looks for a DCCloneConfig.xml file in the folder that holds the directory database, in %windir%\NTDS, or in the root of a removable media drive. Finding this file triggers an update in which the new VM-Generation ID is stored in the directory, the clone's invocationID is reset, and any update sequence numbers (USNs) previously allocated from the RID pool are discarded.

The clone then continues provisioning itself. Using the security context of the domain controller whose copy it represents, the clone contacts the PDC emulator, which also must be running Windows Server 2012 but doesn't have to be running in a virtualized environment. The PDC emulator verifies that the requesting domain controller is authorized for cloning.

Once the PDC emulator verifies the clone, the PDC emulator creates a new machine identity, including a new security identifier, account, and password that identify the clone as a replica domain controller, and then sends this information back to the clone. The clone uses this information to finalize the configuration of Active Directory Domain Services.

Note:
You can create multiple clones at the same time in batches. Generally, you should not try to create more than 16 clones at the same time. This number is controlled by the maximum number of outbound replication connections, which is 16 by default for Distributed File System Replication.

Creating a clone virtualized domain controller

Deploying a clone virtualized domain controller is a multistep process that involves the following steps:

  1. Granting the source virtualized domain controller the permission to be cloned. Any virtualized domain controller in the domain can be prepared for cloning. In Active Directory Administrative Center, press and hold or right-click the source virtualized domain controller and then choose Add To Group. In the Select Groups dialog box, type Cloneable Domain Controllers and then click OK. Once the group membership change is replicated to the PDC emulator, you can continue. If the Cloneable Domain Controllers group is not found, the PDC emulator might not be hosted on a domain controller that runs Windows Server 2012, which is a prerequisite.

    Remember:
    Don't add servers to the Cloneable Domain Controllers group until you are ready to perform cloning operations. After cloning operations are complete and you verify the operation, remove the servers from the Cloneable Domain Controllers group.

  2. On the source virtualized domain controller, run the Get-ADDCCloningExcludedApplicationList cmdlet at an elevated PowerShell prompt to identify installed applications or services on the source domain controller that have not been evaluated for cloning. Either correct any issues with these applications and services or remove them prior to cloning. For any remaining applications and services that can be safely cloned, run the command again with the -GenerateXML parameter. This provisions the applications and programs in the CustomDCCloneAllowList.xml file.
  3. On the source virtualized domain controller, run the New-ADDCCloneConfigFile cmdlet at an elevated PowerShell prompt to generate the configuration file for the clone. Set the host name, TCP/IP configuration, and optionally, the Active Directory site, as shown in this example:
    New-ADDCCloneConfigFile -CloneComputerName "VCorpServer18" -Static `
        -IPv4Address "192.168.10.34" -IPv4SubnetMask "255.255.255.0" `
        -IPv4DefaultGateway "192.168.10.1" -IPv4DNSResolver "192.168.10.38" `
        -SiteName "Seattle-First-Site"
  4. Export a copy of the virtualized domain controller. Before you can copy the virtualized domain controller, you must shut down the source domain controller and then delete any associated snapshots. Deleting snapshots merges any AVHD files into the base VHD, which ensures that you create a clone from the newest directory version and get the correct configuration. To shut down the source domain controller, enter the following at an elevated PowerShell prompt:
    Stop-VM -Name SourceDC -ComputerName HyperVHost
    Here, SourceDC is the source virtualized domain controller and HyperVHost is the server hosting the virtualized domain controller, such as
    Stop-VM -Name VCorpServer01 -ComputerName VHostServer12
    To delete snapshots of the source domain controller, enter the following at an elevated PowerShell prompt:
    Get-VMSnapshot SourceDC | Remove-VMSnapshot -IncludeAllChildSnapshots
    Here, SourceDC is the source virtualized domain controller, such as
    Get-VMSnapshot VCorpServer01 | Remove-VMSnapshot -IncludeAllChildSnapshots
    Finally, copy the virtualized domain controller. To do this, enter the following at an elevated PowerShell prompt:
    Export-VM -Name SourceDC -ComputerName HyperVHost -Path FolderPath
    Here, SourceDC is the source virtualized domain controller, HyperVHost is the server hosting the virtualized domain controller, and FolderPath sets the save location such as
    Export-VM -Name VCorpServer01 -ComputerName VHostServer12 -Path d:\VMs\VServer01
  5. Import the copy of the virtualized source domain controller, and rename it. If you plan to run the virtualized domain controller on a different Hyper-V host, copy the contents of the save folder to a folder on that host. Import the virtualized source domain controller by entering the following at an elevated PowerShell prompt:
    Import-VM -Path FolderPath -Copy -GenerateNewId
    Here, FolderPath sets the folder path to the save location such as
    Import-VM -Path d:\VMs\VServer01 -Copy -GenerateNewId
    Rename the virtualized source domain controller by entering the following at an elevated PowerShell prompt:
    Rename-VM -Name OrigDCName -NewName NewDCName
    Here, OrigDCName is the name of the original source domain controller and NewDCName is the new name for the new virtualized domain controller, such as
    Rename-VM -Name VCorpServer01 -NewName VCorpServer02
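The five steps above, carried through as one script. This is an added example, not the book's own code: it runs from an elevated PowerShell prompt on the Hyper-V host with the ActiveDirectory and Hyper-V modules installed, replaces the Active Directory Administrative Center step with the equivalent Add-ADGroupMember call, and waits for the membership to reach the PDC emulator before continuing. The host, VM, path and address values (VHostServer12, VCorpServer01, VCorpServer02, d:\VMs, 192.168.10.x, Seattle-First-Site) are assumptions, as is the layout of the export folder that Import-VM is pointed at.

```powershell
# Added example (not from the book). Run on the Hyper-V host from an elevated prompt.
#Requires -RunAsAdministrator
param(
    [string]$SourceDc   = 'VCorpServer01',   # source virtualized DC (VM name and host name assumed equal)
    [string]$CloneName  = 'VCorpServer02',   # host name and VM name of the new clone
    [string]$HyperVHost = 'VHostServer12',   # Hyper-V host (assumed)
    [string]$ExportRoot = 'd:\VMs'           # save location for the export (assumed)
)
Import-Module ActiveDirectory, Hyper-V -ErrorAction Stop

# Step 1: grant the cloning permission, then wait until the PDC emulator sees it,
# because the PDC emulator is the DC that authorizes the clone later on.
$pdc = (Get-ADDomain).PDCEmulator
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $SourceDc)
do {
    Start-Sleep -Seconds 15
    $members = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' -Server $pdc
} until ($members.Name -contains $SourceDc)

# Steps 2 and 3, executed on the source DC: list software not evaluated for cloning,
# write the allow list, and generate DCCloneConfig.xml for the clone.
Invoke-Command -ComputerName $SourceDc -ArgumentList $CloneName -ScriptBlock {
    param($clone)
    $excluded = Get-ADDCCloningExcludedApplicationList
    if ($excluded) {
        # Review this list: anything here must be fixed, removed, or consciously allowed.
        $excluded | Format-Table Name, Type -AutoSize | Out-String | Write-Warning
        Get-ADDCCloningExcludedApplicationList -GenerateXml -Force   # writes CustomDCCloneAllowList.xml
    }
    New-ADDCCloneConfigFile -CloneComputerName $clone -Static `
        -IPv4Address '192.168.10.35' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '192.168.10.1' -IPv4DNSResolver '192.168.10.38' `
        -SiteName 'Seattle-First-Site'
}

# Step 4: shut the source down, merge away every snapshot, and export it.
Stop-VM -Name $SourceDc -ComputerName $HyperVHost
Get-VMSnapshot -VMName $SourceDc -ComputerName $HyperVHost |
    Remove-VMSnapshot -IncludeAllChildSnapshots
Export-VM -Name $SourceDc -ComputerName $HyperVHost -Path $ExportRoot

# Step 5: import the export as a new VM and rename it. Export-VM places the VM
# configuration under <ExportRoot>\<VMName>\Virtual Machines (assumed layout);
# Import-VM is pointed at that .xml file. Each clone gets its own folder so that
# several clones can be imported from the same export without colliding.
$cloneRoot = Join-Path $ExportRoot $CloneName
$config = Get-ChildItem -Path (Join-Path $ExportRoot "$SourceDc\Virtual Machines") -Filter '*.xml' |
    Select-Object -First 1
$vm = Import-VM -Path $config.FullName -Copy -GenerateNewId `
        -VirtualMachinePath $cloneRoot -VhdDestinationPath $cloneRoot `
        -SnapshotFilePath $cloneRoot -SmartPagingFilePath $cloneRoot
Rename-VM -VM $vm -NewName $CloneName
```

To create a second clone from the same export, rerun only the last block with a different $CloneName (and a matching DCCloneConfig.xml generated beforehand); the source stays off until the finalizing steps.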

While the source domain controller is offline, you can create multiple clones as well. Simply repeat the import-and-rename process, making sure each clone has a different save location for its required files. You can use the -VhdDestinationPath parameter to set the location for a virtual machine's virtual hard disks, the -SnapshotFilePath parameter to set the path for the snapshot store, the -SmartPagingFilePath parameter to set the path for the smart paging folder, and the -VirtualMachinePath parameter to set the path for the virtual machine configuration folder. These paths can all be set to the same destination.

Finalizing the clone deployment

After you export, copy, and import the clone or clones, you can finalize the deployment. To do this, follow these steps:

  1. Restart the source domain controller to bring it back online. To start the source domain controller, enter the following at an elevated PowerShell prompt:
    Start-VM -Name SourceDC -ComputerName HyperVHost
    Here, SourceDC is the source virtualized domain controller and HyperVHost is the server hosting the virtualized domain controller, such as
    Start-VM -Name VCorpServer01 -ComputerName VHostServer12
  2. Start each clone in turn to bring it online for the first time. To start a clone, enter the following at an elevated PowerShell prompt:
    Start-VM -Name NewDC -ComputerName HyperVHost
    Here, NewDC is the name of the clone and HyperVHost is the server hosting the virtualized domain controller, such as
    Start-VM -Name VCorpServer02 -ComputerName VHostServer45
  3. Ensure the cloning completed successfully by logging on to the clone and checking its configuration. If you can't log on normally, the clone might be operating in Directory Services Recovery Mode. At this point, simply restarting the clone might resolve the problem.
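The three finalizing steps as a host-side script, added here and not part of the book. It starts the source first, then each clone, and treats a clone as finished only when dcdiag reports that it is advertising; a clone that never advertises is the case the text describes (possibly stuck in Directory Services Recovery Mode) and is reported rather than restarted blindly. Once every clone is up, the source is removed from Cloneable Domain Controllers again, as the earlier Remember note asks, and the remaining membership is listed so it can be audited. It assumes dcdiag.exe (RSAT AD DS tools) on the host and the same assumed names as before.

```powershell
# Added example (not from the book). Run on the Hyper-V host from an elevated prompt.
#Requires -RunAsAdministrator
param(
    [string]$SourceDc    = 'VCorpServer01',                    # assumed
    [string]$HyperVHost  = 'VHostServer12',                    # assumed
    [string[]]$Clones    = @('VCorpServer02', 'VCorpServer03'), # assumed clone names
    [int]$TimeoutMinutes = 30
)
Import-Module ActiveDirectory, Hyper-V -ErrorAction Stop

# Step 1: the source comes back first; the clones use its security context to reach
# the PDC emulator, so it has to be online before they boot.
Start-VM -Name $SourceDc -ComputerName $HyperVHost

# dcdiag's /s: switch targets a DC remotely, so nothing has to run inside the clone.
function Test-DcAdvertising([string]$Dc) {
    $out = & dcdiag.exe /s:$Dc /test:Advertising 2>&1 | Out-String
    return ($out -match 'passed test Advertising')
}

# Steps 2 and 3: start each clone in turn and wait for it to advertise.
$results = @{}
foreach ($clone in $Clones) {
    Start-VM -Name $clone -ComputerName $HyperVHost
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $ok = $false
    while (-not $ok -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 60
        $ok = Test-DcAdvertising $clone
    }
    $results[$clone] = $ok
    if (-not $ok) {
        Write-Warning ("{0} is not advertising after {1} minutes; it may be in Directory Services " +
                       "Recovery Mode. Review its System, Directory Service and Dcpromo logs." -f $clone, $TimeoutMinutes)
    }
}

# Cleanup: the cloning permission should not outlive the operation. Only remove the
# source once every clone finished, so a retry does not need the membership re-added.
if (-not ($results.Values -contains $false)) {
    Remove-ADGroupMember -Identity 'Cloneable Domain Controllers' `
        -Members (Get-ADComputer $SourceDc) -Confirm:$false
}
# Anything still listed here is a DC that can clone itself; it should be empty between operations.
Get-ADGroupMember -Identity 'Cloneable Domain Controllers' | Select-Object Name, objectClass
```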

Troubleshooting the clone deployment

If the clone does not return to a normal mode on the next reboot, try logging on using Directory Services Recovery Mode. Type .\Administrator as the user and the DSRM password. You'll find errors related to cloning by reviewing the following:

  • The System event log
  • The Directory Service event log
  • The Dcpromo log

In the Dcpromo log, which is stored in the %SystemRoot%\Debug folder, look for entries regarding the state of the directory-cloning process. If the entries state that cloning cannot be retried, the virtual machine could not be set up as a clone virtualized domain controller. Delete the virtual machine on the Hyper-V host and re-create the clone.

If the errors you see relate to cloning and cloning can be retried, you need to remove the DS Restore Mode boot flag so that Active Directory Domain Services can configure itself again. To do this, follow these steps:

  1. After you fix the cause of any errors, type msconfig in the Apps Search box and then press Enter to start the System Configuration utility. Alternatively, you could press Windows key + R, type msconfig, and then press Enter.
  2. On the Boot tab, under Boot Options, clear Safe boot and then tap or click OK. When prompted to restart the server, tap or click Yes.
  3. When the virtual machine restarts, Active Directory attempts to finalize the cloning and provision itself again. Log on to the clone, and determine whether the issues are resolved.

If entries in the Dcpromo log indicate cloning succeeded, other types of issues might relate to the following items:

  • Promotion, the directory configuration, incompatible applications, and services in the allow list (CustomDCCloneAllowList.xml). Incompatible applications and services must be removed.
  • Invalid or duplicated IP address or other improper TCP/IP settings or an invalid Active Directory site listed in the config file (Dccloneconfig.xml). TCP/IP and site settings must be corrected as appropriate.
  • Invalid or duplicate MAC address. The machine address must be valid and unique.
  • An invalid or duplicate host name. The clone cannot have the same host name as the source domain controller.
  • The PDC emulator being unavailable. The PDC emulator must be reachable by a remote procedure call (RPC).
  • The domain controller not having appropriate permissions. The domain controller must be a member of Cloneable Domain Controllers. The Allow A DC To Create A Clone Of Itself permission must be set on the domain root for the Cloneable Domain Controllers group.

If the domain controller is not advertising itself as available, check the Directory Service, System, Application, and DFS Replication event logs for errors and take corrective action as appropriate. Otherwise, if the domain controller is advertising itself as available, troubleshoot as you would any other newly promoted domain controller.
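The troubleshooting walk-through above, condensed into a triage script that runs inside a clone after logging on in Directory Services Recovery Mode. It is an added example, not the book's code. It pulls the cloning-related lines from the Dcpromo log (%SystemRoot%\Debug\dcpromo.log) and the warnings and errors from the Directory Service, System and DFS Replication event logs, and it clears the DS Restore Mode boot flag with bcdedit, which has the same effect as clearing Safe boot in msconfig, but only when the log says cloning can be retried. The exact phrases it searches for ('can be retried', 'cannot be retried', 'succe') are assumptions about the log wording and should be adjusted to what the log on the clone actually shows.

```powershell
# Added example (not from the book). Run inside the clone, in DSRM, from an elevated prompt.
#Requires -RunAsAdministrator

# Classifies the cloning state from dcpromo.log. The matched phrases are assumptions.
function Get-CloneLogState {
    $log = Join-Path $env:SystemRoot 'Debug\dcpromo.log'
    if (-not (Test-Path $log)) { return 'NoLog' }
    $lines = Get-Content $log | Where-Object { $_ -match 'clon' }
    $lines | Select-Object -Last 20 | ForEach-Object { Write-Host $_ }
    if ($lines -match 'cannot be retried') { return 'NotRetryable' }
    if ($lines -match 'can be retried')    { return 'Retryable' }
    if ($lines -match 'succe')             { return 'Succeeded' }
    return 'Unknown'
}

# Recent critical/error/warning events that mention cloning, the VM-Generation ID, or DSRM.
function Get-CloneEvents {
    foreach ($name in 'Directory Service', 'System', 'DFS Replication') {
        Get-WinEvent -FilterHashtable @{ LogName = $name; Level = 1, 2, 3 } -MaxEvents 200 -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'clon|generation id|dsrepair' } |
            Select-Object TimeCreated, LogName, Id, Message
    }
}

# The DS Restore Mode boot flag is the "safeboot DsRepair" entry on the current boot loader.
function Test-DsrmBootFlag {
    return ((& bcdedit.exe /enum '{current}' | Out-String) -match 'safeboot\s+DsRepair')
}
function Clear-DsrmBootFlag {
    # Equivalent to clearing Safe boot on the Boot tab of msconfig.
    & bcdedit.exe /deletevalue '{current}' safeboot | Out-Null
}

Get-CloneEvents | Format-Table -AutoSize -Wrap
switch (Get-CloneLogState) {
    'NotRetryable' { Write-Warning 'Cloning cannot be retried: delete this VM on the Hyper-V host and re-create the clone.' }
    'Retryable' {
        if (Test-DsrmBootFlag) {
            Clear-DsrmBootFlag
            Write-Host 'DSRM boot flag cleared. Fix the reported cause, then restart so AD DS can provision itself again.'
        } else {
            Write-Host 'No DSRM boot flag set; restart and check whether the clone provisions normally.'
        }
    }
    'Succeeded' { Write-Host 'Cloning succeeded. Check TCP/IP and site settings, MAC address, host name, PDC emulator reachability and group membership instead.' }
    default     { Write-Host 'No cloning state found in dcpromo.log; review the events listed above.' }
}
```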
