Cloned virtualized domain controller (cloning a virtualized deployment of DCs)


Before Windows Server 2012, adding another virtual domain controller meant promoting a new server and populating its Active Directory database in one of two ways: replication over the network, or Install From Media (IFM). If the database (NTDS.DIT) is large, both take a significant amount of time.

In Windows Server 2012, cloning a virtual domain controller is no longer this cumbersome. Server 2012 introduces a cloning capability that speeds up the deployment of additional domain controllers and saves the per-server configuration time during rapid deployments.

A Windows Server 2012 virtual domain controller running on Hyper-V or on VMware vSphere can detect that it is running on a virtualization platform, which is a significant improvement over virtual domain controllers running Windows Server 2008 R2 or earlier.

A Windows Server 2012 domain controller running on such a virtualization platform includes both cloning and virtualization safe restore, and these features cannot be disabled.

To prevent replication problems such as USN rollback and lingering objects after a snapshot is restored, Microsoft changed the Hyper-V hypervisor to expose a VM-Generation ID (VM-GenID) to the guest. When a Windows Server 2012 domain controller sees the VM-GenID change, it treats itself as a new instance (for example, it discards its RID pool and resets its invocation ID), which is what allows a virtual domain controller to be cloned or restored safely and then replicate successfully.

First, installation notes

Virtualized domain controller cloning does not require any special role or feature installation; every Windows Server 2012 domain controller includes the cloning and safe restore features automatically. These features cannot be removed or disabled.

A Windows Server 2012 domain controller requires AD DS schema version 56 or later and a forest functional level of Windows Server 2003 native or later.

Both writable and read-only domain controllers support all aspects of virtualized DCs, as do global catalogs and FSMO role holders.

When cloning begins, the holder of the PDC emulator FSMO role must be online.

Second, platform requirements

Virtualized domain controller cloning requires:

    • The PDC emulator FSMO role hosted on a Windows Server 2012 domain controller

    • The PDC emulator available during the cloning operation

Both cloning and safe restore require:

    • Windows Server 2012 as the virtualization guest

    • A virtualization host platform that supports VM-Generation ID (VM-GenID)

Third, virtualized domain controller cloning

At several points in the process you can choose how the cloned computer is created and how the clone configuration XML file is supplied, as detailed in the steps below. Otherwise, the order of the procedure cannot be changed.

The following describes the cloning process for a virtualized domain controller in a domain that already exists.


Step 1 Verify the hypervisor

Ensure that the source domain controller is running on a supported hypervisor by reviewing the vendor documentation. Virtualized domain controller cloning is independent of the hypervisor and does not require Hyper-V.

If the hypervisor is Microsoft Hyper-V, make sure it is the version that ships with Windows Server 2012. You can verify this from inside the guest with Device Manager.

Open devmgmt.msc and check the installed Microsoft Hyper-V devices and drivers under System devices. The specific system device that a virtualized domain controller needs is the Microsoft Hyper-V Generation Counter (driver: vmgencounter.sys).


Step 2 Verify the PDCE FSMO role

Before you attempt to clone a DC, verify that the domain controller holding the primary domain controller (PDC) emulator FSMO role is running Windows Server 2012. The PDC emulator (PDCE) is required for several reasons:

    • The PDCE creates the special Cloneable Domain Controllers group and sets a permission on the domain root that allows members of that group to clone themselves.

    • The clone contacts the PDCE directly over the DRSUAPI RPC protocol to create the computer object for the cloned DC.

In the Active Directory Users and Computers snap-in (dsa.msc), right-click the domain and click Operations Masters. On the PDC tab, note the name of the domain controller, then close the dialog box.


Right-click the computer object for the DC, click Properties, and then verify the operating system information.


Step 3 Grant the source DC permissions

Grant the permission that allows the DC to be cloned:

Add the computer account of the domain controller that will be cloned to the Cloneable Domain Controllers group.


Step 4 Remove incompatible applications or services (optional if you use CustomDCCloneAllowList.xml)

Before cloning, you must remove any program or service that is returned by Get-ADDCCloningExcludedApplicationList and has not been added to CustomDCCloneAllowList.xml. Uninstalling the application or service is the recommended method.

Any incompatible program or service that is neither uninstalled nor added to CustomDCCloneAllowList.xml will block cloning.

Use the Get-ADComputerServiceAccount cmdlet to find any standalone managed service accounts (MSAs) in the domain and check whether any of them are used by this computer. If an MSA is installed, use Uninstall-ADServiceAccount to remove the locally installed service account. After the source domain controller has been taken offline in step 6 and the server comes back online, you can use Install-ADServiceAccount to re-add the MSA.

In Windows Server 2012, the standalone MSA (first introduced in Windows Server 2008 R2) was superseded by the group MSA (gMSA). gMSAs support cloning.

Check the currently installed services for any that are not known to be safe for cloning.


If there are any, troubleshoot the service and either uninstall it or generate the exclusion (allow list) file.
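As an added example (not part of the original article), the following PowerShell script runs the checks from the installation notes, the platform requirements and steps 1 to 4 in a single pass on the source domain controller. It assumes an elevated PowerShell session on the Windows Server 2012 source DC with the ActiveDirectory module installed; the cmdlets used are those from that module and from Windows itself, and the only change the script makes is adding the source DC to Cloneable Domain Controllers when it is not already a member.

```powershell
# Added example (not from the original article): pre-flight checks on the SOURCE
# domain controller covering the prerequisites above and steps 1 to 4.
# Assumptions (not stated on the page): run in an elevated PowerShell on the
# Windows Server 2012 source DC with the ActiveDirectory module available.
Import-Module ActiveDirectory

$source   = $env:COMPUTERNAME
$domain   = Get-ADDomain
$forest   = Get-ADForest
$rootDse  = Get-ADRootDSE -Server $source
$problems = @()

# --- Prerequisites: schema version 56 or later, forest functional level >= 2003 ---
$schema = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
if ($schema.objectVersion -lt 56) {
    $problems += "Schema version is $($schema.objectVersion); Windows Server 2012 (56) or later is required"
}
if ([int]$forest.ForestMode -lt [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest) {
    $problems += "Forest functional level $($forest.ForestMode) is below Windows Server 2003"
}

# --- Step 1: the hypervisor exposes a VM-Generation ID to this guest ---
# On Hyper-V the guest sees the 'Microsoft Hyper-V Generation Counter' device
# (vmgencounter.sys); other hypervisors expose the ID through their own device.
$genCounter = Get-WmiObject Win32_PnPEntity |
    Where-Object { $_.Name -eq 'Microsoft Hyper-V Generation Counter' }
# Once the DC has read the VM-GenID it records it in the non-replicated
# msDS-GenerationId attribute of its own computer object, so query the local DC.
$genId = (Get-ADComputer -Identity $source -Server $source -Properties 'msDS-GenerationId').'msDS-GenerationId'
if (-not $genCounter -and -not $genId) {
    $problems += "No VM-Generation ID detected: cloning and safe restore are unavailable on this host"
}

# --- Step 2: the PDC emulator is a Windows Server 2012 DC and is online ---
$pdce    = Get-ADDomainController -Identity $domain.PDCEmulator
$pdceObj = Get-ADComputer -Identity $pdce.ComputerObjectDN -Properties OperatingSystem, OperatingSystemVersion
# OperatingSystemVersion looks like "6.2 (9200)"; 6.2 is Windows Server 2012.
if ($pdceObj.OperatingSystemVersion) {
    $pdceVer = [version]($pdceObj.OperatingSystemVersion -replace '\s.*$', '')
    if ($pdceVer -lt [version]'6.2') {
        $problems += "PDCE $($pdce.HostName) runs $($pdceObj.OperatingSystem) ($pdceVer); Windows Server 2012 is required"
    }
}
if (-not (Test-Connection -ComputerName $pdce.HostName -Count 1 -Quiet)) {
    $problems += "PDCE $($pdce.HostName) is not reachable"
}

# --- Step 3: source DC is in Cloneable Domain Controllers, and that group holds
#     the 'Allow a DC to create a clone of itself' right on the domain root ---
$dcObj  = Get-ADComputer -Identity $source
$group  = Get-ADGroup -Identity 'Cloneable Domain Controllers'
$member = Get-ADGroupMember -Identity $group |
    Where-Object { $_.distinguishedName -eq $dcObj.DistinguishedName }
if (-not $member) {
    Add-ADGroupMember -Identity $group -Members $dcObj   # this is the step 3 change itself
    Write-Host "Added $source to $($group.Name)"
}
# Look the control access right up by display name rather than hard-coding its GUID.
$right = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Allow a DC to create a clone of itself))' `
    -Properties rightsGuid
$ace = (Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
    Where-Object { $right -and $_.ObjectType -eq [guid]$right.rightsGuid -and
                   $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference -like '*\Cloneable Domain Controllers' }
if (-not $ace) {
    $problems += "Cloneable Domain Controllers lacks the clone right on $($domain.DistinguishedName); the PDCE normally sets it"
}

# --- Step 4: programs/services not known to be clone-safe, and standalone MSAs ---
$excluded = Get-ADDCCloningExcludedApplicationList
foreach ($app in $excluded) {
    $problems += "Excluded $($app.Type) '$($app.Name)': uninstall it, or vet it and add it to CustomDCCloneAllowList.xml " +
                 "(Get-ADDCCloningExcludedApplicationList -GenerateXml -Force writes that file)"
}
$msas = Get-ADComputerServiceAccount -Identity $source |
    Where-Object { $_.ObjectClass -eq 'msDS-ManagedServiceAccount' }   # standalone MSA, not gMSA
foreach ($msa in $msas) {
    $problems += "Standalone MSA $($msa.Name) is installed: run Uninstall-ADServiceAccount $($msa.Name) before cloning"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "$source passes the cloning pre-flight checks" }
```

The script only reports findings for the schema, forest level, VM-GenID, PDCE, ACL, excluded applications and MSAs, so that the administrator decides whether to uninstall a flagged program or vet it into CustomDCCloneAllowList.xml; the control access right is looked up by its display name in the configuration partition, which avoids embedding a GUID that is easy to mistype.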


To be Continued ...

This article is from the "Liu Daojun blog" blog; please keep this source attribution when reproducing it.
