Cloning Virtual Domain Controllers in Windows Server 2012

Monday Apr 1st 2013 by Nirmal Sharma

Discover how the new cloning feature in Windows Server 2012 can simplify building a new additional domain controller as well as save time when provisioning domain controllers for rapid deployment.

In versions of Microsoft Windows Server prior to Windows Server 2012, the process of adding an additional virtual domain controller involved copying data using one of two options during the domain controller promotion process: "Replicate over the Network" or "Using IFM Media."

Depending on the size of the database (NTDS.DIT), it can take a considerable amount of time to copy the Active Directory database with either option.

The new cloning feature introduced in Windows Server 2012, however, not only speeds up the process for building a new additional domain controller but also saves time when it comes to provisioning domain controllers for rapid deployment.

A Windows Server 2012 virtual domain controller running on Hyper-V 3.0 (the Hyper-V that ships with Windows Server 2012) or on VMware vSphere 5.1 can tell that it is running on a virtualization platform, because the hypervisor exposes a VM-Generation-ID to the guest. This is a significant change from virtual domain controllers running Windows Server 2008 R2 and earlier, which had no way to detect that a snapshot had been applied or that the machine had been copied.

When a Windows Server 2012 domain controller detects such a platform it gains two capabilities, cloning and safe restore, and neither can be switched off. This article concentrates on the cloning process; safe restore (protection against USN rollback when an old snapshot is applied) is left for another time.

To let a domain controller detect that it has been rolled back to a snapshot or copied, and so avoid the USN rollback and lingering objects that used to follow, Microsoft modified the Hyper-V hypervisor to expose a capability called VM-Generation-ID. It is the VM-Generation-ID (VMGID) that allows a Windows Server 2012 virtual domain controller to be cloned safely.

Overview

Beginning with Windows Server 2012 there are two copies of this identifier. The hypervisor keeps a VM-Generation-ID in the virtual machine's instance configuration and presents it to the guest (it changes whenever the VM is copied or a snapshot is applied). The domain controller, in turn, records the value it last saw in a new Active Directory attribute on its own computer object, msDS-GenerationId.

When a Windows Server 2012 virtual domain controller starts, it compares the msDS-GenerationId value stored in its directory with the VM-Generation-ID reported by the hypervisor. If they differ, the domain controller knows that either a snapshot has been applied or it has been cloned, and it discards its RID pool and resets its invocation ID before doing anything else. What tells the two cases apart is the presence of a DCCloneConfig.xml file in the NTDS folder: with the file the domain controller runs the cloning process, without it the domain controller performs a safe restore. This is why Active Directory administrators can clone a Windows Server 2012 virtual domain controller without the risks that copying a domain controller used to carry.

Requirements

The following requirements are imposed to successfully clone a Virtual Domain Controller:

  • Virtualization platform that supports VMGID. VMGID is currently supported on Hyper-V 3.0 on Windows Server 2012 and on VMware vSphere 5.1
  • Windows Server 2012 operating system running as a Guest Domain Controller
  • PDC Emulator to be available on a Windows Server 2012 Domain Controller before the cloning process begins.
  • Forest Functional Level to be Windows Server 2003 or higher
  • Schema version should be set to 56.
  • Cloneable Domain Controllers group and permissions set on Domain Naming Context of the Source Virtual Domain Controller

Note: The PDC Emulator must be running on a Windows Server 2012 domain controller for two reasons:

  1. A special Cloneable Domain Controllers group is created in Active Directory and granted the cloning permission on the root of the domain naming context. The group has no members by default. When the PDC Emulator role is transferred from an earlier domain controller to a Windows Server 2012 domain controller, the new role holder creates this group if it does not already exist.
  2. The domain controller being cloned contacts the PDC Emulator directly over the DRSUAPI RPC interface to have the computer object for the new domain controller created. An earlier PDC Emulator does not implement that call.

Cloning

The safe cloning feature of VM-Generation-ID provides an opportunity to clone the Windows Server 2012 domain controller successfully. At a high level, the process for cloning involves the following steps:

  • Preparing the environment
  • Authorizing a domain controller as a source for the cloning
  • Reviewing and generating the list of applications and services
  • Configuring the source domain controller
  • Exporting, copying, importing and renaming the source domain controller as a new virtual machine
  • Starting the new virtual machine
  • Wrapping up

1. Preparing the environment

As part of preparing the environment, you verify two things: that the driver exposing the VM-Generation-ID is present in the source domain controller, and that the PDC Emulator role is held by a Windows Server 2012 domain controller.

Checking availability of VM-Generation-ID Driver

A Windows Server 2012 guest running on Hyper-V 3.0 loads a driver called Microsoft Hyper-V Generation Counter (vmgencounter.sys). This driver reads the VM-Generation-ID that the hypervisor exposes and hands it to the directory service; without it the domain controller cannot notice that it has been cloned. The device is listed in Device Manager inside the guest (the domain controller VM itself, not the Hyper-V host) under System devices as "Microsoft Hyper-V Generation Counter".

Checking the PDC Emulator Role and the cloning permission

Confirm which domain controller holds the PDC Emulator role and that it runs Windows Server 2012. Then confirm that the cloning permission is in place: the source domain controller must hold the control access right (CAR) "Allow a DC to create a clone of itself" on the domain naming context head. By default this right is granted to the well-known group Cloneable Domain Controllers, which has no members. The PDC Emulator creates the group when that FSMO role is transferred to (or seized by) a Windows Server 2012 domain controller, so if the group is missing, check the role holder first.


2. Authorizing a domain controller as a source for the cloning

Add the source domain controller computer object to the Cloneable Domain Controllers security group so that this domain controller can be used for the cloning. The cloning process checks to see if the current domain controller is designated for cloning virtual domain controllers.
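The following script is an added example, not code from the original article or from Microsoft, that performs the checks of step 1 and the authorization of step 2 in one pass. It is meant to be run in an elevated PowerShell session on the source virtual domain controller; the computer name is taken from the local machine and everything else is discovered from the directory, so no names need to be edited.

```powershell
# Added example: pre-flight checks for DC cloning, run on the source virtual DC itself.
Import-Module ActiveDirectory

$sourceDc = $env:COMPUTERNAME
$problems = @()

# 1a. The VM-Generation-ID device must exist in THIS guest, not on the Hyper-V host.
$vmgen = Get-WmiObject Win32_PnPEntity -Filter "Name LIKE '%Hyper-V Generation Counter%'"
if (-not $vmgen) { $problems += "VM-Generation-ID device (vmgencounter.sys) not present in this guest" }

# 1b. The DC should already have recorded a generation ID on its computer object.
$me = Get-ADComputer -Identity $sourceDc -Properties 'msDS-GenerationId'
if (-not $me.'msDS-GenerationId') { $problems += "msDS-GenerationId is empty on $sourceDc" }

# 1c. The PDC emulator must run Windows Server 2012 (adjust the pattern for later releases).
$pdce = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdce.OperatingSystem -notmatch 'Windows Server 2012') {
    $problems += "PDCE $($pdce.HostName) runs '$($pdce.OperatingSystem)'; Windows Server 2012 is required"
}

# 1d. Schema version 56 is the Windows Server 2012 schema; forest level must be 2003 or higher.
$schema = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
if ($schema.objectVersion -lt 56) { $problems += "Schema version is $($schema.objectVersion); 56 is required" }
$ffl = (Get-ADForest).ForestMode.ToString()
if ($ffl -in 'Windows2000Forest', 'Windows2003InterimForest') {
    $problems += "Forest functional level is $ffl; Windows Server 2003 or higher is required"
}

# 1e. The well-known group is created by the PDCE once the role sits on a 2012 DC.
$group = Get-ADGroup -Filter "Name -eq 'Cloneable Domain Controllers'" -Properties Members
if (-not $group) { $problems += "'Cloneable Domain Controllers' group not found; check the PDCE role holder" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Prerequisites not met; fix the items above before cloning."
}

# 2. Authorize only this DC, and only while the cloning work is in progress.
if ($group.Members -notcontains $me.DistinguishedName) {
    Add-ADGroupMember -Identity $group -Members $me
    Write-Host "Added $sourceDc to Cloneable Domain Controllers"
}
# Show who is currently allowed to clone; anything other than the source DC is a finding.
(Get-ADGroupMember -Identity $group).Name
```

Membership in Cloneable Domain Controllers is effectively the right to mint a new domain controller from a copy of the directory, so treat it like any other sensitive group: the final line is there so that stale members stand out, and step 7 removes the source again when you are done.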


3. Reviewing the list of applications and Services

As part of this process, you need to review the list of applications and services installed on the source domain controller which will be included in the cloning.

Many applications and services store machine-specific state, such as the computer name, security identifiers, certificates or their own generated identifiers, and will misbehave when that state is copied to a second machine. The cmdlet below compares the programs and services installed on the source domain controller with Microsoft's default allow list (DefaultDCCloneAllowList.xml in %SystemRoot%\System32) and reports anything not on it. Cloning will not proceed while such items remain: each one must either be uninstalled or explicitly added to the custom allow list.

To get the list of applications and services installed, run the following PowerShell command:

Get-ADDCCloningExcludedApplicationList

Once you have the list, check with each application vendor whether the product supports being cloned. When you have decided which of the reported applications may stay, generate a CustomDCCloneAllowList.XML file containing them with the following command (add -Force to overwrite an existing file):

Get-ADDCCloningExcludedApplicationList -GenerateXML

The CustomDCCloneAllowList.XML file is written to the %SystemRoot%\NTDS folder by default. Note that the generated file allows everything that was reported, so edit it down to the applications the vendor has actually confirmed, and uninstall the rest, before continuing.


4. Configuring the source domain controller

At this stage, a PowerShell command is run to generate the DCCloneConfig.XML file in the %SystemRoot%\NTDS folder. The file contains the configuration the cloned domain controller applies on first boot (computer name, site and IP settings). A sample file, SampleDCCloneConfig.XML, exists in the %SystemRoot%\System32 folder. The cmdlet also re-runs the prerequisite checks (group membership, PDC Emulator version, application allow list) and refuses to write the file if any of them fails.

Run the following PowerShell command to generate the DCCloneConfig.XML file:

New-ADDCCloneConfigFile -CloneComputerName "Name_of_New_DC" -SiteName "Name_of_AD_Site" `
    -Static -IPv4Address "IP_Address_of_New_DC" -IPv4SubnetMask "Subnet_Mask_for_New_DC" `
    -IPv4DefaultGateway "Gateway_For_New_DC" -IPv4DNSResolver "IP_Address_of_DNS_Server"

Once the cloning file is generated, shut down the Source Virtual Domain Controller by running the following PowerShell command or using Hyper-V Manager:

Stop-VM -Name "SourceDC" -ComputerName "HyperVHost"


5. Exporting, copying, importing and renaming the source domain controller as a new virtual machine

At this point, the source domain controller is shut down with the cloning configuration files in place. Run the following PowerShell commands on, or against, the Hyper-V host to export, import and rename the source domain controller.

To export the virtual machine of the source domain controller:

Export-VM -Name "SourceDC" -ComputerName "HyperVHost" -Path "E:\ExportedSourceDC"

Copy the contents of the E:\ExportedSourceDC folder to the new Hyper-V host. Treat this export exactly as you would IFM media or a domain controller's disk: it contains the complete NTDS.DIT, including every password hash and the krbtgt secret. Copy it over a protected channel, restrict who can read it and delete it as soon as the import has succeeded.

To Import and generate a new VM-Generation-ID:

$vm = Import-VM -Path "E:\ExportedSourceDC\SourceDC\Virtual Machines\<VM-GUID>.xml" -Copy -GenerateNewId

Note: The -Path parameter of Import-VM points at the exported virtual machine configuration file (the .xml file named after the VM's GUID in the Virtual Machines folder), not at the folder itself. Importing as a copy with -GenerateNewId gives the new VM its own identity, and that is what causes the hypervisor to hand the clone a new VM-Generation-ID; importing in place, or registering the copied files without a new ID, would not. If you are importing onto the same Hyper-V host as the source, the copied files must not overwrite the source's, so give the clone its own folders with the following Import-VM parameters:

-VhdDestinationPath
-SnapshotFilePath
-SmartPagingFilePath
-VirtualMachinePath

To rename the newly cloned Virtual Machine:

Rename-VM -VM $vm -NewName "VirtualDC2"


6. Starting New Virtual Machine

Finally, start the source domain controller and then the newly imported clone. When the clone starts it sees that its VM-Generation-ID no longer matches msDS-GenerationId, finds DCCloneConfig.XML and processes the instructions in it: it takes the new computer name, IP address and Active Directory site you specified in step 4 with New-ADDCCloneConfigFile, has the PDC Emulator create its computer object, and restarts once as the new domain controller. If any step fails, the clone boots into Directory Services Restore Mode rather than coming up as a duplicate of the source; inspect %SystemRoot%\debug\dcpromo.log on the clone to see why. The source, whose VM-Generation-ID has not changed, simply renames its copy of DCCloneConfig.XML and continues as before.


7. Wrapping up

Cloned domain controllers are also members of the Cloneable Domain Controllers group. Remove the computer object of the newly cloned domain controller from the group, and remove the source domain controller as well once you have finished cloning, so that the group is empty again when no cloning is in progress.
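The following script is an added example, not code from the original article or from Microsoft, that strings steps 4 to 7 together on a single Hyper-V host that runs the source domain controller and will also run the clone. The host needs only the Hyper-V module; the Active Directory cmdlets run inside the guests through Invoke-Command. The VM names, computer names, paths, site name and IP addresses are placeholders. It assumes that the source VM name equals the computer name and that PowerShell remoting to the domain controllers is allowed; if the New-ADDCCloneConfigFile call fails with an access-denied error from a remote session, run that one line in a console on the source domain controller instead.

```powershell
# Added example: steps 4 to 7 of the cloning procedure, run on the Hyper-V host.
$sourceVm   = 'SourceDC'              # VM name and computer name of the source DC (placeholder)
$cloneVm    = 'VirtualDC2'            # name for the new DC and for its VM (placeholder)
$exportPath = 'E:\ExportedSourceDC'   # temporary export location on this host (placeholder)
$cloneRoot  = 'E:\VMs\VirtualDC2'     # separate folders, because we import on the same host

# 4. Generate DCCloneConfig.xml in the source guest. The cmdlet re-checks the prerequisites
#    (group membership, PDCE version, application allow list) and fails if any is missing.
Invoke-Command -ComputerName $sourceVm -ScriptBlock {
    param($name)
    New-ADDCCloneConfigFile -CloneComputerName $name -SiteName 'Default-First-Site-Name' `
        -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'
} -ArgumentList $cloneVm
Stop-VM -Name $sourceVm
while ((Get-VM -Name $sourceVm).State -ne 'Off') { Start-Sleep -Seconds 2 }

# 5. Export, then import as a COPY with a new VM ID so the clone receives a new VM-Generation-ID.
#    Import-VM expects the exported .xml configuration file, not the folder that contains it.
Export-VM -Name $sourceVm -Path $exportPath
$config = Get-ChildItem -Path (Join-Path $exportPath "$sourceVm\Virtual Machines") -Filter *.xml |
          Select-Object -First 1
$clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath $cloneRoot -VhdDestinationPath "$cloneRoot\Virtual Hard Disks" `
    -SnapshotFilePath "$cloneRoot\Snapshots" -SmartPagingFilePath "$cloneRoot\Paging"
Rename-VM -VM $clone -NewName $cloneVm
# The export is a full copy of NTDS.DIT (every password hash, the krbtgt secret): remove it now.
Remove-Item -Path $exportPath -Recurse -Force

# 6. Start the source first (its generation ID is unchanged, so it just renames DCCloneConfig.xml),
#    then the clone, which applies the config, restarts once, or lands in DSRM if cloning failed.
Start-VM -Name $sourceVm
Start-VM -Name $cloneVm
while (-not (Test-WSMan -ComputerName $sourceVm -ErrorAction SilentlyContinue)) { Start-Sleep -Seconds 10 }

# 7. Wait for the new DC to appear, revoke the cloning permission from both machines, and
#    confirm that source and clone now hold different VM-Generation-IDs.
Invoke-Command -ComputerName $sourceVm -ScriptBlock {
    param($src, $new)
    do {
        Start-Sleep -Seconds 30
        $dc = Get-ADDomainController -Filter "Name -eq '$new'"
    } until ($dc)
    Remove-ADGroupMember -Identity 'Cloneable Domain Controllers' `
        -Members (Get-ADComputer $src), (Get-ADComputer $new) -Confirm:$false
    foreach ($name in $src, $new) {
        $c = Get-ADComputer -Identity $name -Properties 'msDS-GenerationId'
        [pscustomobject]@{
            DC           = $name
            GenerationId = ($c.'msDS-GenerationId' | ForEach-Object { $_.ToString('x2') }) -join ''
        }
    }
} -ArgumentList $sourceVm, $cloneVm
```

The two GenerationId values printed at the end must differ; if they are identical the import did not produce a new VM-Generation-ID and the clone has not gone through the cloning process, which is exactly the situation the safe-restore and cloning logic exists to catch.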


Conclusion

In this article we learned about the new cloning feature introduced in the Windows Server 2012 as well as the necessary requirements you need to make sure are in place before the cloning process begins. The article also explained the steps involved in cloning a virtual domain controller running Windows Server 2012.


Nirmal Sharma
is a MCSEx3, MCITP and Microsoft MVP in Directory Services. He has specialized in Microsoft Technologies since 1994 and has followed the progression of Microsoft Operating System and software. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Solution IDs for www.Dynamic-SpotAction.com. Nirmal can be reached at nirmal_sharma@mvps.org.
