After detailing Active Directory Virtualization Safeguards with VM-GenerationID in part 5 of this series on Virtualizing Domain Controllers on vSphere, it’s time to talk about the second Active Directory Domain Services feature that is enabled through the VM-GenerationID technology: Domain Controller cloning.
About Domain Controller cloning
Microsoft recommends not re-using Domain Controllers for other roles. When sticking with this recommended practice, Domain Controllers running the same Windows Server version in your environment are 99% identical.
In many large organizations, however, deploying an additional Domain Controller, even a virtual one, is a change that might span weeks. After the initial installation and promotion, multiple agents and additional software need to be installed, and tweaks applied, before it is a full family member of the Domain Controllers OU.
By comparing the VM-GenerationID value in vRAM with the value stored in the (non-replicated) Active Directory database, a Domain Controller can detect that its virtual hard disk is being re-used for another Domain Controller.
When the essential files for Domain Controller cloning have been prepared, that detection instructs the virtual Domain Controller to clone itself. Only this deliberate situation leads to cloning; every other VM-GenerationID mismatch results in a boot into Directory Services Restore Mode (DSRM).
Domain Controller cloning enables fast, safer Domain Controller provisioning through clone operations. These operations include regular VM cloning and manual VMDK copy operations.
VMware Converter’s Hot cloning feature is not supported with Domain Controller cloning. The ‘cloning’ name overlay is purely coincidental.
Situations where Domain Controller cloning isn’t beneficial
There are a couple of situations where Domain Controller Cloning isn’t beneficial:
- When you want to promote a Domain Controller in a remote location with limited bandwidth. When the remote location features a virtualization host and a VM template for the desired Windows Server version, it’s more beneficial to perform an Install from Media (IfM) installation. This is especially true when copying over the virtual hard disk of a cloneable Domain Controller might take longer to transfer than 60 days (the pre-Windows Server 2003 SP1 tombstone lifetime period).
- When the agents and the software you install on Domain Controllers to make them fully functional aren’t cloneable and therefore break Domain Controller cloning.
The list of requirements to allow Domain Controller cloning starts with the requirements for VM-GenerationID, as shared earlier:
- VMware vSphere needs to run version 5.0 update 2, or up.
- VMware tools need to be installed and running on virtual Domain Controllers, ideally with a version that matches the VMware vSphere version.
- The virtual Domain Controller needs to run Windows Server 2012, or up.
- The Virtual Machine hardware version needs to be version 7, or up.
On top of these requirements, Domain Controller cloning adds additional requirements:
- At least one Windows Server 2012-based Domain Controller (or a newer version of Windows Server) needs to be configured to host the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role. This change should be replicated to all Domain Controllers in affected Active Directory sites.
- The Domain Controller holding the RID Master FSMO role needs to be available during the cloning process.
- DNS needs to be available during the cloning process.
- The reference Domain Controller cannot be a Read-only Domain Controller.
- The reference Domain Controller needs to be a member of the Cloneable Domain Controllers security group in Active Directory or needs to be granted the DS-Clone-Domain-Controller extended right.
- The reference Domain Controller cannot be assigned Managed Service Accounts (MSAs), unless these accounts are group Managed Service Accounts (gMSAs).
- A CustomDCCloneAllowList.xml and a DCCloneConfig.xml file need to be available to the cloned Domain Controller in the root of a removable drive or in the folder of the Active Directory database (by default: C:\Windows\NTDS).
- Applications that are incompatible with cloning should be uninstalled or added to CustomDCCloneAllowList.xml.
To be able to clone a Virtual Machine in vSphere, you must have the following privileges within the vSphere infrastructure:
- Virtual machine.Provisioning.Clone virtual machine permissions on the virtual machine you are cloning.
- Virtual machine.Inventory.Create from existing permissions on the datacenter or virtual machine folder.
- Virtual machine.Configuration.Add new disk permissions on the datacenter or virtual machine folder.
- Resource.Assign virtual machine to resource pool permissions on the destination host, cluster, or resource pool.
- Datastore.Allocate space permissions on the destination datastore or datastore folder.
- Network.Assign network permissions on the network to which the virtual machine will be assigned.
- Virtual machine.Provisioning.Read customization specifications permissions on the root vCenter Server if you are customizing the guest operating system.
Having performed Domain Controller cloning in large environments and in many demos, I recommend adhering to these practices:
- Leave the Cloneable Domain Controllers security group in Active Directory empty in-between clone operations.
- Inventory and validate all software, agents, services and applications on the reference Domain Controller before cloning. VMware Tools is validated and works with Domain Controller cloning.
- Always shut down the reference Domain Controller prior to cloning.
- Ensure that the reference Domain Controller holds no Flexible Single Master Operations (FSMO) role.
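The requirements and practices above can be verified before the reference Domain Controller is shut down. The following script is an added example, not code from the original post; it assumes the Active Directory Module for Windows PowerShell and PowerShell Remoting to the reference Domain Controller, and uses the placeholder name dc01.

```powershell
# Added pre-flight check for Domain Controller cloning (example, not from the original post).
# Assumes the ActiveDirectory module (RSAT) and PowerShell Remoting to the reference DC.
param([string]$ReferenceDC = 'dc01')   # placeholder reference Domain Controller name

Import-Module ActiveDirectory
$domain = Get-ADDomain
$forest = Get-ADForest
$dc     = Get-ADDomainController -Identity $ReferenceDC
$checks = [ordered]@{}

# PDC emulator must run Windows Server 2012 or newer (OperatingSystem reads e.g. "Windows Server 2012 R2 Datacenter")
$pdce = Get-ADDomainController -Identity $domain.PDCEmulator
$checks['PDCe runs Windows Server 2012 or newer'] =
    ($pdce.OperatingSystem -match 'Windows Server (\d{4})') -and ([int]$Matches[1] -ge 2012)

# RID Master must be reachable while the clone promotes itself
$checks['RID Master reachable'] = Test-Connection -ComputerName $domain.RIDMaster -Count 1 -Quiet

# Reference DC must be writable and, as a practice, hold no FSMO role
$checks['Reference DC is writable (not an RODC)'] = -not $dc.IsReadOnly
$fsmoHolders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
                 $forest.SchemaMaster, $forest.DomainNamingMaster)
$checks['Reference DC holds no FSMO role'] = $fsmoHolders -notcontains $dc.HostName

# Reference DC must be a member of Cloneable Domain Controllers
$cloneable = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' |
             Select-Object -ExpandProperty distinguishedName
$checks['Member of Cloneable Domain Controllers'] = $cloneable -contains $dc.ComputerObjectDN

# Standalone MSAs installed on the reference DC block cloning; gMSAs are allowed
$hostAccounts = (Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-HostServiceAccount').'msDS-HostServiceAccount'
$standalone   = @($hostAccounts | ForEach-Object { Get-ADServiceAccount -Identity $_ } |
                  Where-Object ObjectClass -eq 'msDS-ManagedServiceAccount')
$checks['No standalone MSAs installed'] = $standalone.Count -eq 0

# Applications not on the allow list must be removed or added to CustomDCCloneAllowList.xml
$excluded = Invoke-Command -ComputerName $dc.HostName -ScriptBlock { Get-ADDCCloningExcludedApplicationList }
$checks['No applications blocking cloning'] = @($excluded).Count -eq 0

# Report; every FAIL row has to be resolved before shutting down and cloning
$checks.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

The DS-Clone-Domain-Controller extended right is not checked here; group membership is the path this post uses.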
When creating many clones from one reference Domain Controller, please:
- Don’t use the -CloneComputerName or -Static -IPv4Address parameters when generating DCCloneConfig.xml, as re-using that file for multiple clones results in clones with the same hostname and/or IPv4 address.
- Ensure that the Dynamic Host Configuration Protocol (DHCP) service is functional in the infrastructure. The information specified in DcCloneConfig.xml should be unique. When a duplicate or invalid computer name is specified, when an IP address conflict is detected, when IP and DNS information is left out and there is no DHCP Server on the network, when only one WINS Server address is specified or when a typo is made in the Active Directory site name, Domain Controller Cloning will halt.
- Don’t turn on the reference Domain Controller until all mass cloning operations have finished. Alternatively, convert the first clone to a template and deploy new Domain Controllers from this template, but remember that this template is only re-usable for the duration of the Tombstone Lifetime.
How to clone a Domain Controller on vSphere
Perform these steps to clone a reference Domain Controller that is running as a virtual machine on VMware vSphere, resulting in a cloned Domain Controller, also running as a virtual machine on VMware vSphere:
1. Add the reference Domain Controller to the Cloneable Domain Controllers group
To add the reference Domain Controller to the Cloneable Domain Controllers security group, use the following PowerShell one-liner:
Add-ADGroupMember -Identity "Cloneable Domain Controllers" -Members "cn=dc01,ou=Domain Controllers,dc=domain,dc=tld"
You can run the above command on the reference Domain Controller when signed in, from another Domain Controller, or from any domain-joined device with the Active Directory Module for Windows PowerShell installed, signed in with credentials that allow management of the security group. In the latter two cases, make sure the change has replicated to the Domain Controllers holding the PDCe and RID Master FSMO roles and to the reference Domain Controller.
2. Resolve Service Principal Name (SPN) issues
Run Get-ADServiceAccount on the reference Domain Controller to get the list of Service Principal Names in use. To remove the service accounts automatically, use the following PowerShell one-liner:
Get-ADServiceAccount -Filter * | Remove-ADServiceAccount
3. Resolve problems with non-cloneable applications, agents and services
You would typically run the Get-ADDCCloningExcludedApplicationList PowerShell Cmdlet to get a list of the programs and services blocking successful Domain Controller Cloning. The following PowerShell one-liner can be used to automatically create the CustomDCCloneAllowList.xml file in C:\Windows\NTDS:
Get-ADDCCloningExcludedApplicationList -GenerateXml -Path C:\Windows\NTDS -Force
4. Create the DCCloneConfig file
At this stage, run the New-ADDCCloneConfigFile PowerShell Cmdlet. You do not need to specify any parameters if you don’t want to.
When you don’t add any parameters, this Cmdlet creates a minimal DCCloneConfig.xml file in the Active Directory database path. This file results in the following Domain Controller Cloning configuration:
- The target Domain Controller will be assigned IP-addresses through DHCP.
- The target Domain Controller name will be automatically generated.
- The target Domain Controller will be assigned the same Active Directory site as the reference Domain Controller.
If you want to specify a host name, Active Directory site or IP addressing information, a sample PowerShell one-liner would look like:
New-ADDCCloneConfigFile -CloneComputerName "DC02" -SiteName "ADSite01" -Static -IPv4Address "10.0.1.2" -IPv4SubnetMask "255.255.255.0" -IPv4DefaultGateway "10.0.1.1" -IPv4DNSResolver "10.0.0.2"
5. Shut down the reference Domain Controller
Now, shut down the Domain Controller, from within Windows Server. For instance, with the following PowerShell one-liner:
6. Clone the reference Domain Controller from vCenter
Perform these steps to clone the reference Domain Controller:
- Open and log into the VMware vSphere Client or vSphere Web Client.
- Locate the virtual machine you wish to clone in the inventory.
- Right-click the virtual machine and select Clone and then Clone to Virtual Machine from the context menu.
- On the Select a name and folder page, enter a unique name for the clone Domain Controller and select a deployment location.
- Click Next.
- On the Select a compute resource page, select the host, cluster, resource pool, or vApp where the clone Domain Controller will run.
- Click Next.
- On the Select storage page, select the datastore or datastore cluster in which to store the template configuration files and all of the virtual disks.
- Click Next.
- On the Select deploy options page, do not select additional customization options for the clone Domain Controller.
- On the Ready to complete page, review the virtual machine settings and click Finish.
After the clone operation succeeds, the clone Domain Controller appears in the inventory. Start it.
Start the reference Domain Controller when cloning completes, or keep using it as a template Domain Controller for a period no longer than the Active Directory Tombstone Lifetime.
Domain Controller Cloning is useful when you want to create a replica Domain Controller fast.
Of course, you can use it to quickly create an extra Domain Controller when the current Domain Controllers are burdened, but you can also use it as a Disaster Recovery method. More on that in the next blogpost in this series.
Related Microsoft KnowledgeBase Articles
2742844 Domain controller cloning fails, server boots in DSRM
2742908 After cloning domain controller, “no logon servers available”
2742927 New-AdDcCloneConfig error “Index was out of range”
2747974 Domain controller cloning event 2224 gives incorrect guidance
2742959 Domain controller cloning error 8437
2743278 Domain controller cloning error 0x80041005
2742916 Domain controller cloning fails with error 8610
2742970 DC cloning fails with no DSRM, duplicate source and clone computer
2745013 New-AdDcCloneConfigFile error “the server is not operational”
2742874 DC cloning does not recreate all service principal names
2742836 Extra DHCP leases after cloning domain controllers