How to clone a Windows Server 2012 or 2012 R2 Domain Controller
How to clone a Windows Server 2012 or 2012 R2 Domain Controller
One of the coolest new features in Window Server 2012 and Windows Server 2012 R2 is the ability to clone a Domain Controller. In the past, if we had virtualized Domain Controllers and we actually took a snapshot of it and then rolled back to that snapshot, it would break the logon service on that Domain Controller. We’ve never been able to clone, ghost or image Domain Controllers in the past.
See our class schedule for complete Server 2012 Training.
Instructor: Rick Trader
How to clone a Windows Server 2012 or 2012 R2 Domain Controller
One of the coolest new features in Window Server 2012 and Windows Server 2012 R2 is the ability to clone a Domain Controller.
In the past, if we had virtualized Domain Controllers and we actually took a snapshot of it and then rolled back to that snapshot, it would break the logon service on that Domain Controller. We’ve never been able to clone, ghost or image Domain Controllers in the past.
One of the brand new features in Windows Server 2012 is the ability to clone a Domain Controller.
In this post, we’ll be looking at how to actually clone a Domain Controller.
First of all, there are some requirements.
- Your Server 2012 Domain Controller must be virtualized. It cannot be a physical box or it cannot be in an environment that’s not virtualized.
- You also must be running on a Hyper‑V platform, whether it be VMware or Microsoft Hyper‑V that supports VM Generalization ID.
This is the new feature that’s in Server 2012’s Hyper‑V product that allows us to actually clone the Domain Controller.
- The Domain Controller has to be placed into a group called Cloneable Domain Controllers. That will allow us to actually clone it. Then every Domain Controller that is created off of that clone will go in that same group.
- The PDC Emulator must also be available to the cloned Domain Controller, both during the cloning process and when the cloned Domain Controller first comes up after it’s restarted.
- The PDC Emulator also must be running on Windows Server 2012.
Let’s go ahead and get started with cloning our first Domain Controller.
I have an environment of two Domain Controllers.
I have a USSHQ DC1 and a DC2. On DC1, I’m going to go ahead open Active Directory Users and Computers.
I’m going to add the Domain Controller that I want to make cloneable. If I look at my Domain Controller’s container, you’ll see I have USSHQ DC2.
This is the Domain Controller I’m actually going to clone.
I can either right click on that Domain Controller and add it to a group, it will be the Cloneable Domain Controllers’ group.
I can add it that way or I could actually have gone to the Cloneable Domain Controllers’ group and added it there.
I will have to restart the USSHQ DC2 so it picks up the fact that it has been added to that group.
Let’s go ahead and restart it so that it will be part of the appropriate group.
Some of the things that we will be using here is there’s an answer file that is an XML file that will be used by this Domain Controller during the cloning process. This file does not exist by default. When we create it, we create it using a PowerShell cmdlet.
We also have a PowerShell cmdlet that goes out and it makes sure that this Domain Controller doesn’t have any applications or services on it that are not compatible with cloning.
I’m going to verify really quick is verify that I do have Internet connectivity.
The reason I’m verifying the Internet connectivity is if you’ve never loaded the PowerShell help file onto your machine, you will not have any of the help system for the cloneable config file PowerShell cmdlet.
The first cmdlet I want is Get‑Help. (I’ve already downloaded help) is called New‑ADDCCloneConfigFile is the actual name of the file we’re going to be creating.
It’s the Active Directory Domain Controller’s Clone Configuration file.
If I do a Get‑Help on that file and import my Active Directory module for me. Notice that it says that it performs a pre‑req checks and actually creates the clone config file.
There are actually five different sets of syntax we can use with the Clone Config File.
You have your descriptions.
I’m going to use the [-example]…to retrieve the examples.
The one I’m going to use here is the most common example which is the first one.
On the first example, we’re going to use the new‑ADDCCloneConfigFile‑Static. This means I’m going to set a static IP address.
If I leave the static IP address out with the IPV address, the resolver IP address and its gateway address and its subnet mask, it’ll actually retrieve a DHCP assigned IP address. I then can go statically set a static IP address. If I wanted to use this machine multiple times as my cloning source I would leave that out.
The second option is ‑CloneComputerName. This will allow me to give the computer an actual name. Again, because Active Directory now allows us ‑‑ starting with Domain Functional Level 2003 ‑‑ I can remain a Domain Controller. I can also leave that entry blank, also, and each time it will randomly generate a computer name.
I’ve got my preferred win server if I’ve got wins in the environment, and, also, I can tell it what site I want this machine to be in if I’m in a multiple site environment.
If I run the command, New‑CloneConfigFile, it’s going to come back and it’s going to warn me that I have not yet ran the validation test.
The validation test is coming out and saying you haven’t checked this machine to verify there was not any applications on this machine that aren’t compatible.
I want to run the Get‑ADDCCloningExcludeApplicationList.
What this will actually do is it’ll go out and check the machine again to see if there’s anything that’s not compatible. It comes and says the Windows License Management Server (WLMS) is on this machine, and you really, really should run this, uninstall this.
In this case, I’m going to show you, I’m not going to uninstall it.
What I’m going to do is create an exception that will allow this utility to actually be ran. I run the exact same switch again and do a generate XML so it actually will create an exceptions list that added the WLMS as an application we know won’t crash if we clone the machine.
I rerun the New‑ADDCCloneConfigFile utility, and notice this time it goes down. It said, “No clone config file was found. No excluded exceptions were found,” and it’s starting the creation of the cloning config file.
If I scroll down, notice the file has already been created, and it’s actually in the Windows NTDS folder.
If I go down to that folder…C drive > Windows,>NTDS.
There’s my clone config file.
If I just open this up, I just do an edit, notice it actually leaves everything blank so I can actually use this file over and over and over again or this one machine.
In a real‑world environment, if I only want to use this one time I would actually fill in the IP address, I’d fill in what I want the computer name to be, I’d fill in what site I want it to be in, but that’s not required if I want to use this same file over and over and over again.
The next step is, then, to shut this computer down. Once the computer shuts down, I now want to export this machine.
I’ll come into my Hyper V product on my host machine, choose export.
I’m going to browse and export this to my C drive. I’m actually going to create a new folder. Going to call it “export.”
Then, on the export folder I’ll select it, export, and it exports this machine out.
This will take a couple minutes. This actual virtual machine’s not that large. If this were a large hard drive, this export could take 12, 14, 15 minutes or even longer.
Now that the machine is exported I now want to import it. Before I import the machine in, I want to rename the original box.
The reason I’m renaming it is when I’m importing it back in, it’s going to want to call it the same thing.
I’m going to name it “2012 Server 2‑A Export” just so I know that’s the machine I actually exported.
Now I’m going to come down and I’m going to import virtual machines.
I’ll go choose that folder where I just imported the machine to. Export.
Select folder. Next
Notice there’s only one machine in there.
It’s the machine we just exported.
I’ll click Next.
The next thing we have to do, we also have to create a brand new, unique ID. Otherwise, when I bring this machine into the import state if I use the same ID it currently has I’ll only be able to reuse this box one time.
I’ll copy the virtual machine and tell it to use a unique ID.
And select Next.
I’m going to store everything in my C drive in a folder called “Hyper V.”
I’m actually going to create a sub‑folder under here for imported.
Once the machine’s been imported, we can then move it into the original folder.
The reason why I’m doing this is when the machine comes in from the import, it’s going to be called the same as the machine we exported so we’ll end up with an error when we do the import. I’m just preventing an error from occurring.
I want to bring the drives into the same folder.
Now it started the import process. This won’t take as long to export, but it still takes a little bit of time.
As you notice, now, the server is the same server by server name that I exported.
At this point, for purposes of Hyper V inside the console, you can rename this to whatever you want to rename it to. I’m going to rename it to “My USS HQ,” and this is going to be DC3 in my environment.
I’m going to go ahead and start it.
The first time I start this box, it will come in and say “preparing cloning” and then “cloning the Domain Controller.” It comes up looking just like a regular Domain Controller.
Notice it says that Domain Controller cloning is in progress, at 21 percent.
Again, depending on the size of the Active Directory database. Mine is just the default database. Mine will take about six to eight minutes to complete. If I had a large scale Active Directory database, this could take quite a bit of time.
As you can see, the Domain Controller has restarted, and I’m at the log‑on screen.
I’ll go ahead and log into this Domain Controller. One of the things I want you to take note about this Domain Controller is it is using a dynamic configured IP address, and it is using a dynamically configured computer name.
The first two things I’m going to do, is I’ll come down to my local server. I’ll go ahead and statically assign my IP address.
Its IP address is going to be 132.16.10. 220. With a 24 bit subnet mask.
I did not install DNS on this server. If DNS had been on the cloned box, it would have been DNS server.
This will automatically dynamically updated DNS. In a real‑world environment, my next step would be to go in, and notice it renamed the box as USS HQ DC2‑CL001?
If I clone this box, this same box, again it would be 002, 003, 004.
In a real‑world environment, I would come in and I would actually change this computer name.
I’m not going to restart here in this demonstration, but I could rename it. If I come down now to Active Directory users and computers…
If I go in to USSHQ.local, I come down to my users, I come down to the clone of Domain Controllers.
Notice it added this cloned computer in here just like we talked about before we actually did it.
Every single time, it’ll add this box.
The other thing that I want to show you is how could I tell if a machine has been actually cloned or not? If I come into this box’s properties.
Notice the attribute editor is not showing up.
I have to do an advanced view.
Calling this Domain Controller, properties, attribute editor.
If I scroll down there’s an attribute called “MSDCS generation ID.”
Notice I’m connected to Domain Controller 1, not Domain Controller 3.
When I look at the properties of that Domain Controller, I’m actually glad it showed up that way.
The msDS-Generation ID is not set.
I actually have to be connected to the Domain Controller that I actually cloned if I want to see that value. I’ll close this and connect to that DC.
Go back into my Domain Controllers. Bring up that Domain Controller’s properties.
Then select Attribute Editor and scroll back down.
Notice if I go into this generation ID, it showed me the hex decimal code.
This is the actual new identification for this particular Domain Controller that shows it as a clone Domain Controller. The only way to see this value is I have to be connected to the Domain Controller that I actually cloned and it’ll be populated.
If I’m actually connected to any other Domain Controller and I look at that field and that value, it will show it always as a not set value. That’s how simple it is to clone a Domain Controller in Server 2012.
Again, if I wanted to bring in another clone of this box that I just built, I would simply go into my Hyper V console.
I’ve already renamed the folder so I just simply come in again, import the machine a second time.
Then we’re just going to export it. Give it a new virtual ID.
Again, I’m going to store it in my Hyper V folder in imported. Again, this is totally up to you. The default location is in the program files for Hyper V.
The hard drive already exists so I’ll just create another folder, DC4, and call this DC4.
Finish. I’m now importing another Domain Controller with all the same configuration as the firs Domain Controller.
I can import this over and over and over again. This is a great feature. The students always ask me, “Why would I want to import Domain Controllers instead of building them from scratch?” I can build a Domain Controller from scratch. It may take me 30, 40 minutes. In import, I can be done in less than 8 to 10 minutes. That’s how simple it is to clone a Domain Controller.
Until next time, Ride safe!
Windows Server Instructor – Interface Technical Training
You May Also Like
In this recorded Windows 10 training webinar from December 2, 2015, Windows Server instructor Rick Trader presents the deployment and management of Windows 10 Enterprise and the new Provisioning capability in Windows 10. Learn how to manage Windows 10 deployments using System Center Configuration Manager, Mobile Device Management and Intune. Also included in his presentation … Continue reading Windows 10 Managing, Deploying and Configuring – December 2, 2015
See our class schedule for complete Course Schedule Training. Classes are held in Phoenix, AZ and can be attended online from anywhere in the world with RemoteLive™. Instructor: Rick Trader Video Transcription: One of the things that we might have to do in our corporate network is to take a class of IP addresses and then subnet that into … Continue reading Subnetting a TCP/IP Network using the Magic Box Method
How does an investigator hunt down and identify unknown malware? In this recording of our IT Security training webinar on April 21, 2015, Security expert Mike Danseglio (CISSP / CEH) performed several malware investigations on infected computers and identify symptoms, find root cause, and follow the leads to determine what’s happening. He demonstrated his preferred … Continue reading Detailed Forensic Investigation of Malware Infections – April 21, 2015