Server 2012 – Cloning a Domain Controller

Cloning a DC for rapid deployment has become an option with Server 2012.

In order to clone a Domain Controller, the domain's PDC emulator FSMO role holder must be running Windows Server 2012 or newer.
The second prerequisite is that the virtualization platform, i.e. Hyper-V, must support the Virtual Machine Generation ID functionality.

STEP 1: Giving the Domain Controller permission to be cloned:

The DC we are going to clone needs to be a member of the “Cloneable Domain Controllers” group. This is a Global Security Group located in the Users container, and by default it has no members.

Add the DC named TDC01 to the group. The second line just verifies the membership:

Add-ADGroupMember -Identity "Cloneable Domain Controllers" -Members (Get-ADComputer -Identity TDC01)
Get-ADGroupMember -Identity "Cloneable Domain Controllers"

You can also do it using Active Directory Users and Computers.

STEP 2: Cloning Configuration File

In order to create a clone, the first step is to create a Cloning Configuration File. This is needed to tell Active Directory that we are cloning a DC and not just rolling back from a snapshot or similar.

We create the cloning file using the New-ADDCCloneConfigFile PowerShell cmdlet.

The cloning configuration file contains identifying elements like name and IP address. Elements not specified will be generated dynamically, e.g. the IP address via DHCP.

An empty one will look like this:

<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="">
</d3c:DCCloneConfig>

Cloning Configuration file location

The cloning configuration file, named DCCloneConfig.xml, can be placed in different locations depending on the need. I am using option 2 in this post.

  1. The DSA working directory where the ntds.dit file is stored.
  2. The %windir%\ntds folder.
  3. The root of mounted removable media, i.e. a virtual floppy disk (VFD file).

STEP 3: Run Get-ADDCCloningExcludedApplicationList

  1. On the DC we want to clone, we run Get-ADDCCloningExcludedApplicationList. This checks all services and applications against the approved list. If any unsupported applications are found, they will be printed to the PowerShell window.
  2. Since all my unsupported applications are ok, despite the printout I’m going to continue by issuing
    Get-ADDCCloningExcludedApplicationList -GenerateXml

STEP 4: Run the New-ADDCCloneConfigFile cmdlet:

  1. New-ADDCCloneConfigFile -Static -IPv4Address "" -IPv4DNSResolver "" -IPv4SubnetMask "" -CloneComputerName "TDC02" -IPv4DefaultGateway ""
    Success output looks like this. Take note of the file location C:\Windows\NTDS\DCCloneConfig.xml
    !! Note/edit: I actually made a typo on the gateway IP. It managed to clone anyway, but if my network were set up differently I might not have been so lucky. You can use an array for IPv4DNSResolver, which is explained further down this post.

STEP 5: Move the .xml files

  1. We need to move the .xml files before we continue, or our source DC will think it needs to be cloned as well the next time we boot it up.
    Move the two files CustomDCCloneAllowList.xml and DCCloneConfig.xml from C:\Windows\NTDS to C:\Cloning
  2. Shut down your Domain Controller.

STEP 6: Copy/Export and Import Virtual Machine/VHD

  1. You can do this in different ways, but you will most likely copy the VHD or export your virtual machine.
    Regardless of approach, you do this with the machine powered off.
    I am going to export it to a directory named d:\export for further reference.
    Note: if you are only going to clone one DC, you can skip the export step and just import it directly from your existing DC, then do steps 2, 3 and 5.
  2. Mount the exported vhd file and copy the two files CustomDCCloneAllowList.xml and DCCloneConfig.xml from C:\Cloning to C:\Windows\NTDS
    (from step 5)
    Either using PowerShell
    Mount-VHD -Path "D:\Export\TDC01\Virtual Hard Disks\TDC01.vhdx"
    Or right-click the vhdx file and choose Mount
  3. Dismount the VHD using PowerShell
    Dismount-VHD -Path "D:\Export\TDC01\Virtual Hard Disks\TDC01.vhdx"
  4. Now import the machine from the export directory and choose Copy the virtual machine (create a new unique ID)
  5. Now I’m powering up my original DC before turning on the soon-to-be-cloned one.

STEP 7: Cleaning up

  1. You must remove the two files CustomDCCloneAllowList.xml and DCCloneConfig.xml from the %windir%\ntds directory of your new DC, or it is going to try cloning at the next boot.
  2. Both the new and the source server should be removed from the Cloneable Domain Controllers group.
    You need to re-enable this membership if you want to clone it at a later point.
    Remove-ADGroupMember -Identity "Cloneable Domain Controllers" -Members (Get-ADComputer -Identity TDC01)
    Remove-ADGroupMember -Identity "Cloneable Domain Controllers" -Members (Get-ADComputer -Identity TDC02)
    Or using the Active Directory Users and Computers
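The checks a practitioner would want around the procedure above, as an added example that is not code from the original post: it verifies the PDC emulator prerequisite from the top of the page and audits the step 7 cleanup (group membership and leftover files). It assumes the RSAT ActiveDirectory module, the default NTDS folder under %windir% reachable via the admin$ share, and the TDC01/TDC02 names from the post.

```powershell
# Added example, not from the original post: pre-flight check for the
# prerequisites above and a post-clone audit for the cleanup in step 7.
# Assumes the RSAT ActiveDirectory module and the default NTDS location
# under %windir% (reachable via the admin$ share).
Import-Module ActiveDirectory

function Test-ClonePrerequisite {
    # The PDC emulator FSMO holder must run Windows Server 2012 (6.2) or newer.
    $pdcFqdn = (Get-ADDomain).PDCEmulator
    $pdc = Get-ADComputer -Identity ($pdcFqdn -split '\.')[0] -Properties OperatingSystem, OperatingSystemVersion
    # OperatingSystemVersion looks like "6.2 (9200)"; keep only the numeric part.
    $ver = [version](($pdc.OperatingSystemVersion -split ' ')[0])
    [pscustomobject]@{
        PDCEmulator = $pdcFqdn
        OS          = $pdc.OperatingSystem
        Supported   = ($ver -ge [version]'6.2')
    }
}

function Get-CloneableDCMember {
    # Outside a cloning window this group should be empty (step 7); every
    # member is a DC that can be duplicated by whoever controls the hypervisor.
    Get-ADGroupMember -Identity 'Cloneable Domain Controllers' |
        Select-Object -ExpandProperty Name
}

function Find-LeftoverCloneFile {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # A forgotten DCCloneConfig.xml / CustomDCCloneAllowList.xml in %windir%\NTDS
    # makes the DC attempt another clone on its next boot.
    foreach ($dc in $ComputerName) {
        foreach ($file in 'DCCloneConfig.xml', 'CustomDCCloneAllowList.xml') {
            $path = "\\$dc\admin`$\NTDS\$file"
            if (Test-Path -Path $path) {
                [pscustomobject]@{ Computer = $dc; LeftoverFile = $path }
            }
        }
    }
}

# Usage: run after step 7 with the DC names from the post.
Test-ClonePrerequisite
$members = Get-CloneableDCMember
if ($members) { Write-Warning "Cloneable Domain Controllers still has members: $($members -join ', ')" }
Find-LeftoverCloneFile -ComputerName 'TDC01', 'TDC02'
```

Any warning or leftover-file line returned here means step 7 was not finished and the next boot of that DC could trigger an unintended clone.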

Making more Clone Config Files

If you want to make more clones, you can create new cloning configuration files from any machine with the Active Directory RSAT tools installed by running the following command (this one is based on the above example).
Note how -IPv4DNSResolver accepts arrays, which means you can set up both primary and secondary DNS entries. You can use the -SiteName switch if you use something other than the default site.

New-ADDCCloneConfigFile -CloneComputerName TDC02 `
-Static `
-IPv4Address "" `
-IPv4DNSResolver @("", "") `
-IPv4SubnetMask "" `
-IPv4DefaultGateway "" `
-Offline `
-Path .\

Files of note:

DefaultDCCloneAllowList.xml in %windir%\system32
CustomDCCloneAllowList.xml, generated in %windir%\NTDS by Get-ADDCCloningExcludedApplicationList -GenerateXml
