Paul Gregory | 28 September 2012
With Windows Server 2012 Microsoft have introduced some new technologies around Domain Controllers to enable Safe DC Virtualisation.
These features enable rapid provisioning of Domain Controllers and the ability to use features like snapshots from the virtualisation vendor. In order to use these features the hypervisor must support VM Generation-ID, a new attribute exposed to the virtual machine by the hypervisor. Today VM Generation-ID is supported by Hyper-V 3 and vSphere 5.1, but others will follow quickly. In this blog we will look at Domain Controller cloning for rapid provisioning; another blog will look at the snapshot feature.
Before cloning can start there are a few things that need to be addressed. These are:
- The PDC Emulator needs to be Windows Server 2012
- You CANNOT clone the PDC Emulator (this can be checked using ADUC or PowerShell)
- The DC you intend to clone has to be added to a new security group called 'Cloneable Domain Controllers'
Having completed the pre-requisite checks, the procedure is as follows:
- Check that no applications are installed on the DC that do not support cloning. This can be done by running Get-ADDCCloningExcludedApplicationList; if this command returns any applications, they have to be investigated to see whether they are 'safe' to clone. Generally any application that relies on unique IDs will have an issue; for example, DHCP is not supported because of the DHCP authorisation process.
- Once all the applications have been investigated and the 'unsafe' ones removed, the DC can be cloned. Any remaining applications that can safely be cloned need to be added to CustomDCCloneAllowList.xml, which is done by running Get-ADDCCloningExcludedApplicationList -GenerateXml. This creates an XML file of the allowed applications and stores it in the same folder as the NTDS.DIT database. If this step is not completed and applications the cloning process regards as unsafe are installed, the cloning will fail.
- The clone command is then run to set up the cloning: New-ADDCCloneConfigFile. This command accepts a range of parameters, from the name of the new DC to static IP settings for it. The settings are stored in an XML file called DCCloneConfig.xml, which is also kept in the same folder as the NTDS.DIT file.
- Once the command has completed, shut down the source DC and export the virtual machine. Once the export is complete the source DC can be restarted. The new virtual machine can then be imported onto another host and booted. As part of the boot process the DC will detect that it has been cloned and personalise itself using the details in the DCCloneConfig.xml file.
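The pre-requisite checks and the cloning steps above, pulled together into one script. This is an added example and not part of the original post; it uses the ActiveDirectory and Hyper-V module cmdlets named in the text, and every computer name, address, site name and export path in it is a constructed placeholder.

```powershell
<#
  Added example (not from the original post): pre-flight checks plus
  DCCloneConfig.xml generation for cloning a Windows Server 2012 DC.
  Run in an elevated PowerShell session on the source DC.
#>
param(
    [string]   $CloneName    = 'DC-CLONE01',             # placeholder name for the new DC
    [string]   $CloneIPv4    = '10.0.0.21',              # constructed static address
    [string]   $CloneMask    = '255.255.255.0',
    [string]   $CloneGateway = '10.0.0.1',
    [string[]] $CloneDns     = @('10.0.0.10'),
    [string]   $SiteName     = 'Default-First-Site-Name', # placeholder AD site
    [switch]   $AllowListReviewed   # set only after every listed application has been vetted
)
Import-Module ActiveDirectory

$sourceDc = Get-ADDomainController -Identity $env:COMPUTERNAME

# Pre-requisite 1: the PDC Emulator must run Windows Server 2012 (a later release also satisfies this).
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.OperatingSystem -notmatch 'Windows Server 20(1[2-9]|[2-9][0-9])') {
    throw "PDC Emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)'; cloning needs Windows Server 2012."
}

# Pre-requisite 2: the PDC Emulator itself can never be the clone source.
if ($sourceDc.HostName -ieq $pdc.HostName) {
    throw "$($sourceDc.HostName) holds the PDC Emulator role and cannot be cloned."
}

# Pre-requisite 3: the source DC must belong to 'Cloneable Domain Controllers'.
$group   = 'Cloneable Domain Controllers'
$members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty distinguishedName
if ($members -notcontains $sourceDc.ComputerObjectDN) {
    Add-ADGroupMember -Identity $group -Members $sourceDc.ComputerObjectDN
    Write-Warning "Added $($sourceDc.Name) to '$group'; allow the change to replicate before continuing."
}

# Step 1: list applications that do not support cloning.
$excluded = @(Get-ADDCCloningExcludedApplicationList)
if ($excluded.Count -gt 0) {
    $excluded | Format-Table Name, Type -AutoSize | Out-String | Write-Host
    if (-not $AllowListReviewed) {
        throw 'Investigate each listed application (remove unsafe ones such as DHCP), then re-run with -AllowListReviewed.'
    }
    # Step 2: the vetted survivors are written to CustomDCCloneAllowList.xml beside NTDS.DIT,
    # otherwise the clone config step below fails on the same list.
    Get-ADDCCloningExcludedApplicationList -GenerateXml
}

# Step 3: write DCCloneConfig.xml (static IP variant) into the NTDS folder.
New-ADDCCloneConfigFile -CloneComputerName $CloneName -SiteName $SiteName `
    -Static -IPv4Address $CloneIPv4 -IPv4SubnetMask $CloneMask `
    -IPv4DefaultGateway $CloneGateway -IPv4DNSResolver $CloneDns

# Confirm both XML files sit where the clone's first boot will look for them.
$ntdsDir = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Working Directory'
Get-ChildItem -Path $ntdsDir -Filter '*.xml' | Select-Object Name, LastWriteTime

<#
  Step 4 runs on the Hyper-V host, not inside the DC (constructed VM name and export path):
    Stop-VM   -Name 'DC-SOURCE01'
    Export-VM -Name 'DC-SOURCE01' -Path 'D:\Exports'
    Start-VM  -Name 'DC-SOURCE01'
  Then on the destination host import a copy with a fresh VM ID and boot it. The guest sees
  the changed VM Generation-ID, finds DCCloneConfig.xml and personalises itself as $CloneName:
    $cfg = (Get-ChildItem 'D:\Exports\DC-SOURCE01\Virtual Machines\*.xml').FullName
    Import-VM -Path $cfg -Copy -GenerateNewId
    Start-VM -Name 'DC-SOURCE01'
#>
```

The script deliberately stops at the excluded-application list unless `-AllowListReviewed` is passed, so the allow list is only generated after an operator has looked at what is on it; New-ADDCCloneConfigFile repeats the same three pre-requisite checks itself and will refuse to write the file if any of them fail.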