Cloning a domain controller - Why bother?

Gloria Anglero, published in Tech Jobs Academy, Mar 9, 2016

When you create the first domain controller in your organization, you are also creating the first domain, the first forest, and the first site. That’s a pretty big deal! After all, it is the domain controller, through group policy, that manages the collection of resources, computers, and user accounts in your organization. With this in mind, you should always use a test environment before deploying the clones to your organization’s network.

The process of creating multiple domain controllers within a domain can be quite time consuming and at times very complex. Ideally, you want to limit the amount of network capacity used and reduce the amount of time required to complete the process. Fortunately, Windows Server 2012 and Windows Server 2012 R2 enable you to clone a domain controller to multiple virtual machines with the use of Hyper-V. (For more information on Hyper-V, see my previous blog “Demystifying the Installation of the Hyper-V Role Using Server Manager”).

You may be wondering if it’s actually worth the trouble to clone domain controllers. The answer is yes.

When the cloning process is complete, the clone is a separate virtual machine. This means changes made to the clone do not affect the parent virtual machine and vice versa. It also means that the clone will have a MAC address and universally unique identifier (UUID) that is different from the parent virtual machine. The benefits of virtual domain controller cloning include:

  • Deploying additional domain controllers in a new domain more quickly than individual deployments.
  • Restoring Active Directory Domain Services (AD DS) more quickly during disaster recovery.
  • Private cloud deployments are optimized and increased scale requirements are met.
  • Test environments can be deployed more rapidly.
  • Increased capacity needs in branch offices can be met rapidly by cloning existing domain controllers.

You are able to clone domain controllers using Windows Server 2012 or Windows Server 2012 R2. But there are guidelines that must be followed in order for the cloning process to work properly:

  • The domain controller must be placed into a group called Cloneable Domain Controllers. Being a member of this group determines whether a domain controller can be cloned. This group has some permissions set on the domain that should not be removed. Removing these permissions will cause cloning to fail.
  • Domain controllers should not be added to the group until you plan to clone them and then should be removed from the group once cloning is complete.
  • Your Server 2012 domain controller must be virtualized. It cannot be a physical box and it cannot be in an environment that’s not virtualized. This is because cloning the domain controller is a feature of Hyper-V, the software that creates and runs virtual machines.
  • It must be running on a hypervisor platform, whether VMware or Microsoft Hyper-V, that supports VM-Generation ID.
  • The PDC emulator role holder must be online and available to the cloned domain controller and must be running Windows Server 2012.
  • A member of the Domain Admins group needs to prepare the computer that is to be cloned. Hyper-V administrators are unable to clone a domain controller without the support of AD DS administrators, and vice versa.

Note: Preparing a cloneable domain controller starts with a special PowerShell cmdlet: New-ADDCCloneConfigFile.

There are 3 Steps to Cloning a Domain Controller, followed by a clean-up step. Let’s go through them together:

Step 1: Check Domain Controller for prerequisites

  1. For the parent domain controller (henceforth known as DC1), in Server Manager, click Tools, and then click Active Directory Administrative Center.
  2. In Active Directory Administrative Center, double-click your local domain, and then, in the details pane, double-click the Domain Controllers OU (Organizational Unit).
  3. In the details pane, select DC1, and then, in the Tasks pane, in the DC1 section, click Add to group.
  4. In the Select Groups dialog box, in the Enter the object names to select box, type Cloneable, and then click Check Names.
  5. Ensure that the group name is expanded to Cloneable Domain Controllers, and then click OK.
  6. On DC1, in the taskbar, click the Windows PowerShell icon.
  7. At the Windows PowerShell command prompt, type the following command, and then press Enter:

Get-ADDCCloningExcludedApplicationList

  8. Verify the list of critical applications. In production, you need to verify each application or use a domain controller that has fewer applications installed by default. Type the following command, and then press Enter:

Get-ADDCCloningExcludedApplicationList -GenerateXml

  9. To create the DCCloneConfig.xml file, at the Windows PowerShell command prompt, type the following command, and then press Enter:

New-ADDCCloneConfigFile

  10. To shut down DC1, at the Windows PowerShell command prompt, type the following command, and then press Enter:

Stop-Computer
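The same preparation, scripted so the prerequisite checks from the guidelines above are enforced before the configuration file is written. This is an added example and not code from the original post; it runs on DC1 as a Domain Admin, and the names DC1 and DC3, the site name and the IP addresses are assumptions you would replace with your own.

```powershell
# Added example (not from the original post): scripted Step 1 preparation on the
# source DC, run as a member of Domain Admins. DC1, DC3, the site name and the
# addresses below are assumed values.
Import-Module ActiveDirectory

$SourceDc  = 'DC1'
$CloneName = 'DC3'
$GroupName = 'Cloneable Domain Controllers'

# Prerequisite: the PDC emulator must be reachable and on Windows Server 2012 or later.
$pdc   = (Get-ADDomain).PDCEmulator
$pdcOs = (Get-ADComputer $pdc.Split('.')[0] -Properties OperatingSystem).OperatingSystem
if (-not (Test-Connection -ComputerName $pdc -Count 1 -Quiet)) {
    throw "PDC emulator $pdc is not reachable; cloning will fail."
}
if ($pdcOs -notmatch 'Windows Server (2012|2016|2019|2022)') {
    throw "PDC emulator $pdc runs '$pdcOs'; Windows Server 2012 or later is required."
}

# Prerequisite: the hypervisor must expose a VM-Generation ID. AD stores the value it
# last saw on the DC's computer object (msDS-GenerationId); an empty value means the
# DC is physical or the host does not support the feature.
$dcObject = Get-ADComputer $SourceDc -Properties 'msDS-GenerationId'
if (-not $dcObject.'msDS-GenerationId') {
    throw "$SourceDc has no msDS-GenerationId; the host does not provide VM-Generation ID."
}

# Add the source DC to Cloneable Domain Controllers only now, for the duration of the clone.
$alreadyMember = Get-ADGroupMember $GroupName | Where-Object { $_.Name -eq $SourceDc }
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity $GroupName -Members $dcObject
}

# Review every application that is not on the built-in clone allow list. Each entry must
# be confirmed safe (added to CustomDCCloneAllowList.xml via -GenerateXml) or removed.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    Write-Warning 'Review the applications above before generating the allow list.'
    Get-ADDCCloningExcludedApplicationList -GenerateXml
}

# Write DCCloneConfig.xml with the clone's name and a static address, then shut down
# so the VM can be exported from the host.
New-ADDCCloneConfigFile -CloneComputerName $CloneName `
    -Static -IPv4Address '10.0.0.13' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11' `
    -SiteName 'Default-First-Site-Name'

Stop-Computer
```

New-ADDCCloneConfigFile repeats the PDC, group-membership and excluded-application checks itself and refuses to write the file if any fail, so the explicit checks above mainly give you a clearer error message and a place to stop before the DC is shut down.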

Step 2: Export the Source Domain Controller

  1. On the host computer, in Hyper-V Manager, in the details pane, select the DC1 virtual machine.
  2. In the Actions pane, in DC1 section, click Export.
  3. In the Export Virtual Machine dialog box, select the location where you want to save the files, and then click Export.
  4. Wait until the export is finished.
  5. In the Actions pane, in the DC1 section, click Start.

Step 3: Clone the Exported Domain Controller

  1. In the Actions pane, in the upper section that is named like the parent computer, click Import Virtual Machine.
  2. In the Import Virtual Machine Wizard, on the Before You Begin page, click Next.
  3. On the Locate Folder page, click Browse, select the folder that leads to the path location, click Select Folder, and then click Next.
  4. On the Select Virtual Machine page, select DC1, and then click Next.
  5. On the Choose Import Type page, select Copy the virtual machine (create a new unique ID), and then click Next.
  6. On the Choose Folders for Virtual Machine Files page, select the Store the virtual machine in a different location check box. For each folder location, provide the path. Click Next.
  7. On the Choose Folders to Store Virtual Hard Disks page, provide the path, and then click Next.
  8. On the Completing Import Wizard page, click Finish.
  9. In the details pane, identify and select the newly imported virtual machine named DC1, which has the State shown as Off. In the lower section of the Actions pane, click Rename.
  10. Type DC3 as the name, and then press Enter.
  11. In the Actions pane, in the DC3 section, click Start, and then click Connect to see the virtual machine starting.

While the server is starting, note the “Domain Controller cloning is at x% completion” message.

Step 4: Revert and Delete Virtual Machines

When you finish, you will need to do some cleaning up. You may recall that you made the clones by using the virtual domain controller you created for this purpose. You can now get rid of that virtual machine and keep the clones. Revert the virtual machine to its initial state or delete the virtual machine by completing the following steps:

  1. On the host computer, start Hyper-V Manager.
  2. In the Virtual Machines list, right-click the original DC1 (the cloneable source), and then click Revert.
  3. In the Revert Virtual Machine dialog box, click Revert.
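The host-side part of Steps 2 to 4 can be done with the Hyper-V PowerShell module instead of Hyper-V Manager, and the script is also a convenient place to do the clean-up the guidelines ask for: taking the domain controllers back out of Cloneable Domain Controllers once the clone is up. This is an added example, not code from the original post; the VM names, export and storage paths, and the checkpoint name Pre-Clone are assumptions.

```powershell
# Added example (not from the original post): Steps 2-4 on the Hyper-V host, plus the
# post-clone group clean-up. VM names, paths and the checkpoint name are assumed values.
Import-Module Hyper-V

$SourceVm   = 'DC1'
$CloneVm    = 'DC3'
$ExportRoot = 'D:\Exports'
$CloneRoot  = "D:\VMs\$CloneVm"

# Step 2: DC1 must already be off (DCCloneConfig.xml is written before Stop-Computer).
# Export it, then start it again so the domain is not left with one DC fewer.
if ((Get-VM -Name $SourceVm).State -ne 'Off') {
    throw "$SourceVm is still running; shut it down from inside the guest first."
}
Export-VM -Name $SourceVm -Path $ExportRoot
Start-VM -Name $SourceVm

# Step 3: import as a copy with a new unique ID, the equivalent of
# "Copy the virtual machine (create a new unique ID)" in the wizard. The exported
# configuration file is *.xml on 2012/2012 R2 hosts and *.vmcx on 2016 and later.
$config = Get-ChildItem -Path (Join-Path $ExportRoot "$SourceVm\Virtual Machines") `
    -Include '*.xml', '*.vmcx' -Recurse | Select-Object -First 1
$clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath $CloneRoot `
    -VhdDestinationPath (Join-Path $CloneRoot 'Virtual Hard Disks') `
    -SnapshotFilePath $CloneRoot -SmartPagingFilePath $CloneRoot
Rename-VM -VM $clone -NewName $CloneVm
Start-VM -Name $CloneVm
# Watch the guest console for "Domain Controller cloning is at x% completion";
# the clone reboots once as DC3 when it reaches 100%.

# Clean-up: confirm the clone registered as a DC, then remove both DCs from the group,
# since membership should only exist while a clone is actually in progress.
Import-Module ActiveDirectory
$null = Get-ADDomainController -Identity $CloneVm -ErrorAction Stop
Get-ADGroupMember 'Cloneable Domain Controllers' |
    Where-Object { $_.Name -in $SourceVm, $CloneVm } |
    ForEach-Object {
        Remove-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $_ -Confirm:$false
    }

# Step 4: if DC1 existed only to be cloned, revert it to the checkpoint taken before
# cloning (assumed name 'Pre-Clone') or remove it. The clones are independent VMs
# with their own IDs and disks, so neither action affects them.
Restore-VMSnapshot -VMName $SourceVm -Name 'Pre-Clone' -Confirm:$false
# Alternative: Stop-VM -Name $SourceVm -Force; Remove-VM -Name $SourceVm -Force
```

Import-VM with -Copy and -GenerateNewId is what gives the clone a different VM ID and therefore a different generated MAC address; importing in place or registering the exported files would collide with the running DC1.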

For more help with cloning domain controllers, I recommend a blog posted by Rick Trader that walks you through the steps necessary to clone a domain controller. Rick provides an informative visual representation of domain controller cloning using screenshots and a video.
