Send in the Clones: Domain Controller Cloning
Imagine yourself in an IT professional’s worst nightmare: a major natural disaster has devastated your company’s network infrastructure. As a Windows system administrator, your role in the recovery will be to get everything back up and running as soon as possible. This would require rapidly restoring your company’s Active Directory Domain Services capacity and building every domain back up seemingly from scratch. How would you accomplish such a daunting task?
Fortunately, Microsoft introduced a new feature in Windows Server 2012 that allows system administrators to “clone” virtualized domain controllers and deploy them rapidly throughout your Active Directory environment. In this blog post, I will walk through the requirements and show you how to clone domain controllers to quickly repopulate your networking environment.
Please note that this tutorial is intended for IT professionals who are already working in the field or those starting their careers who may be looking for a new technique to add to their growing set of skills. If you were not familiar with some of the terms I used above, you can start learning about Active Directory and Windows Server 2012 with this article.
Let’s begin with the requirements for cloning a domain controller:
Step 1: Gather Your Tools
You will need two physical servers running Windows Server 2012, both of which need to have the Hyper-V server role installed. A domain controller running the PDC Emulator also needs to be present, as well as an existing virtualized domain controller; this will serve as the source from which the other virtualized domain controllers will be cloned. These last two need to be on the same domain. Finally, the functional domain level needs to be set to Windows Server 2003 or higher, and the schema version set to 56.
Step 2: Prep the Original Domain Controller
Once you have all the parts necessary to clone, start the process by adding the virtualized domain controller you will be using as the source to the Cloneable Domain Controllers group. Accomplish this with the Add-ADGroupMember cmdlet in Powershell:
This gives the domain controller the permissions it needs to be cloned.
But there may be some roles or programs installed on the domain controller that do not support cloning, like DHCP or Active Directory Certificate Services. To identify these programs and exclude them from the process of cloning, run the command Get-ADDCCloningExcludedApplicationList.
Step 3: Mapping DNA
The next step involves creating a configuration file for clones, somewhat like mapping out the genome of your domain controller so it can be copied. Use the command New-ADDCCloneConfigFile and name the new clone that will be built with the file like so:
The command will prompt a number of tests that verify if all the conditions are in order: the domain controller running a PDC Emulator must be online, the domain controller must be in the “cloneable” group, and no unsupported applications must be found.
Step 4: Pack up the Clone Car
The penultimate step has you exporting the cloned domain controller. Shut down the source domain controller and export it to a folder:
Step 5: Attack of the Clone
Access that folder from the second server with the Hyper-V role installed and import the VM, making sure you create a new unique ID when doing so:
That first cloned domain controller can be imported into as many member servers on your network as needed, giving you the ability to swiftly rebuild your Active Directory environment. In addition to quickly reconstructing your network after a disaster, you can also use cloned domain controllers to quickly build a testing environment or scale up an existing domain.