Page 1: Understand and Troubleshoot Virtualized Domain Controller in Windows Server 8 Beta

Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta

Microsoft Corporation

Published: February 2012

Abstract

This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Virtualized Domain Controller in Windows Server "8" Beta. This UTG provides you with:

• A technical overview and functional description of this feature.
• Technical concepts to help you successfully install, configure, and manage this feature.
• User Interface options and settings for configuration and management.
• Relevant architecture of this feature, with dependencies, and technical implementation.
• Primary troubleshooting tools and methods for this feature.


Copyright information

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2012 Microsoft. All rights reserved.

Active Directory, Hyper-V, Microsoft, Visual Studio, Windows, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.


About the Author

Author: Ned Pyle

Bio: Ned Pyle is a Senior Support Escalation Engineer with Microsoft Commercial Technical Support in Charlotte, North Carolina, USA. He specializes in Directory Services troubleshooting and advisory services. He has authored and contributed to TechNet whitepapers and Knowledgebase articles. Ned also has credits in several Microsoft Press books. He teaches Microsoft employees new product architecture, is a Microsoft Certified Master instructor, and is a Microsoft Certified Trainer. He edits the official Microsoft Directory Services blog, AskDS.


Contents

Understand and Troubleshoot Guides  1
    About the Understand and Troubleshoot Guides  1
Introducing Virtualized Domain Controller  2
    What Is Virtualized Domain Controller?  2
    Purpose & Benefits  3
Technical Overview  5
    Prerequisites  5
    Functional Descriptions  5
        Virtual Domain Controller Cloning  5
        Virtual Domain Controller Safe Restore  6
Deploying Virtualized Domain Controller  7
    Installation Considerations  7
    Platform Requirements  7
    Critical Caveats  8
Virtualized Domain Controller Cloning  9
    1. Validate the Hypervisor  11
    2. Create XML  11
        Using a Blank DcCloneConfig.xml File  11
        Using Get-ADDCCloningExcludedApplicationList to Detect Compatibility Issues and Create CustomDCCloneAllowList.xml  11
        XML Details and Behaviors  14
        Using an XML Editor  18
        Adding XML to the Running Source DC  29
    3. Verify the PDCE FSMO role  32
        Active Directory Users and Computers Method  32
        Windows PowerShell Method  32
        Validate PDCE Availability  33
    4. Authorize a Source DC  34
        Active Directory Administrative Center Method  34
        Windows PowerShell Method  34
        Rebuilding Default Permissions  35
    5. Remove Incompatible applications or services (if not using CustomDCCloneAllowList.xml)  36
    6. Take the Source Domain Controller Offline  36
        Graphical Method  36
        Windows PowerShell Method  37
    7. Copy Disks  38
        Manually Copying Disks  39
        Exporting the VM  42
        Adding XML to the Offline System Disk  43
    8. Create the New Virtual Machine  47
        Associating a New VM with Copied Disks  47
        Import VM  48
    9. Clone the New Virtual Machine  53
Virtualized Domain Controller Safe Restore  55
    Validate the Hypervisor  55
    Validate the Replication Topology  55
        Writable Domain Controller Contact  55
        Simultaneous Restore  56
        Post-Snapshot Replication  56
    Windows PowerShell Snapshot Cmdlets  58
    Further Recommendations  58
Troubleshooting  60
    Introduction  60
    Troubleshooting VDC Cloning  60
        Tools for Troubleshooting  62
        General Methodology for Troubleshooting Domain Controller Cloning  63
        Troubleshooting Specific Problems  65
        Advanced Troubleshooting  86
    Troubleshooting VDC Safe Restore  111
        Tools for Troubleshooting  111
        General Methodology for Troubleshooting Domain Controller Safe Restore  112
        Troubleshooting Specific Problems  113
        Advanced Troubleshooting  121
Appendices  130
    Terminology  130
    VDC Cloning Architecture  131
        Overview  132
        Detailed Processing (using Microsoft Hyper-V)  132
    VDC Safe Restore Architecture  136
        Overview  136
        Detailed Processing (using Microsoft Hyper-V)  137
    FixVDCPermissions.ps1  139
    The DCCloneConfigSchema.XSD  140
    The SampleDCCloneConfig.XML  142
    The DefaultDCCloneAllowList.XML  142
    List of default compatible cloning components  155
    DRS API Extension for Cloning  160
    Windows PowerShell Module Loading  161
Additional Resources  162

Understand and Troubleshoot Guides

About the Understand and Troubleshoot Guides

The Understand and Troubleshoot Windows Server "8" Beta Guides support you in developing awareness of key technical concepts, architecture, functionality, and troubleshooting tools and techniques. This understanding enables a successful early adoption experience during the pre-RTM product evaluation phase. This guide contains Level 300 material intended for administrators and architects, and assumes the reader already has extensive knowledge of existing features in previous operating systems.


Introducing Virtualized Domain Controller

Windows Server "8" Beta introduces the first specific virtualization capabilities to Active Directory Domain Services. Virtualized Domain Controller (VDC) takes lessons learned from twelve years of virtualizing Active Directory and makes a more supportable, more flexible, more intuitive administrative experience for architects and administrators.

What Is Virtualized Domain Controller?

Virtualized Domain Controller creates two new key capabilities:

• Domain controllers can be safely cloned to deploy additional capacity and save configuration time.
• Accidental restoration of domain controller snapshots does not disrupt your AD DS environment.

More Information:

To read more about new features that are not in this document's scope:

• For AD DS deployment and management improvements, see the Understand and Troubleshoot AD DS Simplified Administration in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237244
• For Dynamic Access Control and Kerberos capabilities, see the Understand and Troubleshoot Dynamic Access Control in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237254
• For GMSA and Kerberos capabilities, see the Understand and Troubleshoot Enhanced Security in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237243

VDC also profits from many other new features included in Windows Server "8" Beta, such as:

• NIC teaming and Datacenter Bridging
• Unified Remote Access AD site awareness
• DNS Security and faster AD-integrated zone availability after boot
• Hyper-V reliability and scalability improvements
• BitLocker Network Unlock
• Additional Windows PowerShell component administration modules


More Information:

To read more about new features that are not in this document's scope:

• For Unified Remote Access capabilities, see the Understand and Troubleshoot Unified Remote Access in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237246
• For DNS capabilities, see the Understand and Troubleshoot DNS Security Extensions (DNSSEC) in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237248
• For Hyper-V capabilities, see the Understand and Troubleshoot Hyper-V Virtual Network Switch in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237247 and the Understand and Troubleshoot Hyper-V Replica in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237258
• For BitLocker capabilities, see the Understand and Troubleshoot BitLocker in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237139

Purpose & Benefits

Cloning Domain Controllers

Domain controllers have unique characteristics that make duplication very dangerous. For instance, two domain controllers cannot coexist in the same forest with the same name, invocation ID, and security identifier. In Windows Server 2008 R2 and older operating systems, every virtualized domain controller requires manual promotion as a uniquely built guest computer.

Windows Server "8" Beta introduces virtualized domain controller cloning. You no longer have to repeatedly deploy a sysprepped server image and then manually promote the domain controller. Instead, the cloned domain controller automatically syspreps (based on settings in DefaultDCCloneAllowList.xml) and promotes with the existing local AD DS data as installation media, consuming administrator-provided settings like computer name and IP address. This allows faster deployment of new domain controllers in production or test labs, simpler disaster recovery, and the ability to scale out in hosting and branch office scenarios.

Safe Backup and Restore of Domain Controllers

Virtualization creates unique challenges for distributed multi-master workloads that depend upon logical clock-based replication schemes. AD DS replication uses an increasing transaction value assigned to transactions on each domain controller, known as an Update Sequence Number (USN). If a domain controller "rolls back" time during application of a snapshot, a USN may be reused for an entirely different transaction; replication cannot converge, since other domain controllers believe they already received the update.

Virtualization technology such as Hyper-V includes snapshot abilities, where you create an image of a domain controller at a point in time. Restoring the snapshot discards all changes made since that checkpoint and, in previous operating systems, forces the domain controller to quarantine itself with a process called USN rollback protection. Once USN rollback protection is in place, a domain controller no longer replicates and must be either forcibly demoted or manually restored non-authoritatively. In cases where the domain controller has originated changes since the snapshot was taken, it also leads to lingering objects.

Windows Server "8" Beta now detects rollbacks and non-authoritatively synchronizes the delta of changes between a domain controller and its partners for AD DS and SYSVOL. You can now use snapshots without risk of permanently crippling domain controllers and requiring manually forced demotion, metadata cleanup, and re-promotion. While this does not prevent other issues with snapshots - such as inconsistent databases for other technologies and applications - it does make domain controller virtualization safer.

More Information:

For more information about USN and Invocation ID, review How the Active Directory Replication Model Works: http://technet.microsoft.com/en-us/library/cc772726(WS.10).aspx

For more information about USN rollback protection in Windows Server 2008 R2, review Running Domain Controllers in Hyper-V: http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=WS.10)#usn_and_usn_rollback


Technical Overview

Prerequisites

This guide assumes familiarity with previous releases of Active Directory Domain Services as well as virtualization technology like Hyper-V or other hypervisors, and does not provide foundation detail around their purpose and functionality. The focus of this guide is to provide information and guidance on the new features and improvements introduced in Windows Server "8" Beta.

More Information:

For more information about AD DS, see the TechNet Portal pages linked below:

• Active Directory Domain Services for Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/dd378801(WS.10).aspx
• Active Directory Domain Services for Windows Server 2008: http://technet.microsoft.com/en-us/library/dd378891(WS.10).aspx
• Windows Server Technical Reference: http://technet.microsoft.com/en-us/library/cc739127(WS.10).aspx

For more information about Hyper-V, see the TechNet Portal pages linked below:

• Hyper-V Server Portal: http://www.microsoft.com/en-us/server-cloud/hyper-v-server/default.aspx
• Windows Server 2008 R2 Hyper-V Portal: http://www.microsoft.com/en-us/server-cloud/windows-server/hyper-v.aspx
• Hyper-V TechNet Library for Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/cc753637(WS.10).aspx

Functional Descriptions

Virtual Domain Controller Cloning

Windows Server "8" Beta implements cloning by extending the existing virtualization and domain controller promotion processes. Instead of creating sysprepped copies of workgroup computers and then manually promoting them using Server Manager or the ADDSDeployment Windows PowerShell module, an administrator creates a DcCloneConfig.xml file containing the unique server configuration and copies it into the DSA Working Directory (the location where the AD DS database resides; C:\Windows\NTDS, by default). A virtualization administrator takes the domain administrator-authorized virtual machine offline and copies its drive or exports the computer. The administrator creates a new virtual machine - using the copied or exported computer - without any other changes required, and the server automatically promotes as a unique domain controller, using the previous domain controller data as source media.

Alternatively, domain administrators can mount the offline disk and add the XML files, which allows for factory-like automation using new Windows PowerShell options included in Windows Server "8" Beta. If there are any problems or signs of uniqueness duplication - such as a duplicate IP address or name - the promotion blocks and the cloned domain controller switches to DS Restore Mode for analysis. Cloning can be made entirely automatic, including name generation and IP addressing using DHCP.

VDC cloning allows:

• Swift domain controller deployment in a new forest or domain

• Scalable provisioning of domain controllers to handle increased load

• Rapid rollout of replacement domain controllers during disaster recovery, such as flooding or fire, an AD DS forest compromised by intrusion, or loss of virtualization host hardware

• Quick provisioning of test lab environments

There is clear role separation between domain administrators and virtualization administrators when cloning. Hypervisor admins cannot deploy replica domain controllers by simply copying virtual machines; the domain admins authorize selected domain controllers for cloning. The virtualization admins then deploy the authorized clones. This ensures that unauthorized users do not create new rogue domain controllers.

Critical: Anyone allowed to administer the hypervisor must be highly trusted and audited in the environment. They still have the ability to make copies of domain controllers for offline attack or sale to malicious third parties. Microsoft suggests legally bonding administrators against exceeding their access and contacting law enforcement authorities if suspecting employees of theft.

Note: There is no graphical interface to create the cloning XML files. However, there is a Windows PowerShell script in development for out of band release, and the XML schema is included. These - and use of simple XML editorial tools - are described later in this guide.

Virtual Domain Controller Safe Restore

Windows Server "8" Beta virtualized domain controller safe restore resets the DC's unique Invocation ID. Since other domain controllers do not recognize the new Invocation ID, they conclude that they have not already seen these USNs and accept the updates, allowing the directory to converge. The domain controller also discards the now-duplicated local Relative Identifier (RID) pool and non-authoritatively restores the SYSVOL folder. This means that accidentally restoring a snapshot is no longer an unsafe operation on domain controllers.

More Information:

For more information about these topics, review the architecture section of this guide in the appendix.
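To make the USN and Invocation ID reasoning from the Safe Backup and Restore section and the Safe Restore description above concrete, here is a small simulation added for this guide; it is constructed for illustration and is neither Microsoft code nor the AD DS implementation. The DC names, invocation ID strings and object names are assumed; it also shows that a change originated after the snapshot but never replicated is lost under either kind of restore, as the Critical Caveats section states.

```python
"""Toy model of AD DS replication bookkeeping (invocation ID plus USN).

Constructed for illustration, not the AD DS implementation. It shows why a
restored snapshot that keeps its invocation ID never converges, and why a
reset invocation ID (safe restore) lets partners accept the post-restore
changes and lets the restored DC pull back what it had already replicated.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Change:
    inv_id: str  # invocation ID of the originating DC
    usn: int     # originating USN assigned on that DC
    obj: str     # object written
    value: str


@dataclass
class DomainController:
    name: str
    inv_id: str
    highest_usn: int = 0
    # Up-to-dateness vector: highest originating USN seen per invocation ID.
    utd: dict[str, int] = field(default_factory=dict)
    changes: list[Change] = field(default_factory=list)
    data: dict[str, str] = field(default_factory=dict)

    def write(self, obj: str, value: str) -> Change:
        """Originate a change under the next local USN and our invocation ID."""
        self.highest_usn += 1
        ch = Change(self.inv_id, self.highest_usn, obj, value)
        self.changes.append(ch)
        self.data[obj] = value
        self.utd[self.inv_id] = self.highest_usn
        return ch

    def replicate_from(self, src: DomainController) -> int:
        """Pull changes whose (invocation ID, USN) lies above our UTD vector."""
        pulled = 0
        for ch in src.changes:
            if ch.usn > self.utd.get(ch.inv_id, 0):
                self.changes.append(ch)
                self.data[ch.obj] = ch.value
                self.utd[ch.inv_id] = max(self.utd.get(ch.inv_id, 0), ch.usn)
                pulled += 1
        return pulled


def restore_unsafe(snap: DomainController) -> DomainController:
    """Pre-Windows Server "8" behaviour: the invocation ID is kept, so USNs
    issued after the snapshot point are reused for different transactions."""
    return copy.deepcopy(snap)


def restore_safe(snap: DomainController, new_inv_id: str) -> DomainController:
    """Safe restore as the guide describes: new invocation ID. The old ID is
    retired in the UTD vector at the snapshot USN, so partners still hand back
    the changes this DC originated after the snapshot."""
    dc = copy.deepcopy(snap)
    dc.utd[dc.inv_id] = dc.highest_usn
    dc.inv_id = new_inv_id
    dc.utd[new_inv_id] = 0
    return dc


def run_scenario(safe: bool) -> dict:
    """Snapshot DC1 at USN 3, replicate USNs 4..6 out, restore, then write again."""
    dc1 = DomainController("DC1", "inv-A")   # assumed names and IDs
    dc2 = DomainController("DC2", "inv-P")
    for i in range(3):
        dc1.write(f"user{i}", "created")
    dc2.replicate_from(dc1)
    snap = copy.deepcopy(dc1)                # snapshot taken at USN 3
    for i in range(3, 6):
        dc1.write(f"user{i}", "created")     # USNs 4..6, replicated out
    dc2.replicate_from(dc1)
    dc1.write("orphan", "created")           # USN 7, never replicated: lost
    dc1 = restore_safe(snap, "inv-B") if safe else restore_unsafe(snap)
    for i in range(3):
        dc1.write(f"group{i}", "created")    # local USNs 4..6 issued again
    to_dc2 = dc2.replicate_from(dc1)
    to_dc1 = dc1.replicate_from(dc2)
    seen = {(c.inv_id, c.usn): c.obj for c in dc2.changes}
    collisions = sum(1 for c in dc1.changes
                     if seen.get((c.inv_id, c.usn), c.obj) != c.obj)
    return {
        "dc2_received": to_dc2,
        "dc1_received": to_dc1,
        "usn_collisions": collisions,
        "converged": dc1.data == dc2.data,
        "orphan_survived": "orphan" in dc1.data or "orphan" in dc2.data,
    }
```

Call run_scenario(False) and run_scenario(True): with the invocation ID kept, DC2 accepts nothing and three (invocation ID, USN) pairs now name different objects on the two DCs; with the reset ID, both partners exchange three changes and converge.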


Deploying Virtualized Domain Controller

Installation Considerations

There is no special role or feature installation for VDC; all domain controllers automatically contain cloning and safe restore capabilities. You cannot remove or disable these capabilities.

Use of Windows Server "8" Beta domain controllers - and therefore VDC - requires the Windows Server "8" Beta AD DS schema (version 52) and a forest functional level of Windows Server 2003 Native or higher.

Both writable and read-only domain controllers support all aspects of virtualized DC, as do Global Catalogs and FSMO roles, with the exception that the PDC emulator must be accessible during cloning.

Important: In Windows Server "8" Beta only, you cannot use the PDC emulator as a source computer to copy and clone. Naturally, this also means you cannot use a domain that contains only one domain controller. This may change in future releases of Windows Server "8" Beta.

Platform Requirements

Virtualized Domain Controller cloning requires:

• PDC emulator FSMO role transferred to a Windows Server "8" Beta DC
• PDC emulator available during cloning operations

Both VDC cloning and safe restore require:

• Windows Server "8" Beta virtualized guests
• A virtualization host platform that supports VM-Generation ID (VMGID)

Review the table below for known configurations as of this writing:

Virtualization Product                                            | Supports VDC and VMGID
------------------------------------------------------------------|-----------------------
Microsoft Windows Server "8" Beta server with Hyper-V Feature     | Yes
Microsoft Windows Server "8" Beta Hyper-V Server                  | Yes
Microsoft Windows 8 Consumer Preview with Hyper-V Client Feature  | Yes
Microsoft Windows Server 2008 and Windows Server 2008 R2          | No
Non-Microsoft virtualization solutions                            | Contact vendor

Figure 1

Note: Even though Microsoft supports Windows 7 Virtual PC, Virtual PC 2007, Virtual PC 2004, and Virtual Server 2005 as of this writing, they are incapable of running 64-bit guests.

More Help:

For help with third party virtualization products and their support stance with VDC, contact that vendor directly.

For more information, review Support policy for Microsoft software running in non-Microsoft hardware virtualization software.

Critical Caveats

VDC does not support safe restore of the following:

• VHD and VHDX files manually copied over existing VHD files
• VHD and VHDX files restored using file backup or full disk backup software

Note: VHDX files are new to Windows Server "8" Beta Hyper-V.

Neither of these operations is a snapshot restoration, and therefore neither invokes the VM-Generation ID process. Restoring domain controllers using these methods could result in a USN rollback that either quarantines the domain controller or introduces lingering objects. If the restoration is older than the tombstone lifetime, this creates the potential for lingering objects and a USN bubble; the bubble is the set of changes that diverge between the two domain controllers. USN rollback protection does not quarantine the domain controller in this case, potentially leading to lingering objects and the need for forest-wide cleanup operations.

Critical: VDC safe restore is not a replacement for system state backups and the AD DS Recycle Bin. After restoring a snapshot, the deltas of previously un-replicated changes originating from that domain controller after the snapshot are permanently lost. Safe restore implements automated non-authoritative restoration to prevent accidental domain controller quarantine only.

More Information:

For more information about USN bubbles and lingering objects, see Troubleshooting Active Directory operations that fail with error 8606: "Insufficient attributes were given to create an object"


Virtualized Domain Controller Cloning

There are a number of stages and steps to cloning a virtualized domain controller, regardless of using graphical tools or Windows PowerShell. At a high level, the three stages are:

A. Prepare the environment

1. Validate that the hypervisor supports VM-Generation ID and therefore, cloning

2. Create XML and copy it to the source DC

3. Verify the PDCE FSMO role

B. Prepare the source domain controller

4. Authorize a domain controller for cloning

5. Remove incompatible components

6. Take the source domain controller offline

C. Create the cloned domain controller

7. Copy or export the source VM and add the XML if not already copied

8. Create a new virtual machine from the copy

9. Start the new virtual machine to commence cloning

Because Microsoft only maintains Hyper-V and cannot include steps for third party products like Citrix's Xen or EMC's VMware, this document implements all steps with Windows Server "8" Beta Hyper-V. Contact your vendor for their product-specific steps; Microsoft cannot document them here.

There are no procedural differences in the operation when using graphical tools like the Hyper-V Management Console or command-line tools like Windows PowerShell, so the steps are presented only once with both interfaces. This guide provides Windows PowerShell samples for you to explore end-to-end automation of the cloning process; they are not required for any steps. There is no graphical management tool for VDC included in Windows Server "8" Beta.

There are several points in the procedure where you have choices for how to create the cloned computer and how you add the XML files; these steps are noted in the details below. The process is otherwise unalterable.

The diagram below illustrates the virtualized domain controller cloning process, where the domain already exists.


Figure 2

Important: For details on how the cloning process works at first boot, see the Architecture section. For issues, see the Troubleshooting section.

For test lab steps, see Test Lab Guide: Demonstrate Windows Server "8" Beta Virtualized Domain Controller (VDC): http://go.microsoft.com/fwlink/p/?LinkId=237261

For a step-by-step guide, see the AD DS Virtualization (Cloning and Virtualization safe improvements) guide: http://go.microsoft.com/fwlink/p/?LinkID=238316


Note: All scenarios are described using the following sample conventions:

The Windows Server "8" Beta forest is corp.contoso.com

Domain controllers are named in the pattern DC1, DC2, etc.

1. Validate the Hypervisor

Ensure the source domain controller is running on a supported hypervisor by reviewing vendor documentation. VDC is hypervisor agnostic and does not require Hyper-V.

Review the previous Platform Requirements section in this guide for known VM-Generation ID support.

2. Create XML

The DcCloneConfig.xml file is required for cloning domain controllers. Its contents allow you to specify unique details like the new computer name and IP address.

The CustomDCCloneAllowList.xml file is optional unless you install applications or incompatible Windows services on the source domain controller. The files require precise naming, formatting, and placement; otherwise, cloning fails.

Using a Blank DcCloneConfig.xml File

Optionally, you can create a blank DcCloneConfig.xml file. If provided a blank file, cloning configures the domain controller automatically, using the rules specified in the DcCloneConfig.XML Definitions and Behaviors section below. Otherwise, you must populate that file with valid custom settings.

Using Get-ADDCCloningExcludedApplicationList to Detect Compatibility Issues and Create CustomDCCloneAllowList.xml

The ActiveDirectory Windows PowerShell module contains a new cmdlet in Windows Server "8" Beta:

Get-ADDCCloningExcludedApplicationList

You must run this cmdlet on a source domain controller before cloning it. The cmdlet has no arguments. This cmdlet scans a source computer for applications not listed as allowed with VDC cloning and returns the list; any services or installed programs in that list cause the cloning engine to abort.


In the example below, there are no incompatible services or programs installed.

Figure 3

In this example though, there are incompatibilities detected because of the DHCP service:

Figure 4

In this final example, there are potential incompatibilities because you installed the Microsoft Forefront Endpoint Protection program:

Figure 5

Important: Microsoft Forefront is not necessarily incompatible with cloning. VDC in Windows Server "8" Beta always assumes that any programs not included with Windows are risky and, as a safeguard, forces you to allow them.

The allow list of supported cloneable applications and services is stored in c:\windows\system32\DefaultDCCloneAllowList.XML. See the Appendix for more information.


You must choose to either remove the incompatible applications and components or override the cloning block using the CustomDCCloneAllowList.xml file. For the previous example, where you installed Microsoft Forefront Endpoint Protection, the CustomDCCloneAllowList.xml configuration needed is:

<?xml version="1.0" encoding="utf-8" ?>
<!-- Allow migration of a computer using MSFFEP file -->
<AllowList>
  <Allow>
    <Name>Microsoft Forefront Endpoint Protection</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>Microsoft Antimalware</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>Microsoft Forefront Endpoint Protection 2010 Server Management</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>Microsoft Security Client</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>PrintNotify</Name>
    <Type>Service</Type>
  </Allow>
  <Allow>
    <Name>MsMpSvcy</Name>
    <Type>Service</Type>
  </Allow>
  <Allow>
    <Name>NisSrv</Name>
    <Type>Service</Type>
  </Allow>
</AllowList>

The guide describes the definitions of this XML file and using an XML editor later in this section.


XML Details and Behaviors

Formatting Rules

The DcCloneConfig.xml and CustomDCCloneAllowList.xml files are critical to cloning. Since editing XML files is uncommon for domain administrators and these files are proprietary, it is important to understand the terms and rules around formatting:

Figure 6

1. The file names are not alterable and are:

DcCloneConfig.xml

CustomDcCloneAllowList.xml

2. The elements (fields inside of <>) are case-sensitive

3. The element's start and end tags must match

4. The data inside elements are not case-sensitive, but are format-sensitive. For example, you cannot provide the IPv4 address in any form but w.x.y.z, with valid IPv4 integers provided in each octet. Likewise, a computer name must be 15 characters or fewer and use only valid characters

5. Any empty or missing elements are handled automatically during cloning (see DcCloneConfig.XML Definitions and Behaviors section below)

6. If any element data duplicates the source computer, cloning does not proceed. For example, you cannot set the IP address to match the old computer IP address

7. The XML follows the rules of included XML schema file c:\windows\system32\DCCloneConfigSchema.xsd
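The following PowerShell function is an added example, not code from the guide; it checks a DcCloneConfig.xml against the rules above with a real XML parser and the schema, so a mismatched or mis-cased tag is caught before the file ever reaches the source DC. It assumes the schema sits at %windir%\system32\DCCloneConfigSchema.xsd (as the guide states); the sample paths and the source address are placeholders.

```powershell
# Added example, not the guide's own code: validates a DcCloneConfig.xml file
# against the formatting rules (file name, well-formedness, schema, IPv4 format,
# computer name length, no duplicate of the source address).
function Test-IPv4DottedQuad {
    param([string] $Value)
    # Rule 4: w.x.y.z only, each octet an integer 0-255 ([ipaddress] would accept other forms).
    if ($Value -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') { return $false }
    foreach ($octet in $Value.Split('.')) { if ([int]$octet -gt 255) { return $false } }
    return $true
}

function Test-DcCloneConfig {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $SourceIPv4Address,          # current address of the source DC (rule 6)
        [string] $SchemaPath = (Join-Path $env:windir 'system32\DCCloneConfigSchema.xsd')
    )
    # Every finding is collected; an empty result means the file passed all checks.
    $problems = New-Object System.Collections.Generic.List[string]

    # Rule 1: the file name is fixed (NTFS compares names case-insensitively).
    $leaf = Split-Path -Path $Path -Leaf
    if ($leaf -ne 'DcCloneConfig.xml') {
        $problems.Add("File must be named DcCloneConfig.xml, found '$leaf'")
    }

    # Rules 2 and 3: XmlDocument.Load rejects mismatched or mis-cased tags.
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.Load($Path) }
    catch {
        $problems.Add("Not well-formed XML: $($_.Exception.Message)")
        return $problems    # nothing further can be checked
    }

    # Rule 7: validate against DCCloneConfigSchema.xsd. With a null handler,
    # Validate() throws on the first violation instead of raising events.
    if (Test-Path -Path $SchemaPath) {
        [void]$doc.Schemas.Add([string]$null, $SchemaPath)
        try { $doc.Validate($null) }
        catch { $problems.Add("Schema violation: $($_.Exception.Message)") }
    } else {
        $problems.Add("Schema not found at $SchemaPath; schema validation skipped")
    }

    # Rule 4 (names): 15 characters or fewer; letters, digits and hyphen is a
    # conservative reading of "valid characters".
    $nameNode = $doc.GetElementsByTagName('ComputerName') | Select-Object -First 1
    if ($nameNode -and $nameNode.InnerText) {
        $name = $nameNode.InnerText
        if ($name.Length -gt 15 -or $name -notmatch '^[A-Za-z0-9-]+$') {
            $problems.Add("ComputerName '$name' must be 15 characters or fewer and use only letters, digits and hyphens")
        }
    }

    # Rule 4 (addresses): every populated leaf under IPv4Settings must be a dotted quad.
    # The child elements carry no namespace prefix, so a plain tag-name lookup finds them.
    $ipv4 = $doc.GetElementsByTagName('IPv4Settings') | Select-Object -First 1
    if ($ipv4) {
        foreach ($leafNode in $ipv4.SelectNodes('.//*[not(*)]')) {
            $value = $leafNode.InnerText.Trim()
            if ($value -and -not (Test-IPv4DottedQuad $value)) {
                $problems.Add("$($leafNode.Name) value '$value' is not a valid w.x.y.z IPv4 address")
            }
            # Rule 6: the clone may not reuse the source DC's address.
            if ($leafNode.Name -eq 'Address' -and $SourceIPv4Address -and $value -eq $SourceIPv4Address) {
                $problems.Add("Address '$value' duplicates the source domain controller; cloning would not proceed")
            }
        }
    }
    return $problems
}

# Placeholder path and address; no output means the file passed every check.
# Test-DcCloneConfig -Path 'C:\clone\DcCloneConfig.xml' -SourceIPv4Address '10.0.0.10'
```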

More Information:

For explanations of XML terms, review the MSDN XML Glossary:


Template SampleDcCloneConfig.xml

The following sample is also located at %systemroot%\system32\SampleDCCloneConfig.xml on any Windows Server "8" Beta domain controller.

<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
  <ComputerName></ComputerName>
  <SiteName></SiteName>
  <IPSettings>
    <IPv4Settings>
      <StaticSettings>
        <Address></Address>
        <SubnetMask></SubnetMask>
        <DefaultGateway></DefaultGateway>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <PreferredWINSServer></PreferredWINSServer>
        <AlternateWINSServer></AlternateWINSServer>
      </StaticSettings>
    </IPv4Settings>
    <IPv6Settings>
      <StaticSettings>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
      </StaticSettings>
    </IPv6Settings>
  </IPSettings>
</d3c:DCCloneConfig>


DcCloneConfig.XML Definitions and Behaviors

Each of the elements in the DcCloneConfig.xml describes a unique aspect of the computer. Not providing certain elements may lead to an unfavorable administrative experience, or cause cloning to fail:

Element: SiteName
Data: AD logical site the domain controller joins at promotion
Result if not provided: Joins the same site as the source computer being cloned (even for cloned read-only domain controllers)

Element: ComputerName
Data: New computer name of the DC
Result if not provided: Automatically assigned as the first seven characters of the source computer name, a hyphen, the letters "CL", and an incrementing number from 0001 to 9999 (example: a server named DCWaukeganIL becomes DCWauke-CL0001)

Element: Address (within <IPv4Settings><StaticSettings>)
Data: New IPv4 address of the DC
Result if not provided: Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address auto-configuration (SLAAC) and no IPv4 DHCP is available

Element: SubnetMask (within <IPv4Settings><StaticSettings>)
Data: New IPv4 subnet mask of the IPv4 address
Result if not provided: Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address auto-configuration (SLAAC) and no IPv4 DHCP is available

Element: DefaultGateway (within <IPv4Settings><StaticSettings>)
Data: New IPv4 gateway for the IPv4 address and subnet
Result if not provided: Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address auto-configuration (SLAAC) and no IPv4 DHCP is available

Element: DNSResolver (within <IPv4Settings><StaticSettings>)
Data: IPv4 address of a DNS server. If using multiple entries, in order of primary, secondary, tertiary, etc.
Result if not provided: Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address auto-configuration (SLAAC) and no IPv4 DHCP is available

Element: PreferredWINSServer (within <IPv4Settings><StaticSettings>)
Data: IPv4 address of the primary WINS server
Result if not provided: Cloning proceeds

Element: AlternateWINSServer (within <IPv4Settings><StaticSettings>)
Data: IPv4 address of the secondary WINS server
Result if not provided: Cloning proceeds

Element: DNSResolver (within <IPv4Settings><DynamicSettings>)
Data: IPv4 address of a DNS server when using DHCP without scope options. If using multiple entries, in order of primary, secondary, tertiary, etc.
Result if not provided: Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address auto-configuration (SLAAC) and no IPv4 DHCP is available

Element: PreferredWINSServer (within <IPv4Settings><DynamicSettings>)
Data: IPv4 address of the primary WINS server when using DHCP without scope options
Result if not provided: Cloning proceeds

Element: AlternateWINSServer (within <IPv4Settings><DynamicSettings>)
Data: IPv4 address of the secondary WINS server when using DHCP without scope options
Result if not provided: Cloning proceeds

Element: DNSResolver (within <IPv6Settings><DynamicSettings>)
Data: IPv6 address of a DNS server when using DHCP or SLAAC without scope options. If using multiple entries, in order of primary, secondary, tertiary, etc.
Result if not provided: Cloning fails if no valid dynamic IPv6 address is set and no IPv4 DHCP is available

Figure 7

Important: Cloning does not support using static IPv6 entries in Windows Server "8" Beta. You must use IPv6 DHCP or IPv6 stateless address auto-configuration (SLAAC).

Template CustomDCCloneAllowList.xml

<?xml version="1.0" encoding="utf-8" ?>
<!-- Empty sample CustomDCCloneAllowList.xml file -->
<AllowList>
  <Allow>
    <Name></Name>
    <Type>Service</Type>
  </Allow>
  <Allow>
    <Name></Name>
    <Type>Program</Type>
  </Allow>
</AllowList>

Note: Post-beta versions of Windows Server "8" Beta may include the ability to generate a CustomDCCloneAllowList.xml populated with all detected non-allow list programs and services. In Windows Server "8" Beta, however, you must create this XML file manually.


CustomDCCloneAllowList.XML Definitions

Each of the elements in the CustomDCCloneAllowList.xml describes a service or program. Cloning fails unless you uninstall the offending service or program, or use the CustomDCCloneAllowList.XML to override the detection.

Element: Name
Data: Can contain either of the following values: the same service name as the SERVICE_NAME returned by SC.EXE QUERY, or a program name as listed in the DisplayName registry value of the subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Element: Type
Data: Can contain the value Service or Program

Figure 8

Using an XML Editor

There are two XML editors provided by Microsoft:

Visual Studio 2010 Express (free, supported) - Download: http://www.microsoft.com/visualstudio/en-us/products/2010-editions/visual-csharp-express

XML Notepad (free, unsupported) - Download: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7973

Both tools can either create or modify the Dccloneconfig.xml and CustomDCCloneAllowList.xml files safely, if used correctly. In the example below, you see how to create or customize a Dccloneconfig.xml file. You can use the same steps (with one exception noted below) for the CustomDCCloneAllowList.XML file.

Warning: Do not use simple text editors - such as Notepad.exe - that do not understand XML formatting and schema. The XML has strict syntax requirements and is case-sensitive; most mistakes in the XML are fatal to cloning.


Using Visual Studio 2010 Express C#

The VS 2010 Express suite of development tools contains an advanced, built-in XML editor. This guide uses the C# version, but any is acceptable and the steps do not change.

1. Install Visual Studio 2010.

2. Create a new empty project. This contains all your XML files.

Figure 9


Figure 10

3. Enable Expert Settings, using the Tools menu option. This exposes the XML schema later.

Figure 11


4. Using the Project menu, Add New Item and make it an XML file. The name is unimportant, as this is a sample for generating new XML files.

Figure 12

Figure 13


5. Using the XML menu, add the Schema DCCloneConfigSchema.xsd (which you can copy from any Windows Server "8" Beta domain controller's %windir%\system32 directory).

Figure 14

Figure 15

Important: This step applies only when creating or editing the DCCloneConfig.xml file. There is no schema file provided for CustomDCCloneAllowList.XML.

6. Paste in sample XML from this guide or from the provided templates and save your file and project. Using the View menu, add the Error List pane.

Note: All Windows Server "8" Beta domain controllers contain the template XML %windir%\system32\SampleDcCloneConfig.xml. The template CustomDCCloneAllowList.xml is described previously in this guide.

You now have a base xml file to use for all subsequent work. The base dccloneconfig.xml includes the schema, highlights all issues with underlining and explanation, and supports Intellisense modification and autocomplete. You can modify any element for your new clones, make copies, and can save off different versions of the XML for later review. You can also add comments.


For instance, here is a dccloneconfig.xml sample including the computer name, site, and IPv4 information for a new DC. In this instance, the XML element for Address is malformed in one tag (missing an s):

Figure 16


In this instance, the elements are complete, but the case is incorrect (should be uppercase A on Address):

Figure 17

As you can see from these examples, catching these mistakes in a text editor would have been very difficult and would require extraordinary attention to detail.

For environments using the full version of Visual Studio 2010 and Team Foundation Server, you can create a source control database to guarantee that all cloning info is tracked and checked in or out, minimizing the chance of duplication between administrators.


Using XML Notepad 2007

The older XML Notepad 2007 utility provides a simpler - albeit less sophisticated - editorial experience. This tool runs on Windows 8 Consumer Preview and Windows Server "8" Beta as long as the .Net 3.5.x runtimes are installed (they are not included with the OS by default). It is a free tool; it is not tested or supported by Microsoft Support and is provided strictly "as-is".

1. Install XML Notepad 2007 and launch it.

2. Paste in a sample from a SampleDccloneconfig.xml and save the file. Note how XML Notepad hides the XML tags from the reader in the tree view pane and shows the data in the right-hand pane, and how it does not expand the elements by default.

Figure 18


3. Use the View menu to Expand All nodes.

Figure 19

Figure 20


4. Use the View menu to add the c:\windows\system32\DCCloneConfigSchema.xsd, which you can find on any Windows Server "8" Beta domain controller.

Figure 21

Figure 22

You now have a dccloneconfig.xml to use for all subsequent work. It includes the schema, shows all issues in the Error List, and supports a dropdown menu of available elements in a given context. You can modify any element for your new clones and make copies.


For instance, here is a sample including the computer name, site, and IPv4 information for a new DC:

Figure 23


In this instance, the IPV4NetworkConfig Address element is invalid (should have an uppercase A):

Figure 24

Adding XML to the Running Source DC

Placement of the XML files is critical; if the DcCloneConfig.xml does not exist in the correct folder, then cloning does not occur. If the CustomDCCloneAllowList.xml does not exist in the correct folder, cloning may fail due to program or service allow list checking.

DcCloneConfig.xml Location

The following locations can contain the DcCloneConfig.xml file:

1. DSA Working Directory

2. %windir%\NTDS

3. Removable read/write media, in order of drive letter, at the root of the drive


These paths are not configurable. After cloning begins, the cloning process checks these locations in that specific 1-3 order and uses the first XML file found, regardless of the other folders' contents.

CustomDCCloneAllowList.xml Location

The following locations can contain the CustomDCCloneAllowList.xml file:

1. The folder named in the AllowListFolder (REG_SZ) value under HKey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters

2. DSA Working Directory

3. %windir%\NTDS

4. Removable read/write media, in order of drive letter, at the root of the drive

After cloning begins, the cloning process checks these locations in that specific 1-4 order and uses the first XML file found, regardless of the other folders' contents.

Optionally, you can copy the updated XML files to the running source domain controller. There is no harm in copying the files at this stage and restarting the source DC: the original domain controller will not clone, because the VM-Generation ID does not change on that computer until the copied virtual machine boots up and reads its AD DS information. After restarting, the source domain controller renames the clone file, appending a date-time stamp.

Copying the XML to the original source domain controller before taking it offline is advisable when cloning only once or when using a blank dccloneconfig.xml file.

To copy the file using Windows PowerShell, use the following cmdlet:

Copy-Item

Figure 25

Alternatively, you can copy the XML file to the mounted offline disk copied later in the cloning process below.

Determining the DSA Working Directory

It is critical to note the path to the AD DS database folder while the source domain controller is still online and running, as determining it on an offline domain controller is difficult. You can determine the path by examining the following DSA Working Directory REG_SZ registry value:

Key: HKEY_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters
Value: DSA Working Directory


To return the key without manually navigating through Regedit.exe, you can use the following Reg.exe command:

reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /t reg_sz /v "dsa working directory"

Figure 26

You can also use the following Windows PowerShell command:

get-itemproperty -path registry::hklm\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -name "dsa working directory" | format-list "dsa working directory"

Figure 27

You can combine get-itemproperty and copy-item in order to create automation. For example, to copy a remote dccloneconfig.xml to the local DSA working directory:

Figure 28
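The automation described above, as an added example rather than the guide's own Figure 28: it resolves the DSA Working Directory from the same registry value the reg.exe and get-itemproperty commands read, then copies a DcCloneConfig.xml into it with Copy-Item. It assumes it runs in an elevated console on the online source DC; the UNC source path is a placeholder.

```powershell
# Added example, not the guide's own code: copy a prepared DcCloneConfig.xml
# into the DSA Working Directory (the first location the cloning process checks).
function Copy-DcCloneConfigToDsaDirectory {
    param(
        [Parameter(Mandatory)] [string] $SourcePath,   # e.g. a share on the admin workstation
        [switch] $Force                                 # overwrite an existing clone file
    )
    # Same key and value the guide shows for reg.exe and get-itemproperty.
    $ntdsKey = 'registry::HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsaDir  = (Get-ItemProperty -Path $ntdsKey -Name 'DSA Working Directory').'DSA Working Directory'
    if (-not $dsaDir -or -not (Test-Path -Path $dsaDir)) {
        throw "DSA Working Directory is not set under $ntdsKey or the folder does not exist"
    }

    # The file name is not alterable (formatting rule 1); refuse anything else
    # rather than silently creating a file the cloning engine will never read.
    $leaf = Split-Path -Path $SourcePath -Leaf
    if ($leaf -ne 'DcCloneConfig.xml') {
        throw "Source must be named DcCloneConfig.xml (found '$leaf')"
    }

    # An existing DcCloneConfig.xml here means an earlier clone configuration is
    # still pending; only overwrite it when explicitly asked to.
    $destination = Join-Path -Path $dsaDir -ChildPath 'DcCloneConfig.xml'
    if ((Test-Path -Path $destination) -and -not $Force) {
        throw "$destination already exists; use -Force to overwrite it"
    }

    Copy-Item -Path $SourcePath -Destination $destination -Force:$Force
    Get-Item -Path $destination      # return the copied file so the caller can confirm path and timestamp
}

# Placeholder UNC path to a file prepared elsewhere:
# Copy-DcCloneConfigToDsaDirectory -SourcePath '\\ADMIN-WS\clone\DcCloneConfig.xml'
```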

Note: Ntdsutil.exe can also provide this information, but requires stopping the NTDS service, which prevents the domain controller from answering requests.


3. Verify the PDCE FSMO role

Before you attempt to clone a DC, you must validate that the domain controller hosting the Primary Domain Controller Emulator FSMO runs Windows Server "8" Beta. The PDC emulator (PDCE) is required for several reasons:

1. The PDCE creates the special Cloneable Domain Controllers group and sets its permission on the root of the domain to allow a domain controller to clone itself.

2. The cloning domain controller contacts the PDCE directly using the DRSUAPI RPC protocol, in order to create computer objects.

This also means when using non-fully routed networks, VDC cloning requires network segments with access to the PDCE. It is acceptable to move a cloned domain controller to a different network after cloning - just like a physical domain controller - as long as you are careful to update the AD DS logical site information.

Important: You cannot clone a domain controller in a domain that contains only that single domain controller. A domain must contain at least two domain controllers and the clone source cannot be the PDC emulator.

Active Directory Users and Computers Method

1. Using the Dsa.msc snap-in, right click the domain and click Operations Masters. Note the domain controller named on the PDC tab and close the dialog.

2. Right click that DC's computer object and click Properties, and then validate the Operating System info.

Windows PowerShell Method

You can combine the following ActiveDirectory Windows PowerShell Module cmdlets to return the version of the PDC emulator:

Get-ADDomainController

Get-ADComputer

If not provided the domain, these cmdlets assume the domain of the computer where run.

The following command returns PDCE and Operating System info:

get-adcomputer(Get-ADDomainController -Discover -Service "PrimaryDC").name -property * | format-list dnshostname,operatingsystem,operatingsystemversion


This example below demonstrates specifying the domain name and filtering the returned properties before the Windows PowerShell pipeline:

Figure 29

Validate PDCE Availability

To validate that the PDCE can be located, run the following Dcdiag.exe command from the server you plan to clone:

Dcdiag /test:locatorcheck /v

This returns the DCLocator status of the PDCE. For example:

Figure 30


To validate that the PDCE is accessible through the DRSUAPI RPC protocol, use Nltest.exe /dclist against the PDCE. That test exercises the DsGetDomainControllerInfo function, which is part of DRSUAPI.

Nltest /server:<PDCE> /dclist:<domain>

For example:

Figure 31

Important: Always perform these tests from a computer on the same network where the clone will reside.

4. Authorize a Source DC

The source domain controller must have the special domain head permission Allow a DC to create a clone of itself. By default, the well-known group Cloneable Domain Controllers has this permission and contains no members. The PDCE creates this group when that FSMO role transfers to a Windows Server "8" Beta domain controller.

Active Directory Administrative Center Method

1. Start Dsac.exe and navigate to the source DC, then open its detail page.

2. In the Member Of section, add the Cloneable Domain Controllers group for that domain.

Windows PowerShell Method

You can combine the following ActiveDirectory Windows PowerShell Module cmdlets to add the source domain controller to the Cloneable Domain Controllers group:

get-adcomputer

add-adgroupmember

For instance, this adds server DC1 to the group, without the need to specify the distinguished name of the group member:


Figure 32

Rebuilding Default Permissions

If you remove this permission from the domain head, cloning fails. You can recreate the permission using the Active Directory Administrative Center or Windows PowerShell.

Active Directory Administrative Center Method

1. Open Active Directory Administrative Center, right click the domain head, click Properties, click the Extensions tab, click Security, and then click Advanced. Click This Object Only.

2. Click Add, under Enter the object name to select, type the group name Cloneable Domain Controllers.

3. Under Permissions, click Allow a DC to create a clone of itself, and then click OK.

Note: You can also remove the default permission and add individual domain controllers. Doing so is likely to cause ongoing maintenance problems, however, where new administrators are unaware of this customization. Changing the default setting does not increase security and is discouraged.

Windows PowerShell Method

Use the following commands in an administrator-elevated Windows PowerShell console prompt. These commands detect the domain name and add back in the default permissions:

import-module activedirectory
# Switch to the AD: drive so get-acl/set-acl operate on directory objects
cd ad:
$domainNC = get-addomain
$dcgroup = get-adgroup "Cloneable Domain Controllers"
$sid1 = (get-adgroup $dcgroup).sid
# Read the domain head's current ACL
$acl = get-acl $domainNC
# Extended right "Allow a DC to create a clone of itself"
$objectguid = new-object Guid 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid1,"ExtendedRight","Allow",$objectguid
$acl.AddAccessRule($ace1)
# Write the ACL back to the domain head
set-acl -aclobject $acl $domainNC
cd c:

Alternatively, run the sample FixVDCPermissions.ps1 in a Windows PowerShell console started as an elevated administrator on a domain controller in the affected domain. It automatically sets the permissions. The sample is located in the appendix of this guide.
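The following is an added example, not the guide's FixVDCPermissions.ps1: a read-only audit of which principals hold "Allow a DC to create a clone of itself" on the domain head (the note above says only Cloneable Domain Controllers should), a readiness check for a chosen source DC, and the authorize step that the earlier Figure 32 illustrates for DC1. It uses the extended right GUID from the script above, assumes the ActiveDirectory module and the AD: drive are available, and the server name DC1 is the guide's sample convention.

```powershell
# Added example, not code from the guide: audit and check clone authorization.
Import-Module ActiveDirectory

# Extended right "Allow a DC to create a clone of itself" (GUID from the guide's script).
$CloneRightGuid = [Guid]'3e0f7e18-2c7a-4c10-ba82-4d926db99a3e'

function Get-VdcCloneRightHolders {
    # Every ACE on the domain head that grants or denies the clone extended right.
    $domainNC = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainNC"
    $acl.Access | Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $CloneRightGuid
    } | Select-Object IdentityReference, AccessControlType, IsInherited
}

function Test-VdcCloneAuthorization {
    # Returns findings that would stop cloning of $SourceDC; no output means ready.
    param([Parameter(Mandatory)] [string] $SourceDC)
    $findings = New-Object System.Collections.Generic.List[string]
    $domain   = Get-ADDomain
    $group    = Get-ADGroup -Identity 'Cloneable Domain Controllers'
    $holders  = @(Get-VdcCloneRightHolders)

    # Default state: exactly one Allow ACE, held by Cloneable Domain Controllers.
    $allowed = @($holders | Where-Object { $_.AccessControlType -eq 'Allow' })
    if ($allowed.Count -eq 0) {
        $findings.Add('No Allow ACE for the clone right on the domain head; cloning fails (see Rebuilding Default Permissions)')
    }
    foreach ($ace in $allowed) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -ne $group.SID.Value) {
            # A customized holder: flagged because the guide discourages it and
            # because an unexpected principal with this right warrants review.
            $findings.Add("Unexpected holder of the clone right: $($ace.IdentityReference)")
        }
    }

    # The clone source cannot be the PDC emulator (Verify the PDCE FSMO role).
    if ($domain.PDCEmulator -like "$SourceDC.*" -or $domain.PDCEmulator -eq $SourceDC) {
        $findings.Add("$SourceDC holds the PDC emulator role and cannot be a clone source")
    }

    # The source DC's computer object must be a member of the group.
    $computer = Get-ADComputer -Identity $SourceDC -Properties MemberOf
    if ($computer.MemberOf -notcontains $group.DistinguishedName) {
        $findings.Add("$SourceDC is not a member of Cloneable Domain Controllers")
    }
    return $findings
}

function Add-VdcCloneSource {
    # Equivalent of the guide's Figure 32: Get-ADComputer resolves the computer
    # object, so the member's distinguished name need not be typed by hand.
    param([Parameter(Mandatory)] [string] $SourceDC)
    Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity $SourceDC)
}

# Get-VdcCloneRightHolders                    # who holds the right today
# Test-VdcCloneAuthorization -SourceDC 'DC1'  # findings, or nothing when ready
# Add-VdcCloneSource -SourceDC 'DC1'          # authorize DC1
```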


Critical: The source Windows Server "8" Beta domain controller cannot have been previously migrated from FRS to DFSR for SYSVOL. Due to a known incompatibility in Windows Server "8" Beta, doing so will not correctly populate SYSVOL. See the Troubleshooting VDC Cloning section below for more details on this issue.

For more information on FRS to DFSR SYSVOL migration, review SYSVOL Replication Migration Guide: FRS to DFS Replication: http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx

5. Remove Incompatible applications or services (if not using CustomDCCloneAllowList.xml)

Any programs or services previously returned by Get-ADDCCloningExcludedApplicationList - and not added to the CustomDCCloneAllowList.xml - must be removed prior to cloning. Uninstalling the application or service is the recommended method.

Critical: Any incompatible programs or services not uninstalled or added to the CustomDCCloneAllowList.xml prevent cloning.

6. Take the Source Domain Controller Offline

You cannot copy a running source DC; it must be shut down gracefully. Do not clone a domain controller stopped by graceless power loss.

Graphical Method

Use the shutdown button within the running DC, or the Hyper-V Manager shutdown button.


Figure 33

Figure 34

Windows PowerShell Method

You can shut down a virtual machine using either of the following cmdlets:

Stop-computer
Stop-vm

Stop-computer is a cmdlet that supports shutting down computers regardless of virtualization, and is analogous to the legacy Shutdown.exe utility. Stop-vm is a new cmdlet in the Windows Server "8" Beta Hyper-V Windows PowerShell module, and is equivalent to the power options in Hyper-V Manager. The latter is useful in lab environments where the domain controller often operates on a private virtualized network.


Figure 35

Figure 36


7. Copy Disks

An administrative choice is required in the copying phase:

1. Copying the disks manually, without Hyper-V

2. Exporting the VM, using Hyper-V

All of a virtual machine's disks must be copied, not just the system drive. If the source domain controller uses differencing disks and you plan to move your cloned domain controller to another Hyper-V host, you must export.

Copying disks manually is recommended if the source domain controller has only one drive. Export is recommended for VMs with more than one drive or other complex virtualized hardware customizations like multiple NICs.

If copying files manually, delete any snapshots prior to copying. If exporting the VM, delete snapshots prior to exporting or from the new VM after importing.

Critical: Snapshots are differencing disks that can return a domain controller to a previous state. If you were to clone a domain controller and then restore its pre-cloning snapshot, you would end up with duplicate domain controllers in the forest. There is no value in prior snapshots on a newly cloned domain controller. Once cloned, the source domain controller can create a new snapshot.


Manually Copying Disks

Hyper-V Manager Method

Use the Hyper-V Manager snap-in to determine which disks are associated with the source domain controller. Use the Inspect option to validate whether the domain controller uses differencing disks (which requires that you copy the parent disk also).

Figure 37


To delete snapshots, select a VM and delete the snapshot subtree.

Figure 38

You can then manually copy the VHD or VHDX files using Windows Explorer, Xcopy.exe, or Robocopy.exe. No special steps are required. It is a best practice to change the file names even if moving to another folder.


Windows PowerShell Method

To determine the disks using Windows PowerShell, use the Hyper-V module cmdlets:

Get-vmidecontroller
Get-vmscsicontroller
Get-vmfibrechannelhba
Get-vmharddiskdrive


For example, you can return all IDE hard drives from a VM named DC2 with the following sample:

Figure 39

If the disk path points to an AVHD or AVHDX file, it is a snapshot. To delete the snapshots associated with a disk and merge in the real VHD or VHDX, use cmdlets:

Get-VMSnapshot
Remove-VMSnapshot

For example, to delete all snapshots from a VM named DC2-SOURCECLONE:

To copy the files using Windows PowerShell, use the following cmdlet:

Copy-Item


Combine with VM cmdlets in pipelines to aid automation. The pipeline is a channel used between multiple cmdlets to pass data. For example, to copy the drive of an offline source domain controller named DC2-SOURCECLONE to a new disk called c:\temp\copy.vhd without the need to know the exact path to its system drive:

Important: You cannot use passthru disks with VDC cloning, as they do not use a virtual disk file but instead an actual hard disk.
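Steps 6 and 7 above (graceful shutdown, no snapshots, copy every disk, no passthru disks) gathered into one scripted check, as an added example that is not from the guide. It assumes the Hyper-V Windows PowerShell module on the host; the VM name, destination folder, file-name suffix and function name are assumed placeholders, and differencing disks are refused in favour of Export-VM rather than re-linked.

```powershell
# Added example, not from the guide. Assumes the Hyper-V Windows PowerShell module on the
# host; VM name, destination folder and suffix are placeholders. Function name is hypothetical.
function Copy-SourceDcDisks {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$Destination,
        [string]$Suffix = '-clone'
    )
    Import-Module Hyper-V

    # Step 6: a running VM cannot be copied; it must have been shut down gracefully.
    $vm = Get-VM -Name $VMName
    if ($vm.State -ne 'Off') {
        throw "$VMName is in state '$($vm.State)'; shut it down gracefully before copying."
    }

    # Step 7: snapshots (AVHD/AVHDX) must be deleted and merged before copying.
    $snapshots = @(Get-VMSnapshot -VMName $VMName)
    if ($snapshots.Count -gt 0) {
        throw "$VMName has $($snapshots.Count) snapshot(s); run Remove-VMSnapshot and wait for the merge."
    }

    # Every attached disk must be copied, not just the system drive.
    $drives = @(Get-VMHardDiskDrive -VMName $VMName)
    foreach ($drive in $drives) {
        $slot = "$($drive.ControllerType) $($drive.ControllerNumber):$($drive.ControllerLocation)"
        if (-not $drive.Path) {
            # Passthru disks expose a physical disk number instead of a file: not cloneable.
            throw "$slot is a passthru disk (physical disk $($drive.DiskNumber)); VDC cloning does not support it."
        }
        $vhd = Get-VHD -Path $drive.Path
        if ($vhd.VhdType -eq 'Differencing') {
            # Renaming a differencing chain breaks its parent links; the guide recommends Export-VM.
            throw "$slot ($($drive.Path)) is a differencing disk with parent $($vhd.ParentPath); use Export-VM instead."
        }
    }

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($drive in $drives) {
        # Copy under a new file name so the clone's disks are never confused with the source's.
        $name = [IO.Path]::GetFileNameWithoutExtension($drive.Path) + $Suffix + [IO.Path]::GetExtension($drive.Path)
        $target = Join-Path $Destination $name
        Copy-Item -LiteralPath $drive.Path -Destination $target
        [pscustomobject]@{
            Slot   = "$($drive.ControllerType) $($drive.ControllerNumber):$($drive.ControllerLocation)"
            Source = $drive.Path
            Copy   = $target
        }
    }
}

# Example call (placeholder names): copies the disks of DC2-SOURCECLONE for the new DC4 VM.
Copy-SourceDcDisks -VMName 'DC2-SOURCECLONE' -Destination 'C:\VM\DC4-CLONEDFROMDC2'
```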

More Information:

For more information about Windows PowerShell operations with pipelines, see Piping and the Pipeline in Windows PowerShell, http://technet.microsoft.com/en-us/library/ee176927.aspx

Exporting the VM

As an alternative to copying the disks, you can export the entire Hyper-V VM as a copy. Exporting automatically creates a folder named for the VM and containing all disks and configuration information.

Figure 40


Hyper-V Manager Method

To export a VM with Hyper-V Manager:

1. Right click the source domain controller and click Export

2. Select an existing folder as the export container

3. Wait for the Status column to stop showing Exporting

Windows PowerShell Method

To export a VM using the Hyper-V Windows PowerShell module, use the cmdlet:

Export-vm

For example, to export a VM named DC2-SOURCECLONE to a folder named C:\VM:

Figure 41

Adding XML to the Offline System Disk

If you did not copy the DcCloneConfig.xml to the running source DC, you must copy the updated DcCloneConfig.xml file to the offline copied/exported system disk now. Depending on the installed applications detected with Get-ADDCCloningExcludedApplicationList earlier, you may also need to copy the CustomDCCloneAllowList.xml file to the disk.

The following locations can contain the DcCloneConfig.xml file:

1. DSA Working Directory

2. %windir%\NTDS

3. Removable read/write media, in order of drive letter, at the root of the drive

These paths are not configurable. After cloning begins, the cloning checks these locations in that specific order and uses the first XML file found, regardless of the other folders' contents.

The following locations can contain the CustomDCCloneAllowList.xml file:

1. The folder named by the AllowListFolder (REG_SZ) value under HKey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters

2. DSA Working Directory

3. %windir%\NTDS

4. Removable read/write media, in order of drive letter, at the root of the drive
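The two search orders above, as an added example that is not part of the guide: it checks the documented locations in order for the requested file and reports the first hit, together with whether that file parses as XML. It assumes it runs elevated on the domain controller being checked, reads the DSA Working Directory and AllowListFolder values from the NTDS Parameters registry key, and the function name is hypothetical.

```powershell
# Added example, not from the guide. Run elevated on the domain controller being checked;
# reads the DSA Working Directory and AllowListFolder values from the NTDS Parameters key.
# Function name is hypothetical.
function Find-DcCloneXml {
    param(
        [ValidateSet('DcCloneConfig.xml', 'CustomDCCloneAllowList.xml')]
        [string]$FileName = 'DcCloneConfig.xml'
    )
    $ntdsKey = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
    $ntds = Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue
    $folders = New-Object System.Collections.Generic.List[string]

    # 1 (allow list only): the AllowListFolder REG_SZ value, if present.
    if ($FileName -eq 'CustomDCCloneAllowList.xml' -and $ntds.AllowListFolder) {
        $folders.Add($ntds.AllowListFolder)
    }
    # 2: DSA Working Directory; 3: %windir%\NTDS.
    if ($ntds.'DSA Working Directory') { $folders.Add($ntds.'DSA Working Directory') }
    $folders.Add((Join-Path $env:windir 'NTDS'))
    # 4: the root of each removable read/write drive, in drive-letter order.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Sort-Object DeviceID | ForEach-Object { $folders.Add("$($_.DeviceID)\") }

    foreach ($folder in $folders) {
        $candidate = Join-Path $folder $FileName
        if (-not (Test-Path -LiteralPath $candidate -PathType Leaf)) { continue }
        # The first file found wins, whatever the later folders contain. A file that does
        # not parse makes cloning fail and the clone boot into DSRM (event 29249).
        $parseError = $null
        try { [xml](Get-Content -LiteralPath $candidate -Raw) | Out-Null }
        catch { $parseError = $_.Exception.Message }
        return [pscustomobject]@{
            File          = $candidate
            WellFormedXml = ($null -eq $parseError)
            ParseError    = $parseError
            SearchOrder   = $folders.ToArray()
        }
    }
    # Nothing found: the VM would boot normally without cloning.
    return [pscustomobject]@{ File = $null; WellFormedXml = $false; ParseError = $null; SearchOrder = $folders.ToArray() }
}

Find-DcCloneXml -FileName 'DcCloneConfig.xml'
Find-DcCloneXml -FileName 'CustomDCCloneAllowList.xml'
```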


Windows Explorer Method

Windows Server "8" Beta now offers a graphical option for mounting VHD and VHDX files:

1. Click the newly copied VHD/VHDX file that contains the source DC's system drive or DSA Working Directory location folder, and then click Mount from the Disc Image Tools menu

2. In the now-mounted drive, copy the XML files to a valid location. You may be prompted for permissions to the folder

3. Click the mounted drive and click Eject from the Disk Tools menu

Figure 42


Figure 43

Figure 44


Windows PowerShell Method

Alternatively, you can mount the offline disk and copy the XML file using the Windows PowerShell cmdlets:

mount-vhd
get-disk
get-partition
get-volume
Add-PartitionAccessPath
Copy-Item

This allows you complete control over the process. For instance, the drive can be mounted with a specific drive letter, the file copied, and the drive dismounted.

mount-vhd <disk path> -passthru -nodriveletter | get-disk | get-partition | get-volume | get-partition | Add-PartitionAccessPath -accesspath <drive letter>

copy-item <xml file path> <destination path>\dccloneconfig.xml

dismount-vhd <disk path>

For example:

Figure 45
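The mount, copy and dismount sequence above with error handling, as an added example that is not from the guide. It assumes the Hyper-V and Storage modules of Windows Server "8" Beta on the host; the disk path, XML path and drive letter are placeholders, the target folder is %windir%\NTDS on the mounted disk, and the function name is hypothetical.

```powershell
# Added example, not from the guide. Assumes the Hyper-V and Storage modules on the host;
# disk path, XML path and drive letter are placeholders. Function name is hypothetical.
function Copy-XmlToOfflineDisk {
    param(
        [Parameter(Mandatory)][string]$DiskPath,
        [Parameter(Mandatory)][string]$XmlPath,
        [string]$DriveLetter = 'V',
        [string]$TargetName = 'DcCloneConfig.xml'
    )
    Import-Module Hyper-V

    # Reject a malformed file before it reaches the disk; otherwise the clone boots into
    # DSRM with event 29249 (configuration file failed to parse).
    try { [xml](Get-Content -LiteralPath $XmlPath -Raw) | Out-Null }
    catch { throw "$XmlPath is not well-formed XML: $($_.Exception.Message)" }

    $mounted = $false
    try {
        # Mount without a drive letter, then attach the chosen letter to the system partition.
        $disk = Mount-VHD -Path $DiskPath -NoDriveLetter -Passthru | Get-Disk
        $mounted = $true
        $partition = Get-Partition -DiskNumber $disk.Number |
            Where-Object { $_.Type -in 'Basic', 'IFS' } |
            Sort-Object Size -Descending | Select-Object -First 1   # largest data partition
        if (-not $partition) { throw "No data partition found on $DiskPath." }
        $partition | Add-PartitionAccessPath -AccessPath "${DriveLetter}:"

        # %windir%\NTDS is one of the fixed locations that cloning checks.
        $ntds = "${DriveLetter}:\Windows\NTDS"
        if (-not (Test-Path -LiteralPath $ntds)) { throw "$ntds not found; is $DiskPath the system disk?" }
        $target = Join-Path $ntds $TargetName
        Copy-Item -LiteralPath $XmlPath -Destination $target -Force
        Get-Item -LiteralPath $target
    }
    finally {
        # Always dismount, even when a step above failed, so the disk is not left attached.
        if ($mounted) { Dismount-VHD -Path $DiskPath }
    }
}

# Example call (placeholder paths).
Copy-XmlToOfflineDisk -DiskPath 'C:\VM\DC4-CLONEDFROMDC2\dc4-systemdrive-clonedfromdc2.vhd' -XmlPath 'C:\temp\DcCloneConfig.xml'
```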


8. Create the New Virtual Machine

The final configuration step before starting the cloning process is creating a new VM that uses the disks from the copied source domain controller. Depending on the selection made in the copying disks phase, you have two options:

1. Associate a new VM with the copied disk

2. Import the exported VM

Associating a New VM with Copied Disks

If you copied the system disk manually, you must create a new virtual machine using the copied disk. The hypervisor automatically sets the VM-Generation ID for copied disks; no configuration changes are required in the VM or Hyper-V host.

Hyper-V Manager Method

Figure 46


1. Create a new virtual machine

2. Specify the VM name, memory, and network

3. On the Connect Virtual Hard Disk page, specify the copied system disk.

4. Complete the wizard to create the VM.

If there were multiple disks, NICs, or other customizations, configure them before starting the domain controller. The "Export-Import" method of copying disks is recommended for complex VMs.

Windows PowerShell Method

You can use the Hyper-V Windows PowerShell module to automate VM creation in Windows Server "8" Beta, using the following cmdlet:

New-VM

For example, here the DC4-CLONEDFROMDC2 VM is created, using 1GB of RAM, booting from the c:\vm\dc4-systemdrive-clonedfromdc2.vhd file, and using the 10.0 virtual network:

Figure 47

Import VM

If you previously exported your VM, you now need to import it back in as a copy. This uses the exported XML to recreate the computer using all the previous settings, drives, networks, and memory settings.

Important: Use the Copy option, because export preserves all information from the source; importing the server with Move or In Place causes an information collision if done on the same Hyper-V host server.


Hyper-V Manager Method

To import using the Hyper-V Manager snap-in:

1. Click Import Virtual Machine

2. On the Locate Folder page, select the exported VM definition file using the Browse button

3. On the Select Virtual Machine page, click the source computer.

4. On the Choose Import Type page, click Copy the virtual machine (create a new unique ID), then click Finish

5. Rename the imported VM if importing on the same Hyper-V host; it will have the same name as the exported source domain controller.

Figure 48


Figure 49

Figure 50


Remember to remove any imported snapshots, using the Hyper-V Management snap-in:

Figure 51

Critical: Deleting any imported snapshots is critically important; if applied, they would return the cloned domain controller to the state of a previous - and possibly live - DC, leading to replication failure, duplicate IP information, and other disruptions.


Windows PowerShell Method

You can use the Hyper-V Windows PowerShell module to automate VM import in Windows Server "8" Beta, using the following cmdlets:

Import-VM
Rename-VM

For example, here the exported VM DC2-CLONED is imported using its automatically determined XML file, then renamed immediately to its new VM name DC5-CLONEDFROMDC2:

Figure 52

Remember to remove any imported snapshots, using the following cmdlets:

Get-VMSnapshot
Remove-VMSnapshot

For example:

Figure 53

Critical: Deleting any imported snapshots is critical; if applied, they would return the cloned domain controller to the state of a previous - and possibly live - DC, leading to replication failure, duplicate IP information, and other disruptions.


9. Clone the New Virtual Machine

Optionally, before you begin cloning, turn the offline clone source domain controller back on. Ensure that the PDC emulator is online, regardless.

To begin cloning, simply start the new virtual machine. The process initiates automatically and the domain controller reboots automatically after cloning is complete.

Important: Keeping domain controllers turned off for an extended period of time is not recommended, and if the clone is joining the same site as its source DC, the initial intra-site and inter-site replication topology may take longer to build while the source domain controller is offline.

Figure 54

If using Windows PowerShell to start a VM, the new Hyper-V Module cmdlet is:

Start-VM


For example:

Figure 55

Once the computer restarts after cloning completes, it is a domain controller and you can log on normally to confirm normal operation. If there are any errors, the server boots up in DS Restore Mode for investigation. See the Troubleshooting section below if that occurs.


Virtualized Domain Controller Safe Restore

Unlike virtualized domain controller cloning, Windows Server "8" Beta VDC safe restore has no configuration steps. The feature works without intervention as long as you meet some simple conditions:

The hypervisor supports VM-Generation ID

There is a valid partner domain controller that a restored domain controller can replicate changes from non-authoritatively.

Validate the Hypervisor

Ensure the source domain controller is running on a supported hypervisor by reviewing vendor documentation. VDC is hypervisor agnostic and does not require Hyper-V.

Review the previous Platform Requirements section in this guide for known VM-generation ID support.

Validate the Replication Topology

VDC safe restore initiates non-authoritative inbound replication for the delta of AD replication as well as non-authoritative resynchronization of all SYSVOL contents. This ensures the domain controller returns from a snapshot with full functionality and all object knowledge.

With this new capability come several requirements and limitations:

A restored domain controller must be able to contact a writable DC

All domain controllers in a domain must not be restored simultaneously

Any changes originating from a restored domain controller that have not yet replicated outbound since the snapshot was taken are lost forever

While the troubleshooting section covers these scenarios, details below ensure you do not create a dangerous topology.

Writable Domain Controller Contact

If restored, a domain controller must have connectivity to a writable domain controller; a read-only domain controller cannot send the delta of updates. The topology is likely correct for this already, as a writable domain controller always needed a writable partner. However, if all writable domain controllers are restoring simultaneously, none of them can find a valid source. The same goes if the writable domain controllers are offline for maintenance or otherwise unreachable through the network.


Simultaneous Restore

Do not restore all domain controllers in a single domain simultaneously. If all snapshots restore at once, AD replication works normally but SYSVOL replication halts. The restore architecture of FRS and DFSR requires setting their replica instance to non-authoritative sync mode. If all domain controllers restore at once, and each domain controller marks itself non-authoritative for SYSVOL, they all will then try to synchronize group policies and scripts from an authoritative partner; at that point, though, all partners are also non-authoritative.

Important: If all domain controllers are restored at once, use the following articles to set one domain controller - typically the PDC emulator - as authoritative, so that the other domain controllers can return to normal operation:

Using the BurFlags registry key to reinitialize File Replication Service replica sets - http://support.microsoft.com/kb/290762

How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS) - http://support.microsoft.com/kb/2218556

Warning: Do not run all domain controllers in a forest or domain on the same hypervisor host. That introduces a single point of failure that cripples AD DS, Exchange, SQL, and other enterprise operations each time the hypervisor goes offline. This is no different from using only one domain controller for an entire domain or forest. Multiple domain controllers on multiple platforms are simple prudence in a modern IT environment, just like fire and flood insurance.

Post-Snapshot Replication

Do not restore snapshots until all locally originating changes made since snapshot creation have replicated outbound. Any original changes are lost forever if other domain controllers did not already receive them through replication.

Use Repadmin.exe to show any un-replicated outbound changes between a domain controller and its partners:

1. Return the DC's partner names and DSA Object GUIDs with:

Repadmin.exe /showrepl <DC Name of the partner> /repsto

2. Return the pending inbound replication of the partner domain controller to the domain controller to be restored:

Repadmin.exe /showchanges <Name of partner DC> <DSA Object GUID of the domain controller being restored> <naming context to compare>

Alternatively, just to see the count of un-replicated changes:


Repadmin.exe /showchanges <Name of partner DC> <DSA Object GUID of the domain controller being restored> <naming context to compare> /statistics

For example (with output modified for readability), here you look at the replication partnerships of DC4:

C:\>repadmin.exe /showrepl dc4.corp.contoso.com /repsto

Default-First-Site-Name\DC4
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 5d083398-4bd3-48a4-a80d-fb2ebafb984f
DSA invocationID: 730fafec-b6d4-4911-88f2-5b64e48fc2f1

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

DC=corp,DC=contoso,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: f62978a8-fcf7-40b5-ac00-40aa9c4f5ad3
        Last attempt @ 2011-11-11 15:04:12 was successful.
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 3019137e-d223-4b62-baaa-e241a0c46a11
        Last attempt @ 2011-11-11 15:04:15 was successful.

Now you know that it is replicating with DC2 and DC3. You then show the list of changes that DC2 states it still does not have from DC4, and see that there is one new group:

C:\>repadmin /showchanges dc2.corp.contoso.com 5d083398-4bd3-48a4-a80d-fb2ebafb984f dc=corp,dc=contoso,dc=com

==== SOURCE DSA: (null) ====
Objects returned: 1
(0) add CN=newgroup4,CN=Users,DC=corp,DC=contoso,DC=com
    1> parentGUID: 55fc995a-04f4-4774-b076-d6a48ac1af99
    1> objectGUID: 96b848a2-df1d-433c-a645-956cfbf44086
    2> objectClass: top; group
    1> instanceType: 0x4 = ( WRITE )
    1> whenCreated: 11/11/2011 3:03:57 PM Eastern Standard Time

You would also test the other partner to ensure that it had not already replicated.

Alternatively, if you did not care which objects had not replicated and only cared that any objects were outstanding, you can use the /statistics option:

C:\>repadmin /showchanges dc2.corp.contoso.com 5d083398-4bd3-48a4-a80d-fb2ebafb984f dc=corp,dc=contoso,dc=com /statistics

********************************************************
Grand total
*************************
Packets: 1
Objects: 1
Object Additions: 1
Object Modifications: 0
Object Deletions: 0
Object Moves: 0
Attributes: 12
Values: 13

Important: Test all writable partners if you see any failures or outstanding replication. As long as at least one is converged, it is generally safe to restore the snapshot, as transitive replication eventually reconciles the other servers. Be sure to note any errors in replication shown by /showchanges as well, and do not proceed until they are fixed.
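The two Repadmin.exe checks above, scripted, as an added example that is not from the guide. It parses the /repsto and /showchanges /statistics output formats shown; the sample text is constructed from the guide's own output, the function names are hypothetical, and Get-UnreplicatedOutboundChanges shells out to repadmin.exe on a live domain controller.

```powershell
# Added example, not from the guide. Parses the two repadmin.exe output formats shown in
# the walkthrough; sample text below is constructed from that output. Function names are hypothetical.
function ConvertFrom-RepsToOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Each outbound neighbour is a "<Site>\<DC> via RPC" line followed by its DSA GUID and
    # "Last attempt" lines; the header's own DSA GUID appears before any neighbour.
    $partners = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^\\\s]+)\\(\S+) via RPC') {
            $current = [pscustomobject]@{ Site = $Matches[1]; Name = $Matches[2]; DsaGuid = $null; LastAttemptOk = $null }
            $partners.Add($current)
        }
        elseif ($current -and $line -match 'DSA object GUID:\s*([0-9a-fA-F-]{36})') { $current.DsaGuid = $Matches[1] }
        elseif ($current -and $line -match 'Last attempt @ .* (was successful|failed)') {
            $current.LastAttemptOk = ($Matches[1] -eq 'was successful')
        }
    }
    return $partners.ToArray()
}

function ConvertFrom-ShowChangesStatistics {
    param([Parameter(Mandatory)][string[]]$Lines)
    # The "Grand total" block is a list of "<Counter>: <n>" lines.
    $stats = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Packets|Objects|Object Additions|Object Modifications|Object Deletions|Object Moves|Attributes|Values):\s*(\d+)') {
            $stats[$Matches[1]] = [int]$Matches[2]
        }
    }
    return [pscustomobject]$stats
}

# Live check: for every outbound partner of $DomainController, count what that partner
# still lacks from it. Restore the snapshot only when every partner shows zero objects.
function Get-UnreplicatedOutboundChanges {
    param([Parameter(Mandatory)][string]$DomainController, [Parameter(Mandatory)][string]$NamingContext)
    $repsTo = @(repadmin.exe /showrepl $DomainController /repsto)
    # The first "DSA object GUID" in the output belongs to the DC being examined.
    $selfGuid = ($repsTo | Select-String 'DSA object GUID:\s*([0-9a-fA-F-]{36})' | Select-Object -First 1).Matches[0].Groups[1].Value
    foreach ($partner in ConvertFrom-RepsToOutput -Lines $repsTo) {
        $stats = ConvertFrom-ShowChangesStatistics -Lines @(repadmin.exe /showchanges $partner.Name $selfGuid $NamingContext /statistics)
        [pscustomobject]@{
            Partner        = $partner.Name
            LastAttemptOk  = $partner.LastAttemptOk
            PendingObjects = $stats.Objects
            SafeToRestore  = ($partner.LastAttemptOk -and $stats.Objects -eq 0)
        }
    }
}

# Constructed sample, laid out as repadmin prints it (same data as the walkthrough above).
$sampleRepsTo = @'
Default-First-Site-Name\DC4
DSA object GUID: 5d083398-4bd3-48a4-a80d-fb2ebafb984f
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
DC=corp,DC=contoso,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: f62978a8-fcf7-40b5-ac00-40aa9c4f5ad3
        Last attempt @ 2011-11-11 15:04:12 was successful.
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 3019137e-d223-4b62-baaa-e241a0c46a11
        Last attempt @ 2011-11-11 15:04:15 was successful.
'@ -split "`r?`n"

$sampleStats = @'
Grand total
Packets: 1
Objects: 1
Object Additions: 1
Object Modifications: 0
Object Deletions: 0
Object Moves: 0
Attributes: 12
Values: 13
'@ -split "`r?`n"

$partners = ConvertFrom-RepsToOutput -Lines $sampleRepsTo          # DC3 and DC2, both successful
$stats = ConvertFrom-ShowChangesStatistics -Lines $sampleStats     # Objects = 1: not yet safe to restore
"Partners: $($partners.Name -join ', '); objects DC2 still lacks from DC4: $($stats.Objects)"
```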

Windows PowerShell Snapshot Cmdlets

The following Windows PowerShell Hyper-V module cmdlets provide snapshot capabilities in Windows Server "8" Beta:

Checkpoint-VM
Export-VMSnapshot
Get-VMSnapshot
Remove-VMSnapshot
Rename-VMSnapshot
Restore-VMSnapshot

Further Recommendations

VDC safe restore requires administrative responsibility; you can still configure virtualized domain controllers in ways that prevent use of safe restore. Review the following best practices to ensure reliable operation.

Do not use snapshots in lieu of frequent system state backups and the AD Recycle Bin. A snapshot does not preserve changes originating from the DC; it merely prevents replication quarantine. Objects created, modified, or deleted since the snapshot are lost forever if they were not successfully replicated outbound before the restore. Safe restore is a safeguard for administrators when used in production, so that restoring a snapshot does not instantly quarantine domain controllers or introduce lingering objects. This is a very real risk in previous virtualization environments, where the hypervisor admins may not have deep knowledge of domain administration or multi-master replication technologies. Limit intentional use of snapshots on domain controllers to test environments whenever possible.

Do not restore snapshots of a VM from before it was a domain controller. Once promoted to a DC, you must delete all previous snapshots immediately. If a snapshot restores to when a domain controller was a member server and there are no later domain controller snapshots, you must either re-promote the domain controller and re-attach to its existing computer account or perform metadata cleanup of the domain controller and then re-promote it.

Domain controllers should not point to themselves for primary DNS. While Microsoft has been stating this in best practice analyzer tools and online documentation for years, many customers still believe otherwise. If a domain controller points to itself for DNS and restores to a point in time where it did not have knowledge of other domain controllers or where the current domain controllers did not exist, it cannot source from them. Because the domain controller points to a responsive DNS service, it will not try other servers. This is especially likely when restoring the oldest domain controller in a forest root domain, which may have no knowledge of any domain controller but itself in a very old snapshot.

Do not host all virtual domain controllers on a single hypervisor; this introduces a single point of failure in the AD DS environment, even when clustered.


Troubleshooting Introduction

The most important way to improve your troubleshooting skills is to build a test lab and rigorously examine normal, working scenarios. If you then encounter errors, they are more obvious and more easily understood, because you have a solid foundation in how domain controller promotion works. This also lets you build your analysis and network analysis skills. This applies to all distributed systems technologies, not just VDC deployment. The lab does not even have to be in the office: Microsoft provides reasonably priced TechNet subscriptions that allow anyone to run any software without time limits. With free virtualization the norm, it is easy to configure any test environment you need.

More Information:

For more information about TechNet subscriptions, see:

The critical elements to advanced troubleshooting of domain controller configuration are:

1. Linear analysis combined with focus and attention to detail

2. Understanding network capture analysis

3. Understanding the built-in logs

To solve the most complex domain controller promotion issues, you must master all three. The first and second are beyond the scope of this guide, but the third can be explained in some detail. Virtualized domain controller troubleshooting requires a logical and linear method. The key is to approach the issue using the data provided and only resort to complex tools and analysis when you have exhausted the provided output and logging.

Troubleshooting VDC Cloning

The troubleshooting strategy for VDC cloning follows this general format:


Figure 56


Tools for Troubleshooting

Logging Options

The built-in logs are the most important tool for troubleshooting issues with domain controller cloning. All of these logs are enabled and configured for maximum verbosity, by default.

Operation: Cloning
Logs:
    Event viewer\Windows logs\System
    Event viewer\Applications and services logs\Directory Service
    %systemroot%\debug\dcpromo.log

Operation: Promotion
Logs:
    %systemroot%\debug\dcpromo.log
    Event viewer\Applications and services logs\Directory Service
    Event viewer\Windows logs\System
    Event viewer\Applications and services logs\File Replication Service
    Event viewer\Applications and services logs\DFS Replication

Tools and Commands for Troubleshooting Domain Controller Configuration

To troubleshoot issues not explained by the logs, use the following tools as a starting point:

Dcdiag.exe

Repadmin.exe

Network Monitor 3.4 (or a third party network capture and analysis tool)

More Information:

For more information and downloads, see Netmon, http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=4865


General Methodology for Troubleshooting Domain Controller Cloning

1. Is the VM booting into DS Repair Mode?

a. Examine the System and Directory Services event logs and the dccloneconfig.xml and CustomDCCloneAllowList.xml

i. Does an incompatible application need to be in the CustomDCCloneAllowList.xml allow list? Does the CustomDCCloneAllowList.xml contain valid entries?

ii. Is the IP address or computer name either duplicated or invalid in the dccloneconfig.xml?

iii. Is the AD site invalid in the dccloneconfig.xml?

iv. Is the IP address not set in the dccloneconfig.xml while there is no DHCP server available?

v. Is the PDC emulator online and available through the RPC protocol?

vi. Is the domain controller a member of the Cloneable Domain Controllers group? Is the permission Allow a DC to create a clone of itself set on the domain root for that group?

vii. Does the Dccloneconfig.xml file contain syntax errors that prevent correct parsing?

viii. Is the hypervisor supported?

ix. Did domain controller promotion fail after cloning began successfully?

x. Was the maximum number of auto-generated domain controller names (9999) exceeded?

b. Examine the Dcpromo.log.

i. Did initial cloning steps succeed but domain controller promotion fail?

ii. Do errors indicate issues with the local domain controller or with the AD DS environment, such as errors returned from the PDCE?

2. Is the VM booting into normal mode without cloning?

a. Is there a Dccloneconfig.xml file in one of the allowed locations?

3. Is the VM booting into normal mode and cloning completing, but the domain controller is not functioning correctly?

a. Does the domain controller have a duplicate IP address of the source domain controller from the dccloneconfig.xml, but the source domain controller was offline during cloning?


b. If the domain controller is advertising, treat the issue as any normal post-promotion issue you would have without cloning.

c. If the domain controller is not advertising, examine the Directory Services, System, Application, File Replication and DFS Replication event logs for post-promotion errors.

Disabling DSRM Boot

Once booted into DSRM due to any error, a clone does not return to normal mode on its own on the next reboot; you must remove the DS Restore Mode boot flag in order to try cloning again. All of these steps require running as an elevated administrator.

Removing DSRM with Msconfig.exe

To turn DSRM boot off graphically, use the System Configuration tool:

1. Run msconfig.exe

2. On the Boot tab, under Boot Options, de-select Safe boot (it is already selected with the option Active Directory repair enabled)

3. Click OK and restart when prompted

Removing DSRM with Bcdedit.exe

To turn DSRM boot off from the command-line, use the Boot Configuration Data Store Editor:

1. Open a CMD prompt and run:

Bcdedit.exe /deletevalue safeboot

2. Restart the computer with:

Shutdown.exe /t 0 /r

Note: The same steps can be run from Windows PowerShell. The commands there are:

Bcdedit.exe /deletevalue safeboot
Restart-computer

Important: Contact Microsoft Beta Product Support when you have exhausted these avenues.


Troubleshooting Specific Problems

Events

All VDC cloning events write to the System and Directory Services event log of the clone domain controller VM. The Application, File Replication Service, and DFS Replication event logs may also contain useful troubleshooting information for failed cloning.

Below are the Windows Server "8" Beta cloning-specific events in the System and Directory Services event logs, with notes and suggested resolutions for errors.

System event log

Event ID 29218

Source Microsoft-Windows-DirectoryServices-DSROLE-Server

Severity Error

Message Virtual domain controller cloning failed. The cloning operation could not be completed and a reboot of the cloned machine into DSRM was requested. Please check previous events logged in System event logs and %systemroot%\debug\dcpromo.log for more information on errors that correspond to the virtual domain controller cloning attempt.
Please fix the error and reboot into normal mode. Upon reboot, the cloning operation will be re-initiated.
Details on virtual domain controller clone errors can be found at http://go.microsoft.com/fwlink/?LinkId=208030

Notes and resolution

Review the System and Directory Services event logs and the dcpromo.log for further details on why cloning failed.

Event ID 29248

Source Microsoft-Windows-DirectoryServices-DSROLE-Server

Severity Error

Message Virtual domain controller cloning failed to obtain Winlogon Notification.
The returned error code is %1 (%2).
For more information on this error, please review %systemroot%\debug\dcpromo.log for errors that correspond to the virtual domain controller cloning attempt.
Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030

Notes and resolution

Contact Microsoft Beta Product Support.

Event ID 29249

Source Microsoft-Windows-DirectoryServices-DSROLE-Server

Severity Error

Message Virtual domain controller cloning failed to parse virtual domain controller configuration file.
The returned HRESULT code is %1.
The configuration file is: %2
Please fix the errors in the configuration file and retry the cloning operation. For more information about this error, please see %systemroot%\debug\dcpromo.log.
Details on virtual domain controller clone configuration file can be found at http://go.microsoft.com/fwlink/?LinkId=208030

Notes and resolution

Examine the dccloneconfig.xml file for syntax errors using an XML editor and the DCCloneConfigSchema.xsd schema file.

Event ID 29250

Source Microsoft-Windows-DirectoryServices-DSROLE-Server

Severity Error

Message Virtual domain controller cloning failed. There are software, services, or tasks currently enabled on the cloned machine that are not present in the allowed application list for virtual domain controller cloning. The cloning operation cannot be completed if there are non-cloneable applications installed.
Please run Active Directory Powershell Cmdlet Get-ADDCCloningExcludedApplicationList to check which applications are installed on the cloned machine, but not included in the allow list, and add them to the allow list if they are compatible with virtual domain controller cloning. If any of these applications are not compatible with virtual domain controller cloning, please uninstall them before re-trying the cloning operation.
The virtual domain controller cloning process searches for the allowed application list file, CustomDCCloneAllowList.xml, based on the following search order; the first file found is used and all others are ignored:

1. The registry value name: HKey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters\AllowListFolder

2. The same directory where the DSA Working Directory folder resides

3. %windir%\NTDS

4. Removable read/write media in order of drive letter at the root of the drive

Details on virtual domain controller clone allow list can be found at http://go.microsoft.com/fwlink/?LinkId=208030

Notes and resolution

Follow the message instructions.

Event ID 29251

Source Microsoft-Windows-DirectoryServices-DSROLE-Server

Severity Error

Message Virtual domain controller cloning failed to reset the IP addresses of the clone machine.
The returned error code is %1 (%2).
This error might be caused by misconfiguration in network configuration sections in the virtual domain controller configuration file. Please see %systemroot%\debug\dcpromo.log for more information about errors that correspond to IP addresses resetting during virtual domain controller cloning attempts.
Details on resetting machine IP addresses on the cloned machine can be found at http://go.microsoft.com/fwlink/?LinkId=208030

Notes and resolution

Verify that the IP information set in the dccloneconfig.xml is valid and does not duplicate that of the original source machine.

Event ID 29253

Source Microsoft-Windows-DirectoryServices-DSROLE-Server

Severity Error

Message Virtual domain controller cloning failed. The clone domain controller was unable to locate the primary domain controller (PDC) operations master in the cloned computer's home domain of the cloned machine.
The returned error code is %1 (%2).
Please verify that the primary domain controller in the home domain of the cloned machine is assigned to a live domain controller, is online, and is operational. Verify that the cloned machine has LDAP/RPC connectivity to the primary domain controller over the required ports and protocols.
Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030

Notes and resolution

Validate that the cloned domain controller's IP and DNS information is set. Use Dcdiag.exe /test:locatorcheck to validate that the PDCE is online, use Nltest.exe /server:<PDCE> /dclist:<domain> to validate RPC, and obtain a network capture from the PDCE while cloning fails and analyze the traffic.

Event ID 29254

Source Microsoft-Windows-DirectoryServices-DSROLE-Server

Severity Error

Message Virtual domain controller cloning failed to bind to the primary domain controller %1.
The returned error code is %2 (%3).
Please verify that the primary domain controller %1 is online and is operational. Verify that the cloned machine has LDAP/RPC connectivity to the primary domain controller over the required ports and protocols.
Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030

Notes and resolution

Validate that the cloned domain controller's IP and DNS information is set. Use Dcdiag.exe /test:locatorcheck to validate that the PDCE is online, use Nltest.exe /server:<PDCE> /dclist:<domain> to validate RPC, and obtain a network capture from the PDCE while cloning fails and analyze the traffic.

Event ID 29255

Source Microsoft-Windows-DirectoryServices-DSROLE-Server

Severity Error

Message Virtual domain controller cloning failed. An attempt to create objects on the primary domain controller %1 required for the image being cloned returned error %2 (%3).
Please check for related events in the Directory Service event log on primary domain controller %1.
Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030

Notes and resolution

Look up the specific error in MS TechNet, MS Knowledgebase, and MS blogs to determine its typical meaning, and then troubleshoot based on those results.

Event ID 29256

Source Microsoft-Windows-DirectoryServices-DSROLE-Server

Severity Error

Message An attempt to set the Boot into Directory Services Restore Mode flag failed with error code %1.
Please see %systemroot%\debug\dcpromo.log for more information about errors.

Notes and resolution

Examine the Directory Services log and dcpromo.log for details. Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege usage.

Event ID 29257

Source Microsoft-Windows-DirectoryServices-DSROLE-Server

Severity Error

Message Virtual domain controller cloning has done. An attempt to reboot the machine failed with error code %1.
Please reboot the machine to finish the cloning operation.

Notes and resolution

Examine the Directory Services log for details. Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege usage.

Event ID 29264

Source Microsoft-Windows-DirectoryServices-DSROLE-Server

Severity Error

Message An attempt to clear the Boot into Directory Services Restore Mode flag failed with error code %1.
Please see %systemroot%\debug\dcpromo.log for more information about errors.

Notes and resolution

Examine the Directory Services log and dcpromo.log for details. Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege usage.

Event ID 29265

Source Microsoft-Windows-DirectoryServices-DSROLE-Server

Severity Informational

Message Virtual domain controller cloning succeeded. The virtual domain controller cloning configuration file %1 has been renamed to %2.

Notes and resolution

N/A, this is a success event.

Event ID 29266

Source Microsoft-Windows-DirectoryServices-DSROLE-Server

Severity Error

Message Virtual domain controller cloning succeeded. The attempt to rename virtual domain controller cloning configuration file %1 failed with error code %2 (%3).

Notes and resolution

Manually rename the dccloneconfig.xml file.

Directory Services Event Log

Event ID 2160

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message The local <COMPUTERNAME> has found a virtual domain controller cloning configuration file.
The virtual domain controller cloning configuration file is found at: %1
The existence of the virtual domain controller cloning configuration file indicates that the local virtual domain controller is a clone of another virtual domain controller. The <COMPUTERNAME> will start to clone itself.

Notes and resolution

This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.

Event ID 2161

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message The local <COMPUTERNAME> did not find the virtual domain controller cloning configuration file. The local machine is not a cloned DC.

Notes and resolution

This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.

Event ID 2162

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message Virtual domain controller cloning failed.
Please check events logged in System event logs and %systemroot%\debug\dcpromo.log for more information on errors that correspond to the virtual domain controller cloning attempt.
Error code: %1

Notes and resolution

Follow the message instructions; this error is a catch-all.

Event ID 2163

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message DsRoleSvc service was started to clone the local virtual domain controller.

Notes and resolution

This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.

Event ID 2164

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> failed to start the DsRoleSvc service to clone the local virtual domain controller. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information.

Notes and resolution

Examine the service settings for the DS Role Server service (DsRoleSvc) and ensure its start type is set to Manual. Validate that no third-party program is preventing the start of this service.

Event ID 2165

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> failed to start a thread during the cloning of the local virtual domain controller. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Error code: %1
Error message: %2
Thread name: %3

Notes and resolution

Contact Microsoft Beta Product Support.

Event ID 2166

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> needs RPCSS service to initiate rebooting into DSRM. Waiting for RPCSS to initialize into a running state failed.
Error code: %1

Notes and resolution

Examine the System event log and the service settings for the RPC Server service (Rpcss).

Event ID 2167

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> could not initialize virtual domain controller knowledge. See previous event log entry for details.
Additional Data
Failure code: %1

Notes and resolution

Follow the message instructions; this error is a catch-all.

Event ID 2168

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message The DC is running on a supported hypervisor. VM Generation ID is detected.
Current value of VM Generation ID: %1

Notes and resolution

This is a success event and only an issue if unexpected.

Event ID 2169

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message There is no VM Generation ID detected. The DC is hosted on a physical machine, a down-level version of Hyper-V, or a hypervisor that does not support the VM Generation ID.
Additional Data
Failure code returned when checking VM Generation ID: %1

Notes and resolution

This is a success event if not intending to clone. Otherwise, examine the System event log and review hypervisor product VDC support documentation.

Event ID 2170

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Warning

Message A Generation ID change has been detected.
Generation ID cached in DS (old value): %1
Generation ID currently in VM (new value): %2
The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. <COMPUTERNAME> will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

Notes and resolution

This is a success event if intending to clone. Otherwise, examine the System event log.

Event ID 2171

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message No Generation ID change has been detected.
Generation ID cached in DS (old value): %1
Generation ID currently in VM (new value): %2

Notes and resolution

This is a success event if not intending to clone, and should be seen at every reboot of a virtualized DC. Otherwise, examine the System event log.

Event ID 2172

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message Read the msDS-GenerationId attribute of the Domain Controller's computer object.
msDS-GenerationId attribute value: %1

Notes and resolution

This is a success event if intending to clone. Otherwise, examine the System event log.

Event ID 2173

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message Failed to read the msDS-GenerationId attribute of the Domain Controller's computer object. This may be caused by database transaction failure, or the generation id does not exist in the local database. The msDS-GenerationId does not exist during the first reboot after dcpromo or the DC is not a virtual domain controller.
Additional Data
Failure code: %1

Notes and resolution

This is a success event if intending to clone and it is the first VM reboot after cloning has completed. It can also be ignored on non-virtual Domain controllers. Otherwise, examine the System event log.

Event ID 2174

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message The DC is neither a virtual domain controller clone nor a restored virtual domain controller snapshot.

Notes and resolution

This is a success event if not intending to clone. Otherwise, examine the System event log.

Event ID 2175

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message Virtual domain controller clone configuration file exists on an unsupported platform.

Notes and resolution

This is a success event if not intending to clone. Otherwise, examine the System event log.

Event ID 2176

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message Renamed virtual domain controller clone configuration file.
Additional Data
Old file name: %1
New file name: %2

Notes and resolution

A rename is expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone.

Event ID 2177

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message Renaming virtual domain controller clone configuration file failed.
Additional Data
File name: %1
Failure code: %2 %3

Notes and resolution

A rename attempt is expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone. Manually rename the file and investigate installed third-party products that may be preventing the file rename.

Event ID 2178

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message Detected virtual domain controller clone configuration file, but VM Generation ID has not been changed. The local DC is the clone source DC. Rename the clone configuration file.

Notes and resolution

Expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone.

Event ID 2179

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message The msDS-GenerationId attribute of the Domain Controller's computer object has been set to the following parameter:
GenerationID attribute: %1

Notes and resolution

This is a success event and only an issue if unexpected.

Event ID 2180

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Warning

Message Failed to set the msDS-GenerationId attribute of the Domain Controller's computer object.
Additional Data
Failure code: %1

Notes and resolution

Examine the System event log and Dcpromo.log. Look up the specific error in MS TechNet, MS Knowledgebase, and MS blogs to determine its usual meaning, and then troubleshoot based on those results.

Event ID 2182

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message Internal event: The Directory Service has been asked to clone a remote DSA:

Notes and resolution

This is a success event and only an issue if unexpected.

Event ID 2183

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message Internal event: <COMPUTERNAME> completed the request to clone the remote Directory System Agent.
Original DC name: %3
Request clone DC name: %4
Request clone DC site: %5
Additional Data
Error value: %1 %2

Notes and resolution

This is a success event and only an issue if unexpected.

Event ID 2184

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> failed to create a domain controller account for the cloned DC.
Original DC name: %1
Allowed number of cloned DC: %2
The limit on the number of domain controller accounts that can be generated by cloning <COMPUTERNAME> was exceeded. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information.

Notes and resolution

Based on the automatic naming convention, a single source domain controller name can be used to generate at most 9999 clone names if none of the domain controllers are demoted. Use the <computername> element in the XML to specify a new unique name, or clone from a differently named DC.

Event ID 2191

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message <COMPUTERNAME> set the following registry value to disable DNS updates.
Registry Key: %1
Registry Value: %2
Registry Value data: %3
During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

Notes and resolution

This is a success event and only an issue if unexpected.

Event ID 2192

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> failed to set the following registry value to disable DNS updates.
Registry Key: %1
Registry Value: %2
Registry Value data: %3
Error code: %4
Error message: %5
During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.

Notes and resolution

Examine the Application and System event logs. Investigate third-party applications that may be blocking registry updates.

Event ID 2193

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message <COMPUTERNAME> set the following registry value to enable DNS updates.
Registry Key: %1
Registry Value: %2
Registry Value data: %3
During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.

Notes and resolution

This is a success event and only an issue if unexpected.

Event ID 2194

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> failed to set the following registry value to enable DNS updates.
Registry Key: %1
Registry Value: %2
Registry Value data: %3
Error code: %4
Error message: %5
During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.

Notes and resolution

Examine the Application and System event logs. Investigate third-party applications that may be blocking registry updates.

Event ID 2195

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message Failed to set DSRM boot.
Error code: %1
Error message: %2
When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Setting DSRM boot failed.

Notes and resolution

Examine the Application and System event logs. Investigate third-party applications that may be blocking registry updates.

Event ID 2196

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message Failed to enable shutdown privilege.
Error code: %1
Error message: %2
When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Enabling shutdown privilege failed.

Notes and resolution

Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege usage.

Event ID 2197

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message Failed to initiate system shutdown.
Error code: %1
Error message: %2
When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Initiating system shutdown failed.

Notes and resolution

Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege usage.

Event ID 2198

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> failed to create or modify the following cloned DC object.
Additional data:
Object: %1
Error value: %2 %3

Notes and resolution

Look up the specific error in MS TechNet, MS Knowledgebase, and MS blogs to determine its usual meaning, and then troubleshoot based on those results.

Event ID 2199

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> failed to create the following cloned DC object because the object already exists.
Additional data:
Source DC: %1
Object: %2

Notes and resolution

Validate that the dccloneconfig.xml did not specify an existing domain controller, and that copies of the dccloneconfig.xml were not used on multiple clones without editing the name. If the collision is still unexpected, determine which administrator promoted the existing domain controller; contact them to discuss whether it should be demoted, its metadata cleaned, or whether the VDC clone should use a different name.

Event ID 2203

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message Last virtual domain controller cloning failed. This is the first reboot since then so this should be a re-try of the cloning. However, neither virtual domain controller clone configuration file exists nor virtual machine generation ID change is detected. Boot into DSRM.
Last virtual domain controller cloning failed: %1
Virtual domain controller clone configuration file exists: %2
Virtual machine generation ID change is detected: %3

Notes and resolution

Expected if cloning failed previously due to a missing or invalid dccloneconfig.xml.
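As an added example that is not part of the original guide, the following Windows PowerShell script collects the cloning-specific events listed in the two tables above from a clone's System and Directory Service logs, attaches a short triage hint condensed from the notes above, and gives a one-line verdict. It assumes the 'Directory Service' log name and the provider names shown in the Source column; the function names and hint text are this example's own.

```powershell
# Added example, not from the original guide: gather the VDC cloning events
# documented in this guide and summarise them for a first-pass triage.

function Get-VdcCloningEvents {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24   # look-back window that should cover the cloning attempt
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Log name -> provider (the Source column above) and the event IDs documented here.
    $providers = @{
        'System'            = 'Microsoft-Windows-DirectoryServices-DSROLE-Server'
        'Directory Service' = 'Microsoft-Windows-ActiveDirectory_DomainService'
    }
    $wanted = @{
        'System'            = @(29218, 29248, 29249, 29250, 29251, 29253, 29254,
                                29255, 29256, 29257, 29264, 29265, 29266)
        'Directory Service' = @(2160..2180) + @(2182..2184) + @(2191..2199) + 2203
    }

    # Triage hints condensed from the "Notes and resolution" entries above.
    $hints = @{
        29218 = 'Cloning failed, rebooting into DSRM; read dcpromo.log and the preceding events'
        29249 = 'dccloneconfig.xml did not parse; validate it against DCCloneConfigSchema.xsd'
        29250 = 'Software not on the allow list; run Get-ADDCCloningExcludedApplicationList'
        29251 = 'IP reset failed; check the network sections of dccloneconfig.xml'
        29253 = 'PDC emulator not located; check IP/DNS and Dcdiag.exe /test:locatorcheck'
        29254 = 'Bind to PDC emulator failed; check LDAP/RPC connectivity'
        29255 = 'Object creation on the PDC emulator failed; check its Directory Service log'
        29265 = 'Cloning succeeded; dccloneconfig.xml renamed'
        2162  = 'Catch-all failure; see the System log and dcpromo.log'
        2164  = 'DsRoleSvc did not start; confirm its start type is Manual'
        2170  = 'VM Generation ID changed; expected on a fresh clone'
        2178  = 'Config file found but Generation ID unchanged; this is the source DC'
        2184  = 'Clone name limit reached; set <computername> in dccloneconfig.xml'
        2199  = 'Cloned DC object already exists; check the name in dccloneconfig.xml'
        2203  = 'Retry with no dccloneconfig.xml and no Generation ID change; booting DSRM'
    }

    $events = foreach ($log in $providers.Keys) {
        $filter = @{ LogName = $log; ProviderName = $providers[$log]; StartTime = $since }
        try {
            # IDs are filtered client-side: a long Id list in FilterHashtable can
            # exceed the event log's XPath expression limit.
            Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
                Where-Object { $_.Id -in $wanted[$log] }
        }
        catch {
            # Get-WinEvent throws when nothing matches; treat that as an empty result.
            if ($_.Exception.Message -notmatch 'No events were found') { throw }
        }
    }

    $events | Sort-Object TimeCreated | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Log     = $_.LogName
            Id      = $_.Id
            Level   = $_.LevelDisplayName
            Hint    = $hints[$_.Id]
            Message = ("$($_.Message)" -split "`r?`n")[0]   # first line only
        }
    }
}

function Get-VdcCloningVerdict {
    param([object[]]$Events)
    $ids = @($Events | ForEach-Object { $_.Id })
    if (29265 -in $ids)                   { return 'Cloning succeeded' }
    if (29218 -in $ids -or 2203 -in $ids) { return 'Cloning failed; the clone boots into DSRM' }
    if (2162 -in $ids)                    { return 'Cloning failed (2162 catch-all); read the System log' }
    if (2178 -in $ids)                    { return 'Source DC booted with the config file present; rename expected' }
    if (2161 -in $ids -or 2174 -in $ids)  { return 'No dccloneconfig.xml found; nothing was cloned' }
    return 'Inconclusive; review the event list'
}

$vdc = Get-VdcCloningEvents -Hours 48
$vdc | Format-Table Time, Id, Level, Hint -AutoSize
Get-VdcCloningVerdict -Events $vdc
```

Run it on the clone VM itself (after clearing DSRM boot if it is stuck there), or pass -ComputerName from an administrative workstation that can read the clone's event logs.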

Error Messages

There are no direct interactive errors for failed VDC cloning; all cloning information is logged in the System and Directory Services event logs, and the domain controller promotion details are logged in dcpromo.log. However, if the server boots into DS Restore Mode, consider that an "interactive error" and investigate immediately, as promotion or cloning failed.

The dcpromo.log contains cloning-specific errors as they pertain to the actual promotion process. Otherwise, they are simply domain controller promotion errors, as you would see on non-virtual or non-cloned Domain controllers.

Known/Likely Issues and Support Scenarios

The following are common issues seen during the Windows Server "8" Beta development process. All of these issues are "by design" and have either a valid workaround or a more appropriate technique to avoid them in the first place. Some may be resolved in later releases of Windows Server "8".

Issue Cloning fails, DSRM

Symptoms Clone boots into Directory Services Restore Mode

Resolution and Notes

Validate that all steps were followed from the sections Deploying Virtualized Domain Controller and General Methodology for Troubleshooting Domain Controller Cloning.

Issue Metadata cleaning a clone RODC generates "access is denied" errors on the original RODC when attempting to log on

Symptoms After cloning an RODC but later deciding to remove it through metadata cleanup, where you force reset the password of all cached users and computers, you can no longer log on to the original source RODC used for cloning. Attempts to log on to the source RODC always return "access is denied" or "bad username or password". Any further clones made from that source RODC always show the error "The trust relationship between this workstation and the primary domain failed" at logon.

Resolution and Notes

To prevent the issue, always gracefully demote cloned RODCs using Server Manager or ADDSDeployment Windows PowerShell and do not force their demotion. If already experiencing the issue, forcibly demote the source and clone RODC domain controllers, clean their metadata, then promote the source RODC computer again as an RODC. Since RODCs cannot originate local changes, there is no data loss in this scenario. It is fixed in later releases of Windows Server "8".

Issue Duplicate IP addresses when using DHCP to clone

Symptoms After successfully cloning a DC and using DHCP, the first boot of the clone takes a DHCP lease. Then when the server is renamed and restarted as a DC, it takes a second DHCP lease. The first IP address is not released and you end up with a "phantom" lease.

Resolution and Notes

Manually delete the unused address lease in DHCP or allow it to expire normally.

Issue Cloning RODC fails when there is a pre-existing server object in a renamed AD site

Symptoms After cloning an RODC that already has a computer object in the appropriate AD logical site (in DSSITE.MSC), cloning fails with Directory Services event 1168 (Internal Processing):

"Internal error: An Active Directory Domain Services error has occurred.
Error value (decimal): -1073741823
Error value (hex): c0000001
Internal ID: 30017b3"

And a second event with the same event number:

"Additional Data
Error value (decimal): 2
Error value (hex): 2
Internal ID: 7011658"

Resolution and Notes

To prevent the issue, remove the pre-existing computer object for the RODC by using DSSITE.MSC.

Issue CustomDCCloneAllowList.xml does not support unpredictable service names

Symptoms When attempting to use a single CustomDCCloneAllowList.xml to clone a variety of domain controllers, you cannot proceed because of services that use unpredictable names, for example, services that are Microsoft SQL instances.

Resolution and Notes

This is a design limitation of VDC and CustomDCCloneAllowList.xml. You cannot use a common CustomDCCloneAllowList.xml to clone domain controllers that have unpredictable service names. To work around this issue, always use the Get-ADDCCloningExcludedApplicationList Windows PowerShell cmdlet to assist in creating CustomDCCloneAllowList.xml per-server.


Issue PrintNotify service always detected by Get-ADDCCloningExcludedApplicationList

Symptoms Even on a brand new server with no programs or roles installed, the Get-ADDCCloningExcludedApplicationList cmdlet always detects the PrintNotify service.

This service is not in the c:\windows\system32\DefaultDCCloneAllowList.XML allow list even though it is a standard service with no known VDC incompatibilities.

Resolution and Notes

To work around this issue, always use the Get-ADDCCloningExcludedApplicationList Windows PowerShell cmdlet to assist in creating CustomDCCloneAllowList.xml per-server. As a less-recommended alternative, grant yourself permissions to the c:\windows\system32\DefaultDCCloneAllowList.XML allow list file on the source domain controller and edit the AllowList to also contain:

<Allow>
<Name>PrintNotify</Name>
<Type>Service</Type>
</Allow>
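As an added example for the two allow-list workarounds above (this code is not from the guide and is not Microsoft's tooling beyond the cmdlet it calls), the following Windows PowerShell generates the per-server CustomDCCloneAllowList.xml on the source domain controller and then shows how an <Allow> entry such as PrintNotify is added to an allow-list document without creating duplicates. It assumes the Get-ADDCCloningExcludedApplicationList cmdlet with its -GenerateXml, -Path and -Force parameters is available, and that the allow-list root element is named AllowList (an assumption taken from the fragment above); the sample XML is constructed for the example.

```powershell
# Added example, not from the guide. Run on the source domain controller.
# Assumes the Get-ADDCCloningExcludedApplicationList cmdlet and its
# -GenerateXml/-Path/-Force parameters; the <AllowList> root name is an assumption.

# 1. Report which services and programs would block cloning on this server.
#    Review each entry: generating an allow list declares all of them clone-safe.
Get-ADDCCloningExcludedApplicationList | Format-Table Name, Type -AutoSize

# 2. Write CustomDCCloneAllowList.xml next to the database (C:\Windows\NTDS is the
#    DS Database Path in this guide's dcpromo.log sample). -Force overwrites an
#    existing file, so this is repeated per source DC, never shared between them.
Get-ADDCCloningExcludedApplicationList -GenerateXml -Path 'C:\Windows\NTDS' -Force

# 3. Helper for the manual alternative: add one <Allow> entry to an allow-list
#    document only if an identical Name/Type pair is not already present.
function Add-CloneAllowEntry {
    param(
        [Parameter(Mandatory)][xml]$AllowList,
        [Parameter(Mandatory)][string]$Name,
        [string]$Type = 'Service'
    )
    $present = @($AllowList.DocumentElement.SelectNodes('Allow')) | Where-Object {
        $_.SelectSingleNode('Name').InnerText -eq $Name -and
        $_.SelectSingleNode('Type').InnerText -eq $Type
    }
    if ($present) { return $AllowList }          # already allowed, nothing to do

    $allow = $AllowList.CreateElement('Allow')
    foreach ($pair in ([ordered]@{ Name = $Name; Type = $Type }).GetEnumerator()) {
        $child = $AllowList.CreateElement($pair.Key)
        $child.InnerText = $pair.Value
        [void]$allow.AppendChild($child)
    }
    [void]$AllowList.DocumentElement.AppendChild($allow)
    return $AllowList
}

# Constructed sample allow list (not the real DefaultDCCloneAllowList.XML contents).
[xml]$sample = @'
<AllowList>
  <Allow><Name>Dnscache</Name><Type>Service</Type></Allow>
</AllowList>
'@

$updated = Add-CloneAllowEntry -AllowList $sample  -Name 'PrintNotify' -Type 'Service'
$updated = Add-CloneAllowEntry -AllowList $updated -Name 'PrintNotify'   # second call adds nothing
$updated.OuterXml                                                         # inspect the result
$updated.Save("$env:TEMP\CustomDCCloneAllowList.xml")                     # review, then copy beside ntds.dit
```

Editing the generated file rather than DefaultDCCloneAllowList.XML keeps the default list intact, so a later review can still tell which exceptions were granted for this particular server.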

Issue Cloning fails into DSRM after very long delay

Symptoms Cloning appears to pause at "Domain controller cloning is at X% completion" for between 8 and 15 minutes. After this, the cloning fails and boots into DSRM.

Resolution and Notes

The cloned computer cannot get a dynamic IP address from DHCP or SLAAC, or is using a duplicate IP address. Multiple retry attempts performed by cloning lead to the delay. Resolve the networking issue to allow cloning.

Issue Cloning does not recreate all service principal names

Symptoms If a set of three-part service principal names (SPN) includes both a NetBIOS name with a port and an otherwise identical NetBIOS name without a port, the non-port entry is not recreated with the new computer name. For example:

customspn/DC1:200/app1 - this is recreated with the new computer name
customspn/DC1/app1 - this is not recreated with the new computer name

Fully-qualified names are recreated and SPNs without three parts are recreated, regardless of ports. For example, these are recreated successfully on the clone:

customspn/DC1:202 - this is recreated
customspn/DC1 - this is recreated
customspn/DC1.corp.contoso.com:202 - this is recreated
customspn/DC1.corp.contoso.com - this is recreated

Resolution and Notes

This is a limitation of the domain controller rename process in Windows, not just in cloning. Three-part SPNs are not handled by the renaming logic in any scenario. Most included Windows services are unaffected by this, as they recreate any missing SPNs as needed. Other applications may require manually entering the SPN to resolve the issue.
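As an added example (not from the guide), the following Windows PowerShell function encodes the rule from the Symptoms above and predicts, for a source DC's servicePrincipalName values, which entries the clone rename will not recreate, so an administrator can verify them on the clone and add them by hand where needed. The rule as implemented is this example's reading of the text: a three-part SPN whose host part is the old NetBIOS name with no port is skipped; two-part SPNs and SPNs with a fully-qualified host are recreated. The sample SPN list is constructed from the examples above; the Get-ADComputer line in the comment is the live alternative.

```powershell
# Added example, not from the guide: predict which SPNs the clone rename will
# not recreate. Rows with Recreated = False are the ones to verify on the clone.
function Get-SpnRenameGap {
    param(
        [Parameter(Mandatory)][string[]]$Spn,
        [Parameter(Mandatory)][string]$OldName,   # NetBIOS name of the source DC
        [Parameter(Mandatory)][string]$NewName    # NetBIOS name of the clone
    )
    foreach ($entry in $Spn) {
        $parts = $entry -split '/'
        if ($parts.Count -lt 2) { continue }                    # not service/host[...]
        $service = $parts[0]
        $hostPart, $port = $parts[1] -split ':', 2              # host[:port]
        $tail = if ($parts.Count -gt 2) { $parts[2..($parts.Count - 1)] -join '/' }
        $isNetBios = $hostPart -notmatch '\.'

        # Only SPNs that name the source DC are affected by the rename.
        $namesSource = if ($isNetBios) { $hostPart -eq $OldName } else { $hostPart -like "$OldName.*" }
        if (-not $namesSource) { continue }

        $newHost = if ($isNetBios) { $NewName } else { $NewName + $hostPart.Substring($OldName.Length) }
        $expectedHost = if ($port) { "${newHost}:$port" } else { $newHost }
        $expected = (@($service, $expectedHost) + @($tail | Where-Object { $_ })) -join '/'

        [pscustomobject]@{
            SourceSpn   = $entry
            ExpectedSpn = $expected
            # Rule from the Symptoms: three-part + NetBIOS host + no port is not recreated.
            Recreated   = -not ($parts.Count -ge 3 -and $isNetBios -and -not $port)
        }
    }
}

# Constructed input mirroring the examples in the Symptoms. On a live source DC use:
#   (Get-ADComputer DC1 -Properties servicePrincipalName).servicePrincipalName
$sample = 'customspn/DC1:200/app1', 'customspn/DC1/app1', 'customspn/DC1:202', 'customspn/DC1',
          'customspn/DC1.corp.contoso.com:202', 'customspn/DC1.corp.contoso.com', 'HOST/OTHERHOST'

Get-SpnRenameGap -Spn $sample -OldName 'DC1' -NewName 'DC2' | Format-Table -AutoSize
# Only customspn/DC1/app1 reports Recreated = False; its ExpectedSpn (customspn/DC2/app1)
# is what to look for on the clone with setspn -L and, if absent, register with setspn -S.
```

Running this against the source before cloning gives a checklist to compare with setspn -L on the finished clone, which is cheaper than discovering a missing SPN through a failing Kerberos authentication later.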

Issue Cloning fails, boots into normal mode as a duplicate of the source DC

Symptoms A new clone boots up without cloning. The dccloneconfig.xml is not renamed and the server is not in DS Restore Mode. The Directory Services event log shows Error 2164:

<COMPUTERNAME> failed to start the DsRoleSvc service to clone the local virtual domain controller. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information.

Resolution and Notes

Examine the service settings for the DS Role Server service (DsRoleSvc) and ensure its start type is set to Manual. Validate that no third party program is preventing the start of this service.

Issue Cloning succeeds, but SYSVOL is empty and does not replicate inbound or outbound

Symptoms A new clone appears to succeed. Later you notice that the SYSVOL and NETLOGON shares are empty. No SYSVOL files replicate inbound or outbound. The source server was previously migrated from FRS to DFSR.

Examining the DFS Replication event log shows event 8028 and repeated 8010 events:

Event ID: 8028
Level: Error
DFSR Migration was unable to transition to the 'PREPARED' state for Domain Controller <name>. DFSR will retry the next time it polls the Active Directory. To force an immediate retry, execute the command 'dfsrdiag /pollad'.
Additional Information:
Domain Controller: <name>
Error: 2 The system cannot find the file specified

Event ID: 8010
Level: Informational
DFSR has started preparing the Domain Controller %1 for migration. DFSR will now create the SYSVOL_DFSR folder, create objects in the local Active Directory and create DFSR member objects for the Domain Controller %1.

Examining the DFSR debug log shows:

20120208 17:12:07.187 2096 SYSM   586 [ERROR] Migration::SysvolMigrationTask::Step [MIG] Failed Migration task. Error:
+ [Error:2(0x2) Migration::SysVolMigration::Migrate migration.cpp:1200 2096 W The system cannot find the file specified.]
+ [Error:2(0x2) Migration::SysVolMigration::StepToNextStableState migration.cpp:1271 2096 W The system cannot find the file specified.]
+ [Error:2(0x2) Migration::SysVolMigration::Prepare migration.cpp:1431 2096 W The system cannot find the file specified.]
+ [Error:2(0x2) Migration::SysVolMigration::CreateJunctionPointsForDfsrSysvolFolder migration.cpp:2637 2096 W The system cannot find the file specified.]

Resolution and Notes

The source domain controller used for cloning once participated in an FRS to DFSR SYSVOL migration (http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx). A known incompatibility in Windows Server "8" Beta VDC cloning prevents previously migrated servers from populating or replicating SYSVOL after cloning. To resolve this issue, forcibly demote the clone domain controller and remove the metadata using NTDSUTIL.EXE or DSA.MSC. Choose a new Windows Server "8" Beta source domain controller that has not previously migrated FRS to DFSR. If there are no such domain controllers, promote a new Windows Server "8" Beta into the domain using Server Manager or ADDSDeployment Windows PowerShell, then use it as the source of cloning. Do not attempt to fix the issues based on the events or debug logs, as there is a strong possibility that you will unintentionally delete all data from all other SYSVOL copies on all domain controllers in the domain. This issue will be resolved in versions later than Windows Server "8" Beta.


Advanced Troubleshooting

This guide seeks to teach advanced troubleshooting by using working logs as samples, with some explanation of what occurred. If you understand what a successful VDC operation looks like, failures become obvious in your environment. These logs are presented by their source, with the ascending order of expected events (even when they are warnings and errors) related to a cloned domain controller within each log.

Cloning a Domain Controller

In this example, the clone domain controller uses DHCP to get an IP address, replicates SYSVOL using FRS or DFSR (see the appropriate log as necessary), is a global catalog, and uses a blank dccloneconfig.xml file.

Directory Services Event Log

The Directory Services log contains the majority of event-based cloning operational information. The hypervisor changes the VM-Generation ID and the NTDS service notes it, then invalidates the RID pool and changes the invocation ID. The new VM-Generation ID is set and the server replicates AD data inbound. The DFSR service is stopped and its database that hosts SYSVOL is deleted, forcing a non-authoritative sync inbound. The USN high watermark is adjusted.

Event ID   Source   Message

2160 ActiveDirectory_DomainService

The local Active Directory Domain Services has found a virtual domain controller cloning configuration file. The virtual domain controller cloning configuration file is found at: <path>\DCCloneConfig.xml
The existence of the virtual domain controller cloning configuration file indicates that the local virtual domain controller is a clone of another virtual domain controller. The Active Directory Domain Services will start to clone itself.

2191 ActiveDirectory_DomainService

Active Directory Domain Services set the following registry value to disable DNS updates.
Registry Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry Value: UseDynamicDns
Registry Value data: 0
During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

2191 ActiveDirectory_DomainService

Active Directory Domain Services set the following registry value to disable DNS updates.
Registry Key: SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
Registry Value: RegistrationEnabled
Registry Value data: 0
During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

2191 ActiveDirectory_DomainService (Information, 2/7/2012 3:12:49 PM, Internal Configuration)

Active Directory Domain Services set the following registry value to disable DNS updates.
Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Registry Value: DisableDynamicUpdate
Registry Value data: 1
During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

2172 ActiveDirectory_DomainService

Read the msDS-GenerationId attribute of the Domain Controller's computer object.
msDS-GenerationId attribute value: <Number>

2170 ActiveDirectory_DomainService

A Generation ID change has been detected.
Generation ID cached in DS (old value): <Number>
Generation ID currently in VM (new value): <Number>
The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. Active Directory Domain Services will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

1109 ActiveDirectory_DomainService

The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:
InvocationID attribute (old value): <GUID>
InvocationID attribute (new value): <GUID>
Update sequence number: <Number>
The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.

1000 ActiveDirectory_DomainService

Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0

1394 ActiveDirectory_DomainService

All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted

2163 ActiveDirectory_DomainService

DsRoleSvc service was started to clone the local virtual domain controller.

326 NTDS ISAM NTDS (536) NTDSA: The database engine attached a database (1, C:\Windows\NTDS\ntds.dit). (Time=0 seconds)
Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.016, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.
Saved Cache: 1

103 NTDS ISAM NTDS (536) NTDSA: The database engine stopped the instance (0).
Dirty Shutdown: 0
Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.032, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

102 NTDS ISAM NTDS (536) NTDSA: The database engine (6.02.8225.0000) is starting a new instance (0).

105 NTDS ISAM NTDS (536) NTDSA: The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.016, [2] 0.000, [3] 0.015, [4] 0.078, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.046, [10] 0.000, [11] 0.000.

1004 ActiveDirectory_DomainService

Active Directory Domain Services was shut down successfully.

102 NTDS ISAM NTDS (536) NTDSA: The database engine (6.02.8225.0000) is starting a new instance (0).

326 NTDS ISAM NTDS (536) NTDSA: The database engine attached a database (1, C:\Windows\NTDS\ntds.dit). (Time=0 seconds)
Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.016, [4] 0.000, [5] 0.031, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.
Saved Cache: 1

105 NTDS ISAM NTDS (536) NTDSA: The database engine started a new instance (0). (Time=1 seconds) Internal Timing Sequence: [1] 0.031, [2] 0.000, [3] 0.000, [4] 0.391, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000.

1109 ActiveDirectory_DomainService

The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:
InvocationID attribute (old value): <GUID>
InvocationID attribute (new value): <GUID>
Update sequence number: <Number>
The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.

1168 ActiveDirectory_DomainService

Internal error: An Active Directory Domain Services error has occurred.
Additional Data
Error value (decimal): 2
Error value (hex): 2
Internal ID: 7011658

1110 ActiveDirectory_DomainService

Promotion of this domain controller to a global catalog will be delayed for the following interval.
Interval (minutes): 5
This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide.

103 NTDS ISAM NTDS (536) NTDSA: The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.047, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.016, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

1004 ActiveDirectory_DomainService

Active Directory Domain Services was shut down successfully.

1539 ActiveDirectory_DomainService

Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk. Hard disk:c: Data might be lost during system failures

2179 ActiveDirectory_DomainService

The msDS-GenerationId attribute of the Domain Controller's computer object has been set to the following parameter: GenerationID attribute:<Number>

2173 ActiveDirectory_DomainService

Failed to read the msDS-GenerationId attribute of the Domain Controller's computer object. This may be caused by database transaction failure, or the generation id does not exist in the local database. The msDS-GenerationId does not exist during the first reboot after dcpromo or the DC is not a virtual domain controller.
Additional Data
Failure code: 6

1000 ActiveDirectory_DomainService

Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0

1394 ActiveDirectory_DomainService

All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.

1128 ActiveDirectory_DomainService (Knowledge Consistency Checker)

A replication connection was created from the following source directory service to the local directory service.
Source directory service: CN=NTDS Settings,<Domain Controller DN>
Local directory service: CN=NTDS Settings,<Domain Controller DN>
Additional Data
Reason Code: 0x2
Creation Point Internal ID: f0a025d

1999 ActiveDirectory_DomainService

The source directory service has optimized the update sequence number (USN) presented by the destination directory service. The source and destination directory services have a common replication partner. The destination directory service is up to date with the common replication partner, and the source directory service was installed using a backup of this partner.
Destination directory service ID: <GUID> (<FQDN>)
Common directory service ID: <GUID>
Common property USN: <Number>
As a result, the up-to-dateness vector of the destination directory service has been configured with the following settings.
Previous object USN: 0
Previous property USN: 0
Database GUID: <GUID>
Object USN: <Number>
Property USN: <Number>

System Event Log

The next indications of cloning operations are in the System event log. As the hypervisor tells the guest computer that it was cloned or restored from a snapshot, the domain controller immediately invalidates its RID pool to avoid duplicating security principals later. As cloning proceeds, various expected operations and messages appear, mostly around services starting and stopping, and some expected errors caused by this. When cloning completes, the System event log notes overall cloning success.

Event ID   Source   Message

16654 Directory-Services-SAM

A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases:
1. A domain controller is restored from backup.
2. A domain controller running on a virtual machine is restored from snapshot.
3. An administrator has manually invalidated the pool.

7036 Service Control Manager

The Active Directory Domain Services service entered the running state.

7036 Service Control Manager

The Kerberos Key Distribution Center service entered the running state.

3096 Netlogon

The primary Domain Controller for this domain could not be located.

7036 Service Control Manager

The Security Accounts Manager service entered the running state.

7036 Service Control Manager

The Server service entered the running state.

7036 Service Control Manager

The Netlogon service entered the running state.

7036 Service Control Manager

The Active Directory Web Services service entered the running state.

7036 Service Control Manager

The DFS Replication service entered the running state.


7036 Service Control Manager

The File Replication Service service entered the running state.

14533 Microsoft-Windows-DfsSvc

DFS has finished building all namespaces.

14531 Microsoft-Windows-DfsSvc

DFS server has finished initializing.

7036 Service Control Manager

The DFS Namespace service entered the running state.

7023 Service Control Manager

The Intersite Messaging service terminated with the following error: The specified server cannot perform the requested operation.

7036 Service Control Manager

The Intersite Messaging service entered the stopped state.

5806 Netlogon

Dynamic DNS updates have been manually disabled on this domain controller.
USER ACTION
Reconfigure this domain controller to use dynamic DNS updates or manually add the DNS records from the file '%SystemRoot%\System32\Config\Netlogon.dns' to the DNS database.

16651 Directory-Services-SAM

The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is The requested FSMO operation failed. The current FSMO holder could not be contacted.

7036 Service Control Manager

The DNS Server service entered the running state.

7036 Service Control Manager

The DS Role Server service entered the running state.

7036 Service Control Manager

The Netlogon service entered the stopped state.

7036 Service Control Manager

The File Replication Service service entered the stopped state.

7036 Service Control Manager

The Kerberos Key Distribution Center service entered the stopped state.

7036 Service Control Manager

The DNS Server service entered the stopped state.

7036 Service Control Manager

The Active Directory Domain Services service entered the stopped state.


7036 Service Control Manager

The Netlogon service entered the running state.

7040 Service Control Manager

The start type of the Active Directory Domain Services service was changed from auto start to disabled.

7036 Service Control Manager

The Netlogon service entered the stopped state.

7036 Service Control Manager

The File Replication Service service entered the running state.

29219 DirectoryServices-DSROLE-Server

Virtual domain controller cloning succeeded.

29223 DirectoryServices-DSROLE-Server

This server is now a Domain Controller.

29265 DirectoryServices-DSROLE-Server

Virtual domain controller cloning succeeded. The virtual domain controller cloning configuration file C:\Windows\NTDS\DCCloneConfig.xml has been renamed to C:\Windows\NTDS\DCCloneConfig.20120207-151533.xml.

1074 User32

The process C:\Windows\system32\lsass.exe (DC2) has initiated the restart of computer DC2 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Reconfiguration (Planned)
Reason Code: 0x80020004
Shutdown Type: restart
Comment:
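As an added example (not from the guide), the following Windows PowerShell turns the two event tables above into a milestone check that can be run on a freshly cloned domain controller to confirm it passed each stage, or to see where it stopped. The log names, providers and event IDs are the ones shown in the tables; the phase labels, their grouping, and the 24-hour lookback window are this example's own choices.

```powershell
# Added example, not from the guide. Run on the clone after it finishes booting.
# Event IDs and log names are from the Directory Services and System tables above;
# the phase labels and the lookback window are this example's assumptions.
$clonePhases = @(
    @{ Phase = 'Clone config file found';   Log = 'Directory Service'; Id = 2160  }
    @{ Phase = 'DNS updates disabled';      Log = 'Directory Service'; Id = 2191  }
    @{ Phase = 'Generation ID change seen'; Log = 'Directory Service'; Id = 2170  }
    @{ Phase = 'InvocationID changed';      Log = 'Directory Service'; Id = 1109  }
    @{ Phase = 'RID pool invalidated';      Log = 'System';            Id = 16654 }
    @{ Phase = 'DsRoleSvc started';         Log = 'Directory Service'; Id = 2163  }
    @{ Phase = 'Generation ID saved';       Log = 'Directory Service'; Id = 2179  }
    @{ Phase = 'Cloning succeeded';         Log = 'System';            Id = 29219 }
    @{ Phase = 'DCCloneConfig.xml renamed'; Log = 'System';            Id = 29265 }
)

function Get-CloneMilestones {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    foreach ($p in $clonePhases) {
        $filter = @{ LogName = $p.Log; Id = $p.Id; StartTime = $Since }
        # Get-WinEvent reports "no events found" as an error; treat that as "not seen".
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Phase   = $p.Phase
            Log     = $p.Log
            EventId = $p.Id
            Seen    = $events.Count -gt 0
            First   = if ($events.Count) { ($events | Sort-Object TimeCreated)[0].TimeCreated } else { $null }
        }
    }
}

$report = Get-CloneMilestones
$report | Format-Table -AutoSize

# No "Cloning succeeded" event: check for the signature of the "Cloning fails, boots
# into normal mode as a duplicate of the source DC" issue (event 2164, DsRoleSvc did
# not start) before looking anywhere else.
if (-not ($report | Where-Object { $_.EventId -eq 29219 }).Seen) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2164 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
```

Note that event 1168 with Internal ID 7011658 appears in the successful sample log above, so its presence alone does not indicate a failure; the milestone list deliberately leaves it out.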

DCPROMO.LOG

The Dcpromo.log contains the actual promotion portion of cloning that the Directory Services event log does not describe. Since the log does not provide the level of explanation that the event log entries impart, this section of the guide contains additional annotation.

The promotion process means that the cloning starts, the DC is scrubbed of its current configuration and re-promoted using the existing AD database (much like an IFM promotion), then the DC replicates inbound change deltas of AD and SYSVOL, and cloning is complete.

Note: The log has been modified in this guide for readability, by removing the date column. Points of interest are italicized bold.

More Information:

For further explanation of the dcpromo.log see the Understand and Troubleshoot AD DS Simplified Administration in Windows Server "8" Beta: http://go.microsoft.com/fwlink/p/?LinkId=237244


Start clone-based promotion

Set the Directory Services Restore Mode flag so that the server does not boot back up normally as the original clone and cause naming or Directory Service collisions

Update the Directory Services event log

15:14:01 [INFO] vDC Cloneing: Setting Boot into DSRM flag succeeded.
15:14:01 [WARNING] Cannot get user Token for Format Message: 1725l
15:14:01 [INFO] vDC Cloning: Created vDCCloningUpdate event.
15:14:01 [INFO] vDC Cloning: Created vDCCloningComplete event.

Stop the NetLogon service so that the domain controller does not advertise

15:14:01 [INFO] Stopping service NETLOGON
15:14:01 [INFO] ControlService(STOP) on NETLOGON returned 1(gle=0)
15:14:01 [INFO] DsRolepWaitForService: waiting for NETLOGON to enter one of 7 states
15:14:01 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=3
15:14:02 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=1
15:14:02 [INFO] DsRolepWaitForService: exiting because NETLOGON entered STOPPED state
15:14:02 [INFO] DsRolepWaitForService(for any end state) on NETLOGON service returned 0
15:14:02 [INFO] ControlService(STOP) on NETLOGON returned 0(gle=1062)
15:14:02 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state
15:14:02 [INFO] StopService on NETLOGON returned 0
15:14:02 [INFO] Configuring service NETLOGON to 1 returned 0
15:14:02 [INFO] Updating service status to 4
15:14:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.

Examine the dccloneconfig.xml file for administrator-specified customizations.

In this sample case it is a blank file, so all settings are automatically generated and automatic IP addressing is required from the network.

15:14:02 [INFO] vDC Cloning: Clone config file C:\Windows\NTDS\DCCloneConfig.xml is considered to be a blank file (containing 0 bytes)
15:14:02 [INFO] vDC Cloning: Parsing clone config file C:\Windows\NTDS\DCCloneConfig.xml returned HRESULT 0x0

Validate that there are no services or programs installed that are not part of the DefaultDCCloneAllowList.xml or CustomDCCloneAllowList.xml.

15:14:02 [INFO] vDC Cloning: Checking allowed list:
15:14:03 [INFO] vDC Cloning: Completed checking allowed list:
15:14:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.

Enable DHCP on the network adapters, since IP information was not specified by the administrator

15:14:03 [INFO] vDC Cloning: Enable DHCP:
15:14:03 [INFO] WMI Instance: Win32_NetworkAdapterConfiguration.Index=12
15:14:03 [INFO] Method: EnableDHCP
15:14:03 [INFO] HRESULT code: 0x0 (0)
15:14:03 [INFO] Return Value: 0x0 (0)
15:14:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.

Locate the PDC emulator

Set the clone's site (automatically generated in this case)

Set the clone's name (automatically generated in this case)

15:14:03 [INFO] vDC Cloning: Found PDC. Name: DC1.root.fabrikam.com
15:14:04 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:04 [INFO] vDC Cloning: Winlogon UI Notification #1: Domain Controller cloning is at 5% completion...
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #2: Domain Controller cloning is at 10% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] Site of the cloned DC: Default-First-Site-Name

Create the new clone computer object

Rename the clone to match the new name

15:14:05 [INFO] vDC Cloning: Clone DC objects are created on PDC.
15:14:05 [INFO] Name of the cloned DC: DC2-CL0001
15:14:05 [INFO] DsRolepSetRegStringValue on System\CurrentControlSet\Services\NTDS\Parameters\CloneMachineName to DC2-CL0001 returned 0
15:14:05 [INFO] vDC Cloning: Save CloneMachineName in registry: 0x0 (0)

Provide the promotion settings, based on previous dccloneconfig.xml or automatic generation rules

15:14:05 [INFO] vDC Cloning: Promotion parameters setting:
15:14:05 [INFO] DNS Domain Name: root.fabrikam.com
15:14:05 [INFO] Replica Partner: \\DC1.root.fabrikam.com
15:14:05 [INFO] Site Name: Default-First-Site-Name
15:14:05 [INFO] DS Database Path: C:\Windows\NTDS
15:14:05 [INFO] DS Log Path: C:\Windows\NTDS
15:14:05 [INFO] SysVol Root Path: C:\Windows\SYSVOL
15:14:05 [INFO] Account: root.fabrikam.com\DC2-CL0001$
15:14:05 [INFO] Options: DSROLE_DC_CLONING (0x800400)

Start promotion

15:14:05 [INFO] Promote DC as a clone
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #3: Domain Controller cloning is at 15% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #4: Domain Controller cloning is at 16% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] Validate supplied paths
15:14:05 [INFO] Validating path C:\Windows\NTDS.
15:14:05 [INFO] Path is a directory
15:14:05 [INFO] Path is on a fixed disk drive.
15:14:05 [INFO] Validating path C:\Windows\NTDS.
15:14:05 [INFO] Path is a directory
15:14:05 [INFO] Path is on a fixed disk drive.
15:14:05 [INFO] Validating path C:\Windows\SYSVOL.
15:14:05 [INFO] Path is on a fixed disk drive.
15:14:05 [INFO] Path is on an NTFS volume
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #5: Domain Controller cloning is at 17% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] Start the worker task
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #6: Domain Controller cloning is at 20% completion...
15:14:05 [INFO] Request for promotion returning 0
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #7: Domain Controller cloning is at 21% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
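As an added example (not from the guide), the following Windows PowerShell parses dcpromo.log lines in the format shown in this section, pulls out the "Domain Controller cloning is at N% completion" notices and reports where progress stalled, which is the quickest way to recognise the "Cloning fails into DSRM after very long delay" pattern from the Issues section. The sample lines are constructed from the format above; the 5-minute stall threshold is this example's assumption, chosen well below the 8 to 15 minute pause that issue describes, and the default log location in the last comment is the standard Windows location rather than something the guide states.

```powershell
# Added example, not from the guide: timeline and stall detection for dcpromo.log.
# Sample lines are constructed; the stall threshold is an assumption.
function Get-ClonePhaseTiming {
    param(
        [Parameter(Mandatory)][string[]]$Line,
        [int]$StallMinutes = 5
    )
    # Lines look like: 15:14:05 [INFO] vDC Cloning: ...   (date column removed, as in this guide)
    $lineRx = '^(?<t>\d{2}:\d{2}:\d{2}) \[(?<lvl>\w+)\] (?<msg>.*)$'
    $records = @(foreach ($l in $Line) {
        if ($l -match $lineRx) {
            [pscustomobject]@{ Time = [timespan]$Matches.t; Level = $Matches.lvl; Message = $Matches.msg }
        }
    })
    $progress = @(foreach ($r in $records) {
        if ($r.Message -match 'cloning is at (?<pct>\d+)% completion') {
            [pscustomobject]@{ Time = $r.Time; Percent = [int]$Matches.pct }
        }
    })

    # Gaps between consecutive progress notices.
    $stalls = @()
    for ($i = 1; $i -lt $progress.Count; $i++) {
        $gap = $progress[$i].Time - $progress[$i - 1].Time
        if ($gap.TotalMinutes -ge $StallMinutes) {
            $stalls += [pscustomobject]@{ AtPercent = $progress[$i - 1].Percent; Gap = $gap }
        }
    }
    # Silence after the last notice (log just stops, then the DC boots into DSRM).
    if ($progress.Count -and $records.Count) {
        $tail = $records[-1].Time - $progress[-1].Time
        if ($tail.TotalMinutes -ge $StallMinutes) {
            $stalls += [pscustomobject]@{ AtPercent = $progress[-1].Percent; Gap = $tail }
        }
    }

    [pscustomobject]@{
        Lines       = $records.Count
        LastPercent = if ($progress.Count) { $progress[-1].Percent } else { $null }
        NonInfo     = @($records | Where-Object { $_.Level -ne 'INFO' }).Count
        Stalls      = $stalls
    }
}

# Constructed sample: the 15% notice is followed by a 12-minute silence.
$sample = @(
    '15:14:04 [INFO] vDC Cloning: Winlogon UI Notification #1: Domain Controller cloning is at 5% completion...'
    '15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #2: Domain Controller cloning is at 10% completion...'
    '15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #3: Domain Controller cloning is at 15% completion...'
    '15:14:05 [INFO] vDC Cloning: Enable DHCP:'
    '15:26:40 [WARNING] Cannot get user Token for Format Message: 1725l'
    '15:26:41 [INFO] vDC Cloning: Winlogon UI Notification #4: Domain Controller cloning is at 16% completion...'
)
$result = Get-ClonePhaseTiming -Line $sample
$result | Format-List                          # Lines 6, LastPercent 16, NonInfo 1
$result.Stalls | Format-Table -AutoSize        # AtPercent 15, Gap 00:12:36

# Live log (standard location, not stated by the guide):
# Get-ClonePhaseTiming -Line (Get-Content "$env:SystemRoot\Debug\dcpromo.log")
```

A stall right after the "Enable DHCP" step, as in the sample, matches the resolution given for the DSRM issue: the clone could not obtain or keep a usable IP address, and the retries account for the delay.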

Stop and configure all of the AD DS-related services (NTDS, NTFRS/DFSR, KDC, DNS)

Note: The DNS service taking a long time to shut down is expected in this scenario, because it uses AD-integrated zones that were already unavailable before the NTDS service stopped; see the DNS events described later in this section of the guide.

15:14:15 [INFO] Stopping service NTDS
15:14:15 [INFO] Stopping service NtFrs
15:14:15 [INFO] ControlService(STOP) on NtFrs returned 1(gle=0)
15:14:15 [INFO] DsRolepWaitForService: waiting for NtFrs to enter one of 7 states
15:14:15 [INFO] DsRolepWaitForService: QueryServiceStatus on NtFrs returned 1 (gle=0), SvcStatus.dwCS=3
15:14:16 [INFO] DsRolepWaitForService: QueryServiceStatus on NtFrs returned 1 (gle=0), SvcStatus.dwCS=1
15:14:16 [INFO] DsRolepWaitForService: exiting because NtFrs entered STOPPED state
15:14:16 [INFO] DsRolepWaitForService(for any end state) on NtFrs service returned 0
15:14:16 [INFO] ControlService(STOP) on NtFrs returned 0(gle=1062)
15:14:16 [INFO] Exiting service-stop loop after service NtFrs entered STOPPED state
15:14:16 [INFO] StopService on NtFrs returned 0
15:14:16 [INFO] Configuring service NtFrs to 1 returned 0
15:14:16 [INFO] Stopping service Kdc
15:14:16 [INFO] ControlService(STOP) on Kdc returned 1(gle=0)
15:14:16 [INFO] DsRolepWaitForService: waiting for Kdc to enter one of 7 states
15:14:16 [INFO] DsRolepWaitForService: QueryServiceStatus on Kdc returned 1 (gle=0), SvcStatus.dwCS=3
15:14:17 [INFO] DsRolepWaitForService: QueryServiceStatus on Kdc returned 1 (gle=0), SvcStatus.dwCS=1
15:14:17 [INFO] DsRolepWaitForService: exiting because Kdc entered STOPPED state

15:14:17 [INFO] DsRolepWaitForService(for any end state) on Kdc service returned 0
15:14:17 [INFO] ControlService(STOP) on Kdc returned 0(gle=1062)
15:14:17 [INFO] Exiting service-stop loop after service Kdc entered STOPPED state
15:14:17 [INFO] StopService on Kdc returned 0
15:14:17 [INFO] Configuring service Kdc to 1 returned 0
15:14:17 [INFO] Stopping service DNS
15:14:17 [INFO] ControlService(STOP) on DNS returned 1(gle=0)
15:14:17 [INFO] DsRolepWaitForService: waiting for DNS to enter one of 7 states
15:14:17 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:18 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:19 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:20 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:21 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:22 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:23 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:24 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:25 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:26 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:27 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:28 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:29 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:30 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:31 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:32 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:33 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:34 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:35 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:36 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:37 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:38 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3

15:14:39 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:40 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:41 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:42 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:43 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:44 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:45 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:46 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:47 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:48 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:49 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:50 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:51 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:52 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:53 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:54 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:55 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:56 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:57 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:58 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:59 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:15:00 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=1
15:15:00 [INFO] DsRolepWaitForService: exiting because DNS entered STOPPED state
15:15:00 [INFO] DsRolepWaitForService(for any end state) on DNS service returned 0
15:15:00 [INFO] ControlService(STOP) on DNS returned 0(gle=1062)
15:15:00 [INFO] Exiting service-stop loop after service DNS entered STOPPED state
15:15:00 [INFO] StopService on DNS returned 0
15:15:00 [INFO] Configuring service DNS to 1 returned 0
15:15:00 [INFO] ControlService(STOP) on NTDS returned 1(gle=1062)

15:15:00 [INFO] DsRolepWaitForService: waiting for NTDS to enter one of 7 states
15:15:00 [INFO] DsRolepWaitForService: QueryServiceStatus on NTDS returned 1 (gle=0), SvcStatus.dwCS=3
15:15:01 [INFO] DsRolepWaitForService: QueryServiceStatus on NTDS returned 1 (gle=0), SvcStatus.dwCS=1
15:15:01 [INFO] DsRolepWaitForService: exiting because NTDS entered STOPPED state
15:15:01 [INFO] DsRolepWaitForService(for any end state) on NTDS service returned 0
15:15:01 [INFO] ControlService(STOP) on NTDS returned 0(gle=1062)
15:15:01 [INFO] Exiting service-stop loop after service NTDS entered STOPPED state
15:15:01 [INFO] StopService on NTDS returned 0
15:15:01 [INFO] Configuring service NTDS to 1 returned 0
15:15:01 [INFO] Configuring service NTDS
15:15:01 [INFO] Configuring service NTDS to 64 returned 0
15:15:01 [INFO] vDC Cloning: Winlogon UI Notification #8: Domain Controller cloning is at 22% completion...
15:15:01 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:01 [INFO] vDC Cloning: Winlogon UI Notification #9: Domain Controller cloning is at 25% completion...
15:15:01 [INFO] vDC Cloning: Set vDCCloningUpdate event.
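As an added example (not part of the guide), the following Python script parses a dcpromo.log excerpt like the service-stop phase above, even when a PDF extraction has run several entries together on one line, and measures how long each AD DS-related service took to reach STOPPED, so that an expected slow DNS or NTDS shutdown can be told apart from a promotion that is actually hung. The condensed sample log and the 10-second "slow" threshold are assumptions of the example.

```python
"""Parse a dcpromo.log excerpt from a cloning promotion and time each service stop."""
import re
from datetime import datetime, timedelta

# One dcpromo.log entry starts with "HH:MM:SS [LEVEL] ". Splitting on this prefix
# rather than on newlines also recovers entries that extraction has run together.
ENTRY_RE = re.compile(r"(\d{2}:\d{2}:\d{2}) \[(\w+)\] ")
STOP_START_RE = re.compile(r"^Stopping service (\S+)$")
STOP_DONE_RE = re.compile(
    r"^Exiting service-stop loop after service (\S+) entered STOPPED state$")
PROGRESS_RE = re.compile(
    r"Winlogon UI Notification #(\d+): Domain Controller cloning is at (\d+)% completion")

# Constructed excerpt (not a real log file): a condensed version of the service-stop
# phase, deliberately written with some entries run together on a single line.
SAMPLE_LOG = (
    "15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #6: Domain Controller cloning is at 20% completion..."
    "15:14:15 [INFO] Stopping service NTDS15:14:15 [INFO] Stopping service NtFrs\n"
    "15:14:16 [INFO] Exiting service-stop loop after service NtFrs entered STOPPED state\n"
    "15:14:16 [INFO] Stopping service Kdc15:14:17 [INFO] Exiting service-stop loop after service Kdc entered STOPPED state\n"
    "15:14:17 [INFO] Stopping service DNS\n"
    "15:14:18 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3\n"
    "15:15:00 [INFO] Exiting service-stop loop after service DNS entered STOPPED state\n"
    "15:15:01 [INFO] Exiting service-stop loop after service NTDS entered STOPPED state\n"
    "15:15:01 [INFO] vDC Cloning: Winlogon UI Notification #9: Domain Controller cloning is at 25% completion..."
    "15:15:02 [INFO] Stopping service NETLOGON15:15:02 [INFO] Stopping service NETLOGON\n"
    "15:15:03 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state\n"
)


def split_entries(text):
    """Return [(time, level, message)] for every entry in the text, in log order."""
    # re.split with two capture groups yields [prefix, ts, level, rest, ts, level, rest, ...]
    parts = ENTRY_RE.split(text.replace("\n", " "))
    entries = []
    for i in range(1, len(parts), 3):
        ts = datetime.strptime(parts[i], "%H:%M:%S")
        entries.append((ts, parts[i + 1], parts[i + 2].strip()))
    return entries


def service_stop_durations(entries):
    """Map upper-cased service name to seconds from 'Stopping service X' to STOPPED."""
    started, durations = {}, {}
    for ts, _level, msg in entries:
        m = STOP_START_RE.match(msg)
        if m:
            # NETLOGON is logged as 'Stopping' twice at the same second; keep the first.
            started.setdefault(m.group(1).upper(), ts)
            continue
        m = STOP_DONE_RE.match(msg)
        if m and m.group(1).upper() in started:
            name = m.group(1).upper()
            delta = ts - started[name]
            if delta < timedelta(0):  # log crossed midnight
                delta += timedelta(days=1)
            durations[name] = int(delta.total_seconds())
    return durations


def slow_services(durations, threshold_seconds=10):
    """Sorted names of services whose stop exceeded the (assumed) threshold."""
    return sorted(n for n, s in durations.items() if s > threshold_seconds)


def progress_milestones(entries):
    """Return [(notification_number, percent, 'HH:MM:SS')] from the Winlogon UI notifications."""
    out = []
    for ts, _level, msg in entries:
        m = PROGRESS_RE.search(msg)
        if m:
            out.append((int(m.group(1)), int(m.group(2)), ts.strftime("%H:%M:%S")))
    return out


if __name__ == "__main__":
    entries = split_entries(SAMPLE_LOG)
    durations = service_stop_durations(entries)
    for name, secs in sorted(durations.items()):
        print(f"{name:<9} reached STOPPED after {secs:>3} s")
    print("slow stops:", slow_services(durations))
    for n, pct, at in progress_milestones(entries):
        print(f"notification #{n}: {pct}% at {at}")
```

On the sample, DNS (43 s) and NTDS (46 s, since it waits for its dependents) are reported as slow while NtFrs, Kdc and NETLOGON stop within a second, matching the note above that a long DNS shutdown is expected here.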

Force NT5DS (NTP) time synchronization with another domain controller (typically the PDCE)

15:15:02 [INFO] Forcing time sync

Contact a domain controller that holds the source domain controller account of the clone

Flush any existing Kerberos tickets

15:15:02 [INFO] Searching for a domain controller for the domain root.fabrikam.com that contains the account DC2$
15:15:02 [INFO] Located domain controller DC1.root.fabrikam.com for domain root.fabrikam.com
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #10: Domain Controller cloning is at 26% completion...
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] Directing kerberos authentication to DC1.root.fabrikam.com returns 0
15:15:02 [INFO] DsRolepFlushKerberosTicketCache() successfully flushed the Kerberos ticket cache
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #11: Domain Controller cloning is at 27% completion...
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] Using site Default-First-Site-Name for server \\DC1.root.fabrikam.com
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.

Stop the NetLogon service and set its start type

15:15:02 [INFO] Stopping service NETLOGON
15:15:02 [INFO] Stopping service NETLOGON
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #12: Domain Controller cloning is at 29% completion...
15:15:02 [INFO] ControlService(STOP) on NETLOGON returned 1(gle=0)
15:15:02 [INFO] DsRolepWaitForService: waiting for NETLOGON to enter one of 7 states
15:15:02 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=3
15:15:03 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=1
15:15:03 [INFO] DsRolepWaitForService: exiting because NETLOGON entered STOPPED state
15:15:03 [INFO] DsRolepWaitForService(for any end state) on NETLOGON service returned 0
15:15:03 [INFO] ControlService(STOP) on NETLOGON returned 0(gle=1062)
15:15:03 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state
15:15:03 [INFO] StopService on NETLOGON returned 0
15:15:03 [INFO] Configuring service NETLOGON to 1 returned 0
15:15:03 [INFO] Stopped NETLOGON
15:15:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:03 [INFO] vDC Cloning: Winlogon UI Notification #13: Domain Controller cloning is at 30% completion...

Configure the DFSR/NTFRS services to run automatically

Delete their existing database files to force non-authoritative sync of SYSVOL when the service next starts

15:15:03 [INFO] Configuring service DFSR
15:15:03 [INFO] Configuring service DFSR to 256 returned 0
15:15:03 [INFO] Configuring service NTFRS
15:15:03 [INFO] Configuring service NTFRS to 256 returned 0
15:15:03 [INFO] Removing DFSR Database files for SysVol
15:15:03 [INFO] Removing FRS Database files in C:\Windows\ntfrs\jet
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edb.log
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbres00001.jrs
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbres00002.jrs
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbtmp.log
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\ntfrs.jdb
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\sys\edb.chk
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\temp\tmp.edb
15:15:04 [INFO] Created system volume path
15:15:04 [INFO] Configuring service DFSR
15:15:04 [INFO] Configuring service DFSR to 128 returned 0
15:15:04 [INFO] Configuring service NTFRS
15:15:04 [INFO] Configuring service NTFRS to 128 returned 0
15:15:04 [INFO] vDC Cloning: Winlogon UI Notification #14: Domain Controller cloning is at 40% completion...
15:15:04 [INFO] vDC Cloning: Set vDCCloningUpdate event.

Start the promotion process using the existing NTDS database file

Contact the RID Master

Note: The AD DS service is not actually installed here; this is legacy instrumentation in the log.

15:15:04 [INFO] Installing the Directory Service
15:15:04 [INFO] Calling NtdsInstall for root.fabrikam.com
15:15:04 [INFO] Starting Active Directory Domain Services installation
15:15:04 [INFO] Validating user supplied options
15:15:04 [INFO] Determining a site in which to install
15:15:04 [INFO] Examining an existing forest...
15:15:04 [INFO] Starting a replication cycle between DC1.root.fabrikam.com and the RID operations master (2008r2-01.root.fabrikam.com), so that the new replica will be able to create users, groups, and computer objects...
15:15:04 [INFO] Configuring the local computer to host Active Directory Domain Services
15:15:04 [INFO] EVENTLOG (Warning): NTDS General / Service Control : 1539
Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.
Hard disk: c:
Data might be lost during system failures.
15:15:10 [INFO] EVENTLOG (Informational): NTDS General / Internal Processing : 2041
Duplicate event log entries were suppressed.
See the previous event log entry for details. An entry is considered a duplicate if the event code and all of its insertion parameters are identical. The time period for this run of duplicates is from the time of the previous event to the time of this event.
Event Code: 80000603
Number of duplicate entries: 2
15:15:10 [INFO] EVENTLOG (Informational): NTDS General / Internal Configuration : 2121
This Active Directory Domain Services server is disabling the Recycle Bin. Deleted objects may not be undeleted at this time.

Change the invocation ID that existed in the source computer's database

Create a new NTDS Settings object for this clone

Replicate in AD object delta from the partner domain controller

Note: Even though all objects are listed as replicated, this is just the metadata needed to subsume the updates. All the unchanged objects in the cloned NTDS database already exist and do not need to be replicated again, just as with IFM-based promotion.

15:15:10 [INFO] EVENTLOG (Informational): NTDS Replication / Replication : 1109
The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:
InvocationID attribute (old value): 24e7b22f-4706-402d-9b4f-f2690f730b40
InvocationID attribute (new value): f74cefb2-89c2-442c-b1ba-3234b0ed62f8
Update sequence number: 20520
The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.
15:15:10 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.
Additional Data
Error value (decimal): 2
Error value (hex): 2
Internal ID: 7011658
15:15:11 [INFO] Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC DC1.root.fabrikam.com...
15:15:11 [INFO] Replicating the schema directory partition
15:15:11 [INFO] Replicated the schema container.
15:15:12 [INFO] Active Directory Domain Services updated the schema cache.
15:15:12 [INFO] Replicating the configuration directory partition
15:15:12 [INFO] Replicating data CN=Configuration,DC=root,DC=fabrikam,DC=com: Received 2612 out of approximately 2612 objects and 94 out of approximately 94 distinguished name (DN) values...
15:15:12 [INFO] Replicated the configuration container.
15:15:13 [INFO] Replicating critical domain information...
15:15:13 [INFO] Replicating data DC=root,DC=fabrikam,DC=com: Received 109 out of approximately 109 objects and 35 out of approximately 35 distinguished name (DN) values...
15:15:13 [INFO] Replicated the critical objects in the domain container.

Populate the GC partitions as needed with any missing updates

Complete the critical AD DS portion of the promotion

15:15:13 [INFO] EVENTLOG (Informational): NTDS General / Global Catalog : 1110
Promotion of this domain controller to a global catalog will be delayed for the following interval.
Interval (minutes): 5
This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide.
15:15:14 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1000
Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0
15:15:15 [INFO] Creating new domain users, groups, and computer objects
15:15:16 [INFO] Completing Active Directory Domain Services installation
15:15:16 [INFO] NtdsInstall for root.fabrikam.com returned 0
15:15:16 [INFO] DsRolepInstallDs returned 0
15:15:16 [INFO] Installed Directory Service

Complete the inbound replication of SYSVOL

15:15:16 [INFO] vDC Cloning: Winlogon UI Notification #15: Domain Controller cloning is at 60% completion...
15:15:16 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Completed system volume replication
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #16: Domain Controller cloning is at 70% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] SetProductType to 2 [LanmanNT] returned 0
15:15:18 [INFO] Set the product type
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #17: Domain Controller cloning is at 71% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #18: Domain Controller cloning is at 72% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Set the system volume path for NETLOGON
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #19: Domain Controller cloning is at 73% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Replicating non critical information
15:15:18 [INFO] User specified to not replicate non-critical data
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #20: Domain Controller cloning is at 80% completion...
15:15:18 [INFO] Stopped the DS
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #21: Domain Controller cloning is at 90% completion...
15:15:18 [INFO] Configuring service NTDS
15:15:18 [INFO] Configuring service NTDS to 16 returned 0

Enable client DNS registration

15:15:18 [INFO] vDC Cloning: Set DisableDynamicUpdate reg value to 0 to enaable dynamic DNS records registration.
15:15:18 [INFO] vDC Cloning: Set UseDynamicDns reg value to 1 to enable dynamic DNS records registration.
15:15:18 [INFO] vDC Cloning: Set RegistrationEnabled reg value to 1 to enable dynamic DNS records registration.

Run the SYSPREP modules specified by the DefaultDCCloneAllowList.xml <SysprepInformation> element.

15:15:18 [INFO] vDC Cloning: Running sysprep providers.
15:15:32 [INFO] vDC Cloning: Completed running sysprep providers.

Cloning promotion is complete

Remove the DSRM boot flag so the server boots normally next time

Rename the dccloneconfig.xml so that it is not read again at next bootup

Restart the computer

15:15:32 [INFO] The attempted domain controller operation has completed
15:15:32 [INFO] Updating service status to 4
15:15:32 [INFO] DsRolepSetOperationDone returned 0
15:15:32 [INFO] vDC Cloning: Set vDCCloningComplete event.
15:15:32 [INFO] vDC Cloneing: Clearing Boot into DSRM flag succeeded.
15:15:32 [INFO] vDC Cloning: Winlogon UI Notification #22: Cloning Domain Controller succeeded. Now rebooting...
15:15:33 [INFO] vDC Cloning: Renamed vDC clone configuration file.
15:15:33 [INFO] vDC Cloning: The old name is: C:\Windows\NTDS\DCCloneConfig.xml
15:15:33 [INFO] vDC Cloning: The new name is: C:\Windows\NTDS\DCCloneConfig.20120207-151533.xml
15:15:34 [INFO] vDC Cloning: Release Ipv4 on interface 'Wired Ethernet Connection 2', result=0.
15:15:34 [INFO] vDC Cloning: Release Ipv6 on interface 'Wired Ethernet Connection 2', result=0.
15:15:34 [INFO] Rebooting machine

Active Directory Web Services Event Log

While cloning is occurring, the NTDS.DIT database is offline for extended periods, and the ADWS service logs at least one event for this. After cloning is complete, the ADWS service starts, notes that there is not yet a valid computer certificate (there may or may not be one, depending on whether your environment deploys a Microsoft PKI with auto-enrollment), and then starts the instance for the new domain controller.

Event ID | Source | Message
--- | --- | ---
1202 | ADWS Instance Events | This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically. Directory instance: NTDS. Directory instance LDAP port: 389. Directory instance SSL port: 636.
1000 | ADWS Instance Events | Active Directory Web Services is starting.
1008 | ADWS Instance Events | Active Directory Web Services has successfully reduced its security privileges.
1100 | ADWS Instance Events | The values specified in the <appsettings> section of the configuration file for Active Directory Web Services have been loaded without errors.
1400 | ADWS Certificate Events | Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine. Certificate name: <Server FQDN>
1100 | ADWS Instance Events | The values specified in the <appsettings> section of the configuration file for Active Directory Web Services have been loaded without errors.
1200 | ADWS Instance Events | Active Directory Web Services is now servicing the specified directory instance. Directory instance: NTDS. Directory instance LDAP port: 389. Directory instance SSL port: 636.

DNS Server Event Log

The DNS service will experience brief, expected outages while cloning occurs, because the DNS service is still running while the AD DS database is offline. This occurs when using Active Directory-integrated DNS, but not when using standard primary or secondary zones. These errors are logged multiple times. After cloning completes, DNS comes back online normally.

Event ID | Source | Message
--- | --- | ---
4013 | DNS-Server-Service | The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
4015 | DNS-Server-Service | The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
4000 | DNS-Server-Service | The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
4013 | DNS-Server-Service | The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
2 | DNS-Server-Service | The DNS server has started.
4 | DNS-Server-Service | The DNS server has finished the background loading of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.

File Replication Service Event Log

The File Replication Service synchronizes non-authoritatively from a partner during cloning. Cloning accomplishes this by deleting the NTFRS database files and leaving the contents of SYSVOL untouched, for use as pre-seeded data. The two attempts to synchronize are expected.

Event ID | Source | Message
--- | --- | ---
13562 | NtFrs | Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller DC2.root.fabrikam.com for FRS replica set configuration information. Could not bind to a Domain Controller. Will try again at next polling cycle.
13502 | NtFrs | The File Replication Service is stopping.
13565 | NtFrs | File Replication Service is initializing the system volume with data from another domain controller. Computer DC2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL. To check for the SYSVOL share, at the command prompt, type: net share. When File Replication Service completes the initialization process, the SYSVOL share will appear. The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
13501 | NtFrs | The File Replication Service is starting.
13502 | NtFrs | The File Replication Service is stopping.
13503 | NtFrs | The File Replication Service has stopped.
13565 | NtFrs | File Replication Service is initializing the system volume with data from another domain controller. Computer DC2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL. To check for the SYSVOL share, at the command prompt, type: net share. When File Replication Service completes the initialization process, the SYSVOL share will appear. The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
13501 | NtFrs | The File Replication Service is starting.
13553 | NtFrs | The File Replication Service successfully added this computer to the following replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)". Information related to this event is shown below: Computer DNS name is <Domain Controller FQDN>; Replica set member name is <Domain Controller>; Replica set root path is <path>; Replica staging directory path is <path>; Replica working directory path is <path>.
13520 | NtFrs | The File Replication Service moved the preexisting files in <path> to <path>\NtFrs_PreExisting___See_EventLog. The File Replication Service may delete the files in <path>\NtFrs_PreExisting___See_EventLog at any time. Files can be saved from deletion by copying them out of <path>\NtFrs_PreExisting___See_EventLog. Copying the files into c:\windows\sysvol\domain may lead to name conflicts if the files already exist on some other replicating partner. In some cases, the File Replication Service may copy a file from <path>\NtFrs_PreExisting___See_EventLog into <path> instead of replicating the file from some other replicating partner. Space can be recovered at any time by deleting the files in <path>\NtFrs_PreExisting___See_EventLog.
13508 | NtFrs | The File Replication Service is having trouble enabling replication from \\<Domain Controller FQDN> to <Domain Controller> for <path> using the DNS name \\<Domain Controller FQDN>. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name \\<Domain Controller FQDN> from this computer. [2] FRS is not running on \\<Domain Controller FQDN>. [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection. After the problem is fixed you will see another event log message indicating that the connection has been established.
13509 | NtFrs | The File Replication Service has enabled replication from \\<Domain Controller FQDN> to <Domain Controller> for <Path> after repeated retries.
13516 | NtFrs | The File Replication Service is no longer preventing the computer <Domain Controller> from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL. Type "net share" to check for the SYSVOL share.

DFS Replication Event Log

The DFSR service synchronizes non-authoritatively from a partner during cloning. Cloning accomplishes this by deleting the DFSR database files and leaving the contents of SYSVOL untouched, for use as pre-seeded data. The two attempts to synchronize are expected.

Event ID Source Message

1004 DFSR The DFS Replication service has started.

1314 DFSR The DFS Replication service successfully configured the debug log files. Additional Information:Debug Log File Path: C:\Windows\debug

6102 DFSR The DFS Replication service has successfully registered the WMI provider

1206 DFSR The DFS Replication service successfully contacted domain controller DC2.corp.contoso.com to access configuration information.

1210 DFSR The DFS Replication service successfully set up an RPC listener for incoming replication requests. Additional Information: Port: 0

4614 DFSR The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers. Additional Information: Replicated Folder Name: SYSVOL Share Replicated Folder ID: <GUID> Replication Group Name: Domain System Volume Replication Group ID: <GUID> Member ID: <GUID> Read-Only: 0

4604 DFSR The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member has completed initial synchronization of SYSVOL with partner dc1.corp.contoso.com. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share". Additional Information: Replicated Folder Name: SYSVOL Share Replicated Folder ID: <GUID> Replication Group Name: Domain System Volume Replication Group ID: <GUID> Member ID: <GUID> Sync partner: <domain controller FQDN>


Troubleshooting VDC Safe Restore

Tools for Troubleshooting

Logging Options

The built-in logs are the most important tool for troubleshooting issues with domain controller safe snapshot restore. All of these logs are enabled and configured for maximum verbosity, by default.

Operation Log

Snapshot creation Event viewer\Applications and services logs\Microsoft\Windows\Hyper-V-Worker

Snapshot restore Event viewer\Applications and services logs\Directory Service
Event viewer\Windows logs\System
Event viewer\Windows logs\Application
Event viewer\Applications and services logs\File Replication Service
Event viewer\Applications and services logs\DFS Replication
Event viewer\Applications and services logs\DNS
Event viewer\Applications and services logs\Microsoft\Windows\Hyper-V-Worker

Tools and Commands for Troubleshooting Domain Controller Configuration

To troubleshoot issues not explained by the logs, use the following tools as a starting point:

Dcdiag.exe

Repadmin.exe

Network Monitor 3.4 (or a third party network capture and analysis tool)

More Information:

For more information and downloads, see: Netmon http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=4865


General Methodology for Troubleshooting Domain Controller Safe Restore

1. Is the safe snapshot restore expected, but having issues?

a. Examine the Directory Services event log

i. Are there snapshot restore errors?

ii. Are there AD replication errors?

b. Examine the System event log

i. Are there communications errors?

ii. Are there AD errors?

2. Is the safe snapshot restore unexpected?

a. Examine the hypervisor audit logs to determine who or what caused a rollback

b. Contact all administrators of the hypervisor and interrogate them as to who rolled back the VM without notification

3. Is the server implementing USN rollback protection and not safely restoring?

a. Examine the Directory Services event log for indications of an unsupported hypervisor, that is, one that does not expose a VM-Generation ID to the guest

b. Validate that the guest operating system is Windows Server "8" Beta

Important: Contact Microsoft Beta Product Support when you have exhausted these avenues.
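A guest-side script for steps 1 and 3 of this methodology, added here as an example and not part of the original guide: it pulls the safe restore events that the Troubleshooting Specific Problems section documents from the Directory Service and System logs with Get-WinEvent, separates the expected informational events from the failure events, and reports whether the AD and SYSVOL halves of the cycle closed. It assumes an elevated session on the restored domain controller (or one with remote event log access when -ComputerName is used) and the standard Windows log and provider names; the event IDs are the ones listed in this guide. Step 2, an unexpected restore, is answered on the host from the Hyper-V-Worker log in the table above, not from inside the guest.

```powershell
# Added example, not from the guide: triage a VDC safe restore from inside the guest.
# Assumes an elevated session on (or with event log access to) the restored DC.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Since = (Get-Date).AddDays(-1)
)

# Informational events of a normal safe restore, and the errors that mean it did not complete.
# 21 IDs in total, which stays under the event log query's limit on the number of ID terms.
$expectedIds = 1109, 1587, 2170, 2174, 2179, 2181, 2185, 2187, 2189, 2200, 2201, 2204, 2205, 2208
$failureIds  = 2186, 2188, 2190, 2202, 2206, 2207, 2209

$dsEvents = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'Directory Service'
    ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
    Id           = $expectedIds + $failureIds
    StartTime    = $Since
} | Sort-Object TimeCreated

if (-not $dsEvents) {
    "No safe-restore events on $ComputerName since $Since."
    "A DC that simply booted logs 2174; if that is absent too, the events predate -Since or the guest is not a Windows Server 8 Beta DC."
    return
}

# Timeline: one line per event, failures tagged so they stand out in a long log.
$dsEvents | ForEach-Object {
    $tag = if ($failureIds -contains $_.Id) { 'FAIL' } else { 'ok  ' }
    '{0} {1:u} {2,-5} {3}' -f $tag, $_.TimeCreated, $_.Id, ($_.Message -split "`r?`n")[0]
}

# 2204 announces the restore; 2201 closes the AD replication half and 2187 the SYSVOL half.
$ids = @($dsEvents | ForEach-Object Id)
$summary = [ordered]@{
    'Restore detected (2204)'           = $ids -contains 2204
    'AD replication finished (2201)'    = $ids -contains 2201
    'SYSVOL service restarted (2187)'   = $ids -contains 2187
    'New generation ID recorded (2179)' = $ids -contains 2179
    'Failure events'                    = @($dsEvents | Where-Object { $failureIds -contains $_.Id }).Count
}

# Corroborate in the System log: 16654 = RID pool invalidated, 7036 = DFSR/NTFRS service restart.
$sysEvents = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; Id = 16654, 7036; StartTime = $Since
} | Where-Object { $_.Id -eq 16654 -or $_.Message -match 'DFS Replication|File Replication Service' }
$summary['RID pool invalidated in System log (16654)'] = @($sysEvents | Where-Object Id -eq 16654).Count -gt 0

[pscustomobject]$summary | Format-List
if ($summary['Failure events'] -gt 0) {
    "Failure details (a 2207 means the DC asked for a DSRM reboot):"
    $dsEvents | Where-Object { $failureIds -contains $_.Id } | Format-List TimeCreated, Id, Message
}
```

A healthy restore shows 2204, 2201, 2187 and 2179 all true with zero failure events; 2204 present but 2201 or 2187 missing means the restore is still in progress or one half failed, and the tagged timeline tells you which event to look up in the next section.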

117

Page 124: Understand and Troubleshoot Virtualized Domain Controller in Windows Server 8 Beta

Understand and Troubleshoot Guides

Troubleshooting Specific Problems

Events

All VDC safe snapshot restore events write to the Directory Services event log of the restored domain controller VM. The Application, System, File Replication Service, and DFS Replication event logs may also contain useful troubleshooting information for failed restores.

Below are the Windows Server "8" Beta safe restore-specific events in the Directory Services event log.

Event ID 2170

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Warning

Message A Generation ID change has been detected. Generation ID cached in DS (old value): %1 Generation ID currently in VM (new value): %2 The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. <COMPUTERNAME> will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

Notes and resolution

This is a success event if the snapshot was expected. If not, examine the Hyper-V-Worker event log or contact all administrators of the hypervisor.

Event ID 2174

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message The DC is neither a virtual domain controller clone nor a restored virtual domain controller snapshot.

Notes and resolution

Expected event when starting physical domain controllers or VDCs not restored from snapshot

Event ID 2181

Source Microsoft-Windows-ActiveDirectory_DomainService


Severity Informational

Message The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.

Notes and resolution

Expected when restoring a snapshot. Each transaction checks the VM-Generation ID, so a transaction that was in flight when the ID changed is aborted rather than committed against the reverted database.

Event ID 2185

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message <COMPUTERNAME> stopped the FRS or DFSR service used to replicate the SYSVOL folder. Service name: %1 Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> must initialize a non-authoritative restore on the local SYSVOL replica. This is performed by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. Event 2187 will be logged when FRS or DFSR service is restarted.

Notes and resolution

Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC's copy.

Event ID 2186

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> failed to stop the FRS or DFSR service used to replicate the SYSVOL folder. Service name: %1 Error code: %2 Error message: %3 Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> must initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR replication service used to replicate the SYSVOL folder and then starting it with the appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to stop the current running service and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.

Notes and resolution

Examine the System, FRS and DFSR event logs for further information.

Event ID 2187

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message <COMPUTERNAME> started the FRS or DFSR service used to replicate the SYSVOL folder. Service name: %1 Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needed to initialize a non-authoritative restore on the local SYSVOL replica. This was done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.

Notes and resolution

Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC's copy.

Event ID 2188

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> failed to start the FRS or DFSR service used to replicate the SYSVOL folder. Service name: %1 Error code: %2 Error message: %3 Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL and starting it with appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to start the FRS or DFSR service used to replicate the SYSVOL folder and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually and restart the service. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.


Notes and resolution

Examine the System, FRS and DFSR event logs for further information.

Event ID 2189

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message <COMPUTERNAME> set the following registry values to initialize SYSVOL replica during a non-authoritative restore: Registry Key: %1 Registry Value: %2 Registry Value data: %3 Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.

Notes and resolution

Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC's copy.

Event ID 2190

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> failed to set the following registry values to initialize the SYSVOL replica during a non-authoritative restore: Registry Key: %1 Registry Value: %2 Registry Value data: %3 Error code: %4 Error message: %5 Active Directory detected that the virtual machine that hosts the domain controller role was reverted to a previous state. <COMPUTERNAME> needs to initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to set the above registry values and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.

Notes and resolution

Examine Application and System event logs. Investigate third party applications that may be blocking registry updates.

Event ID 2200

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> initializes replication to bring the domain controller current. Event 2201 will be logged when the replication is finished.

Notes and resolution

Expected when restoring a snapshot. Marks the beginning of inbound AD replication.

Event ID 2201

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> has finished replication to bring the domain controller current.

Notes and resolution

Expected when restoring a snapshot. Marks the end of inbound AD replication.

Event ID 2202

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> failed replication to bring the domain controller up-to-date. The domain controller will be updated after next periodic replication.

Notes and resolution

Examine the Directory Services and System event logs. Use repadmin.exe to attempt forcing replication and note any failures.

Event ID 2204

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message <COMPUTERNAME> has detected a change of virtual machine generation ID. The change means that the virtual domain controller has been reverted to a previous state. <COMPUTERNAME> will perform the following operations to protect the reverted domain controller against possible data divergence and to protect creation of security principals with duplicate SIDs: Create a new invocation ID. Invalidate current RID pool. Ownership of the FSMO roles will be validated at next inbound replication. During this window if the domain controller held a FSMO role, that role will be unavailable. Start SYSVOL replication service restore operation. Start replication to bring the reverted domain controller to the most current state. Request a new RID pool.

Notes and resolution

Expected when restoring a snapshot. This explains all the various reset operations that will occur as part of the safe restore process.

Event ID 2205

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message <COMPUTERNAME> invalidated current RID pool after virtual domain controller was reverted to previous state.

Notes and resolution

Expected when restoring a snapshot. The local RID pool must be discarded because the domain controller has travelled back in time: RIDs from that pool may already have been issued before the rollback, and handing them out again would create security principals with duplicate SIDs.

Event ID 2206

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> failed to invalidate current RID pool after virtual domain controller was reverted to previous state. Additional data: Error code: %1 Error value: %2

Notes and resolution

Examine the Directory Services and System event logs. Validate that the RID Master is online and can be reached from this server using Dcdiag.exe /test:ridmanager.

Event ID 2207

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> failed to restore after virtual domain controller was reverted to previous state. A reboot into DSRM was requested. Please check previous events for more information. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.

Notes and resolution

Examine the Directory Services and System event logs.

Event ID 2208

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Informational

Message <COMPUTERNAME> deleted DFSR databases to initialize SYSVOL replica during a non-authoritative restore.

Notes and resolution

Expected when restoring a snapshot. This guarantees that DFSR synchronizes SYSVOL non-authoritatively from a partner DC. Note that any other DFSR replicated folders on the same volume as SYSVOL will also synchronize non-authoritatively, which is one reason hosting custom DFSR replicated folders on the same volume as SYSVOL is not recommended on domain controllers.

Event ID 2209

Source Microsoft-Windows-ActiveDirectory_DomainService

Severity Error

Message <COMPUTERNAME> failed to delete DFSR databases. Additional data: Error code: %1 Error value: %2 Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a non-authoritative restore on the local SYSVOL replica. For DFSR, this is done by stopping the DFSR service, deleting DFSR databases, and re-starting the service. Upon restarting, DFSR will rebuild the databases and start the initial sync.

Notes and resolution

Examine the DFSR event log.
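Events 2186, 2188, 2190 and 2209 all end the same way: safe restore could not trigger the non-authoritative SYSVOL restore itself and asks you to perform it manually. The following script is an added example, not part of the original guide or of the product, showing that manual procedure for both replication engines. For DFSR it disables and re-enables msDFSR-Enabled on this DC's SYSVOL subscription so the member leaves and rejoins the replica and pulls SYSVOL from a partner (the same 4614 and 4604 events shown earlier). For FRS it sets BurFlags to 0xD2 and restarts NTFRS, the same kind of registry trigger events 2189 and 2190 describe. It assumes the ActiveDirectory module and dfsrdiag.exe are available on the DC and that at least one healthy partner DC is reachable; it changes nothing unless -Apply is passed.

```powershell
# Added example, not from the guide: manual non-authoritative SYSVOL restore, the fallback
# that events 2186/2188/2190/2209 ask for. Run elevated on the AFFECTED DC only, never on
# the partner you want to copy from. Assumes RSAT-AD-PowerShell and, for DFSR, dfsrdiag.exe.
param(
    [Parameter(Mandatory)][ValidateSet('DFSR', 'FRS')][string]$Engine,
    [switch]$Apply,            # without -Apply the script only reports what it would do
    [int]$TimeoutSec = 900
)
Import-Module ActiveDirectory
$me    = Get-ADDomainController -Identity $env:COMPUTERNAME
$start = Get-Date

# Poll an event log for an ID written after $After; $true as soon as it appears.
function Wait-ForEvent([string]$LogName, [int]$Id, [datetime]$After, [int]$Timeout) {
    $deadline = (Get-Date).AddSeconds($Timeout)
    do {
        $hit = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = $LogName; Id = $Id; StartTime = $After
        }
        if ($hit) { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    return $false
}

if ($Engine -eq 'DFSR') {
    # Disabling then re-enabling this DC's SYSVOL subscription makes it rejoin the
    # Domain System Volume replication group non-authoritatively. Expected DFSR events:
    # 4114 after the disable, then 4614 (waiting on a partner) and 4604 (done) after re-enable.
    $sub = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($me.ComputerObjectDN)"
    $state = (Get-ADObject -Identity $sub -Properties 'msDFSR-Enabled').'msDFSR-Enabled'
    "msDFSR-Enabled on $sub is currently: $state"
    if (-not $Apply) { 'Dry run: would disable, wait for 4114, re-enable, wait for 4604.'; return }

    Set-ADObject -Identity $sub -Replace @{ 'msDFSR-Enabled' = $false }
    repadmin /syncall $me.HostName /APed | Out-Null   # push the change to partners
    dfsrdiag pollad | Out-Null                        # make local DFSR re-read its config from AD
    if (-not (Wait-ForEvent 'DFS Replication' 4114 $start $TimeoutSec)) {
        throw 'DFSR event 4114 not logged; check the DFS Replication log before continuing.'
    }
    Set-ADObject -Identity $sub -Replace @{ 'msDFSR-Enabled' = $true }
    repadmin /syncall $me.HostName /APed | Out-Null
    dfsrdiag pollad | Out-Null
    if (Wait-ForEvent 'DFS Replication' 4604 $start $TimeoutSec) { 'SYSVOL re-initialized (4604). Verify with: net share' }
    else { 'Not finished: 4614 without 4604 means initial sync with a partner is still pending.' }
}
else {
    # BurFlags 0xD2 under "Backup/Restore\Process at Startup" tells NTFRS to perform a
    # NON-authoritative restore on next start (0xD4 is authoritative: do not use it here).
    # The key name contains "/", which the HKLM: provider treats as a separator, so use .NET.
    $keyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    if (-not $Apply) { "Dry run: would stop NtFrs, set HKLM\$keyPath\BurFlags = 0xD2, start NtFrs."; return }

    Stop-Service NtFrs -Force
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
    $key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    Start-Service NtFrs
    # 13565 = FRS is re-initializing SYSVOL from a partner; 13516 = SYSVOL ready and shared again.
    if (Wait-ForEvent 'File Replication Service' 13516 $start $TimeoutSec) { 'SYSVOL re-initialized (13516). Verify with: net share' }
    else { 'FRS has not logged 13516 yet; look for 13508 (cannot reach partner) in the File Replication Service log.' }
}
```

Run it first without -Apply to see the object or key it will touch. The direction matters: the restore is non-authoritative only on the DC where you run it, and 0xD2 (FRS) or a single member's msDFSR-Enabled flip (DFSR) never overwrites partners, which is exactly the property safe restore relies on.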

Error Messages

There are no direct interactive errors for a failed VDC safe snapshot restore; all safe restore information is logged in the Directory Services event log. Naturally, any critical replication or server advertising errors manifest themselves as symptoms elsewhere.


Known/Likely Issues and Support Scenarios

The following are common issues seen during the Windows Server "8" Beta development process. All of these issues are "by design" and have either a valid workaround or a more appropriate technique to avoid them in the first place. Some may be resolved in later releases of Windows Server "8".

The General Methodology for Troubleshooting Domain Controller Safe Restore section and events listed in the Troubleshooting Specific Problems are usually adequate to troubleshoot most issues.

Issue Cannot create new security principals on recently safe restored domain controller

Symptoms After restoring a snapshot, attempts to create a new security principal (user, computer, group) on that domain controller fail with: Error 0x2010 The directory service was unable to allocate a relative identifier.

Resolution and Notes

This issue is caused by the restored computer's stale knowledge of the RID Master FSMO role. If the role moved to this or another domain controller after a snapshot was taken and then later restored, the restored domain controller will not have knowledge of the RID master until initial replication has completed. To resolve the issue, allow AD replication to complete inbound to the restored domain controller. If still not working, validate that all domain controllers have the same correct knowledge of which DC hosts the RID Master.

Figure 57
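The last step of that resolution, checking that every domain controller agrees on which DC holds the RID Master, is easy to get wrong by asking only one DC. Here is an added example, not part of the original guide, that asks each DC for its own copy of fSMORoleOwner on the RID Manager$ object and then decodes the restored DC's RID Set so the invalidated and newly requested pools can be compared. It assumes the ActiveDirectory module (RSAT-AD-PowerShell), LDAP access to every DC, and that it runs on the restored DC; the decoding relies on the standard rIDAllocationPool packing (first RID in the low 32 bits, last RID in the high 32 bits).

```powershell
# Added example, not from the guide: do all DCs agree on the RID Master, and what does the
# restored DC's RID pool look like after safe restore? Assumes RSAT-AD-PowerShell.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$ridMgrDn = "CN=RID Manager$,CN=System,$($domain.DistinguishedName)"

# Read fSMORoleOwner (the RID Master's NTDS Settings DN) from EACH DC's own replica. A DC
# with stale knowledge, the Error 0x2010 case above, shows a different owner than the rest.
$views = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $owner = (Get-ADObject -Server $dc.HostName -Identity $ridMgrDn -Properties fSMORoleOwner).fSMORoleOwner
    } catch {
        $owner = "UNREACHABLE ($($_.Exception.Message))"
    }
    [pscustomobject]@{ DC = $dc.HostName; RidMasterSeenAs = $owner }
}
$views | Format-Table -AutoSize
if (@($views | ForEach-Object RidMasterSeenAs | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'DCs disagree on the RID Master. Let inbound replication to the restored DC finish (event 2201), then re-check.'
}

# rIDAllocationPool / rIDPreviousAllocationPool pack the pool's first RID into the low 32 bits
# and its last RID into the high 32 bits; rIDNextRID is the next RID this DC would hand out.
function ConvertTo-RidRange([long]$Packed) {
    [pscustomobject]@{
        First = $Packed -band 0xFFFFFFFF
        Last  = ($Packed -shr 32) -band 0xFFFFFFFF
    }
}
$me     = Get-ADDomainController -Identity $env:COMPUTERNAME
$ridSet = Get-ADObject -Identity "CN=RID Set,$($me.ComputerObjectDN)" -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
$cur    = ConvertTo-RidRange $ridSet.rIDAllocationPool
$prev   = ConvertTo-RidRange $ridSet.rIDPreviousAllocationPool
'Previous pool: {0}-{1}   Current pool: {2}-{3}   Next RID: {4}' -f $prev.First, $prev.Last, $cur.First, $cur.Last, $ridSet.rIDNextRID

# Event 2205 invalidated the pool that was live at snapshot time; a fresh current pool only
# appears once the RID Master has been reached. dcdiag walks that same path and reports why not.
dcdiag "/s:$($me.HostName)" /test:RidManager /v
```

If the table shows agreement but the pool line still shows no usable current range, the problem is reaching the RID Master rather than knowing who it is, and the dcdiag output at the end names the failing step.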


Advanced Troubleshooting

This guide seeks to teach advanced troubleshooting by using working logs as samples, with some explanation of what occurred. If you understand what a successful VDC operation looks like, failures become obvious in your environment. These logs are presented by their source, with the expected events for a restored domain controller listed in ascending order within each log.

Restoring a Domain Controller that Replicates SYSVOL Using DFSR

Directory Services Event Log

The Directory Services log contains the majority of safe restore operational information. The hypervisor changes the VM-Generation ID and the NTDS service notices it, then invalidates the RID pool and changes the invocation ID. The new VM-Generation ID is recorded on the domain controller's computer object and the server replicates AD data inbound. The DFSR service is stopped and the database that hosts SYSVOL is deleted, forcing a non-authoritative sync inbound. The USN high watermark is adjusted.

Event ID

Source Message

2170 ActiveDirectory_DomainService

A Generation ID change has been detected. Generation ID cached in DS (old value): <number> Generation ID currently in VM (new value): <number> The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. Active Directory Domain Services will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

2181 ActiveDirectory_DomainService

The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.

2204 ActiveDirectory_DomainService

Active Directory Domain Services has detected a change of virtual machine generation ID. The change means that the virtual domain controller has been reverted to a previous state. Active Directory Domain Services will perform the following operations to protect the reverted domain controller against possible data divergence and to protect creation of security principals with duplicate SIDs: Create a new invocation ID. Invalidate current RID pool. Ownership of the FSMO roles will be validated at next inbound replication. During this window if the domain controller held a FSMO role, that role will be unavailable. Start SYSVOL replication service restore operation. Start replication to bring the reverted domain controller to the most current state. Request a new RID pool.

2181 ActiveDirectory_DomainService

The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.

1109 ActiveDirectory_DomainService

The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows: InvocationID attribute (old value): <GUID> InvocationID attribute (new value): <GUID> Update sequence number: <number> The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.

2179 ActiveDirectory_DomainService

The msDS-GenerationId attribute of the Domain Controller's computer object has been set to the following parameter: GenerationID attribute:<number>

2200 ActiveDirectory_DomainService

Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services initializes replication to bring the domain controllercurrent. Event 2201 will be logged when the replication is finished.

2201 ActiveDirectory_DomainService

Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services has finished replication to bring the domain controller current.


2185 ActiveDirectory_DomainService

Active Directory Domain Services stopped the FRS or DFSR service used to replicate the SYSVOL folder. Service name: DFSR Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services must initialize a non-authoritative restore on the local SYSVOL replica. This is performed by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. Event 2187 will be logged when FRS or DFSR service is restarted.

2208 ActiveDirectory_DomainService

Active Directory Domain Services deleted DFSR databases to initialize SYSVOL replica during a non-authoritative restore. Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needs to initialize a non-authoritative restore on the local SYSVOL replica. For DFSR, this is done by stopping the DFSR service, deleting DFSR databases, and re-starting the service. Upon restarting, DFSR will rebuild the databases and start the initial sync.

2187 ActiveDirectory_DomainService

Active Directory Domain Services started the FRS or DFSR service used to replicate the SYSVOL folder. Service name: DFSR Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needed to initialize a non-authoritative restore on the local SYSVOL replica. This was done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.

1587 ActiveDirectory_DomainService

This directory service has been restored or has been configured to host an application directory partition. As a result, its replication identity has changed. A partner has requested replication changes using our old identity. The starting sequence number has been adjusted. The destination directory service corresponding to the following object GUID has requested changes starting at a USN that precedes the USN at which the local directory service was restored from backup media. Object GUID: <GUID> (<FQDN of partner domain controller>) USN at the time of restore: <number> As a result, the up-to-dateness vector of the destination directory service has been configured with the following settings. Previous database GUID: <GUID> Previous object USN: <number> Previous property USN: <number> New database GUID: <GUID> New object USN: <number> New property USN: <number>

System Event Log

The System event log records the system time change that occurs when the offline virtual machine is brought back online and synchronizes with host time. The RID pool is invalidated and the DFSR or FRS service is restarted.

Event ID Source Message

1 Kernel-General The system time has changed to <now> from <snapshot time/date>.

Change Reason: An application or system component changed the time.

16654 Directory-Services-SAM

A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases: 1. A domain controller is restored from backup. 2. A domain controller running on a virtual machine is restored from snapshot. 3. An administrator has manually invalidated the pool. See http://go.microsoft.com/fwlink/?LinkId=226247 for more information.

7036 Service Control Manager

The DFS Replication service entered the stopped state.

7036 Service Control Manager

The DFS Replication service entered the running state.

Application Event Log

The Application event log notes the DFSR database stopping and starting.

Event ID Source Message


103 ESENT DFSRs (1360) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine stopped the instance (0). Dirty Shutdown: 0Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.141, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.016, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

102 ESENT DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine (6.02.8189.0000) is starting a new instance (0).

105 ESENT DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine started a new instance (0). (Time=0 seconds)Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000.

DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine created a new database (1, \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db). (Time=0 seconds)Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.016, [4] 0.062, [5] 0.000, [6] 0.016, [7] 0.000, [8] 0.000, [9] 0.015, [10] 0.000, [11] 0.000.

DFS Replication Event Log

The DFSR service is stopped and the database that contains SYSVOL is deleted, forcing a non-authoritative synchronization inbound.

Event ID Source Message

1006 DFSR The DFS Replication service is stopping.

1008 DFSR The DFS Replication service has stopped.

1002 DFSR The DFS Replication service is starting.

1004 DFSR The DFS Replication service has started.

1314 DFSR The DFS Replication service successfully configured the debug log files. Additional Information:Debug Log File Path: C:\Windows\debug

6102 DFSR The DFS Replication service has successfully registered the WMI provider.

1206 DFSR The DFS Replication service successfully contacted domain controller <domain controller FQDN> to access configuration information.

1210 DFSR The DFS Replication service successfully set up an RPC listener for incoming replication requests. Additional Information: Port: 0

4614 DFSR The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication Service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers. Additional Information: Replicated Folder Name: SYSVOL Share; Replicated Folder ID: <GUID>; Replication Group Name: Domain System Volume; Replication Group ID: <GUID>; Member ID: <GUID>; Read-Only: 0

4604 DFSR The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member has completed initial synchronization of SYSVOL with partner dc1.corp.contoso.com. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share". Additional Information: Replicated Folder Name: SYSVOL Share; Replicated Folder ID: <GUID>; Replication Group Name: Domain System Volume; Replication Group ID: <GUID>; Member ID: <GUID>; Sync partner: <partner domain controller FQDN>

Restoring a Domain Controller that Replicates SYSVOL Using FRS

The File Replication Service event log is used instead of the DFS Replication event log in this case. The Application event log also records different, FRS-related ESENT events. Otherwise, the Directory Services and System event log messages are generally the same and in the same order as previously described.

File Replication Service Event Log

The FRS service is stopped and restarted with a D2 BURFLAGS value to non-authoritatively synchronize SYSVOL.

Event ID Source Message

13502 NTFRS The File Replication Service is stopping.

13503 NTFRS The File Replication Service has stopped.

13501 NTFRS The File Replication Service is starting

13512 NTFRS The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer DC4. The File Replication Service might not recover when power to the drive is interrupted and critical updates are lost.

13565 NTFRS File Replication Service is initializing the system volume with data from another domain controller. Computer DC4 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL. To check for the SYSVOL share, at the command prompt, type: net share. When File Replication Service completes the initialization process, the SYSVOL share will appear. The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

13520 NTFRS The File Replication Service moved the preexisting files in <path> to <path>\NtFrs_PreExisting___See_EventLog. The File Replication Service may delete the files in <path>\NtFrs_PreExisting___See_EventLog at any time. Files can be saved from deletion by copying them out of <path>\NtFrs_PreExisting___See_EventLog. Copying the files into <path> may lead to name conflicts if the files already exist on some other replicating partner. In some cases, the File Replication Service may copy a file from <path>\NtFrs_PreExisting___See_EventLog into <path> instead of replicating the file from some other replicating partner. Space can be recovered at any time by deleting the files in <path>\NtFrs_PreExisting___See_EventLog.

13553 NTFRS The File Replication Service successfully added this computer to the following replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)". Information related to this event is shown below: Computer DNS name is "<domain controller FQDN>"; Replica set member name is "<domain controller name>"; Replica set root path is "<path>"; Replica staging directory path is "<path>"; Replica working directory path is "<path>"

13554 NTFRS The File Replication Service successfully added the connections shown below to the replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)". Inbound from "<partner domain controller FQDN>"; Outbound to "<partner domain controller FQDN>". More information may appear in subsequent event log messages.

13516 NTFRS The File Replication Service is no longer preventing the computer DC4 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL. Type "net share" to check for the SYSVOL share.
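The two event sequences above (DFSR 4614/4604, FRS 13565/13516) are what an administrator reads to decide whether a restored or cloned domain controller has finished its non-authoritative SYSVOL synchronization. The following PowerShell check is an added example, not code from the Microsoft guide: it turns those sequences into a single state value and confirms the SYSVOL share, which is the "net share" check the 4604 and 13516 messages refer to. The event log names are the standard ones; the 24-hour lookback window and the rule "DFSR service running means SYSVOL is DFSR-replicated, otherwise assume FRS" are this example's own assumptions.

```powershell
# Added example, not part of the Microsoft guide. Run elevated on the DC, or
# point -ComputerName at a DC you can reach over RPC.
function Get-SysvolSyncState {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$LookbackHours = 24            # assumption: how far back to read the logs
    )
    $since = (Get-Date).AddHours(-$LookbackHours)

    # Assumption: a running DFSR service means SYSVOL is DFSR-replicated;
    # otherwise fall back to FRS (NtFrs) and its event log.
    $dfsr = Get-Service -ComputerName $ComputerName -Name DFSR -ErrorAction SilentlyContinue
    if ($dfsr -and $dfsr.Status -eq 'Running') {
        $engine  = 'DFSR'
        $logName = 'DFS Replication'
        $waitId  = 4614    # initialized SYSVOL, waiting for initial replication
        $doneId  = 4604    # completed initial synchronization of SYSVOL
        $ids     = 1006, 1008, 1002, 1004, 1206, 1210, 4614, 4604
    } else {
        $engine  = 'FRS'
        $logName = 'File Replication Service'
        $waitId  = 13565   # initializing the system volume from another DC
        $doneId  = 13516   # no longer preventing the computer from becoming a DC
        $ids     = 13502, 13503, 13501, 13565, 13520, 13516
    }

    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = $logName; Id = $ids; StartTime = $since
    } | Sort-Object TimeCreated

    $lastWait = $events | Where-Object { $_.Id -eq $waitId } | Select-Object -Last 1
    $lastDone = $events | Where-Object { $_.Id -eq $doneId } | Select-Object -Last 1
    $waitTime = if ($lastWait) { $lastWait.TimeCreated } else { $null }
    $doneTime = if ($lastDone) { $lastDone.TimeCreated } else { $null }

    # A completion event counts only if it is newer than the last "waiting" event;
    # otherwise a fresh restore has put the DC back into the initial sync state.
    $state = if ($lastDone -and (-not $lastWait -or $doneTime -ge $waitTime)) {
        'Synchronized'
    } elseif ($lastWait) {
        'WaitingForPartner'
    } else {
        'NoSyncEventsInWindow'
    }

    # The share is only created once Netlogon is told the volume is ready.
    $share = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName `
                -Filter "Name='SYSVOL'" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName  = $ComputerName
        Engine        = $engine
        State         = $state
        LastWaitEvent = $waitTime
        LastDoneEvent = $doneTime
        SysvolShared  = [bool]$share
        EventSequence = ($events | ForEach-Object { $_.Id }) -join ' -> '
    }
}

Get-SysvolSyncState | Format-List
```

A result of WaitingForPartner with SysvolShared = False after a snapshot restore usually means the partner named in the 4614 or 13565 event is itself still in the initial synchronization state, which is the scenario the 4614 message text warns about; the DC will not advertise until that partner answers.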

Application Event Log

The FRS database stops and starts, and is purged due to the D2 BURFLAGS operation.

Event ID Source Message

327 ESENT ntfrs (1424) The database engine detached a database (1, c:\windows\ntfrs\jet\ntfrs.jdb). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.516, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.063, [12] 0.000.Revived Cache: 0

103 ESENT ntfrs (1424) The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.016, [12] 0.000, [13] 0.000, [14] 0.047, [15] 0.000.

102 ESENT ntfrs (3000) The database engine (6.02.8189.0000) is starting a new instance (0).

105 ESENT ntfrs (3000) The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.062, [10] 0.000, [11] 0.141.

103 ESENT ntfrs (3000) The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.015, [14] 0.000, [15] 0.000.

102 ESENT ntfrs (3000) The database engine (6.02.8189.0000) is starting a new instance (0).

105 ESENT ntfrs (3000) The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.078, [10] 0.000, [11] 0.109.

325 ESENT ntfrs (3000) The database engine created a new database (1, c:\windows\ntfrs\jet\ntfrs.jdb). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.016, [4] 0.016, [5] 0.000, [6] 0.015, [7] 0.000, [8] 0.000, [9] 0.078, [10] 0.016, [11] 0.000.

103 ESENT ntfrs (3000) The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.078, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.125, [10] 0.016, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

102 ESENT ntfrs (3000) The database engine (6.02.8189.0000) is starting a new instance (0).

105 ESENT ntfrs (3000) The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.016, [2] 0.000, [3] 0.000, [4] 0.094, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.032, [10] 0.000, [11] 0.000.

326 ESENT ntfrs (3000) The database engine attached a database (1, c:\windows\ntfrs\jet\ntfrs.jdb). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.000, [4] 0.000, [5] 0.016, [6] 0.015, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.Saved Cache: 1


Appendices

Terminology

Snapshot – The state of a virtual machine at a particular point in time. It is dependent on the chain of previous snapshots taken, on the hardware, and on the virtualization platform.

Clone – A complete and separate copy of a virtual machine. It is dependent on the virtual hardware (hypervisor).

Full Clone – A full clone is an independent copy of a virtual machine that shares no resources with the parent virtual machine after the cloning operation. Ongoing operation of a full clone is entirely separate from the parent virtual machine.

Differencing disk - A copy of a virtual machine that shares virtual disks with the parent virtual machine in an ongoing manner. This usually conserves disk space and allows multiple virtual machines to use the same software installation.

VM Copy- A file system copy of all the related files and folders of a virtual machine.

VHD File Copy – A copy of a virtual machine’s VHD

VM Generation ID – A 128-bit integer given to the virtual machine by the hypervisor. The guest holds the value in memory, and the hypervisor assigns a new value every time a snapshot is applied. The design uses a hypervisor-agnostic mechanism for surfacing the VM-Generation ID in the virtual machine; the Hyper-V implementation exposes the ID in the ACPI table of the virtual machine.

Import/Export – A Hyper-V feature that allows the user to save the entire virtual machine (VM files, VHD and the machine configuration). That set of files can then be used to bring the machine back on the same host as the same VM (Restore), on a different host as the same VM (Move), or as a new VM (Copy).


VDC Cloning Architecture

Figure 58


Overview

AD DS relies on the hypervisor platform to expose an identifier called VM-Generation ID to detect a virtual machine's creation. AD DS initially stores the value of this identifier in its database (NTDS.DIT) during domain controller promotion. When the virtual machine boots up, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values are different, the domain controller resets the invocation ID and discards the RID pool, thereby preventing USN re-use or the potential creation of duplicate security principals. The domain controller then reads the contents of DCCloneConfig.xml, DefaultDCCloneAllowList.xml, and any CustomDCCloneAllowList.xml and begins cloning. The domain controller renames itself and alters its IP information. The server re-promotes itself as a new domain controller using the existing NTDS.DIT and SYSVOL contents as source media. Cloning is complete.

Detailed Processing (using Microsoft Hyper-V)

1. An existing virtual machine domain controller boots up in a hypervisor that supports VM-Generation ID. This VM already has an existing VM-Generation ID set on its AD DS computer object from when it was promoted (for example, cn=dc2,ou=domain controllers,dc=corp,dc=contoso,dc=com) as the msDS-GenerationID attribute (a binary-valued octet string added by the Windows Server "8" Beta schema, version 52). This attribute's value is stored in memory.

2. The virtual machine then reads the VM-Generation ID provided by Hyper-V's VMGenerationCounter driver. It compares the two VM-Generation IDs.

a. If the IDs match, this is not a new virtual machine and cloning will not proceed. If a DCCloneConfig.xml file exists, the domain controller renames the file with a date-time stamp in order to prevent cloning. The server continues booting normally. This is how every reboot of any virtual domain controller operates in Windows Server "8" Beta.

b. If the IDs do not match, this is a new virtual machine that contains an NTDS.DIT from a previous domain controller (or it is a restored snapshot). If a DCCloneConfig.xml file exists, the domain controller proceeds with cloning operations. If not, it continues with snapshot restoration operations (see that section of this guide).

c. If the hypervisor does not provide a VM-Generation ID for comparison but there is a DCCloneConfig.xml file, the guest renames the file and then boots into DSRM to protect the network from a duplicate domain controller. If there is no DCCloneConfig.xml file, the guest boots normally (with the potential for a duplicate domain controller on the network).

3. The NTDS service checks the value of the VDCisCloning DWORD registry value name (under HKEY_Local_Machine\System\CurrentControlSet\Services\Ntds\Parameters).


a. If the value does not exist, this is the first attempt at cloning for this virtual machine. The guest implements the VDC object-duplication safety measures: invalidating the local RID pool and setting a new replication invocation ID for the domain controller.

b. If already set to 0x1, this is a "retry" cloning attempt, where a previous cloning operation failed. The VDC object duplication safety measures are not taken as they had to have already run once before and would unnecessarily alter the guest multiple times.

4. The IsClone DWORD registry value name (under Hkey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters)

5. The NTDS service changes the guest boot flag to start in DS Restore Mode for any further reboots.

6. The NTDS service attempts to read the DcCloneConfig.xml in one of the three accepted locations (DSA Working Directory, %windir%\NTDS, or removable read/write media, in order of drive letter, at the root of the drive)

a. If the file does not exist in any valid location, the guest checks the IP address for duplication. If not duplicated, the server boots up normally. If there is a duplicate IP address, the computer boots into DSRM to protect the network from a duplicate domain controller.

b. If the file does exist in a valid location, the NTDS service validates its settings. If the file is blank (or any particular settings are blank) then NTDS uses automatic values for those settings.

More Information:

See the previous section, XML Details and Behaviors, for the specific automatic generation rules.

c. If the DcCloneConfig.xml exists but contains any invalid entries or is unreadable, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller.

7. The guest disables all DNS auto-registration to prevent accidental hijacking of the source computer name and IP addresses.

8. The guest stops the Netlogon service to prevent any advertising or answering of network AD DS requests from clients.

9. NTDS validates that there are no services or programs installed that are not part of the DefaultDCCloneAllowList.xml or CustomDCCloneAllowList.xml.

a. If there are services or programs installed that are in neither the default allow list nor the custom allow list, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller.

b. If there are no incompatibilities, cloning continues.


10. If using automatic IP addressing due to blank dccloneconfig.xml network settings, the guest enables DHCP on the network adapters to gain an IP address lease, network routing, and name resolution information.

11. The guest locates and contacts the domain controller running the PDC emulator FSMO role. This uses DNS and the DC Locator protocol. It makes an RPC connection and calls the method IDL_DRSAddCloneDC to clone the domain controller computer object.

a. If the guest's source computer object holds the domain head extended permission "Allow a DC to create a clone of itself", then cloning proceeds.

b. If the guest's source computer object does not hold that extended permission, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller.

12. The AD DS computer object is set to match the DCCloneConfig.xml or automatically generated settings and created on the PDCE. NTDS creates the correct NTDS Settings object for the appropriate AD logical site. The guest renames the local computer to match the new domain controller object name.

13. The guest provides the promotion settings to the DS Role Server service, which commences promotion.

14. The DS Role Server service stops all of the AD DS-related services (NTDS, NTFRS/DFSR, KDC, DNS).

15. The guest forces NT5DS (Windows NTP) time synchronization with another domain controller (in a default time hierarchy, this means using the PDCE). The guest contacts a domain controller that holds the source domain controller account of the clone (likely to be the PDCE). All existing Kerberos tickets flush.

16. The guest configures the DFSR or NTFRS services to run automatically. The guest deletes all existing DFSR and NTFRS database files (default: c:\windows\ntfrs and c:\system volume information\dfsr\<database_GUID>), in order to force non-authoritative synchronization of SYSVOL when the service is next started. The guest does not delete the file contents of SYSVOL, to pre-seed the SYSVOL when the synchronization starts later.

17. The DS Role Server service on the guest begins AD DS configuration (promotion), using the existing NTDS.DIT database file as a source, rather than the template database included in c:\windows\system32 as a promotion normally does.

18. The guest contacts the RID Master FSMO role holder to get a new RID pool allocation.


19. The promotion process creates a new invocation ID and recreates the NTDS Settings object for the cloned domain controller (irrespective of cloning, this is part of domain promotion when using an existing NTDS.DIT database).

20. NTDS replicates in objects that are missing, newer, or of a higher version from a partner domain controller. The NTDS.DIT already contains objects from the time the source domain controller went offline, and those are used wherever possible in order to minimize inbound replication traffic. The global catalog partitions are populated.

21. The DFSR or FRS service starts and because there is no database, SYSVOL non-authoritatively synchronizes inbound from a replication partner. This process re-uses pre-existing data in the SYSVOL folder, in order to minimize network replication traffic.

22. The guest re-enables DNS client registration now that the computer is uniquely named and networked.

23. The guest runs the SYSPREP modules specified by the DefaultDCCloneAllowList.xml <SysprepInformation> element in order to scrub out references to the previous computer name and SID.

24. Cloning promotion is complete.

a. The guest removes the DSRM boot flag so the next reboot will be normal.

b. The guest renames the dccloneconfig.xml with an appended date-time stamp, so that it is not read again at next boot up.

c. The guest removes the VDCisCloning DWORD registry value name (under HKEY_Local_Machine\System\CurrentControlSet\Services\Ntds\Parameters).

d. The guest sets the "Vdc cloning done" DWORD registry value name (under Hkey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters) to 0x1. Windows does not use this value, but instead provides it as a marker for third parties.

25. The guest updates the msDS-GenerationID attribute on its own cloned domain controller object to match the current guest VM-Generation ID.

26. The guest restarts. It is now a normal, advertising domain controller.
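Step 9 above is the check that most often sends a would-be clone into DSRM: any installed service whose name is absent from DefaultDCCloneAllowList.xml and CustomDCCloneAllowList.xml fails the clone. The PowerShell below is an added example, not code from the Microsoft guide, that reproduces that comparison from the outside so it can be run on the source DC before the VM is copied. It parses the <AllowList><Allow><Name/><Type/></Allow> structure shown in the appendix and diffs it against Win32_Service. The file locations are assumptions (adjust them to where the lists live on your DC), and only services are compared; the engine also checks installed programs, which this example does not enumerate. The ActiveDirectory module's Get-ADDCCloningExcludedApplicationList cmdlet performs the authoritative version of this check.

```powershell
# Added example, not part of the Microsoft guide. Lists the services that the
# clone engine would refuse because they are on neither allow list.
function Read-CloneAllowList {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return @() }
    [xml]$doc = Get-Content -Path $Path -Raw
    # DefaultDCCloneAllowList.xml wraps <AllowList> in <DefaultCloneConfig>; a
    # custom list may use <AllowList> as its root, so select <Allow> under any
    # <AllowList> rather than depending on the root element name.
    foreach ($allow in $doc.SelectNodes('//AllowList/Allow')) {
        # SelectSingleNode is deliberate: $allow.Name would return the element
        # name "Allow", not the child <Name> element's text.
        [pscustomobject]@{
            Name = $allow.SelectSingleNode('Name').InnerText
            Type = $allow.SelectSingleNode('Type').InnerText
        }
    }
}

function Get-UnlistedCloneServices {
    param(
        # Assumed locations; not taken from the guide.
        [string]$DefaultList = "$env:windir\System32\DefaultDCCloneAllowList.xml",
        [string]$CustomList  = "$env:windir\NTDS\CustomDCCloneAllowList.xml"
    )
    $allowed = @{}
    $entries = @(Read-CloneAllowList -Path $DefaultList) + @(Read-CloneAllowList -Path $CustomList)
    foreach ($entry in $entries) {
        if ($entry.Type -eq 'Service') { $allowed[$entry.Name.ToLowerInvariant()] = $true }
    }
    if ($allowed.Count -eq 0) {
        throw "No allow-list entries were read from $DefaultList or $CustomList"
    }

    # Win32_Service exposes the short service name the lists key on, plus the
    # binary path, which is what you need when deciding whether to add an
    # entry to CustomDCCloneAllowList.xml or to uninstall the product first.
    Get-WmiObject -Class Win32_Service |
        Where-Object { -not $allowed.ContainsKey($_.Name.ToLowerInvariant()) } |
        Select-Object Name, DisplayName, State, PathName |
        Sort-Object Name
}

# Anything printed here would fail step 9; an empty result means the service
# check passes on this source DC.
Get-UnlistedCloneServices | Format-Table -AutoSize
```

Treat every unlisted service as a decision, not a nuisance: an agent that stores a machine identity, a certificate, or a node ID in its own state will survive the SYSPREP modules of step 23 and carry that identity into the clone, which is exactly the duplication the allow list exists to prevent.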


VDC Safe Restore Architecture

Figure 59

Overview

AD DS relies on the hypervisor platform to expose an identifier called VM-Generation ID to detect a virtual machine's restoration from a previous snapshot. AD DS initially stores the value of this identifier in its database (NTDS.DIT) during domain controller promotion. When an administrator restores the virtual machine from a previous snapshot, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values are different, the domain controller resets the invocation ID and discards the RID pool, thereby preventing USN re-use or the potential creation of duplicate security principals. The domain controller then synchronizes AD object differences with a partner. It also non-authoritatively synchronizes the SYSVOL folder. Safe restoration is complete.


Detailed Processing (using Microsoft Hyper-V)

1. An administrator restores an existing virtual machine domain controller from a snapshot in a hypervisor that supports VM-Generation ID. This VM already has an existing VM-Generation ID set on its AD DS computer object from when it was promoted (for example, cn=dc2,ou=domain controllers,dc=corp,dc=contoso,dc=com) as the msDS-GenerationID attribute (a binary-valued octet string added by the Windows Server "8" Beta schema, version 52). This attribute's value is stored in memory.

2. The virtual machine then reads the VM-Generation ID provided by Hyper-V's VMGenerationCounter driver. It compares the VM-Generation IDs from step 1 and 2.

a. If the IDs do not match, it continues with snapshot restoration operations (see that section of this guide). After the snapshot finishes applying, the VM-Generation ID set on its AD DS computer object is updated to match the new ID provided by the hypervisor host.

b. If the hypervisor does not provide a VM-Generation ID for comparison, the hypervisor does not support safe restore and the guest will operate like a Windows Server 2008 R2 or older virtualized domain controller. The guest implements USN Rollback protection quarantining if there is an attempt to start replicating with USNs that haven’t advanced past the partner DCs last highest seen USN.

More Information:

For more information about this topic, see USN and USN Rollback

3. The guest implements the VDC AD object synchronization operations of:

a. Invalidating the local RID pool

b. Setting a new invocation ID for the domain controller database.

4. NTDS replicates AD object differences inbound non-authoritatively from a partner domain controller. The domain controller requests changes starting at a USN that precedes the USN at which the local directory service was restored. The up-to-dateness vector of the destination directory service is changed appropriately.

5. The guest synchronizes SYSVOL:

a. If using FRS, the guest stops the NTFRS service and sets D2 BURFLAGS registry value. It then starts the NTFRS service, which non-authoritatively replicates inbound, re-using existing unchanged SYSVOL data when possible.

b. If using DFSR, the guest stops the DFSR service and deletes the DFSR database files (default location: c:\system volume information\dfsr\<database GUID>). It then starts the DFSR service, which non-authoritatively replicates inbound, re-using existing unchanged SYSVOL data when possible.


6. The guest updates the msDS-GenerationID attribute on its own domain controller object to match the current guest VM-Generation ID.

7. Safe snapshot restore completes.
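The safe restore sequence above changes three things an administrator can observe from the directory: the invocation ID (step 3b), the RID pool (step 3a), and msDS-GenerationID (step 6). The PowerShell below is an added example, not code from the Microsoft guide, that captures those values together with the DC's highest committed USN so that a capture taken before a snapshot is applied can be compared with one taken afterwards. It assumes the ActiveDirectory module and a reachable DC; the attribute and object names (msDS-GenerationId, the RID Set child object, rIDAllocationPool, highestCommittedUSN) are standard AD DS schema.

```powershell
# Added example, not part of the Microsoft guide. Requires the ActiveDirectory
# module and PowerShell 3.0 or later (for the -shr operator).
Import-Module ActiveDirectory

function Get-VdcIdentity {
    param([string]$DcName = $env:COMPUTERNAME)

    $dc      = Get-ADDomainController -Identity $DcName
    $server  = $dc.HostName
    $rootDse = Get-ADRootDSE -Server $server

    # msDS-GenerationId is a 16-byte octet string; render it as hex for comparison.
    $computer = Get-ADObject -Identity $dc.ComputerObjectDN -Server $server -Properties 'msDS-GenerationId'
    $genBytes = $computer.'msDS-GenerationId'
    $genHex   = if ($genBytes) { ($genBytes | ForEach-Object { $_.ToString('x2') }) -join '' } else { '<not set>' }

    # The RID Set child of the DC's computer object holds the pool the DC
    # allocates from; the 64-bit value packs the pool start in the low 32 bits
    # and the pool end in the high 32 bits.
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" -Server $server `
                -Properties rIDAllocationPool, rIDNextRID
    $pool   = [int64]$ridSet.rIDAllocationPool
    $poolLo = $pool -band 0xFFFFFFFF
    $poolHi = ($pool -shr 32) -band 0xFFFFFFFF

    [pscustomobject]@{
        DC                  = $server
        InvocationId        = $dc.InvocationId
        GenerationId        = $genHex
        RidPool             = "$poolLo-$poolHi"
        RidNextRid          = $ridSet.rIDNextRID
        HighestCommittedUsn = [int64]$rootDse.highestCommittedUSN
        Captured            = Get-Date
    }
}

function Compare-VdcIdentity {
    param($Before, $After)
    # After a safe restore the invocation ID and generation ID must both differ
    # and the RID pool must be a fresh range. A local USN that went backwards
    # while the invocation ID stayed the same is the USN rollback condition the
    # guide describes for hypervisors without VM-Generation ID support.
    $invocationChanged = $Before.InvocationId -ne $After.InvocationId
    [pscustomobject]@{
        InvocationIdChanged = $invocationChanged
        GenerationIdChanged = $Before.GenerationId -ne $After.GenerationId
        RidPoolChanged      = $Before.RidPool -ne $After.RidPool
        UsnRollbackRisk     = ($After.HighestCommittedUsn -lt $Before.HighestCommittedUsn) -and -not $invocationChanged
    }
}

# Usage: capture before taking the snapshot, apply the snapshot, capture again.
#   $before = Get-VdcIdentity -DcName DC2
#   ... apply the snapshot and let the DC boot ...
#   $after  = Get-VdcIdentity -DcName DC2
#   Compare-VdcIdentity -Before $before -After $after
```

UsnRollbackRisk = True is the case to act on: the DC has reverted to an older database but still presents the old invocation ID, so partners will assume they have already seen everything up to their recorded USN for it and skip the re-applied changes.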


FixVDCPermissions.ps1

# Unsigned script, requires use of set-executionpolicy remotesigned -force
# You must run the Windows PowerShell console as an elevated administrator

# Load Active Directory Windows PowerShell Module and switch to AD DS drive
import-module activedirectory
cd ad:

## Get Domain NC
$domainNC = get-addomain

## Get groups and obtain their SIDs
$dcgroup = get-adgroup "Cloneable Domain Controllers"
$sid1 = (get-adgroup $dcgroup).sid

## Get the DACL of the domain
$acl = get-acl $domainNC

## The following object-specific ACE grants the extended right 'Allow a DC to create a clone of itself' for the CDC group on the Domain NC
## 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e is the rightsGuid of the 'DS-Clone-Domain-Controller' control access right
$objectguid = new-object Guid 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid1,"ExtendedRight","Allow",$objectguid

## Add the ACE in the ACL and set the ACL on the object
$acl.AddAccessRule($ace1)
set-acl -aclobject $acl $domainNC
write-host "Done writing new VDC permissions."
cd c:
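FixVDCPermissions.ps1 grants the right; it does not tell you whether it is already present, or who else holds it. The PowerShell below is an added example, not code from the Microsoft guide, that verifies the two preconditions of step 11a of the cloning process: the Cloneable Domain Controllers group must hold the DS-Clone-Domain-Controller extended right on the domain head, and the source DC's computer object must be a member of that group. It resolves the right's GUID from the Extended-Rights container rather than trusting the hard-coded value, and lists every principal that holds the right. The AD: drive path form and the group name are the same ones the script above uses; the source DC name passed on the command line is an assumption.

```powershell
# Added example, not part of the Microsoft guide. Read-only: it inspects the
# domain DACL and group membership and changes nothing.
Import-Module ActiveDirectory

function Test-VdcClonePermission {
    param([string]$SourceDcName)

    $domain  = Get-ADDomain
    $rootDse = Get-ADRootDSE
    $group   = Get-ADGroup -Identity 'Cloneable Domain Controllers'

    # Extended rights are identified in an ACE by the rightsGuid of the
    # controlAccessRight object, so read it from the directory.
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                -LDAPFilter '(cn=DS-Clone-Domain-Controller)' -Properties rightsGuid
    $rightGuid = [guid]$right.rightsGuid

    # The AD: drive exposes the DACL of the domain head (the "Domain NC").
    $acl  = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $rightGuid -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
    }
    $groupHasRight = [bool]($aces | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $group.SID.Value
    })

    $isMember = $false
    if ($SourceDcName) {
        $dc      = Get-ADDomainController -Identity $SourceDcName
        $members = Get-ADGroupMember -Identity $group -Recursive |
                       Select-Object -ExpandProperty distinguishedName
        $isMember = $members -contains $dc.ComputerObjectDN
    }

    [pscustomobject]@{
        Domain              = $domain.DNSRoot
        RightGuid           = $rightGuid
        GuidMatchesScript   = $rightGuid -eq [guid]'3e0f7e18-2c7a-4c10-ba82-4d926db99a3e'
        GroupHasCloneRight  = $groupHasRight
        PrincipalsWithRight = ($aces | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        SourceDcInGroup     = $isMember
    }
}

# Both GroupHasCloneRight and SourceDcInGroup must be True for step 11a to pass.
Test-VdcClonePermission -SourceDcName DC2 | Format-List
```

PrincipalsWithRight deserves a look on its own: a holder of this right can have the PDC emulator create a new domain controller account on its behalf, so anything beyond the Cloneable Domain Controllers group (and the default administrative principals) is a finding.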


The DCCloneConfigSchema.XSD

<?xml version="1.0" encoding="utf-8"?>
<xs:schema elementFormDefault="unqualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="uri:microsoft.com:schemas:DCCloneConfig">
  <xs:element name="DCCloneConfig">
    <xs:complexType>
      <xs:all>
        <!-- if no SiteName is specified clone will be created in the same site as source-->
        <xs:element name="SiteName" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <!-- if no ComputerName is specified a pseudo-random name will be generated -->
        <xs:element name="ComputerName" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="IPSettings" minOccurs="0" maxOccurs="1">
          <xs:complexType>
            <xs:all>
              <xs:element name="IPv4Settings" minOccurs="0" maxOccurs="1">
                <xs:complexType>
                  <xs:choice minOccurs="1" maxOccurs="1">
                    <xs:element name="StaticSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="Address" minOccurs="1" maxOccurs="1" type="xs:string" />
                          <xs:element name="SubnetMask" minOccurs="1" maxOccurs="1" type="xs:string" />
                          <xs:element name="DefaultGateway" minOccurs="0" maxOccurs="1" type="xs:string" />
                          <xs:element name="DNSResolver" minOccurs="1" maxOccurs="4" type="xs:string" />
                          <xs:element name="PreferredWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                          <xs:element name="AlternateWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element> <!--End of IPV4 StaticSettings element-->
                    <xs:element name="DynamicSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="DNSResolver" minOccurs="0" maxOccurs="4" type="xs:string" />
                          <xs:element name="PreferredWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                          <xs:element name="AlternateWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element> <!--End of IPV4 DynamicSettings element-->
                  </xs:choice> <!--End of Static / Dynamic IPV4 choice-->
                </xs:complexType>
              </xs:element> <!--End of IPV4NetworkConfig element-->
              <xs:element name="IPv6Settings" minOccurs="0" maxOccurs="1">
                <xs:complexType>
                  <xs:choice minOccurs="1" maxOccurs="1">
                    <xs:element name="StaticSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="DNSResolver" minOccurs="1" maxOccurs="4" type="xs:string" />
                        </xs:sequence>
                        <xs:attribute name="Reserved" type="xs:string" />
                      </xs:complexType>
                    </xs:element> <!--End of IPV6 StaticSettings element-->
                    <xs:element name="DynamicSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="DNSResolver" minOccurs="0" maxOccurs="4" type="xs:string" />
                        </xs:sequence>
                        <xs:attribute name="Reserved" type="xs:string" />
                      </xs:complexType>
                    </xs:element> <!--End of IPV6 DynamicSettings element-->
                  </xs:choice>
                </xs:complexType>
              </xs:element> <!--End of IPV6Settings element-->
            </xs:all>
          </xs:complexType>
        </xs:element> <!--End of IPSettings element-->
      </xs:all>
    </xs:complexType>
  </xs:element>
</xs:schema>


The SampleDCCloneConfig.XML

<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
  <ComputerName></ComputerName>
  <SiteName></SiteName>
  <IPSettings>
    <IPv4Settings>
      <StaticSettings>
        <Address></Address>
        <SubnetMask></SubnetMask>
        <DefaultGateway></DefaultGateway>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <PreferredWINSServer></PreferredWINSServer>
        <AlternateWINSServer></AlternateWINSServer>
      </StaticSettings>
    </IPv4Settings>
    <IPv6Settings>
      <StaticSettings>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
      </StaticSettings>
    </IPv6Settings>
  </IPSettings>
</d3c:DCCloneConfig>
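Step 6c of the cloning process boots the clone into DSRM if DCCloneConfig.xml contains any invalid entry, so it pays to validate the file against DCCloneConfigSchema.xsd before the VM is ever started. The PowerShell below is an added example, not code from the Microsoft guide: it writes a DCCloneConfig.xml with static IPv4 settings in the shape the schema and sample above define (namespace-qualified root, unqualified children, the StaticSettings sequence in schema order, one to four DNSResolver entries) and then validates it with the .NET schema validator. The schema file location and the computer name, site name and addresses used in the call are assumptions; %windir%\NTDS is one of the three locations the guide says the engine reads at boot.

```powershell
# Added example, not part of the Microsoft guide.
$DcCloneNs = 'uri:microsoft.com:schemas:DCCloneConfig'

function New-DcCloneConfig {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ComputerName,                 # omitted = engine generates a name
        [string]$SiteName,                     # omitted = same site as the source
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$SubnetMask,
        [string]$DefaultGateway,
        [Parameter(Mandatory)][ValidateCount(1, 4)][string[]]$DnsResolver
    )
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $w = [System.Xml.XmlWriter]::Create($Path, $settings)
    try {
        $w.WriteStartDocument()
        # Root is namespace-qualified; children are not (elementFormDefault="unqualified").
        $w.WriteStartElement('d3c', 'DCCloneConfig', $DcCloneNs)
        if ($ComputerName) { $w.WriteElementString('ComputerName', $ComputerName) }
        if ($SiteName)     { $w.WriteElementString('SiteName', $SiteName) }
        $w.WriteStartElement('IPSettings')
        $w.WriteStartElement('IPv4Settings')
        $w.WriteStartElement('StaticSettings')      # xs:sequence: element order matters
        $w.WriteElementString('Address', $Address)
        $w.WriteElementString('SubnetMask', $SubnetMask)
        if ($DefaultGateway) { $w.WriteElementString('DefaultGateway', $DefaultGateway) }
        foreach ($dns in $DnsResolver) { $w.WriteElementString('DNSResolver', $dns) }
        $w.WriteEndElement()   # StaticSettings
        $w.WriteEndElement()   # IPv4Settings
        $w.WriteEndElement()   # IPSettings
        $w.WriteEndElement()   # DCCloneConfig
        $w.WriteEndDocument()
    } finally {
        $w.Close()
    }
}

function Test-DcCloneConfig {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed location of the schema shipped with the OS; adjust if it differs.
        [string]$SchemaPath = "$env:windir\System32\DCCloneConfigSchema.xsd"
    )
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.ValidationType = [System.Xml.ValidationType]::Schema
    [void]$settings.Schemas.Add($DcCloneNs, $SchemaPath)
    $reader = [System.Xml.XmlReader]::Create($Path, $settings)
    try {
        while ($reader.Read()) { }   # with no validation handler, the first violation throws
        return $null                 # $null means the file validates
    } catch {
        return $_.Exception.Message  # e.g. a missing SubnetMask or a fifth DNSResolver
    } finally {
        $reader.Close()
    }
}

$cfg = "$env:windir\NTDS\DCCloneConfig.xml"
New-DcCloneConfig -Path $cfg -ComputerName 'DC3' -SiteName 'Default-First-Site-Name' `
    -Address '10.0.0.13' -SubnetMask '255.255.255.0' -DefaultGateway '10.0.0.1' `
    -DnsResolver '10.0.0.11', '10.0.0.12'
$problem = Test-DcCloneConfig -Path $cfg
if ($problem) { "Do not boot the clone: $problem" } else { "$cfg validates against the schema" }
```

Schema validity is necessary, not sufficient: the schema types every value as xs:string, so a mistyped address or a ComputerName that already exists in the domain still passes here and is only caught at step 11 or step 12 on the PDC emulator.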

The DefaultDCCloneAllowList.XML

<DefaultCloneConfig>
  <AllowList>
    <!-- Service types -->
    <Allow><Name>ADWS</Name><Type>Service</Type></Allow>
    <Allow><Name>AeLookupSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>ALG</Name><Type>Service</Type></Allow>
    <Allow><Name>AllUserInstallAgent</Name><Type>Service</Type></Allow>
    <Allow><Name>AppIDSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Appinfo</Name><Type>Service</Type></Allow>
    <Allow><Name>AppMgmt</Name><Type>Service</Type></Allow>
    <Allow><Name>AudioEndpointBuilder</Name><Type>Service</Type></Allow>
    <Allow><Name>Audiosrv</Name><Type>Service</Type></Allow>
    <Allow><Name>AxInstSV</Name><Type>Service</Type></Allow>
    <Allow><Name>BFE</Name><Type>Service</Type></Allow>
    <Allow><Name>BITS</Name><Type>Service</Type></Allow>
    <Allow><Name>BrokerInfrastructure</Name><Type>Service</Type></Allow>
    <Allow><Name>Browser</Name><Type>Service</Type></Allow>
    <Allow><Name>CertPropSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>COMSysApp</Name><Type>Service</Type></Allow>
    <Allow><Name>CryptSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>CscService</Name><Type>Service</Type></Allow>
    <Allow><Name>DcomLaunch</Name><Type>Service</Type></Allow>
    <Allow><Name>defragsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>DeviceAssociationService</Name><Type>Service</Type></Allow>
    <Allow><Name>DeviceInstall</Name><Type>Service</Type></Allow>
    <Allow><Name>Dfs</Name><Type>Service</Type></Allow>
    <Allow><Name>DFSR</Name><Type>Service</Type></Allow>
    <Allow><Name>Dhcp</Name><Type>Service</Type></Allow>
    <Allow><Name>DNS</Name><Type>Service</Type></Allow>
    <Allow><Name>Dnscache</Name><Type>Service</Type></Allow>
    <Allow><Name>dot3svc</Name><Type>Service</Type></Allow>
    <Allow><Name>DPS</Name><Type>Service</Type></Allow>
    <Allow><Name>DsmSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>DsRoleSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Eaphost</Name><Type>Service</Type></Allow>
    <Allow><Name>EFS</Name><Type>Service</Type></Allow>
    <Allow><Name>EventLog</Name><Type>Service</Type></Allow>
    <Allow><Name>EventSystem</Name><Type>Service</Type></Allow>
    <Allow><Name>FCRegSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>fdPHost</Name><Type>Service</Type></Allow>
    <Allow><Name>FDResPub</Name><Type>Service</Type></Allow>
    <Allow><Name>FontCache</Name><Type>Service</Type></Allow>
    <Allow><Name>FontCache3.0.0.0</Name><Type>Service</Type></Allow>
    <Allow><Name>gpsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>hidserv</Name><Type>Service</Type></Allow>
    <Allow><Name>hkmsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>idsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>IKEEXT</Name><Type>Service</Type></Allow>
    <Allow><Name>IPBusEnum</Name><Type>Service</Type></Allow>
    <Allow><Name>iphlpsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>IsmServ</Name><Type>Service</Type></Allow>
    <Allow><Name>Kdc</Name><Type>Service</Type></Allow>
    <Allow><Name>KdsSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>KeyIso</Name><Type>Service</Type></Allow>
    <Allow><Name>KPSSVC</Name><Type>Service</Type></Allow>
    <Allow><Name>KtmRm</Name><Type>Service</Type></Allow>
    <Allow><Name>LanmanServer</Name><Type>Service</Type></Allow>
    <Allow><Name>LanmanWorkstation</Name><Type>Service</Type></Allow>
    <Allow><Name>lltdsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>lmhosts</Name><Type>Service</Type></Allow>
    <Allow><Name>LSM</Name><Type>Service</Type></Allow>
    <Allow><Name>MMCSS</Name><Type>Service</Type></Allow>
    <Allow><Name>MpsSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>MSDTC</Name><Type>Service</Type></Allow>
    <Allow><Name>MSiSCSI</Name><Type>Service</Type></Allow>
    <Allow><Name>msiserver</Name><Type>Service</Type></Allow>
    <Allow><Name>napagent</Name><Type>Service</Type></Allow>
    <Allow><Name>NcaSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Netlogon</Name><Type>Service</Type></Allow>
    <Allow><Name>Netman</Name><Type>Service</Type></Allow>
    <Allow><Name>netprofm</Name><Type>Service</Type></Allow>
    <Allow><Name>NetTcpPortSharing</Name><Type>Service</Type></Allow>
    <Allow><Name>NlaSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>nsi</Name><Type>Service</Type></Allow>
    <Allow><Name>NTDS</Name><Type>Service</Type></Allow>
    <Allow><Name>NtFrs</Name><Type>Service</Type></Allow>
    <Allow><Name>PerfHost</Name><Type>Service</Type></Allow>
    <Allow><Name>pla</Name><Type>Service</Type></Allow>
    <Allow><Name>PlugPlay</Name><Type>Service</Type></Allow>
    <Allow><Name>PolicyAgent</Name><Type>Service</Type></Allow>
    <Allow><Name>Power</Name><Type>Service</Type></Allow>
    <Allow><Name>PrintService</Name><Type>Service</Type></Allow>
    <Allow><Name>ProfSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>RasAuto</Name><Type>Service</Type></Allow>
    <Allow><Name>RasMan</Name><Type>Service</Type></Allow>
    <Allow><Name>RemoteAccess</Name><Type>Service</Type></Allow>
    <Allow><Name>RemoteRegistry</Name><Type>Service</Type></Allow>
    <Allow><Name>RpcEptMapper</Name><Type>Service</Type></Allow>
    <Allow><Name>RpcLocator</Name><Type>Service</Type></Allow>
    <Allow><Name>RpcSs</Name><Type>Service</Type></Allow>
    <Allow><Name>RSoPProv</Name><Type>Service</Type></Allow>
    <Allow><Name>sacsvr</Name><Type>Service</Type></Allow>
    <Allow><Name>SamSs</Name><Type>Service</Type></Allow>
    <Allow><Name>SCardSvr</Name><Type>Service</Type></Allow>
    <Allow><Name>Schedule</Name><Type>Service</Type></Allow>
    <Allow><Name>SCPolicySvc</Name><Type>Service</Type></Allow>
    <Allow><Name>seclogon</Name><Type>Service</Type></Allow>
    <Allow><Name>SENS</Name><Type>Service</Type></Allow>
    <Allow><Name>SessionEnv</Name><Type>Service</Type></Allow>
    <Allow><Name>SharedAccess</Name><Type>Service</Type></Allow>
    <Allow><Name>ShellHWDetection</Name><Type>Service</Type></Allow>
    <Allow><Name>SidKeySvc</Name><Type>Service</Type></Allow>
    <Allow><Name>SNMPTRAP</Name><Type>Service</Type></Allow>
    <Allow><Name>Spooler</Name><Type>Service</Type></Allow>
    <Allow><Name>sppsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>SSDPSRV</Name><Type>Service</Type></Allow>
    <Allow><Name>SstpSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>stisvc</Name><Type>Service</Type></Allow>
    <Allow><Name>svsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>swprv</Name><Type>Service</Type></Allow>
    <Allow><Name>SysMain</Name><Type>Service</Type></Allow>
    <Allow><Name>SystemEventsBroker</Name><Type>Service</Type></Allow>
    <Allow><Name>TabletInputService</Name><Type>Service</Type></Allow>
    <Allow><Name>TapiSrv</Name><Type>Service</Type></Allow>
    <Allow><Name>TermService</Name><Type>Service</Type></Allow>
    <Allow><Name>Themes</Name><Type>Service</Type></Allow>
    <Allow><Name>THREADORDER</Name><Type>Service</Type></Allow>
    <Allow><Name>TimeBroker</Name><Type>Service</Type></Allow>
    <Allow><Name>TrkWks</Name><Type>Service</Type></Allow>
    <Allow><Name>TrustedInstaller</Name><Type>Service</Type></Allow>
    <Allow><Name>UALSVC</Name><Type>Service</Type></Allow>
    <Allow><Name>UI0Detect</Name><Type>Service</Type></Allow>
    <Allow><Name>UmRdpService</Name><Type>Service</Type></Allow>
    <Allow><Name>upnphost</Name><Type>Service</Type></Allow>
    <Allow><Name>VaultSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>vds</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicheartbeat</Name><Type>Service</Type></Allow>
    <Allow><Name>vmickvpexchange</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicrdv</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicshutdown</Name><Type>Service</Type></Allow>
    <Allow><Name>vmictimesync</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicvss</Name><Type>Service</Type></Allow>
    <Allow><Name>VSS</Name><Type>Service</Type></Allow>
    <Allow><Name>W32Time</Name><Type>Service</Type></Allow>
    <Allow><Name>WbioSrvc</Name><Type>Service</Type></Allow>
    <Allow><Name>WcsPlugInService</Name><Type>Service</Type></Allow>
    <Allow><Name>WdiServiceHost</Name><Type>Service</Type></Allow>
    <Allow><Name>WdiSystemHost</Name><Type>Service</Type></Allow>
    <Allow><Name>WebClient</Name><Type>Service</Type></Allow>
    <Allow><Name>Wecsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>wercplsupport</Name><Type>Service</Type></Allow>
    <Allow><Name>WerSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>WiaRpc</Name><Type>Service</Type></Allow>
    <Allow><Name>WinHttpAutoProxySvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Winmgmt</Name><Type>Service</Type></Allow>
    <Allow><Name>WinRM</Name><Type>Service</Type></Allow>
    <Allow><Name>wmiApSrv</Name><Type>Service</Type></Allow>
    <Allow><Name>WPDBusEnum</Name><Type>Service</Type></Allow>
    <Allow><Name>WSService</Name><Type>Service</Type></Allow>
    <Allow><Name>wuauserv</Name><Type>Service</Type></Allow>
    <Allow><Name>wudfsvc</Name><Type>Service</Type></Allow>
  </AllowList>
  <sysprepInformation>
    <imaging>
      <sysprepModule methodName="CAPISysPrep_Generalize" moduleName="$(runtime.windows)\system32\capisp.dll" />
      <sysprepModule methodName="DhcpClient_Generalize" moduleName="$(runtime.system32)\dhcpcsvc.dll" />
      <sysprepModule methodName="RdpSysPrepGeneralize" moduleName="$(runtime.system32)\setup\tssysprep.dll" />
      <!--sysprepModule methodName="CryptoSysPrep_Specialize" moduleName="$(runtime.windows)\system32\capisp.dll" /-->
      <sysprepModule methodName="RdpSysPrepRestore" moduleName="$(runtime.system32)\setup\tssysprep.dll" />
      <sysprepModule methodName="RacSysprepSpecialize" moduleName="RacEngn.dll" />
      <sysprepModule methodName="WerSysprepCleanup" moduleName="wer.dll" />
      <sysprepModule methodName="SqmSysprepGeneralize" moduleName="sqmapi.dll" />
      <sysprepModule methodName="SqmSysprepSpecialize" moduleName="sqmapi.dll" />
      <sysprepModule methodName="GeneralizeForImaging" moduleName="$(runtime.system32)\wuaueng.dll" />
      <sysprepModule methodName="SLReArmWindows" moduleName="$(runtime.system32)\slc.dll" />
    </imaging>
  </sysprepInformation>
</DefaultCloneConfig>

Note: The DefaultDCCloneAllowList.XML also lists the SYSPREP modules that are called during cloning. These "mini-sysprep" steps are performed to ensure that the cloned domain controller is unique in the aspects that matter.
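
The allow list is what decides whether a source domain controller may be cloned at all: any installed service that is not named in it has to be vetted by the administrator first. The block below is an added example, not code from the guide or a Microsoft tool: it reads an allow list in the DefaultDCCloneAllowList.XML format and reports the installed services that are not covered, which is the check an administrator wants before exporting the source VM. The allow-list excerpt and the installed-service inventory are constructed for the example; the two non-Windows service names in the inventory are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the same shape as DefaultDCCloneAllowList.XML (a subset of its entries).
DEFAULT_ALLOW_LIST_XML = """<DefaultCloneConfig>
  <AllowList>
    <!-- Service types -->
    <Allow><Name>ADWS</Name><Type>Service</Type></Allow>
    <Allow><Name>DNS</Name><Type>Service</Type></Allow>
    <Allow><Name>Kdc</Name><Type>Service</Type></Allow>
    <Allow><Name>Netlogon</Name><Type>Service</Type></Allow>
    <Allow><Name>NTDS</Name><Type>Service</Type></Allow>
    <Allow><Name>W32Time</Name><Type>Service</Type></Allow>
  </AllowList>
</DefaultCloneConfig>"""

# Constructed administrator-maintained list in the same format, vouching for one extra service.
CUSTOM_ALLOW_LIST_XML = """<DefaultCloneConfig>
  <AllowList>
    <Allow><Name>ContosoBackupAgent</Name><Type>Service</Type></Allow>
  </AllowList>
</DefaultCloneConfig>"""

# Constructed inventory of services installed on the source DC; the last two names are hypothetical.
INSTALLED_SERVICES = ["ADWS", "DNS", "Kdc", "Netlogon", "NTDS", "W32Time",
                      "ContosoBackupAgent", "ThirdPartyAVSvc"]


def load_allow_list(xml_text):
    """Return the set of (type, name) pairs an allow-list document permits.

    Windows service names are case-insensitive, so both parts are lower-cased
    for comparison. Entries without a Name or Type are ignored.
    """
    root = ET.fromstring(xml_text)
    allowed = set()
    for allow in root.iterfind("./AllowList/Allow"):
        name = (allow.findtext("Name") or "").strip()
        typ = (allow.findtext("Type") or "").strip()
        if name and typ:
            allowed.add((typ.lower(), name.lower()))
    return allowed


def merge_allow_lists(*xml_docs):
    """Union of several allow lists (for example the default list plus a custom one)."""
    allowed = set()
    for doc in xml_docs:
        allowed |= load_allow_list(doc)
    return allowed


def unapproved_services(installed, allowed):
    """Installed services that no allow list covers, sorted for stable reporting."""
    return sorted(s for s in installed if ("service", s.lower()) not in allowed)


if __name__ == "__main__":
    default_only = load_allow_list(DEFAULT_ALLOW_LIST_XML)
    print("not in default list:", unapproved_services(INSTALLED_SERVICES, default_only))
    both = merge_allow_lists(DEFAULT_ALLOW_LIST_XML, CUSTOM_ALLOW_LIST_XML)
    print("not in default or custom list:", unapproved_services(INSTALLED_SERVICES, both))
```

Anything the function reports is a service whose behaviour after cloning (duplicate identifiers, licences tied to the source host, state that must not be copied) has not been reviewed; it should either be removed from the source or, after review, added to a custom allow list in the same format.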

List of default compatible cloning components

The following services support cloning and are included in the c:\windows\system32\DefaultDCCloneAllowList.XML allow list.

Type Name Caption (aka "friendly name")

Service ADWS Active Directory Web Services

Service AeLookupSvc Application Experience

Service ALG Application Layer Gateway Service

Service AllUserInstallAgent Windows All-User Install Agent

Service AppIDSvc Application Identity

Service Appinfo Application Information

Service AppMgmt Application Management

Service AudioEndpointBuilder Windows Audio Endpoint Builder

Service Audiosrv Windows Audio

Service AxInstSV

Service BFE Base Filtering Engine

Service BITS Background Intelligent Transfer Service

Service BrokerInfrastructure Broker Infrastructure

Service Browser Computer Browser

Service CertPropSvc Certificate Propagation

Service COMSysApp COM+ System Application

Service CryptSvc Cryptographic Services

Service CscService

Service DcomLaunch DCOM Server Process Launcher

Service defragsvc Optimize drives

Service DeviceAssociationService Device Association Service

Service DeviceInstall Device Install Service

Service Dfs DFS Namespace

Service DFSR DFS Replication

Service Dhcp DHCP Client

Service DNS DNS Server

Service Dnscache DNS Client

Service dot3svc Wired AutoConfig

Service DPS Diagnostic Policy Service

Service DsmSvc Device Setup Manager

Service DsRoleSvc DS Role Server

Service Eaphost Extensible Authentication Protocol

Service EFS Encrypting File System (EFS)

Service EventLog Windows Event Log

Service EventSystem COM+ Event System

Service FCRegSvc

Service fdPHost Function Discovery Provider Host

Service FDResPub Function Discovery Resource Publication

Service FontCache Windows Font Cache Service

Service FontCache3.0.0.0

Service gpsvc Group Policy Client

Service hidserv Human Interface Device Access

Service hkmsvc Health Key and Certificate Management

Service idsvc

Service IKEEXT IKE and AuthIP IPsec Keying Modules

Service IPBusEnum

Service iphlpsvc Function Discovery Provider Host

Service IsmServ Intersite Messaging

Service Kdc Kerberos Key Distribution Center

Service KdsSvc Microsoft Key Distribution Service

Service KeyIso CNG Key Isolation

Service KPSSVC KDC Proxy Server service (KPS)

Service KtmRm KtmRm for Distributed Transaction Coordinator

Service LanmanServer Server

Service LanmanWorkstation Workstation

Service lltdsvc Link-Layer Topology Discovery Mapper

Service lmhosts TCP/IP NetBIOS Helper

Service LSM Local Session Manager

Service MMCSS Multimedia Class Scheduler

Service MpsSvc Windows Firewall

Service MSDTC Distributed Transaction Coordinator

Service MSiSCSI Microsoft iSCSI Initiator Service

Service msiserver Windows Installer

Service napagent Network Access Protection Agent

Service NcaSvc Network Connectivity Assistant

Service Netlogon Netlogon

Service Netman Network Connections

Service netprofm Network List Service

Service NetTcpPortSharing Net.Tcp Port Sharing Service

Service NlaSvc Network Location Awareness

Service nsi Network Store Interface Service

Service NTDS Active Directory Domain Services

Service NtFrs File Replication

Service PerfHost Performance Counter DLL Host

Service pla Performance Logs & Alerts

Service PlugPlay Plug and Play

Service PolicyAgent IPsec Policy Agent

Service Power Power

Service PrintService

Service ProfSvc User Profile Service

Service RasAuto Remote Access Auto Connection Manager

Service RasMan Remote Access Connection Manager

Service RemoteAccess Routing and Remote Access

Service RemoteRegistry Remote Registry

Service RpcEptMapper RPC Endpoint Mapper

Service RpcLocator Remote Procedure Call (RPC) Locator

Service RpcSs Remote Procedure Call (RPC)

Service RSoPProv Resultant Set of Policy Provider

Service sacsvr Special Administration Console Helper

Service SamSs Security Accounts Manager

Service SCardSvr Smart Card

Service Schedule Task Scheduler

Service SCPolicySvc Smart Card Removal Policy

Service seclogon Secondary Logon

Service SENS System Event Notification Service

Service SessionEnv Remote Desktop Configuration

Service SharedAccess Internet Connection Sharing (ICS)

Service ShellHWDetection Shell Hardware Detection

Service SidKeySvc

Service SNMPTRAP SNMP Trap

Service Spooler Print Spooler

Service sppsvc Software Protection

Service SSDPSRV SSDP Discovery

Service SstpSvc Secure Socket Tunneling Protocol Service

Service stisvc

Service svsvc Spot Verifier

Service swprv Microsoft Software Shadow Copy Provider

Service SysMain Superfetch

Service SystemEventsBroker System Events Broker

Service TabletInputService

Service TapiSrv Telephony

Service TermService Remote Desktop Services

Service Themes Themes

Service THREADORDER Thread Ordering Server

Service TimeBroker Time Broker

Service TrkWks Distributed Link Tracking Client

Service TrustedInstaller Windows Modules Installer

Service UALSVC User Access Logging Service

Service UI0Detect Interactive Services Detection

Service UmRdpService Remote Desktop Services UserMode Port Redirector

Service upnphost UPnP Device Host

Service VaultSvc Credential Manager

Service vds Virtual Disk

Service vmicheartbeat Hyper-V Heartbeat Service

Service vmickvpexchange Hyper-V Data Exchange Service

Service vmicrdv Hyper-V Remote Desktop Virtualization Service

Service vmicshutdown Hyper-V Guest Shutdown Service

Service vmictimesync Hyper-V Time Synchronization Service

Service vmicvss Hyper-V Volume Shadow Copy Requestor

Service VSS Volume Shadow Copy

Service W32Time Windows Time

Service WbioSrvc

Service WcsPlugInService Windows Color System

Service WdiServiceHost Diagnostic Service Host

Service WdiSystemHost Diagnostic System Host

Service WebClient

Service Wecsvc Windows Event Collector

Service wercplsupport Problem Reports and Solutions Control Panel Support

Service WerSvc Windows Error Reporting Service

Service WiaRpc

Service WinHttpAutoProxySvc WinHTTP Web Proxy Auto-Discovery Service

Service Winmgmt Windows Management Instrumentation

Service WinRM Windows Remote Management (WS-Management)

Service wmiApSrv WMI Performance Adapter

Service WPDBusEnum Portable Device Enumerator Service

Service WSService Windows Store Service (WSService)

Service wuauserv Windows Update

Service wudfsvc Windows Driver Foundation - User-mode Driver Framework

DRS API Extension for Cloning

Windows Server "8" Beta extends the existing Directory Replication Service (DRS) Remote Protocol (UUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) to include a new RPC method, IDL_DRSAddCloneDC (Opnum 28). The IDL_DRSAddCloneDC method creates a new domain controller object by copying attributes from an existing domain controller object.

The states of a domain controller are composed of computer, server, NTDS settings, FRS, DFSR, and connection objects maintained for each domain controller. When duplicating an object, this RPC method replaces all references to the original domain controller with corresponding objects of the new domain controller. The caller must have the control access right DS-Clone-Domain-Controller on the domain naming context.

Use of this new method always requires direct access to the PDC emulator domain controller from the caller.

Because this RPC method is new, your network analysis software requires updated parsers that include fields for the new Opnum 28 under the existing UUID E3514235-4B06-11D1-AB04-00C04FC2DCD2; without them, this traffic cannot be decoded. For example, using an older parser in Netmon 3.4:

More Information:

For more information about this topic, see 4.1.29 IDL_DRSAddCloneDC (Opnum 28).
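
An older parser sees only an unnamed operation because it matches the request's opnum against a table that stops before 28. The following is an added example, not code from the guide or from any Microsoft protocol parser: a minimal decoder for connection-oriented DCE/RPC that learns from the bind PDU which presentation context carries the DRS Remote Protocol interface, then names the opnum of each request on that context. Opnum 28 and the interface UUID are taken from the guide; the other opnum names, the interface version 4.0 and the NDR transfer-syntax UUID are taken from the published MS-DRSR and DCE/RPC specifications and are not on this page. The PDUs are constructed in the block, not captured from a network.

```python
import struct
import uuid

# Interface UUID quoted in the guide; 4.0 is the drsuapi interface version in MS-DRSR.
DRSUAPI_UUID = uuid.UUID("e3514235-4b06-11d1-ab04-00c04fc2dcd2")
# NDR 32-bit transfer syntax (standard DCE/RPC value), used only to build the sample bind.
NDR32_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_REQUEST = 0
PTYPE_BIND = 11

# Opnum 28 comes from the guide; the other entries are from MS-DRSR, not from this page.
DRSUAPI_OPNUMS = {
    0: "IDL_DRSBind",
    1: "IDL_DRSUnbind",
    3: "IDL_DRSGetNCChanges",
    28: "IDL_DRSAddCloneDC",
}


def parse_header(pdu):
    """Return (ptype, flags, frag_length, call_id) from the 16-byte common header."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the common header")
    vers, vers_minor, ptype, flags, drep, frag_len, _auth_len, call_id = \
        struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if vers != 5:
        raise ValueError(f"unsupported RPC version {vers}.{vers_minor}")
    if not drep[0] & 0x10:  # high nibble of drep[0]: 1 = little-endian integers
        raise ValueError("big-endian data representation not handled here")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    return ptype, flags, frag_len, call_id


def parse_bind(pdu):
    """Map presentation-context id -> (abstract syntax UUID, version) from a bind PDU."""
    ptype, _, _, _ = parse_header(pdu)
    if ptype != PTYPE_BIND:
        raise ValueError("not a bind PDU")
    off = 16 + 8                 # skip max_xmit_frag, max_recv_frag, assoc_group_id
    n_ctx = pdu[off]
    off += 4                     # n_context_elem plus three reserved bytes
    contexts = {}
    for _ in range(n_ctx):
        cont_id, n_transfer = struct.unpack_from("<HB", pdu, off)
        off += 4                 # p_cont_id, n_transfer_syn, reserved
        abstract = uuid.UUID(bytes_le=pdu[off:off + 16])   # UUIDs are on the wire in LE form
        version = struct.unpack_from("<I", pdu, off + 16)[0]
        off += 20 + 20 * n_transfer   # abstract syntax, then the transfer-syntax list
        contexts[cont_id] = (abstract, version)
    return contexts


def parse_request(pdu):
    """Return (presentation-context id, opnum) of a request PDU."""
    ptype, _, _, _ = parse_header(pdu)
    if ptype != PTYPE_REQUEST:
        raise ValueError("not a request PDU")
    _alloc_hint, cont_id, opnum = struct.unpack_from("<IHH", pdu, 16)
    return cont_id, opnum


def name_drsuapi_call(contexts, request_pdu):
    """Name the drsuapi method of a request, or None when the context is another interface."""
    cont_id, opnum = parse_request(request_pdu)
    abstract, _version = contexts.get(cont_id, (None, None))
    if abstract != DRSUAPI_UUID:
        return None
    return DRSUAPI_OPNUMS.get(opnum, f"drsuapi opnum {opnum} (not in table)")


# --- constructed sample PDUs (built here for the example, not captured) ---
def _header(ptype, body_len, call_id):
    # version 5.0, flags FIRST|LAST, little-endian/ASCII drep, no auth trailer
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                       16 + body_len, 0, call_id)


def build_bind(cont_id, abstract, version=4, call_id=1):
    body = struct.pack("<HHI", 5840, 5840, 0)                     # frag sizes, assoc group
    body += struct.pack("<BBH", 1, 0, 0)                          # one presentation context
    body += struct.pack("<HBB", cont_id, 1, 0) + abstract.bytes_le + struct.pack("<I", version)
    body += NDR32_UUID.bytes_le + struct.pack("<I", 2)            # one transfer syntax
    return _header(PTYPE_BIND, len(body), call_id) + body


def build_request(cont_id, opnum, stub=b"", call_id=2):
    body = struct.pack("<IHH", len(stub), cont_id, opnum) + stub
    return _header(PTYPE_REQUEST, len(body), call_id) + body


def demo():
    """Decode a constructed bind followed by four requests on the drsuapi context."""
    contexts = parse_bind(build_bind(0, DRSUAPI_UUID))
    return [name_drsuapi_call(contexts, build_request(0, op)) for op in (0, 28, 3, 29)]


if __name__ == "__main__":
    print(demo())
```

The decoder deliberately keeps the bind-time context map separate from request parsing: the opnum alone is meaningless until it is tied to the interface negotiated for that presentation context, which is why a parser that only updates its opnum table, but reads the wrong context, still mislabels cloning traffic.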

Windows PowerShell Module Loading

Windows PowerShell 3.0 implements dynamic module loading. Using the Import-Module cmdlet is typically no longer required; instead, simply invoking the cmdlet, alias, or function automatically loads the module.

To see loaded modules, use the Get-Module cmdlet.

Get-Module

Figure 60

To see all installed modules with their exported functions and cmdlets, use:

Get-Module -ListAvailable

The main case for using the Import-Module cmdlet is when you need access to the "AD:" Windows PowerShell virtual drive and nothing else has already loaded the module. For example, use the following commands:

import-module activedirectory
cd ad:
dir

Additional Resources

For information about Windows Server "8" Beta Virtualized Domain Controllers, see:

Understand and Troubleshoot Virtualized Domain Controllers in Windows Server "8" Beta

Test Lab Guide: Demonstrate Windows Server "8" Beta Virtualized Domain Controller (VDC)

AD DS Virtualization (Cloning and Virtualization safe improvements)

For more information about Windows Server "8" Beta AD DS Simplified Administration, see:

Understand and Troubleshoot ADDS Simplified Administration in Windows Server "8" Beta

Active Directory Administrative Center Enhancements (FGPP UI, Recycle Bin UI, and Windows PowerShell Script Viewer)

Active Directory Replication and Topology Management Using Windows PowerShell

AD DS Deployment Guide

Test Lab Guide: Demonstrate ADDS Simplified Administration in Windows Server "8" Beta

For more information about Active Directory Domain Services, see:

Active Directory Domain Services (TechNet Portal)

Active Directory Domain Services for Windows Server 2008 R2

Active Directory Domain Services for Windows Server 2008

Windows Server Technical Reference (Windows Server 2003)

Active Directory Administrative Center: Getting Started (Windows Server 2008 R2)

Running Adprep (Windows Server 2008 R2)

USN and USN Rollback Protection (Windows Server 2008 R2)

Active Directory Administration with Windows PowerShell (Windows Server 2008 R2)

Ask the Directory Services Team (Official Microsoft Commercial Technical Support Blog)

For a list of all of the Windows Server "8" Beta TLGs, see Windows Server "8" Beta Test Lab Guides in the TechNet Wiki.

To provide the authors of this guide with feedback or suggestions for improvement, send email to [email protected].
