
Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta

Microsoft Corporation Published: February 2012

Abstract
This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Virtualized Domain Controller in Windows Server 8 Beta. This UTG provides you with:
- A technical overview and functional description of this feature.
- Technical concepts to help you successfully install, configure, and manage this feature.
- User Interface options and settings for configuration and management.
- Relevant architecture of this feature, with dependencies, and technical implementation.
- Primary troubleshooting tools and methods for this feature.

Copyright information
This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. 2012 Microsoft. All rights reserved.
Active Directory, Hyper-V, Microsoft, Visual Studio, Windows, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

About the Author
Author: Ned Pyle
Bio: Ned Pyle is a Senior Support Escalation Engineer with Microsoft Commercial Technical Support in Charlotte, North Carolina, USA. He specializes in Directory Services troubleshooting and advisory services. He has authored and contributed to TechNet whitepapers and Knowledgebase articles. Ned also has credits in several Microsoft Press books. He teaches Microsoft employees new product architecture, is a Microsoft Certified Master instructor, and is a Microsoft Certified Trainer. He edits the official Microsoft Directory Services blog, AskDS.

Contents
Understand and Troubleshoot Guides ... 1
  About the Understand and Troubleshoot Guides ... 1
Introducing Virtualized Domain Controller ... 2
  What Is Virtualized Domain Controller? ... 2
  Purpose & Benefits ... 3
Technical Overview ... 5
  Prerequisites ... 5
  Functional Descriptions ... 5
    Virtual Domain Controller Cloning ... 5
    Virtual Domain Controller Safe Restore ... 6
Deploying Virtualized Domain Controller ... 7
  Installation Considerations ... 7
  Platform Requirements ... 7
  Critical Caveats ... 8
Virtualized Domain Controller Cloning ... 9
  1. Validate the Hypervisor ... 11
  2. Create XML ... 11
    Using a Blank DcCloneConfig.xml File ... 11
    Using Get-ADDCCloningExcludedApplicationList to Detect Compatibility Issues and Create CustomDCCloneAllowList.xml ... 11
    XML Details and Behaviors ... 14
    Using an XML Editor ... 18
    Adding XML to the Running Source DC ... 29
  3. Verify the PDCE FSMO role ... 32
    Active Directory Users and Computers Method ... 32
    Windows PowerShell Method ... 32
    Validate PDCE Availability ... 33
  4. Authorize a Source DC ... 34
    Active Directory Administrative Center Method ... 34
    Windows PowerShell Method ... 34
    Rebuilding Default Permissions ... 35
  5. Remove Incompatible applications or services (if not using CustomDCCloneAllowList.xml) ... 36
  6. Take the Source Domain Controller Offline ... 36
    Graphical Method ... 36
    Windows PowerShell Method ... 37
  7. Copy Disks ... 38
    Manually Copying Disks ... 39
    Exporting the VM ... 42
    Adding XML to the Offline System Disk ... 43
  8. Create the New Virtual Machine ... 47
    Associating a New VM with Copied Disks ... 47
    Import VM ... 48
  9. Clone the New Virtual Machine ... 53
Virtualized Domain Controller Safe Restore ... 55
  Validate the Hypervisor ... 55
  Validate the Replication Topology ... 55
    Writable Domain Controller Contact ... 55
    Simultaneous Restore ... 56
    Post-Snapshot Replication ... 56
  Windows PowerShell Snapshot Cmdlets ... 58
  Further Recommendations ... 58
Troubleshooting ... 60
  Introduction ... 60
  Troubleshooting VDC Cloning ... 60
    Tools for Troubleshooting ... 62
    General Methodology for Troubleshooting Domain Controller Cloning ... 63
    Troubleshooting Specific Problems ... 65
    Advanced Troubleshooting ... 86
  Troubleshooting VDC Safe Restore ... 111
    Tools for Troubleshooting ... 111
    General Methodology for Troubleshooting Domain Controller Safe Restore ... 112
    Troubleshooting Specific Problems ... 113
    Advanced Troubleshooting ... 121
Appendices ... 130
  Terminology ... 130
  VDC Cloning Architecture ... 131
    Overview ... 132
    Detailed Processing (using Microsoft Hyper-V) ... 132
  VDC Safe Restore Architecture ... 136
    Overview ... 136
    Detailed Processing (using Microsoft Hyper-V) ... 137
  FixVDCPermissions.ps1 ... 139
  The DCCloneConfigSchema.XSD ... 140
  The SampleDCCloneConfig.XML ... 142
  The DefaultDCCloneAllowList.XML ... 142
  List of default compatible cloning components ... 155
  DRS API Extension for Cloning ... 160
  Windows PowerShell Module Loading ... 161
Additional Resources ... 162


Understand and Troubleshoot Guides


About the Understand and Troubleshoot Guides
The Understand and Troubleshoot Windows Server "8" Beta Guides support you in developing awareness of key technical concepts, architecture, functionality, and troubleshooting tools and techniques. This understanding enables a successful early adoption experience during the pre-RTM product evaluation phase. This guide contains Level 300 material intended for administrators and architects, and assumes the reader already has extensive knowledge of existing features in previous operating systems.


Introducing Virtualized Domain Controller


Windows Server "8" Beta introduces the first specific virtualization capabilities to Active Directory Domain Services. Virtualized Domain Controller (VDC) takes lessons learned from twelve years of virtualizing Active Directory and makes a more supportable, more flexible, more intuitive administrative experience for architects and administrators.

What Is Virtualized Domain Controller?


Virtualized Domain Controller creates two new key capabilities:
- Domain controllers can be safely cloned to deploy additional capacity and save configuration time.
- Accidental restoration of domain controller snapshots does not disrupt your AD DS environment.

More Information:

To read more about new features that are not in this document's scope:
- For AD DS deployment and management improvements, see the Understand and Troubleshoot AD DS Simplified Administration in Windows Server "8" Beta guide. http://go.microsoft.com/fwlink/p/?LinkId=237244
- For Dynamic Access Control and Kerberos capabilities, see the Understand and Troubleshoot Dynamic Access Control in Windows Server "8" Beta guide. http://go.microsoft.com/fwlink/p/?LinkId=237254
- For GMSA and Kerberos capabilities, see the Understand and Troubleshoot Enhanced Security in Windows Server "8" Beta guide. http://go.microsoft.com/fwlink/p/?LinkId=237243

VDC also profits from many other new features included in Windows Server "8" Beta, such as:
- NIC teaming and Datacenter Bridging
- Unified Remote Access AD site awareness
- DNS Security and faster AD-integrated zone availability after boot
- Hyper-V reliability and scalability improvements
- BitLocker Network Unlock
- Additional Windows PowerShell component administration modules

2012 Microsoft Corporation. All rights reserved.


More Information:

To read more about new features that are not in this document's scope:
- For Unified Remote Access capabilities, see the Understand and Troubleshoot Unified Remote Access in Windows Server "8" Beta guide. http://go.microsoft.com/fwlink/p/?LinkId=237246
- For DNS capabilities, see the Understand and Troubleshoot DNS Security Extensions (DNSSEC) in Windows Server "8" Beta guide. http://go.microsoft.com/fwlink/p/?LinkId=237248
- For Hyper-V capabilities, see the Understand and Troubleshoot Hyper-V Virtual Network Switch in Windows Server "8" Beta guide http://go.microsoft.com/fwlink/p/?LinkId=237247 and the Understand and Troubleshoot Hyper-V Replica in Windows Server "8" Beta guide http://go.microsoft.com/fwlink/p/?LinkId=237258
- For BitLocker capabilities, see the Understand and Troubleshoot BitLocker in Windows Server "8" Beta guide. http://go.microsoft.com/fwlink/p/?LinkId=237139

Purpose & Benefits


Cloning Domain Controllers
Domain controllers have unique characteristics that make duplication very dangerous. For instance, two domain controllers cannot coexist in the same forest with the same name, invocation ID, and security identifier. In Windows Server 2008 R2 and older operating systems, every virtualized domain controller requires manual promotion as a uniquely built guest computer. Windows Server "8" Beta introduces virtualized domain controller cloning. You no longer have to repeatedly deploy a sysprepped server image and then manually promote the domain controller. Instead, the cloned domain controller automatically syspreps (based on settings in DefaultDCCloneAllowList.xml) and promotes with the existing local AD DS data as installation media, consuming administrator-provided settings like computer name and IP address. This allows faster deployment of new domain controllers in production or test labs, simpler disaster recovery, and the ability to scale out in hosting and branch office scenarios.

Safe Backup and Restore of Domain Controllers


Virtualization creates unique challenges to distributed multi-master workloads that depend upon logical clock-based replication schemes. AD DS replication uses an increasing transaction value assigned to transactions on each domain controller, known as an Update Sequence Number (USN). If a domain controller "rolls back" time during application of a snapshot, a USN may be reused for an entirely different transaction; replication cannot converge, since other domain controllers believe they already received the update.


Virtualization technology such as Hyper-V includes snapshot abilities, where you create an image of a domain controller at a point in time. Restoring the snapshot discards all changes made since that checkpoint and in previous operating systems, forces the domain controller to quarantine itself with a process called USN rollback protection. Once USN rollback protection is in place, a domain controller no longer replicates again and must be either forcibly demoted or manually restored non-authoritatively. In cases where the domain controller has originated changes since the snapshot was taken, it also leads to lingering objects. Windows Server "8" Beta now detects rollbacks and non-authoritatively synchronizes the delta of changes between a domain controller and its partners for AD DS and SYSVOL. You can now use snapshots without risk of permanently crippling domain controllers and requiring manually forced demotion, metadata cleanup, and re-promotion. While this does not prevent other issues with snapshots - such as inconsistent databases for other technologies and applications - it does make domain controller virtualization safer.
More Information:

- For more information about USN and Invocation ID, review How the Active Directory Replication Model Works http://technet.microsoft.com/en-us/library/cc772726(WS.10).aspx
- For more information about USN Rollback protection in Windows Server 2008 R2, review Running Domain Controllers in Hyper-V http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd15fbaa6740ffe(v=WS.10)#usn_and_usn_rollback



Technical Overview
Prerequisites
This guide assumes familiarity with previous releases of Active Directory Domain Services as well as virtualization technology like Hyper-V or other hypervisors, and does not provide foundation detail around their purpose and functionality. The focus of this guide is to provide information and guidance on the new features and improvements introduced in Windows Server "8" Beta.
More Information:

For more information about AD DS, see the TechNet Portal pages linked below:
- Active Directory Domain Services for Windows Server 2008 R2 http://technet.microsoft.com/en-us/library/dd378801(WS.10).aspx
- Active Directory Domain Services for Windows Server 2008 http://technet.microsoft.com/en-us/library/dd378891(WS.10).aspx
- Windows Server Technical Reference http://technet.microsoft.com/en-us/library/cc739127(WS.10).aspx

For more information about Hyper-V, see the TechNet Portal pages linked below:
- Hyper-V Server Portal http://www.microsoft.com/en-us/server-cloud/hyper-v-server/default.aspx
- Windows Server 2008 R2 Hyper-V Portal http://www.microsoft.com/en-us/server-cloud/windows-server/hyper-v.aspx
- Hyper-V TechNet Library for Windows Server 2008 R2 http://technet.microsoft.com/en-us/library/cc753637(WS.10).aspx

Functional Descriptions
Virtual Domain Controller Cloning
Windows Server "8" Beta implements cloning by extending the existing virtualization and domain controller promotion processes. Instead of creating sysprepped copies of workgroup computers and then manually promoting them using Server Manager or the ADDSDeployment Windows PowerShell module, an administrator creates a DcCloneConfig.xml file containing the unique server configuration and copies it into the DSA Working Directory (the location where the AD DS database resides; C:\Windows\NTDS, by default). A virtualization administrator takes the domain administrator-authorized virtual machine offline and copies its drive or exports the computer. The administrator creates a new virtual machine - using the copied or exported computer - without any other changes required, and the server automatically promotes as a unique domain controller, using the previous domain controller data as source media. Alternatively, domain administrators can mount the offline disk and add the XML files, which allows for factory-like automation using new Windows PowerShell options included in Windows Server "8" Beta. If there are any problems or signs of uniqueness duplication - such as IP address or name - the promotion blocks and the cloned domain controller switches to DS Restore Mode for analysis. Cloning can be made entirely automatic, to include name generation and IP addressing using DHCP.

VDC cloning allows:
- Swift domain controller deployment in a new forest or domain
- Scalable provisioning of domain controllers to handle increased load
- Rapid rollout of replacement domain controllers during disaster recovery, such as flooding or fire, an AD DS forest compromised by intrusion, or loss of virtualization host hardware
- Quick provisioning of test lab environments

There is clear role separation between domain administrators and virtualization administrators when cloning. Hypervisor admins cannot deploy replica domain controllers by simply copying virtual machines; the domain admins authorize selected domain controllers for cloning. The virtualization admins then deploy the authorized clones. This ensures that unauthorized users do not create new rogue domain controllers.
Critical: Anyone allowed to administer the hypervisor must be highly trusted and audited in the environment. They still have the ability to make copies of domain controllers for offline attack or sale to malicious third parties. Microsoft suggests legally bonding administrators against exceeding their access and contacting law enforcement authorities if suspecting employees of theft.

Note:

There is no graphical interface to create the cloning xml files. However, there is a Windows PowerShell script in development for out of band release, and the XML schema is included. These - and use of simple XML editorial tools - are described later in this guide.

Virtual Domain Controller Safe Restore


Windows Server "8" Beta virtualized domain controller safe restore resets the DC's unique Invocation ID. Since other domain controllers do not recognize the new Invocation ID, they conclude that they have not already seen these USNs and accept the updates, allowing the directory to converge. The domain controller also discards the now-duplicated local Relative Identifier (RID) pool and non-authoritatively restores the SYSVOL folder. This means that accidentally restoring a snapshot is no longer an unsafe operation on domain controllers.
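To make the mechanism concrete, the following small model (an added illustration for this guide's readers, not Microsoft code) shows how originating USNs, invocation IDs and up-to-dateness vectors interact across a snapshot restore. It covers both the USN reuse problem described under Purpose & Benefits and the invocation ID reset described above; the two-DC topology, the attribute names and the VM-Generation ID values are constructed.

```python
"""Toy model of AD DS replication across a snapshot restore.

Constructed illustration: two DCs, each stamping originating writes with
(invocation ID, USN) and tracking an up-to-dateness vector per invocation ID.
USN rollback quarantine, RID pool handling and SYSVOL are deliberately not modeled.
"""
import copy
import uuid
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Change:
    invocation_id: str  # replication identity of the DC that originated the write
    usn: int            # originating USN on that DC
    attribute: str
    value: str


@dataclass
class DomainController:
    name: str
    invocation_id: str = field(default_factory=lambda: str(uuid.uuid4()))
    highest_usn: int = 0
    generation_id: str = "gen-1"   # VM-Generation ID last recorded by the DC (constructed value)
    data: dict = field(default_factory=dict)        # attribute -> current value
    changes: list = field(default_factory=list)     # every change originated or applied here
    utd_vector: dict = field(default_factory=dict)  # invocation ID -> highest USN applied

    def write(self, attribute, value):
        """Originate a change: consume the next local USN under the current invocation ID."""
        self.highest_usn += 1
        change = Change(self.invocation_id, self.highest_usn, attribute, value)
        self._apply(change)
        return change

    def _apply(self, change):
        self.data[change.attribute] = change.value
        self.changes.append(change)
        seen = self.utd_vector.get(change.invocation_id, 0)
        self.utd_vector[change.invocation_id] = max(seen, change.usn)

    def replicate_from(self, source):
        """Pull every change whose (invocation ID, USN) is beyond what we already applied."""
        applied = 0
        for change in source.changes:
            if change.usn > self.utd_vector.get(change.invocation_id, 0):
                self._apply(change)
                applied += 1
        return applied

    def snapshot(self):
        return copy.deepcopy(self)

    def restore(self, snap, hypervisor_generation_id):
        """Apply a snapshot. Returns True if the DC reset its invocation ID (safe restore)."""
        self.invocation_id = snap.invocation_id
        self.highest_usn = snap.highest_usn
        self.generation_id = snap.generation_id
        self.data = dict(snap.data)
        self.changes = list(snap.changes)
        self.utd_vector = dict(snap.utd_vector)
        if hypervisor_generation_id != self.generation_id:
            # Safe restore: the VM-Generation ID handed over by the hypervisor differs
            # from the one in the database, so the DC retires its invocation ID.
            # Partners have no entry for the new ID and accept everything it originates.
            self.invocation_id = str(uuid.uuid4())
            self.generation_id = hypervisor_generation_id
            return True
        return False  # manual VHD copy or legacy hypervisor: same ID, USNs get reused


def run_scenario(vmgid_changes_on_restore):
    """Drive one restore of DC1 and report whether DC1 and DC2 converge afterwards."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("user1.description", "v1")
    dc2.replicate_from(dc1)
    snap = dc1.snapshot()                                 # hypervisor checkpoint of DC1
    dc1.write("user1.description", "v2")                  # replicated to DC2 before the restore
    dc2.replicate_from(dc1)
    dc1.write("user2.description", "never replicated")    # lost on restore in both cases
    reset = dc1.restore(snap, "gen-2" if vmgid_changes_on_restore else "gen-1")
    dc1.write("user3.description", "after restore")       # reuses USN 2 in the unsafe case
    dc2.replicate_from(dc1)
    dc1.replicate_from(dc2)
    return {
        "invocation_id_reset": reset,
        "converged": dc1.data == dc2.data,
        "dc2_got_post_restore_write": dc2.data.get("user3.description") == "after restore",
        "unreplicated_write_recovered": "user2.description" in dc1.data,
    }


if __name__ == "__main__":
    for label, flag in (("manual VHD copy / no VMGID", False), ("snapshot with VMGID", True)):
        print(label, run_scenario(flag))
```

In the unsafe case DC2 silently skips DC1's post-restore write because it already saw USN 2 under the old invocation ID; in the safe case the new invocation ID makes DC2 accept it and DC1 pulls back the delta it lost, while the write that never replicated before the snapshot was applied stays lost in both cases.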
More Information:

For more information about these topics, review the architecture section of this guide in the appendix.



Deploying Virtualized Domain Controller


Installation Considerations
There is no special role or feature installation for VDC; all domain controllers automatically contain cloning and safe restore capabilities. You cannot remove or disable these capabilities. Use of Windows Server "8" Beta domain controllers - and therefore VDC - requires a Windows Server "8" Beta AD DS Schema 52 and Windows Server 2003 Native or higher Forest Functional Level. Both writable and read-only domain controllers support all aspects of virtualized DC, as do Global Catalogs and FSMO roles, with the exception that the PDC emulator must be accessible during cloning.
Important: In Windows Server "8" Beta only, you cannot use the PDC emulator as a source computer to copy and clone. Naturally, this also means you cannot use a domain that contains only one domain controller. This may change in future releases of Windows Server "8" Beta.

Platform Requirements
Virtualized Domain Controller cloning requires:
- PDC emulator FSMO role transferred to a Windows Server "8" Beta DC
- PDC emulator available during cloning operations

Both VDC cloning and safe restore require:
- Windows Server "8" Beta virtualized guests
- Virtualization host platform that supports VM-Generation ID (VMGID)

Review the table below for known configurations as of this writing:

Virtualization Product                                              Supports VDC and VMGID
Microsoft Windows Server "8" Beta server with Hyper-V Feature       Yes
Microsoft Windows Server "8" Beta Hyper-V Server                    Yes
Microsoft Windows 8 Consumer Preview with Hyper-V Client Feature    Yes
Microsoft Windows Server 2008 and Windows Server 2008 R2            No
Non-Microsoft virtualization solutions                              Contact vendor

Figure 1

Note:

Even though Microsoft supports Windows 7 Virtual PC, Virtual PC 2007, Virtual PC 2004, and Virtual Server 2005 as of this writing, they are incapable of running 64-bit guests. For help with third party virtualization products and their support stance with VDC, contact that vendor directly.

More Help:

For more information, review Support policy for Microsoft software running in non-Microsoft hardware virtualization software http://support.microsoft.com/kb/897615

Critical Caveats
VDC does not support safe restore of the following:
- VHD and VHDX files manually copied over existing VHD files
- VHD and VHDX files restored using file backup or full disk backup software

Note:

VHDX files are new to Windows Server "8" Beta Hyper-V.

Neither of these operations is a snapshot restoration, and therefore neither invokes the VM-Generation ID process. Restoring domain controllers using these methods could result in a USN rollback and either quarantine the domain controller or introduce lingering objects. If the restoration is older than the tombstone lifetime, this creates the potential for lingering objects and a USN bubble; the bubble is the set of changes that are divergent between the two domain controllers. USN rollback protection does not quarantine the domain controller in this case, potentially leading to lingering objects and the need for forest-wide cleanup operations.
Critical: VDC safe restore is not a replacement for system state backups and the AD DS Recycle Bin. After restoring a snapshot, the deltas of previously un-replicated changes originating from that domain controller after snapshot are permanently lost. Safe restore implements automated non-authoritative restoration to prevent accidental domain controller quarantine only.

More Information:

For more information about USN bubbles and lingering objects, see Troubleshooting Active Directory operations that fail with error 8606: "Insufficient attributes were given to create an object" http://support.microsoft.com/kb/2028495



Virtualized Domain Controller Cloning


There are a number of stages and steps to cloning a virtualized domain controller, regardless of using graphical tools or Windows PowerShell. At a high level, the three stages are:

A. Prepare the environment
   1. Validate that the hypervisor supports VM-Generation ID and therefore, cloning
   2. Create XML and copy it to the source DC
   3. Verify the PDCE FSMO role
B. Prepare the source domain controller
   4. Authorize a domain controller for cloning
   5. Remove incompatible components
   6. Take the source domain controller offline
C. Create the cloned domain controller
   7. Copy or export the source VM and add the XML if not already copied
   8. Create a new virtual machine from the copy
   9. Start the new virtual machine to commence cloning

Because Microsoft only maintains Hyper-V and cannot include steps for third party products like Citrix's Xen or EMC's VMware, this document implements all steps with Windows Server "8" Beta Hyper-V. Contact your vendor for their product-specific steps; Microsoft cannot document them here. There are no procedural differences in the operation when using graphical tools like the Hyper-V Management Console or command-line tools like Windows PowerShell, so the steps are presented only once with both interfaces. This guide provides Windows PowerShell samples for you to explore end-to-end automation of the cloning process; they are not required for any steps. There is no graphical management tool for VDC included in Windows Server "8" Beta. There are several points in the procedure where you have choices for how to create the cloned computer and how you add the XML files; these steps are noted in the details below. The process is otherwise unalterable. The diagram below illustrates the virtualized domain controller cloning process, where the domain already exists.


Figure 2

Important:

- For details on how the cloning process works at first boot, see the Architecture section.
- For issues, see the Troubleshooting section.
- For test lab steps, see Test Lab Guide: Demonstrate Windows Server "8" Beta Virtualized Domain Controller (VDC) http://go.microsoft.com/fwlink/p/?LinkId=237261
- For a step-by-step guide, see the AD DS Virtualization (Cloning and Virtualization safe improvements) guide http://go.microsoft.com/fwlink/p/?LinkID=238316


2012 Microsoft Corporation. All rights reserved.

Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta

All scenarios are described using the following sample conventions:

Note:

The Windows Server "8" Beta forest is corp.contoso.com. Domain controllers are named in the pattern DC1, DC2, etc.

1. Validate the Hypervisor


Ensure the source domain controller is running on a supported hypervisor by reviewing vendor documentation. VDC is hypervisor agnostic and does not require Hyper-V. Review the previous Platform Requirements section in this guide for known VM-Generation ID support.

2. Create XML
The DcCloneConfig.xml file is required for cloning domain controllers. Its contents allow you to specify unique details like the new computer name and IP address. The CustomDCCloneAllowList.xml file is optional unless you install applications or incompatible Windows services on the source domain controller. The files require precise naming, formatting, and placement; otherwise, cloning fails.

Using a Blank DcCloneConfig.xml File


Optionally, you can create a blank DcCloneConfig.xml file. If you provide a blank file, cloning configures the domain controller automatically, using the rules specified in the section DcCloneConfig.XML Definitions and Behaviors below. Otherwise, you must populate that file with valid custom settings.

Using Get-ADDCCloningExcludedApplicationList to Detect Compatibility Issues and Create CustomDCCloneAllowList.xml


The ActiveDirectory Windows PowerShell module contains a new cmdlet in Windows Server "8" Beta:
Get-ADDCCloningExcludedApplicationList

You must run this cmdlet on a source domain controller before cloning it. The cmdlet has no arguments. This cmdlet scans a source computer for applications not listed as allowed with VDC cloning and returns the list; any services or installed programs in that list cause the cloning engine to abort.


In the example below, there are no incompatible services or programs installed.

Figure 3

In this example though, there are incompatibilities detected because of the DHCP service:

Figure 4

In this final example, there are potential incompatibilities because you installed the Microsoft Forefront Endpoint Protection program:

Figure 5

Important:

Microsoft Forefront is not necessarily incompatible with cloning. VDC in Windows Server "8" Beta always assumes that any programs not included with Windows are risky and as a safeguard, forces you to allow them.

The allow list of supported cloneable applications and services is stored in c:\windows\system32\DefaultDCCloneAllowList.XML. See the Appendix for more information.


You must choose to either remove the incompatible applications and components or override the cloning block using the CustomDCCloneAllowList.xml file. For the previous example, where you installed Microsoft Forefront Endpoint Protection, the CustomDCCloneAllowList.xml configuration needed is:
<?xml version="1.0" encoding="utf-8" ?>
<!-- Allow migration of a computer using MSFFEP file -->
<AllowList>
  <Allow>
    <Name>Microsoft Forefront Endpoint Protection</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>Microsoft Antimalware</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>Microsoft Forefront Endpoint Protection 2010 Server Management</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>Microsoft Security Client</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>PrintNotify</Name>
    <Type>Service</Type>
  </Allow>
  <Allow>
    <Name>MsMpSvcy</Name>
    <Type>Service</Type>
  </Allow>
  <Allow>
    <Name>NisSrv</Name>
    <Type>Service</Type>
  </Allow>
</AllowList>

The guide describes the definitions of this XML file and using an XML editor later in this section.


XML Details and Behaviors


Formatting Rules
The DcCloneConfig.xml and CustomDCCloneAllowList.xml files are critical to cloning. Since editing XML files is uncommon for domain administrators and these files are proprietary, it is important to understand the terms and rules around formatting:

Figure 6

1. The file names are not alterable and are:
   DcCloneConfig.xml
   CustomDcCloneAllowList.xml
2. The elements (fields inside of <>) are case-sensitive
3. The element's start and end tags must match
4. The data inside elements are not case-sensitive, but are format-sensitive. For example, you cannot provide the IPv4 address in any form but w.x.y.z, with valid IPv4 integers provided in each octet. Likewise, a computer name must be 15 characters or fewer and use only valid characters
5. Any empty or missing elements are handled automatically during cloning (see the DcCloneConfig.XML Definitions and Behaviors section below)
6. If any element data duplicates the source computer, cloning does not proceed. For example, you cannot set the IP address to match the old computer IP address
7. The XML follows the rules of the included XML schema file c:\windows\system32\DCCloneConfigSchema.xsd
More Information: For explanations of XML terms, review the MSDN XML Glossary: http://msdn.microsoft.com/en-us/library/ms256452(v=VS.110).aspx


Template SampleDcCloneConfig.xml
The following sample is also located at %systemroot%\system32\SampleDCCloneConfig.xml on any Windows Server "8" Beta domain controller.
<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
  <ComputerName></ComputerName>
  <SiteName></SiteName>
  <IPSettings>
    <IPv4Settings>
      <StaticSettings>
        <Address></Address>
        <SubnetMask></SubnetMask>
        <DefaultGateway></DefaultGateway>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <PreferredWINSServer></PreferredWINSServer>
        <AlternateWINSServer></AlternateWINSServer>
      </StaticSettings>
    </IPv4Settings>
    <IPv6Settings>
      <StaticSettings>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
      </StaticSettings>
    </IPv6Settings>
  </IPSettings>
</d3c:DCCloneConfig>


DcCloneConfig.XML Definitions and Behaviors


Each of the elements in the DcCloneConfig.xml describes a unique aspect of the computer. Not providing certain elements may lead to an unfavorable administrative experience, or cause cloning to fail:
| Element | Data | Result if not provided |
|---|---|---|
| SiteName | AD logical site the domain controller joins at promotion | Joins the same site as the source computer being cloned (even for cloned read-only domain controllers) |
| ComputerName | New computer name of the DC | Automatically assigned as the first seven characters of the source computer name, a hyphen, the letters "CL", and an incrementing number from 0001 to 9999 (example: a server named DCWaukeganIL becomes DCWauke-CL0001) |
| Address (within <IPv4Settings> <StaticSettings>) | New IPv4 address of the DC | Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address autoconfiguration (SLAAC) and no IPv4 DHCP is available |
| SubnetMask (within <IPv4Settings> <StaticSettings>) | New IPv4 subnet mask of the IPv4 address | Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address autoconfiguration (SLAAC) and no IPv4 DHCP is available |
| DefaultGateway (within <IPv4Settings> <StaticSettings>) | New IPv4 gateway of the IPv4 address and subnet | Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address autoconfiguration (SLAAC) and no IPv4 DHCP is available |
| DNSResolver (within <IPv4Settings> <StaticSettings>) | IPv4 address of a DNS server. If using multiple entries, in order of primary, secondary, tertiary, etc. | Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address autoconfiguration (SLAAC) and no IPv4 DHCP is available |
| PreferredWINSServer (within <IPv4Settings> <StaticSettings>) | IPv4 address of the primary WINS server | Cloning proceeds |
| AlternateWINSServer (within <IPv4Settings> <StaticSettings>) | IPv4 address of the secondary WINS server | Cloning proceeds |
| DNSResolver (within <IPv4Settings> <DynamicSettings>) | IPv4 address of a DNS server when using DHCP without scope options. If using multiple entries, in order of primary, secondary, tertiary, etc. | Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address autoconfiguration (SLAAC) and no IPv4 DHCP is available |
| PreferredWINSServer (within <IPv4Settings> <DynamicSettings>) | IPv4 address of the primary WINS server when using DHCP without scope options | Cloning proceeds |
| AlternateWINSServer (within <IPv4Settings> <DynamicSettings>) | IPv4 address of the secondary WINS server when using DHCP without scope options | Cloning proceeds |
| DNSResolver (within <IPv6Settings> <DynamicSettings>) | IPv6 address of a DNS server when using DHCP or SLAAC without scope options. If using multiple entries, in order of primary, secondary, tertiary, etc. | Cloning fails if no valid dynamic IPv6 address is set and no IPv4 DHCP is available |

Figure 7

Important:

Cloning does not support using static IPv6 entries in Windows Server "8" Beta. You must use IPv6 DHCP or IPv6 stateless address auto-configuration (SLAAC).

Template CustomDCCloneAllowList.xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- Empty sample CustomDCCloneAllowList.xml file -->
<AllowList>
  <Allow>
    <Name></Name>
    <Type>Service</Type>
  </Allow>
  <Allow>
    <Name></Name>
    <Type>Program</Type>
  </Allow>
</AllowList>

Note:

Post-beta versions of Windows Server "8" Beta may include the ability to generate a CustomDCCloneAllowList.xml populated with all detected non-allow list programs and services. In Windows Server "8" Beta however, you must create this XML file manually.


CustomDCCloneAllowList.XML Definitions
Each of the elements in the CustomDCCloneAllowList.xml describes a service or program. Cloning fails unless you uninstall the offending service or program, or use the CustomDCCloneAllowList.XML to override the detection.
| Element | Data |
|---|---|
| Name | Can contain: the same service name as the SERVICE_NAME returned by SC.EXE QUERY, or a program name as listed in the DisplayName registry value of the subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall |
| Type | Can contain: Service or Program |

Figure 8

Using an XML Editor


There are two XML editors provided by Microsoft:
Visual Studio 2010 Express (free, supported) - Download: http://www.microsoft.com/visualstudio/en-us/products/2010-editions/visualcsharp-express
XML Notepad (free, unsupported) - Download: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7973

Both tools can either create or modify the Dccloneconfig.xml and CustomDCCloneAllowList.xml files safely, if used correctly. In the example below, you see how to create or customize a Dccloneconfig.xml file. You can use the same steps (with one exception noted below) for the CustomDCCloneAllowList.XML file.
Warning: Do not use simple text editors - such as Notepad.exe - that do not understand XML formatting and schema. The XML has strict syntax requirements and is case-sensitive; most mistakes in the XML are fatal to cloning.


Using Visual Studio 2010 Express C#


The VS 2010 Express suite of development tools contains an advanced, built-in XML editor. This guide uses the C# version, but any is acceptable and the steps do not change.
1. Install Visual Studio 2010.
2. Create a new empty project. This contains all your XML files.

Figure 9


Figure 10

3. Enable Expert Settings, using the Tools menu option. This exposes the XML schema later.

Figure 11


4. Using the Project menu, Add New Item and make it an XML file. The name is unimportant, as this is a sample for generating new XML files.

Figure 12

Figure 13


5. Using the XML menu, add the Schema DCCloneConfigSchema.xsd (which you can copy from any Windows Server "8" Beta domain controller's %windir%\system32 directory).

Figure 14

Figure 15

Important:

This is only when creating or editing the DCCloneConfig.xml file. There is no schema file provided for CustomDCCloneAllowList.XML.

6. Paste in sample XML from this guide or from the provided templates and save your file and project. Using the View menu, add the Error List pane.

Note:

All Windows Server "8" Beta domain controllers contain the template XML %windir%\system32\SampleDcCloneConfig.xml. The template CustomDCCloneAllowList.xml is described previously in this guide.

You now have a base XML file to use for all subsequent work. The base dccloneconfig.xml includes the schema, highlights all issues with underlining and explanation, and supports Intellisense modification and autocomplete. You can modify any element for your new clones, make copies, and can save off different versions of the XML for later review. You can also add comments.


For instance, here is a dccloneconfig.xml sample including the computer name, site, and IPv4 information for a new DC. In this instance, the XML element for Address is malformed in one tag (missing an s):

Figure 16


In this instance, the elements are complete, but the case is incorrect (should be uppercase A on Address):

Figure 17

As you can see from these examples, catching these mistakes in a text editor would have been very difficult and would require extraordinary attention to detail. For environments using the full version of Visual Studio 2010 and Team Foundation Server, you can create a source control database to guarantee that all cloning info is tracked and checked in or out, minimizing the chance of duplication between administrators.


Using XML Notepad 2007


The older XML Notepad 2007 utility provides a simpler - albeit less sophisticated - editing experience. This tool runs on Windows 8 Consumer Preview and Windows Server "8" Beta as long as the .NET 3.5.x runtimes are installed (they are not included with the OS by default). It is a free tool; it is not tested or supported by Microsoft Support and is provided strictly "as-is".
1. Install XML Notepad 2007 and launch it.
2. Paste in a sample from SampleDccloneconfig.xml and save the file. Note how XML Notepad hides the XML tags from the reader in the tree view pane and shows the data in the right-hand pane, and how it does not expand the elements by default.

Figure 18


3. Use the View menu to Expand All nodes.

Figure 19

Figure 20


4. Use the View menu to add the c:\windows\system32\DCCloneConfigSchema.xsd, which you can find on any Windows Server "8" Beta domain controller.

Figure 21

Figure 22

You now have a dccloneconfig.xml to use for all subsequent work. It includes the schema, shows all issues in the Error List, and supports a dropdown menu of available elements in a given context. You can modify any element for your new clones and make copies.


For instance, here is a sample including the computer name, site, and IPv4 information for a new DC:

Figure 23


In this instance, the IPV4NetworkConfig Address element is invalid (should have an uppercase A):

Figure 24

Adding XML to the Running Source DC


Placement of the XML files is critical; if the DcCloneConfig.xml does not exist in the correct folder, then cloning does not occur. If the CustomDCCloneAllowList.xml does not exist in the correct folder, cloning may fail due to program or service allow list checking.

DcCloneConfig.xml Location
The following locations can contain the DcCloneConfig.xml file:
1. DSA Working Directory
2. %windir%\NTDS
3. Removable read/write media, in order of drive letter, at the root of the drive


These paths are not configurable. After cloning begins, the cloning engine checks these locations in that specific 1-3 order and uses the first XML file found, regardless of the other folders' contents.

CustomDCCloneAllowList.xml Location
The following locations can contain the CustomDCCloneAllowList.xml file:
1. HKey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters AllowListFolder (REG_SZ)
2. DSA Working Directory
3. %windir%\NTDS
4. Removable read/write media, in order of drive letter, at the root of the drive

After cloning begins, the cloning engine checks these locations in that specific 1-4 order and uses the first XML file found, regardless of the other folders' contents.

Optionally, you can copy the updated XML files to the running source domain controller. There is no harm in copying the files at this stage and restarting the source DC: the original domain controller will not clone, because the VM-Generation ID does not change on the computer until the copied virtual computer boots up and reads its AD DS information. After restarting, the source domain controller renames the clone file, appending a date-time stamp. Copying the XML to the original source domain controller before taking it offline is advisable when cloning only once or when using a blank dccloneconfig.xml file. To copy the file using Windows PowerShell, use the following cmdlet:
Copy-Item

Figure 25

Alternatively, you can copy the XML file to the mounted offline disk copied later in the cloning process below.

Determining the DSA Working Directory


It is critical to note the path to the AD DS database folder while the source domain controller is still online and running, as determining it on an offline domain controller is difficult. The path is stored in the following DSA Working Directory REG_SZ registry value:
HKEY_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters DSA Working Directory


To return the key without manually navigating through Regedit.exe, you can use the following Reg.exe command:
reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /t reg_sz /v "dsa working directory"

Figure 26

You can also use the following Windows PowerShell command:


get-itemproperty -path registry::hklm\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -name "dsa working directory" | format-list "dsa working directory"

Figure 27

You can combine get-itemproperty and copy-item in order to create automation. For example, to copy a remote dccloneconfig.xml to the local DSA working directory:

Figure 28

Note:

Ntdsutil.exe can also provide this information, but requires stopping the NTDS service, which prevents the domain controller from answering requests.
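The following is an added example, not code from the guide, that combines Get-ItemProperty and Copy-Item as described above. It validates a DcCloneConfig.xml against the DCCloneConfigSchema.xsd shipped in system32 before copying it into the DSA Working Directory read from the registry; the source share path and the function name Copy-DcCloneConfig are assumptions.

```powershell
# Added example (not from the guide): validate a DcCloneConfig.xml against the
# schema in %windir%\system32, then copy it into the DSA Working Directory.
function Copy-DcCloneConfig {
    param([Parameter(Mandatory)][string]$SourceXml)   # path to the prepared XML (assumed)

    $schema = Join-Path $env:windir 'system32\DCCloneConfigSchema.xsd'

    # Schema validation catches the tag-name and case mistakes that a plain text
    # editor hides; a malformed file is refused here instead of failing the clone.
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($SourceXml)                      # throws if the XML is not well-formed
    [void]$doc.Schemas.Add($null, $schema)     # $null: use the schema's own targetNamespace
    try {
        $doc.Validate($null)                   # null handler: first schema error throws
    } catch {
        throw "$SourceXml does not match DCCloneConfigSchema.xsd: $($_.Exception.Message)"
    }

    # Read the DSA Working Directory while the DC is still online, as the guide advises.
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsaDir  = (Get-ItemProperty -Path $ntdsKey -Name 'DSA Working Directory').'DSA Working Directory'

    # Cloning searches only for this exact file name; any other name is ignored.
    $target = Join-Path $dsaDir 'DcCloneConfig.xml'
    Copy-Item -Path $SourceXml -Destination $target -Force
    Get-Item -Path $target
}

# Constructed sample call; the share and file name are placeholders.
Copy-DcCloneConfig -SourceXml '\\fileserver\clonecfg\DC3-DcCloneConfig.xml'
```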


3. Verify the PDCE FSMO role


Before you attempt to clone a DC, you must validate that the domain controller hosting the Primary Domain Controller Emulator FSMO runs Windows Server "8" Beta. The PDC emulator (PDCE) is required for several reasons:
1. The PDCE creates the special Cloneable Domain Controllers group and sets its permission on the root of the domain to allow a domain controller to clone itself.
2. The cloning domain controller contacts the PDCE directly using the DRSUAPI RPC protocol, in order to create computer objects.

This also means that when using non-fully routed networks, VDC cloning requires network segments with access to the PDCE. It is acceptable to move a cloned domain controller to a different network after cloning - just like a physical domain controller - as long as you are careful to update the AD DS logical site information.
Important: You cannot clone a domain controller in a domain that contains only that single domain controller. A domain must contain at least two domain controllers and the clone source cannot be the PDC emulator.

Active Directory Users and Computers Method


1. Using the Dsa.msc snap-in, right click the domain and click Operations Masters. Note the domain controller named on the PDC tab and close the dialog.
2. Right click that DC's computer object and click Properties, and then validate the Operating System info.

Windows PowerShell Method


You can combine the following ActiveDirectory Windows PowerShell Module cmdlets to return the version of the PDC emulator:
Get-ADDomainController
Get-ADComputer

If you do not provide the domain, these cmdlets assume the domain of the computer where they run. The following command returns PDCE and Operating System info:
Get-ADComputer (Get-ADDomainController -Discover -Service "PrimaryDC").Name -Properties * | Format-List DNSHostName,OperatingSystem,OperatingSystemVersion


This example below demonstrates specifying the domain name and filtering the returned properties before the Windows PowerShell pipeline:

Figure 29

Validate PDCE Availability


To validate that the PDCE can be located, run the following Dcdiag.exe command from the server you plan to clone:
Dcdiag /test:locatorcheck /v

This returns the DCLocator status of the PDCE. For example:

Figure 30


To validate that the PDCE is accessible through the DRSUAPI RPC protocol, use Nltest.exe /dclist against the PDCE. That test exercises the DsGetDomainControllerInfo function, which is part of DRSUAPI.
Nltest /server:<PDCE> /dclist:<domain>

For example:

Figure 31

Important:

Always perform these tests from a computer on the same network where the clone will reside.

4. Authorize a Source DC
The source domain controller must have the special domain head permission Allow a DC to create a clone of itself. By default, the well-known group Cloneable Domain Controllers has this permission and contains no members. The PDCE creates this group when that FSMO role transfers to a Windows Server "8" Beta domain controller.

Active Directory Administrative Center Method


1. Start Dsac.exe and navigate to the source DC, then open its detail page.
2. In the Member Of section, add the Cloneable Domain Controllers group for that domain.

Windows PowerShell Method


You can combine the following ActiveDirectory Windows PowerShell Module cmdlets to add the source domain controller to the Cloneable Domain Controllers group:
get-adcomputer add-adgroupmember

For instance, this adds server DC1 to the group, without the need to specify the distinguished name of the group member:


Figure 32
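The following is an added example, not code from the guide, that combines steps 3 and 4: it checks the PDCE operating system version, that the domain has at least two domain controllers, that the source is not the PDCE, and that the domain head still grants the clone extended right to Cloneable Domain Controllers, and only then adds the source DC to the group. The function names, the source DC name DC2 and the "6.2 (build)" format of OperatingSystemVersion are assumptions.

```powershell
# Added example (not from the guide): prerequisite checks for steps 3 and 4,
# followed by the group membership change, written against the PDCE.
Import-Module ActiveDirectory

# Extended right "Allow a DC to create a clone of itself"; same GUID the guide's
# permission-rebuild script uses.
$CloneRightGuid = [guid]'3e0f7e18-2c7a-4c10-ba82-4d926db99a3e'

function Test-VdcCloneSource {
    param(
        [Parameter(Mandatory)][string]$SourceDC,         # e.g. DC2 (assumed)
        [string]$DomainName = 'corp.contoso.com'         # the guide's sample forest
    )
    $issues = @()

    # Locate the PDCE with DC Locator and read its OS attributes from AD.
    $pdce   = Get-ADDomainController -Discover -Service PrimaryDC -DomainName $DomainName
    $server = $pdce.HostName[0]
    $pdceComputer = Get-ADComputer -Identity $pdce.Name -Server $server `
        -Properties OperatingSystem, OperatingSystemVersion

    # Windows Server "8" Beta reports kernel version 6.2; assumes the "6.2 (8250)" format.
    $kernel = [version](($pdceComputer.OperatingSystemVersion -split ' ')[0])
    if ($kernel -lt [version]'6.2') {
        $issues += "PDCE $($pdce.Name) runs $($pdceComputer.OperatingSystem); Windows Server 8 Beta is required"
    }

    # A single-DC domain cannot clone, and the clone source cannot be the PDCE.
    $allDCs = @(Get-ADDomainController -Filter * -Server $server)
    if ($allDCs.Count -lt 2) {
        $issues += "domain has only $($allDCs.Count) domain controller; at least two are required"
    }
    if ($SourceDC -eq $pdce.Name) {
        $issues += "$SourceDC is the PDCE and cannot be the clone source"
    }

    # The domain head must still carry the Allow ACE for the group (see Rebuilding
    # Default Permissions); Get-Acl uses the AD: drive created by the module.
    $domain = Get-ADDomain -Server $server
    $group  = Get-ADGroup -Identity 'Cloneable Domain Controllers' -Server $server
    $acl    = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    $hasRight = $acl.Access | Where-Object {
        $_.ObjectType -eq $CloneRightGuid -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$($group.SamAccountName)"
    }
    if (-not $hasRight) {
        $issues += "'Allow a DC to create a clone of itself' is missing for $($group.Name) on $($domain.DistinguishedName)"
    }
    return $issues
}

function Grant-VdcCloneSource {
    param(
        [Parameter(Mandatory)][string]$SourceDC,
        [string]$DomainName = 'corp.contoso.com'
    )
    $issues = Test-VdcCloneSource -SourceDC $SourceDC -DomainName $DomainName
    if ($issues) {
        throw ("Cloning prerequisites not met:`n - " + ($issues -join "`n - "))
    }
    $pdce     = Get-ADDomainController -Discover -Service PrimaryDC -DomainName $DomainName
    $computer = Get-ADComputer -Identity $SourceDC -Server $pdce.HostName[0]
    # The ADComputer object is accepted directly as a member, so no distinguished
    # name is needed; writing to the PDCE avoids waiting for replication.
    Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $computer -Server $pdce.HostName[0]
}

Grant-VdcCloneSource -SourceDC 'DC2'
```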

Rebuilding Default Permissions


If you remove this permission from the domain head, cloning fails. You can recreate the permission using the Active Directory Administrative Center or Windows PowerShell.

Active Directory Administrative Center Method


1. Open Active Directory Administrative Center, right click the domain head, click Properties, click the Extensions tab, click Security, and then click Advanced. Click This Object Only.
2. Click Add, under Enter the object name to select, type the group name Cloneable Domain Controllers.
3. Under Permissions, click Allow a DC to create a clone of itself, and then click OK.

Note:

You can also remove the default permission and add individual domain controllers. Doing so is likely to cause ongoing maintenance problems however, where new administrators are unaware of this customization. Changing the default setting does not increase security and is discouraged.

Windows PowerShell Method


Use the following commands in an administrator-elevated Windows PowerShell console prompt. These commands detect the domain name and add back in the default permissions:
import-module activedirectory
cd ad:
# Detect the domain and the well-known group created by the PDCE
$domainNC = get-addomain
$dcgroup = get-adgroup "Cloneable Domain Controllers"
$sid1 = (get-adgroup $dcgroup).sid
$acl = get-acl $domainNC
# Extended right: Allow a DC to create a clone of itself
$objectguid = new-object Guid 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid1,"ExtendedRight","Allow",$objectguid
$acl.AddAccessRule($ace1)
set-acl -aclobject $acl $domainNC
cd c:

Alternatively, run the sample FixVDCPermissions.ps1 in a Windows PowerShell console, where the console starts as an elevated administrator on a domain controller in the affected domain. It automatically sets the permissions. The sample is located in the appendix of this guide.


Critical:

The source Windows Server "8" Beta domain controller cannot have been previously migrated from FRS to DFSR for SYSVOL. Due to a known incompatibility in Windows Server "8" Beta, doing so will not correctly populate SYSVOL. See the Troubleshooting VDC Cloning section below for more details on this issue. For more information on FRS to DFSR SYSVOL migration, review SYSVOL Replication Migration Guide: FRS to DFS Replication http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx

5. Remove Incompatible applications or services (if not using CustomDCCloneAllowList.xml)


Any programs or services previously returned by Get-ADDCCloningExcludedApplicationList and not added to the CustomDCCloneAllowList.xml must be removed prior to cloning. Uninstalling the application or service is the recommended method.
Critical: Any incompatible programs or services not uninstalled or added to the CustomDCCloneAllowList.xml prevent cloning.

6. Take the Source Domain Controller Offline


You cannot copy a running source DC; it must be shut down gracefully. Do not clone a domain controller stopped by graceless power loss.

Graphical Method
Use the shutdown button within the running DC, or the Hyper-V Manager shutdown button.


Figure 33

Figure 34

Windows PowerShell Method


You can shut down a virtual machine using either of the following cmdlets:
Stop-computer Stop-vm

Stop-computer is a cmdlet that supports shutting down computers regardless of virtualization, and is analogous to the legacy Shutdown.exe utility. Stop-vm is a new cmdlet in the Windows Server "8" Beta Hyper-V Windows PowerShell module, and is equivalent to the power options in Hyper-V Manager. The latter is useful in lab environments where the domain controller often operates on a private virtualized network.


Figure 35

Figure 36


7. Copy Disks
An administrative choice is required in the copying phase:
1. Copying the disks manually, without Hyper-V
2. Exporting the VM, using Hyper-V

All of a virtual machine's disks must be copied, not just the system drive. If the source domain controller uses differencing disks and you plan to move your cloned domain controller to another Hyper-V host, you must export. Copying disks manually is recommended if the source domain controller has only one drive. Export is recommended for VMs with more than one drive or other complex virtualized hardware customizations like multiple NICs. If copying files manually, delete any snapshots prior to copying. If exporting the VM, delete snapshots prior to exporting or from the new VM after importing.
Critical: Snapshots are differencing disks that can return a domain controller to a previous state. If you were to clone a domain controller and then restore its pre-cloning snapshot, you would end up with duplicate domain controllers in the forest. There is no value in prior snapshots on a newly cloned domain controller. Once cloned, the source domain controller can create a new snapshot.


Manually Copying Disks


Hyper-V Manager Method
Use the Hyper-V Manager snap-in to determine which disks are associated with the source domain controller. Use the Inspect option to validate whether the domain controller uses differencing disks (which requires that you copy the parent disk also).

Figure 37


To delete snapshots, select a VM and delete the snapshot subtree.

Figure 38

You can then manually copy the VHD or VHDX files using Windows Explorer, Xcopy.exe, or Robocopy.exe. No special steps are required. It is a best practice to change the file names even if moving to another folder.
Note:

If copying between host computers on a LAN (1-Gbit or greater), the Xcopy.exe /J option copies VHD/VHDX files considerably faster than any other tool, at the cost of much greater bandwidth usage.

Windows PowerShell Method


To determine the disks using Windows PowerShell, use the Hyper-V Modules:
Get-vmidecontroller Get-vmscsicontroller Get-vmfibrechannelhba Get-vmharddiskdrive


For example, you can return all IDE hard drives from a VM named DC2 with the following sample:

Figure 39

If the disk path points to an AVHD or AVHDX file, it is a snapshot. To delete the snapshots associated with a disk and merge in the real VHD or VHDX, use cmdlets:
Get-VMSnapshot Remove-VMSnapshot

For example, to delete all snapshots from a VM named DC2-SOURCECLONE:

To copy the files using Windows PowerShell, use the following cmdlet:
Copy-Item


Combine with VM cmdlets in pipelines to aid automation. The pipeline is a channel used between multiple cmdlets to pass data. For example, to copy the drive of an offline source domain controller named DC2-SOURCECLONE to a new disk called c:\temp\copy.vhd without the need to know the exact path to its system drive:

Important:

You cannot use passthru disks with VDC cloning, as they do not use a virtual disk file but instead an actual hard disk.
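The following is an added example, not code from the guide, that automates the manual-copy path described above with the Hyper-V module cmdlets: it refuses to run while the VM is on, while snapshots remain, or when a passthru or differencing disk is attached, and otherwise copies every attached VHD/VHDX (not just the system drive) under a new file name. The function name, the VM name DC2-SOURCECLONE and the destination folder are assumptions.

```powershell
# Added example (not from the guide): copy all virtual disks of an offline
# source DC, enforcing the snapshot, differencing-disk and passthru caveats.
Import-Module Hyper-V

function Copy-VdcSourceDisks {
    param(
        [Parameter(Mandatory)][string]$VMName,        # e.g. DC2-SOURCECLONE (assumed)
        [Parameter(Mandatory)][string]$Destination    # folder for the copies (assumed)
    )
    $vm = Get-VM -Name $VMName
    if ($vm.State -ne 'Off') {
        throw "$VMName is $($vm.State); shut it down gracefully before copying (step 6)"
    }

    # Snapshots go first: a restored pre-clone snapshot would yield duplicate DCs.
    $snaps = @(Get-VMSnapshot -VMName $VMName)
    if ($snaps.Count -gt 0) {
        throw "$VMName still has $($snaps.Count) snapshot(s); remove them with Remove-VMSnapshot first"
    }

    # Get-VMHardDiskDrive returns disks on every IDE and SCSI controller.
    $disks = @(Get-VMHardDiskDrive -VMName $VMName)
    if ($disks.Count -eq 0) { throw "$VMName has no virtual hard disks attached" }

    foreach ($d in $disks) {
        $slot = "$($d.ControllerType) $($d.ControllerNumber):$($d.ControllerLocation)"
        if (-not $d.Path) {
            throw "disk at $slot is a passthru disk; VDC cloning cannot use it"
        }
        if ($d.Path -match '\.avhdx?$') {
            throw "disk at $slot ($($d.Path)) is still a snapshot differencing file"
        }
        $vhd = Get-VHD -Path $d.Path
        if ($vhd.VhdType -eq 'Differencing') {
            throw "disk at $slot has parent $($vhd.ParentPath); export the VM instead of copying"
        }
    }

    if (-not (Test-Path -Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    foreach ($d in $disks) {
        $slot = "$($d.ControllerType) $($d.ControllerNumber):$($d.ControllerLocation)"
        # New file name, so the copy is never mistaken for the source disk.
        $name = [IO.Path]::GetFileNameWithoutExtension($d.Path) + '-clone' + [IO.Path]::GetExtension($d.Path)
        $target = Join-Path $Destination $name
        Copy-Item -Path $d.Path -Destination $target
        [pscustomobject]@{ Slot = $slot; Source = $d.Path; Copy = $target }
    }
}

Copy-VdcSourceDisks -VMName 'DC2-SOURCECLONE' -Destination 'C:\VDC\DC3-disks'
```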

More Information:

For more information about more Windows PowerShell operations with pipelines, see Piping and the Pipeline in Windows PowerShell http://technet.microsoft.com/en-us/library/ee176927.aspx

Exporting the VM
As an alternative to copying the disks, you can export the entire Hyper-V VM as a copy. Exporting automatically creates a folder named for the VM and containing all disks and configuration information.

Figure 40


Hyper-V Manager Method


To export a VM with Hyper-V Manager:
1. Right click the source domain controller and click Export
2. Select an existing folder as the export container
3. Wait for the Status column to stop showing Exporting

Windows PowerShell Method


To export a VM using the Hyper-V Windows PowerShell module, use the cmdlet:
Export-VM

For example, to export a VM named DC2-SOURCECLONE to a folder named C:\VM:

Figure 41

Adding XML to the Offline System Disk


If you did not copy the Dccloneconfig.xml to the running source DC, you must copy the updated dccloneconfig.xml file to the offline copied/exported system disk now. Depending on installed applications detected with Get-ADDCCloningExcludedApplicationList earlier, you may also need to copy the CustomDCCloneAllowList.xml file to the disk.

The following locations can contain the DcCloneConfig.xml file:
1. DSA Working Directory
2. %windir%\NTDS
3. Removable read/write media, in order of drive letter, at the root of the drive

These paths are not configurable. After cloning begins, the cloning process checks these locations in that specific order and uses the first XML file found, regardless of the other folders' contents.

The following locations can contain the CustomDCCloneAllowList.xml file:
1. HKey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters, value AllowListFolder (REG_SZ)
2. DSA Working Directory
3. %windir%\NTDS
4. Removable read/write media, in order of drive letter, at the root of the drive


Windows Explorer Method


Windows Server "8" Beta now offers a graphical option for mounting VHD and VHDX files:
1. Click the newly copied VHD/VHDX file that contains the source DC's system drive or DSA Working Directory location folder, and then click Mount from the Disc Image Tools menu
2. In the now-mounted drive, copy the XML files to a valid location. You may be prompted for permissions to the folder
3. Click the mounted drive and click Eject from the Disk Tools menu

Figure 42


Figure 43

Figure 44


Windows PowerShell Method


Alternatively, you can mount the offline disk and copy the XML file using the Windows PowerShell cmdlets:
Mount-VHD
Get-Disk
Get-Partition
Get-Volume
Add-PartitionAccessPath
Copy-Item

This gives you complete control over the process. For instance, the drive can be mounted with a specific drive letter, the file copied, and the drive dismounted:
mount-vhd <disk path> -passthru -nodriveletter | get-disk | get-partition | get-volume | get-partition | Add-PartitionAccessPath -accesspath <drive letter>
copy-item <xml file path> <destination path>\dccloneconfig.xml
dismount-vhd <disk path>

For example:

Figure 45
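The same mount, copy and dismount sequence as an added example script (not from the guide) that finds the partition holding Windows\NTDS on the offline disk, copies both XML files there, and always dismounts the VHD even if the copy fails; the VHD path and XML folder are placeholder assumptions.

```powershell
# Added example (not from the guide): place dccloneconfig.xml (and CustomDCCloneAllowList.xml if
# present) into %windir%\NTDS on an offline system disk. $VhdPath and $XmlFolder are placeholders.
param(
    [string]$VhdPath   = 'C:\temp\copy.vhd',
    [string]$XmlFolder = 'C:\temp\clonexml'   # assumed staging folder holding the XML files
)

$config = Join-Path $XmlFolder 'dccloneconfig.xml'
if (-not (Test-Path $config)) { throw "No dccloneconfig.xml found in $XmlFolder" }

# Mount without an automatic drive letter; the letter is assigned only to the partition we want.
$disk = Mount-VHD -Path $VhdPath -NoDriveLetter -Passthru | Get-Disk
try {
    $target = $null
    foreach ($part in ($disk | Get-Partition)) {
        # Reserved/system partitions may refuse a letter; skip those and keep looking.
        $part | Add-PartitionAccessPath -AssignDriveLetter -ErrorAction SilentlyContinue
        $letter = (Get-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber).DriveLetter
        if (-not $letter) { continue }
        # %windir%\NTDS is the default DSA Working Directory and a searched location for the XML.
        $candidate = "${letter}:\Windows\NTDS"
        if (Test-Path $candidate) { $target = $candidate; break }
    }
    if (-not $target) { throw "No Windows\NTDS folder found on $VhdPath; is this the system disk?" }

    Copy-Item -Path $config -Destination $target
    $allowList = Join-Path $XmlFolder 'CustomDCCloneAllowList.xml'
    if (Test-Path $allowList) { Copy-Item -Path $allowList -Destination $target }

    # Show what the clone will find at boot.
    Get-ChildItem -Path $target -Filter '*.xml'
}
finally {
    # Dismount whether or not the copy succeeded so the disk is never left mounted on the host.
    Dismount-VHD -Path $VhdPath
}
```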


8. Create the New Virtual Machine


The final configuration step before starting the cloning process is creating a new VM that uses the disks from the copied source domain controller. Depending on the selection made in the copying disks phase, you have two options:
1. Associate a new VM with the copied disk
2. Import the exported VM

Associating a New VM with Copied Disks


If you copied the system disk manually, you must create a new virtual machine using the copied disk. The hypervisor automatically sets the VM-Generation ID for copied disks; no configuration changes are required in the VM or Hyper-V host.

Hyper-V Manager Method

Figure 46


1. Create a new virtual machine
2. Specify the VM name, memory, and network
3. On the Connect Virtual Hard Disk page, specify the copied system disk.
4. Complete the wizard to create the VM.

If there were multiple disks, NICs, or other customizations, configure them before starting the domain controller. The "Export-Import" method of copying disks is recommended for complex VMs.

Windows PowerShell Method


You can use the Hyper-V Windows PowerShell module to automate VM creation in Windows Server "8" Beta, using the following cmdlet:
New-VM

For example, here the DC4-CLONEDFROMDC2 VM is created, using 1GB of RAM, booting from the c:\vm\dc4-systemdrive-clonedfromdc2.vhd file, and using the 10.0 virtual network:

Figure 47

Import VM
If you previously exported your VM, you now need to import it back in as a copy. This uses the exported XML to recreate the computer using all the previous settings, drives, networks, and memory settings.
Important: It is important to use the Copy option, as export preserves all information from the source; importing the server with Move or In Place causes information collision if done on the same Hyper-V host server.


Hyper-V Manager Method


To import using the Hyper-V Manager snap-in:
1. Click Import Virtual Machine
2. On the Locate Folder page, select the exported VM definition file using the Browse button
3. On the Select Virtual Machine page, click the source computer.
4. On the Choose Import Type page, click Copy the virtual machine (create a new unique ID), then click Finish
5. Rename the imported VM if importing on the same Hyper-V host; it will have the same name as the exported source domain controller.

Figure 48


Figure 49

Figure 50


Remember to remove any imported snapshots, using the Hyper-V Management snap-in:

Figure 51

Critical:

Deleting any imported snapshots is critically important; if applied, they would return the cloned domain controller to the state of a previous - and possibly live - DC, leading to replication failure, duplicate IP information, and other disruptions.


Windows PowerShell Method


You can use the Hyper-V Windows PowerShell module to automate VM import in Windows Server "8" Beta, using the following cmdlets:
Import-VM
Rename-VM

For example, here the exported VM DC2-CLONED is imported using its automatically determined XML file, then renamed immediately to its new VM name DC5CLONEDFROMDC2:

Figure 52

Remember to remove any imported snapshots, using the following cmdlets:
Get-VMSnapshot
Remove-VMSnapshot

For example:

Figure 53

Critical:

Deleting any imported snapshots is critical; if applied, they would return the cloned domain controller to the state of a previous - and possibly live - DC, leading to replication failure, duplicate IP information, and other disruptions.
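The import, rename and snapshot clean-up steps above as one added example script (not from the guide): it imports the exported VM as a copy with a new ID, renames it, deletes every imported snapshot, and refuses to hand the VM back while any differencing disk remains; the export folder and new name are placeholder assumptions.

```powershell
# Added example (not from the guide): import an exported source DC as a copy and strip its snapshots.
# $ExportFolder and $NewName are placeholders.
param(
    [string]$ExportFolder = 'C:\VM\DC2-SOURCECLONE',
    [string]$NewName      = 'DC5-CLONEDFROMDC2'
)

# Export-VM writes the VM definition as "Virtual Machines\<GUID>.xml" inside the export folder.
$definition = Get-ChildItem -Path (Join-Path $ExportFolder 'Virtual Machines') -Filter '*.xml' |
    Select-Object -First 1
if (-not $definition) { throw "No VM definition XML found under $ExportFolder" }

# -Copy -GenerateNewId is the "Copy the virtual machine (create a new unique ID)" import type,
# so importing on the same host as the source does not collide with it.
$vm = Import-VM -Path $definition.FullName -Copy -GenerateNewId
$vm = Rename-VM -VM $vm -NewName $NewName -Passthru

# Imported snapshots would roll the clone back to the source DC's (possibly live) state.
$snapshots = Get-VMSnapshot -VM $vm
if ($snapshots) {
    Write-Warning "$NewName has $($snapshots.Count) imported snapshot(s); removing them."
    $snapshots | Remove-VMSnapshot
    # Removal starts a background merge; wait until no drive path is an AVHD/AVHDX any more.
    while ((Get-VMHardDiskDrive -VM $vm).Path -match '\.avhdx?$') {
        Start-Sleep -Seconds 5
    }
}

# Final check before the VM is ever started: no snapshot chain may remain.
if ((Get-VMHardDiskDrive -VM $vm).Path -match '\.avhdx?$') {
    throw "$NewName still has differencing disks; do not start it until they are merged."
}
$vm
```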


9. Clone the New Virtual Machine


Optionally, before you begin cloning, turn the offline clone source domain controller back on. Ensure that the PDC emulator is online, regardless. To begin cloning, simply start the new virtual machine. The process initiates automatically and the domain controller reboots automatically after cloning is complete.
Important: Keeping domain controllers turned off for an extended period of time is not recommended and if the clone is joining the same site as its source DC, the initial intra and inter-site replication topology may take longer to build if the source domain controller is offline.

Figure 54

If using Windows PowerShell to start a VM, the new Hyper-V Module cmdlet is:
Start-VM


For example:

Figure 55

Once the computer restarts after cloning completes, it is a domain controller and you can log on normally to confirm normal operation. If there are any errors, the server boots into DS Restore Mode for investigation. See the Troubleshooting section below if that occurs.


Virtualized Domain Controller Safe Restore


Unlike virtualized domain controller cloning, Windows Server "8" Beta VDC safe restore has no configuration steps. The feature works without intervention as long as you meet some simple conditions:
1. The hypervisor supports VM-Generation ID
2. There is a valid partner domain controller that a restored domain controller can replicate changes from non-authoritatively

Validate the Hypervisor


Ensure the source domain controller is running on a supported hypervisor by reviewing vendor documentation. VDC is hypervisor agnostic and does not require Hyper-V. Review the previous Platform Requirements section in this guide for known VM-generation ID support.

Validate the Replication Topology


VDC safe restore initiates non-authoritative inbound replication of the delta of AD replication as well as non-authoritative resynchronization of all SYSVOL contents. This ensures the domain controller returns from a snapshot with full functionality and all object knowledge. With this new capability come several requirements and limitations:
1. A restored domain controller must be able to contact a writable DC
2. All domain controllers in a domain must not be restored simultaneously
3. Any changes originating from a restored domain controller that have not yet replicated outbound since the snapshot was taken are lost forever

While the troubleshooting section covers these scenarios, details below ensure you do not create a dangerous topology.

Writable Domain Controller Contact


If restored, a domain controller must have connectivity to a writable domain controller; a read-only domain controller cannot send the delta of updates. The topology is likely correct for this already, as a writable domain controller always needed a writable partner. However, if all writable domain controllers are restoring simultaneously, none of them can find a valid source. The same goes if the writable domain controllers are offline for maintenance or otherwise unreachable through the network.


Simultaneous Restore
Do not restore all domain controllers in a single domain simultaneously. If all snapshots restore at once, AD replication works normally but SYSVOL replication halts. The restore architecture of FRS and DFSR requires setting their replica instance to non-authoritative sync mode. If all domain controllers restore at once, and each domain controller marks itself non-authoritative for SYSVOL, they all then try to synchronize group policies and scripts from an authoritative partner; at that point, though, all partners are also non-authoritative.
Important: If all domain controllers are restored at once, use the following articles to set one domain controller - typically the PDC emulator - as authoritative, so that the other domain controllers can return to normal operation:
Using the BurFlags registry key to reinitialize File Replication Service replica sets - http://support.microsoft.com/kb/290762
How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS) - http://support.microsoft.com/kb/2218556

Warning:

Do not run all domain controllers in a forest or domain on the same hypervisor host. That introduces a single point of failure that cripples AD DS, Exchange, SQL, and other enterprise operations each time the hypervisor goes offline. This is no different from using only one domain controller for an entire domain or forest. Multiple domain controllers on multiple platforms are simple prudence in a modern IT environment, just like fire and flood insurance.

Post-Snapshot Replication
Do not restore snapshots until all locally originating changes made since snapshot creation have replicated outbound. Any original changes are lost forever if other domain controllers did not already receive them through replication. Use Repadmin.exe to show any un-replicated outbound changes between a domain controller and its partners:
1. Return the DC's partner names and DSA Object GUIDs with:
Repadmin.exe /showrepl <DC Name of the partner> /repsto

2. Return the pending inbound replication of the partner domain controller to the domain controller to be restored:
Repadmin.exe /showchanges <Name of partner DC> <DSA Object GUID of the domain controller being restored> <naming context to compare>

Alternatively, just to see the count of un-replicated changes:
Repadmin.exe /showchanges <Name of partner DC> <DSA Object GUID of the domain controller being restored> <naming context to compare> /statistics


For example (with output modified for readability), here you look at the replication partnerships of DC4:

C:\>repadmin.exe /showrepl dc4.corp.contoso.com /repsto

Default-First-Site-Name\DC4
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 5d083398-4bd3-48a4-a80d-fb2ebafb984f
DSA invocationID: 730fafec-b6d4-4911-88f2-5b64e48fc2f1

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

DC=corp,DC=contoso,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: f62978a8-fcf7-40b5-ac00-40aa9c4f5ad3
        Last attempt @ 2011-11-11 15:04:12 was successful.
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 3019137e-d223-4b62-baaa-e241a0c46a11
        Last attempt @ 2011-11-11 15:04:15 was successful.

Now you know that it is replicating with DC2 and DC3. You then show the list of changes that DC2 states it still does not have from DC4, and see that there is one new group:
C:\>repadmin /showchanges dc2.corp.contoso.com 5d083398-4bd3-48a4-a80d-fb2ebafb984f dc=corp,dc=contoso,dc=com

==== SOURCE DSA: (null) ====
Objects returned: 1
(0) add CN=newgroup4,CN=Users,DC=corp,DC=contoso,DC=com
    1> parentGUID: 55fc995a-04f4-4774-b076-d6a48ac1af99
    1> objectGUID: 96b848a2-df1d-433c-a645-956cfbf44086
    2> objectClass: top; group
    1> instanceType: 0x4 = ( WRITE )
    1> whenCreated: 11/11/2011 3:03:57 PM Eastern Standard Time

You would also test the other partner to ensure that it had not already replicated. Alternatively, if you did not care which objects had not replicated and only cared that any objects were outstanding, you can use the /statistics option:
C:\>repadmin /showchanges dc2.corp.contoso.com 5d083398-4bd3-48a4-a80d-fb2ebafb984f dc=corp,dc=contoso,dc=com /statistics

***********************************************
********* Grand total *************************
Packets:              1
Objects:              1
Object Additions:     1
Object Modifications: 0
Object Deletions:     0
Object Moves:         0
Attributes:           12
Values:               13


Important:

Test all writable partners if you see any failures or outstanding replication. As long as at least one is converged, it is generally safe to restore the snapshot, as transitive replication eventually reconciles the other servers. Be sure to note any errors in replication shown by /showchanges as well and do not proceed until they are fixed.
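The pre-restore check above, automated as an added example (not from the guide): it reads the DC's DSA object GUID and outbound partners from repadmin /showrepl /repsto, then asks every partner for its /showchanges /statistics count per naming context. The host name is a placeholder, and the parsing assumes repadmin's text layout as shown in the lab output above.

```powershell
# Added example (not from the guide): report un-replicated outbound changes before a snapshot restore.
# $DcToRestore is a placeholder; the regular expressions assume repadmin's output layout.
param(
    [string]$DcToRestore = 'dc4.corp.contoso.com'
)

function Get-PendingOutboundChanges {
    param([string]$Dc)

    $repsTo = repadmin.exe /showrepl $Dc /repsto 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "repadmin /showrepl failed for ${Dc}: $($repsTo.Trim())" }

    # The first "DSA object GUID:" line belongs to the DC itself; partners come later.
    $guidPattern = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
    $m = [regex]::Match($repsTo, "(?i)DSA object GUID:\s*($guidPattern)")
    if (-not $m.Success) { throw "Could not read the DSA object GUID of $Dc" }
    $dsaGuid = $m.Groups[1].Value

    $results = @()
    $nc = $null
    foreach ($line in ($repsTo -split "`r?`n")) {
        # Naming context headers look like "DC=corp,DC=contoso,DC=com" or "CN=Configuration,DC=...".
        if ($line -match '^\s*(DC=|CN=)\S+$') { $nc = $line.Trim(); continue }
        # Partner lines look like "    Default-First-Site-Name\DC3 via RPC".
        if ($nc -and $line -match '^\s*[^\\\s]+\\(?<partner>\S+)\s+via\s+RPC') {
            $partner = $Matches.partner
            # Ask the partner how much it still lacks from the DC being restored.
            $stats = repadmin.exe /showchanges $partner $dsaGuid $nc /statistics 2>&1 | Out-String
            $failed = ($LASTEXITCODE -ne 0)
            $objects = if ($stats -match 'Grand total[\s\S]*?Objects:\s+(\d+)') { [int]$Matches[1] } else { -1 }
            $results += [pscustomobject]@{
                Partner        = $partner
                NamingContext  = $nc
                PendingObjects = $objects
                Error          = if ($failed) { $stats.Trim() } else { $null }
            }
        }
    }
    return $results
}

$pending = Get-PendingOutboundChanges -Dc $DcToRestore
$pending | Format-Table -AutoSize

# Any error or any non-zero count means originating changes would be lost by a restore.
if ($pending | Where-Object { $_.Error -or $_.PendingObjects -ne 0 }) {
    Write-Warning "Do not restore $DcToRestore yet: un-replicated changes or replication errors remain."
} else {
    Write-Output "All partners have converged with $DcToRestore; no originating changes would be lost."
}
```

Partner names are used exactly as repadmin prints them after the site name, so they must resolve from the machine running the script.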

Windows PowerShell Snapshot Cmdlets


The following Windows PowerShell Hyper-V module cmdlets provide snapshot capabilities in Windows Server "8" Beta:
Checkpoint-VM
Export-VMSnapshot
Get-VMSnapshot
Remove-VMSnapshot
Rename-VMSnapshot
Restore-VMSnapshot

Further Recommendations
VDC safe restore requires administrative responsibility; you can still configure virtualized domain controllers in ways that prevent use of safe restore. Review the following best practices to ensure reliable operation.

Do not use snapshots in lieu of frequent system state backups and the AD Recycle Bin. A snapshot does not preserve changes originating from the DC; it merely prevents replication quarantine. Objects created, modified, or deleted since the snapshot are lost forever if they were not successfully replicated outbound before the restore. Safe restore is a safeguard for administrators when used in production so that restoring a snapshot does not instantly quarantine domain controllers or introduce lingering objects. This is a very real risk in previous virtualization environments, where the hypervisor admins may not have deep knowledge of domain administration or multimaster replication technologies. Limit intentional use of snapshots on domain controllers to test environments whenever possible.

Do not restore snapshots of a VM from before it was a domain controller. Once promoted to a DC, you must delete all previous snapshots immediately. If a snapshot restores to when a domain controller was a member server and there are no later domain controller snapshots, you must either re-promote the domain controller and re-attach it to its existing computer account, or perform metadata cleanup of the domain controller and then re-promote it.

Domain controllers should not point to themselves for primary DNS. While Microsoft has been stating this in best practice analyzer tools and online documentation for years, many customers still believe otherwise. If a domain controller points to itself for DNS and restores to a point in time where it did not have knowledge of other domain controllers or where the current domain controllers did not exist, it cannot source from them. Because the domain controller points to a responsive DNS service, it will not try other servers. This is especially likely when restoring the oldest domain controller in a forest root domain, which may have no knowledge of any domain controller but itself in a very old snapshot.

Do not host all virtual domain controllers on a single hypervisor; this introduces a single point of failure in the AD DS environment, even when clustered.


Troubleshooting
Introduction
The most important way to improve your troubleshooting skills is to build a test lab and rigorously examine normal, working scenarios. If you encounter errors, they are more obvious and more easily understood, since you then have a solid foundation of how domain controller promotion works. This also allows you to build your analysis and network analysis skills. This goes for all distributed systems technologies, not just VDC deployment. This lab does not even have to be in the office - Microsoft provides reasonably priced TechNet subscriptions that allow anyone to run any software without time limits. With free virtualization the norm, it is easy to configure any test environment you need.
More Information: For more information about TechNet subscriptions, see: http://technet.microsoft.com/en-us/subscriptions/default.aspx

The critical elements to advanced troubleshooting of domain controller configuration are:
1. Linear analysis combined with focus and attention to detail
2. Understanding network capture analysis
3. Understanding the built-in logs

To solve the most complex domain controller promotion issues, you must master all three. The first and second are beyond the scope of this guide, but the third can be explained in some detail. Virtualized domain controller troubleshooting requires a logical and linear method. The key is to approach the issue using the data provided and only resort to complex tools and analysis when you have exhausted the provided output and logging.

Troubleshooting VDC Cloning


The troubleshooting strategy for VDC cloning follows this general format (see Figure 56):


Figure 56


Tools for Troubleshooting


Logging Options
The built-in logs are the most important tool for troubleshooting issues with domain controller cloning. All of these logs are enabled and configured for maximum verbosity, by default.
Operation   Log
Cloning     Event viewer\Windows logs\System
            Event viewer\Applications and services logs\Directory Service
            %systemroot%\debug\dcpromo.log
Promotion   %systemroot%\debug\dcpromo.log
            Event viewer\Applications and services logs\Directory Service
            Event viewer\Windows logs\System
            Event viewer\Applications and services logs\File Replication Service
            Event viewer\Applications and services logs\DFS Replication

Tools and Commands for Troubleshooting Domain Controller Configuration


To troubleshoot issues not explained by the logs, use the following tools as a starting point:
Dcdiag.exe
Repadmin.exe
Network Monitor 3.4 (or a third party network capture and analysis tool)

More Information:

For more information and downloads, see Netmon: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=4865


General Methodology for Troubleshooting Domain Controller Cloning


1. Is the VM booting into DS Repair Mode?
   a. Examine the System and Directory Services event logs and the dccloneconfig.xml and CustomDCCloneAllowList.xml files
      i. Does an incompatible application need to be in the CustomDCCloneAllowList.xml allow list? Does the CustomDCCloneAllowList.xml contain valid entries?
      ii. Is the IP address or computer name either duplicated or invalid in the dccloneconfig.xml?
      iii. Is the AD site invalid in the dccloneconfig.xml?
      iv. Is the IP address not set in the dccloneconfig.xml while no DHCP server is available?
      v. Is the PDC emulator online and available through the RPC protocol?
      vi. Is the domain controller a member of the Cloneable Domain Controllers group? Is the permission Allow a DC to create a clone of itself set on the domain root for that group?
      vii. Does the dccloneconfig.xml file contain syntax errors that prevent correct parsing?
      viii. Is the hypervisor supported?
      ix. Did domain controller promotion fail after cloning began successfully?
      x. Was the maximum number of auto-generated domain controller names (9999) exceeded?
   b. Examine the Dcpromo.log.
      i. Did initial cloning steps succeed but domain controller promotion fail?
      ii. Do errors indicate issues with the local domain controller or with the AD DS environment, such as errors returned from the PDCE?
2. Is the VM booting into normal mode without cloning?
   a. Is there a dccloneconfig.xml file in one of the allowed locations?
3. Is the VM booting into normal mode and cloning completing, but the domain controller is not functioning correctly?
   a. Does the domain controller have the same IP address as the source domain controller (taken from the dccloneconfig.xml) because the source domain controller was offline during cloning?
   b. If the domain controller is advertising, treat the issue as any normal post-promotion issue you would have without cloning.
   c. If the domain controller is not advertising, examine the Directory Services, System, Application, File Replication and DFS Replication event logs for post-promotion errors.

Disabling DSRM Boot


Once booted into DSRM due to any error, a clone does not return to normal mode on its own on the next reboot; you must remove the DS Restore Mode boot flag in order to try cloning again. All of these steps require running as an elevated administrator.

Removing DSRM with Msconfig.exe


To turn DSRM boot off graphically, use the System Configuration tool:
1. Run msconfig.exe
2. On the Boot tab, under Boot Options, de-select Safe boot (it is already selected with the option Active Directory repair enabled)
3. Click OK and restart when prompted

Removing DSRM with Bcdedit.exe


To turn DSRM boot off from the command line, use the Boot Configuration Data Store Editor:
1. Open a CMD prompt and run:
Bcdedit.exe /deletevalue safeboot

2. Restart the computer with:
Shutdown.exe /r /t 0

Note:

Bcdedit.exe also works in a Windows PowerShell console. The commands there are:
Bcdedit.exe /deletevalue safeboot
Restart-Computer

Important:

Contact Microsoft Beta Product Support when you have exhausted these avenues.


Troubleshooting Specific Problems


Events
All VDC cloning events write to the System and Directory Services event log of the clone domain controller VM. The Application, File Replication Service, and DFS Replication event logs may also contain useful troubleshooting information for failed cloning. Below are the Windows Server "8" Beta cloning-specific events in the System and Directory Services event logs, with notes and suggested resolutions for errors.
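As an added example (not from the guide) covering both the methodology above (is the VM in DS Repair Mode, and what do the logs say?) and the event list that follows, this script reads the safeboot flag from the current BCD entry and collects the cloning-specific events from the System and Directory Service logs. The log names, provider names and event ID range are the ones this guide documents; the text layout parsed from bcdedit output is an assumption.

```powershell
# Added example (not from the guide): first-pass triage of a clone that came up in DSRM.
# Run elevated on the clone. Parsing of bcdedit's text output is an assumption.

function Get-DsrmBootFlag {
    # A "safeboot  DsRepair" line in the current boot entry means the next boot lands in DSRM.
    $entry = bcdedit.exe /enum '{current}' 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (run elevated): $($entry.Trim())" }
    if ($entry -match '(?im)^\s*safeboot\s+(\S+)') { return $Matches[1] }
    return $null
}

function Get-VdcCloningEvents {
    param([int]$MaxEvents = 100)
    # System log: the DSROLE-Server cloning events documented in this guide (29218 through 29266).
    $system = Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents $MaxEvents -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DirectoryServices-DSROLE-Server'
        ID           = 29218..29266
    }
    # Directory Service log: event 2160 and the other cloning events from the AD DS provider.
    $ds = Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents $MaxEvents -FilterHashtable @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
    } | Where-Object { $_.Message -match 'virtual domain controller clon' }

    # One timeline across both logs, with only the first line of each message for readability.
    @($system) + @($ds) | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

$flag = Get-DsrmBootFlag
if ($flag) {
    Write-Warning "safeboot is '$flag': cloning failed and the VM is in DS Restore Mode. Fix the logged error, then run 'Bcdedit.exe /deletevalue safeboot' and restart to retry cloning."
} else {
    Write-Output 'No safeboot flag set; the clone is configured for a normal boot.'
}

$events = Get-VdcCloningEvents
if (-not $events) {
    Write-Output 'No cloning events found; check that dccloneconfig.xml was placed in a searched location.'
}
$events | Format-Table -AutoSize -Wrap
```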

System event log


Event ID: 29218
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: Virtual domain controller cloning failed. The cloning operation could not be completed and a reboot of the cloned machine into DSRM was requested. Please check previous events logged in System event logs and %systemroot%\debug\dcpromo.log for more information on errors that correspond to the virtual domain controller cloning attempt. Please fix the error and reboot into normal mode. Upon reboot, the cloning operation will be re-initiated. Details on virtual domain controller clone errors can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution: Review the System and Directory Services event logs and the dcpromo.log for further details on why cloning failed.

Event ID: 29248
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: Virtual domain controller cloning failed to obtain Winlogon Notification. The returned error code is %1 (%2). For more information on this error, please review %systemroot%\debug\dcpromo.log for errors that correspond to the virtual domain controller cloning attempt. Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution: Contact Microsoft Beta Product Support.


Event ID: 29249
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: Virtual domain controller cloning failed to parse virtual domain controller configuration file. The returned HRESULT code is %1. The configuration file is:%2 Please fix the errors in the configuration file and retry the cloning operation. For more information about this error, please see %systemroot%\debug\dcpromo.log. Details on virtual domain controller clone configuration file can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution: Examine the dccloneconfig.xml file for syntax errors using an XML editor and the DCCloneConfigSchema.xsd schema file.

Event ID: 29250
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: Virtual domain controller cloning failed. There are software, services, or tasks currently enabled on the cloned machine that are not present in the allowed application list for virtual domain controller cloning. The cloning operation cannot be completed if there are non-cloneable applications installed. Please run Active Directory Powershell Cmdlet Get-ADDCCloningExcludedApplicationList to check which applications are installed on the cloned machine, but not included in the allow list, and add them to the allow list if they are compatible with virtual domain controller cloning. If any of these applications are not compatible with virtual domain controller cloning, please uninstall them before re-trying the cloning operation. The virtual domain controller cloning process searches for the allowed application list file, CustomDCCloneAllowList.xml, based on the following search order; the first file found is used and all others are ignored:
1. The registry value name: HKey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters\AllowListFolder
2. The same directory where the DSA Working Directory folder resides
3. %windir%\NTDS
4. Removable read/write media in order of drive letter at the root of the drive
Details on virtual domain controller clone allow list can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution: Follow the message instructions.


Event ID: 29251
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: Virtual domain controller cloning failed to reset the IP addresses of the clone machine. The returned error code is %1 (%2). This error might be caused by misconfiguration in network configuration sections in the virtual domain controller configuration file. Please see %systemroot%\debug\dcpromo.log for more information about errors that correspond to IP addresses resetting during virtual domain controller cloning attempts. Details on resetting machine IP addresses on the cloned machine can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution: Verify that the IP information set in the dccloneconfig.xml is valid and does not duplicate the original source machine.

Event ID: 29253
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: Virtual domain controller cloning failed. The clone domain controller was unable to locate the primary domain controller (PDC) operations master in the cloned computer's home domain of the cloned machine. The returned error code is %1 (%2). Please verify that the primary domain controller in the home domain of the cloned machine is assigned to a live domain controller, is online, and is operational. Verify that the cloned machine has LDAP/RPC connectivity to the primary domain controller over the required ports and protocols. Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution: Validate that the cloned domain controller's IP and DNS information is set. Use Dcdiag.exe /test:locatorcheck to validate whether the PDCE is online, use Nltest.exe /server:<PDCE> /dclist:<domain> to validate RPC, and obtain a network capture from the PDCE while cloning fails and analyze the traffic.

Event ID: 29254
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: Virtual domain controller cloning failed to bind to the primary domain controller %1. The returned error code is %2 (%3). Please verify that the primary domain controller %1 is online and is operational. Verify that the cloned machine has LDAP/RPC connectivity to the primary domain controller over the required ports and protocols. Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution: Validate that the cloned domain controller's IP and DNS information is set. Use Dcdiag.exe /test:locatorcheck to validate whether the PDCE is online, use Nltest.exe /server:<PDCE> /dclist:<domain> to validate RPC, and obtain a network capture from the PDCE while cloning fails and analyze the traffic.

Event ID: 29255
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: Virtual domain controller cloning failed. An attempt to create objects on the primary domain controller %1 required for the image being cloned returned error %2 (%3). Please check for related events in the Directory Service event log on primary domain controller %1. Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution: Look up the specific error in MS TechNet, MS Knowledgebase, and MS blogs to determine its typical meaning, and then troubleshoot based on those results.

Event ID: 29256
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: An attempt to set the Boot into Directory Services Restore Mode flag failed with error code %1. Please see %systemroot%\debug\dcpromo.log for more information about errors.
Notes and resolution: Examine the Directory Services log and dcpromo.log for details. Examine the Application and System event logs. Investigate third party applications that may be blocking privilege usage.

Event ID: 29257
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: Virtual domain controller cloning has done. An attempt to reboot the machine failed with error code %1. Please reboot the machine to finish the cloning operation.
Notes and resolution: Examine the Directory Services log for details. Examine the Application and System event logs. Investigate third party applications that may be blocking privilege usage.

Event ID: 29264
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: An attempt to clear the Boot into Directory Services Restore Mode flag failed with error code %1. Please see %systemroot%\debug\dcpromo.log for more information about errors.
Notes and resolution: Examine the Directory Services log and dcpromo.log for details. Examine the Application and System event logs. Investigate third party applications that may be blocking privilege usage.

Event ID: 29265
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Informational
Message: Virtual domain controller cloning succeeded. The virtual domain controller cloning configuration file %1 has been renamed to %2.
Notes and resolution: N/A, this is a success event.

Event ID: 29266
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: Virtual domain controller cloning succeeded. The attempt to rename virtual domain controller cloning configuration file %1 failed with error code %2 (%3).
Notes and resolution: Manually rename the dccloneconfig.xml file.

Directory Services Event Log


Event ID: 2160
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: The local <COMPUTERNAME> has found a virtual domain controller cloning configuration file. The virtual domain controller cloning configuration file is found at: %1 The existence of the virtual domain controller cloning configuration file indicates that the local virtual domain controller is a clone of another virtual domain controller. The <COMPUTERNAME> will start to clone itself.
Notes and resolution: This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.

Event ID: 2161
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: The local <COMPUTERNAME> did not find the virtual domain controller cloning configuration file. The local machine is not a cloned DC.
Notes and resolution: This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.

Event ID: 2162
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Virtual domain controller cloning failed. Please check events logged in System event logs and %systemroot%\debug\dcpromo.log for more information on errors that correspond to the virtual domain controller cloning attempt. Error code: %1
Notes and resolution: Follow the message instructions; this error is a catchall.

Event ID: 2163
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: DsRoleSvc service was started to clone the local virtual domain controller.
Notes and resolution: This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.

Event ID: 2164
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to start the DsRoleSvc service to clone the local virtual domain controller. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution: Examine the service settings for the DS Role Server service (DsRoleSvc) and ensure its start type is set to Manual. Validate that no third party program is preventing the start of this service.

Event ID: 2165
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to start a thread during the cloning of the local virtual domain controller. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information. Error code:%1 Error message:%2 Thread name:%3
Notes and resolution: Contact Microsoft Beta Product Support.

Event ID: 2166
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> needs RPCSS service to initiate rebooting into DSRM. Waiting for RPCSS to initialize into a running state failed. Error code:%1
Notes and resolution: Examine the System event log and the service settings for the RPC Server service (Rpcss).

Event ID: 2167
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> could not initialize virtual domain controller knowledge. See previous event log entry for details. Additional Data Failure code:%1
Notes and resolution: Follow the message instructions; this error is a catchall.

Event ID: 2168
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: The DC is running on a supported hypervisor. VM Generation ID is detected. Current value of VM Generation ID: %1
Notes and resolution: This is a success event and only an issue if unexpected.

Event ID: 2169
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: There is no VM Generation ID detected. The DC is hosted on a physical machine, a down-level version of Hyper-V, or a hypervisor that does not support the VM Generation ID. Additional Data Failure code returned when checking VM Generation ID:%1
Notes and resolution: This is a success event if not intending to clone. Otherwise, examine the System event log and review the hypervisor product's VDC support documentation.

Event ID: 2170
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Warning
Message: A Generation ID change has been detected. Generation ID cached in DS (old value):%1 Generation ID currently in VM (new value):%2 The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. <COMPUTERNAME> will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.
Notes and resolution: This is a success event if intending to clone. Otherwise, examine the System event log.

Event ID: 2171
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: No Generation ID change has been detected. Generation ID cached in DS (old value):%1 Generation ID currently in VM (new value):%2
Notes and resolution: This is a success event if not intending to clone, and should be seen at every reboot of a virtualized DC. Otherwise, examine the System event log.

Event ID: 2172
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Read the msDS-GenerationId attribute of the Domain Controller's computer object. msDS-GenerationId attribute value:%1
Notes and resolution: This is a success event if intending to clone. Otherwise, examine the System event log.

Event ID: 2173
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Failed to read the msDS-GenerationId attribute of the Domain Controller's computer object. This may be caused by database transaction failure, or the generation id does not exist in the local database. The msDS-GenerationId does not exist during the first reboot after dcpromo or the DC is not a virtual domain controller. Additional Data Failure code:%1
Notes and resolution: This is a success event if intending to clone and it is the first VM reboot after cloning has completed. It can also be ignored on non-virtual domain controllers. Otherwise, examine the System event log.

Event ID: 2174
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: The DC is neither a virtual domain controller clone nor a restored virtual domain controller snapshot.
Notes and resolution: This is a success event if not intending to clone. Otherwise, examine the System event log.

Event ID: 2175
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Virtual domain controller clone configuration file exists on an unsupported platform.
Notes and resolution: This is a success event if not intending to clone. Otherwise, examine the System event log.

Event ID: 2176
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Renamed virtual domain controller clone configuration file. Additional Data Old file name:%1 New file name:%2
Notes and resolution: The rename is expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone.

Event ID: 2177
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Renaming virtual domain controller clone configuration file failed. Additional Data File name:%1 Failure code:%2 %3
Notes and resolution: The rename attempt is expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone. Manually rename the file and investigate installed third party products that may be preventing the file rename.

Event ID: 2178
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Detected virtual domain controller clone configuration file, but VM Generation ID has not been changed. The local DC is the clone source DC. Rename the clone configuration file.
Notes and resolution: Expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone.

Event ID: 2179
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: The msDS-GenerationId attribute of the Domain Controller's computer object has been set to the following parameter: GenerationID attribute:%1
Notes and resolution: This is a success event and only an issue if unexpected.

Event ID: 2180
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Warning
Message: Failed to set the msDS-GenerationId attribute of the Domain Controller's computer object. Additional Data Failure code:%1
Notes and resolution: Examine the System event log and Dcpromo.log. Look up the specific error in MS TechNet, the MS Knowledge Base, and MS blogs to determine its usual meaning, and then troubleshoot based on those results.

Event ID: 2182
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Internal event: The Directory Service has been asked to clone a remote DSA:
Notes and resolution: This is a success event and only an issue if unexpected.

Event ID: 2183
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Internal event: <COMPUTERNAME> completed the request to clone the remote Directory System Agent. Original DC name:%3 Request clone DC name:%4 Request clone DC site:%5 Additional Data Error value:%1 %2
Notes and resolution: This is a success event and only an issue if unexpected.

Event ID: 2184
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to create a domain controller account for the cloned DC. Original DC name:%1 Allowed number of cloned DC:%2 The limit on the number of domain controller accounts that can be generated by cloning <COMPUTERNAME> was exceeded. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution: A single source domain controller name can automatically generate only 9999 clone names if domain controllers are not demoted, based on the naming convention. Use the <computername> element in the XML to generate a new unique name, or clone from a differently named DC.

Event ID: 2191
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: <COMPUTERNAME> set the following registry value to disable DNS updates. Registry Key:%1 Registry Value: %2 Registry Value data: %3 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.
Notes and resolution: This is a success event and only an issue if unexpected.

Event ID: 2192
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to set the following registry value to disable DNS updates. Registry Key:%1 Registry Value: %2 Registry Value data: %3 Error code:%4 Error message:%5 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.
Notes and resolution: Examine the Application and System event logs. Investigate third party applications that may be blocking registry updates.

Event ID: 2193
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: <COMPUTERNAME> set the following registry value to enable DNS updates. Registry Key:%1 Registry Value: %2 Registry Value data: %3 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.
Notes and resolution: This is a success event and only an issue if unexpected.

Event ID: 2194
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to set the following registry value to enable DNS updates. Registry Key:%1 Registry Value: %2 Registry Value data: %3 Error code:%4 Error message:%5 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.
Notes and resolution: Examine the Application and System event logs. Investigate third party applications that may be blocking registry updates.

Event ID: 2195
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Failed to set DSRM boot. Error code:%1 Error message:%2 When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Setting DSRM boot failed.
Notes and resolution: Examine the Application and System event logs. Investigate third party applications that may be blocking registry updates.

Event ID: 2196
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Failed to enable shutdown privilege. Error code:%1 Error message:%2 When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Enabling shutdown privilege failed.
Notes and resolution: Examine the Application and System event logs. Investigate third party applications that may be blocking privilege usage.

Event ID: 2197
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Failed to initiate system shutdown. Error code:%1 Error message:%2 When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Initiating system shutdown failed.
Notes and resolution: Examine the Application and System event logs. Investigate third party applications that may be blocking privilege usage.

Event ID: 2198
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to create or modify the following cloned DC object. Additional data: Object: %1 Error value: %2 %3
Notes and resolution: Look up the specific error in MS TechNet, the MS Knowledge Base, and MS blogs to determine its usual meaning, and then troubleshoot based on those results.

Event ID: 2199
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to create the following cloned DC object because the object already exists. Additional data: Source DC: %1 Object: %2
Notes and resolution: Validate that the dccloneconfig.xml did not specify an existing domain controller name and that copies of the same dccloneconfig.xml were not used on multiple clones without editing the name. If the collision is still unexpected, determine which administrator promoted the existing domain controller; contact them to discuss whether it should be demoted, whether its metadata should be cleaned, or whether the VDC clone should use a different name.

Event ID: 2203
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Last virtual domain controller cloning failed. This is the first reboot since then so this should be a re-try of the cloning. However, neither virtual domain controller clone configuration file exists nor virtual machine generation ID change is detected. Boot into DSRM. Last virtual domain controller cloning failed:%1 Virtual domain controller clone configuration file exists:%2 Virtual machine generation ID change is detected:%3
Notes and resolution: Expected if cloning failed previously due to a missing or invalid dccloneconfig.xml.

Error Messages
There are no direct interactive errors for failed VDC cloning; all cloning information logs in the System and Directory Services event logs and the domain controller promotion logs in dcpromo.log. However, if the server boots into DS Restore Mode, consider that an "interactive error" and investigate immediately, as promotion or cloning failed.


The dcpromo.log contains cloning-specific errors as they pertain to the actual promotion process. Otherwise, they are simply domain controller promotion errors, as you would see on non-virtual or non-cloned Domain controllers.
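As an added example (not from this guide), the script below pulls the cloning events documented in this section from the System and Directory Service logs in time order, prints the full text of any warning or error, checks whether the current boot entry is set to Directory Services Restore Mode, and surfaces error lines from dcpromo.log. It also collects DFS Replication events 8010 and 8028, which the SYSVOL issue in the next section refers to. The provider names in the first two filters are those shown in the event tables above; the DFS Replication provider name 'DFSR' is an assumption.

```powershell
# Added example (not from the UTG): gather the cloning events this section documents,
# in the order they were written, plus the other two signals it names (DSRM boot and
# dcpromo.log). Provider names are those in the tables above; 'DFSR' is an assumption.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24                       # how far back to look
)

$since = (Get-Date).AddHours(-$Hours)

# DSROLE cloning events (292xx) are in the System log; NTDS cloning and
# VM-Generation ID events (21xx) are in the Directory Service log; the SYSVOL
# migration events 8010/8028 are in the DFS Replication log.
$filters = @(
    @{ LogName = 'System';            ProviderName = 'Microsoft-Windows-DirectoryServices-DSROLE-Server'; StartTime = $since },
    @{ LogName = 'Directory Service'; ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService';    StartTime = $since },
    @{ LogName = 'DFS Replication';   ProviderName = 'DFSR'; Id = 8010, 8028;                                StartTime = $since }
)

$events = foreach ($f in $filters) {
    # A log with no matching events makes Get-WinEvent raise a non-terminating error; ignore it.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue
}

# Timeline: the first line of each message is enough to see the sequence.
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Warnings and errors (Level 1-3) get their full text, because the %1/%2 inserts
# carry the error codes the resolution notes tell you to look up.
$events | Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } | Sort-Object TimeCreated |
    ForEach-Object { "`n[{0}] {1} {2} {3}`n{4}" -f $_.TimeCreated, $_.LogName, $_.Id, $_.LevelDisplayName, $_.Message }

# The remaining checks are local only. A DC that came up in Directory Services
# Restore Mode is the "interactive error" described above; DSRM is the
# 'safeboot DsRepair' setting on the current boot entry.
if ($ComputerName -eq $env:COMPUTERNAME) {
    $bcd = bcdedit.exe /enum '{current}' 2>$null
    if ($bcd -match 'safeboot\s+DsRepair') {
        Write-Warning 'Current boot entry is set to DsRepair: this machine boots into DSRM, so cloning or promotion failed.'
    }

    # dcpromo.log is the third place this section names; surface its recent error lines.
    $dcpromoLog = Join-Path $env:SystemRoot 'debug\dcpromo.log'
    if (Test-Path $dcpromoLog) {
        Select-String -Path $dcpromoLog -Pattern 'error|fail' |
            Select-Object -Last 40 | ForEach-Object { $_.Line }
    }
}
```

Reading the Directory Service log requires local administrator rights (or the equivalent through -ComputerName on a remote clone). Compare the timeline against the expected sequence in the Advanced Troubleshooting section: a run that stops after 2160 and 2191 without ever reaching 2170 and 1109, or that ends in 2162 or 2203, tells you which stage to look at before opening dcpromo.log.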

Known/Likely Issues and Support Scenarios


The following are common issues seen during the Windows Server "8" Beta development process. All of these issues are "by design" and have either a valid workaround or a more appropriate technique to avoid them in the first place. Some may be resolved in later releases of Windows Server "8".

Issue: Cloning fails, DSRM
Symptoms: Clone boots into Directory Services Restore Mode.
Resolution and Notes: Validate that all steps were followed from the sections Deploying Virtualized Domain Controller and General Methodology for Troubleshooting Domain Controller Cloning.

Issue: Metadata cleaning a cloned RODC generates "access is denied" errors on the original RODC when attempting to log on
Symptoms: After cloning an RODC but later deciding to remove it through metadata cleanup, where you force reset the password of all cached users and computers, you can no longer log on to the original source RODC used for cloning. Attempts to log on to the source RODC always return "access is denied" or "bad username or password". Any further clones made from that source RODC always show the error "The trust relationship between this workstation and the primary domain failed" at logon.
Resolution and Notes: To prevent the issue, always gracefully demote cloned RODCs using Server Manager or ADDSDeployment Windows PowerShell and do not force their demotion. If already experiencing the issue, forcibly demote the source and clone RODC domain controllers, clean their metadata, then promote the source RODC computer again as an RODC. Since RODCs cannot originate local changes, there is no data loss in this scenario. It is fixed in later releases of Windows Server "8".

Issue: Duplicate IP addresses when using DHCP to clone
Symptoms: After successfully cloning a DC and using DHCP, the first boot of the clone takes a DHCP lease. Then, when the server is renamed and restarted as a DC, it takes a second DHCP lease. The first IP address is not released and you end up with a "phantom" lease.
Resolution and Notes: Manually delete the unused address lease in DHCP or allow it to expire normally.

Issue: Cloning RODC fails when there is a pre-existing server object in a renamed AD site
Symptoms: After cloning an RODC that already has a computer object in the appropriate AD logical site (in DSSITE.MSC), cloning fails with Directory Services event 1168 (Internal Processing): "Internal error: An Active Directory Domain Services error has occurred. Additional Data Error value (decimal): -1073741823 Error value (hex): c0000001 Internal ID: 30017b3" and, for the same event number: "Additional Data Error value (decimal): 2 Error value (hex): 2 Internal ID: 7011658".
Resolution and Notes: To prevent the issue, remove the pre-existing computer object for the RODC by using DSSITE.MSC.

Issue: CustomDCCloneAllowList.xml does not support unpredictable service names
Symptoms: When attempting to use a single CustomDCCloneAllowList.xml to clone a variety of domain controllers, you cannot proceed because of services that use unpredictable names, for example services that are Microsoft SQL instances.
Resolution and Notes: This is a design limitation of VDC and CustomDCCloneAllowList.xml. You cannot use a common CustomDCCloneAllowList.xml to clone domain controllers that have unpredictable service names. To work around this issue, always use the Get-ADDCCloningExcludedApplicationList Windows PowerShell cmdlet to assist in creating CustomDCCloneAllowList.xml per server.

Issue: PrintNotify service always detected by Get-ADDCCloningExcludedApplicationList
Symptoms: Even on a brand new server with no programs or roles installed, the Get-ADDCCloningExcludedApplicationList cmdlet always detects the PrintNotify service. This service is not in the c:\windows\system32\DefaultDCCloneAllowList.XML allow list even though it is a standard service with no known VDC incompatibilities.
Resolution and Notes: To work around this issue, always use the Get-ADDCCloningExcludedApplicationList Windows PowerShell cmdlet to assist in creating CustomDCCloneAllowList.xml per server. As a less-recommended alternative, grant yourself permissions to the c:\windows\system32\DefaultDCCloneAllowList.XML allow list file on the source domain controller and edit the AllowList to also contain:
    <Allow>
      <Name>PrintNotify</Name>
      <Type>Service</Type>
    </Allow>
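The following script is an added example, not from this guide or from the ADDSDeployment module. It captures the output of Get-ADDCCloningExcludedApplicationList, refuses to continue if anything other than an explicitly approved entry (here only PrintNotify) is present, and writes a per-server CustomDCCloneAllowList.xml in the <AllowList>/<Allow> shape shown above, so that DefaultDCCloneAllowList.XML stays untouched. It assumes the cmdlet returns objects with Name and Type properties and that the custom list is read from the DSA Working Directory (%systemroot%\NTDS), both as in the released cmdlet; confirm against your build.

```powershell
# Added example (not from the UTG): build a per-server CustomDCCloneAllowList.xml from
# the cmdlet's output, so PrintNotify (and any other entry the default allow list does
# not know) is reviewed once and recorded for this source DC only, leaving
# DefaultDCCloneAllowList.XML untouched. Assumes the ADDSDeployment module is available,
# that Get-ADDCCloningExcludedApplicationList returns objects with Name and Type
# properties, and that the custom list is read from the DSA Working Directory
# (%systemroot%\NTDS); all three as in the released cmdlet.
param(
    [string]$OutputPath = (Join-Path $env:SystemRoot 'NTDS\CustomDCCloneAllowList.xml'),
    # Services or programs you have reviewed and judged safe to clone. PrintNotify is
    # the one this section describes; anything else must be justified per server.
    [string[]]$Approved = @('PrintNotify')
)

Import-Module ADDSDeployment -ErrorAction Stop

$excluded = @(Get-ADDCCloningExcludedApplicationList)

# Fail closed: an entry the administrator has not explicitly approved blocks the write,
# because allow-listing an unknown application hides a possible VDC incompatibility.
$unapproved = @($excluded | Where-Object { $Approved -notcontains $_.Name })
if ($unapproved.Count -gt 0) {
    $unapproved | Format-Table Name, Type -AutoSize
    throw 'Unreviewed applications or services detected; verify VDC compatibility with the vendor before allow-listing them.'
}

# Write the allow list in the <AllowList>/<Allow>/<Name>/<Type> shape shown above.
$settings = New-Object System.Xml.XmlWriterSettings
$settings.Indent = $true
$writer = [System.Xml.XmlWriter]::Create($OutputPath, $settings)
try {
    $writer.WriteStartDocument()
    $writer.WriteStartElement('AllowList')
    foreach ($app in $excluded) {
        $writer.WriteStartElement('Allow')
        $writer.WriteElementString('Name', $app.Name)
        $writer.WriteElementString('Type', $app.Type)
        $writer.WriteEndElement()
    }
    $writer.WriteEndElement()
    $writer.WriteEndDocument()
} finally {
    $writer.Close()
}

Write-Host "Wrote $($excluded.Count) entries to $OutputPath"

# With the custom list in place the cmdlet should report nothing further for this DC;
# anything it still returns was added after the review above.
Get-ADDCCloningExcludedApplicationList
```

Run it on the source domain controller before taking the clone. Keeping the approved names in a parameter rather than editing the default list means each source DC's allow list reflects what was actually reviewed on that machine, which is the per-server approach the resolution recommends.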

Issue: Cloning fails into DSRM after very long delay
Symptoms: Cloning appears to pause at "Domain controller cloning is at X% completion" for between 8 and 15 minutes. After this, the cloning fails and boots into DSRM.
Resolution and Notes: The cloned computer cannot get a dynamic IP address from DHCP or SLAAC, or is using a duplicate IP address. Multiple retry attempts performed by cloning lead to the delay. Resolve the networking issue to allow cloning.

Issue: Cloning does not recreate all service principal names
Symptoms: If a set of three-part service principal names (SPNs) includes both a NetBIOS name with a port and an otherwise identical NetBIOS name without a port, the non-port entry is not recreated with the new computer name. For example:
    customspn/DC1:200/app1 - this is recreated with the new computer name
    customspn/DC1/app1 - this is not recreated with the new computer name
Fully-qualified names are recreated, and SPNs without three parts are recreated regardless of ports. For example, these are recreated successfully on the clone:
    customspn/DC1:202 - this is recreated
    customspn/DC1 - this is recreated
    customspn/DC1.corp.contoso.com:202 - this is recreated
    customspn/DC1.corp.contoso.com - this is recreated
Resolution and Notes: This is a limitation of the domain controller rename process in Windows, not just of cloning. Three-part SPNs are not handled by the renaming logic in any scenario. Most included Windows services are unaffected by this, as they recreate any missing SPNs as needed. Other applications may require manually entering the SPN to resolve the issue.
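To check a finished clone for the gap described above, here is an added example (not from this guide) that takes the source DC's servicePrincipalName values, rewrites the host part for the clone's NetBIOS and fully-qualified names, and reports any expected SPN the clone does not carry. The function itself needs no domain: the sample SPN lists are constructed from the DC1 example above with a constructed clone name DC1-CL0001, and the Get-ADComputer calls at the end (commented out) show how to feed it live data.

```powershell
# Added example (not from the UTG): find SPNs the rename logic did not carry over to a
# clone, such as the three-part NetBIOS SPN without a port described above. The sample
# SPN lists and the clone name DC1-CL0001 are constructed for this example.

function Get-MissingClonedSpn {
    param(
        [string[]]$SourceSpns,  # servicePrincipalName values from the source DC
        [string[]]$CloneSpns,   # servicePrincipalName values from the clone
        [string]$SourceHost,    # NetBIOS name of the source, e.g. DC1
        [string]$CloneHost,     # NetBIOS name of the clone,  e.g. DC1-CL0001
        [string]$DnsSuffix      # e.g. corp.contoso.com
    )
    # Case-insensitive lookup of what the clone actually has.
    $cloneSet = @{}
    foreach ($s in $CloneSpns) { $cloneSet[$s.ToLowerInvariant()] = $true }

    $netbiosPattern = "^$([regex]::Escape($SourceHost))$"
    $fqdnPattern    = "^$([regex]::Escape("${SourceHost}.${DnsSuffix}"))$"

    foreach ($spn in $SourceSpns) {
        # SPN shape is service/host[:port][/name]; keep at most three parts.
        $parts = @($spn -split '/', 3)
        if ($parts.Count -lt 2) { continue }
        $hostOnly, $port = $parts[1] -split ':', 2

        # Rewrite only hosts that name the source DC (NetBIOS or FQDN); switch -Regex
        # is case-insensitive by default.
        $newHost = switch -Regex ($hostOnly) {
            $netbiosPattern { $CloneHost }
            $fqdnPattern    { "${CloneHost}.${DnsSuffix}" }
            default         { $null }
        }
        if (-not $newHost) { continue }

        $newHostPort = if ($port) { "${newHost}:${port}" } else { $newHost }
        $expected = "$($parts[0])/$newHostPort"
        if ($parts.Count -eq 3) { $expected += "/$($parts[2])" }

        if (-not $cloneSet.ContainsKey($expected.ToLowerInvariant())) {
            [pscustomobject]@{
                SourceSpn       = $spn
                ExpectedOnClone = $expected
                ThreePart       = ($parts.Count -eq 3)
                HasPort         = [bool]$port
            }
        }
    }
}

# Constructed sample modelled on the DC1 example above, cloned to DC1-CL0001.
$sourceSpns = @(
    'customspn/DC1:200/app1',
    'customspn/DC1/app1',
    'customspn/DC1:202',
    'customspn/DC1',
    'customspn/DC1.corp.contoso.com:202',
    'customspn/DC1.corp.contoso.com',
    'ldap/DC1.corp.contoso.com/corp.contoso.com'
)
# What the clone ends up with when the port-less three-part NetBIOS SPN is skipped.
$cloneSpns = @(
    'customspn/DC1-CL0001:200/app1',
    'customspn/DC1-CL0001:202',
    'customspn/DC1-CL0001',
    'customspn/DC1-CL0001.corp.contoso.com:202',
    'customspn/DC1-CL0001.corp.contoso.com',
    'ldap/DC1-CL0001.corp.contoso.com/corp.contoso.com'
)

Get-MissingClonedSpn -SourceSpns $sourceSpns -CloneSpns $cloneSpns `
    -SourceHost 'DC1' -CloneHost 'DC1-CL0001' -DnsSuffix 'corp.contoso.com' |
    Format-Table -AutoSize

# Against a real domain (ActiveDirectory module required), feed the function the
# actual attribute values of the two computer objects:
# $src = Get-ADComputer -Identity 'DC1' -Properties servicePrincipalName
# $cln = Get-ADComputer -Identity 'DC1-CL0001' -Properties servicePrincipalName
# Get-MissingClonedSpn -SourceSpns $src.servicePrincipalName -CloneSpns $cln.servicePrincipalName `
#     -SourceHost 'DC1' -CloneHost 'DC1-CL0001' -DnsSuffix 'corp.contoso.com'
```

Each row names the SPN to register manually (with setspn.exe or by editing the computer object) if the application that owns it does not recreate its own SPNs, which is the manual step the resolution describes. SPNs that do not reference the source host at all are skipped, so the report stays focused on the rename.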

Issue: Cloning fails, boots into normal mode as a duplicate of the source DC
Symptoms: A new clone boots up without cloning. The dccloneconfig.xml is not renamed and the server is not in DS Restore Mode. The Directory Services event log shows Error 2164: <COMPUTERNAME> failed to start the DsRoleSvc service to clone the local virtual domain controller. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Resolution and Notes: Examine the service settings for the DS Role Server service (DsRoleSvc) and ensure its start type is set to Manual. Validate that no third party program is preventing the start of this service.

Issue: Cloning succeeds, but SYSVOL is empty and does not replicate inbound or outbound
Symptoms: A new clone appears to succeed. Later you notice that the SYSVOL and NETLOGON shares are empty. No SYSVOL files replicate inbound or outbound. The source server was previously migrated from FRS to DFSR. Examining the DFS Replication event log shows event 8028 and repeated 8010 events:
Event ID: 8028 Level: Error DFSR Migration was unable to transition to the 'PREPARED' state for Domain Controller <name>. DFSR will retry the next time it polls the Active Directory. To force an immediate retry, execute the command 'dfsrdiag /pollad'. Additional Information: Domain Controller: <name> Error: 2 The system cannot find the file specified
Event ID: 8010 Level: Informational DFSR has started preparing the Domain Controller %1 for migration. DFSR will now create the SYSVOL_DFSR folder, create objects in the local Active Directory and create DFSR member objects for the Domain Controller %1.

Examining the DFSR debug log shows:

20120208 17:12:07.187 2096 SYSM 586 [ERROR] Migration::SysvolMigrationTask::Step [MIG] Failed Migration task. Error: + [Error:2(0x2) Migration::SysVolMigration::Migrate migration.cpp:1200 2096 W The system cannot find the file specified.] + [Error:2(0x2) Migration::SysVolMigration::StepToNextStableState migration.cpp:1271 2096 W The system cannot find the file specified.] + [Error:2(0x2) Migration::SysVolMigration::Prepare migration.cpp:1431 2096 W The system cannot find the file specified.] + [Error:2(0x2) Migration::SysVolMigration::CreateJunctionPointsForDfsrSysvolFolder migration.cpp:2637 2096 W The system cannot find the file specified.]

Resolution and Notes: The source domain controller used for cloning once participated in an FRS to DFSR SYSVOL migration (http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx). A known incompatibility in Windows Server "8" Beta VDC cloning prevents previously migrated servers from populating or replicating SYSVOL after cloning. To resolve this issue, forcibly demote the clone domain controller and remove the metadata using NTDSUTIL.EXE or DSA.MSC. Choose a new Windows Server "8" Beta source domain controller that has not previously migrated FRS to DFSR. If there are no such domain controllers, promote a new Windows Server "8" Beta domain controller into the domain using Server Manager or ADDSDeployment Windows PowerShell, then use it as the source of cloning. Do not attempt to fix the issues based on the events or debug logs, as there is a strong possibility that you will unintentionally delete all data from all other SYSVOL copies on all domain controllers in the domain. This issue will be resolved in versions later than Windows Server "8" Beta.

Advanced Troubleshooting
This guide seeks to teach advanced troubleshooting by using working logs as samples, with some explanation of what occurred. If you understand what a successful VDC operation looks like, failures become obvious in your environment. These logs are presented by their source, with the ascending order of expected events (even when they are warnings and errors) related to a cloned domain controller within each log.

Cloning a Domain Controller


In this example, the clone domain controller uses DHCP to get an IP address, replicates SYSVOL using FRS or DFSR (see the appropriate log as necessary), is a global catalog, and uses a blank dccloneconfig.xml file.

Directory Services Event Log


The Directory Services log contains the majority of event-based cloning operational information. The hypervisor changes the VM-Generation ID and the NTDS service notes it, then invalidates the RID pool and changes the invocation ID. The new VM-Generation ID is set and the servers replicates AD data inbound. The DFSR service is stopped and its database that hosts SYSVOL is deleted, forcing a non-authoritative sync inbound. The USN high watermark is adjusted.
Event ID (Source): Message

2160 (ActiveDirectory_DomainService): The local Active Directory Domain Services has found a virtual domain controller cloning configuration file. The virtual domain controller cloning configuration file is found at: <path>\DCCloneConfig.xml The existence of the virtual domain controller cloning configuration file indicates that the local virtual domain controller is a clone of another virtual domain controller. The Active Directory Domain Services will start to clone itself.

2191 (ActiveDirectory_DomainService): Active Directory Domain Services set the following registry value to disable DNS updates. Registry Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters Registry Value: UseDynamicDns Registry Value data: 0 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

2191 (ActiveDirectory_DomainService): Active Directory Domain Services set the following registry value to disable DNS updates. Registry Key: SYSTEM\CurrentControlSet\Services\Dnscache\Parameters Registry Value: RegistrationEnabled Registry Value data: 0 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

2191 (ActiveDirectory_DomainService): Active Directory Domain Services set the following registry value to disable DNS updates. Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters Registry Value: DisableDynamicUpdate Registry Value data: 1 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

2172 (ActiveDirectory_DomainService): Read the msDS-GenerationId attribute of the Domain Controller's computer object. msDS-GenerationId attribute value: <Number>

2170 (ActiveDirectory_DomainService): A Generation ID change has been detected. Generation ID cached in DS (old value): <Number> Generation ID currently in VM (new value): <Number> The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. Active Directory Domain Services will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

1109 (ActiveDirectory_DomainService): The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows: InvocationID attribute (old value): <GUID> InvocationID attribute (new value): <GUID> Update sequence number: <Number> The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.

1000 (ActiveDirectory_DomainService): Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0

1394 (ActiveDirectory_DomainService): All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.

2163 (ActiveDirectory_DomainService): DsRoleSvc service was started to clone the local virtual domain controller.

326 (NTDS ISAM): NTDS (536) NTDSA: The database engine attached a database (1, C:\Windows\NTDS\ntds.dit). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.016, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000. Saved Cache: 1

103 (NTDS ISAM): NTDS (536) NTDSA: The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.032, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

102 (NTDS ISAM): NTDS (536) NTDSA: The database engine (6.02.8225.0000) is starting a new instance (0).

105 (NTDS ISAM): NTDS (536) NTDSA: The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.016, [2] 0.000, [3] 0.015, [4] 0.078, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.046, [10] 0.000, [11] 0.000.

1004 (ActiveDirectory_DomainService): Active Directory Domain Services was shut down successfully.

102 (NTDS ISAM): NTDS (536) NTDSA: The database engine (6.02.8225.0000) is starting a new instance (0).

326 (NTDS ISAM): NTDS (536) NTDSA: The database engine attached a database (1, C:\Windows\NTDS\ntds.dit). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.016, [4] 0.000, [5] 0.031, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000. Saved Cache: 1

105 (NTDS ISAM): NTDS (536) NTDSA: The database engine started a new instance (0). (Time=1 seconds) Internal Timing Sequence: [1] 0.031, [2] 0.000, [3] 0.000, [4] 0.391, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000.

1109 (ActiveDirectory_DomainService): The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows: InvocationID attribute (old value): <GUID> InvocationID attribute (new value): <GUID> Update sequence number: <Number> The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.

1168 (ActiveDirectory_DomainService): Internal error: An Active Directory Domain Services error has occurred. Additional Data Error value (decimal): 2 Error value (hex): 2 Internal ID: 7011658

1110 (ActiveDirectory_DomainService): Promotion of this domain controller to a global catalog will be delayed for the following interval. Interval (minutes): 5 This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide

103 (NTDS ISAM): NTDS (536) NTDSA: The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.047, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.016, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

1004 (ActiveDirectory_DomainService): Active Directory Domain Services was shut down successfully.

1539 (ActiveDirectory_DomainService): Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk. Hard disk: c: Data might be lost during system failures

2179 (ActiveDirectory_DomainService): The msDS-GenerationId attribute of the Domain Controller's computer object has been set to the following parameter: GenerationID attribute: <Number>

2173 (ActiveDirectory_DomainService): Failed to read the msDS-GenerationId attribute of the Domain Controller's computer object. This may be caused by database transaction failure, or the generation id does not exist in the local database. The msDS-GenerationId does not exist during the first reboot after dcpromo or the DC is not a virtual domain controller. Additional Data Failure code: 6

1000 (ActiveDirectory_DomainService): Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0

1394 (ActiveDirectory_DomainService): All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.

1128 (ActiveDirectory_DomainService, Knowledge Consistency Checker): A replication connection was created from the following source directory service to the local directory service. Source directory service: CN=NTDS Settings,<Domain Controller DN> Local directory service: CN=NTDS Settings,<Domain Controller DN> Additional Data Reason Code: 0x2 Creation Point Internal ID: f0a025d

1999 (ActiveDirectory_DomainService): The source directory service has optimized the update sequence number (USN) presented by the destination directory service. The source and destination directory services have a common replication partner. The destination directory service is up to date with the common replication partner, and the source directory service was installed using a backup of this partner. Destination directory service ID: <GUID> (<FQDN>) Common directory service ID: <GUID> Common property USN: <Number> As a result, the up-to-dateness vector of the destination directory service has been configured with the following settings. Previous object USN: 0 Previous property USN: 0 Database GUID: <GUID> Object USN: <Number> Property USN: <Number>

System Event Log


The next indications of cloning operations are in the System Event log. As soon as the hypervisor tells the guest that it was cloned or restored from a snapshot, the domain controller invalidates its RID pool so that it cannot later issue security principals with the same SIDs as the source. As cloning proceeds, various expected operations and messages appear, mostly services starting and stopping and some expected errors caused by that. When cloning completes, the System event log records overall success.
Event ID (Source): Message

16654 (DirectoryServices-SAM): A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases: 1. A domain controller is restored from backup. 2. A domain controller running on a virtual machine is restored from snapshot. 3. An administrator has manually invalidated the pool
7036 (Service Control Manager): The Active Directory Domain Services service entered the running state.
7036 (Service Control Manager): The Kerberos Key Distribution Center service entered the running state.
3096 (Netlogon): The primary Domain Controller for this domain could not be located.
7036 (Service Control Manager): The Security Accounts Manager service entered the running state.
7036 (Service Control Manager): The Server service entered the running state.
7036 (Service Control Manager): The Netlogon service entered the running state.
7036 (Service Control Manager): The Active Directory Web Services service entered the running state.
7036 (Service Control Manager): The DFS Replication service entered the running state.
7036 (Service Control Manager): The File Replication Service service entered the running state.
14533 (Microsoft-Windows-DfsSvc): DFS has finished building all namespaces.
14531 (Microsoft-Windows-DfsSvc): DFS server has finished initializing.
7036 (Service Control Manager): The DFS Namespace service entered the running state.
7023 (Service Control Manager): The Intersite Messaging service terminated with the following error: The specified server cannot perform the requested operation.
7036 (Service Control Manager): The Intersite Messaging service entered the stopped state.
5806 (Netlogon): Dynamic DNS updates have been manually disabled on this domain controller. USER ACTION Reconfigure this domain controller to use dynamic DNS updates or manually add the DNS records from the file '%SystemRoot%\System32\Config\Netlogon.dns' to the DNS database.
16651 (DirectoryServices-SAM): The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is The requested FSMO operation failed. The current FSMO holder could not be contacted.
7036 (Service Control Manager): The DNS Server service entered the running state.
7036 (Service Control Manager): The DS Role Server service entered the running state.
7036 (Service Control Manager): The Netlogon service entered the stopped state.
7036 (Service Control Manager): The File Replication Service service entered the stopped state.
7036 (Service Control Manager): The Kerberos Key Distribution Center service entered the stopped state.
7036 (Service Control Manager): The DNS Server service entered the stopped state.
7036 (Service Control Manager): The Active Directory Domain Services service entered the stopped state.
7036 (Service Control Manager): The Netlogon service entered the running state.
7040 (Service Control Manager): The start type of the Active Directory Domain Services service was changed from auto start to disabled.
7036 (Service Control Manager): The Netlogon service entered the stopped state.
7036 (Service Control Manager): The File Replication Service service entered the running state.
29219 (DirectoryServices-DSROLE-Server): Virtual domain controller cloning succeeded.
29223 (DirectoryServices-DSROLE-Server): This server is now a Domain Controller.
29265 (DirectoryServices-DSROLE-Server): Virtual domain controller cloning succeeded. The virtual domain controller cloning configuration file C:\Windows\NTDS\DCCloneConfig.xml has been renamed to C:\Windows\NTDS\DCCloneConfig.20120207-151533.xml.
1074 (User32): The process C:\Windows\system32\lsass.exe (DC2) has initiated the restart of computer DC2 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Reconfiguration (Planned) Reason Code: 0x80020004 Shutdown Type: restart Comment:
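The two event tables above list what a successful clone writes to the Directory Service and System logs. The PowerShell below is an added example, not code from this guide or from Microsoft: it pulls those milestone events out of both logs into one timeline, then checks the three registry values that event 2191 sets, so that you can tell whether a clone that seems to hang ever re-enabled DNS registration. It assumes the log names "Directory Service" and "System", the event IDs from the tables, and that the cloning process resets or removes those three values when it re-enables registration; the function names are mine.

```powershell
# Added example (not from the guide). Event IDs are the ones in the tables
# above; the log names, and the assumption that cloning resets or removes the
# three DNS-registration values when it finishes, are mine.

$dsIds  = 2160, 2191, 2172, 2170, 1109, 2163, 2179, 2173, 1999
$sysIds = 16654, 16651, 7040, 29219, 29223, 29265, 1074

function Get-VdcCloneTimeline {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $filters = @(
        @{ LogName = 'Directory Service'; Id = $dsIds  },
        @{ LogName = 'System';            Id = $sysIds }
    )
    $events = foreach ($f in $filters) {
        # Get-WinEvent throws "No events were found" when nothing matches;
        # treat that as an empty result rather than an error.
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue
    }
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Test-VdcDnsRegistration {
    # Each value event 2191 writes, and the data that means "registration disabled".
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'UseDynamicDns';        DisabledWhen = 0 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'; Name = 'RegistrationEnabled';  DisabledWhen = 0 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Name = 'DisableDynamicUpdate'; DisabledWhen = 1 }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $data = if ($null -ne $item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Value    = Join-Path $c.Path $c.Name
            Data     = if ($null -eq $data) { '<absent>' } else { $data }
            # An absent value is the Windows default, i.e. registration enabled.
            Disabled = ($null -ne $data) -and ([int]$data -eq $c.DisabledWhen)
        }
    }
}

Get-VdcCloneTimeline | Format-Table -AutoSize -Wrap
$dns = Test-VdcDnsRegistration
$dns | Format-Table -AutoSize
if ($dns.Disabled -contains $true) {
    Write-Warning 'DNS registration is still disabled: cloning has not finished or did not re-enable it.'
}
```

Run it on the clone after the final restart. A timeline that stops before 29219/29223 tells you which stage the clone reached, and a value still reported as Disabled after 29265 means the DC will not register its records and needs the same fix event 5806 describes.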

DCPROMO.LOG
The dcpromo.log records the promotion portion of cloning, which the Directory Services event log does not describe. Because its entries are terse compared with event log messages, this section adds an annotation before each excerpt. In outline, the promotion process is: cloning starts, the DC is stripped of its current configuration and re-promoted using its existing AD database (much like an Install From Media promotion), then the DC replicates inbound the AD and SYSVOL changes made since the source was copied, and cloning is complete.

Note: The log has been modified in this guide for readability by removing the date column. Points of interest are called out in the annotation that precedes each excerpt.

More Information: For further explanation of the dcpromo.log, see Understand and Troubleshoot AD DS Simplified Administration in Windows Server "8" Beta: http://go.microsoft.com/fwlink/p/?LinkId=237244


Start clone-based promotion.
Set the Directory Services Restore Mode flag so that the server does not boot back up normally as the original clone and cause naming or Directory Service collisions.
Update the Directory Services event log.

15:14:01 [INFO] vDC Cloneing: Setting Boot into DSRM flag succeeded.
15:14:01 [WARNING] Cannot get user Token for Format Message: 1725l
15:14:01 [INFO] vDC Cloning: Created vDCCloningUpdate event.
15:14:01 [INFO] vDC Cloning: Created vDCCloningComplete event.

Stop the NetLogon service so that the domain controller does not advertise

15:14:01 [INFO] Stopping service NETLOGON
15:14:01 [INFO] ControlService(STOP) on NETLOGON returned 1(gle=0)
15:14:01 [INFO] DsRolepWaitForService: waiting for NETLOGON to enter one of 7 states
15:14:01 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=3
15:14:02 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=1
15:14:02 [INFO] DsRolepWaitForService: exiting because NETLOGON entered STOPPED state
15:14:02 [INFO] DsRolepWaitForService(for any end state) on NETLOGON service returned 0
15:14:02 [INFO] ControlService(STOP) on NETLOGON returned 0(gle=1062)
15:14:02 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state
15:14:02 [INFO] StopService on NETLOGON returned 0
15:14:02 [INFO] Configuring service NETLOGON to 1 returned 0
15:14:02 [INFO] Updating service status to 4
15:14:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.

Examine the dccloneconfig.xml file for administrator-specified customizations. In this sample case it is a blank file, so all settings are automatically generated and automatic IP addressing is required from the network

15:14:02 [INFO] vDC Cloning: Clone config file C:\Windows\NTDS\DCCloneConfig.xml is considered to be a blank file (containing 0 bytes)
15:14:02 [INFO] vDC Cloning: Parsing clone config file C:\Windows\NTDS\DCCloneConfig.xml returned HRESULT 0x0

Validate that there are no services or programs installed that are not part of the DefaultDCCloneAllowList.xml or CustomDCCloneAllowList.xml

15:14:02 [INFO] vDC Cloning: Checking allowed list:
15:14:03 [INFO] vDC Cloning: Completed checking allowed list:
15:14:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.

Enable DHCP on the network adapters, since IP information was not specified by the administrator

15:14:03 [INFO] vDC Cloning: Enable DHCP:
15:14:03 [INFO] WMI Instance: Win32_NetworkAdapterConfiguration.Index=12
15:14:03 [INFO] Method: EnableDHCP
15:14:03 [INFO] HRESULT code: 0x0 (0)
15:14:03 [INFO] Return Value: 0x0 (0)
15:14:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.

Locate the PDC emulator.
Set the clone's site (automatically generated in this case).
Set the clone's name (automatically generated in this case).

15:14:03 [INFO] vDC Cloning: Found PDC. Name: DC1.root.fabrikam.com
15:14:04 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:04 [INFO] vDC Cloning: Winlogon UI Notification #1: Domain Controller cloning is at 5% completion...
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #2: Domain Controller cloning is at 10% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] Site of the cloned DC: Default-First-Site-Name

Create the new clone computer object.
Rename the clone to match the new name.

15:14:05 [INFO] vDC Cloning: Clone DC objects are created on PDC.
15:14:05 [INFO] Name of the cloned DC: DC2-CL0001
15:14:05 [INFO] DsRolepSetRegStringValue on System\CurrentControlSet\Services\NTDS\Parameters\CloneMachineName to DC2-CL0001 returned 0
15:14:05 [INFO] vDC Cloning: Save CloneMachineName in registry: 0x0 (0)

Provide the promotion settings, based on previous dccloneconfig.xml or automatic generation rules
15:14:05 [INFO] vDC Cloning: Promotion parameters setting:
15:14:05 [INFO] DNS Domain Name: root.fabrikam.com
15:14:05 [INFO] Replica Partner: \\DC1.root.fabrikam.com
15:14:05 [INFO] Site Name: Default-First-Site-Name
15:14:05 [INFO] DS Database Path: C:\Windows\NTDS
15:14:05 [INFO] DS Log Path: C:\Windows\NTDS
15:14:05 [INFO] SysVol Root Path: C:\Windows\SYSVOL
15:14:05 [INFO] Account: root.fabrikam.com\DC2-CL0001$
15:14:05 [INFO] Options: DSROLE_DC_CLONING (0x800400)

Start promotion

15:14:05 [INFO] Promote DC as a clone
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #3: Domain Controller cloning is at 15% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #4: Domain Controller cloning is at 16% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] Validate supplied paths


15:14:05 [INFO] Validating path C:\Windows\NTDS.
15:14:05 [INFO] Path is a directory
15:14:05 [INFO] Path is on a fixed disk drive.
15:14:05 [INFO] Validating path C:\Windows\NTDS.
15:14:05 [INFO] Path is a directory
15:14:05 [INFO] Path is on a fixed disk drive.
15:14:05 [INFO] Validating path C:\Windows\SYSVOL.
15:14:05 [INFO] Path is on a fixed disk drive.
15:14:05 [INFO] Path is on an NTFS volume
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #5: Domain Controller cloning is at 17% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] Start the worker task
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #6: Domain Controller cloning is at 20% completion...
15:14:05 [INFO] Request for promotion returning 0
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #7: Domain Controller cloning is at 21% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.

Stop and configure all of the AD DS-related services (NTDS, NTFRS/DFSR, KDC, DNS).

Note: The DNS service taking a long time to shut down is expected in this scenario, because it uses AD-integrated zones that were no longer available even before the NTDS service stopped; see the DNS events described later in this section of the guide.

15:14:15 [INFO] Stopping service NTDS
15:14:15 [INFO] Stopping service NtFrs
15:14:15 [INFO] ControlService(STOP) on NtFrs returned 1(gle=0)
15:14:15 [INFO] DsRolepWaitForService: waiting for NtFrs to enter one of 7 states
15:14:15 [INFO] DsRolepWaitForService: QueryServiceStatus on NtFrs returned 1 (gle=0), SvcStatus.dwCS=3
15:14:16 [INFO] DsRolepWaitForService: QueryServiceStatus on NtFrs returned 1 (gle=0), SvcStatus.dwCS=1
15:14:16 [INFO] DsRolepWaitForService: exiting because NtFrs entered STOPPED state
15:14:16 [INFO] DsRolepWaitForService(for any end state) on NtFrs service returned 0
15:14:16 [INFO] ControlService(STOP) on NtFrs returned 0(gle=1062)
15:14:16 [INFO] Exiting service-stop loop after service NtFrs entered STOPPED state
15:14:16 [INFO] StopService on NtFrs returned 0
15:14:16 [INFO] Configuring service NtFrs to 1 returned 0
15:14:16 [INFO] Stopping service Kdc
15:14:16 [INFO] ControlService(STOP) on Kdc returned 1(gle=0)
15:14:16 [INFO] DsRolepWaitForService: waiting for Kdc to enter one of 7 states
15:14:16 [INFO] DsRolepWaitForService: QueryServiceStatus on Kdc returned 1 (gle=0), SvcStatus.dwCS=3
15:14:17 [INFO] DsRolepWaitForService: QueryServiceStatus on Kdc returned 1 (gle=0), SvcStatus.dwCS=1
15:14:17 [INFO] DsRolepWaitForService: exiting because Kdc entered STOPPED state
15:14:17 [INFO] DsRolepWaitForService(for any end state) on Kdc service returned 0
15:14:17 [INFO] ControlService(STOP) on Kdc returned 0(gle=1062)
15:14:17 [INFO] Exiting service-stop loop after service Kdc entered STOPPED state
15:14:17 [INFO] StopService on Kdc returned 0
15:14:17 [INFO] Configuring service Kdc to 1 returned 0
15:14:17 [INFO] Stopping service DNS
15:14:17 [INFO] ControlService(STOP) on DNS returned 1(gle=0)
15:14:17 [INFO] DsRolepWaitForService: waiting for DNS to enter one of 7 states
15:14:17 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:18 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:19 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:20 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:21 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:22 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:23 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:24 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:25 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:26 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:27 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:28 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:29 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:30 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:31 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:32 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:33 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:34 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:35 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:36 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:37 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:38 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:39 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:40 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:41 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:42 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:43 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:44 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:45 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:46 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:47 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:48 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:49 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:50 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:51 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:52 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:53 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:54 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:55 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:56 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:57 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:58 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:59 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:15:00 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=1
15:15:00 [INFO] DsRolepWaitForService: exiting because DNS entered STOPPED state
15:15:00 [INFO] DsRolepWaitForService(for any end state) on DNS service returned 0
15:15:00 [INFO] ControlService(STOP) on DNS returned 0(gle=1062)
15:15:00 [INFO] Exiting service-stop loop after service DNS entered STOPPED state
15:15:00 [INFO] StopService on DNS returned 0
15:15:00 [INFO] Configuring service DNS to 1 returned 0


15:15:00 [INFO] ControlService(STOP) on NTDS returned 1(gle=1062)
15:15:00 [INFO] DsRolepWaitForService: waiting for NTDS to enter one of 7 states
15:15:00 [INFO] DsRolepWaitForService: QueryServiceStatus on NTDS returned 1 (gle=0), SvcStatus.dwCS=3
15:15:01 [INFO] DsRolepWaitForService: QueryServiceStatus on NTDS returned 1 (gle=0), SvcStatus.dwCS=1
15:15:01 [INFO] DsRolepWaitForService: exiting because NTDS entered STOPPED state
15:15:01 [INFO] DsRolepWaitForService(for any end state) on NTDS service returned 0
15:15:01 [INFO] ControlService(STOP) on NTDS returned 0(gle=1062)
15:15:01 [INFO] Exiting service-stop loop after service NTDS entered STOPPED state
15:15:01 [INFO] StopService on NTDS returned 0
15:15:01 [INFO] Configuring service NTDS to 1 returned 0
15:15:01 [INFO] Configuring service NTDS
15:15:01 [INFO] Configuring service NTDS to 64 returned 0
15:15:01 [INFO] vDC Cloning: Winlogon UI Notification #8: Domain Controller cloning is at 22% completion...
15:15:01 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:01 [INFO] vDC Cloning: Winlogon UI Notification #9: Domain Controller cloning is at 25% completion...
15:15:01 [INFO] vDC Cloning: Set vDCCloningUpdate event.

Force NT5DS (NTP) time synchronization with another domain controller (typically the PDCE)

15:15:02 [INFO] Forcing time sync

Contact a domain controller that holds the source domain controller account of the clone.
Flush any existing Kerberos tickets.

15:15:02 [INFO] Searching for a domain controller for the domain root.fabrikam.com that contains the account DC2$
15:15:02 [INFO] Located domain controller DC1.root.fabrikam.com for domain root.fabrikam.com
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #10: Domain Controller cloning is at 26% completion...
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] Directing kerberos authentication to DC1.root.fabrikam.com returns 0
15:15:02 [INFO] DsRolepFlushKerberosTicketCache() successfully flushed the Kerberos ticket cache
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #11: Domain Controller cloning is at 27% completion...
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] Using site Default-First-Site-Name for server \\DC1.root.fabrikam.com
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.


Stop the NetLogon service and set its start type

15:15:02 [INFO] Stopping service NETLOGON
15:15:02 [INFO] Stopping service NETLOGON
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #12: Domain Controller cloning is at 29% completion...
15:15:02 [INFO] ControlService(STOP) on NETLOGON returned 1(gle=0)
15:15:02 [INFO] DsRolepWaitForService: waiting for NETLOGON to enter one of 7 states
15:15:02 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=3
15:15:03 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=1
15:15:03 [INFO] DsRolepWaitForService: exiting because NETLOGON entered STOPPED state
15:15:03 [INFO] DsRolepWaitForService(for any end state) on NETLOGON service returned 0
15:15:03 [INFO] ControlService(STOP) on NETLOGON returned 0(gle=1062)
15:15:03 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state
15:15:03 [INFO] StopService on NETLOGON returned 0
15:15:03 [INFO] Configuring service NETLOGON to 1 returned 0
15:15:03 [INFO] Stopped NETLOGON
15:15:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:03 [INFO] vDC Cloning: Winlogon UI Notification #13: Domain Controller cloning is at 30% completion...

Configure the DFSR/NTFRS services to run automatically
Delete their existing database files to force non-authoritative sync of SYSVOL when the service next starts

15:15:03 [INFO] Configuring service DFSR
15:15:03 [INFO] Configuring service DFSR to 256 returned 0
15:15:03 [INFO] Configuring service NTFRS
15:15:03 [INFO] Configuring service NTFRS to 256 returned 0
15:15:03 [INFO] Removing DFSR Database files for SysVol
15:15:03 [INFO] Removing FRS Database files in C:\Windows\ntfrs\jet
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edb.log
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbres00001.jrs
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbres00002.jrs
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbtmp.log
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\ntfrs.jdb
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\sys\edb.chk
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\temp\tmp.edb
15:15:04 [INFO] Created system volume path
15:15:04 [INFO] Configuring service DFSR
15:15:04 [INFO] Configuring service DFSR to 128 returned 0
15:15:04 [INFO] Configuring service NTFRS
15:15:04 [INFO] Configuring service NTFRS to 128 returned 0
15:15:04 [INFO] vDC Cloning: Winlogon UI Notification #14: Domain Controller cloning is at 40% completion...
15:15:04 [INFO] vDC Cloning: Set vDCCloningUpdate event.

Start the promotion process using the existing NTDS database file
Contact the RID Master

Note: The AD DS service is not actually installed here; this is legacy instrumentation in the log.

15:15:04 [INFO] Installing the Directory Service
15:15:04 [INFO] Calling NtdsInstall for root.fabrikam.com
15:15:04 [INFO] Starting Active Directory Domain Services installation
15:15:04 [INFO] Validating user supplied options
15:15:04 [INFO] Determining a site in which to install
15:15:04 [INFO] Examining an existing forest...
15:15:04 [INFO] Starting a replication cycle between DC1.root.fabrikam.com and the RID operations master (2008r2-01.root.fabrikam.com), so that the new replica will be able to create users, groups, and computer objects...
15:15:04 [INFO] Configuring the local computer to host Active Directory Domain Services
15:15:04 [INFO] EVENTLOG (Warning): NTDS General / Service Control : 1539 Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk. Hard disk: c: Data might be lost during system failures.
15:15:10 [INFO] EVENTLOG (Informational): NTDS General / Internal Processing : 2041 Duplicate event log entries were suppressed. See the previous event log entry for details. An entry is considered a duplicate if the event code and all of its insertion parameters are identical. The time period for this run of duplicates is from the time of the previous event to the time of this event. Event Code: 80000603 Number of duplicate entries: 2
15:15:10 [INFO] EVENTLOG (Informational): NTDS General / Internal Configuration : 2121 This Active Directory Domain Services server is disabling the Recycle Bin. Deleted objects may not be undeleted at this time.

Change the existing invocation ID that existed in the source computer's database
Create a new NTDS Settings object for this clone
Replicate in AD object delta from the partner domain controller

Note: Even though all objects are listed as replicated, this is just metadata needed to subsume the updates. All the unchanged objects in the cloned NTDS database already exist and do not require replication again, just like using IFM-based promotion.

15:15:10 [INFO] EVENTLOG (Informational): NTDS Replication / Replication : 1109 The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows: InvocationID attribute (old value): 24e7b22f-4706-402d-9b4f-f2690f730b40 InvocationID attribute (new value): f74cefb2-89c2-442c-b1ba-3234b0ed62f8 Update sequence number: 20520 The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.
15:15:10 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168 Internal error: An Active Directory Domain Services error has occurred. Additional Data Error value (decimal): 2 Error value (hex): 2 Internal ID: 7011658
15:15:11 [INFO] Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC DC1.root.fabrikam.com...
15:15:11 [INFO] Replicating the schema directory partition
15:15:11 [INFO] Replicated the schema container.
15:15:12 [INFO] Active Directory Domain Services updated the schema cache.
15:15:12 [INFO] Replicating the configuration directory partition
15:15:12 [INFO] Replicating data CN=Configuration,DC=root,DC=fabrikam,DC=com: Received 2612 out of approximately 2612 objects and 94 out of approximately 94 distinguished name (DN) values...
15:15:12 [INFO] Replicated the configuration container.
15:15:13 [INFO] Replicating critical domain information...
15:15:13 [INFO] Replicating data DC=root,DC=fabrikam,DC=com: Received 109 out of approximately 109 objects and 35 out of approximately 35 distinguished name (DN) values...
15:15:13 [INFO] Replicated the critical objects in the domain container.

Populate the GC partitions as needed with any missing updates
Complete the critical AD DS portion of the promotion

15:15:13 [INFO] EVENTLOG (Informational): NTDS General / Global Catalog : 1110 Promotion of this domain controller to a global catalog will be delayed for the following interval. Interval (minutes): 5 This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide.
15:15:14 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1000 Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0
15:15:15 [INFO] Creating new domain users, groups, and computer objects
15:15:16 [INFO] Completing Active Directory Domain Services installation
15:15:16 [INFO] NtdsInstall for root.fabrikam.com returned 0
15:15:16 [INFO] DsRolepInstallDs returned 0
15:15:16 [INFO] Installed Directory Service

Complete the inbound replication of SYSVOL

15:15:16 [INFO] vDC Cloning: Winlogon UI Notification #15: Domain Controller cloning is at 60% completion...
15:15:16 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Completed system volume replication
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #16: Domain Controller cloning is at 70% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] SetProductType to 2 [LanmanNT] returned 0
15:15:18 [INFO] Set the product type
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #17: Domain Controller cloning is at 71% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #18: Domain Controller cloning is at 72% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Set the system volume path for NETLOGON
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #19: Domain Controller cloning is at 73% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Replicating non critical information
15:15:18 [INFO] User specified to not replicate non-critical data
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #20: Domain Controller cloning is at 80% completion...
15:15:18 [INFO] Stopped the DS
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #21: Domain Controller cloning is at 90% completion...
15:15:18 [INFO] Configuring service NTDS
15:15:18 [INFO] Configuring service NTDS to 16 returned 0

Enable client DNS registration

15:15:18 [INFO] vDC Cloning: Set DisableDynamicUpdate reg value to 0 to enaable dynamic DNS records registration.
15:15:18 [INFO] vDC Cloning: Set UseDynamicDns reg value to 1 to enable dynamic DNS records registration.
15:15:18 [INFO] vDC Cloning: Set RegistrationEnabled reg value to 1 to enable dynamic DNS records registration.

Run the SYSPREP modules specified by the DefaultDCCloneAllowList.xml <SysprepInformation> element.

15:15:18 [INFO] vDC Cloning: Running sysprep providers.
15:15:32 [INFO] vDC Cloning: Completed running sysprep providers.

Cloning promotion is complete
Remove the DSRM boot flag so the server boots normally next time
Rename the dccloneconfig.xml so that it is not read again at next bootup
Restart the computer

15:15:32 [INFO] The attempted domain controller operation has completed
15:15:32 [INFO] Updating service status to 4
15:15:32 [INFO] DsRolepSetOperationDone returned 0
15:15:32 [INFO] vDC Cloning: Set vDCCloningComplete event.
15:15:32 [INFO] vDC Cloneing: Clearing Boot into DSRM flag succeeded.
15:15:32 [INFO] vDC Cloning: Winlogon UI Notification #22: Cloning Domain Controller succeeded. Now rebooting...
15:15:33 [INFO] vDC Cloning: Renamed vDC clone configuration file.
15:15:33 [INFO] vDC Cloning: The old name is: C:\Windows\NTDS\DCCloneConfig.xml
15:15:33 [INFO] vDC Cloning: The new name is: C:\Windows\NTDS\DCCloneConfig.20120207-151533.xml
15:15:34 [INFO] vDC Cloning: Release Ipv4 on interface 'Wired Ethernet Connection 2', result=0.
15:15:34 [INFO] vDC Cloning: Release Ipv6 on interface 'Wired Ethernet Connection 2', result=0.
15:15:34 [INFO] Rebooting machine
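The Winlogon UI Notification entries above are the quickest way to see how far a clone got before it stalled or failed, and the gap between two consecutive notifications shows which phase consumed the time (in this log, the sysprep providers between 15:15:18 and 15:15:32). The following PowerShell function is an added example, not part of this guide or of the cloning feature itself: it parses those entries, reports the last percentage reached, whether the success notification and the DCCloneConfig.xml rename were logged, and which phase took longest. The function name is the author's own; the sample lines are constructed from the excerpt above, and reading %SystemRoot%\debug\dcpromo.log on a real clone is the assumed location of the log.

```powershell
# Added example, not from the UTG: summarize "vDC Cloning" progress in a dcpromo.log.
function Get-VdcCloningProgress {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$LogLines
    )

    # Each progress notification carries a step number and, usually, a percentage.
    $notifyPattern = '^(?<time>\d{2}:\d{2}:\d{2}) \[INFO\] vDC Cloning: Winlogon UI Notification #(?<step>\d+): (?<text>.+)$'

    $steps = @(foreach ($line in $LogLines) {
        if ($line -match $notifyPattern) {
            # Copy the fields first: a second -match below overwrites $Matches.
            $time = $Matches['time']; $step = [int]$Matches['step']; $text = $Matches['text']
            $percent = if ($text -match '(?<pct>\d+)% completion') { [int]$Matches['pct'] } else { $null }
            [pscustomobject]@{
                Time    = [datetime]::ParseExact($time, 'HH:mm:ss', [cultureinfo]::InvariantCulture)
                Step    = $step
                Percent = $percent
                Text    = $text
            }
        }
    })

    # The longest gap between two notifications is where cloning spent its time.
    $slowest = $null
    for ($i = 1; $i -lt $steps.Count; $i++) {
        $gap = $steps[$i].Time - $steps[$i - 1].Time
        if ($null -eq $slowest -or $gap -gt $slowest.Gap) {
            $slowest = [pscustomobject]@{ FromStep = $steps[$i - 1].Step; ToStep = $steps[$i].Step; Gap = $gap }
        }
    }

    [pscustomobject]@{
        Notifications = $steps.Count
        LastPercent   = @($steps | Where-Object { $null -ne $_.Percent })[-1].Percent
        Succeeded     = [bool]($steps | Where-Object { $_.Text -like 'Cloning Domain Controller succeeded*' })
        ConfigRenamed = [bool]($LogLines | Where-Object { $_ -like '*Renamed vDC clone configuration file*' })
        SlowestPhase  = $slowest
    }
}

# Constructed sample taken from the cloning log shown in this guide. On a real clone use
# Get-Content "$env:SystemRoot\debug\dcpromo.log" instead (assumed default log location).
$sample = @'
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #10: Domain Controller cloning is at 26% completion...
15:15:04 [INFO] vDC Cloning: Winlogon UI Notification #14: Domain Controller cloning is at 40% completion...
15:15:16 [INFO] vDC Cloning: Winlogon UI Notification #15: Domain Controller cloning is at 60% completion...
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #21: Domain Controller cloning is at 90% completion...
15:15:18 [INFO] vDC Cloning: Running sysprep providers.
15:15:32 [INFO] vDC Cloning: Completed running sysprep providers.
15:15:32 [INFO] vDC Cloning: Winlogon UI Notification #22: Cloning Domain Controller succeeded. Now rebooting...
15:15:33 [INFO] vDC Cloning: Renamed vDC clone configuration file.
'@ -split "`r?`n"

Get-VdcCloningProgress -LogLines $sample | Format-List
```

On the constructed sample the result is five notifications, a last percentage of 90, Succeeded and ConfigRenamed both true, and a slowest phase of 14 seconds between steps 21 and 22. On a clone that never finishes, the absence of the success notification together with the last percentage tells you which of the steps described above to look at in dcpromo.log.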

Active Directory Web Services Event Log


While cloning is occurring, the NTDS.DIT database is often offline for extended periods. The ADWS service logs at least one event for this. After cloning is complete, the ADWS service starts, notes that there is not yet a valid computer certificate (there may or may not be one, depending on whether your environment deploys a Microsoft PKI with auto-enrollment) and then starts the instance for the new domain controller.

Event ID: 1202
Source: ADWS Instance Events
Message: This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically. Directory instance: NTDS Directory instance LDAP port: 389 Directory instance SSL port: 636

Event ID: 1000
Source: ADWS Instance Events
Message: Active Directory Web Services is starting

Event ID: 1008
Source: ADWS Instance Events
Message: Active Directory Web Services has successfully reduced its security privileges

Event ID: 1100
Source: ADWS Instance Events
Message: The values specified in the <appsettings> section of the configuration file for Active Directory Web Services have been loaded without errors.

Event ID: 1400
Source: ADWS Certificate Events
Message: Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine. Certificate name: <Server FQDN>

Event ID: 1100
Source: ADWS Instance Events
Message: The values specified in the <appsettings> section of the configuration file for Active Directory Web Services have been loaded without errors.

Event ID: 1200
Source: ADWS Instance Events
Message: Active Directory Web Services is now servicing the specified directory instance. Directory instance: NTDS Directory instance LDAP port: 389 Directory instance SSL port: 636

DNS Server Event Log


The DNS service will experience brief expected outages while cloning occurs, as the DNS service is still running while the AD DS database is offline. This occurs if using Active Directory Integrated DNS, but not if using Standard Primary or Secondary DNS. These errors log multiple times. After cloning completes, DNS comes back online normally.

Event ID: 4013
Source: DNS-ServerService
Message: The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

Event ID: 4015
Source: DNS-ServerService
Message: The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

Event ID: 4000
Source: DNS-ServerService
Message: The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Event ID: 4013
Source: DNS-ServerService
Message: The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

Event ID: 2
Source: DNS-ServerService
Message: The DNS server has started.

Event ID: 4
Source: DNS-ServerService
Message: The DNS server has finished the background loading of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.

File Replication Service Event Log


The File Replication Service synchronizes non-authoritatively from a partner during cloning. Cloning accomplishes this by deleting the NTFRS database files and leaving the contents of SYSVOL untouched, for use as pre-seeded data. The two attempts to synchronize are expected.

Event ID: 13562
Source: NtFrs
Message: Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller DC2.root.fabrikam.com for FRS replica set configuration information. Could not bind to a Domain Controller. Will try again at next polling cycle

Event ID: 13502
Source: NtFrs
Message: The File Replication Service is stopping.

Event ID: 13565
Source: NtFrs
Message: File Replication Service is initializing the system volume with data from another domain controller. Computer DC2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL. To check for the SYSVOL share, at the command prompt, type: net share When File Replication Service completes the initialization process, the SYSVOL share will appear. The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

Event ID: 13501
Source: NtFrs
Message: The File Replication Service is starting

Event ID: 13502
Source: NtFrs
Message: The File Replication Service is stopping.

Event ID: 13503
Source: NtFrs
Message: The File Replication Service has stopped.

Event ID: 13565
Source: NtFrs
Message: File Replication Service is initializing the system volume with data from another domain controller. Computer DC2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL. To check for the SYSVOL share, at the command prompt, type: net share When File Replication Service completes the initialization process, the SYSVOL share will appear. The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

Event ID: 13501
Source: NtFrs
Message: The File Replication Service is starting.

Event ID: 13553
Source: NtFrs
Message: The File Replication Service successfully added this computer to the following replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" Information related to this event is shown below: Computer DNS name is <Domain Controller FQDN> Replica set member name is <Domain Controller> Replica set root path is <path> Replica staging directory path is <path> Replica working directory path is <path>

Event ID: 13520
Source: NtFrs
Message: The File Replication Service moved the preexisting files in <path> to <path>\NtFrs_PreExisting___See_EventLog. The File Replication Service may delete the files in <path>\NtFrs_PreExisting___See_EventLog at any time. Files can be saved from deletion by copying them out of <path>\NtFrs_PreExisting___See_EventLog. Copying the files into c:\windows\sysvol\domain may lead to name conflicts if the files already exist on some other replicating partner. In some cases, the File Replication Service may copy a file from <path>\NtFrs_PreExisting___See_EventLog into <path> instead of replicating the file from some other replicating partner. Space can be recovered at any time by deleting the files in <path>\NtFrs_PreExisting___See_EventLog.

Event ID: 13508
Source: NtFrs
Message: The File Replication Service is having trouble enabling replication from \\<Domain Controller FQDN> to <Domain Controller> for <path> using the DNS name \\<Domain Controller FQDN>. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name \\<Domain Controller FQDN> from this computer. [2] FRS is not running on \\<Domain Controller FQDN>. [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

Event ID: 13509
Source: NtFrs
Message: The File Replication Service has enabled replication from \\<Domain Controller FQDN> to <Domain Controller> for <Path> after repeated retries.

Event ID: 13516
Source: NtFrs
Message: The File Replication Service is no longer preventing the computer <Domain Controller> from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL. Type "net share" to check for the SYSVOL share.

DFS Replication Event Log


The DFSR service synchronizes non-authoritatively from a partner during cloning. Cloning accomplishes this by deleting the DFSR database files and leaving the contents of SYSVOL untouched, for use as pre-seeded data. The two attempts to synchronize are expected.

Event ID: 1004
Source: DFSR
Message: The DFS Replication service has started.

Event ID: 1314
Source: DFSR
Message: The DFS Replication service successfully configured the debug log files. Additional Information: Debug Log File Path: C:\Windows\debug

Event ID: 6102
Source: DFSR
Message: The DFS Replication service has successfully registered the WMI provider

Event ID: 1206
Source: DFSR
Message: The DFS Replication service successfully contacted domain controller DC2.corp.contoso.com to access configuration information.

Event ID: 1210
Source: DFSR
Message: The DFS Replication service successfully set up an RPC listener for incoming replication requests. Additional Information: Port: 0

Event ID: 4614
Source: DFSR
Message: The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers. Additional Information: Replicated Folder Name: SYSVOL Share Replicated Folder ID: <GUID> Replication Group Name: Domain System Volume Replication Group ID: <GUID> Member ID: <GUID> Read-Only: 0

Event ID: 4604
Source: DFSR
Message: The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member has completed initial synchronization of SYSVOL with partner dc1.corp.contoso.com. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share". Additional Information: Replicated Folder Name: SYSVOL Share Replicated Folder ID: <GUID> Replication Group Name: Domain System Volume Replication Group ID: <GUID> Member ID: <GUID> Sync partner: <domain controller FQDN>
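Both the FRS and the DFSR sections above describe the same pattern: the replication engine first reports that it is waiting for initial synchronization (13565 for FRS, 4614 for DFSR) and then that SYSVOL is initialized (13516 for FRS, 4604 for DFSR), after which "net share" shows the SYSVOL and NETLOGON shares. The following PowerShell function is an added example, not part of this guide, that checks exactly that on a freshly cloned (or safely restored) domain controller. The function name is the author's own; it assumes it runs elevated on the domain controller, that the event log display names are the ones listed in this guide, and that Get-SmbShare is available (it is part of Windows Server 2012).

```powershell
# Added example, not from the UTG: verify that the non-authoritative SYSVOL
# synchronization triggered by cloning (or by a safe restore) has completed.
function Test-SysvolInitialized {
    param([datetime]$Since = (Get-Date).AddHours(-2))

    # Event IDs are those shown in the FRS and DFSR event tables of this guide.
    # Both logs are checked: a running service alone does not say which engine owns SYSVOL.
    $engines = @(
        @{ Name = 'NtFrs'; LogName = 'File Replication Service'; Waiting = 13565; Done = 13516 }
        @{ Name = 'DFSR';  LogName = 'DFS Replication';          Waiting = 4614;  Done = 4604 }
    )

    $engineStatus = foreach ($e in $engines) {
        # -ErrorAction SilentlyContinue: Get-WinEvent raises a non-terminating error when no event matches.
        $events = @(Get-WinEvent -FilterHashtable @{
                LogName = $e.LogName; Id = @($e.Waiting, $e.Done); StartTime = $Since
            } -ErrorAction SilentlyContinue | Sort-Object TimeCreated)
        $last = if ($events.Count -gt 0) { $events[-1] } else { $null }
        $state = if (-not $last) { 'no events' } elseif ($last.Id -eq $e.Done) { 'initialized' } else { 'waiting for initial sync' }
        [pscustomobject]@{
            Engine         = $e.Name
            ServiceRunning = (Get-Service -Name $e.Name -ErrorAction SilentlyContinue).Status -eq 'Running'
            LastState      = $state
            LastEventTime  = if ($last) { $last.TimeCreated } else { $null }
        }
    }

    # The events tell you to run "net share"; Get-SmbShare is the PowerShell equivalent.
    $shares = @(Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue | ForEach-Object Name)

    [pscustomobject]@{
        Engines        = @($engineStatus)
        SysvolShared   = 'SYSVOL' -in $shares
        NetlogonShared = 'NETLOGON' -in $shares
        Healthy        = [bool]($engineStatus | Where-Object { $_.LastState -eq 'initialized' }) -and
                         ('SYSVOL' -in $shares) -and ('NETLOGON' -in $shares)
    }
}

$result = Test-SysvolInitialized
$result | Format-List
$result.Engines | Format-Table -AutoSize
```

A domain controller whose owning engine is still in the "waiting for initial sync" state after the two expected attempts, or one where the last event is an initialization but SYSVOL is not shared, is the case to investigate with the FRS or DFSR event log itself; the 13508 (FRS) and 4614 (DFSR) messages above list the usual causes.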

Troubleshooting VDC Safe Restore


Tools for Troubleshooting

Logging Options

The built-in logs are the most important tool for troubleshooting issues with domain controller safe snapshot restore. All of these logs are enabled and configured for maximum verbosity by default.

Operation: Snapshot creation
Log: Event viewer\Applications and services logs\Microsoft\Windows\Hyper-V-Worker

Operation: Snapshot restore
Logs:
Event viewer\Applications and services logs\Directory Service
Event viewer\Windows logs\System
Event viewer\Windows logs\Application
Event viewer\Applications and services logs\File Replication Service
Event viewer\Applications and services logs\DFS Replication
Event viewer\Applications and services logs\DNS
Event viewer\Applications and services logs\Microsoft\Windows\Hyper-V-Worker

Tools and Commands for Troubleshooting Domain Controller Configuration


To troubleshoot issues not explained by the logs, use the following tools as a starting point:
Dcdiag.exe
Repadmin.exe
Network Monitor 3.4 (or a third party network capture and analysis tool)

More Information: For more information and downloads, see:
Netmon: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=4865

General Methodology for Troubleshooting Domain Controller Safe Restore


1. Is the safe snapshot restore expected, but having issues?
   a. Examine the Directory Services event log
      i. Are there snapshot restore errors?
      ii. Are there AD replication errors?
   b. Examine the System event log
      i. Are there communications errors?
      ii. Are there AD errors?
2. Is the safe snapshot restore unexpected?
   a. Examine the hypervisor audit logs to determine who or what caused a rollback
   b. Contact all administrators of the hypervisor and interrogate them as to who rolled back the VM without notification
3. Is the server implementing USN rollback protection and not safely restoring?
   a. Examine the Directory Services event log for an unsupported hypervisor
   b. Examine the OS and validate that it is running Windows Server "8" Beta

Important: Contact Microsoft Beta Product Support when you have exhausted these avenues.
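Steps 1 and 2 of the methodology above come down to reading the Directory Services event log for the safe restore events and, when the restore was not expected, reading the hypervisor's own log. The following PowerShell is an added example, not part of this guide: the first function pulls the safe restore events listed in the "Troubleshooting Specific Problems" section below out of the Directory Service log, annotates each with a short meaning paraphrased from that section, and flags the four error events that require manual action; the second queries the Hyper-V host for snapshot activity. Both function names are the author's own. The example assumes it runs elevated, and the channel name Microsoft-Windows-Hyper-V-Worker-Admin is an assumption for the Hyper-V-Worker log this guide refers to; that log is read on the host, not inside the restored VM.

```powershell
# Added example, not from the UTG: first-pass triage of a VDC safe restore.
# Meanings are paraphrased from the event table in this guide.
$SafeRestoreEvents = @{
    2170 = 'Generation ID change detected; a success event if the snapshot restore was expected'
    2174 = 'Not a clone and not a restored snapshot (normal startup)'
    2181 = 'Transaction aborted because the VM was reverted'
    2185 = 'FRS/DFSR stopped to begin a non-authoritative SYSVOL restore'
    2186 = 'ERROR: FRS/DFSR could not be stopped; perform the non-authoritative SYSVOL restore manually'
    2187 = 'FRS/DFSR restarted; SYSVOL is replaced with a partner copy'
    2188 = 'ERROR: FRS/DFSR could not be started; restore SYSVOL manually and restart the service'
    2189 = 'Registry values set for the non-authoritative SYSVOL restore'
    2190 = 'ERROR: registry values could not be set; look for third party software blocking registry updates'
    2200 = 'Inbound AD replication started'
    2201 = 'Inbound AD replication finished'
    2202 = 'ERROR: inbound replication failed; check DS and System logs, force replication with repadmin.exe'
    2204 = 'Generation ID change: new invocation ID, RID pool invalidated, FSMO ownership re-validated'
}
$ManualActionIds = 2186, 2188, 2190, 2202

function Get-VdcSafeRestoreTriage {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # Get-WinEvent raises a non-terminating error when nothing matches, hence SilentlyContinue.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = @($SafeRestoreEvents.Keys)
            StartTime = $Since
        } -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

    $timeline = foreach ($e in $events) {
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Id           = $e.Id
            Level        = $e.LevelDisplayName
            Meaning      = $SafeRestoreEvents[$e.Id]
            ManualAction = $e.Id -in $ManualActionIds
        }
    }

    $ids = @($events | ForEach-Object Id)
    [pscustomobject]@{
        RestoreDetected     = (2170 -in $ids) -or (2204 -in $ids)
        ReplicationFinished = 2201 -in $ids
        SysvolRestarted     = 2187 -in $ids
        ManualActionNeeded  = @($timeline | Where-Object ManualAction)
        Timeline            = @($timeline)
    }
}

# Run on (or against) the Hyper-V host: which snapshot/checkpoint operations were applied, and by whom.
# The channel name below is an assumption for the Hyper-V-Worker log named in this guide.
function Get-HyperVSnapshotEvents {
    param(
        [string]$HostName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    Get-WinEvent -ComputerName $HostName -FilterHashtable @{
        LogName = 'Microsoft-Windows-Hyper-V-Worker-Admin'; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'snapshot|checkpoint' } |
        Select-Object TimeCreated, Id, UserId, Message
}

$triage = Get-VdcSafeRestoreTriage
$triage | Format-List RestoreDetected, ReplicationFinished, SysvolRestarted
$triage.Timeline | Format-Table Time, Id, Level, ManualAction, Meaning -AutoSize
```

A healthy, expected restore shows RestoreDetected true, the 2185/2189/2187 SYSVOL sequence, and 2200 followed by 2201 with nothing under ManualActionNeeded. RestoreDetected true on a domain controller nobody admits to rolling back is the trigger for step 2 of the methodology, which is what the host-side query is for.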

Troubleshooting Specific Problems


Events
All VDC safe snapshot restore events write to the Directory Services event log of the restored domain controller VM. The Application, System, File Replication Service, and DFS Replication event logs may also contain useful troubleshooting information for failed restores. Below are the Windows Server "8" Beta safe restore-specific events in the Directory Services event log.
Event ID: 2170
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Warning
Message: A Generation ID change has been detected. Generation ID cached in DS (old value):%1 Generation ID currently in VM (new value):%2 The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. <COMPUTERNAME> will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.
Notes and resolution: This is a success event if the snapshot was expected. If not, examine the Hyper-V-Worker event log or contact all administrators of the hypervisor.

Event ID: 2174
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: The DC is neither a virtual domain controller clone nor a restored virtual domain controller snapshot.
Notes and resolution: Expected event when starting physical domain controllers or VDCs not restored from snapshot.

Event ID: 2181
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.
Notes and resolution: Expected when restoring a snapshot. Transactions track the VM Generation ID changing.

Event ID: 2185
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: <COMPUTERNAME> stopped the FRS or DFSR service used to replicate the SYSVOL folder. Service name:%1 Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> must initialize a nonauthoritative restore on the local SYSVOL replica. This is performed by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. Event 2187 will be logged when FRS or DFSR service is restarted.
Notes and resolution: Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC's copy.

Event ID: 2186
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to stop the FRS or DFSR service used to replicate the SYSVOL folder. Service name:%1 Error code:%2 Error message:%3 Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> must initialize a nonauthoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR replication service used to replicate the SYSVOL folder and then starting it with the appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to stop the current running service and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution: Examine the System, FRS and DFSR event logs for further information.

Event ID: 2187
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: <COMPUTERNAME> started the FRS or DFSR service used to replicate the SYSVOL folder. Service name:%1 Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needed to initialize a nonauthoritative restore on the local SYSVOL replica. This was done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.
Notes and resolution: Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC's copy.

Event ID: 2188
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to start the FRS or DFSR service used to replicate the SYSVOL folder. Service name:%1 Error code:%2 Error message:%3 Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a nonauthoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL and starting it with appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to start the FRS or DFSR service used to replicate the SYSVOL folder and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually and restart the service. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution: Examine the System, FRS and DFSR event logs for further information.

Event ID: 2189
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: <COMPUTERNAME> set the following registry values to initialize SYSVOL replica during a non-authoritative restore: Registry Key:%1 Registry Value: %2 Registry Value data: %3 Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a nonauthoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.
Notes and resolution: Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC's copy.

Event ID: 2190
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to set the following registry values to initialize the SYSVOL replica during a non-authoritative restore: Registry Key:%1 Registry Value: %2 Registry Value data: %3 Error code:%4 Error message:%5 Active Directory detected that the virtual machine that hosts the domain controller role was reverted to a previous state. <COMPUTERNAME> needs to initialize a nonauthoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to set the above registry values and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution: Examine Application and System event logs. Investigate third party applications that may be blocking registry updates.

Event ID: 2200
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> initializes replication to bring the domain controller current. Event 2201 will be logged when the replication is finished.
Notes and resolution: Expected when restoring a snapshot. Marks the beginning of inbound AD replication.

Event ID: 2201
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> has finished replication to bring the domain controller current.
Notes and resolution: Expected when restoring a snapshot. Marks the end of inbound AD replication.

Event ID: 2202
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> failed replication to bring the domain controller up-to-date. The domain controller will be updated after next periodic replication.
Notes and resolution: Examine the Directory Services and System event logs. Use repadmin.exe to attempt forcing replication and note any failures.

Event ID: 2204
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: <COMPUTERNAME> has detected a change of virtual machine generation ID. The change means that the virtual domain controller has been reverted to a previous state. <COMPUTERNAME> will perform the following operations to protect the reverted domain controller against possible data divergence and to protect creation of security principals with duplicate SIDs: Create a new invocation ID. Invalidate current RID pool. Ownership of the FSMO roles will be validated at next inbound replication. During this window if the domain controller held a FSMO role, that role will be unavailable. Start SYSVOL replication service restore operation. Start replication to bring the reverted domain controller to the most current state. Request a new RID pool.
Notes and resolution: Expected when restoring a snapshot. This explains all the various reset operations that will occur as part of the safe restore process.

Event ID: 2205
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: <COMPUTERNAME> invalidated current RID pool after virtual domain controller was reverted to previous state.
Notes and resolution: Expected when restoring a snapshot. The local RID pool must be destroyed because the domain controller has travelled back in time and the RIDs in that pool may already have been issued.

Event ID: 2206
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to invalidate current RID pool after virtual domain controller was reverted to previous state. Additional data: Error code: %1 Error value: %2
Notes and resolution: Examine the Directory Services and System event logs. Validate that the RID Master is online and can be reached from this server using Dcdiag.exe /test:ridmanager.

Event ID: 2207
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to restore after virtual domain controller was reverted to previous state. A reboot into DSRM was requested. Please check previous events for more information. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution: Examine the Directory Services and System event logs.

Event ID: 2208
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: <COMPUTERNAME> deleted DFSR databases to initialize SYSVOL replica during a nonauthoritative restore.
Notes and resolution: Expected when restoring a snapshot. This guarantees that DFSR non-authoritatively synchronizes SYSVOL from a partner DC. Note that any other DFSR replicated folders on the same volume as SYSVOL will also non-authoritatively sync (hosting custom DFSR replicated folders on the same volume as SYSVOL on a domain controller is not recommended).

Event ID: 2209
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to delete DFSR databases. Additional data: Error code: %1 Error value: %2 Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a nonauthoritative restore on the local SYSVOL replica. For DFSR, this is done by stopping the DFSR service, deleting DFSR databases, and re-starting the service. Upon restarting DFSR will rebuild the databases and start the initial sync.
Notes and resolution: Examine the DFSR event log.

Error Messages
There are no direct interactive errors for a failed VDC safe snapshot restore; all safe restore information is logged in the Directory Services event log. Naturally, any critical replication or server advertising errors manifest themselves as symptoms elsewhere.
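Because every safe restore step and failure surfaces only as a Directory Services event, the first triage pass is to pull those events and map each one back to the notes in the table above. The following PowerShell is an added example, not code from this guide: the function names, the catalog wording and the sample events are constructed for illustration, and the Windows log name 'Directory Service' is assumed for the log the guide calls the Directory Services event log. Only the event IDs and the provider name come from the tables in this section.

```powershell
# Added example, not part of the guide. Catalog of the safe restore events described
# in this section: which are expected and, for errors, what the guide says to check first.
$VdcSafeRestoreCatalog = @{
    2170 = @{ Kind = 'Expected'; Note = 'VM-Generation ID change detected; a new invocation ID follows.' }
    2181 = @{ Kind = 'Expected'; Note = 'Transaction aborted because the VM was reverted; normal during a restore.' }
    2179 = @{ Kind = 'Expected'; Note = 'msDS-GenerationId on the computer object updated.' }
    2185 = @{ Kind = 'Expected'; Note = 'FRS/DFSR service stopped for the non-authoritative SYSVOL restore.' }
    2187 = @{ Kind = 'Expected'; Note = 'FRS/DFSR service restarted; SYSVOL will sync from a partner.' }
    2188 = @{ Kind = 'Error';    Note = 'Examine the System, FRS and DFSR logs; restore SYSVOL non-authoritatively by hand.' }
    2189 = @{ Kind = 'Expected'; Note = 'Registry values set for the non-authoritative SYSVOL restore.' }
    2190 = @{ Kind = 'Error';    Note = 'Examine Application and System logs; look for third-party software blocking registry updates.' }
    2200 = @{ Kind = 'Expected'; Note = 'Inbound AD replication started.' }
    2201 = @{ Kind = 'Expected'; Note = 'Inbound AD replication finished.' }
    2202 = @{ Kind = 'Error';    Note = 'Examine Directory Services and System logs; force replication with repadmin.exe and note failures.' }
    2204 = @{ Kind = 'Expected'; Note = 'Summary of the reset operations the safe restore performs.' }
    2205 = @{ Kind = 'Expected'; Note = 'RID pool invalidated.' }
    2206 = @{ Kind = 'Error';    Note = 'Check the RID Master is online and reachable: dcdiag.exe /test:ridmanager.' }
    2207 = @{ Kind = 'Error';    Note = 'Safe restore failed and a DSRM reboot was requested; read the preceding error events.' }
    2208 = @{ Kind = 'Expected'; Note = 'DFSR databases deleted; SYSVOL (and any other replicated folder on that volume) resyncs.' }
    2209 = @{ Kind = 'Error';    Note = 'Examine the DFSR event log.' }
}

# Pull the catalogued events from the live log (log and provider names assumed as noted above).
function Get-VdcSafeRestoreEvent {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        Id           = [int[]]$VdcSafeRestoreCatalog.Keys
        StartTime    = $Since
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, Message
}

# Annotate each event with its catalog entry and decide whether the restore completed cleanly.
function Get-VdcSafeRestoreTriage {
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$Events)
    $rows = foreach ($e in ($Events | Sort-Object TimeCreated)) {
        $entry = $VdcSafeRestoreCatalog[[int]$e.Id]
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Kind        = if ($entry) { $entry.Kind } else { 'Unknown' }
            NextStep    = if ($entry) { $entry.Note } else { 'Not a safe restore event listed in this section.' }
        }
    }
    [pscustomobject]@{
        Rows              = $rows
        ReplicationDone   = [bool]($rows | Where-Object Id -eq 2201)
        SysvolRestarted   = [bool]($rows | Where-Object Id -eq 2187)
        DsrmRebootRequest = [bool]($rows | Where-Object Id -eq 2207)
        Errors            = @($rows | Where-Object Kind -eq 'Error')
    }
}

# Constructed sample: a restore in which DFSR database deletion failed (2209), so 2187 never follows.
$t0 = Get-Date '2012-02-01 08:00:00'
$sample = @(2170, 2204, 2205, 2181, 2200, 2201, 2185, 2209, 2207) |
    ForEach-Object -Begin { $i = 0 } -Process {
        $i++
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds($i * 5); Id = $_; Message = "constructed sample event $_" }
    }
$triage = Get-VdcSafeRestoreTriage -Events $sample
$triage.Rows | Format-Table TimeCreated, Id, Kind, NextStep -AutoSize
"Replication finished: $($triage.ReplicationDone); SYSVOL service restarted: $($triage.SysvolRestarted); DSRM reboot requested: $($triage.DsrmRebootRequest)"
$triage.Errors | ForEach-Object { "Event $($_.Id): $($_.NextStep)" }
```

On a live domain controller, replace the constructed sample with `Get-VdcSafeRestoreTriage -Events (Get-VdcSafeRestoreEvent -Since (Get-Date).AddHours(-2))`. The three boolean flags answer the questions the event table poses in order: did inbound replication finish (2201), did the SYSVOL service come back (2187), and did the restore give up and ask for DSRM (2207).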


Known/Likely Issues and Support Scenarios

The following are common issues seen during the Windows Server "8" Beta development process. All of these issues are "by design" and have either a valid workaround or a more appropriate technique to avoid them in the first place. Some may be resolved in later releases of Windows Server "8". The General Methodology for Troubleshooting Domain Controller Safe Restore section and the events listed in Troubleshooting Specific Problems are usually adequate to troubleshoot most issues.

Issue: Cannot create new security principals on a recently safe-restored domain controller
Symptoms: After restoring a snapshot, attempts to create a new security principal (user, computer, group) on that domain controller fail with: Error 0x2010 The directory service was unable to allocate a relative identifier.
Resolution and Notes: This issue is caused by the restored computer's stale knowledge of the RID Master FSMO role. If the role moved to this or another domain controller after a snapshot was taken and then later restored, the restored domain controller will not have knowledge of the RID Master until initial replication has completed. To resolve the issue, allow AD replication to complete inbound to the restored domain controller. If it is still not working, validate that all domain controllers have the same correct knowledge of which DC hosts the RID Master.
Figure 57
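The last step of the resolution above, confirming that every domain controller agrees on who holds the RID Master, is easy to get wrong if you only query one DC, because the stale view lives on the restored DC itself. The following PowerShell is an added example, not from this guide: it asks each DC directly for its own view of the RID Master and reports outliers. `Compare-RidMasterView` is a pure comparison that runs offline on constructed data; `Get-RidMasterView` needs the ActiveDirectory module and a domain-joined session. The function names and the sample DC names are assumptions.

```powershell
# Added example, not part of the guide: does every DC report the same RID Master?

# Compare the RID Master each DC reports. Input shape: @{ 'dc1.corp.contoso.com' = 'dc2.corp.contoso.com'; ... }
function Compare-RidMasterView {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable]$ViewByDc)
    $groups = $ViewByDc.GetEnumerator() | Group-Object -Property Value | Sort-Object Count -Descending
    [pscustomobject]@{
        Consistent   = ($groups.Count -eq 1)
        MajorityView = $groups[0].Name
        Outliers     = @($groups | Select-Object -Skip 1 | ForEach-Object {
                            foreach ($entry in $_.Group) { "$($entry.Key) reports $($entry.Value)" } })
    }
}

# Ask each DC directly (Get-ADDomain -Server <that DC>): a query routed through any other DC
# would hide exactly the stale view this issue is about.
function Get-RidMasterView {
    [CmdletBinding()]
    param([string]$Domain = $env:USERDNSDOMAIN)
    Import-Module ActiveDirectory -ErrorAction Stop
    $view = @{}
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try   { $view[$dc.HostName] = (Get-ADDomain -Server $dc.HostName).RIDMaster }
        catch { $view[$dc.HostName] = "UNREACHABLE ($($_.Exception.Message))" }
    }
    $view
}

# Constructed sample: dc3 was restored from a snapshot taken before the role moved from dc1 to dc2.
$sample = @{
    'dc1.corp.contoso.com' = 'dc2.corp.contoso.com'
    'dc2.corp.contoso.com' = 'dc2.corp.contoso.com'
    'dc3.corp.contoso.com' = 'dc1.corp.contoso.com'
}
$result = Compare-RidMasterView -ViewByDc $sample
$result
if (-not $result.Consistent) {
    'Let inbound replication to the outlier(s) complete and re-check; dcdiag.exe /test:ridmanager tests RID Master reachability.'
}
```

On a live domain, `Compare-RidMasterView -ViewByDc (Get-RidMasterView)` produces the same report from real data. An "UNREACHABLE" entry is itself a finding: a DC that cannot be queried cannot have replicated in the corrected role ownership either.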


Advanced Troubleshooting
This guide seeks to teach advanced troubleshooting by using working logs as samples, with some explanation of what occurred. If you understand what a successful VDC operation looks like, failures become obvious in your environment. These logs are presented by their source, with the expected events related to a restored domain controller in ascending order within each log.

Restoring a Domain Controller that Replicates SYSVOL Using DFSR


Directory Services Event Log
The Directory Services log contains the majority of safe restore operational information. The hypervisor changes the VM-Generation ID and the NTDS service notes it, then invalidates the RID pool and changes the invocation ID. The new VM-Generation ID is set and the server replicates AD data inbound. The DFSR service is stopped and its database that hosts SYSVOL is deleted, forcing a non-authoritative sync inbound. The USN high watermark is adjusted.
Event ID: 2170
Source: ActiveDirectory_DomainService
Message: A Generation ID change has been detected. Generation ID cached in DS (old value): <number> Generation ID currently in VM (new value): <number> The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. Active Directory Domain Services will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

Event ID: 2181
Source: ActiveDirectory_DomainService
Message: The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.

Event ID: 2204
Source: ActiveDirectory_DomainService
Message: Active Directory Domain Services has detected a change of virtual machine generation ID. The change means that the virtual domain controller has been reverted to a previous state. Active Directory Domain Services will perform the following operations to protect the reverted domain controller against possible data divergence and to protect creation of security principals with duplicate SIDs: Create a new invocation ID. Invalidate current RID pool. Ownership of the FSMO roles will be validated at next inbound replication. During this window if the domain controller held a FSMO role, that role will be unavailable. Start SYSVOL replication service restore operation. Start replication to bring the reverted domain controller to the most current state. Request a new RID pool.

Event ID: 2181
Source: ActiveDirectory_DomainService
Message: The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.

Event ID: 1109
Source: ActiveDirectory_DomainService
Message: The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows: InvocationID attribute (old value): <GUID> InvocationID attribute (new value): <GUID> Update sequence number: <number> The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.

Event ID: 2179
Source: ActiveDirectory_DomainService
Message: The msDS-GenerationId attribute of the Domain Controller's computer object has been set to the following parameter: GenerationID attribute: <number>

Event ID: 2200
Source: ActiveDirectory_DomainService
Message: Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services initializes replication to bring the domain controller current. Event 2201 will be logged when the replication is finished.

Event ID: 2201
Source: ActiveDirectory_DomainService
Message: Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services has finished replication to bring the domain controller current.

Event ID: 2185
Source: ActiveDirectory_DomainService
Message: Active Directory Domain Services stopped the FRS or DFSR service used to replicate the SYSVOL folder. Service name: DFSR Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services must initialize a non-authoritative restore on the local SYSVOL replica. This is performed by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. Event 2187 will be logged when FRS or DFSR service is restarted.

Event ID: 2208
Source: ActiveDirectory_DomainService
Message: Active Directory Domain Services deleted DFSR databases to initialize SYSVOL replica during a non-authoritative restore. Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needs to initialize a non-authoritative restore on the local SYSVOL replica. For DFSR, this is done by stopping the DFSR service, deleting DFSR databases, and re-starting the service. Upon restarting DFSR will rebuild the databases and start the initial sync.

Event ID: 2187
Source: ActiveDirectory_DomainService
Message: Active Directory Domain Services started the FRS or DFSR service used to replicate the SYSVOL folder. Service name: DFSR Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needed to initialize a non-authoritative restore on the local SYSVOL replica. This was done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.

Event ID: 1587
Source: ActiveDirectory_DomainService
Message: This directory service has been restored or has been configured to host an application directory partition. As a result, its replication identity has changed. A partner has requested replication changes using our old identity. The starting sequence number has been adjusted. The destination directory service corresponding to the following object GUID has requested changes starting at a USN that precedes the USN at which the local directory service was restored from backup media. Object GUID: <GUID> (<FQDN of partner domain controller>) USN at the time of restore: <number> As a result, the up-to-dateness vector of the destination directory service has been configured with the following settings. Previous database GUID: <GUID> Previous object USN: <number> Previous property USN: <number> New database GUID: <GUID> New object USN: <number> New property USN: <number>

System Event Log

The System event log notes the machine time change that occurs when an offline virtual machine is brought back online and synchronizes with host time. The RID pool is invalidated and the DFSR or FRS service is restarted.

Event ID: 1
Source: Kernel-General
Message: The system time has changed to <now> from <snapshot time/date>. Change Reason: An application or system component changed the time.

Event ID: 16654
Source: DirectoryServices-SAM
Message: A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases: 1. A domain controller is restored from backup. 2. A domain controller running on a virtual machine is restored from snapshot. 3. An administrator has manually invalidated the pool. See http://go.microsoft.com/fwlink/?LinkId=226247 for more information.

Event ID: 7036
Source: Service Control Manager
Message: The DFS Replication service entered the stopped state.

Event ID: 7036
Source: Service Control Manager
Message: The DFS Replication service entered the running state.

Application Event Log

The Application event log notes the DFSR database stopping and starting.

Event ID: 103
Source: ESENT
Message: DFSRs (1360) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.141, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.016, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

Event ID: 102
Source: ESENT
Message: DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine (6.02.8189.0000) is starting a new instance (0).

Event ID: 105
Source: ESENT
Message: DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000. DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine created a new database (1, \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.016, [4] 0.062, [5] 0.000, [6] 0.016, [7] 0.000, [8] 0.000, [9] 0.015, [10] 0.000, [11] 0.000.

DFS Replication Event Log

The DFSR service is stopped and the database that contains SYSVOL is deleted, forcing a nonauthoritative synchronization inbound.

Event ID: 1006
Source: DFSR
Message: The DFS Replication service is stopping.

Event ID: 1008
Source: DFSR
Message: The DFS Replication service has stopped.

Event ID: 1002
Source: DFSR
Message: The DFS Replication service is starting.

Event ID: 1004
Source: DFSR
Message: The DFS Replication service has started.

Event ID: 1314
Source: DFSR
Message: The DFS Replication service successfully configured the debug log files. Additional Information: Debug Log File Path: C:\Windows\debug

Event ID: 6102
Source: DFSR
Message: The DFS Replication service has successfully registered the WMI provider.

Event ID: 1206
Source: DFSR
Message: The DFS Replication service successfully contacted domain controller <domain controller FQDN> to access configuration information.

Event ID: 1210
Source: DFSR
Message: The DFS Replication service successfully set up an RPC listener for incoming replication requests. Additional Information: Port: 0

Event ID: 4614
Source: DFSR
Message: The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers. Additional Information: Replicated Folder Name: SYSVOL Share Replicated Folder ID: <GUID> Replication Group Name: Domain System Volume Replication Group ID: <GUID> Member ID: <GUID> Read-Only: 0

Event ID: 4604
Source: DFSR
Message: The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member has completed initial synchronization of SYSVOL with partner dc1.corp.contoso.com. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share". Additional Information: Replicated Folder Name: SYSVOL Share Replicated Folder ID: <GUID> Replication Group Name: Domain System Volume Replication Group ID: <GUID> Member ID: <GUID> Sync partner: <partner domain controller FQDN>
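The logs above are presented one source at a time, but when diagnosing a stalled restore it helps to see the Directory Services, System, Application and SYSVOL replication events as one timeline, so that a gap (for example 2185 with no 2187, or 4614 with no 4604) stands out. The following PowerShell is an added example, not code from this guide. The event IDs are the ones in the tables of this section (including the FRS variant described in the next section); the Windows log names are assumed for the logs the guide refers to by description, and the function names and sample events are constructed.

```powershell
# Added example, not part of the guide: merge the safe restore events from the logs covered in
# this section into a single timeline. Log names are assumed Windows log names.
$VdcRestoreLogFilters = @(
    @{ LogName = 'Directory Service';        Id = 2170, 2181, 2204, 1109, 2179, 2200, 2201, 2185, 2208, 2187, 1587 }
    @{ LogName = 'System';                   Id = 1, 16654, 7036 }
    @{ LogName = 'Application';              Id = 102, 103, 105, 325, 326, 327 }
    @{ LogName = 'DFS Replication';          Id = 1006, 1008, 1002, 1004, 1314, 6102, 1206, 1210, 4614, 4604 }
    @{ LogName = 'File Replication Service'; Id = 13502, 13503, 13501, 13512, 13565, 13520, 13553, 13554, 13516 }
)

# Normalise any event-like object (live Get-WinEvent output or the constructed sample) to timeline rows.
function ConvertTo-VdcTimeline {
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        Where-Object {
            # 7036 fires for every service transition; keep only the SYSVOL replication services.
            $_.Id -ne 7036 -or $_.Message -match 'DFS Replication|File Replication'
        } |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $_.LogName
                Id      = $_.Id
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

# Live collection; a log that is absent (FRS on a DFSR domain, or vice versa) is simply skipped.
function Get-VdcRestoreTimeline {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-6)
    )
    $events = foreach ($f in $VdcRestoreLogFilters) {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable ($f + @{ StartTime = $Since }) -ErrorAction SilentlyContinue
    }
    ConvertTo-VdcTimeline -Events @($events)
}

# Milestones the guide describes, in the order they should appear.
function Test-VdcRestoreTimeline {
    param([Parameter(Mandatory)][object[]]$Timeline)
    $ids = @($Timeline | ForEach-Object { $_.Id })
    [pscustomobject]@{
        GenerationIdChange = $ids -contains 2170
        RidPoolInvalidated = $ids -contains 16654
        AdReplicationDone  = $ids -contains 2201
        SysvolServiceBack  = $ids -contains 2187
        SysvolInitialised  = ($ids -contains 4604) -or ($ids -contains 13516)
        Duration           = if ($Timeline.Count -gt 0) { $Timeline[-1].Time - $Timeline[0].Time } else { $null }
    }
}

# Constructed sample: a DFSR domain controller restored from a snapshot (timestamps are invented).
$t = Get-Date '2012-02-01 08:00:00'
$sample = @(
    @{ s =  0; Log = 'System';            Id = 1;     Msg = 'The system time has changed.' }
    @{ s =  2; Log = 'Directory Service'; Id = 2170;  Msg = 'A Generation ID change has been detected.' }
    @{ s =  3; Log = 'Directory Service'; Id = 2204;  Msg = 'Change of virtual machine generation ID detected.' }
    @{ s =  4; Log = 'System';            Id = 16654; Msg = 'A pool of account-identifiers (RIDs) has been invalidated.' }
    @{ s =  9; Log = 'Directory Service'; Id = 2201;  Msg = 'Finished replication to bring the domain controller current.' }
    @{ s = 10; Log = 'Directory Service'; Id = 2185;  Msg = 'Stopped the FRS or DFSR service. Service name: DFSR' }
    @{ s = 11; Log = 'System';            Id = 7036;  Msg = 'The DFS Replication service entered the stopped state.' }
    @{ s = 11; Log = 'System';            Id = 7036;  Msg = 'The Windows Update service entered the running state.' }
    @{ s = 12; Log = 'Application';       Id = 103;   Msg = 'DFSRs (1360) dfsr.db: The database engine stopped the instance (0).' }
    @{ s = 13; Log = 'Directory Service'; Id = 2187;  Msg = 'Started the FRS or DFSR service. Service name: DFSR' }
    @{ s = 20; Log = 'DFS Replication';   Id = 4614;  Msg = 'Initialized SYSVOL and is waiting to perform initial replication.' }
    @{ s = 65; Log = 'DFS Replication';   Id = 4604;  Msg = 'Successfully initialized the SYSVOL replicated folder.' }
) | ForEach-Object {
    [pscustomobject]@{ TimeCreated = $t.AddSeconds($_.s); LogName = $_.Log; Id = $_.Id; Message = $_.Msg }
}
$timeline = ConvertTo-VdcTimeline -Events $sample
$timeline | Format-Table -AutoSize
Test-VdcRestoreTimeline -Timeline $timeline
```

On a real domain controller, `Test-VdcRestoreTimeline -Timeline (Get-VdcRestoreTimeline)` gives the same milestone report. The unrelated 7036 for Windows Update in the sample shows why the filter on the service name is needed: the System log records that event for every service, and without it the timeline fills with noise.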

Restoring a Domain Controller that Replicates SYSVOL Using FRS


The File Replication Event log is used instead of the DFSR event log in this case. The Application event log also writes different FRS-related events. Otherwise, the Directory Services and System Event log messages are generally the same and in the same order as previously described.

File Replication Service Event Log


The FRS service is stopped and restarted with a D2 BURFLAGS value to non-authoritatively synchronize SYSVOL.

Event ID: 13502
Source: NTFRS
Message: The File Replication Service is stopping.

Event ID: 13503
Source: NTFRS
Message: The File Replication Service has stopped.

Event ID: 13501
Source: NTFRS
Message: The File Replication Service is starting.

Event ID: 13512
Source: NTFRS
Message: The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer DC4. The File Replication Service might not recover when power to the drive is interrupted and critical updates are lost.

Event ID: 13565
Source: NTFRS
Message: File Replication Service is initializing the system volume with data from another domain controller. Computer DC4 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL. To check for the SYSVOL share, at the command prompt, type: net share When File Replication Service completes the initialization process, the SYSVOL share will appear. The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

Event ID: 13520
Source: NTFRS
Message: The File Replication Service moved the preexisting files in <path> to <path>\NtFrs_PreExisting___See_EventLog. The File Replication Service may delete the files in <path>\NtFrs_PreExisting___See_EventLog at any time. Files can be saved from deletion by copying them out of <path>\NtFrs_PreExisting___See_EventLog. Copying the files into <path> may lead to name conflicts if the files already exist on some other replicating partner. In some cases, the File Replication Service may copy a file from <path>\NtFrs_PreExisting___See_EventLog into <path> instead of replicating the file from some other replicating partner. Space can be recovered at any time by deleting the files in <path>\NtFrs_PreExisting___See_EventLog.

Event ID: 13553
Source: NTFRS
Message: The File Replication Service successfully added this computer to the following replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" Information related to this event is shown below: Computer DNS name is "<domain controller FQDN>" Replica set member name is "<domain controller name>" Replica set root path is "<path>" Replica staging directory path is "<path>" Replica working directory path is "<path>"

Event ID: 13554
Source: NTFRS
Message: The File Replication Service successfully added the connections shown below to the replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" Inbound from "<partner domain controller FQDN>" Outbound to "<partner domain controller FQDN>" More information may appear in subsequent event log messages.

Event ID: 13516
Source: NTFRS
Message: The File Replication Service is no longer preventing the computer DC4 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL. Type "net share" to check for the SYSVOL share.
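Events 2188 and 2190 earlier in this section ask the administrator to "perform a non-authoritative restore manually" when the automatic restart fails; for FRS that is the same D2 BURFLAGS restart the event sequence above shows. The following PowerShell is an added example, not a procedure from this guide: the BurFlags registry location is the documented NtFrs location rather than something this guide states, and the function names are assumptions. It uses the .NET registry API because the key name contains a forward slash, which the PowerShell registry provider treats as a path separator, and it supports -WhatIf and confirmation because it discards this DC's SYSVOL copy in favour of a partner's.

```powershell
# Added example, not part of the guide: manual non-authoritative (D2) SYSVOL restore for FRS,
# the step events 2188/2190 ask for. Registry location is the documented NtFrs BurFlags key
# (an assumption here, not quoted from this guide).
$FrsBurFlagsSubKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$FrsBurFlagsName   = 'BurFlags'
$FrsD2             = 0xD2   # non-authoritative: replace the local SYSVOL replica with a partner's copy

function Get-FrsBurFlags {
    # Current BurFlags value, or 0 when the value (or key) is absent. FRS clears it once consumed.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($FrsBurFlagsSubKey)
    if (-not $key) { return 0 }
    try { [int]$key.GetValue($FrsBurFlagsName, 0) } finally { $key.Close() }
}

function Set-FrsBurFlags {
    param([Parameter(Mandatory)][int]$Value)
    # CreateSubKey opens the key writable and creates it if it is missing.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($FrsBurFlagsSubKey)
    try { $key.SetValue($FrsBurFlagsName, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) } finally { $key.Close() }
}

function Invoke-FrsNonAuthoritativeRestore {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    if (-not (Get-Service -Name NtFrs -ErrorAction SilentlyContinue)) {
        throw 'NtFrs service is not present; this DC replicates SYSVOL with DFSR, not FRS.'
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop NtFrs, set BurFlags=D2, start NtFrs')) {
        Stop-Service -Name NtFrs -Force
        # FRS reads BurFlags at start-up; D2 makes it move the local replica aside (event 13520)
        # and re-initialise SYSVOL from a partner (13565, then 13516 when done).
        Set-FrsBurFlags -Value $FrsD2
        Start-Service -Name NtFrs
    }
    [pscustomobject]@{
        Service        = (Get-Service -Name NtFrs).Status
        BurFlagsNow    = ('0x{0:X}' -f (Get-FrsBurFlags))
        WatchForEvents = 13565, 13520, 13516   # File Replication Service log, in that order
    }
}

# Dry run reports what would be done without touching the DC; drop -WhatIf to perform it.
Invoke-FrsNonAuthoritativeRestore -WhatIf
```

After a real run, BurFlagsNow returns to 0x0 once FRS has consumed the flag, and the File Replication Service log should show 13565 followed, after the initial sync from the partner, by 13516. If 13516 never arrives, the partner named in 13554 is the next place to look.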

Application Event Log

The FRS database stops and starts, and is purged due to the D2 BURFLAGS operation.

Event ID: 327
Source: ESENT
Message: ntfrs (1424) The database engine detached a database (1, c:\windows\ntfrs\jet\ntfrs.jdb). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.516, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.063, [12] 0.000. Revived Cache: 0

Event ID: 103
Source: ESENT
Message: ntfrs (1424) The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.016, [12] 0.000, [13] 0.000, [14] 0.047, [15] 0.000.

Event ID: 102
Source: ESENT
Message: ntfrs (3000) The database engine (6.02.8189.0000) is starting a new instance (0).

Event ID: 105
Source: ESENT
Message: ntfrs (3000) The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.062, [10] 0.000, [11] 0.141.

Event ID: 103
Source: ESENT
Message: ntfrs (3000) The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.015, [14] 0.000, [15] 0.000.

Event ID: 102
Source: ESENT
Message: ntfrs (3000) The database engine (6.02.8189.0000) is starting a new instance (0).

Event ID: 105
Source: ESENT
Message: ntfrs (3000) The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.078, [10] 0.000, [11] 0.109.

Event ID: 325
Source: ESENT
Message: ntfrs (3000) The database engine created a new database (1, c:\windows\ntfrs\jet\ntfrs.jdb). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.016, [4] 0.016, [5] 0.000, [6] 0.015, [7] 0.000, [8] 0.000, [9] 0.078, [10] 0.016, [11] 0.000.

Event ID: 103
Source: ESENT
Message: ntfrs (3000) The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.078, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.125, [10] 0.016, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

Event ID: 102
Source: ESENT
Message: ntfrs (3000) The database engine (6.02.8189.0000) is starting a new instance (0).

Event ID: 105
Source: ESENT
Message: ntfrs (3000) The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.016, [2] 0.000, [3] 0.000, [4] 0.094, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.032, [10] 0.000, [11] 0.000.

Event ID: 326
Source: ESENT
Message: ntfrs (3000) The database engine attached a database (1, c:\windows\ntfrs\jet\ntfrs.jdb). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.000, [4] 0.000, [5] 0.016, [6] 0.015, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000. Saved Cache: 1

Appendices

Terminology

Snapshot: The state of a virtual machine at a particular point in time. It is dependent on the chain of previous snapshots taken, on the hardware, and on the virtualization platform.

Clone: A complete and separate copy of a virtual machine. It is dependent on the virtual hardware (hypervisor).

Full Clone: An independent copy of a virtual machine that shares no resources with the parent virtual machine after the cloning operation. Ongoing operation of a full clone is entirely separate from the parent virtual machine.

Differencing disk: A copy of a virtual machine that shares virtual disks with the parent virtual machine in an ongoing manner. This usually conserves disk space and allows multiple virtual machines to use the same software installation.

VM Copy: A file system copy of all the related files and folders of a virtual machine.

VHD File Copy: A copy of a virtual machine's VHD.

VM-Generation ID: A 128-bit integer given to the virtual machine by the hypervisor. This ID is stored in memory and reset every time a snapshot is applied. The design uses a hypervisor-agnostic mechanism for surfacing the VM-Generation ID in the virtual machine. The Hyper-V implementation exposes the ID in the ACPI table of the virtual machine.

Import/Export: A Hyper-V feature that allows the user to save the entire virtual machine (VM files, VHD and the machine configuration). It then allows users to use that set of files to bring the machine back on the same host as the same VM (Restore), on a different host as the same VM (Move), or as a new VM (Copy).


VDC Cloning Architecture

Figure 58


Overview
AD DS relies on the hypervisor platform to expose an identifier called VM-Generation ID to detect a virtual machine's creation. AD DS initially stores the value of this identifier in its database (NTDS.DIT) during domain controller promotion. When the virtual machine boots up, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values are different, the domain controller resets the invocation ID and discards the RID pool, thereby preventing USN re-use or the potential creation of duplicate security principals. The domain controller then reads the contents of DcCloneConfig.xml, DefaultDCCloneAllowList.xml, and any CustomDCCloneAllowList.xml and begins cloning. The domain controller renames itself and alters its IP information. The server re-promotes itself as a new domain controller using the existing NTDS.DIT and SYSVOL contents as source media. Cloning is complete.
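The decision the NTDS service makes at boot (clone, boot normally, take the safe restore path, or stop in DSRM) depends on a handful of local facts: the stored msDS-GenerationId, whether the hypervisor ID changed, where a DcCloneConfig.xml exists, the VDCisCloning and IsClone registry values, and whether any software outside the allow lists is installed. The following PowerShell is an added example, not code from this guide or from Windows: `Get-VdcCloneState` gathers those facts from a DC (it needs the ActiveDirectory module for two of them, and the `Get-ADDCCloningExcludedApplicationList` cmdlet it calls ships with that module in this release), and `Resolve-VdcCloneDecision` is a pure function that replays the branches of the detailed processing steps in this section against them, so it can be exercised offline on the constructed sample. The function names are assumptions; the registry value names, file names and search locations are those the guide lists. The current hypervisor-supplied VM-Generation ID is not readable from a cmdlet, so whether it changed is passed in as a parameter (compare event 2170 in the Directory Services log).

```powershell
# Added example, not part of the guide: collect the inputs to the cloning decision and replay it.
function Get-VdcCloneState {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $params     = Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue

    # The three places the guide says NTDS looks for DcCloneConfig.xml, in order:
    # DSA Working Directory, %windir%\NTDS, then the root of removable drives by drive letter.
    $candidates = @()
    if ($params.'DSA Working Directory') { $candidates += $params.'DSA Working Directory' }
    $candidates += Join-Path $env:windir 'NTDS'
    $candidates += @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' |
                         Sort-Object DeviceID | ForEach-Object { $_.DeviceID + '\' })
    $configFiles = foreach ($dir in $candidates) {
        $p = Join-Path $dir 'DcCloneConfig.xml'
        if (Test-Path $p) { $p }
    }

    # Software outside DefaultDCCloneAllowList.xml / CustomDCCloneAllowList.xml blocks cloning (step 9).
    $excluded = $null
    if (Get-Command Get-ADDCCloningExcludedApplicationList -ErrorAction SilentlyContinue) {
        $excluded = @(Get-ADDCCloningExcludedApplicationList)
    }

    # msDS-GenerationId is the stored value the guest compares with the hypervisor's VM-Generation ID.
    $genId = $null
    if (Get-Command Get-ADComputer -ErrorAction SilentlyContinue) {
        $bytes = (Get-ADComputer -Identity $ComputerName -Properties 'msDS-GenerationId').'msDS-GenerationId'
        if ($bytes) { $genId = ($bytes | ForEach-Object { '{0:x2}' -f $_ }) -join '' }
    }

    [pscustomobject]@{
        VDCisCloning         = $params.VDCisCloning   # absent = first attempt; 0x1 = retry after a failed clone
        IsClone              = $params.IsClone
        DcCloneConfigFound   = @($configFiles)
        ExcludedApplications = $excluded
        StoredGenerationId   = $genId
    }
}

# Replay the branches of steps 2 and 9 of the detailed processing; step 11's permission check is not modelled.
function Resolve-VdcCloneDecision {
    param(
        [Parameter(Mandatory)]$State,
        [Parameter(Mandatory)][bool]$GenerationIdChanged,        # hypervisor ID differs from the stored one
        [bool]$HypervisorProvidesGenerationId = $true
    )
    $hasConfig = $State.DcCloneConfigFound.Count -gt 0
    if (-not $HypervisorProvidesGenerationId) {                    # step 2c
        if ($hasConfig) { return 'Rename DcCloneConfig.xml and boot into DSRM (no VM-Generation ID to compare)' }
        return 'Boot normally (no VM-Generation ID; duplicate DC possible)'
    }
    if (-not $GenerationIdChanged) {                               # step 2a
        if ($hasConfig) { return 'Rename DcCloneConfig.xml with a time-date stamp and boot normally' }
        return 'Boot normally'
    }
    if (-not $hasConfig) { return 'Safe restore path (snapshot restoration)' }   # step 2b, no config
    if ($State.ExcludedApplications -and $State.ExcludedApplications.Count -gt 0) {   # step 9a
        return 'Cloning fails: software outside the allow lists; boot into DSRM'
    }
    'Clone'                                                        # step 2b with config, step 9b
}

# Constructed sample state: new VM, config file present, nothing outside the allow lists.
$sample = [pscustomobject]@{
    VDCisCloning         = $null
    IsClone              = $null
    DcCloneConfigFound   = @('C:\Windows\NTDS\DcCloneConfig.xml')
    ExcludedApplications = @()
    StoredGenerationId   = '0102030405060708090a0b0c0d0e0f10'
}
Resolve-VdcCloneDecision -State $sample -GenerationIdChanged $true
Resolve-VdcCloneDecision -State $sample -GenerationIdChanged $false
Resolve-VdcCloneDecision -State $sample -GenerationIdChanged $true -HypervisorProvidesGenerationId $false
```

On a domain controller, `Get-VdcCloneState` alone is the useful pre-flight: a DcCloneConfig.xml found on a removable drive you had forgotten, a non-empty ExcludedApplications list, or a lingering VDCisCloning value from an earlier failed attempt each explain a DSRM boot before the Directory Services log is consulted.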

Detailed Processing (using Microsoft Hyper-V)


1. An existing virtual machine domain controller boots up in a hypervisor that supports VMGeneration ID. This VM already has an existing VM Generation-ID set on its AD DS computer object when it was promoted (ex: cn=dc2,ou=domain controllers,dc=corp,dc=contoso,dc=com) as part of the msDS-GenerationID attribute (a binary valued octet string added by the Windows Server "8" Beta Schema version 52). This attribute's value is stored in memory. 2. The virtual machine then reads the VM-Generation ID provided by Hyper-V's VMGenerationCounter driver. It compares the two VM-Generation IDs. a. If the IDs match, this is not a new virtual machine and cloning will not proceed. If a dcloneconfig.xml file exists, the domain controller renames the file with a time-date stamp in order to prevent cloning. The server continues booting normally. This is how every reboot of any virtual domain controller operates in Windows Server "8" Beta. b. If there are two IDs that do not match, this is a new virtual machine that contains an NTDS.DIT from a previous domain controller (or it's a restored snapshot). If a dcloneconfig.xml file exists, the domain controller proceeds with cloning operations. If not, it continues with snapshot restoration operations (see that section of this guide). c. If the hypervisor does not provide a VM-Generation ID for comparison but there is a dccloneconfig.xml file, the guest renames the file and the boots into DSRM to protect the network from a duplicate domain controller. If there is no dccloneconfig.xml file, the guest boots normally (with the potential for a duplicate domain controller on the network). 3. The NTDS service checks the value of the VDCisCloning DWORD registry value name (under HKEY_Local_Machine\System\CurrentControlSet\Services\Ntds\Parameters).

132

2012 Microsoft Corporation. All rights reserved.

Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta

   a. If it does not exist, this is the first attempt at cloning for this virtual machine. The guest implements the VDC object duplication safety measures of invalidating the local RID pool and setting a new replication invocation ID for the domain controller.
   b. If it is already set to 0x1, this is a "retry" cloning attempt, where a previous cloning operation failed. The VDC object duplication safety measures are not taken, because they must already have run once and repeating them would alter the guest unnecessarily.
4. The IsClone DWORD registry value name (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters)
5. The NTDS service changes the guest boot flag to start in DS Restore Mode for any further reboots.
6. The NTDS service attempts to read the DcCloneConfig.xml in one of the three accepted locations (the DSA Working Directory, %windir%\NTDS, or the root of removable read/write media, searched in order of drive letter).
   a. If the file does not exist in any valid location, the guest checks its IP address for duplication. If it is not duplicated, the server boots up normally. If there is a duplicate IP address, the computer boots into DSRM to protect the network from a duplicate domain controller.
   b. If the file does exist in a valid location, the NTDS service validates its settings. If the file is blank (or any particular settings are blank), NTDS uses automatic values for those settings.
More Information: See the previous section, XML Details and Behaviors, for the specific automatic generation rules and network behaviors.

   c. If the DcCloneConfig.xml exists but contains any invalid entries or is unreadable, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller.
7. The guest disables all DNS auto-registration to prevent accidental hijacking of the source computer's name and IP addresses.
8. The guest stops the Netlogon service to prevent any advertising of, or answering of, network AD DS requests from clients.
9. NTDS validates that there are no services or programs installed that are not part of DefaultDCCloneAllowList.xml or CustomDCCloneAllowList.xml.
   a. If there are services or programs installed that are in neither the default allow list nor the custom allow list, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller.
   b. If there are no incompatibilities, cloning continues.

10. If using automatic IP addressing because the dccloneconfig.xml network settings are blank, the guest enables DHCP on the network adapters to obtain an IP address lease, network routing, and name resolution information.
11. The guest locates and contacts the domain controller holding the PDC emulator FSMO role, using DNS and the DC Locator protocol. It makes an RPC connection and calls the method IDL_DRSAddCloneDC to clone the domain controller computer object.
   a. If the guest's source computer object holds the domain head extended permission "Allow a DC to create a clone of itself", cloning proceeds.
   b. If the guest's source computer object does not hold that extended permission, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller.
12. The AD DS computer object is set to match the dccloneconfig.xml (or the automatically generated values) and is created on the PDCE. NTDS creates the correct NTDS Settings object for the appropriate AD logical site. The guest renames the local computer to match the new domain controller object name.
13. The guest provides the promotion settings to the DS Role Server service, which commences promotion.
14. The DS Role Server service stops all of the AD DS-related services (NTDS, NTFRS/DFSR, KDC, DNS).
15. The guest forces NT5DS (Windows NTP) time synchronization with another domain controller (in a default time hierarchy, this means the PDCE). The guest contacts a domain controller that holds the source domain controller account of the clone (likely the PDCE). All existing Kerberos tickets are flushed.
16. The guest configures the DFSR or NTFRS service to start automatically. The guest deletes all existing DFSR and NTFRS database files (default: c:\windows\ntfrs and c:\system volume information\dfsr\<database_GUID>) in order to force non-authoritative synchronization of SYSVOL when the service next starts. The guest does not delete the file contents of SYSVOL, so that SYSVOL is pre-seeded when synchronization starts later.
17. The DS Role Server service on the guest begins AD DS configuration (promotion), using the existing NTDS.DIT database file as a source rather than the template database included in c:\windows\system32, as a normal promotion does.
18. The guest contacts the RID Master FSMO role holder to get a new RID pool allocation.

19. The promotion process creates a new invocation ID and recreates the NTDS Settings object for the cloned domain controller (irrespective of cloning, this is part of domain promotion when using an existing NTDS.DIT database).
20. NTDS replicates inbound the objects that are missing, newer, or of a higher version from a partner domain controller. The NTDS.DIT already contains objects from the time the source domain controller went offline, and those are used where possible in order to minimize inbound replication traffic. The global catalog partitions are populated.
21. The DFSR or FRS service starts and, because there is no database, SYSVOL synchronizes inbound non-authoritatively from a replication partner. This process re-uses pre-existing data in the SYSVOL folder in order to minimize network replication traffic.
22. The guest re-enables DNS client registration now that the computer is uniquely named and networked.
23. The guest runs the SYSPREP modules specified by the DefaultDCCloneAllowList.xml <sysprepInformation> element in order to scrub out references to the previous computer name and SID.
24. Cloning promotion is complete.
   a. The guest removes the DSRM boot flag so the next reboot will be normal.
   b. The guest renames the dccloneconfig.xml with an appended date-time stamp, so that it is not read again at the next boot.
   c. The guest removes the VDCisCloning DWORD registry value name (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters).
   d. The guest sets the "Vdc cloning done" DWORD registry value name (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters) to 0x1. Windows does not use this value; it is provided as a marker for third parties.
25. The guest updates the msDS-GenerationID attribute on its own cloned domain controller object to match the current guest VM-Generation ID.
26. The guest restarts. It is now a normal, advertising domain controller.
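The following PowerShell script is an added example and is not part of the UTG. It gathers, on a virtual domain controller, the state the process above leaves behind: the VDCisCloning and "Vdc cloning done" registry markers from steps 3 and 24, any dccloneconfig.xml (or date-time-stamped renamed copy) in the three accepted locations from step 6, and whether the DC's computer object can pass the step 11a permission check. The 'dccloneconfig*.xml' filename pattern used to catch renamed copies and the membership check against the Cloneable Domain Controllers group are assumptions; the extended-right GUID is the one used by FixVDCPermissions.ps1 later in this guide.

```powershell
# Added example (not part of the UTG): inspect a virtual DC's cloning state.
# Run in an elevated PowerShell console on the DC being checked.
Import-Module ActiveDirectory

$NtdsParams     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$CloneRightGuid = [guid]'3e0f7e18-2c7a-4c10-ba82-4d926db99a3e'   # DS-Clone-Domain-Controller

function Get-VdcCloneMarkers {
    # Registry markers written during cloning (steps 3 and 24).
    $p = Get-ItemProperty -Path $NtdsParams
    [pscustomobject]@{
        VDCisCloning   = $p.VDCisCloning          # present while a clone attempt is in progress; 1 = retry
        VdcCloningDone = $p.'Vdc cloning done'    # 1 = a previous clone completed (marker for third parties)
        DsaWorkingDir  = $p.'DSA Working Directory'
    }
}

function Get-DcCloneConfigCandidates {
    # The three accepted locations from step 6: DSA working directory, %windir%\NTDS,
    # and the root of every removable read/write drive, in drive-letter order.
    $dirs = @((Get-ItemProperty -Path $NtdsParams).'DSA Working Directory', "$env:windir\NTDS")
    $dirs += Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' |
             Sort-Object DeviceID | ForEach-Object { $_.DeviceID + '\' }
    foreach ($dir in ($dirs | Select-Object -Unique)) {
        # 'dccloneconfig*.xml' (an assumption) also catches copies renamed with a date-time stamp
        Get-ChildItem -Path $dir -Filter 'dccloneconfig*.xml' -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Test-VdcClonePermission {
    # Step 11a: the source DC's computer object must hold the domain-head extended right
    # 'Allow a DC to create a clone of itself'. FixVDCPermissions.ps1 grants it to the
    # Cloneable Domain Controllers group, so membership in that group is reported as well.
    param([string]$DcName = $env:COMPUTERNAME)
    $domain   = Get-ADDomain
    $computer = Get-ADComputer -Identity $DcName -Properties MemberOf, 'msDS-GenerationId'
    $cdcGroup = Get-ADGroup -Identity 'Cloneable Domain Controllers'
    $acl      = Get-Acl -Path ('AD:\' + $domain.DistinguishedName)
    $extRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $grants   = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $CloneRightGuid -and
        (([int]$_.ActiveDirectoryRights -band $extRight) -ne 0)
    }
    [pscustomobject]@{
        DC                  = $DcName
        HasGenerationId     = [bool]$computer.'msDS-GenerationId'   # set only on a Gen-ID-aware hypervisor
        InCloneableDCs      = ($computer.MemberOf -contains $cdcGroup.DistinguishedName)
        CloneRightGrantedTo = (($grants | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
    }
}

Get-VdcCloneMarkers
Get-DcCloneConfigCandidates
Test-VdcClonePermission
```

If VDCisCloning is present and set to 1 on a DC that is not in the middle of a clone, a previous attempt failed; look for a renamed dccloneconfig file and the DSRM boot flag (step 5) before starting another attempt.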

VDC Safe Restore Architecture

Figure 59

Overview
AD DS relies on the hypervisor platform to expose an identifier called VM-Generation ID to detect a virtual machine's restoration from a previous snapshot. AD DS initially stores the value of this identifier in its database (NTDS.DIT) during domain controller promotion. When an administrator restores the virtual machine from a previous snapshot, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values are different, the domain controller resets the invocation ID and discards the RID pool, thereby preventing USN re-use or the potential creation of duplicate security principals. The domain controller then synchronizes AD object differences with a partner. It also non-authoritatively synchronizes the SYSVOL folder. Safe restoration is complete.

Detailed Processing (using Microsoft Hyper-V)


1. An administrator restores an existing virtual machine domain controller from a snapshot in a hypervisor that supports VM-Generation ID. This VM already has an existing VM-Generation ID set on its AD DS computer object from when it was promoted (for example, cn=dc2,ou=domain controllers,dc=corp,dc=contoso,dc=com) as part of the msDS-GenerationID attribute (a binary-valued octet string added by the Windows Server "8" Beta schema, version 52). This attribute's value is stored in memory.
2. The virtual machine then reads the VM-Generation ID provided by Hyper-V's VMGenerationCounter driver and compares the VM-Generation IDs from steps 1 and 2.
   a. If the two IDs do not match, it continues with the snapshot restoration operations that follow. After the snapshot finishes applying, the VM-Generation ID set on its AD DS computer object is updated to match the new ID provided by the hypervisor host.
   b. If the hypervisor does not provide a VM-Generation ID for comparison, the hypervisor does not support safe restore and the guest operates like a Windows Server 2008 R2 or older virtualized domain controller. The guest implements USN rollback protection (quarantining) if there is an attempt to start replicating with USNs that have not advanced past the partner DC's last highest seen USN.
More Information: For more information about this topic, see USN and USN Rollback http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx#usn_and_usn_rollback

3. The guest implements the VDC AD object synchronization operations of:
   a. Invalidating the local RID pool.
   b. Setting a new invocation ID for the domain controller database.
4. NTDS replicates AD object differences inbound non-authoritatively from a partner domain controller. The domain controller requests changes starting at a USN that precedes the USN at which the local directory service was restored. The up-to-dateness vector of the destination directory service is changed appropriately.
5. The guest synchronizes SYSVOL:
   a. If using FRS, the guest stops the NTFRS service and sets the D2 BurFlags registry value. It then starts the NTFRS service, which replicates inbound non-authoritatively, re-using existing unchanged SYSVOL data when possible.
   b. If using DFSR, the guest stops the DFSR service and deletes the DFSR database files (default location: c:\system volume information\dfsr\<database GUID>). It then starts the DFSR service, which replicates inbound non-authoritatively, re-using existing unchanged SYSVOL data when possible.

6. The guest updates the msDS-GenerationID attribute on its own domain controller object to match the current guest VM-Generation ID.
7. Safe snapshot restore completes.
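The following PowerShell script is an added example and is not part of the UTG. It shows the evidence the safe-restore process leaves in the directory: each DC's stored msDS-GenerationID (formatted as hex, without assuming its length), the invocation ID on its NTDS Settings object, and the RID pool recorded on its RID Set object. Capture the output before a snapshot restore and again after it: for a Generation-ID-aware guest the invocation ID and the RID pool should both change (steps 3 and 6), while a DC with no msDS-GenerationID at all is running without this protection and relies on USN rollback quarantine alone. The RID Set attributes used here (rIDSetReferences, rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID) are standard AD attributes that this page does not describe; the before/after comparison function is the example's own addition.

```powershell
# Added example (not part of the UTG): generation-ID, invocation-ID and RID-pool
# evidence for every DC in the domain. Requires the Active Directory module.
Import-Module ActiveDirectory

function ConvertTo-HexString {
    param([byte[]]$Bytes)
    if (-not $Bytes) { return $null }
    return (($Bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function ConvertFrom-RidPool {
    # A RID pool is a 64-bit value: low 32 bits = first RID, high 32 bits = last RID.
    param([int64]$Pool)
    if ($Pool -eq 0) { return $null }
    return ('{0}-{1}' -f ($Pool -band 0xFFFFFFFF), ($Pool -shr 32))
}

function Get-DcGenerationState {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $Domain `
                        -Properties 'msDS-GenerationId', rIDSetReferences
        $ntds     = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $Domain -Properties invocationId
        $current = $null; $previous = $null; $nextRid = $null
        if ($computer.rIDSetReferences) {
            $ridSet   = Get-ADObject -Identity $computer.rIDSetReferences -Server $Domain `
                            -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
            $current  = ConvertFrom-RidPool $ridSet.rIDAllocationPool
            $previous = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool
            $nextRid  = $ridSet.rIDNextRID
        }
        [pscustomobject]@{
            DC                = $dc.HostName
            Site              = $dc.Site
            GenerationIdAware = [bool]$computer.'msDS-GenerationId'   # absent = no Gen-ID support on this host
            GenerationId      = ConvertTo-HexString $computer.'msDS-GenerationId'
            InvocationId      = New-Object System.Guid -ArgumentList (,[byte[]]$ntds.invocationId)
            CurrentRidPool    = $current
            PreviousRidPool   = $previous
            NextRid           = $nextRid
        }
    }
}

function Compare-DcGenerationState {
    # Pair up two captures (before and after a restore) and report what changed per DC.
    param($Before, $After)
    foreach ($b in $Before) {
        $a = $After | Where-Object { $_.DC -eq $b.DC }
        if (-not $a) { continue }
        [pscustomobject]@{
            DC                  = $b.DC
            GenerationIdChanged = ($a.GenerationId -ne $b.GenerationId)
            InvocationIdChanged = ($a.InvocationId -ne $b.InvocationId)
            RidPoolChanged      = ($a.CurrentRidPool -ne $b.CurrentRidPool)
        }
    }
}

# Usage: $before = Get-DcGenerationState; (restore the snapshot); $after = Get-DcGenerationState
#        Compare-DcGenerationState -Before $before -After $after | Format-Table -AutoSize
Get-DcGenerationState | Format-Table -AutoSize
```

A restored DC that reports GenerationIdChanged = True but InvocationIdChanged = False has not completed safe restore and should be kept isolated until the Directory Service event log explains why.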

FixVDCPermissions.ps1
# Unsigned script, requires use of set-executionpolicy remotesigned -force
# You must run the Windows PowerShell console as an elevated administrator
# Load Active Directory Windows PowerShell Module and switch to AD DS drive
import-module activedirectory
cd ad:
## Get Domain NC
$domainNC = get-addomain
## Get groups and obtain their SIDs
$dcgroup = get-adgroup "Cloneable Domain Controllers"
$sid1 = (get-adgroup $dcgroup).sid
## Get the DACL of the domain
$acl = get-acl $domainNC
## The following object-specific ACE grants the extended right 'Allow a DC to create a clone of itself' for the CDC group on the Domain NC
## 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e is the rightsGuid of the 'DS-Clone-Domain-Controller' control access right
$objectguid = new-object Guid 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid1,"ExtendedRight","Allow",$objectguid
## Add the ACE to the ACL and set the ACL on the object
$acl.AddAccessRule($ace1)
set-acl -aclobject $acl $domainNC
write-host "Done writing new VDC permissions."
cd c:

The DCCloneConfigSchema.XSD
<?xml version="1.0" encoding="utf-8"?>
<xs:schema elementFormDefault="unqualified"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="uri:microsoft.com:schemas:DCCloneConfig">
  <xs:element name="DCCloneConfig">
    <xs:complexType>
      <xs:all>
        <!-- if no SiteName is specified clone will be created in the same site as source-->
        <xs:element name="SiteName" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <!-- if no ComputerName is specified a pseudo-random name will be generated -->
        <xs:element name="ComputerName" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="IPSettings" minOccurs="0" maxOccurs="1">
          <xs:complexType>
            <xs:all>
              <xs:element name="IPv4Settings" minOccurs="0" maxOccurs="1">
                <xs:complexType>
                  <xs:choice minOccurs="1" maxOccurs="1">
                    <xs:element name="StaticSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="Address" minOccurs="1" maxOccurs="1" type="xs:string" />
                          <xs:element name="SubnetMask" minOccurs="1" maxOccurs="1" type="xs:string" />
                          <xs:element name="DefaultGateway" minOccurs="0" maxOccurs="1" type="xs:string" />
                          <xs:element name="DNSResolver" minOccurs="1" maxOccurs="4" type="xs:string" />
                          <xs:element name="PreferredWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                          <xs:element name="AlternateWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element> <!--End of IPV4 StaticSettings element-->
                    <xs:element name="DynamicSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="DNSResolver" minOccurs="0" maxOccurs="4" type="xs:string" />
                          <xs:element name="PreferredWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                          <xs:element name="AlternateWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element> <!--End of IPV4 DynamicSettings element-->
                  </xs:choice> <!--End of Static / Dynamic IPV4 choice-->
                </xs:complexType>
              </xs:element> <!--End of IPV4NetworkConfig element-->
              <xs:element name="IPv6Settings" minOccurs="0" maxOccurs="1">
                <xs:complexType>
                  <xs:choice minOccurs="1" maxOccurs="1">
                    <xs:element name="StaticSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="DNSResolver" minOccurs="1" maxOccurs="4" type="xs:string" />
                        </xs:sequence>
                        <xs:attribute name="Reserved" type="xs:string" />
                      </xs:complexType>
                    </xs:element> <!--End of IPV6 StaticSettings element-->
                    <xs:element name="DynamicSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="DNSResolver" minOccurs="0" maxOccurs="4" type="xs:string" />
                        </xs:sequence>
                        <xs:attribute name="Reserved" type="xs:string" />
                      </xs:complexType>
                    </xs:element> <!--End of IPV6 DynamicSettings element-->
                  </xs:choice>
                </xs:complexType>
              </xs:element> <!--End of IPV6Settings element-->
            </xs:all>
          </xs:complexType>
        </xs:element> <!--End of IPSettings element-->
      </xs:all>
    </xs:complexType>
  </xs:element>
</xs:schema>

The SampleDCCloneConfig.XML
<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
  <ComputerName></ComputerName>
  <SiteName></SiteName>
  <IPSettings>
    <IPv4Settings>
      <StaticSettings>
        <Address></Address>
        <SubnetMask></SubnetMask>
        <DefaultGateway></DefaultGateway>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <PreferredWINSServer></PreferredWINSServer>
        <AlternateWINSServer></AlternateWINSServer>
      </StaticSettings>
    </IPv4Settings>
    <IPv6Settings>
      <StaticSettings>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
      </StaticSettings>
    </IPv6Settings>
  </IPSettings>
</d3c:DCCloneConfig>
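The following PowerShell script is an added example and is not part of the UTG. It validates a DcCloneConfig.xml against the DCCloneConfigSchema.xsd printed above using the .NET XmlReader schema validator, so that a file with invalid entries is caught before it is placed in the DSA working directory (step 6c of the cloning process would otherwise send the clone into DSRM). The XSD path, the two constructed sample files, and the names and addresses in them are assumptions.

```powershell
# Added example (not part of the UTG): validate a DcCloneConfig.xml against
# DCCloneConfigSchema.xsd before placing it on the source DC.
function Test-DcCloneConfig {
    param(
        [Parameter(Mandatory = $true)][string]$XmlPath,
        [Parameter(Mandatory = $true)][string]$XsdPath   # the schema printed above, saved locally
    )
    $problems = New-Object System.Collections.ArrayList
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.ValidationType = [System.Xml.ValidationType]::Schema
    [void]$settings.Schemas.Add('uri:microsoft.com:schemas:DCCloneConfig', $XsdPath)
    # Every schema violation is reported through this handler instead of stopping the read.
    $settings.add_ValidationEventHandler({
        param($sender, $e)
        [void]$problems.Add(('{0} (line {1}): {2}' -f $e.Severity, $e.Exception.LineNumber, $e.Message))
    })
    $reader = [System.Xml.XmlReader]::Create($XmlPath, $settings)
    try     { while ($reader.Read()) { } }           # validation happens as the reader advances
    catch   { [void]$problems.Add("Error: $($_.Exception.Message)") }   # not well-formed XML
    finally { $reader.Close() }
    [pscustomobject]@{
        File     = $XmlPath
        Valid    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed sample 1: a complete static IPv4 configuration for a clone named DC3.
$goodXml = @'
<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
  <ComputerName>DC3</ComputerName>
  <SiteName>Charlotte</SiteName>
  <IPSettings>
    <IPv4Settings>
      <StaticSettings>
        <Address>10.0.0.23</Address>
        <SubnetMask>255.255.255.0</SubnetMask>
        <DefaultGateway>10.0.0.1</DefaultGateway>
        <DNSResolver>10.0.0.21</DNSResolver>
        <DNSResolver>10.0.0.22</DNSResolver>
      </StaticSettings>
    </IPv4Settings>
  </IPSettings>
</d3c:DCCloneConfig>
'@

# Constructed sample 2: StaticSettings without the mandatory SubnetMask (schema violation).
$badXml = @'
<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
  <IPSettings>
    <IPv4Settings>
      <StaticSettings>
        <Address>10.0.0.24</Address>
        <DNSResolver>10.0.0.21</DNSResolver>
      </StaticSettings>
    </IPv4Settings>
  </IPSettings>
</d3c:DCCloneConfig>
'@

$xsdPath = 'C:\Scripts\DCCloneConfigSchema.xsd'            # assumed location of the saved XSD
$good = Join-Path $env:TEMP 'dccloneconfig.xml'
$bad  = Join-Path $env:TEMP 'dccloneconfig-bad.xml'
Set-Content -Path $good -Value $goodXml -Encoding UTF8
Set-Content -Path $bad  -Value $badXml  -Encoding UTF8

Test-DcCloneConfig -XmlPath $good -XsdPath $xsdPath | Format-List   # expected: Valid = True
Test-DcCloneConfig -XmlPath $bad  -XsdPath $xsdPath | Format-List   # expected: Valid = False, one problem
```

Schema validation only proves the file is structurally acceptable; whether the address, subnet and site actually exist is checked by the clone itself at steps 10 to 12, so a file that passes here can still fail there.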

The DefaultDCCloneAllowList.XML
<DefaultCloneConfig>
  <AllowList>
    <!-- Service types -->
    <Allow><Name>ADWS</Name><Type>Service</Type></Allow>
    <Allow><Name>AeLookupSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>ALG</Name><Type>Service</Type></Allow>
    <Allow><Name>AllUserInstallAgent</Name><Type>Service</Type></Allow>
    <Allow><Name>AppIDSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Appinfo</Name><Type>Service</Type></Allow>
    <Allow><Name>AppMgmt</Name><Type>Service</Type></Allow>
    <Allow><Name>AudioEndpointBuilder</Name><Type>Service</Type></Allow>
    <Allow><Name>Audiosrv</Name><Type>Service</Type></Allow>
    <Allow><Name>AxInstSV</Name><Type>Service</Type></Allow>
    <Allow><Name>BFE</Name><Type>Service</Type></Allow>
    <Allow><Name>BITS</Name><Type>Service</Type></Allow>
    <Allow><Name>BrokerInfrastructure</Name><Type>Service</Type></Allow>
    <Allow><Name>Browser</Name><Type>Service</Type></Allow>
    <Allow><Name>CertPropSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>COMSysApp</Name><Type>Service</Type></Allow>
    <Allow><Name>CryptSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>CscService</Name><Type>Service</Type></Allow>
    <Allow><Name>DcomLaunch</Name><Type>Service</Type></Allow>
    <Allow><Name>defragsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>DeviceAssociationService</Name><Type>Service</Type></Allow>
    <Allow><Name>DeviceInstall</Name><Type>Service</Type></Allow>
    <Allow><Name>Dfs</Name><Type>Service</Type></Allow>
    <Allow><Name>DFSR</Name><Type>Service</Type></Allow>
    <Allow><Name>Dhcp</Name><Type>Service</Type></Allow>
    <Allow><Name>DNS</Name><Type>Service</Type></Allow>
    <Allow><Name>Dnscache</Name><Type>Service</Type></Allow>
    <Allow><Name>dot3svc</Name><Type>Service</Type></Allow>
    <Allow><Name>DPS</Name><Type>Service</Type></Allow>
    <Allow><Name>DsmSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>DsRoleSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Eaphost</Name><Type>Service</Type></Allow>
    <Allow><Name>EFS</Name><Type>Service</Type></Allow>
    <Allow><Name>EventLog</Name><Type>Service</Type></Allow>
    <Allow><Name>EventSystem</Name><Type>Service</Type></Allow>
    <Allow><Name>FCRegSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>fdPHost</Name><Type>Service</Type></Allow>
    <Allow><Name>FDResPub</Name><Type>Service</Type></Allow>
    <Allow><Name>FontCache</Name><Type>Service</Type></Allow>
    <Allow><Name>FontCache3.0.0.0</Name><Type>Service</Type></Allow>
    <Allow><Name>gpsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>hidserv</Name><Type>Service</Type></Allow>
    <Allow><Name>hkmsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>idsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>IKEEXT</Name><Type>Service</Type></Allow>
    <Allow><Name>IPBusEnum</Name><Type>Service</Type></Allow>
    <Allow><Name>iphlpsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>IsmServ</Name><Type>Service</Type></Allow>
    <Allow><Name>Kdc</Name><Type>Service</Type></Allow>
    <Allow><Name>KdsSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>KeyIso</Name><Type>Service</Type></Allow>
    <Allow><Name>KPSSVC</Name><Type>Service</Type></Allow>
    <Allow><Name>KtmRm</Name><Type>Service</Type></Allow>
    <Allow><Name>LanmanServer</Name><Type>Service</Type></Allow>
    <Allow><Name>LanmanWorkstation</Name><Type>Service</Type></Allow>
    <Allow><Name>lltdsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>lmhosts</Name><Type>Service</Type></Allow>
    <Allow><Name>LSM</Name><Type>Service</Type></Allow>
    <Allow><Name>MMCSS</Name><Type>Service</Type></Allow>
    <Allow><Name>MpsSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>MSDT​C</Name><Type>Service</Type></Allow>
    <Allow><Name>MSiSCSI</Name><Type>Service</Type></Allow>
    <Allow><Name>msiserver</Name><Type>Service</Type></Allow>
    <Allow><Name>napagent</Name><Type>Service</Type></Allow>
    <Allow><Name>NcaSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Netlogon</Name><Type>Service</Type></Allow>
    <Allow><Name>Netman</Name><Type>Service</Type></Allow>
    <Allow><Name>netprofm</Name><Type>Service</Type></Allow>
    <Allow><Name>NetTcpPortSharing</Name><Type>Service</Type></Allow>
    <Allow><Name>NlaSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>nsi</Name><Type>Service</Type></Allow>
    <Allow><Name>NTDS</Name><Type>Service</Type></Allow>
    <Allow><Name>NtFrs</Name><Type>Service</Type></Allow>
    <Allow><Name>PerfHost</Name><Type>Service</Type></Allow>
    <Allow><Name>pla</Name><Type>Service</Type></Allow>
    <Allow><Name>PlugPlay</Name><Type>Service</Type></Allow>
    <Allow><Name>PolicyAgent</Name><Type>Service</Type></Allow>
    <Allow><Name>Power</Name><Type>Service</Type></Allow>
    <Allow><Name>PrintService</Name><Type>Service</Type></Allow>
    <Allow><Name>ProfSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>RasAuto</Name><Type>Service</Type></Allow>
    <Allow><Name>RasMan</Name><Type>Service</Type></Allow>
    <Allow><Name>RemoteAccess</Name><Type>Service</Type></Allow>
    <Allow><Name>RemoteRegistry</Name><Type>Service</Type></Allow>
    <Allow><Name>RpcEptMapper</Name><Type>Service</Type></Allow>
    <Allow><Name>RpcLocator</Name><Type>Service</Type></Allow>
    <Allow><Name>RpcSs</Name><Type>Service</Type></Allow>
    <Allow><Name>RSoPProv</Name><Type>Service</Type></Allow>
    <Allow><Name>sacsvr</Name><Type>Service</Type></Allow>
    <Allow><Name>SamSs</Name><Type>Service</Type></Allow>
    <Allow><Name>SCardSvr</Name><Type>Service</Type></Allow>
    <Allow><Name>Schedule</Name><Type>Service</Type></Allow>
    <Allow><Name>SCPolicySvc</Name><Type>Service</Type></Allow>
    <Allow><Name>seclogon</Name><Type>Service</Type></Allow>
    <Allow><Name>SENS</Name><Type>Service</Type></Allow>
    <Allow><Name>SessionEnv</Name><Type>Service</Type></Allow>
    <Allow><Name>SharedAccess</Name><Type>Service</Type></Allow>
    <Allow><Name>ShellHWDetection</Name><Type>Service</Type></Allow>
    <Allow><Name>SidKeySvc</Name><Type>Service</Type></Allow>
    <Allow><Name>SNMPTRAP</Name><Type>Service</Type></Allow>
    <Allow><Name>Spooler</Name><Type>Service</Type></Allow>
    <Allow><Name>sppsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>SSDPSRV</Name><Type>Service</Type></Allow>
    <Allow><Name>SstpSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>stisvc</Name><Type>Service</Type></Allow>
    <Allow><Name>svsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>swprv</Name><Type>Service</Type></Allow>
    <Allow><Name>SysMain</Name><Type>Service</Type></Allow>
    <Allow><Name>SystemEventsBroker</Name><Type>Service</Type></Allow>
    <Allow><Name>TabletInputService</Name><Type>Service</Type></Allow>
    <Allow><Name>TapiSrv</Name><Type>Service</Type></Allow>
    <Allow><Name>TermService</Name><Type>Service</Type></Allow>
    <Allow><Name>Themes</Name><Type>Service</Type></Allow>
    <Allow><Name>THREADORDER</Name><Type>Service</Type></Allow>
    <Allow><Name>TimeBroker</Name><Type>Service</Type></Allow>
    <Allow><Name>TrkWks</Name><Type>Service</Type></Allow>
    <Allow><Name>TrustedInstaller</Name><Type>Service</Type></Allow>
    <Allow><Name>UALSVC</Name><Type>Service</Type></Allow>
    <Allow><Name>UI0Detect</Name><Type>Service</Type></Allow>
    <Allow><Name>UmRdpService</Name><Type>Service</Type></Allow>
    <Allow><Name>upnphost</Name><Type>Service</Type></Allow>
    <Allow><Name>VaultSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>vds</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicheartbeat</Name><Type>Service</Type></Allow>
    <Allow><Name>vmickvpexchange</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicrdv</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicshutdown</Name><Type>Service</Type></Allow>
    <Allow><Name>vmictimesync</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicvss</Name><Type>Service</Type></Allow>
    <Allow><Name>VSS</Name><Type>Service</Type></Allow>
    <Allow><Name>W32Time</Name><Type>Service</Type></Allow>
    <Allow><Name>WbioSrvc</Name><Type>Service</Type></Allow>
    <Allow><Name>WcsPlugInService</Name><Type>Service</Type></Allow>
    <Allow><Name>WdiServiceHost</Name><Type>Service</Type></Allow>
    <Allow><Name>WdiSystemHost</Name><Type>Service</Type></Allow>
    <Allow><Name>WebClient</Name><Type>Service</Type></Allow>
    <Allow><Name>Wecsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>wercplsupport</Name><Type>Service</Type></Allow>
    <Allow><Name>WerSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>WiaRpc</Name><Type>Service</Type></Allow>
    <Allow><Name>WinHttpAutoProxySvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Winmgmt</Name><Type>Service</Type></Allow>
    <Allow><Name>WinRM</Name><Type>Service</Type></Allow>
    <Allow><Name>wmiApSrv</Name><Type>Service</Type></Allow>
    <Allow><Name>WPDBusEnum</Name><Type>Service</Type></Allow>
    <Allow><Name>WSService</Name><Type>Service</Type></Allow>
    <Allow><Name>wuauserv</Name><Type>Service</Type></Allow>
    <Allow><Name>wudfsvc</Name><Type>Service</Type></Allow>
  </AllowList>
  <sysprepInformation>
    <imaging>
      <sysprepModule methodName="CAPISysPrep_Generalize" moduleName="$(runtime.windows)\system32\capisp.dll" />
      <sysprepModule methodName="DhcpClient_Generalize" moduleName="$(runtime.system32)\dhcpcsvc.dll" />
      <sysprepModule methodName="RdpSysPrepGeneralize" moduleName="$(runtime.system32)\setup\tssysprep.dll" />
      <!--sysprepModule methodName="CryptoSysPrep_Specialize" moduleName="$(runtime.windows)\system32\capisp.dll" /-->
      <sysprepModule methodName="RdpSysPrepRestore" moduleName="$(runtime.system32)\setup\tssysprep.dll" />
      <sysprepModule methodName="RacSysprepSpecialize" moduleName="RacEngn.dll" />
      <sysprepModule methodName="WerSysprepCleanup" moduleName="wer.dll" />
      <sysprepModule methodName="SqmSysprepGeneralize" moduleName="sqmapi.dll" />
      <sysprepModule methodName="SqmSysprepSpecialize" moduleName="sqmapi.dll" />
      <sysprepModule methodName="GeneralizeForImaging" moduleName="$(runtime.system32)\wuaueng.dll" />
      <sysprepModule methodName="SLReArmWindows" moduleName="$(runtime.system32)\slc.dll" />
    </imaging>
  </sysprepInformation>
</DefaultCloneConfig>

Note:

The DefaultDCCloneAllowList also contains the SYSPREP modules called during cloning. These "mini-sysprep" steps are performed to ensure the cloned domain controller is unique in the important aspects.
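The following PowerShell script is an added example and is not part of the UTG. It reproduces the step 9 allow-list check for services: every installed service whose name appears in neither DefaultDCCloneAllowList.xml nor CustomDCCloneAllowList.xml is listed, because any such service makes cloning fail and boots the clone into DSRM. It also writes a CustomDCCloneAllowList.xml for services that have been reviewed. The custom list is assumed to use the same <AllowList>/<Allow> structure as the default file and to live in %windir%\NTDS; both are assumptions, as is the service name in the usage line. The "programs" part of step 9 is not covered.

```powershell
# Added example (not part of the UTG): which installed services would block cloning?
function Get-CloneAllowedNames {
    # Collect <Allow><Name> entries from every allow list that exists.
    param([string[]]$AllowListPaths)
    $names = @()
    foreach ($path in $AllowListPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load((Resolve-Path -Path $path).Path)
        $names += $doc.SelectNodes('//AllowList/Allow/Name') | ForEach-Object { $_.InnerText }
    }
    return $names
}

function Get-CloneBlockingServices {
    param(
        [string]$DefaultList = "$env:windir\System32\DefaultDCCloneAllowList.xml",
        [string]$CustomList  = "$env:windir\NTDS\CustomDCCloneAllowList.xml"   # assumed location
    )
    $allowed = Get-CloneAllowedNames -AllowListPaths $DefaultList, $CustomList
    # Win32_Service covers user-mode services only; -notcontains is case-insensitive.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $allowed -notcontains $_.Name } |
        Select-Object Name, DisplayName, StartMode, State, PathName |
        Sort-Object Name
}

function New-CustomCloneAllowList {
    # Write a CustomDCCloneAllowList.xml for services you have reviewed and judged
    # clone-safe (nothing tied to the source machine's SID, certificates or licence).
    param(
        [Parameter(Mandatory = $true)][string[]]$ServiceNames,
        [Parameter(Mandatory = $true)][string]$OutPath
    )
    $doc  = New-Object System.Xml.XmlDocument
    [void]$doc.AppendChild($doc.CreateXmlDeclaration('1.0', 'utf-8', $null))
    $root = $doc.AppendChild($doc.CreateElement('AllowList'))
    foreach ($name in $ServiceNames) {
        $allow = $root.AppendChild($doc.CreateElement('Allow'))
        $n = $allow.AppendChild($doc.CreateElement('Name')); $n.InnerText = $name
        $t = $allow.AppendChild($doc.CreateElement('Type')); $t.InnerText = 'Service'
    }
    $doc.Save($OutPath)
}

# Usage (the service name is a placeholder for a reviewed third-party agent):
#   Get-CloneBlockingServices | Format-Table -AutoSize
#   New-CustomCloneAllowList -ServiceNames 'ContosoMonitorAgent' -OutPath "$env:windir\NTDS\CustomDCCloneAllowList.xml"
Get-CloneBlockingServices | Format-Table -AutoSize
```

The allow list is the only gate between a source DC and a clone that silently carries machine-specific secrets, so a service should go into the custom list only after someone has confirmed it keeps no such state; adding it merely to make cloning succeed defeats the check.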

List of default compatible cloning components


The following services support cloning and are included in the c:\windows\system32\DefaultDCCloneAllowList.XML allow list.
Name                       Type      Caption (aka "friendly name")
ADWS                       Service   Active Directory Web Services
AeLookupSvc                Service   Application Experience
ALG                        Service   Application Layer Gateway Service
AllUserInstallAgent        Service   Windows All-User Install Agent
AppIDSvc                   Service   Application Identity
Appinfo                    Service   Application Information
AppMgmt                    Service   Application Management
AudioEndpointBuilder       Service   Windows Audio Endpoint Builder
Audiosrv                   Service   Windows Audio
AxInstSV                   Service
BFE                        Service   Base Filtering Engine
BITS                       Service   Background Intelligent Transfer Service
BrokerInfrastructure       Service   Broker Infrastructure
Browser                    Service   Computer Browser
CertPropSvc                Service   Certificate Propagation
COMSysApp                  Service   COM+ System Application
CryptSvc                   Service   Cryptographic Services
CscService                 Service
DcomLaunch                 Service   DCOM Server Process Launcher
defragsvc                  Service   Optimize drives
DeviceAssociationService   Service   Device Association Service
DeviceInstall              Service   Device Install Service
Dfs                        Service   DFS Namespace
DFSR                       Service   DFS Replication
Dhcp                       Service   DHCP Client
DNS                        Service   DNS Server
Dnscache                   Service   DNS Client
dot3svc                    Service   Wired AutoConfig
DPS                        Service   Diagnostic Policy Service
DsmSvc                     Service   Device Setup Manager
DsRoleSvc                  Service   DS Role Server
Eaphost                    Service   Extensible Authentication Protocol
EFS                        Service   Encrypting File System (EFS)
EventLog                   Service   Windows Event Log
EventSystem                Service   COM+ Event System
FCRegSvc                   Service
fdPHost                    Service   Function Discovery Provider Host
FDResPub                   Service   Function Discovery Resource Publication
FontCache                  Service   Windows Font Cache Service
FontCache3.0.0.0           Service
gpsvc                      Service   Group Policy Client
hidserv                    Service   Human Interface Device Access
hkmsvc                     Service   Health Key and Certificate Management
idsvc                      Service
IKEEXT                     Service   IKE and AuthIP IPsec Keying Modules
IPBusEnum                  Service
iphlpsvc                   Service   IP Helper
IsmServ                    Service   Intersite Messaging
Kdc                        Service   Kerberos Key Distribution Center
KdsSvc                     Service   Microsoft Key Distribution Service
KeyIso                     Service   CNG Key Isolation
KPSSVC                     Service   KDC Proxy Server service (KPS)
KtmRm                      Service   KtmRm for Distributed Transaction Coordinator
LanmanServer               Service   Server
LanmanWorkstation          Service   Workstation
lltdsvc                    Service   Link-Layer Topology Discovery Mapper
lmhosts                    Service   TCP/IP NetBIOS Helper
LSM                        Service   Local Session Manager
MMCSS                      Service   Multimedia Class Scheduler
MpsSvc                     Service   Windows Firewall
MSDTC                      Service   Distributed Transaction Coordinator
MSiSCSI                    Service   Microsoft iSCSI Initiator Service
msiserver                  Service   Windows Installer
napagent                   Service   Network Access Protection Agent
NcaSvc                     Service   Network Connectivity Assistant
Netlogon                   Service   Netlogon
Netman                     Service   Network Connections
netprofm                   Service   Network List Service
NetTcpPortSharing          Service   Net.Tcp Port Sharing Service
NlaSvc                     Service   Network Location Awareness
nsi                        Service   Network Store Interface Service
NTDS                       Service   Active Directory Domain Services
NtFrs                      Service   File Replication
PerfHost                   Service   Performance Counter DLL Host
pla                        Service   Performance Logs & Alerts
PlugPlay                   Service   Plug and Play
PolicyAgent                Service   IPsec Policy Agent
Power                      Service   Power
PrintService               Service
ProfSvc                    Service   User Profile Service
RasAuto                    Service   Remote Access Auto Connection Manager
RasMan                     Service   Remote Access Connection Manager
RemoteAccess               Service   Routing and Remote Access
RemoteRegistry             Service   Remote Registry
RpcEptMapper               Service   RPC Endpoint Mapper
RpcLocator                 Service   Remote Procedure Call (RPC) Locator
RpcSs                      Service   Remote Procedure Call (RPC)
RSoPProv                   Service   Resultant Set of Policy Provider
sacsvr                     Service   Special Administration Console Helper
SamSs                      Service   Security Accounts Manager
SCardSvr                   Service   Smart Card
Schedule                   Service   Task Scheduler
SCPolicySvc                Service   Smart Card Removal Policy
seclogon                   Service   Secondary Logon
SENS                       Service   System Event Notification Service
SessionEnv                 Service   Remote Desktop Configuration
SharedAccess               Service   Internet Connection Sharing (ICS)
ShellHWDetection           Service   Shell Hardware Detection
SidKeySvc                  Service
SNMPTRAP                   Service   SNMP Trap
Spooler                    Service   Print Spooler
sppsvc                     Service   Software Protection
SSDPSRV                    Service   SSDP Discovery
SstpSvc                    Service   Secure Socket Tunneling Protocol Service
stisvc                     Service
svsvc                      Service   Spot Verifier
swprv                      Service   Microsoft Software Shadow Copy Provider
SysMain                    Service   Superfetch
SystemEventsBroker         Service   System Events Broker
TabletInputService         Service
TapiSrv                    Service   Telephony
TermService                Service   Remote Desktop Services
Themes                     Service   Themes
THREADORDER                Service   Thread Ordering Server
TimeBroker                 Service   Time Broker
TrkWks                     Service   Distributed Link Tracking Client
TrustedInstaller           Service   Windows Modules Installer
UALSVC                     Service   User Access Logging Service
UI0Detect                  Service   Interactive Services Detection
UmRdpService               Service   Remote Desktop Services UserMode Port Redirector
upnphost                   Service   UPnP Device Host
VaultSvc                   Service   Credential Manager
vds                        Service   Virtual Disk
vmicheartbeat              Service   Hyper-V Heartbeat Service
vmickvpexchange            Service   Hyper-V Data Exchange Service
vmicrdv                    Service   Hyper-V Remote Desktop Virtualization Service
vmicshutdown               Service   Hyper-V Guest Shutdown Service
vmictimesync               Service   Hyper-V Time Synchronization Service
vmicvss                    Service   Hyper-V Volume Shadow Copy Requestor
VSS                        Service   Volume Shadow Copy
W32Time                    Service   Windows Time
WbioSrvc                   Service
WcsPlugInService           Service   Windows Color System
WdiServiceHost             Service   Diagnostic Service Host
WdiSystemHost              Service   Diagnostic System Host
WebClient                  Service
Wecsvc                     Service   Windows Event Collector
wercplsupport              Service   Problem Reports and Solutions Control Panel Support
WerSvc                     Service   Windows Error Reporting Service
WiaRpc                     Service
WinHttpAutoProxySvc        Service   WinHTTP Web Proxy Auto-Discovery Service
Winmgmt                    Service   Windows Management Instrumentation
WinRM                      Service   Windows Remote Management (WS-Management)
wmiApSrv                   Service   WMI Performance Adapter
WPDBusEnum                 Service   Portable Device Enumerator Service
WSService                  Service   Windows Store Service (WSService)
wuauserv                   Service   Windows Update
wudfsvc                    Service   Windows Driver Foundation - User-mode Driver Framework


DRS API Extension for Cloning


Windows Server "8" Beta extends the existing Directory Replication Service (DRS) Remote Protocol (UUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) with a new RPC method, IDL_DRSAddCloneDC (Opnum 28). IDL_DRSAddCloneDC creates a new domain controller object by copying attributes from an existing domain controller object. The state of a domain controller consists of the computer, server, NTDS Settings, FRS, DFSR, and connection objects maintained for that domain controller; when the method duplicates these objects, it replaces every reference to the original domain controller with a reference to the corresponding object of the new domain controller. The caller must hold the control access right DS-Clone-Domain-Controller on the domain naming context, and must always have direct access to the PDC emulator domain controller. Because this RPC method is new, your network analysis software needs updated parsers that know about Opnum 28 in the existing UUID E3514235-4B06-11D1-AB04-00C04FC2DCD2; otherwise it cannot decode this traffic. For example, an older parser in Netmon 3.4 cannot decode the call:
More Information: See 4.1.29 IDL_DRSAddCloneDC (Opnum 28), http://msdn.microsoft.com/en-us/library/hh554213(v=prot.13).aspx


Windows PowerShell Module Loading


Windows PowerShell 3.0 implements module auto-loading. Running the Import-Module cmdlet explicitly is usually no longer required; invoking a cmdlet, alias, or function from a module that is installed but not yet loaded imports that module automatically. To see the modules currently loaded in the session, use the Get-Module cmdlet.
Get-Module

Figure 60

To see all installed modules, together with the functions and cmdlets each one exports, use:
Get-Module -ListAvailable

The main case for running Import-Module explicitly is when you need the "AD:" Windows PowerShell drive and nothing else has already loaded the ActiveDirectory module. The drive is created when the module loads, and referencing a drive does not trigger auto-loading the way invoking a cmdlet does. For example:
import-module activedirectory
cd ad:
dir
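The DRS API Extension for Cloning section above places two requirements on a caller of IDL_DRSAddCloneDC: the DS-Clone-Domain-Controller control access right on the domain naming context, and direct access to the PDC emulator. This section notes that the AD: drive is the one case that still needs an explicit Import-Module. The following Windows PowerShell script, an added example that is not part of the original guide, audits both requirements from a domain-joined Windows Server "8" Beta host with the ActiveDirectory module installed. It assumes the Extended-Rights container stores the right under the cn DS-Clone-Domain-Controller, which is the name the guide uses for it.

```powershell
# Added example, not part of the original guide. Audits the two preconditions the
# DRS API Extension section places on an IDL_DRSAddCloneDC caller:
#   1. the DS-Clone-Domain-Controller control access right on the domain NC, and
#   2. direct network access to the PDC emulator.
# Assumes a domain-joined Windows Server "8" Beta host with the ActiveDirectory module.

# Explicit import is required here: the AD: drive is used below, and referencing a
# drive does not trigger module auto-loading the way invoking a cmdlet does.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve the right's GUID from the Extended-Rights container instead of hard-coding it.
# Assumption: the right is stored under cn=DS-Clone-Domain-Controller.
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(cn=DS-Clone-Domain-Controller))' `
    -Properties rightsGuid
if (-not $right) {
    throw "DS-Clone-Domain-Controller control access right not found in $configNC"
}
$cloneRightGuid = [guid]$right.rightsGuid
$allRightsGuid  = [guid]::Empty   # ObjectType of an ACE that grants every extended right
$extendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Read the DACL of the domain head through the AD: drive.
$acl = Get-Acl -Path "AD:\$domainDN"

# Keep Allow ACEs that grant this specific right, or all extended rights at once.
$holders = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
    ($_.ObjectType -eq $cloneRightGuid -or $_.ObjectType -eq $allRightsGuid)
} | Select-Object IdentityReference, IsInherited,
        @{ Name = 'Grant'; Expression = {
            if ($_.ObjectType -eq $allRightsGuid) { 'All extended rights' }
            else { 'DS-Clone-Domain-Controller' } } }

"Principals able to call IDL_DRSAddCloneDC against $domainDN :"
$holders | Format-Table -AutoSize

# Precondition 2: the caller must reach the PDC emulator directly. This only probes
# the RPC endpoint mapper (TCP 135); the DRS interface itself lands on a dynamic port.
$pdce = (Get-ADDomain).PDCEmulator
$tcp  = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($pdce, 135)
    "PDC emulator $pdce reachable on TCP 135: $($tcp.Connected)"
}
catch {
    "Cannot reach PDC emulator $pdce on TCP 135: $($_.Exception.Message)"
}
finally {
    $tcp.Close()
}
```

The first list is the set of grants, not an effective-access computation: Deny ACEs are not evaluated. Any principal shown that you did not knowingly grant the right to deserves investigation, because holding it on the domain naming context is, in practice, the ability to have the PDC emulator create a new domain controller object.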


Additional Resources
For information about Windows Server "8" Beta Virtualized Domain Controllers, see:
- Understand and Troubleshoot Virtualized Domain Controllers in Windows Server "8" Beta
- Test Lab Guide: Demonstrate Windows Server "8" Beta Virtualized Domain Controller (VDC)
- AD DS Virtualization (Cloning and Virtualization safe improvements)

For more information about Windows Server "8" Beta AD DS Simplified Administration, see:
- Understand and Troubleshoot ADDS Simplified Administration in Windows Server "8" Beta
- Active Directory Administrative Center Enhancements (FGPP UI, Recycle Bin UI, and Windows PowerShell Script Viewer)
- Active Directory Replication and Topology Management Using Windows PowerShell
- AD DS Deployment Guide
- Test Lab Guide: Demonstrate ADDS Simplified Administration in Windows Server "8" Beta

For more information about Active Directory Domain Services, see:
- Active Directory Domain Services (TechNet Portal)
- Active Directory Domain Services for Windows Server 2008 R2
- Active Directory Domain Services for Windows Server 2008
- Windows Server Technical Reference (Windows Server 2003)
- Active Directory Administrative Center: Getting Started (Windows Server 2008 R2)
- Running Adprep (Windows Server 2008 R2)
- USN and USN Rollback Protection (Windows Server 2008 R2)
- Active Directory Administration with Windows PowerShell (Windows Server 2008 R2)
- Ask the Directory Services Team (Official Microsoft Commercial Technical Support Blog)

For a list of all of the Windows Server "8" Beta TLGs, see Windows Server "8" Beta Test Lab Guides in the TechNet Wiki. To provide the authors of this guide with feedback or suggestions for improvement, send email to utgfeedback@microsoft.com.
