Abstract
This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Virtualized Domain Controller in Windows Server 8 Beta. This UTG provides you with: A technical overview and functional description of this feature. Technical concepts to help you successfully install, configure, and manage this feature. User Interface options and settings for configuration and management. Relevant architecture of this feature, with dependencies, and technical implementation. Primary troubleshooting tools and methods for this feature.
Copyright information
This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2012 Microsoft. All rights reserved.
Active Directory, Hyper-V, Microsoft, Visual Studio, Windows, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies.
About the Author
Author: Ned Pyle
Bio: Ned Pyle is a Senior Support Escalation Engineer with Microsoft Commercial Technical Support in Charlotte, North Carolina, USA. He specializes in Directory Services troubleshooting and advisory services. He has authored and contributed to TechNet whitepapers and Knowledgebase articles. Ned also has credits in several Microsoft Press books. He teaches Microsoft employees new product architecture, is a Microsoft Certified Master instructor, and is a Microsoft Certified Trainer. He edits the official Microsoft Directory Services blog, AskDS.
Contents
Understand and Troubleshoot Guides
  About the Understand and Troubleshoot Guides
Introducing Virtualized Domain Controller
  What Is Virtualized Domain Controller?
  Purpose & Benefits
Technical Overview
  Prerequisites
  Functional Descriptions
    Virtual Domain Controller Cloning
    Virtual Domain Controller Safe Restore
Deploying Virtualized Domain Controller
  Installation Considerations
  Platform Requirements
  Critical Caveats
Virtualized Domain Controller Cloning
  1. Validate the Hypervisor
  2. Create XML
    Using a Blank DcCloneConfig.xml File
    Using Get-ADDCCloningExcludedApplicationList to Detect Compatibility Issues and Create CustomDCCloneAllowList.xml
    XML Details and Behaviors
    Using an XML Editor
    Adding XML to the Running Source DC
  3. Verify the PDCE FSMO role
    Active Directory Users and Computers Method
    Windows PowerShell Method
    Validate PDCE Availability
  4. Authorize a Source DC
    Active Directory Administrative Center Method
    Windows PowerShell Method
    Rebuilding Default Permissions
  5. Remove Incompatible applications or services (if not using CustomDCCloneAllowList.xml)
  6. Take the Source Domain Controller Offline
    Graphical Method
    Windows PowerShell Method
  7. Copy Disks
    Manually Copying Disks
    Exporting the VM
    Adding XML to the Offline System Disk
  8. Create the New Virtual Machine
    Associating a New VM with Copied Disks
    Import VM
  9. Clone the New Virtual Machine
Virtualized Domain Controller Safe Restore
  Validate the Hypervisor
  Validate the Replication Topology
    Writable Domain Controller Contact
    Simultaneous Restore
    Post-Snapshot Replication
  Windows PowerShell Snapshot Cmdlets
  Further Recommendations
Troubleshooting
  Introduction
  Troubleshooting VDC Cloning
    Tools for Troubleshooting
    General Methodology for Troubleshooting Domain Controller Cloning
    Troubleshooting Specific Problems
    Advanced Troubleshooting
  Troubleshooting VDC Safe Restore
    Tools for Troubleshooting
    General Methodology for Troubleshooting Domain Controller Safe Restore
    Troubleshooting Specific Problems
    Advanced Troubleshooting
Appendices
  Terminology
  VDC Cloning Architecture
    Overview
    Detailed Processing (using Microsoft Hyper-V)
  VDC Safe Restore Architecture
    Overview
    Detailed Processing (using Microsoft Hyper-V)
  FixVDCPermissions.ps1
  The DCCloneConfigSchema.XSD
  The SampleDCCloneConfig.XML
  The DefaultDCCloneAllowList.XML
  List of default compatible cloning components
  DRS API Extension for Cloning
  Windows PowerShell Module Loading
Additional Resources
Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta
More Information:
To read more about new features that are not in this document's scope:
- For AD DS deployment and management improvements, see the Understand and Troubleshoot AD DS Simplified Administration in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237244
- For Dynamic Access Control and Kerberos capabilities, see the Understand and Troubleshoot Dynamic Access Control in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237254
- For gMSA and Kerberos capabilities, see the Understand and Troubleshoot Enhanced Security in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237243
VDC also benefits from many other new features included in Windows Server "8" Beta, such as:
- NIC teaming and Datacenter Bridging
- Unified Remote Access
- AD site awareness
- DNS Security and faster AD-integrated zone availability after boot
- Hyper-V reliability and scalability improvements
- BitLocker Network Unlock
- Additional Windows PowerShell component administration modules
More Information:
To read more about new features that are not in this document's scope:
- For Unified Remote Access capabilities, see the Understand and Troubleshoot Unified Remote Access in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237246
- For DNS capabilities, see the Understand and Troubleshoot DNS Security Extensions (DNSSEC) in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237248
- For Hyper-V capabilities, see the Understand and Troubleshoot Hyper-V Virtual Network Switch in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237247 and the Understand and Troubleshoot Hyper-V Replica in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237258
- For BitLocker capabilities, see the Understand and Troubleshoot BitLocker in Windows Server "8" Beta guide: http://go.microsoft.com/fwlink/p/?LinkId=237139
Virtualization technology such as Hyper-V includes snapshot capabilities, where you create an image of a domain controller at a point in time. Restoring the snapshot discards all changes made since that checkpoint and, in previous operating systems, forces the domain controller to quarantine itself through a process called USN rollback protection. Once USN rollback protection is in place, the domain controller no longer replicates and must be either forcibly demoted or manually restored non-authoritatively. If the domain controller originated changes after the snapshot was taken, the rollback also leads to lingering objects. Windows Server "8" Beta now detects rollbacks and non-authoritatively synchronizes the delta of changes between a domain controller and its partners for AD DS and SYSVOL. You can now use snapshots without risking permanently crippling a domain controller and requiring manual forced demotion, metadata cleanup, and re-promotion. While this does not prevent other issues with snapshots, such as inconsistent databases for other technologies and applications, it does make domain controller virtualization safer.
More Information:
For more information about USN and Invocation ID, review How the Active Directory Replication Model Works: http://technet.microsoft.com/en-us/library/cc772726(WS.10).aspx
For more information about USN rollback protection in Windows Server 2008 R2, review Running Domain Controllers in Hyper-V: http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd15fbaa6740ffe(v=WS.10)#usn_and_usn_rollback
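The safe-restore behavior described above can be observed from the domain controller itself. The following script is an added example, not part of this guide or of Microsoft's tooling: it records the DC's invocation ID, highest committed USN and VM-Generation ID before a snapshot and compares them after a restore, so you can tell a safe restore (new invocation ID because the generation ID changed) from a classic USN rollback (same invocation ID, USN moved backwards). It assumes the ActiveDirectory module is available on the DC and that the DC's computer object carries the VM-Generation ID in the msDS-GenerationId attribute, as it does in Windows Server 2012; the paths used are placeholders.

```powershell
# Added example, not from the original guide: capture a domain controller's
# replication identity before a snapshot and compare it after a restore, to tell
# a safe restore (new invocation ID, new VM-Generation ID) from a USN rollback
# (USN moved backwards under the same invocation ID).
# Assumptions: runs locally on the DC with the ActiveDirectory module; the
# msDS-GenerationId attribute of the DC's computer object holds the VM-Generation
# ID (the attribute Windows Server 2012 uses; assumed present in the Beta schema).
Import-Module ActiveDirectory

function Get-DcReplicationIdentity {
    param([string]$Server = $env:COMPUTERNAME)
    $dc   = Get-ADDomainController -Identity $Server
    $root = Get-ADRootDSE -Server $dc.HostName
    $obj  = Get-ADComputer -Identity $dc.Name -Server $dc.HostName -Properties 'msDS-GenerationId'
    $gen  = $obj.'msDS-GenerationId'
    # Null when the hypervisor does not expose a VM-Generation ID to the guest.
    $genHex = if ($gen) { ($gen | ForEach-Object { $_.ToString('x2') }) -join '' } else { $null }
    [pscustomobject]@{
        Server              = $dc.HostName
        InvocationId        = [string]$dc.InvocationId
        HighestCommittedUsn = [int64]$root.highestCommittedUSN
        GenerationId        = $genHex
        Taken               = Get-Date
    }
}

function Compare-DcReplicationIdentity {
    param(
        [Parameter(Mandatory)]$Baseline,   # saved before the snapshot
        [Parameter(Mandatory)]$Current     # collected after the restore
    )
    if ($Current.InvocationId -ne $Baseline.InvocationId) {
        # A new invocation ID is how a DC re-initialises its replication identity;
        # safe restore does this automatically when the generation ID changes.
        $how = if ($Current.GenerationId -ne $Baseline.GenerationId) { 'VM-Generation ID changed: safe restore' } else { 'non-authoritative restore' }
        return "Re-initialised ($how): partners treat this DC as a new replication source; unreplicated local changes since the snapshot are gone."
    }
    if ($Current.HighestCommittedUsn -lt $Baseline.HighestCommittedUsn) {
        # Same invocation ID but a lower USN: partners still hold the higher USN
        # they were last given. On a platform without VM-Generation ID this is the
        # classic USN rollback (event 2095) and the DC quarantines itself.
        return 'USN rollback: highestCommittedUSN went backwards under the same invocation ID.'
    }
    return 'No rollback detected.'
}

# Before the snapshot:  Get-DcReplicationIdentity | Export-Clixml C:\temp\dc1-baseline.xml
# After the restore:    Compare-DcReplicationIdentity -Baseline (Import-Clixml C:\temp\dc1-baseline.xml) -Current (Get-DcReplicationIdentity)
```

Keep the baseline file off the virtual machine's own disk; a snapshot restore would roll the baseline back along with the database and the comparison would show nothing.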
Technical Overview
Prerequisites
This guide assumes familiarity with previous releases of Active Directory Domain Services as well as virtualization technology like Hyper-V or other hypervisors, and does not provide foundation detail around their purpose and functionality. The focus of this guide is to provide information and guidance on the new features and improvements introduced in Windows Server "8" Beta.
More Information:
For more information about AD DS, see the TechNet Portal pages linked below:
- Active Directory Domain Services for Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/dd378801(WS.10).aspx
- Active Directory Domain Services for Windows Server 2008: http://technet.microsoft.com/en-us/library/dd378891(WS.10).aspx
- Windows Server Technical Reference: http://technet.microsoft.com/en-us/library/cc739127(WS.10).aspx
For more information about Hyper-V, see the TechNet Portal pages linked below:
- Hyper-V Server Portal: http://www.microsoft.com/en-us/server-cloud/hyper-v-server/default.aspx
- Windows Server 2008 R2 Hyper-V Portal: http://www.microsoft.com/en-us/server-cloud/windows-server/hyper-v.aspx
- Hyper-V TechNet Library for Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/cc753637(WS.10).aspx
Functional Descriptions
Virtual Domain Controller Cloning
Windows Server "8" Beta implements cloning by extending the existing virtualization and domain controller promotion processes. Instead of creating sysprepped copies of workgroup computers and then manually promoting them using Server Manager or the ADDSDeployment Windows PowerShell module, an administrator creates a DcCloneConfig.xml file containing the unique server configuration and copies it into the DSA Working Directory (the location where the AD DS database resides; C:\Windows\NTDS, by default). A virtualization administrator takes the domain administrator-authorized virtual machine offline and copies its drive or exports the computer. The administrator creates a new virtual machine from the copied or exported computer without any other changes required, and the server automatically promotes itself as a unique domain controller, using the previous domain controller's data as source media. Alternatively, domain administrators can mount the offline disk and add the XML files, which allows for factory-like automation using new Windows PowerShell options included in Windows Server "8" Beta. If there are any problems or signs of duplicated uniqueness, such as an IP address or name, the promotion blocks and the cloned domain controller switches to DS Restore Mode for analysis. Cloning can be made entirely automatic, including name generation and IP addressing using DHCP. VDC cloning allows:
- Swift domain controller deployment in a new forest or domain
- Scalable provisioning of domain controllers to handle increased load
- Rapid rollout of replacement domain controllers during disaster recovery, such as flooding or fire, an AD DS forest compromised by intrusion, or loss of virtualization host hardware
- Quick provisioning of test lab environments
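The virtualization administrator's half of that workflow (take the authorized source offline, copy its disk, add the XML to the offline copy, build and start the new VM) can be scripted on a Hyper-V host. The following is an added example, not part of this guide or of Microsoft's tooling. It assumes the Hyper-V Windows PowerShell module, a source VM with a single system VHD or VHDX whose DSA working directory is at the default \Windows\NTDS, and XML files already prepared and authorized by the domain administrator; all VM names, paths and the switch name are placeholders.

```powershell
# Added example, not from the original guide: clone a domain controller VM on a
# Hyper-V host by copying its disk and injecting the cloning XML offline.
# Assumptions: Hyper-V module present; one system disk on the source VM; DSA
# working directory at \Windows\NTDS; XML files prepared by the domain admin.
Import-Module Hyper-V

function New-ClonedDcVm {
    param(
        [Parameter(Mandatory)][string]$SourceVm,
        [Parameter(Mandatory)][string]$CloneVm,
        [Parameter(Mandatory)][string]$CloneDiskPath,      # destination for the copied disk
        [Parameter(Mandatory)][string]$DcCloneConfigPath,  # DcCloneConfig.xml prepared by the domain admin
        [string]$CustomAllowListPath,                      # optional CustomDCCloneAllowList.xml
        [string]$SwitchName = 'External'
    )
    # Take the authorized source DC offline so the disk cannot change under the copy.
    if ((Get-VM -Name $SourceVm).State -ne 'Off') { Stop-VM -Name $SourceVm }

    # Copy the system disk (assumes a single disk on the source VM).
    $sourceDisk = (Get-VMHardDiskDrive -VMName $SourceVm | Select-Object -First 1).Path
    Copy-Item -Path $sourceDisk -Destination $CloneDiskPath

    # Put the XML into the offline copy's DSA working directory, never into the
    # source VM's own disk: the source must keep booting as itself.
    $vhd = Mount-VHD -Path $CloneDiskPath -Passthru
    try {
        $ntds = Get-Disk -Number $vhd.DiskNumber | Get-Partition |
            Where-Object { [string]$_.DriveLetter -match '^[A-Za-z]$' } |
            ForEach-Object { "$($_.DriveLetter):\Windows\NTDS" } |
            Where-Object { Test-Path $_ } | Select-Object -First 1
        if (-not $ntds) { throw "No \Windows\NTDS directory found on $CloneDiskPath" }
        Copy-Item -Path $DcCloneConfigPath -Destination (Join-Path $ntds 'DcCloneConfig.xml')
        if ($CustomAllowListPath) {
            Copy-Item -Path $CustomAllowListPath -Destination (Join-Path $ntds 'CustomDCCloneAllowList.xml')
        }
    }
    finally {
        Dismount-VHD -Path $CloneDiskPath
    }

    # Build the new VM around the copied disk and start it; promotion happens at
    # first boot and stops in DS Restore Mode if a name or IP duplicates the source.
    $memory = (Get-VM -Name $SourceVm).MemoryStartup
    New-VM -Name $CloneVm -MemoryStartupBytes $memory -VHDPath $CloneDiskPath -SwitchName $SwitchName | Out-Null
    Start-VM -Name $CloneVm
    Start-VM -Name $SourceVm
}

# New-ClonedDcVm -SourceVm 'DC1' -CloneVm 'DC2' -CloneDiskPath 'D:\VMs\DC2\DC2.vhdx' -DcCloneConfigPath 'C:\clone\DC2\DcCloneConfig.xml'
```

Nothing in this script grants the right to clone: if the domain administrator has not authorized the source DC, the copy boots into DS Restore Mode rather than promoting, which is the role separation the next paragraph describes.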
There is clear role separation between domain administrators and virtualization administrators when cloning. Hypervisor admins cannot deploy replica domain controllers by simply copying virtual machines; the domain admins authorize selected domain controllers for cloning. The virtualization admins then deploy the authorized clones. This ensures that unauthorized users do not create new rogue domain controllers.
Critical: Anyone allowed to administer the hypervisor must be highly trusted and audited in the environment. They still have the ability to make copies of domain controllers for offline attack or sale to malicious third parties. Microsoft suggests legally bonding administrators against exceeding their access and contacting law enforcement authorities if suspecting employees of theft.
Note:
There is no graphical interface to create the cloning XML files. However, there is a Windows PowerShell script in development for out-of-band release, and the XML schema is included. These, and the use of simple XML editing tools, are described later in this guide.
Platform Requirements
Virtualized Domain Controller cloning requires:
- PDC emulator FSMO role transferred to a Windows Server "8" Beta DC
- PDC emulator available during cloning operations
Both VDC cloning and safe restore require:
- Windows Server "8" Beta virtualized guests
- A virtualization host platform that supports VM-Generation ID (VMGID)
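These requirements can be checked from Windows PowerShell before any disk is copied. The following is an added example, not part of this guide: it resolves the PDC emulator, checks its reported operating system and that it answers an LDAP query, and checks whether the source DC's host presented a VM-Generation ID. It assumes the ActiveDirectory module, that the OperatingSystem string returned by Get-ADDomainController identifies the release (the loose pattern below is an assumption), and that a populated msDS-GenerationId attribute on the DC's computer object means the hypervisor supports VMGID (the attribute Windows Server 2012 uses for this).

```powershell
# Added example, not from the original guide: pre-flight check for the VDC
# platform requirements. Assumptions: ActiveDirectory module; the
# OperatingSystem string identifies the release; msDS-GenerationId on the DC's
# computer object is set only when the hypervisor exposes a VM-Generation ID.
Import-Module ActiveDirectory

function Test-VdcPrerequisites {
    param([string]$SourceDc = $env:COMPUTERNAME)

    # PDC emulator FSMO role holder and its operating system
    $pdce   = (Get-ADDomain).PDCEmulator
    $pdceDc = Get-ADDomainController -Identity $pdce

    # The PDC emulator must answer during cloning; test an LDAP bind, not just ICMP.
    $pdceReachable = $true
    try { $null = Get-ADRootDSE -Server $pdce } catch { $pdceReachable = $false }

    # Source DC guest OS and whether its host presented a VM-Generation ID
    $src = Get-ADDomainController -Identity $SourceDc
    $gen = (Get-ADComputer -Identity $src.Name -Properties 'msDS-GenerationId').'msDS-GenerationId'

    [pscustomobject]@{
        PdcEmulator         = $pdce
        PdceOs              = $pdceDc.OperatingSystem
        PdceIsNewOs         = [bool]($pdceDc.OperatingSystem -match 'Windows Server "?8"?|Windows Server 2012')
        PdceReachable       = $pdceReachable
        SourceDc            = $src.HostName
        SourceOs            = $src.OperatingSystem
        HostSupportsVmGenId = [bool]$gen
    }
}

$check = Test-VdcPrerequisites
$check
if (-not ($check.PdceIsNewOs -and $check.PdceReachable -and $check.HostSupportsVmGenId)) {
    Write-Warning 'A VDC platform requirement is not met; cloning will fail or land in DS Restore Mode.'
}
```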
Figure 1
Note:
Even though Microsoft supports Windows 7 Virtual PC, Virtual PC 2007, Virtual PC 2004, and Virtual Server 2005 as of this writing, they are incapable of running 64-bit guests. For help with third-party virtualization products and their support stance with VDC, contact that vendor directly. For more information, review Support policy for Microsoft software running in non-Microsoft hardware virtualization software: http://support.microsoft.com/kb/897615
Critical Caveats
VDC does not support safe restore of the following:
- VHD and VHDX files manually copied over existing VHD files
- VHD and VHDX files restored using file backup or full disk backup software
Note: VHDX files are new to Windows Server "8" Beta Hyper-V.
Neither of these operations is a snapshot restoration, so neither invokes the VM-Generation ID process. Restoring a domain controller by either method can cause a USN rollback, which either quarantines the domain controller or introduces lingering objects. If the restored copy is older than the tombstone lifetime, it creates the potential for lingering objects and a USN bubble; the bubble is the set of changes that diverge between the two domain controllers. USN rollback protection does not quarantine the domain controller in this case, which can lead to lingering objects and the need for forest-wide cleanup operations.
Critical: VDC safe restore is not a replacement for system state backups and the AD DS Recycle Bin. After a snapshot is restored, any changes that originated on that domain controller after the snapshot and had not yet replicated are permanently lost. Safe restore implements automated non-authoritative restoration to prevent accidental domain controller quarantine only.
More Information:
For more information about USN bubbles and lingering objects, see Troubleshooting Active Directory operations that fail with error 8606: "Insufficient attributes were given to create an object" http://support.microsoft.com/kb/2028495
Figure 2
Important:
For details on how the cloning process works at first boot, see the Architecture section. For issues, see the Troubleshooting section. For test lab steps, see Test Lab Guide: Demonstrate Windows Server "8" Beta Virtualized Domain Controller (VDC) http://go.microsoft.com/fwlink/p/?LinkId=237261 For a step-by-step guide, see the AD DS Virtualization (Cloning and Virtualization safe improvements) guide http://go.microsoft.com/fwlink/p/?LinkID=238316
Note: All scenarios are described using the following sample conventions:
- The Windows Server "8" Beta forest is corp.contoso.com
- Domain controllers are named in the pattern DC1, DC2, etc.
2. Create XML
The DcCloneConfig.xml file is required for cloning Domain controllers. Its contents allow you to specify unique details like the new computer name and IP address. The CustomDCCloneAllowList.xml file is optional unless you install applications or incompatible Windows services on the source domain controller. The files require precise naming, formatting, and placement; otherwise, cloning fails.
You must run Get-ADDCCloningExcludedApplicationList on a source domain controller before cloning it. In Windows Server "8" Beta the cmdlet has no arguments. It scans the source computer for services and installed programs that are not on the cloning allow list and returns that list; any service or program in the list causes the cloning engine to abort.
Figure 3
In this example though, there are incompatibilities detected because of the DHCP service:
Figure 4
In this final example, there are potential incompatibilities because you installed the Microsoft Forefront Endpoint Protection program:
Figure 5
Important:
Microsoft Forefront is not necessarily incompatible with cloning. VDC in Windows Server "8" Beta assumes that any program not included with Windows is risky and, as a safeguard, forces you to allow it explicitly.
The allow list of supported cloneable applications and services is stored in c:\windows\system32\DefaultDCCloneAllowList.XML. See the Appendix for more information.
You must choose to either remove the incompatible applications and components or override the cloning block using the CustomDCCloneAllowList.xml file. For the previous example, where you installed Microsoft Forefront Endpoint Protection, the CustomDCCloneAllowList.xml configuration needed is:
<?xml version="1.0" encoding="utf-8" ?>
<!-- Allow migration of a computer using MSFFEP file -->
<AllowList>
  <Allow>
    <Name>Microsoft Forefront Endpoint Protection</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>Microsoft Antimalware</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>Microsoft Forefront Endpoint Protection 2010 Server Management</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>Microsoft Security Client</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>PrintNotify</Name>
    <Type>Service</Type>
  </Allow>
  <Allow>
    <!-- Service name of the Microsoft Antimalware service, as SC.EXE QUERY reports it -->
    <Name>MsMpSvc</Name>
    <Type>Service</Type>
  </Allow>
  <Allow>
    <Name>NisSrv</Name>
    <Type>Service</Type>
  </Allow>
</AllowList>
The guide describes the definitions of this XML file and using an XML editor later in this section.
Figure 6
2. The elements (fields inside of <>) are case-sensitive.
3. The element's start and end tags must match.
4. The data inside elements is not case-sensitive, but is format-sensitive. For example, you cannot provide the IPv4 address in any form but w.x.y.z, with a valid IPv4 integer in each octet. Likewise, a computer name must be 15 characters or fewer and use only valid characters.
5. Any empty or missing elements are handled automatically during cloning (see the DcCloneConfig.XML Definitions and Behaviors section below).
6. If any element data duplicates the source computer, cloning does not proceed. For example, you cannot set the IP address to match the old computer's IP address.
7. The XML follows the rules of the included XML schema file c:\windows\system32\DCCloneConfigSchema.xsd.
More Information: For explanations of XML terms, review the MSDN XML Glossary: http://msdn.microsoft.com/en-us/library/ms256452(v=VS.110).aspx
Template SampleDcCloneConfig.xml
The following sample is also located at %systemroot%\system32\SampleDCCloneConfig.xml on any Windows Server "8" Beta domain controller.
<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
  <ComputerName></ComputerName>
  <SiteName></SiteName>
  <IPSettings>
    <IPv4Settings>
      <StaticSettings>
        <Address></Address>
        <SubnetMask></SubnetMask>
        <DefaultGateway></DefaultGateway>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <PreferredWINSServer></PreferredWINSServer>
        <AlternateWINSServer></AlternateWINSServer>
      </StaticSettings>
    </IPv4Settings>
    <IPv6Settings>
      <StaticSettings>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
      </StaticSettings>
    </IPv6Settings>
  </IPSettings>
</d3c:DCCloneConfig>
Element:  ComputerName

Element:  DNSResolver (within <IPv4Settings> <StaticSettings>)
Data:     IPv4 address of a DNS server. With multiple entries, the order is primary, secondary, tertiary, etc.
Behavior: Cloning proceeds

Element:  PreferredWINSServer (within <IPv4Settings> <StaticSettings>)
Data:     IPv4 address of the primary WINS server
Behavior: Cloning proceeds

Element:  AlternateWINSServer (within <IPv4Settings> <StaticSettings>)
Data:     IPv4 address of the secondary WINS server
Behavior: Cloning proceeds

Element:  DNSResolver (within <IPv4Settings> <DynamicSettings>)
Data:     IPv4 address of a DNS server when using DHCP without scope options. With multiple entries, the order is primary, secondary, tertiary, etc.
Behavior: Cloning proceeds

Element:  PreferredWINSServer (within <IPv4Settings> <DynamicSettings>)
Data:     IPv4 address of the primary WINS server when using DHCP without scope options
Behavior: Cloning proceeds

Element:  AlternateWINSServer (within <IPv4Settings> <DynamicSettings>)
Data:     IPv4 address of the secondary WINS server when using DHCP without scope options
Behavior: Cloning proceeds

Element:  DNSResolver (within <IPv6Settings> <DynamicSettings>)
Data:     IPv6 address of a DNS server when using DHCPv6 or SLAAC without scope options. With multiple entries, the order is primary, secondary, tertiary, etc.
Behavior: Cloning fails if no valid IPv6 address is received from DHCPv6 or router stateless address autoconfiguration (SLAAC) and no IPv4 DHCP is available
Figure 7
Important:
Cloning does not support static IPv6 entries in Windows Server "8" Beta. You must use DHCPv6 or IPv6 stateless address autoconfiguration (SLAAC).
Template CustomDCCloneAllowList.xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- Empty sample CustomDCCloneAllowList.xml file -->
<AllowList>
  <Allow>
    <Name></Name>
    <Type>Service</Type>
  </Allow>
  <Allow>
    <Name></Name>
    <Type>Program</Type>
  </Allow>
</AllowList>
Note: Post-beta versions of Windows Server "8" Beta may include the ability to generate a CustomDCCloneAllowList.xml populated with all detected non-allow-list programs and services. In Windows Server "8" Beta, however, you must create this XML file manually.
CustomDCCloneAllowList.XML Definitions
Each <Allow> element in the CustomDCCloneAllowList.xml describes one service or program. Cloning fails unless you uninstall the offending service or program, or use the CustomDCCloneAllowList.XML to override the detection.
Element  Data (Type)  Can contain value
Name     Service      The same service name as the SERVICE_NAME returned by SC.EXE QUERY
Name     Program      The programs listed in the DisplayName registry value name of subkeys in:
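Because the Beta offers no switch to generate the allow list, the file has to be written by hand from the output of Get-ADDCCloningExcludedApplicationList. The following is an added example, not part of this guide or of Microsoft's tooling, that does that mechanically: it runs the cmdlet, drops any entry you would rather uninstall than allow, and writes a CustomDCCloneAllowList.xml in the format of the template above. It assumes the cmdlet returns objects with Name and Type properties (Type being Service or Program); the -Exclude value and output path in the usage line are placeholders.

```powershell
# Added example, not from the original guide: build CustomDCCloneAllowList.xml
# from what Get-ADDCCloningExcludedApplicationList reports on the source DC.
# Assumptions: the cmdlet's output objects expose Name and Type (Service|Program).
# Allow-listing only silences the check; it does not make a component clone-safe,
# so review every entry that lands in the file.
Import-Module ActiveDirectory

function New-CustomDcCloneAllowList {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Exclude = @()   # names to leave out of the allow list (uninstall these instead)
    )
    $excluded = Get-ADDCCloningExcludedApplicationList
    $allowed  = @($excluded | Where-Object { $Exclude -notcontains $_.Name })

    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent   = $true
    $settings.Encoding = New-Object System.Text.UTF8Encoding($false)   # utf-8 without BOM

    $writer = [System.Xml.XmlWriter]::Create($Path, $settings)
    try {
        $writer.WriteStartDocument()
        $writer.WriteComment(" Generated from Get-ADDCCloningExcludedApplicationList on $env:COMPUTERNAME ")
        $writer.WriteStartElement('AllowList')
        foreach ($item in $allowed) {
            $writer.WriteStartElement('Allow')
            $writer.WriteElementString('Name', [string]$item.Name)   # SERVICE_NAME or program DisplayName
            $writer.WriteElementString('Type', [string]$item.Type)   # Service or Program
            $writer.WriteEndElement()
        }
        $writer.WriteEndElement()
        $writer.WriteEndDocument()
    }
    finally { $writer.Close() }

    # Return what was allowed so it can be reviewed and recorded with the change.
    $allowed | Select-Object Name, Type
}

# Usage on the source DC, keeping the DHCP Server service out of the list so it
# must be removed rather than allowed (service name DHCPServer is a placeholder):
# New-CustomDcCloneAllowList -Path 'C:\Windows\NTDS\CustomDCCloneAllowList.xml' -Exclude 'DHCPServer'
```

Writing the file with an XmlWriter rather than string concatenation keeps the element names case-exact and the document well-formed, which matters here because the cloning engine aborts on malformed XML.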
Both tools can either create or modify the Dccloneconfig.xml and CustomDCCloneAllowList.xml files safely, if used correctly. In the example below, you see how to create or customize a Dccloneconfig.xml file. You can use the same steps (with one exception noted below) for the CustomDCCloneAllowList.XML file.
Warning: Do not use simple text editors - such as Notepad.exe - that do not understand XML formatting and schema. The XML has strict syntax requirements and is case-sensitive; most mistakes in the XML are fatal to cloning.
Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta
Figure 9
Figure 10
3. Enable Expert Settings, using the Tools menu option. This exposes the XML schema later.
Figure 11
4. Using the Project menu, Add New Item and make it an XML file. The name is unimportant, as this is a sample for generating new XML files.
Figure 12
Figure 13
5. Using the XML menu, add the Schema DCCloneConfigSchema.xsd (which you can copy from any Windows Server "8" Beta domain controller's %windir%\system32 directory).
Figure 14
Figure 15
Important:
This step applies only when creating or editing the DCCloneConfig.xml file. There is no schema file provided for CustomDCCloneAllowList.XML.
6. Paste in sample XML from this guide or from the provided templates and save your file and project. Using the View menu, add the Error List pane.
Note:
All Windows Server "8" Beta domain controllers contain the template XML file %windir%\system32\SampleDcCloneConfig.xml. The template CustomDCCloneAllowList.xml is described previously in this guide.
You now have a base XML file to use for all subsequent work. The base dccloneconfig.xml includes the schema, highlights all issues with underlining and an explanation, and supports IntelliSense modification and autocomplete. You can modify any element for your new clones, make copies, and save off different versions of the XML for later review. You can also add comments.
For instance, here is a dccloneconfig.xml sample including the computer name, site, and IPv4 information for a new DC. In this instance, the XML element for Address is malformed in one tag (missing an s):
Figure 16
In this instance, the elements are complete, but the case is incorrect (should be uppercase A on Address):
Figure 17
As you can see from these examples, catching these mistakes in a text editor would have been very difficult and would have required extraordinary attention to detail. For environments using the full version of Visual Studio 2010 and Team Foundation Server, you can create a source control database to guarantee that all cloning information is tracked and checked in or out, minimizing the chance of duplication between administrators.
Figure 18
Figure 19
Figure 20
4. Use the View menu to add the c:\windows\system32\DCCloneConfigSchema.xsd, which you can find on any Windows Server "8" Beta domain controller.
Figure 21
Figure 22
You now have a dccloneconfig.xml to use for all subsequent work. It includes the schema, shows all issues in the Error List, and supports a dropdown menu of available elements in a given context. You can modify any element for your new clones and make copies.
For instance, here is a sample including the computer name, site, and IPv4 information for a new DC:
Figure 23
In this instance, the IPV4NetworkConfig Address element is invalid (should have an uppercase A):
Figure 24
DcCloneConfig.xml Location
The following locations can contain the DcCloneConfig.xml file:
1. DSA Working Directory
2. %windir%\NTDS
3. Removable read/write media, in order of drive letter, at the root of the drive
These paths are not configurable. After cloning begins, the cloning process checks these locations in that specific 1-3 order and uses the first XML file found, regardless of the other folders' contents.
CustomDCCloneAllowList.xml Location
The following locations can contain the CustomDCCloneAllowList.xml file:
1. HKey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters AllowListFolder (REG_SZ)
2. DSA Working Directory
3. %windir%\NTDS
4. Removable read/write media, in order of drive letter, at the root of the drive
After cloning begins, the cloning process checks these locations in that specific 1-4 order and uses the first XML file found, regardless of the other folders' contents.
Optionally, you can copy the updated XML files to the running source domain controller. There is no harm in copying the files at this stage and restarting the source DC: the original domain controller will not clone, because the VM-Generation ID does not change on the computer until the copied virtual computer boots up and reads its AD DS information. After restarting, the source domain controller renames the clone file, appending a date-time stamp. Copying the XML to the original source domain controller before taking it offline is advisable when cloning only once or when using a blank dccloneconfig.xml file. To copy the file using Windows PowerShell, use the following cmdlet:
Copy-Item
Figure 25
Alternatively, you can copy the XML file to the mounted offline disk copied later in the cloning process below.
To return the key without manually navigating through Regedit.exe, you can use the following Reg.exe command:
reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /t reg_sz /v "dsa working directory"
Figure 26
Figure 27
You can combine get-itemproperty and copy-item in order to create automation. For example, to copy a remote dccloneconfig.xml to the local DSA working directory:
Figure 28
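As an added example (not from the guide), here is one way to script that copy: it reads the DSA Working Directory from the same NTDS Parameters value the Reg.exe command above queries, rejects a file that is not well-formed XML, and refuses to overwrite an existing dccloneconfig.xml. The staging share path is an assumed placeholder, and the script is assumed to run elevated on the target domain controller.

```powershell
# Added example (not from the guide): stage a dccloneconfig.xml into the local DSA Working
# Directory, the first location the cloning engine searches. Assumptions: the file sits on an
# admin share (placeholder path below) and this runs elevated on the target DC.
$source = '\\fileserver\clonestaging\dccloneconfig.xml'   # placeholder path

# Same registry value the guide queries with reg.exe, read with Get-ItemProperty instead.
$ntdsParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dsaWorkDir  = (Get-ItemProperty -Path $ntdsParams -Name 'DSA Working Directory').'DSA Working Directory'
$destination = Join-Path -Path $dsaWorkDir -ChildPath 'dccloneconfig.xml'

# The guide warns that XML mistakes are fatal to cloning and only surface after the copied VM
# boots, so reject anything that is not well-formed before it ever reaches the DC.
try {
    [xml]$config = Get-Content -Path $source -Raw -ErrorAction Stop
}
catch {
    throw "Refusing to copy '$source': not well-formed XML ($($_.Exception.Message))"
}
"Parsed root element <$($config.DocumentElement.Name)> from $source"

# A dccloneconfig.xml already in the DSA Working Directory would be the one cloning picks up
# (first match wins), so stop rather than silently overwrite it.
if (Test-Path -Path $destination) {
    throw "A dccloneconfig.xml already exists at '$destination'; rename or remove it first."
}

Copy-Item -Path $source -Destination $destination
Get-Item -Path $destination | Format-List FullName, Length, LastWriteTime
```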
Note:
Ntdsutil.exe can also provide this information, but requires stopping the NTDS service, which prevents the domain controller from answering requests.
If no domain is provided, these cmdlets assume the domain of the computer where they run. The following command returns PDCE and operating system information:
get-adcomputer (Get-ADDomainController -Discover -Service "PrimaryDC").name -property * | format-list dnshostname,operatingsystem,operatingsystemversion
This example below demonstrates specifying the domain name and filtering the returned properties before the Windows PowerShell pipeline:
Figure 29
Figure 30
To validate that the PDCE is accessible through the DRSUAPI RPC protocol, use Nltest.exe /dclist against the PDCE. That test exercises the DsGetDomainControllerInfo function, which is part of DRSUAPI.
Nltest /server:<PDCE> /dclist:<domain>
For example:
Figure 31
Important:
Always perform these tests from a computer on the same network where the clone will reside.
4. Authorize a Source DC
The source domain controller must have the special domain head permission Allow a DC to create a clone of itself. By default, the well-known group Cloneable Domain Controllers has this permission and contains no members. The PDCE creates this group when that FSMO role transfers to a Windows Server "8" Beta domain controller.
For instance, this adds server DC1 to the group, without the need to specify the distinguished name of the group member:
Figure 32
Note:
Alternatively, run the sample FixVDCPermissions.ps1 in a Windows PowerShell console, where the console starts as an elevated administrator on a domain controller in the affected domain. It automatically sets the permissions. The sample is located in the appendix of this guide.
Critical:
The source Windows Server "8" Beta domain controller cannot have been previously migrated from FRS to DFSR for SYSVOL. Due to a known incompatibility in Windows Server "8" Beta, doing so will not correctly populate SYSVOL. See the Troubleshooting VDC Cloning section below for more details on this issue. For more information on FRS to DFSR SYSVOL migration, review SYSVOL Replication Migration Guide: FRS to DFS Replication (http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx).
Graphical Method
Use the shutdown button within the running DC, or the Hyper-V Manager shutdown button.
Figure 33
Figure 34
Stop-computer is a cmdlet that supports shutting down computers regardless of virtualization, and is analogous to the legacy Shutdown.exe utility. Stop-vm is a new cmdlet in the Windows Server "8" Beta Hyper-V Windows PowerShell module, and is equivalent to the power options in Hyper-V Manager. The latter is useful in lab environments where the domain controller often operates on a private virtualized network.
Figure 35
Figure 36
7. Copy Disks
An administrative choice is required in the copying phase:
1. Copying the disks manually, without Hyper-V
2. Exporting the VM, using Hyper-V
All of a virtual machine's disks must be copied, not just the system drive. If the source domain controller uses differencing disks and you plan to move your cloned domain controller to another Hyper-V host, you must export. Copying disks manually is recommended if the source domain controller has only one drive. Export is recommended for VMs with more than one drive or other complex virtualized hardware customizations like multiple NICs. If copying files manually, delete any snapshots prior to copying. If exporting the VM, delete snapshots prior to exporting or from the new VM after importing.
Critical: Snapshots are differencing disks that can return a domain controller to a previous state. If you were to clone a domain controller and then restore its pre-cloning snapshot, you would end up with duplicate domain controllers in the forest. There is no value in prior snapshots on a newly cloned domain controller. Once cloned, the source domain controller can create a new snapshot.
Figure 37
Figure 38
You can then manually copy the VHD or VHDX files using Windows Explorer, Xcopy.exe, or Robocopy.exe. No special steps are required. It is a best practice to change the file names even if moving to another folder.
Note:
If copying between host computers on a LAN (1-Gbit or greater), the Xcopy.exe /J option copies VHD/VHDX files considerably faster than any other tool, at the cost of much greater bandwidth usage.
For example, you can return all IDE hard drives from a VM named DC2 with the following sample:
Figure 39
If the disk path points to an AVHD or AVHDX file, it is a snapshot. To delete the snapshots associated with a disk and merge in the real VHD or VHDX, use cmdlets:
Get-VMSnapshot
Remove-VMSnapshot
To copy the files using Windows PowerShell, use the following cmdlet:
Copy-Item
Combine with VM cmdlets in pipelines to aid automation. The pipeline is a channel used between multiple cmdlets to pass data. For example, to copy the drive of an offline source domain controller named DC2-SOURCECLONE to a new disk called c:\temp\copy.vhd without the need to know the exact path to its system drive:
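The following is an added example (not the guide's own sample) of that pipeline: it lists the IDE hard drives of DC2-SOURCECLONE, stops if any path is still an AVHD/AVHDX snapshot or the VM is not powered off, and copies the boot disk to c:\temp\copy.vhd without knowing its path in advance. It assumes the system disk sits on IDE controller 0, location 0, and that the Hyper-V module is loaded.

```powershell
# Added example (not from the guide): copy the system disk of the offline source DC
# DC2-SOURCECLONE to c:\temp\copy.vhd without knowing the disk path in advance.
$vmName      = 'DC2-SOURCECLONE'
$destination = 'c:\temp\copy.vhd'

# Cloning must start from a shut-down source; refuse to copy a running VM's disk.
$vm = Get-VM -Name $vmName
if ($vm.State -ne 'Off') {
    throw "$vmName is $($vm.State); shut it down before copying its disks."
}

# Enumerate the IDE hard drives (the same query the guide describes for DC2).
$disks = Get-VMHardDiskDrive -VMName $vmName -ControllerType IDE
$disks | Format-Table ControllerNumber, ControllerLocation, Path -AutoSize

# An .avhd/.avhdx path means the VM still has snapshots. The guide says to delete them
# (merging the differencing chain) before copying, so stop instead of copying a chain.
$snapshotDisks = $disks | Where-Object { $_.Path -match '\.avhdx?$' }
if ($snapshotDisks) {
    Get-VMSnapshot -VMName $vmName | Format-Table Name, CreationTime -AutoSize
    throw "Snapshots are attached to $vmName; run 'Get-VMSnapshot -VMName $vmName | Remove-VMSnapshot', wait for the merge, then retry."
}

# Assumption: the boot disk is on IDE controller 0, location 0.
$systemDisk = $disks | Where-Object { $_.ControllerNumber -eq 0 -and $_.ControllerLocation -eq 0 }
if (-not $systemDisk) {
    throw "No hard disk found on IDE 0:0 of $vmName."
}

# Copy under a new file name, as the guide recommends even when moving folders.
Copy-Item -Path $systemDisk.Path -Destination $destination
Get-Item -Path $destination | Format-List FullName, Length
```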
Important:
You cannot use pass-through disks with VDC cloning, as they do not use a virtual disk file but instead an actual hard disk.
More Information:
For more information about more Windows PowerShell operations with pipelines, see Piping and the Pipeline in Windows PowerShell http://technet.microsoft.com/en-us/library/ee176927.aspx
Exporting the VM
As an alternative to copying the disks, you can export the entire Hyper-V VM as a copy. Exporting automatically creates a folder named for the VM and containing all disks and configuration information.
Figure 40
Figure 41
Figure 42
Figure 43
Figure 44
This allows you complete control over the process. For instance, the drive can be mounted with a specific drive letter, the file copied, and the drive dismounted.
mount-vhd <disk path> -passthru -nodriveletter | get-disk | get-partition | get-volume | get-partition | Add-PartitionAccessPath -accesspath <drive letter>
copy-item <xml file path> <destination path>\dccloneconfig.xml
dismount-vhd <disk path>
For example:
Figure 45
Figure 46
1. Create a new virtual machine.
2. Specify the VM name, memory, and network.
3. On the Connect Virtual Hard Disk page, specify the copied system disk.
4. Complete the wizard to create the VM.
If there were multiple disks, NICs, or other customizations, configure them before starting the domain controller. The "Export-Import" method of copying disks is recommended for complex VMs.
For example, here the DC4-CLONEDFROMDC2 VM is created, using 1GB of RAM, booting from the c:\vm\dc4-systemdrive-clonedfromdc2.vhd file, and using the 10.0 virtual network:
Figure 47
Import VM
If you previously exported your VM, you now need to import it back in as a copy. This uses the exported XML to recreate the computer using all the previous settings, drives, networks, and memory settings.
Important: It is important to use the Copy option, as export preserves all information from the source; importing the server with Move or In Place causes information collision if done on the same Hyper-V host server.
Figure 48
Figure 49
Figure 50
Remember to remove any imported snapshots, using the Hyper-V Management snap-in:
Figure 51
Critical:
Deleting any imported snapshots is critically important; if applied, they would return the cloned domain controller to the state of a previous - and possibly live - DC, leading to replication failure, duplicate IP information, and other disruptions.
For example, here the exported VM DC2-CLONED is imported using its automatically determined XML file, then renamed immediately to its new VM name DC5CLONEDFROMDC2:
Figure 52
For example:
Figure 53
Critical:
Deleting any imported snapshots is critical; if applied, they would return the cloned domain controller to the state of a previous - and possibly live - DC, leading to replication failure, duplicate IP information, and other disruptions.
Figure 54
If using Windows PowerShell to start a VM, the new Hyper-V Module cmdlet is:
Start-VM
For example:
Figure 55
Once the computer restarts after cloning completes, it is a domain controller and you can log on normally to confirm normal operation. If there are any errors, the server boots into DS Restore Mode for investigation. See the Troubleshooting section below if that occurs.
While the troubleshooting section covers these scenarios, details below ensure you do not create a dangerous topology.
Simultaneous Restore
Do not restore all domain controllers in a single domain simultaneously. If all snapshots restore at once, AD replication works normally but SYSVOL replication halts. The restore architecture of FRS and DFSR requires setting their replica instance to non-authoritative sync mode. If all domain controllers restore at once, and each domain controller marks itself non-authoritative for SYSVOL, they all then try to synchronize group policies and scripts from an authoritative partner; at that point, though, all partners are also non-authoritative.
Important: If all domain controllers are restored at once, use the following articles to set one domain controller - typically the PDC emulator - as authoritative, so that the other domain controllers can return to normal operation:
Using the BurFlags registry key to reinitialize File Replication Service replica sets - http://support.microsoft.com/kb/290762
How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS) - http://support.microsoft.com/kb/2218556
Warning:
Do not run all domain controllers in a forest or domain on the same hypervisor host. That introduces a single point of failure that cripples AD DS, Exchange, SQL, and other enterprise operations each time the hypervisor goes offline. This is no different from using only one domain controller for an entire domain or forest. Multiple domain controllers on multiple platforms are simple prudence in a modern IT environment, just like fire and flood insurance.
Post-Snapshot Replication
Do not restore snapshots until all locally originating changes made since snapshot creation have replicated outbound. Any original changes are lost forever if other domain controllers did not already receive them through replication. Use Repadmin.exe to show any un-replicated outbound changes between a domain controller and its partners:
1. Return the DC's partner names and DSA Object GUIDs with:
Repadmin.exe /showrepl <DC Name of the partner> /repsto
2. Return the pending inbound replication of the partner domain controller to the domain controller to be restored:
Repadmin.exe /showchanges <Name of partner DC> <DSA Object GUID of the domain controller being restored> <naming context to compare>
For example (with output modified for readability), here you look at the replication partnerships of DC4:
C:\>repadmin.exe /showrepl dc4.corp.contoso.com /repsto
Default-First-Site-Name\DC4
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 5d083398-4bd3-48a4-a80d-fb2ebafb984f
DSA invocationID: 730fafec-b6d4-4911-88f2-5b64e48fc2f1

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

DC=corp,DC=contoso,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: f62978a8-fcf7-40b5-ac00-40aa9c4f5ad3
        Last attempt @ 2011-11-11 15:04:12 was successful.
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 3019137e-d223-4b62-baaa-e241a0c46a11
        Last attempt @ 2011-11-11 15:04:15 was successful.
Now you know that it is replicating with DC2 and DC3. You then show the list of changes that DC2 states it still does not have from DC4, and see that there is one new group:
C:\>repadmin /showchanges dc2.corp.contoso.com 5d083398-4bd3-48a4-a80d-fb2ebafb984f dc=corp,dc=contoso,dc=com

==== SOURCE DSA: (null) ====
Objects returned: 1
(0) add CN=newgroup4,CN=Users,DC=corp,DC=contoso,DC=com
    1> parentGUID: 55fc995a-04f4-4774-b076-d6a48ac1af99
    1> objectGUID: 96b848a2-df1d-433c-a645-956cfbf44086
    2> objectClass: top; group
    1> instanceType: 0x4 = ( WRITE )
    1> whenCreated: 11/11/2011 3:03:57 PM Eastern Standard Time
You would also test the other partner to ensure that it had not already replicated. Alternatively, if you did not care which objects had not replicated and only whether any objects were outstanding, you can use the /statistics option:
C:\>repadmin /showchanges dc2.corp.contoso.com 5d083398-4bd3-48a4-a80d-fb2ebafb984f dc=corp,dc=contoso,dc=com /statistics

***********************************************
********* Grand total *************************
Packets:              1
Objects:              1
Object Additions:     1
Object Modifications: 0
Object Deletions:     0
Object Moves:         0
Attributes:           12
Values:               13
Important:
Test all writable partners if you see any failures or outstanding replication. As long as at least one is converged, it is generally safe to restore the snapshot, as transitive replication eventually reconciles the other servers. Be sure to note any errors in replication shown by /showchanges as well and do not proceed until they are fixed.
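As an added example (not from the guide), the following script applies the check described above to every writable partner before a snapshot of DC4 is restored: it runs the same /showchanges /statistics query per partner, parses the "Objects:" total, treats a failed repadmin call as blocking, and reports whether at least one partner is converged. The partner names and DSA object GUID are the values from the guide's output and are assumptions for your forest; the embedded sample output is constructed from the guide's example so the parser can be exercised offline.

```powershell
# Added example (not from the guide): before restoring a snapshot of DC4, confirm that every
# writable partner already holds all of DC4's outbound changes. Partner names and the DSA
# object GUID below come from the guide's repadmin output; adjust them for your forest.
$restoredDcGuid = '5d083398-4bd3-48a4-a80d-fb2ebafb984f'           # DSA object GUID of DC4
$partners       = 'dc2.corp.contoso.com', 'dc3.corp.contoso.com'
$namingContext  = 'dc=corp,dc=contoso,dc=com'

function Get-OutstandingObjectCount {
    # Parses the "Grand total" block of 'repadmin /showchanges ... /statistics' and returns
    # the number of objects the partner still lacks. Returns -1 when no "Objects:" line is
    # present (for example repadmin could not bind), which must also block the restore.
    param([string[]]$RepadminOutput)
    $match = $RepadminOutput | Select-String -Pattern '^\s*Objects:\s+(\d+)' | Select-Object -First 1
    if (-not $match) { return -1 }
    return [int]$match.Matches[0].Groups[1].Value
}

function Test-PartnerConverged {
    # Runs the same /showchanges /statistics query the guide shows, once per partner.
    param([string]$Partner)
    $output = & repadmin.exe /showchanges $Partner $restoredDcGuid $namingContext /statistics 2>&1 |
              ForEach-Object { $_.ToString() }
    $count = Get-OutstandingObjectCount -RepadminOutput $output
    [pscustomobject]@{ Partner = $Partner; OutstandingObjects = $count; Converged = ($count -eq 0) }
}

# Constructed sample, copied from the guide's /statistics output, so the parser can be
# exercised without a live forest: one object (the new group) is still outstanding on DC2.
$sampleOutput = @(
    '********* Grand total *************************',
    'Packets: 1',
    'Objects: 1',
    'Object Additions: 1',
    'Object Modifications: 0'
)
"Sample parse: $(Get-OutstandingObjectCount -RepadminOutput $sampleOutput) outstanding object(s) on DC2"

$results = $partners | ForEach-Object { Test-PartnerConverged -Partner $_ }
$results | Format-Table -AutoSize

# The guide's rule: no repadmin failures, and at least one converged writable partner;
# transitive replication then reconciles the rest.
if ($results.OutstandingObjects -contains -1) {
    throw 'repadmin failed against at least one partner; fix replication before restoring.'
}
elseif ($results.Converged -contains $true) {
    'At least one partner is converged; restoring the snapshot is generally safe.'
}
else {
    'No partner has all outbound changes from DC4; do not restore the snapshot yet.'
}
```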
Further Recommendations
VDC safe restore requires administrative responsibility; you can still configure virtualized domain controllers in ways that prevent use of safe restore. Review the following best practices to ensure reliable operation.
- Do not use snapshots in lieu of frequent system state backups and the AD Recycle Bin. A snapshot does not preserve changes originating from the DC; it merely prevents replication quarantine. Objects created, modified, or deleted since the snapshot are lost forever if they were not successfully replicated outbound before the restore.
- Safe restore is a safeguard for administrators when used in production, so that restoring a snapshot does not instantly quarantine domain controllers or introduce lingering objects. This is a very real risk in previous virtualization environments, where the hypervisor administrators may not have deep knowledge of domain administration or multimaster replication technologies. Limit intentional use of snapshots on domain controllers to test environments whenever possible.
- Do not restore snapshots of a VM from before it was a domain controller. Once promoted to a DC, you must delete all previous snapshots immediately. If a snapshot restores to when a domain controller was a member server and there are no later domain controller snapshots, you must either re-promote the domain controller and re-attach it to its existing computer account, or perform metadata cleanup of the domain controller and then re-promote it.
- Domain controllers should not point to themselves for primary DNS. While Microsoft has been stating this in Best Practices Analyzer tools and online documentation for years, many customers still believe otherwise. If a domain controller points to itself for DNS and restores to a point in time where it did not have knowledge of other domain controllers, or where the current domain controllers did not exist, it cannot source from them. Because the domain controller points to a responsive DNS service, it will not try other servers. This is especially likely when restoring the oldest domain controller in a forest root domain, which may have no knowledge of any domain controller but itself in a very old snapshot.
- Do not host all virtual domain controllers on a single hypervisor; this introduces a single point of failure in the AD DS environment, even when clustered.
Troubleshooting
Introduction
The most important way to improve your troubleshooting skills is to build a test lab and rigorously examine normal, working scenarios. If you then encounter errors, they are more obvious and more easily understood, because you have a solid foundation in how domain controller promotion works. This also allows you to build your analysis and network analysis skills. This goes for all distributed systems technologies, not just VDC deployment. The lab does not even have to be in the office - Microsoft provides reasonably priced TechNet subscriptions that allow anyone to run any software without time limits. With free virtualization the norm, it is easy to configure any test environment you need.
More Information: For more information about TechNet subscriptions, see: http://technet.microsoft.com/en-us/subscriptions/default.aspx
The critical elements to advanced troubleshooting of domain controller configuration are:
1. Linear analysis combined with focus and attention to detail.
2. Understanding network capture analysis.
3. Understanding the built-in logs.
To solve the most complex domain controller promotion issues, you must master all three. The first and second are beyond the scope of this guide, but the third can be explained in some detail. Virtualized domain controller troubleshooting requires a logical and linear method. The key is to approach the issue using the data provided and only resort to complex tools and analysis when you have exhausted the provided output and logging.
Figure 56
b. If the domain controller is advertising, treat the issue as any normal post-promotion issue you would have without cloning.
c. If the domain controller is not advertising, examine the Directory Services, System, Application, File Replication and DFS Replication event logs for post-promotion errors.
Important:
Contact Microsoft Beta Product Support when you have exhausted these avenues.
29248 Microsoft-Windows-DirectoryServices-DSROLE-Server Error Virtual domain controller cloning failed to obtain Winlogon Notification. The returned error code is %1 (%2). For more information on this error, please review %systemroot%\debug\dcpromo.log for errors that correspond to the virtual domain controller cloning attempt. Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030 Contact Microsoft Beta Product Support
65
29249 Microsoft-Windows-DirectoryServices-DSROLE-Server Error Virtual domain controller cloning failed to parse virtual domain controller configuration file. The returned HRESULT code is %1. The configuration file is:%2 Please fix the errors in the configuration file and retry the cloning operation. For more information about this error, please see %systemroot%\debug\dcpromo.log. Details on virtual domain controller clone configuration file can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Examine the dclconeconfig.xml file for syntax errors using an XML editor and the DCCloneConfigSchema.xsd schema file.
29250 Microsoft-Windows-DirectoryServices-DSROLE-Server Error Virtual domain controller cloning failed. There are software, services, or tasks currently enabled on the cloned machine that are not present in the allowed application list for virtual domain controller cloning. The cloning operation cannot be completed if there are non-cloneable applications installed. Please run Active Directory Powershell Cmdlet GetADDCCloningExcludedApplicationList to check which applications are installed on the cloned machine, but not included in the allow list, and add them to the allow list if they are compatible with virtual domain controller cloning. If any of these applications are not compatible with virtual domain controller cloning, please uninstall them before re-trying the cloning operation. The virtual domain controller cloning process searches for the allowed application list file, CustomDCCloneAllowList.xml, based on the following search order; the first file found is used and all others are ignored: 1. The registry value name: HKey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters\ AllowListFolder 2. The same directory where the DSA Working Directory folder resides 3. %windir%\NTDS 4. Removable read/write media in order of drive letter at the root of the drive Details on virtual domain controller clone allow list can be found at http://go.microsoft.com/fwlink/?LinkId=208030
66
Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta
29251 Microsoft-Windows-DirectoryServices-DSROLE-Server Error Virtual domain controller cloning failed to reset the IP addresses of the clone machine. The returned error code is %1 (%2). This error might be caused by misconfiguration in network configuration sections in the virtual domain controller configuration file. Please see %systemroot%\debug\dcpromo.log for more information about errors that correspond to IP addresses resetting during virtual domain controller cloning attempts. Details on resetting machine IP addresses on the cloned machine can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Verify the IP information set in the dccloneconfig.xml is valid and does not duplicate the original source machine.
29253 Microsoft-Windows-DirectoryServices-DSROLE-Server Error Virtual domain controller cloning failed. The clone domain controller was unable to locate the primary domain controller (PDC) operations master in the cloned computer's home domain of the cloned machine. The returned error code is %1 (%2). Please verify that the primary domain controller in the home domain of the cloned machine is assigned to a live domain controller, is online, and is operational. Verify that the cloned machine has LDAP/RPC connectivity to the primary domain controller over the required ports and protocols. Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Validate the cloned domain controller IP and DNS information is set. Use Dcdiag.exe /test:locatorcheck to validate if the PDCE is online, use Nltest.exe /server:<PDCE> /dclist:<domain> to valid RPC, obtain a network capture from the PDCE while cloning fails and analyze the traffic.
29254 Microsoft-Windows-DirectoryServices-DSROLE-Server Error Virtual domain controller cloning failed to bind to the primary domain controller %1. The returned error code is %2 (%3). Please verify that the primary domain controller %1 is online and is operational. Verify
67
that the cloned machine has LDAP/RPC connectivity to the primary domain controller over the required ports and protocols. Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030 Notes and resolution Validate the cloned domain controller IP and DNS information is set. Use Dcdiag.exe /test:locatorcheck to validate if the PDCE is online, use Nltest.exe /server:<PDCE> /dclist:<domain> to valid RPC, obtain a network capture from the PDCE while cloning fails and analyze the traffic.
29255 Microsoft-Windows-DirectoryServices-DSROLE-Server Error Virtual domain controller cloning failed. An attempt to create objects on the primary domain controller %1 required for the image being cloned returned error %2 (%3). Please check for related events in the Directory Service event log on primary domain controller %1. Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Lookup the specific error in MS TechNet, MS Knowledgebase, and MS blogs to determine its typical meaning, and then troubleshoot based on those results.
29256 Microsoft-Windows-DirectoryServices-DSROLE-Server Error An attempt to set the Boot into Directory Services Restore Mode flag failed with error code %1. Please see %systemroot%\debug\dcpromo.log for more information about errors. Examine the Directory Services log and dcpromo.log for details. Examine Application and System event logs. Investigate third party application that may be blocking privilege usage.
29257 Microsoft-Windows-DirectoryServices-DSROLE-Server Error Virtual domain controller cloning has done. An attempt to reboot the machine failed with error code %1. Please reboot the machine to finish the cloning operation.
68
Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta
Examine the Directory Services log for details. Examine Application and System event logs. Investigate third party application that may be blocking privilege usage.
Event ID: 29264
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: An attempt to clear the Boot into Directory Services Restore Mode flag failed with error code %1. Please see %systemroot%\debug\dcpromo.log for more information about errors.
Notes and resolution: Examine the Directory Services log and dcpromo.log for details. Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege usage.

Event ID: 29265
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Informational
Message: Virtual domain controller cloning succeeded. The virtual domain controller cloning configuration file %1 has been renamed to %2.
Notes and resolution: N/A, this is a success event.

Event ID: 29266
Source: Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity: Error
Message: Virtual domain controller cloning succeeded. The attempt to rename virtual domain controller cloning configuration file %1 failed with error code %2 (%3).
Notes and resolution: Manually rename the dccloneconfig.xml file.
Event ID: 2161
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: The local <COMPUTERNAME> did not find the virtual domain controller cloning configuration file. The local machine is not a cloned DC.
Notes and resolution: This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.

Event ID: 2162
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Virtual domain controller cloning failed. Please check events logged in System event logs and %systemroot%\debug\dcpromo.log for more information on errors that correspond to the virtual domain controller cloning attempt. Error code: %1
Notes and resolution: Follow the message instructions; this error is a catch-all.
Event ID: 2163
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: DsRoleSvc service was started to clone the local virtual domain controller.
Notes and resolution: This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.
Event ID: 2164
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to start the DsRoleSvc service to clone the local virtual domain controller. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution: Examine the service settings for the DS Role Server service (DsRoleSvc) and ensure its start type is set to Manual. Validate that no third-party program is preventing the start of this service.

Event ID: 2165
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to start a thread during the cloning of the local virtual domain controller. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information. Error code:%1 Error message:%2 Thread name:%3
Notes and resolution: Contact Microsoft Beta Product Support.

Event ID: 2166
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> needs RPCSS service to initiate rebooting into DSRM. Waiting for RPCSS to initialize into a running state failed. Error code:%1
Notes and resolution: Examine the System event log and the service settings for the RPC Server service (Rpcss).
Event ID: 2167
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> could not initialize virtual domain controller knowledge. See previous event log entry for details. Additional Data Failure code:%1

Event ID: 2168
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: The DC is running on a supported hypervisor. VM Generation ID is detected. Current value of VM Generation ID: %1

Event ID: 2169
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: There is no VM Generation ID detected. The DC is hosted on a physical machine, a down-level version of Hyper-V, or a hypervisor that does not support the VM Generation ID. Additional Data Failure code returned when checking VM Generation ID:%1
Notes and resolution: This is a success event if not intending to clone. Otherwise, examine the System event log and review the hypervisor product's VDC support documentation.
Event ID: 2170
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: A Generation ID change has been detected. Generation ID cached in DS (old value):%1 Generation ID currently in VM (new value):%2 The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. <COMPUTERNAME> will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.
Notes and resolution: This is a success event if intending to clone. Otherwise, examine the System event log.
Event ID: 2171
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: No Generation ID change has been detected. Generation ID cached in DS (old value):%1 Generation ID currently in VM (new value):%2
Notes and resolution: This is a success event if not intending to clone, and should be seen at every reboot of a virtualized DC. Otherwise, examine the System event log.

Event ID: 2172
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Read the msDS-GenerationId attribute of the Domain Controller's computer object. msDS-GenerationId attribute value:%1
Notes and resolution: This is a success event if intending to clone. Otherwise, examine the System event log.
Event ID: 2173
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Failed to read the msDS-GenerationId attribute of the Domain Controller's computer object. This may be caused by database transaction failure, or the generation id does not exist in the local database. The msDS-GenerationId does not exist during the first reboot after dcpromo or the DC is not a virtual domain controller. Additional Data Failure code:%1
Notes and resolution: This is a success event if intending to clone and it is the first VM reboot after cloning has completed. It can also be ignored on non-virtual domain controllers. Otherwise, examine the System event log.
Event ID: 2174
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: The DC is neither a virtual domain controller clone nor a restored virtual domain controller snapshot.
Notes and resolution: This is a success event if not intending to clone. Otherwise, examine the System event log.

Event ID: 2175
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Virtual domain controller clone configuration file exists on an unsupported platform.
Notes and resolution: This is a success event if not intending to clone. Otherwise, examine the System event log.

Event ID: 2176
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Renamed virtual domain controller clone configuration file. Additional Data Old file name:%1 New file name:%2
Notes and resolution: The rename is expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone.
Event ID: 2177
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Renaming virtual domain controller clone configuration file failed. Additional Data File name:%1 Failure code:%2 %3
Notes and resolution: The rename attempt is expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone. Manually rename the file and investigate installed third-party products that may be preventing the file rename.
Event ID: 2178
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Detected virtual domain controller clone configuration file, but VM Generation ID has not been changed. The local DC is the clone source DC. Rename the clone configuration file.
Notes and resolution: Expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone.

Event ID: 2179
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: The msDS-GenerationId attribute of the Domain Controller's computer object has been set to the following parameter: GenerationID attribute:%1
Notes and resolution: This is a success event and only an issue if unexpected.

Event ID: 2180
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Warning
Message: Failed to set the msDS-GenerationId attribute of the Domain Controller's computer object. Additional Data Failure code:%1
Notes and resolution: Examine the System event log and Dcpromo.log. Look up the specific error in MS TechNet, the MS Knowledge Base, and MS blogs to determine its usual meaning, and then troubleshoot based on those results.
Event ID: 2182
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Internal event: The Directory Service has been asked to clone a remote DSA:
Notes and resolution: This is a success event and only an issue if unexpected.

Event ID: 2183
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: Internal event: <COMPUTERNAME> completed the request to clone the remote Directory System Agent. Original DC name:%3 Request clone DC name:%4 Request clone DC site:%5 Additional Data Error value:%1 %2

Event ID: 2184
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to create a domain controller account for the cloned DC. Original DC name:%1 Allowed number of cloned DC:%2 The limit on the number of domain controller accounts that can be generated by cloning <COMPUTERNAME> was exceeded. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution: Based on the automatic naming convention, a single source domain controller name can generate at most 9999 clone names if the cloned domain controllers are not demoted. Use the <computername> element in the XML to generate a new unique name or clone from a
Event ID: 2191
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: <COMPUTERNAME> set the following registry value to disable DNS updates. Registry Key:%1 Registry Value: %2 Registry Value data: %3 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

Event ID: 2192
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to set the following registry value to disable DNS updates. Registry Key:%1 Registry Value: %2 Registry Value data: %3 Error code:%4 Error message:%5 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.
Notes and resolution: Examine the Application and System event logs. Investigate third-party applications that may be blocking registry updates.
Event ID: 2193
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: <COMPUTERNAME> set the following registry value to enable DNS updates. Registry Key:%1 Registry Value: %2 Registry Value data: %3 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.

Event ID: 2194
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to set the following registry value to enable DNS updates. Registry Key:%1 Registry Value: %2 Registry Value data: %3 Error code:%4 Error message:%5 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.
Notes and resolution: Examine the Application and System event logs. Investigate third-party applications that may be blocking registry updates.

Event ID: 2195
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Failed to set DSRM boot. Error code:%1 Error message:%2 When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Setting DSRM boot failed.
Notes and resolution: Examine the Application and System event logs. Investigate third-party applications that may be blocking registry updates.
Event ID: 2196
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Failed to enable shutdown privilege. Error code:%1 Error message:%2 When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Enabling shutdown privilege failed.
Notes and resolution: Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege usage.

Event ID: 2197
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Failed to initiate system shutdown. Error code:%1 Error message:%2 When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Initiating system shutdown failed.
Notes and resolution: Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege usage.
Event ID: 2198
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to create or modify the following cloned DC object. Additional data: Object: %1 Error value: %2 %3
Notes and resolution: Look up the specific error in MS TechNet, the MS Knowledge Base, and MS blogs to determine its usual meaning, and then troubleshoot based on those results.

Event ID: 2199
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: <COMPUTERNAME> failed to create the following cloned DC object because the object already exists. Additional data: Source DC: %1 Object: %2
Notes and resolution: Validate that the dccloneconfig.xml did not specify an existing domain controller and that copies of the dccloneconfig.xml have not been used on multiple clones without editing the name. If the collision is still unexpected, determine which administrator promoted the existing domain controller and discuss with them whether it should be demoted, its metadata cleaned, or whether the VDC clone should use a different name.

Event ID: 2203
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Last virtual domain controller cloning failed. This is the first reboot since then so this should be a re-try of the cloning. However, neither virtual domain controller clone configuration file exists nor virtual machine generation ID change is detected. Boot into DSRM. Last virtual domain controller cloning failed:%1 Virtual domain controller clone configuration file exists:%2 Virtual machine generation ID change is detected:%3
Notes and resolution: Expected if cloning failed previously due to a missing or invalid dccloneconfig.xml.
Error Messages
There are no direct interactive errors for failed VDC cloning; all cloning information is logged in the System and Directory Services event logs, and the domain controller promotion steps are logged in dcpromo.log. However, if the server boots into Directory Services Restore Mode, treat that as the "interactive error" and investigate immediately, because promotion or cloning failed.
The dcpromo.log contains cloning-specific errors only as they pertain to the actual promotion process. Otherwise, its entries are ordinary domain controller promotion errors, the same ones you would see on non-virtual or non-cloned domain controllers.
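The following script is an added example for this section and the event tables above; it is not part of this guide or of the Windows tooling. It collects the cloning events from the two logs the text names, in the order they were logged, flags the IDs the tables treat as failures, and then runs the quick checks the notes recommend (DsRoleSvc start type, whether dccloneconfig.xml is still present, whether the machine is flagged to boot into DSRM) before tailing dcpromo.log. It assumes an elevated PowerShell session on the clone, that the DSROLE-Server events are read from the System log and the ActiveDirectory_DomainService events from the Directory Service log, and that the failure/progress split of IDs below is the one the tables give.

```powershell
# Added example (not part of the guide): VDC cloning triage on the clone.
# Assumptions: elevated session on the clone; event IDs and log names as in
# the tables above; bcdedit.exe and the DS Role Server service are present.

# IDs the tables describe as failures (everything else in 2161-2203 is progress).
$failureIds       = 2162, 2164, 2165, 2166, 2167, 2175, 2177, 2180, 2184,
                    2192, 2194, 2195, 2196, 2197, 2198, 2199, 2203
$dsRoleFailureIds = 29255, 29256, 29257, 29264, 29266

function Get-VdcCloningEvent {
    param([datetime] $Since = (Get-Date).AddDays(-1))

    # Filter on provider and time (keeps the generated XPath short), then on ID.
    $ds = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        StartTime    = $Since } | Where-Object { $_.Id -ge 2161 -and $_.Id -le 2203 }

    $sys = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DirectoryServices-DSROLE-Server'
        StartTime    = $Since }

    @($ds) + @($sys) | Where-Object { $_ } | Sort-Object TimeCreated | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Source  = $_.ProviderName.Replace('Microsoft-Windows-', '')
            Failure = ($failureIds -contains $_.Id) -or ($dsRoleFailureIds -contains $_.Id)
            Message = ($_.Message -split "`r?`n")[0]    # first line only
        }
    }
}

function Test-VdcCloneState {
    # Checks from the notes: DsRoleSvc must be Manual (event 2164); the config
    # file should have been renamed on success (2176/2177, 29265/29266); a
    # DSRM boot flag means cloning or promotion failed (2195, 29256).
    $svc  = Get-WmiObject Win32_Service -Filter "Name='DsRoleSvc'"
    $ntds = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Working Directory'
    $roots = @($ntds) + (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
    $configFiles = foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter 'dccloneconfig*.xml' -ErrorAction SilentlyContinue
    }
    $bootsIntoDsrm = (& bcdedit.exe /enum '{current}' | Out-String) -match 'safeboot\s+DsRepair'
    [pscustomobject]@{
        DsRoleSvcStartMode = $svc.StartMode                                   # expect 'Manual'
        CloneConfigFiles   = @($configFiles | ForEach-Object { $_.FullName }) # unrenamed file = cloning never ran
        BootsIntoDsrm      = $bootsIntoDsrm
    }
}

Get-VdcCloningEvent | Format-Table -AutoSize
Test-VdcCloneState

# Promotion-side errors live in dcpromo.log; show the last lines about cloning or failures.
Get-Content "$env:SystemRoot\debug\dcpromo.log" -ErrorAction SilentlyContinue |
    Select-String -Pattern 'clon|fail|error' | Select-Object -Last 20
```

Read the event list top to bottom: a healthy clone shows 2191, 2172, 2170, 2163 and finally 2179/2173 with no Failure rows, and Test-VdcCloneState reports a Manual start mode, no remaining dccloneconfig.xml and BootsIntoDsrm false. A 2164 with an Automatic or Disabled start mode, or a leftover dccloneconfig.xml with no 2163, points straight at the service configuration; a true BootsIntoDsrm with 2162 or 29255 sends you to dcpromo.log and the PDCE.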
Issue: Metadata cleanup of a cloned RODC generates "access is denied" errors on the original RODC when attempting to log on.
Symptoms: After cloning an RODC and later deciding to remove it through metadata cleanup, where you force-reset the passwords of all cached users and computers, you can no longer log on to the original source RODC used for cloning. Attempts to log on to the source RODC always return "access is denied" or "bad username or password". Any further clones made from that source RODC always show the error "The trust relationship between this workstation and the primary domain failed" at logon.
Resolution: To prevent the issue, always gracefully demote cloned RODCs using Server Manager or the ADDSDeployment Windows PowerShell module, and do not force their demotion. If you are already experiencing the issue, forcibly demote both the source and the cloned RODC, clean their metadata, and then promote the source RODC computer again as an RODC. Because RODCs cannot originate local changes, there is no data loss in this scenario. This is fixed in later releases of Windows Server "8".
Issue: Duplicate IP addresses when using DHCP to clone.
Symptoms: After successfully cloning a DC that uses DHCP, the first boot of the clone takes a DHCP lease. When the server is then renamed and restarted as a DC, it takes a second DHCP lease. The first IP address is not released, leaving a "phantom" lease.
Resolution: Manually delete the unused address lease in DHCP, or allow it to expire normally.
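As an added example (not from this guide), the cleanup can be scripted against the DHCP server instead of done in the console. The phantom is the lease registered while the clone still carried the source DC's name, so the script keeps any address that the source or the clone currently resolves to and removes only leases under the source's name that belong to neither. It assumes the DhcpServer PowerShell module of the Windows Server 2012 family is installed, that Resolve-DnsName is available, and uses DHCP1, DC1, DC1-CL0001 and the 10.0.0.0 scope as hypothetical names.

```powershell
# Added example (not part of the guide): remove the phantom lease left by the
# clone's first boot. Assumptions: DhcpServer module installed; DHCP1, DC1,
# DC1-CL0001 and 10.0.0.0 are hypothetical names.
Import-Module DhcpServer

function Remove-VdcPhantomLease {
    param(
        [Parameter(Mandatory)] [string] $DhcpServer,
        [Parameter(Mandatory)] [string] $ScopeId,
        [Parameter(Mandatory)] [string] $SourceDc,
        [Parameter(Mandatory)] [string] $CloneDc,
        [switch] $WhatIf
    )
    $leases = Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId

    # Addresses that must survive: whatever the source and the clone resolve to right now.
    $keep = foreach ($name in $SourceDc, $CloneDc) {
        Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
            ForEach-Object { $_.IPAddress }
    }

    # The phantom: a lease still registered under the source DC's host name
    # (with or without DNS suffix) whose address neither machine uses.
    $phantoms = $leases | Where-Object {
        $hostName = [string]$_.HostName
        (($hostName -split '\.')[0] -ieq $SourceDc) -and
        (@($keep) -notcontains $_.IPAddress.ToString())
    }

    foreach ($lease in $phantoms) {
        if ($WhatIf) { "Would remove $($lease.IPAddress) ($($lease.HostName))"; continue }
        Remove-DhcpServerv4Lease -ComputerName $DhcpServer -IPAddress $lease.IPAddress
    }
    $phantoms
}

# Dry run first, then remove for real.
Remove-VdcPhantomLease -DhcpServer DHCP1 -ScopeId 10.0.0.0 -SourceDc DC1 -CloneDc DC1-CL0001 -WhatIf
Remove-VdcPhantomLease -DhcpServer DHCP1 -ScopeId 10.0.0.0 -SourceDc DC1 -CloneDc DC1-CL0001
```

Run the -WhatIf pass first and confirm exactly one address is listed; if the source DC itself is on DHCP its own lease resolves through DNS and is kept, so a second candidate means the name-to-address mapping is not what you expect and should be checked before deleting anything.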
Issue: Cloning an RODC fails when there is a pre-existing server object in the target AD site.
Symptoms: After cloning an RODC that already has a server object in the appropriate AD logical site (visible in DSSITE.MSC), cloning fails with Directory Services event 1168, "Internal error: An Active Directory Domain Services error has occurred. Additional Data Error value (decimal): -1073741823 Error value (hex): c0000001 Internal ID: 30017b3", and a second instance of the same event ID with "Additional Data Error value (decimal): 2 Error value (hex): 2 Internal ID: 7011658".
Resolution: To prevent the issue, remove the pre-existing server object for the RODC from the site by using DSSITE.MSC before cloning.
Issue: CustomDCCloneAllowList.xml does not support unpredictable service names.
Symptoms: When attempting to use a single CustomDCCloneAllowList.xml to clone a variety of domain controllers, you cannot proceed because of services that use unpredictable names, for example services that are Microsoft SQL Server instances.
Resolution: This is a design limitation of VDC and CustomDCCloneAllowList.xml. You cannot use a common CustomDCCloneAllowList.xml to clone domain controllers that have unpredictable service names. To work around this issue, always use the Get-ADDCCloningExcludedApplicationList Windows PowerShell cmdlet to help create CustomDCCloneAllowList.xml per server.
Issue: The PrintNotify service is always detected by Get-ADDCCloningExcludedApplicationList.
Symptoms: Even on a brand-new server with no programs or roles installed, the Get-ADDCCloningExcludedApplicationList cmdlet always detects the PrintNotify service. This service is not in the c:\windows\system32\DefaultDCCloneAllowList.XML allow list even though it is a standard service with no known VDC incompatibilities.
Resolution: To work around this issue, always use the Get-ADDCCloningExcludedApplicationList Windows PowerShell cmdlet to help create CustomDCCloneAllowList.xml per server. As a less-recommended alternative, grant yourself permissions to the c:\windows\system32\DefaultDCCloneAllowList.XML allow list file on the source domain controller and edit the allow list to also contain: <Allow> <Name>PrintNotify</Name> <Type>Service</Type> </Allow>
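The following script is an added example covering the two workarounds above (per-server allow lists for unpredictable service names, and the PrintNotify entry); it is not part of this guide or of the Windows tooling. It runs the cmdlet to see what this particular source DC has outside the default allow list, warns about anything that is not PrintNotify so that it gets a real clone-safety decision, generates the server's own CustomDCCloneAllowList.xml, and then adds an <Allow> entry idempotently so the same helper can maintain any allow list file. It assumes an elevated session on the source DC, that the -GenerateXml, -Path and -Force parameters are those of the released cmdlet, and that the allow list uses the <Allow><Name/><Type/></Allow> element layout shown above regardless of its root element or namespace.

```powershell
# Added example (not part of the guide): per-server allow list plus an
# idempotent PrintNotify entry. Assumptions: elevated session on the source DC;
# -GenerateXml/-Path/-Force as in the released cmdlet; <Allow> layout as above.
Import-Module ActiveDirectory

function Add-CloneAllowEntry {
    param([string] $Path, [string] $Name, [string] $Type = 'Service')
    [xml] $doc = Get-Content -Path $Path
    $root = $doc.DocumentElement
    # Already present? Compare the Name and Type children, namespace-agnostic.
    $present = $root.ChildNodes | Where-Object {
        $_.LocalName -eq 'Allow' -and
        $_.SelectSingleNode('*[local-name()="Name"]').InnerText -eq $Name -and
        $_.SelectSingleNode('*[local-name()="Type"]').InnerText -eq $Type
    }
    if ($present) { return $false }
    $allow = $doc.CreateElement('Allow', $root.NamespaceURI)
    foreach ($pair in @(@('Name', $Name), @('Type', $Type))) {
        $el = $doc.CreateElement($pair[0], $root.NamespaceURI)
        $el.InnerText = $pair[1]
        [void] $allow.AppendChild($el)
    }
    [void] $root.AppendChild($allow)
    $doc.Save($Path)
    return $true
}

$ntds = "$env:SystemRoot\NTDS"   # DSA working directory on a default install

# 1. What does this DC run that the default allow list does not cover?
$flagged = @(Get-ADDCCloningExcludedApplicationList)
$flagged | Format-Table Name, Type -AutoSize
$toReview = @($flagged | Where-Object { $_.Name -ne 'PrintNotify' })
if ($toReview.Count -gt 0) {
    $names = ($toReview | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Decide per item whether it is clone-safe before allowing it: $names"
}

# 2. Generate this server's own CustomDCCloneAllowList.xml (per server, as recommended).
Get-ADDCCloningExcludedApplicationList -GenerateXml -Path $ntds -Force
$allowList = Join-Path $ntds 'CustomDCCloneAllowList.xml'

# 3. Add PrintNotify explicitly (no-op if the cmdlet already wrote it), then confirm
#    nothing remains flagged before shutting the source down for cloning.
Add-CloneAllowEntry -Path $allowList -Name 'PrintNotify' -Type 'Service'
if (@(Get-ADDCCloningExcludedApplicationList).Count -eq 0) { 'Ready: no excluded applications remain.' }
```

Because -GenerateXml writes everything the cmdlet flagged into the allow list, step 1 is where the actual judgment happens: an allow list entry is a statement that the product tolerates being duplicated with a new machine identity, so an unfamiliar service should be removed from the source rather than allowed through.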
Issue: Cloning fails into DSRM after a very long delay.
Symptoms: Cloning appears to pause at "Domain controller cloning is at X% completion" for between 8 and 15 minutes. After this, cloning fails and the server boots into DSRM. The cloned computer cannot get a dynamic IP address from DHCP or SLAAC, or is using a duplicate IP address.
Resolution: The multiple retry attempts performed by cloning cause the delay. Resolve the networking issue to allow cloning.
Issue: Cloning does not recreate all service principal names.
Symptoms: If a set of three-part service principal names (SPNs) includes both a NetBIOS name with a port and an otherwise identical NetBIOS name without a port, the entry without the port is not recreated with the new computer name. For example:
customspn/DC1:200/app1 (recreated with the new computer name)
customspn/DC1/app1 (not recreated with the new computer name)
Fully qualified names are recreated, and SPNs with fewer than three parts are recreated regardless of ports. For example, these are all recreated successfully on the clone:
customspn/DC1:202
customspn/DC1
customspn/DC1.corp.contoso.com:202
customspn/DC1.corp.contoso.com
Resolution: This is a limitation of the domain controller rename process in Windows, not just of cloning; three-part SPNs are not handled by the renaming logic in any scenario. Most included Windows services are unaffected, as they recreate any missing SPNs as needed. Other applications may require manually entering the SPN to resolve the issue.
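As an added example (not from this guide), the manual fix can be made systematic: compare the source DC's SPNs with the clone's, derive what the clone should carry by substituting the host name, add whatever the rename logic skipped, and remove anything on the clone that still names the source. It assumes the ActiveDirectory module is available, that the caller can write servicePrincipalName on the clone's computer object, that HOST/ SPNs are left to Windows, and uses DC1 and DC1-CL0001 as hypothetical source and clone names.

```powershell
# Added example (not part of the guide): reconcile a clone's SPNs with its
# source. Assumptions: ActiveDirectory module present; write access to the
# clone's computer object; DC1 / DC1-CL0001 are hypothetical names.
Import-Module ActiveDirectory

function Rename-SpnHost {
    # customspn/DC1:200/app1 -> customspn/DC1-CL0001:200/app1; other hosts untouched.
    param([string] $Spn, [string] $OldHost, [string] $NewHost)
    $parts = $Spn -split '/'
    if ($parts.Count -lt 2) { return $Spn }
    # parts[1] is the host, optionally followed by :port and/or a DNS suffix.
    $parts[1] = $parts[1] -ireplace "^$([regex]::Escape($OldHost))(?=[:.]|$)", $NewHost
    return ($parts -join '/')
}

function Get-ClonedSpnDrift {
    param([string] $SourceDc, [string] $CloneDc)
    $src = @((Get-ADComputer $SourceDc -Properties servicePrincipalName).servicePrincipalName)
    $cln = @((Get-ADComputer $CloneDc  -Properties servicePrincipalName).servicePrincipalName)
    # Only SPNs that actually name the source are expected to reappear on the clone.
    $expected = $src | Where-Object { $_ -notlike 'HOST/*' } |
        ForEach-Object { Rename-SpnHost $_ $SourceDc $CloneDc } |
        Where-Object { $src -notcontains $_ } | Sort-Object -Unique
    [pscustomobject]@{
        Missing = @($expected | Where-Object { $cln -notcontains $_ })
        Stale   = @($cln | Where-Object { (Rename-SpnHost $_ $SourceDc $CloneDc) -ne $_ })
    }
}

function Repair-ClonedSpn {
    param([string] $SourceDc, [string] $CloneDc, [switch] $WhatIf)
    $drift   = Get-ClonedSpnDrift -SourceDc $SourceDc -CloneDc $CloneDc
    $cloneDn = (Get-ADComputer $CloneDc).DistinguishedName
    foreach ($spn in $drift.Missing) {
        # A duplicate SPN breaks Kerberos for both principals, so check before adding.
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
        if ($owner -and $owner.DistinguishedName -ne $cloneDn) {
            Write-Warning "Not adding ${spn}: already registered on $($owner.DistinguishedName)"
            continue
        }
        if ($WhatIf) { "Would add $spn to $CloneDc" }
        else { Set-ADComputer -Identity $CloneDc -ServicePrincipalNames @{ Add = $spn } }
    }
    foreach ($spn in $drift.Stale) {
        if ($WhatIf) { "Would remove $spn from $CloneDc" }
        else { Set-ADComputer -Identity $CloneDc -ServicePrincipalNames @{ Remove = $spn } }
    }
}

Repair-ClonedSpn -SourceDc DC1 -CloneDc DC1-CL0001 -WhatIf   # review, then rerun without -WhatIf
```

For the example above, the -WhatIf pass lists customspn/DC1-CL0001/app1 as missing while the port-qualified and fully qualified forms are already present; a stale entry that still reads customspn/DC1/app1 on the clone is reported for removal because it would register the source's name on a second account.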
Issue: Cloning fails and the clone boots into normal mode as a duplicate of the source DC.
Symptoms: A new clone boots up without cloning. The dccloneconfig.xml is not renamed and the server is not in DS Restore Mode. The Directory Services event log shows error 2164: "<COMPUTERNAME> failed to start the DsRoleSvc service to clone the local virtual domain controller. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information."
Resolution: Examine the service settings for the DS Role Server service (DsRoleSvc) and ensure its start type is set to Manual. Validate that no third-party program is preventing the start of this service.
Issue: Cloning succeeds, but SYSVOL is empty and does not replicate inbound or outbound.
Symptoms: A new clone appears to succeed. Later you notice that the SYSVOL and NETLOGON shares are empty, and no SYSVOL files replicate inbound or outbound. The source server was previously migrated from FRS to DFSR. The DFS Replication event log shows event 8028 and repeated 8010 events:
Event ID: 8028 Level: Error DFSR Migration was unable to transition to the 'PREPARED' state for Domain Controller <name>. DFSR will retry the next time it polls the Active Directory. To force an immediate retry, execute the command 'dfsrdiag /pollad'. Additional Information: Domain Controller: <name> Error: 2 The system cannot find the file specified
Event ID: 8010 Level: Informational DFSR has started preparing the Domain Controller %1 for migration. DFSR will now create the SYSVOL_DFSR folder, create objects in the local Active Directory and create DFSR member objects for the Domain Controller %1.
The DFSR debug log shows (the start of this excerpt is not present in the extracted text):
...specified.] + [Error:2(0x2) Migration::SysVolMigration::Prepare migration.cpp:1431 2096 W The system cannot find the file specified.] + [Error:2(0x2) Migration::SysVolMigration::CreateJunctionPointsForDfsrSysvolFolder migration.cpp:2637 2096 W The system cannot find the file specified.]
Resolution: The source domain controller used for cloning once participated in an FRS to DFSR SYSVOL migration (http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx). A known incompatibility in Windows Server "8" Beta VDC cloning prevents previously migrated servers from populating or replicating SYSVOL after cloning. To resolve the issue, forcibly demote the cloned domain controller and remove its metadata using NTDSUTIL.EXE or DSA.MSC. Choose a new Windows Server "8" Beta source domain controller that has not previously been migrated from FRS to DFSR. If there are no such domain controllers, promote a new Windows Server "8" Beta domain controller into the domain using Server Manager or the ADDSDeployment Windows PowerShell module, then use it as the source for cloning. Do not attempt to fix the issue based on the events or debug logs: there is a strong possibility that you will unintentionally delete all data from all other SYSVOL copies on all domain controllers in the domain. This issue will be resolved in versions later than Windows Server "8" Beta.
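Because the only safe fix is to pick a different source, the useful automation is a pre-clone screen. The following script is an added example (not from this guide) that asks every DC in the domain whether it went through dfsrmig before choosing one to clone. The test is a heuristic that the guide does not state: a DC that was migrated serves SYSVOL from %SystemRoot%\SYSVOL_DFSR (the path Netlogon records in its SysVol registry value), whereas a DC promoted directly onto DFSR uses %SystemRoot%\SYSVOL. It also assumes WinRM is enabled on the DCs (the default for the Windows Server 2012 family) and that the ActiveDirectory module is present.

```powershell
# Added example (not part of the guide): screen candidate clone sources for a
# prior FRS-to-DFSR migration. Assumptions: migrated DCs serve SYSVOL from
# SYSVOL_DFSR (heuristic); WinRM enabled on the DCs; ActiveDirectory module.
Import-Module ActiveDirectory

$probe = {
    $netlogon   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $sysvolPath = [string] $netlogon.SysVol
    $dfsrFolder = Test-Path (Join-Path $env:SystemRoot 'SYSVOL_DFSR')
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        SysvolPath      = $sysvolPath
        MigratedFromFrs = [bool] (($sysvolPath -match 'SYSVOL_DFSR') -or $dfsrFolder)
    }
}

function Get-VdcCloneSourceCandidate {
    param([string[]] $DomainController)
    Invoke-Command -ComputerName $DomainController -ScriptBlock $probe -ErrorAction Continue |
        Select-Object Computer, SysvolPath, MigratedFromFrs,
            @{ n = 'SuitableSource'; e = { -not $_.MigratedFromFrs } }
}

# Ask every DC in the domain and list the ones that are safe to clone from.
$dcs    = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }
$report = Get-VdcCloneSourceCandidate -DomainController $dcs
$report | Format-Table -AutoSize
$report | Where-Object { $_.SuitableSource } | ForEach-Object { "Candidate source: $($_.Computer)" }
```

A DC that answers with a SysvolPath under SYSVOL_DFSR is exactly the case the symptoms above describe and should not be used as a source on this beta; if every DC reports MigratedFromFrs, promote a fresh Windows Server "8" Beta DC as the text recommends and rerun the screen before cloning it.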
Advanced Troubleshooting
This guide seeks to teach advanced troubleshooting by using working logs as samples, with some explanation of what occurred. If you understand what a successful VDC operation looks like, failures become obvious in your environment. These logs are presented by their source, with the ascending order of expected events (even when they are warnings and errors) related to a cloned domain controller within each log.
86
Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta
cloning is completed. 2191 ActiveDirectory_ DomainService Active Directory Domain Services set the following registry value to disable DNS updates. Registry Key: SYSTEM\CurrentControlSet\Services\Dnscache\Parameters Registry Value: RegistrationEnabled Registry Value data: 0 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed." Information 2/7/2012 3:12:49 PM Microsoft-WindowsActiveDirectory_DomainService 2191 Internal Configuration "Active Directory Domain Services set the following registry value to disable DNS updates. Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters Registry Value: DisableDynamicUpdate Registry Value data: 1 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed. 2172 ActiveDirectory_ DomainService Read the msDS-GenerationId attribute of the Domain Controller's computer object. msDS-GenerationId attribute value: <Number> 2170 ActiveDirectory_ DomainService A Generation ID change has been detected. Generation ID cached in DS (old value): <Number> Generation ID currently in VM (new value): <Number> The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. Active Directory Domain Services will
87
create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application. 1109 ActiveDirectory_ DomainService The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows: InvocationID attribute (old value): <GUID> InvocationID attribute (new value): <GUID> Update sequence number: <Number> The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application. 1000 1394 ActiveDirectory_ DomainService ActiveDirectory_ DomainService Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0 All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted DsRoleSvc service was started to clone the local virtual domain controller. NTDS (536) NTDSA: The database engine attached a database (1, C:\Windows\NTDS\ntds.dit). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.016, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000. 
Saved Cache: 1 103 NTDS ISAM NTDS (536) NTDSA: The database engine stopped the instance (0). Dirty Shutdown: 0
2163 326
88
Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta
Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta
Event ID / Source: Message
(continued from the previous entry) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.032, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.
102 / NTDS ISAM: NTDS (536) NTDSA: The database engine (6.02.8225.0000) is starting a new instance (0).
105 / NTDS ISAM: NTDS (536) NTDSA: The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.016, [2] 0.000, [3] 0.015, [4] 0.078, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.046, [10] 0.000, [11] 0.000.
1004 / ActiveDirectory_DomainService: Active Directory Domain Services was shut down successfully.
102 / NTDS ISAM: NTDS (536) NTDSA: The database engine (6.02.8225.0000) is starting a new instance (0).
NTDS ISAM: NTDS (536) NTDSA: The database engine attached a database (1, C:\Windows\NTDS\ntds.dit). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.016, [4] 0.000, [5] 0.031, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000. Saved Cache: 1
105 / NTDS ISAM: NTDS (536) NTDSA: The database engine started a new instance (0). (Time=1 seconds) Internal Timing Sequence: [1] 0.031, [2] 0.000, [3] 0.000, [4] 0.391, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000.
1109 / ActiveDirectory_DomainService: The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows: InvocationID attribute (old value): <GUID> InvocationID attribute (new value): <GUID> Update sequence number: <Number> The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.
1168 / ActiveDirectory_DomainService: Internal error: An Active Directory Domain Services error has occurred. Additional Data Error value (decimal): 2 Error value (hex): 2 Internal ID: 7011658
1110 / ActiveDirectory_DomainService: Promotion of this domain controller to a global catalog will be delayed for the following interval. Interval (minutes): 5 This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide
103 / NTDS ISAM: NTDS (536) NTDSA: The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.047, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.016, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.
1004 / ActiveDirectory_DomainService: Active Directory Domain Services was shut down successfully.
1539 / ActiveDirectory_DomainService: Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk. Hard disk: c: Data might be lost during system failures
2179 / ActiveDirectory_DomainService: The msDS-GenerationId attribute of the Domain Controller's computer object has been set to the following parameter: GenerationID attribute: <Number>
2173 / ActiveDirectory_DomainService: Failed to read the msDS-GenerationId attribute of the Domain Controller's computer object. This may be caused by database transaction failure, or the generation id does not exist in the local database. The msDS-GenerationId does not exist during the first reboot after dcpromo or the DC is not a virtual domain controller. Additional Data Failure code: 6
1000 / ActiveDirectory_DomainService: Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0
1394 / ActiveDirectory_DomainService: All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.
1128 / ActiveDirectory_DomainService (Knowledge Consistency Checker): A replication connection was created from the following source directory service to the local directory service. Source directory service: CN=NTDS Settings,<Domain Controller DN> Local directory service: CN=NTDS Settings,<Domain Controller DN> Additional Data Reason Code: 0x2 Creation Point Internal ID: f0a025d
1999 / ActiveDirectory_DomainService: The source directory service has optimized the update sequence number (USN) presented by the destination directory service. The source and destination directory services have a common replication partner. The destination directory service is up to date with the common replication partner, and the source directory service was installed using a backup of this partner. Destination directory service ID: <GUID> (<FQDN>) Common directory service ID: <GUID> Common property USN: <Number> As a result, the up-to-dateness vector of the destination directory service has been configured with the following settings. Previous object USN: 0 Previous property USN:
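The events in the table above are the ones a defender reads to tell a legitimate VM-Generation-ID change (snapshot applied, VM imported, clone booting) from an ordinary boot. The following Python is an added example, not code from this guide or from Windows: it takes records exported from the Directory Services event log, parses the 1109 payload, and classifies the boot according to the event descriptions on this page (event IDs 1109, 2179, 2173, 1999 and 1168 are the page's; the GenerationID number and the event list are constructed sample data, and the GUIDs are the ones printed in the dcpromo.log excerpt below).

```python
"""Classify Directory Services events around a virtualized DC boot.

Added example, not from this guide or from Windows. It applies the
event descriptions in the table above (1109, 2179, 2173, 1999, 1168)
to records exported from the Directory Services event log and says
whether the DC went through a VM-Generation-ID change (snapshot
applied, VM imported or cloned), a plain invocationID reset, or a
first boot after promotion. The GenerationID value and the sample
event list are constructed placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DsEvent:
    event_id: int
    source: str
    message: str


_GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
INVOCATION_RE = re.compile(
    r"InvocationID attribute \(old value\):\s*(" + _GUID + r")\s*"
    r"InvocationID attribute \(new value\):\s*(" + _GUID + r")\s*"
    r"Update sequence number:\s*(\d+)",
    re.S,
)
GENID_RE = re.compile(r"GenerationID attribute:\s*(-?\d+)")
FAILCODE_RE = re.compile(r"Failure code:\s*(\d+)")


def parse_invocation_change(message):
    """Pull old/new invocationID and the USN at the change out of a 1109 message."""
    m = INVOCATION_RE.search(message)
    if not m:
        return None
    return {"old": m.group(1).lower(), "new": m.group(2).lower(), "usn": int(m.group(3))}


def classify(events):
    """Summarize what the events say about the DC's identity across this boot."""
    r = {
        "invocation": None,             # parsed 1109 payload, if any
        "generation_id": None,          # value written by 2179, if any
        "generation_id_missing": None,  # failure code from 2173, if any
        "usn_optimized": False,         # 1999: partner trimmed the USN, we were built from its backup
        "internal_errors": [],          # 1168 messages, kept for review
        "verdict": "",
    }
    for ev in events:
        if ev.event_id == 1109:
            r["invocation"] = parse_invocation_change(ev.message) or {}
        elif ev.event_id == 2179:
            m = GENID_RE.search(ev.message)
            r["generation_id"] = int(m.group(1)) if m else -1
        elif ev.event_id == 2173:
            m = FAILCODE_RE.search(ev.message)
            r["generation_id_missing"] = int(m.group(1)) if m else -1
        elif ev.event_id == 1999:
            r["usn_optimized"] = True
        elif ev.event_id == 1168:
            r["internal_errors"].append(ev.message)

    changed = r["invocation"] is not None
    if changed and (r["generation_id"] is not None or r["usn_optimized"]):
        # invocationID reset caused by a new VM Generation ID: snapshot applied,
        # VM imported/cloned or live-migrated, as the 1109 text lists.
        r["verdict"] = "vm-generation-id-change"
    elif changed:
        # 1109 alone also follows a system-state restore or hosting a new
        # writeable application partition.
        r["verdict"] = "invocation-id-change"
    elif r["generation_id"] is not None:
        r["verdict"] = "generation-id-recorded"
    elif r["generation_id_missing"] is not None:
        # 2173 alone: first reboot after dcpromo, or not a virtual DC.
        r["verdict"] = "generation-id-absent"
    else:
        r["verdict"] = "no-change"
    return r


# Constructed sample (message text abridged from the table above).
SAMPLE_EVENTS = [
    DsEvent(2179, "ActiveDirectory_DomainService",
            "The msDS-GenerationId attribute of the Domain Controller's computer "
            "object has been set to the following parameter: GenerationID attribute: 4242424242"),
    DsEvent(1109, "ActiveDirectory_DomainService",
            "The invocationID attribute for this directory server has been changed. "
            "InvocationID attribute (old value): 24e7b22f-4706-402d-9b4f-f2690f730b40 "
            "InvocationID attribute (new value): f74cefb2-89c2-442c-b1ba-3234b0ed62f8 "
            "Update sequence number: 20520"),
    DsEvent(1168, "ActiveDirectory_DomainService",
            "Internal error: An Active Directory Domain Services error has occurred. "
            "Error value (decimal): 2 Error value (hex): 2 Internal ID: 7011658"),
    DsEvent(2173, "ActiveDirectory_DomainService",
            "Failed to read the msDS-GenerationId attribute of the Domain Controller's "
            "computer object. Additional Data Failure code: 6"),
    DsEvent(1999, "ActiveDirectory_DomainService",
            "The source directory service has optimized the update sequence number (USN) "
            "presented by the destination directory service."),
    DsEvent(1000, "ActiveDirectory_DomainService",
            "Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0"),
]

if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS)["verdict"])
```

The verdict is deliberately coarse: 1109 on its own is expected after a supported system-state restore, so only the combination with 2179 or 1999 is reported as a hypervisor-driven identity change, and 1168 entries are collected rather than interpreted.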
Event ID / Source: Message
7036 / Service Control Manager: The File Replication Service service entered the running state.
14533 / Microsoft-Windows-DfsSvc: DFS has finished building all namespaces.
14531 / Microsoft-Windows-DfsSvc: DFS server has finished initializing.
7036 / Service Control Manager: The DFS Namespace service entered the running state.
7023 / Service Control Manager: The Intersite Messaging service terminated with the following error: The specified server cannot perform the requested operation.
7036 / Service Control Manager: The Intersite Messaging service entered the stopped state.
5806 / Netlogon: Dynamic DNS updates have been manually disabled on this domain controller. USER ACTION Reconfigure this domain controller to use dynamic DNS updates or manually add the DNS records from the file '%SystemRoot%\System32\Config\Netlogon.dns' to the DNS database.
16651 / DirectoryServices-SAM: The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is The requested FSMO operation failed. The current FSMO holder could not be contacted.
7036 / Service Control Manager: The DNS Server service entered the running state.
7036 / Service Control Manager: The DS Role Server service entered the running state.
7036 / Service Control Manager: The Netlogon service entered the stopped state.
7036 / Service Control Manager: The File Replication Service service entered the stopped state.
7036 / Service Control Manager: The Kerberos Key Distribution Center service entered the stopped state.
7036 / Service Control Manager: The DNS Server service entered the stopped state.
7036 / Service Control Manager: The Active Directory Domain Services service entered the stopped state.
7036 / Service Control Manager: The Netlogon service entered the running state.
Service Control Manager: The start type of the Active Directory Domain Services service was changed from auto start to disabled.
7036 / Service Control Manager: The Netlogon service entered the stopped state.
7036 / Service Control Manager: The File Replication Service service entered the running state.
DirectoryServices-DSROLE-Server: Virtual domain controller cloning succeeded. This server is now a Domain Controller.
DirectoryServices-DSROLE-Server: Virtual domain controller cloning succeeded.
DirectoryServices-DSROLE-Server: The virtual domain controller cloning configuration file C:\Windows\NTDS\DCCloneConfig.xml has been renamed to C:\Windows\NTDS\DCCloneConfig.20120207-151533.xml.
1074 / User32: The process C:\Windows\system32\lsass.exe (DC2) has initiated the restart of computer DC2 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Reconfiguration (Planned) Reason Code: 0x80020004 Shutdown Type: restart Comment:
DCPROMO.LOG
Dcpromo.log records the actual promotion portion of cloning, which the Directory Services event log does not describe. Because the log does not explain itself to the degree that the event log entries do, this section of the guide adds annotation. In the promotion process, cloning starts, the DC is scrubbed of its current configuration and re-promoted using the existing AD database (much like an IFM promotion), and then the DC replicates the inbound change deltas of AD and SYSVOL, at which point cloning is complete.
Note: The log has been modified in this guide for readability by removing the date column. Points of interest are italicized bold.
More Information: For further explanation of the dcpromo.log, see Understand and Troubleshoot AD DS Simplified Administration in Windows Server "8" Beta: http://go.microsoft.com/fwlink/p/?LinkId=237244
Start clone-based promotion.
Set the Directory Services Restore Mode flag so that the server does not boot back up normally as the original clone and cause naming or Directory Service collisions.
Update the Directory Services event log.
[INFO] vDC Cloneing: Setting Boot into DSRM flag succeeded.
[WARNING] Cannot get user Token for Format Message: 1725l
[INFO] vDC Cloning: Created vDCCloningUpdate event.
[INFO] vDC Cloning: Created vDCCloningComplete event.
Stop the NetLogon service so that the domain controller does not advertise.
15:14:01 [INFO] Stopping service NETLOGON
15:14:01 [INFO] ControlService(STOP) on NETLOGON returned 1(gle=0)
15:14:01 [INFO] DsRolepWaitForService: waiting for NETLOGON to enter one of 7 states
15:14:01 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=3
15:14:02 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=1
15:14:02 [INFO] DsRolepWaitForService: exiting because NETLOGON entered STOPPED state
15:14:02 [INFO] DsRolepWaitForService(for any end state) on NETLOGON service returned 0
15:14:02 [INFO] ControlService(STOP) on NETLOGON returned 0(gle=1062)
15:14:02 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state
15:14:02 [INFO] StopService on NETLOGON returned 0
15:14:02 [INFO] Configuring service NETLOGON to 1 returned 0
15:14:02 [INFO] Updating service status to 4
15:14:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
Examine the dccloneconfig.xml file for administrator-specified customizations. In this sample case it is a blank file, so all settings are automatically generated and automatic IP addressing is required from the network.
15:14:02 [INFO] vDC Cloning: Clone config file C:\Windows\NTDS\DCCloneConfig.xml is considered to be a blank file (containing 0 bytes)
15:14:02 [INFO] vDC Cloning: Parsing clone config file C:\Windows\NTDS\DCCloneConfig.xml returned HRESULT 0x0
Validate that there are no services or programs installed that are not part of the DefaultDCCloneAllowList.xml or CustomDCCloneAllowList.xml.
15:14:02 [INFO] vDC Cloning: Checking allowed list:
15:14:03 [INFO] vDC Cloning: Completed checking allowed list:
15:14:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
Enable DHCP on the network adapters, since IP information was not specified by the administrator.
[INFO] WMI Instance: Win32_NetworkAdapterConfiguration.Index=12
[INFO] Method: EnableDHCP
[INFO] HRESULT code: 0x0 (0)
[INFO] Return Value: 0x0 (0)
[INFO] vDC Cloning: Set vDCCloningUpdate event.
[INFO] vDC Cloning: Set vDCCloningUpdate event.
Locate the PDC emulator.
Set the clone's site (automatically generated in this case).
Set the clone's name (automatically generated in this case).
15:14:03 [INFO] vDC Cloning: Found PDC. Name: DC1.root.fabrikam.com
15:14:04 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:04 [INFO] vDC Cloning: Winlogon UI Notification #1: Domain Controller cloning is at 5% completion...
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #2: Domain Controller cloning is at 10% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] Site of the cloned DC: Default-First-Site-Name
Create the new clone computer object.
Rename the clone to match the new name.
15:14:05 [INFO] vDC Cloning: Clone DC objects are created on PDC.
15:14:05 [INFO] Name of the cloned DC: DC2-CL0001
15:14:05 [INFO] DsRolepSetRegStringValue on System\CurrentControlSet\Services\NTDS\Parameters\CloneMachineName to DC2CL0001 returned 0
15:14:05 [INFO] vDC Cloning: Save CloneMachineName in registry: 0x0 (0)
Provide the promotion settings, based on the previous dccloneconfig.xml or the automatic generation rules.
[INFO] vDC Cloning: Promotion parameters setting:
[INFO] DNS Domain Name: root.fabrikam.com
[INFO] Replica Partner: \\DC1.root.fabrikam.com
[INFO] Site Name: Default-First-Site-Name
[INFO] DS Database Path: C:\Windows\NTDS
[INFO] DS Log Path: C:\Windows\NTDS
[INFO] SysVol Root Path: C:\Windows\SYSVOL
[INFO] Account: root.fabrikam.com\DC2-CL0001$
[INFO] Options: DSROLE_DC_CLONING (0x800400)
Start promotion.
15:14:05 [INFO] Promote DC as a clone
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #3: Domain Controller cloning is at 15% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #4: Domain Controller cloning is at 16% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] Validate supplied paths
15:14:05 [INFO] Validating path C:\Windows\NTDS.
15:14:05 [INFO] Path is a directory
15:14:05 [INFO] Path is on a fixed disk drive.
15:14:05 [INFO] Validating path C:\Windows\NTDS.
15:14:05 [INFO] Path is a directory
15:14:05 [INFO] Path is on a fixed disk drive.
15:14:05 [INFO] Validating path C:\Windows\SYSVOL.
15:14:05 [INFO] Path is on a fixed disk drive.
15:14:05 [INFO] Path is on an NTFS volume
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #5: Domain Controller cloning is at 17% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] Start the worker task
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #6: Domain Controller cloning is at 20% completion...
15:14:05 [INFO] Request for promotion returning 0
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #7: Domain Controller cloning is at 21% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
Stop and configure all of the AD DS-related services (NTDS, NTFRS/DFSR, KDC, DNS).
Note: The DNS service taking a long time to shut down is expected in this scenario, because it is using AD-integrated zones that were no longer available even before the NTDS service stopped; see the DNS events described later in this section of the guide.
15:14:15 [INFO] Stopping service NTDS
15:14:15 [INFO] Stopping service NtFrs
15:14:15 [INFO] ControlService(STOP) on NtFrs returned 1(gle=0)
15:14:15 [INFO] DsRolepWaitForService: waiting for NtFrs to enter one of 7 states
15:14:15 [INFO] DsRolepWaitForService: QueryServiceStatus on NtFrs returned 1 (gle=0), SvcStatus.dwCS=3
15:14:16 [INFO] DsRolepWaitForService: QueryServiceStatus on NtFrs returned 1 (gle=0), SvcStatus.dwCS=1
15:14:16 [INFO] DsRolepWaitForService: exiting because NtFrs entered STOPPED state
15:14:16 [INFO] DsRolepWaitForService(for any end state) on NtFrs service returned 0
15:14:16 [INFO] ControlService(STOP) on NtFrs returned 0(gle=1062)
15:14:16 [INFO] Exiting service-stop loop after service NtFrs entered STOPPED state
15:14:16 [INFO] StopService on NtFrs returned 0
15:14:16 [INFO] Configuring service NtFrs to 1 returned 0
15:14:16 [INFO] Stopping service Kdc
15:14:16 [INFO] ControlService(STOP) on Kdc returned 1(gle=0)
15:14:16 [INFO] DsRolepWaitForService: waiting for Kdc to enter one of 7 states
15:14:16 [INFO] DsRolepWaitForService: QueryServiceStatus on Kdc returned 1 (gle=0), SvcStatus.dwCS=3
15:14:17 [INFO] DsRolepWaitForService: QueryServiceStatus on Kdc returned 1 (gle=0), SvcStatus.dwCS=1
15:14:17 [INFO] DsRolepWaitForService: exiting because Kdc entered STOPPED state
15:14:17 [INFO] DsRolepWaitForService(for any end state) on Kdc service returned 0
15:14:17 [INFO] ControlService(STOP) on Kdc returned 0(gle=1062)
15:14:17 [INFO] Exiting service-stop loop after service Kdc entered STOPPED state
15:14:17 [INFO] StopService on Kdc returned 0
15:14:17 [INFO] Configuring service Kdc to 1 returned 0
15:14:17 [INFO] Stopping service DNS
15:14:17 [INFO] ControlService(STOP) on DNS returned 1(gle=0)
15:14:17 [INFO] DsRolepWaitForService: waiting for DNS to enter one of 7 states
15:14:17 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:18 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:19 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:20 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:21 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:22 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:23 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:24 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:25 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:26 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:27 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:28 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:29 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:30 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:31 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:32 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:33 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:34 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:35 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:36 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:37 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:38 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:39 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:40 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:41 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:42 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:43 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:44 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:45 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:46 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:47 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:48 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:49 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:50 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:51 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:52 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:53 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:54 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:55 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:56 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:57 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:58 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:59 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:15:00 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=1
15:15:00 [INFO] DsRolepWaitForService: exiting because DNS entered STOPPED state
15:15:00 [INFO] DsRolepWaitForService(for any end state) on DNS service returned 0
15:15:00 [INFO] ControlService(STOP) on DNS returned 0(gle=1062)
15:15:00 [INFO] Exiting service-stop loop after service DNS entered STOPPED state
15:15:00 [INFO] StopService on DNS returned 0
15:15:00 [INFO] Configuring service DNS to 1 returned 0
15:15:00 [INFO] ControlService(STOP) on NTDS returned 1(gle=1062)
15:15:00 [INFO] DsRolepWaitForService: waiting for NTDS to enter one of 7 states
15:15:00 [INFO] DsRolepWaitForService: QueryServiceStatus on NTDS returned 1 (gle=0), SvcStatus.dwCS=3
15:15:01 [INFO] DsRolepWaitForService: QueryServiceStatus on NTDS returned 1 (gle=0), SvcStatus.dwCS=1
15:15:01 [INFO] DsRolepWaitForService: exiting because NTDS entered STOPPED state
15:15:01 [INFO] DsRolepWaitForService(for any end state) on NTDS service returned 0
15:15:01 [INFO] ControlService(STOP) on NTDS returned 0(gle=1062)
15:15:01 [INFO] Exiting service-stop loop after service NTDS entered STOPPED state
15:15:01 [INFO] StopService on NTDS returned 0
15:15:01 [INFO] Configuring service NTDS to 1 returned 0
15:15:01 [INFO] Configuring service NTDS
15:15:01 [INFO] Configuring service NTDS to 64 returned 0
15:15:01 [INFO] vDC Cloning: Winlogon UI Notification #8: Domain Controller cloning is at 22% completion...
15:15:01 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:01 [INFO] vDC Cloning: Winlogon UI Notification #9: Domain Controller cloning is at 25% completion...
15:15:01 [INFO] vDC Cloning: Set vDCCloningUpdate event.
Force NT5DS (NTP) time synchronization with another domain controller (typically the PDCE).
Contact a domain controller that holds the source domain controller account of the clone.
Flush any existing Kerberos tickets.
15:15:02 [INFO] Searching for a domain controller for the domain root.fabrikam.com that contains the account DC2$
15:15:02 [INFO] Located domain controller DC1.root.fabrikam.com for domain root.fabrikam.com
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #10: Domain Controller cloning is at 26% completion...
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] Directing kerberos authentication to DC1.root.fabrikam.com returns 0
15:15:02 [INFO] DsRolepFlushKerberosTicketCache() successfully flushed the Kerberos ticket cache
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #11: Domain Controller cloning is at 27% completion...
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] Using site Default-First-Site-Name for server \\DC1.root.fabrikam.com
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] Stopping service NETLOGON
15:15:02 [INFO] Stopping service NETLOGON
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #12: Domain Controller cloning is at 29% completion...
15:15:02 [INFO] ControlService(STOP) on NETLOGON returned 1(gle=0)
15:15:02 [INFO] DsRolepWaitForService: waiting for NETLOGON to enter one of 7 states
15:15:02 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=3
15:15:03 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=1
15:15:03 [INFO] DsRolepWaitForService: exiting because NETLOGON entered STOPPED state
15:15:03 [INFO] DsRolepWaitForService(for any end state) on NETLOGON service returned 0
15:15:03 [INFO] ControlService(STOP) on NETLOGON returned 0(gle=1062)
15:15:03 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state
15:15:03 [INFO] StopService on NETLOGON returned 0
15:15:03 [INFO] Configuring service NETLOGON to 1 returned 0
15:15:03 [INFO] Stopped NETLOGON
15:15:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:03 [INFO] vDC Cloning: Winlogon UI Notification #13: Domain Controller cloning is at 30% completion...
Configure the DFSR/NTFRS services to run automatically.
Delete their existing database files to force a non-authoritative sync of SYSVOL when the service next starts.
15:15:03 [INFO] Configuring service DFSR
15:15:03 [INFO] Configuring service DFSR to 256 returned 0
15:15:03 [INFO] Configuring service NTFRS
15:15:03 [INFO] Configuring service NTFRS to 256 returned 0
15:15:03 [INFO] Removing DFSR Database files for SysVol
15:15:03 [INFO] Removing FRS Database files in C:\Windows\ntfrs\jet
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edb.log
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbres00001.jrs
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbres00002.jrs
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbtmp.log
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\ntfrs.jdb
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\sys\edb.chk
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\temp\tmp.edb
15:15:04 [INFO] Created system volume path
15:15:04 [INFO] Configuring service DFSR
15:15:04 [INFO] Configuring service DFSR to 128 returned 0
15:15:04 [INFO] Configuring service NTFRS
15:15:04 [INFO] Configuring service NTFRS to 128 returned 0
15:15:04 [INFO] vDC Cloning: Winlogon UI Notification #14: Domain Controller cloning is at 40% completion...
15:15:04 [INFO] vDC Cloning: Set vDCCloningUpdate event.
Start the promotion process using the existing NTDS database file.
Contact the RID Master.
Note: The AD DS service is not actually installed here; this is legacy instrumentation in the log.
15:15:04 [INFO] Installing the Directory Service
15:15:04 [INFO] Calling NtdsInstall for root.fabrikam.com
15:15:04 [INFO] Starting Active Directory Domain Services installation
15:15:04 [INFO] Validating user supplied options
15:15:04 [INFO] Determining a site in which to install
15:15:04 [INFO] Examining an existing forest...
15:15:04 [INFO] Starting a replication cycle between DC1.root.fabrikam.com and the RID operations master (2008r2-01.root.fabrikam.com), so that the new replica will be able to create users, groups, and computer objects...
15:15:04 [INFO] Configuring the local computer to host Active Directory Domain Services
15:15:04 [INFO] EVENTLOG (Warning): NTDS General / Service Control : 1539 Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk. Hard disk: c: Data might be lost during system failures.
15:15:10 [INFO] EVENTLOG (Informational): NTDS General / Internal Processing : 2041 Duplicate event log entries were suppressed. See the previous event log entry for details. An entry is considered a duplicate if the event code and all of its insertion parameters are identical. The time period for this run of duplicates is from the time of the previous event to the time of this event. Event Code: 80000603 Number of duplicate entries: 2
15:15:10 [INFO] EVENTLOG (Informational): NTDS General / Internal Configuration : 2121 This Active Directory Domain Services server is disabling the Recycle Bin. Deleted objects may not be undeleted at this time.
Change the existing invocation ID that existed in the source computer's database.
Create a new NTDS Settings object for this clone.
Replicate in the AD object delta from the partner domain controller.
Note: Even though all objects are listed as replicated, this is just the metadata needed to subsume the updates. All the unchanged objects in the cloned NTDS database already exist and do not require replication again, just as with IFM-based promotion.
15:15:10 [INFO] EVENTLOG (Informational): NTDS Replication / Replication : 1109 The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows: InvocationID attribute (old value): 24e7b22f-4706-402d-9b4f-f2690f730b40 InvocationID attribute (new value): f74cefb2-89c2-442c-b1ba-3234b0ed62f8 Update sequence number: 20520 The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.
15:15:10 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168 Internal error: An Active Directory Domain Services error has occurred. Additional Data Error value (decimal): 2 Error value (hex): 2 Internal ID: 7011658
15:15:11 [INFO] Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC DC1.root.fabrikam.com...
15:15:11 [INFO] Replicating the schema directory partition
15:15:11 [INFO] Replicated the schema container.
15:15:12 [INFO] Active Directory Domain Services updated the schema cache.
15:15:12 [INFO] Replicating the configuration directory partition
15:15:12 [INFO] Replicating data CN=Configuration,DC=root,DC=fabrikam,DC=com: Received 2612 out of approximately 2612 objects and 94 out of approximately 94 distinguished name (DN) values...
15:15:12 [INFO] Replicated the configuration container.
15:15:13 [INFO] Replicating critical domain information...
15:15:13 [INFO] Replicating data DC=root,DC=fabrikam,DC=com: Received 109 out of approximately 109 objects and 35 out of approximately 35 distinguished name (DN) values...
15:15:13 [INFO] Replicated the critical objects in the domain container.
Populate the GC partitions as needed with any missing updates.
Complete the critical AD DS portion of the promotion.
15:15:13 [INFO] EVENTLOG (Informational): NTDS General / Global Catalog : 1110 Promotion of this domain controller to a global catalog will be delayed for the following interval. Interval (minutes): 5 This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide.
15:15:14 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1000 Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0
15:15:15 [INFO] Creating new domain users, groups, and computer objects
15:15:16 [INFO] Completing Active Directory Domain Services installation
15:15:16 [INFO] NtdsInstall for root.fabrikam.com returned 0
15:15:16 [INFO] DsRolepInstallDs returned 0
15:15:16 [INFO] Installed Directory Service
15:15:16 [INFO] vDC Cloning: Winlogon UI Notification #15: Domain Controller cloning is at 60% completion...
15:15:16 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Completed system volume replication
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #16: Domain Controller cloning is at 70% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] SetProductType to 2 [LanmanNT] returned 0
15:15:18 [INFO] Set the product type
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #17: Domain Controller cloning is at 71% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #18: Domain Controller cloning is at 72% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Set the system volume path for NETLOGON
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #19: Domain Controller cloning is at 73% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Replicating non critical information
15:15:18 [INFO] User specified to not replicate non-critical data
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #20: Domain Controller cloning is at 80% completion...
15:15:18 [INFO] Stopped the DS
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #21: Domain Controller cloning is at 90% completion...
15:15:18 [INFO] Configuring service NTDS
15:15:18 [INFO] Configuring service NTDS to 16 returned 0
15:15:18 [INFO] vDC Cloning: Set DisableDynamicUpdate reg value to 0 to enaable dynamic DNS records registration.
15:15:18 [INFO] vDC Cloning: Set UseDynamicDns reg value to 1 to enable dynamic DNS records registration.
15:15:18 [INFO] vDC Cloning: Set RegistrationEnabled reg value to 1 to enable dynamic DNS records registration.
15:15:18 [INFO] vDC Cloning: Running sysprep providers.
15:15:32 [INFO] vDC Cloning: Completed running sysprep providers.
Cloning promotion is complete.
Remove the DSRM boot flag so the server boots normally next time.
Rename the dccloneconfig.xml so that it is not read again at next bootup.
Restart the computer.
15:15:32 [INFO] The attempted domain controller operation has completed
15:15:32 [INFO] Updating service status to 4
15:15:32 [INFO] DsRolepSetOperationDone returned 0
15:15:32 [INFO] vDC Cloning: Set vDCCloningComplete event.
15:15:32 [INFO] vDC Cloneing: Clearing Boot into DSRM flag succeeded.
15:15:32 [INFO] vDC Cloning: Winlogon UI Notification #22: Cloning Domain Controller succeeded. Now rebooting...
15:15:33 [INFO] vDC Cloning: Renamed vDC clone configuration file.
15:15:33 [INFO] vDC Cloning: The old name is: C:\Windows\NTDS\DCCloneConfig.xml
15:15:33 [INFO] vDC Cloning: The new name is: C:\Windows\NTDS\DCCloneConfig.20120207-151533.xml
15:15:34 [INFO] vDC Cloning: Release Ipv4 on interface 'Wired Ethernet Connection 2', result=0.
15:15:34 [INFO] vDC Cloning: Release Ipv6 on interface 'Wired Ethernet Connection 2', result=0.
15:15:34 [INFO] Rebooting machine
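When a clone does not come up cleanly, the useful questions about dcpromo.log are the ones the annotations above answer by hand: which service stops ran and how long each took (the guide expects DNS to be slow here), how far the Winlogon progress notifications got, which EVENTLOG entries NtdsInstall raised, and whether the run reached "succeeded" and the reboot. The following Python is an added example, not code from this guide or from Windows: it parses a text export of dcpromo.log using the line shapes shown in this section, and the sample log inside it is constructed from those lines rather than copied from a real run.

```python
"""Build a timeline of a clone-based promotion from dcpromo.log lines.

Added example, not part of this guide or of Windows. It reads the
line shapes shown in the annotated log above (optional HH:MM:SS,
[INFO]/[WARNING] tag, message) and reports service stop durations,
the highest Winlogon progress notification, EVENTLOG entries raised
during NtdsInstall, non-zero return codes of the main promotion
steps, and whether the run reached "succeeded" and the reboot.
The sample log below is constructed from those line shapes.
"""
import re

LINE_RE = re.compile(r"^(?:(\d\d):(\d\d):(\d\d)\s+)?\[(INFO|WARNING|ERROR)\]\s+(.*)$")
STOP_RE = re.compile(r"^Stopping service (\S+)$")
STOPPED_RE = re.compile(r"exiting because (\S+) entered STOPPED state")
PROGRESS_RE = re.compile(r"cloning is at (\d+)% completion")
EVENTLOG_RE = re.compile(r"^EVENTLOG \((\w+)\): (.+?) : (\d+)\b")
RETURN_RE = re.compile(
    r"^(NtdsInstall for \S+|DsRolepInstallDs|DsRolepSetOperationDone|Request for promotion)"
    r" return(?:ed|ing) (-?\d+)")


def _to_seconds(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)


def summarize(lines):
    """Walk the log once and collect the facts a troubleshooter asks for."""
    summary = {"service_stops": [], "max_progress": 0, "eventlog": [],
               "failures": [], "warnings": 0, "succeeded": False, "rebooted": False}
    clock = None  # last timestamp seen; untimed lines inherit it
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation of a multi-line message
        h, mi, s, level, msg = m.groups()
        if h is not None:
            clock = _to_seconds(h, mi, s)  # assumes the log does not cross midnight
        if level == "WARNING":
            summary["warnings"] += 1
        sm = STOP_RE.match(msg)
        if sm:
            summary["service_stops"].append({"service": sm.group(1), "start": clock, "seconds": None})
            continue
        sm = STOPPED_RE.search(msg)
        if sm:
            # Close the most recent open stop record for this service.
            for rec in reversed(summary["service_stops"]):
                if rec["service"] == sm.group(1) and rec["seconds"] is None:
                    if rec["start"] is not None and clock is not None:
                        rec["seconds"] = clock - rec["start"]
                    break
            continue
        pm = PROGRESS_RE.search(msg)
        if pm:
            summary["max_progress"] = max(summary["max_progress"], int(pm.group(1)))
        em = EVENTLOG_RE.match(msg)
        if em:
            summary["eventlog"].append((em.group(1), em.group(2), int(em.group(3))))
        rm = RETURN_RE.match(msg)
        if rm and int(rm.group(2)) != 0:
            summary["failures"].append((rm.group(1), int(rm.group(2))))
        if "Cloning Domain Controller succeeded" in msg:
            summary["succeeded"] = True
        if msg.startswith("Rebooting machine"):
            summary["rebooted"] = True
    return summary


def slow_stops(summary, threshold_seconds=30):
    """Services whose stop took at least threshold_seconds (DNS is expected to be slow here)."""
    return [r["service"] for r in summary["service_stops"]
            if r["seconds"] is not None and r["seconds"] >= threshold_seconds]


# Constructed sample, abridged from the line shapes in this section.
SAMPLE_LOG = """\
[INFO] vDC Cloneing: Setting Boot into DSRM flag succeeded.
[WARNING] Cannot get user Token for Format Message: 1725l
15:14:01 [INFO] Stopping service NETLOGON
15:14:02 [INFO] DsRolepWaitForService: exiting because NETLOGON entered STOPPED state
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #3: Domain Controller cloning is at 15% completion...
15:14:05 [INFO] Request for promotion returning 0
15:14:15 [INFO] Stopping service NTDS
15:14:15 [INFO] Stopping service NtFrs
15:14:16 [INFO] DsRolepWaitForService: exiting because NtFrs entered STOPPED state
15:14:17 [INFO] Stopping service DNS
15:15:00 [INFO] DsRolepWaitForService: exiting because DNS entered STOPPED state
15:15:01 [INFO] DsRolepWaitForService: exiting because NTDS entered STOPPED state
15:15:10 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168 Internal error: An Active Directory Domain Services error has occurred.
15:15:16 [INFO] NtdsInstall for root.fabrikam.com returned 0
15:15:16 [INFO] DsRolepInstallDs returned 0
15:15:32 [INFO] vDC Cloning: Winlogon UI Notification #22: Cloning Domain Controller succeeded. Now rebooting...
15:15:34 [INFO] Rebooting machine
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(s["succeeded"], s["rebooted"], slow_stops(s))
```

Run it against a real export with `summarize(open(path, encoding="utf-8").read().splitlines())`; a promotion that stalls shows up as a stop record whose "seconds" stays None, a max_progress short of 90, or a non-zero entry in "failures".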
ADWS events (event IDs 1000, 1008, 1400, 1100 and 1200; source ADWS). Messages, in the order listed:
...privileges
The values specified in the <appsettings> section of the configuration file for Active Directory Web Services have been loaded without errors.
ADWS certificate events: Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine. Certificate name: <Server FQDN>
The values specified in the <appsettings> section of the configuration file for Active Directory Web Services have been loaded without errors.
Active Directory Web Services is now servicing the specified directory instance. Directory instance: NTDS. Directory instance LDAP port: 389. Directory instance SSL port: 636.

DNS-ServerService events:
4015  DNS-ServerService
4000  DNS-ServerService  The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
4013  DNS-ServerService  The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
2  DNS-ServerService  The DNS server has started.
4  DNS-ServerService  The DNS server has finished the background loading of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.
NtFrs events:
13502  NtFrs
13565  NtFrs  ...When File Replication Service completes the initialization process, the SYSVOL share will appear. The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
13501  NtFrs  The File Replication Service is starting.
13502  NtFrs  The File Replication Service is stopping.
13503  NtFrs  The File Replication Service has stopped.
13565  NtFrs  File Replication Service is initializing the system volume with data from another domain controller. Computer DC2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL. To check for the SYSVOL share, at the command prompt, type: net share. When File Replication Service completes the initialization process, the SYSVOL share will appear. The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
13501  NtFrs  The File Replication Service is starting.
13553  NtFrs  The File Replication Service successfully added this computer to the following replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)". Information related to this event is shown below: Computer DNS name is <Domain Controller FQDN>; Replica set member name is <Domain Controller>; Replica set root path is <path>; Replica staging directory path is <path>; Replica working directory path is <path>.
13520  NtFrs  The File Replication Service moved the preexisting files in <path> to <path>\NtFrs_PreExisting___See_EventLog. The File Replication Service may delete the files in <path>\NtFrs_PreExisting___See_EventLog at any time. Files can be saved from deletion by copying them out of <path>\NtFrs_PreExisting___See_EventLog. Copying the files into c:\windows\sysvol\domain may lead to name conflicts if the files already exist on some other replicating partner. In some cases, the File Replication Service may copy a file from <path>\NtFrs_PreExisting___See_EventLog into <path> instead of replicating the file from some other replicating partner. Space can be recovered at any time by deleting the files in <path>\NtFrs_PreExisting___See_EventLog.
13508  NtFrs  The File Replication Service is having trouble enabling replication from \\<Domain Controller FQDN> to <Domain Controller> for <path> using the DNS name \\<Domain Controller FQDN>. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name \\<Domain Controller FQDN> from this computer. [2] FRS is not running on \\<Domain Controller FQDN>. [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection. After the problem is fixed you will see another event log message indicating that the connection has been established.
13509  NtFrs  The File Replication Service has enabled replication from \\<Domain Controller FQDN> to <Domain Controller> for <Path> after repeated retries.
13516  NtFrs  The File Replication Service is no longer preventing the computer <Domain Controller> from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL. Type "net share" to check for the SYSVOL share.
DFSR events:
6102  DFSR
1206  DFSR  ...controller DC2.corp.contoso.com to access configuration information.
1210  DFSR  The DFS Replication service successfully set up an RPC listener for incoming replication requests. Additional Information: Port: 0
4614  DFSR  The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers. Additional Information: Replicated Folder Name: SYSVOL Share; Replicated Folder ID: <GUID>; Replication Group Name: Domain System Volume; Replication Group ID: <GUID>; Member ID: <GUID>; Read-Only: 0
4604  DFSR  The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member has completed initial synchronization of SYSVOL with partner dc1.corp.contoso.com. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share". Additional Information: Replicated Folder Name: SYSVOL Share; Replicated Folder ID: <GUID>; Replication Group Name: Domain System Volume; Replication Group ID: <GUID>; Member ID: <GUID>; Sync partner: <domain controller FQDN>
More Information:
Event ID: 2174
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Informational
Message: The DC is neither a virtual domain controller clone nor a restored virtual domain controller snapshot.
Notes and resolution: Expected event when starting physical domain controllers or VDCs not restored from snapshot.
Event ID: 2181
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Informational
Message: The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.
Notes and resolution: Expected when restoring a snapshot. Transactions track the VM Generation ID changing.
Event ID: 2185
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Informational
Message: <COMPUTERNAME> stopped the FRS or DFSR service used to replicate the SYSVOL folder. Service name: %1. Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> must initialize a nonauthoritative restore on the local SYSVOL replica. This is performed by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. Event 2187 will be logged when FRS or DFSR service is restarted.
Notes and resolution: Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC's copy.
Event ID: 2186
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Error
Message: <COMPUTERNAME> failed to stop the FRS or DFSR service used to replicate the SYSVOL folder. Service name: %1. Error code: %2. Error message: %3. Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> must initialize a nonauthoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR replication service used to replicate the SYSVOL folder and then starting it with the appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to stop the current running service and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution: Examine the System, FRS and DFSR event logs for further information.
Event ID: 2187
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Informational
Message: <COMPUTERNAME> started the FRS or DFSR service used to replicate the SYSVOL folder. Service name: %1. Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needed to initialize a nonauthoritative restore on the local SYSVOL replica. This was done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.
Notes and resolution: Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC's copy.
Event ID: 2188
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Error
Message: <COMPUTERNAME> failed to start the FRS or DFSR service used to replicate the SYSVOL folder. Service name: %1. Error code: %2. Error message: %3. Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a nonauthoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL and starting it with appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to start the FRS or DFSR service used to replicate the SYSVOL folder and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually and restart the service. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution: Examine the System, FRS and DFSR event logs for further information.
Event ID: 2189
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Informational
Message: <COMPUTERNAME> set the following registry values to initialize SYSVOL replica during a non-authoritative restore: Registry Key: %1. Registry Value: %2. Registry Value data: %3. Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a nonauthoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.
Notes and resolution: Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC's copy.
Event ID: 2190
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Error
Message: <COMPUTERNAME> failed to set the following registry values to initialize the SYSVOL replica during a non-authoritative restore: Registry Key: %1. Registry Value: %2. Registry Value data: %3. Error code: %4. Error message: %5. Active Directory detected that the virtual machine that hosts the domain controller role was reverted to a previous state. <COMPUTERNAME> needs to initialize a nonauthoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to set the above registry values and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution: Examine the Application and System event logs. Investigate third-party applications that may be blocking registry updates.
Event ID: 2200
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Informational
Message: Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> initializes replication to bring the domain controller current. Event 2201 will be logged when the replication is finished.
Event ID: 2201
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Informational
Message: Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> has finished replication to bring the domain controller current.
Notes and resolution: Expected when restoring a snapshot. Marks the end of inbound AD replication.
Event ID: 2202
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Error
Message: Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> failed replication to bring the domain controller up-to-date. The domain controller will be updated after next periodic replication.
Notes and resolution: Examine the Directory Services and System event logs. Use repadmin.exe to attempt forcing replication and note any failures.
Event ID: 2204
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Informational
Message: <COMPUTERNAME> has detected a change of virtual machine generation ID. The change means that the virtual domain controller has been reverted to a previous state. <COMPUTERNAME> will perform the following operations to protect the reverted domain controller against possible data divergence and to protect creation of security principals with duplicate SIDs: Create a new invocation ID. Invalidate current RID pool. Ownership of the FSMO roles will be validated at next inbound replication. During this window if the domain controller held a FSMO role, that role will be unavailable. Start SYSVOL replication service restore operation. Start replication to bring the reverted domain controller to the most current state. Request a new RID pool.
Notes and resolution: Expected when restoring a snapshot. This explains all the various reset operations that will occur as part of the safe restore process.
Event ID: 2205
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Informational
Message: <COMPUTERNAME> invalidated current RID pool after virtual domain controller was reverted to previous state.
Notes and resolution: Expected when restoring a snapshot. The local RID pool must be destroyed because the domain controller has travelled back in time and the RIDs in that pool may already have been issued.
Event ID: 2206
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Error
Message: <COMPUTERNAME> failed to invalidate current RID pool after virtual domain controller was reverted to previous state. Additional data: Error code: %1. Error value: %2.
Notes and resolution: Examine the Directory Services and System event logs. Validate that the RID Master is online and can be reached from this server using Dcdiag.exe /test:ridmanager.
Event ID: 2207
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Error
Message: <COMPUTERNAME> failed to restore after virtual domain controller was reverted to previous state. A reboot into DSRM was requested. Please check previous events for more information. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution: Examine the Directory Services and System event logs.
Event ID: 2208
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Informational
Message: <COMPUTERNAME> deleted DFSR databases to initialize SYSVOL replica during a nonauthoritative restore.
Notes and resolution: Expected when restoring a snapshot. This guarantees DFSR non-authoritatively synchronizes SYSVOL from a partner DC. Note that any other DFSR Replicated Folders on the same volume as SYSVOL will also non-authoritatively sync (domain controllers are not recommended to host custom DFSR sets on the same volume as SYSVOL).

Event ID: 2209
Source: Microsoft-Windows-ActiveDirectory_DomainService
Level: Error
Message: <COMPUTERNAME> failed to delete DFSR databases. Additional data: Error code: %1. Error value: %2. Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a nonauthoritative restore on the local SYSVOL replica. For DFSR, this is done by stopping the DFSR service, deleting DFSR databases, and re-starting the service. Upon restarting, DFSR will rebuild the databases and start the initial sync.
Error Messages
There are no direct interactive errors for a failed VDC safe snapshot restore; all cloning information is logged in the Directory Services event log. Naturally, any critical replication or server advertising errors manifest themselves as symptoms elsewhere.
Advanced Troubleshooting
This guide seeks to teach advanced troubleshooting by using working logs as samples, with some explanation of what occurred. If you understand what a successful VDC operation looks like, failures become obvious in your environment. These logs are presented by their source, with the ascending order of expected events related to a cloned domain controller within each log.
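One way to apply that approach mechanically is to check an exported Directory Services log against the success path and the error table above. The following Python checker is an added example, not part of the guide: it walks the informational milestones in the order the safe-restore log lists them, reports any that are missing or out of order, and attaches the table's resolution notes to every error event. The 'id|provider|level|message' export format and both sample logs are constructed for the example.

```python
"""Offline check of the Directory Services events a safe snapshot restore should log."""
from dataclasses import dataclass

PROVIDER = "Microsoft-Windows-ActiveDirectory_DomainService"

# Milestones of a successful restore, in the order the guide's sample log lists them.
# Each must appear, and in this order; anything else is a gap to investigate.
SUCCESS_SEQUENCE = [2204, 2181, 1109, 2179, 2200, 2201, 2185, 2208, 2187, 1587]

# Error events from the guide's safe-restore table, with its resolution notes condensed.
ERROR_GUIDANCE = {
    2186: "FRS/DFSR stop failed: do the non-authoritative SYSVOL restore manually; check System, FRS, DFSR logs.",
    2188: "FRS/DFSR start failed: do the non-authoritative restore manually and restart the service.",
    2190: "SYSVOL restore registry values not set: check Application/System logs and third-party software blocking registry updates.",
    2202: "Catch-up replication failed: check Directory Services/System logs; use repadmin.exe to force replication.",
    2206: "RID pool invalidation failed: validate the RID Master is online and reachable (dcdiag.exe /test:ridmanager).",
    2207: "Safe restore failed; a reboot into DSRM was requested: read the preceding Directory Services/System events.",
    2209: "DFSR database deletion failed, so DFSR will not rebuild and re-sync SYSVOL from a partner.",
}


@dataclass
class Event:
    event_id: int
    provider: str
    level: str
    message: str


@dataclass
class RestoreReport:
    seen: list      # milestones found, in order
    missing: list   # milestones absent, or present only out of order
    errors: list    # (event_id, guidance) for every error event

    def ok(self):
        return not self.missing and not self.errors


def parse_export(text):
    """Parse the constructed 'id|provider|level|message' export, one event per line."""
    events = []
    for line in text.strip().splitlines():
        event_id, provider, level, message = line.split("|", 3)
        events.append(Event(int(event_id), provider.strip(), level.strip(), message.strip()))
    return events


def analyze_restore(events):
    """Walk SUCCESS_SEQUENCE as an ordered subsequence of the DomainService events."""
    ds_events = [e for e in events if e.provider == PROVIDER]
    ids = [e.event_id for e in ds_events]
    seen, missing, pos = [], [], 0
    for milestone in SUCCESS_SEQUENCE:
        try:
            pos = ids.index(milestone, pos) + 1   # only look past the previous milestone
            seen.append(milestone)
        except ValueError:
            missing.append(milestone)
    errors = [(e.event_id, ERROR_GUIDANCE.get(e.event_id, e.message))
              for e in ds_events
              if e.event_id in ERROR_GUIDANCE or e.level.lower() == "error"]
    return RestoreReport(seen, missing, errors)


DS = PROVIDER
# Constructed sample: the success path from the guide's Advanced Troubleshooting log.
SAMPLE_SUCCESS = f"""
2204|{DS}|Information|DC2 has detected a change of virtual machine generation ID.
2181|{DS}|Information|The transaction was aborted due to the virtual machine being reverted.
1109|{DS}|Information|The invocationID attribute for this directory server has been changed.
2179|{DS}|Information|The msDS-GenerationId attribute of the computer object has been set.
2200|{DS}|Information|AD DS initializes replication to bring the domain controller current.
2201|{DS}|Information|AD DS has finished replication to bring the domain controller current.
2185|{DS}|Information|AD DS stopped the FRS or DFSR service used to replicate SYSVOL.
2208|{DS}|Information|AD DS deleted DFSR databases to initialize the SYSVOL replica.
2187|{DS}|Information|AD DS started the FRS or DFSR service used to replicate SYSVOL.
1587|{DS}|Information|A partner has requested replication changes using our old identity.
16654|DirectoryServices-SAM|Information|A pool of account-identifiers (RIDs) has been invalidated.
"""

# Constructed sample: RID pool invalidation fails and the DC asks for a DSRM reboot.
SAMPLE_FAILED = f"""
2204|{DS}|Information|DC2 has detected a change of virtual machine generation ID.
2181|{DS}|Information|The transaction was aborted due to the virtual machine being reverted.
2206|{DS}|Error|DC2 failed to invalidate current RID pool after the VM was reverted.
2207|{DS}|Error|DC2 failed to restore after the VM was reverted. A reboot into DSRM was requested.
"""

if __name__ == "__main__":
    for name, sample in (("success", SAMPLE_SUCCESS), ("failed", SAMPLE_FAILED)):
        report = analyze_restore(parse_export(sample))
        print(name, "ok" if report.ok() else "PROBLEM", report.missing, report.errors)
```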
Event ID: 2204 (ActiveDirectory_DomainService)
...Ownership of the FSMO roles will be validated at next inbound replication. During this window if the domain controller held a FSMO role, that role will be unavailable. Start SYSVOL replication service restore operation. Start replication to bring the reverted domain controller to the most current state. Request a new RID pool.

Event ID: 2181 (ActiveDirectory_DomainService)
The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.

Event ID: 1109 (ActiveDirectory_DomainService)
The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows: InvocationID attribute (old value): <GUID>. InvocationID attribute (new value): <GUID>. Update sequence number: <number>. The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.

Event ID: 2179 (ActiveDirectory_DomainService)
The msDS-GenerationId attribute of the Domain Controller's computer object has been set to the following parameter: GenerationID attribute: <number>

Event ID: 2200 (ActiveDirectory_DomainService)
Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services initializes replication to bring the domain controller current. Event 2201 will be logged when the replication is finished.

Event ID: 2201 (ActiveDirectory_DomainService)
Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services has finished replication to bring the domain controller current.
Event ID: 2185 (ActiveDirectory_DomainService)
Active Directory Domain Services stopped the FRS or DFSR service used to replicate the SYSVOL folder. Service name: DFSR. Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services must initialize a non-authoritative restore on the local SYSVOL replica. This is performed by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. Event 2187 will be logged when FRS or DFSR service is restarted.

Event ID: 2208 (ActiveDirectory_DomainService)
Active Directory Domain Services deleted DFSR databases to initialize SYSVOL replica during a non-authoritative restore. Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needs to initialize a non-authoritative restore on the local SYSVOL replica. For DFSR, this is done by stopping the DFSR service, deleting DFSR databases, and re-starting the service. Upon restarting, DFSR will rebuild the databases and start the initial sync.

Event ID: 2187 (ActiveDirectory_DomainService)
Active Directory Domain Services started the FRS or DFSR service used to replicate the SYSVOL folder. Service name: DFSR. Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needed to initialize a non-authoritative restore on the local SYSVOL replica. This was done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.

Event ID: 1587 (ActiveDirectory_DomainService)
This directory service has been restored or has been configured to host an application directory partition. As a result, its replication identity has changed. A partner has requested replication changes using our old identity. The starting sequence number has been adjusted. The destination directory service corresponding to the following object GUID has requested changes starting at a USN that precedes the USN at which the local directory service was restored from backup media. Object GUID: <GUID> (<FQDN of partner domain controller>). USN at the time of restore: <number>. As a result, the up-to-dateness vector of the destination directory service has been configured with the following settings. Previous database GUID: <GUID>. Previous object USN: <number>. Previous property USN: <number>. New database GUID: <GUID>. New object USN: <number>. New property USN: <number>.
Event ID: 16654 (DirectoryServices-SAM)
A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases: 1. A domain controller is restored from backup. 2. A domain controller running on a virtual machine is restored from snapshot. 3. An administrator has manually invalidated the pool. See http://go.microsoft.com/fwlink/?LinkId=226247 for more information.

Event ID: 7036
The DFS Replication service entered the stopped state.

Event ID: 7036
The DFS Replication service entered the running state.

Event ID: 103 (ESENT)
...Information\DFSR\database_<GUID>\dfsr.db: The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.141, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.016, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

Event ID: 102 (ESENT)
DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine (6.02.8189.0000) is starting a new instance (0).

Event ID: 105 (ESENT)
DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000.

Event ID: 325 (ESENT)
DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine created a new database (1, \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.016, [4] 0.062, [5] 0.000, [6] 0.016, [7] 0.000, [8] 0.000, [9] 0.015, [10] 0.000, [11] 0.000.
Event ID: 4614 (DFSR)
...has replicated with its partner. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers. Additional Information: Replicated Folder Name: SYSVOL Share; Replicated Folder ID: <GUID>; Replication Group Name: Domain System Volume; Replication Group ID: <GUID>; Member ID: <GUID>; Read-Only: 0

Event ID: 4604 (DFSR)
The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member has completed initial synchronization of SYSVOL with partner dc1.corp.contoso.com. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share". Additional Information: Replicated Folder Name: SYSVOL Share; Replicated Folder ID: <GUID>; Replication Group Name: Domain System Volume; Replication Group ID: <GUID>; Member ID: <GUID>; Sync partner: <partner domain controller FQDN>
...when power to the drive is interrupted and critical updates are lost.

Event ID: 13565 (NTFRS)
File Replication Service is initializing the system volume with data from another domain controller. Computer DC4 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL. To check for the SYSVOL share, at the command prompt, type: net share. When File Replication Service completes the initialization process, the SYSVOL share will appear. The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

Event ID: 13520 (NTFRS)
The File Replication Service moved the preexisting files in <path> to <path>\NtFrs_PreExisting___See_EventLog. The File Replication Service may delete the files in <path>\NtFrs_PreExisting___See_EventLog at any time. Files can be saved from deletion by copying them out of <path>\NtFrs_PreExisting___See_EventLog. Copying the files into <path> may lead to name conflicts if the files already exist on some other replicating partner. In some cases, the File Replication Service may copy a file from <path>\NtFrs_PreExisting___See_EventLog into <path> instead of replicating the file from some other replicating partner. Space can be recovered at any time by deleting the files in <path>\NtFrs_PreExisting___See_EventLog.

Event ID: 13553 (NTFRS)
The File Replication Service successfully added this computer to the following replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)". Information related to this event is shown below: Computer DNS name is "<domain controller FQDN>"; Replica set member name is "<domain controller name>"; Replica set root path is "<path>"; Replica staging directory path is "<path>"; Replica working directory path is "<path>".

Event ID: 13554 (NTFRS)
The File Replication Service successfully added the connections shown below to the replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)". Inbound from "<partner domain controller FQDN>". Outbound to "<partner domain controller FQDN>". More information may appear in subsequent event log messages.

Event ID: 13516 (NTFRS)
The File Replication Service is no longer preventing the computer DC4 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL. Type "net share" to check for the SYSVOL share.
ESENT events, in the order logged: 103, 102, 105, 103, 102, 105, 325, 103, 102, 105, 326. Sample messages:

Event ID: 103 (ESENT)
...[6] 0.000, [7] 0.000, [8] 0.000, [9] 0.125, [10] 0.016, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

Event ID: 102 (ESENT)
ntfrs (3000) The database engine (6.02.8189.0000) is starting a new instance (0).

Event ID: 105 (ESENT)
ntfrs (3000) The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.016, [2] 0.000, [3] 0.000, [4] 0.094, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.032, [10] 0.000, [11] 0.000.

Event ID: 326 (ESENT)
ntfrs (3000) The database engine attached a database (1, c:\windows\ntfrs\jet\ntfrs.jdb). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.000, [4] 0.000, [5] 0.016, [6] 0.015, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000. Saved Cache: 1
Appendices
Terminology
Snapshot: The state of a virtual machine at a particular point in time. It is dependent on the chain of previous snapshots taken, on the hardware, and on the virtualization platform.
Clone: A complete and separate copy of a virtual machine. It is dependent on the virtual hardware (hypervisor).
Full Clone: An independent copy of a virtual machine that shares no resources with the parent virtual machine after the cloning operation. Ongoing operation of a full clone is entirely separate from the parent virtual machine.
Differencing disk: A copy of a virtual machine that shares virtual disks with the parent virtual machine in an ongoing manner. This usually conserves disk space and allows multiple virtual machines to use the same software installation.
VM Copy: A file system copy of all the related files and folders of a virtual machine.
VHD File Copy: A copy of a virtual machine's VHD.
VM Generation ID: A 128-bit integer given to the virtual machine by the hypervisor. This ID is stored in memory and reset every time a snapshot is applied. The design uses a hypervisor-agnostic mechanism for surfacing the VM-Generation ID in the virtual machine. The Hyper-V implementation exposes the ID in the ACPI table of the virtual machine.
Import/Export: A Hyper-V feature that allows the user to save the entire virtual machine (VM files, VHD and the machine configuration). It then allows users to use that set of files to bring the machine back on the same machine as the same VM (Restore), on a different machine as the same VM (Move), or as a new VM (Copy).
Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta
Figure 58
Overview
AD DS relies on the hypervisor platform to expose an identifier called VM-Generation ID to detect a virtual machine's creation. AD DS initially stores the value of this identifier in its database (NTDS.DIT) during domain controller promotion. When the virtual machine boots up, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values are different, the domain controller resets the Invocation ID and discards the RID pool, thereby preventing USN re-use or the potential creation of duplicate security principals. The domain controller then reads the contents of the DCCloneConfig.xml, the DefaultDCCloneAllowList.xml, and any CustomDCCloneAllowList.xml, and begins cloning. The domain controller renames itself and alters its IP information. The server re-promotes itself as a new domain controller using the existing NTDS.DIT and SYSVOL contents as source media. Cloning is complete.
   a. If the value does not exist, this is a first attempt at cloning for this virtual machine. The guest implements the VDC object duplication safety measures of invalidating the local RID pool and setting a new replication invocation ID for the domain controller.
   b. If the value is already set to 0x1, this is a "retry" cloning attempt, where a previous cloning operation failed. The VDC object duplication safety measures are not taken, as they must already have run once before and would unnecessarily alter the guest multiple times.
4. The IsClone DWORD registry value name (under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters)
5. The NTDS service changes the guest boot flag to start in DS Restore Mode for any further reboots.
6. The NTDS service attempts to read the DCCloneConfig.xml in one of the three accepted locations (the DSA Working Directory, %windir%\NTDS, or the root of removable read/write media, in order of drive letter).
   a. If the file does not exist in any valid location, the guest checks the IP address for duplication. If it is not duplicated, the server boots up normally. If there is a duplicate IP address, the computer boots into DSRM to protect the network from a duplicate domain controller.
   b. If the file does exist in a valid location, the NTDS service validates its settings. If the file is blank (or any particular settings are blank), NTDS uses automatic values for those settings.
More Information: See the previous section XML Details and Behaviors for specific automatic generation rules and network behaviors
c. If the DcCloneConfig.xml exists but contains any invalid entries or is unreadable, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller. 7. The guest disables all DNS auto-registration to prevent accidental hijacking of the source computer name and IP addresses. 8. The guest stops the Netlogon service to prevent any advertising or answering of network AD DS requests from clients. 9. NTDS validate that there are no services or programs installed that are not part of the DefaultDCCloneAllowList.xml or CustomDCCloneAllowList.xml a. If there are services or programs installed that are not in the default exclusion allow list or the custom exclusion allow list, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller. b. If there are no incompatibilities, cloning continues.
More Information: See the previous section XML Details and Behaviors for specific automatic generation rules and network behaviors
10. If using automatic IP addressing because the DCCloneConfig.xml network settings are blank, the guest enables DHCP on the network adapters to obtain an IP address lease, network routing, and name resolution information.
11. The guest locates and contacts the domain controller holding the PDC emulator FSMO role, using DNS and the DC Locator protocol. It makes an RPC connection and calls the method IDL_DRSAddCloneDC to clone the domain controller computer object.
   a. If the guest's source computer object holds the domain head extended permission "Allow a DC to create a clone of itself", cloning proceeds.
   b. If the guest's source computer object does not hold that extended permission, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller.
12. The AD DS computer object is set to match the DCCloneConfig.xml (or the automatically generated values) and is created on the PDCE. NTDS creates the correct NTDS Settings object for the appropriate AD logical site. The guest renames the local computer to match the new domain controller object name.
13. The guest provides the promotion settings to the DS Role Server service, which commences promotion.
14. The DS Role Server service stops all of the AD DS-related services (NTDS, NTFRS/DFSR, KDC, DNS).
15. The guest forces NT5DS (Windows NTP) time synchronization with another domain controller (in a default time hierarchy, this means using the PDCE). The guest contacts a domain controller that holds the source domain controller account of the clone (likely the PDCE). All existing Kerberos tickets are flushed.
16. The guest configures the DFSR or NTFRS service to run automatically. The guest deletes all existing DFSR and NTFRS database files (default: c:\windows\ntfrs and c:\system volume information\dfsr\<database_GUID>) in order to force non-authoritative synchronization of SYSVOL when the service next starts. The guest does not delete the file contents of SYSVOL, so that they pre-seed SYSVOL when synchronization starts later.
17. The DS Role Server service on the guest begins AD DS configuration (promotion), using the existing NTDS.DIT database file as the source rather than the template database included in c:\windows\system32, as a normal promotion does.
18. The guest contacts the RID Master FSMO role holder to get a new RID pool allocation.
19. The promotion process creates a new invocation ID and recreates the NTDS Settings object for the cloned domain controller (irrespective of cloning, this is part of domain promotion when using an existing NTDS.DIT database).
20. NTDS replicates in objects that are missing, newer, or of a higher version from a partner domain controller. The NTDS.DIT already contains objects from the time the source domain controller went offline, and those are used where possible in order to minimize inbound replication traffic. The global catalog partitions are populated.
21. The DFSR or FRS service starts and, because there is no database, SYSVOL non-authoritatively synchronizes inbound from a replication partner. This process re-uses preexisting data in the SYSVOL folder in order to minimize network replication traffic.
22. The guest re-enables DNS client registration now that the computer is uniquely named and networked.
23. The guest runs the SYSPREP modules specified by the DefaultDCCloneAllowList.xml <SysprepInformation> element in order to scrub out references to the previous computer name and SID.
24. Cloning promotion is complete.
   a. The guest removes the DSRM boot flag so the next reboot will be normal.
   b. The guest renames the DCCloneConfig.xml with an appended date-time stamp, so that it is not read again at the next boot.
   c. The guest removes the VDCisCloning DWORD registry value name (under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters).
   d. The guest sets the "Vdc cloning done" DWORD registry value name (under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters) to 0x1. Windows does not use this value; it is provided as a marker for third parties.
25. The guest updates the msDS-GenerationID attribute on its own cloned domain controller object to match the current guest VM-Generation ID.
26. The guest restarts. It is now a normal, advertising domain controller.
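The following script is an added example and is not part of this guide or of Windows. It is a read-only pre-flight check, run elevated on the source domain controller with the Active Directory module available, for the conditions the steps above test before a clone can succeed: that a VM-Generation ID was stored in msDS-GenerationID, that the source computer object holds the "Allow a DC to create a clone of itself" right on the domain head (checked both through Cloneable Domain Controllers membership and through the ACE that FixVDCPermissions.ps1 writes), that no installed service falls outside the allow lists (step 9), where a DCCloneConfig.xml would be found (step 6), and what the registry markers named on this page currently hold. The allow list file locations are assumptions, as is the layout of a custom list (taken to match the default list shown later in this appendix).

```powershell
# Added example, not the UTG's or Windows' own code. Read-only; changes nothing.
Import-Module ActiveDirectory

function Get-AllowListServiceNames {
    # Assumes the <Allow><Name>..</Name><Type>Service</Type></Allow> layout of DefaultDCCloneAllowList.xml.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    @($doc.SelectNodes('//Allow[Type="Service"]/Name') | ForEach-Object { $_.InnerText })
}

function Test-VdcCloneReadiness {
    param(
        # Both locations are assumptions; this page does not state where the lists live.
        [string]$DefaultAllowList = "$env:windir\System32\DefaultDCCloneAllowList.xml",
        [string]$CustomAllowList  = "$env:windir\NTDS\CustomDCCloneAllowList.xml"
    )
    $ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $domain     = Get-ADDomain
    $dc         = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-GenerationID'
    $r          = [ordered]@{}

    # The hypervisor must surface VM-Generation ID; AD DS keeps the value it saw at
    # promotion in msDS-GenerationID (step 25 rewrites it after cloning).
    $r.GenerationIdStored = $null -ne $dc.'msDS-GenerationID'

    # Step 11a: the clone right is checked on the domain head. FixVDCPermissions.ps1 grants
    # it to the Cloneable Domain Controllers group, so report membership and the ACE itself.
    $group   = Get-ADGroup 'Cloneable Domain Controllers'
    $members = @(Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty distinguishedName)
    $r.InCloneableGroup = $members -contains $dc.DistinguishedName

    $cloneRight = [Guid]'3e0f7e18-2c7a-4c10-ba82-4d926db99a3e'   # DS-CloneDomain-Controller (from FixVDCPermissions.ps1)
    $acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    $r.CloneAceOnDomainHead = @($acl.Access | Where-Object {
        ($_.ObjectType -eq $cloneRight) -and
        ($_.AccessControlType -eq 'Allow') -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.IdentityReference.Value -like "*\$($group.Name)") }).Count -gt 0

    # Step 9: every installed service must appear in the default or the custom allow list.
    $allowed = @(Get-AllowListServiceNames $DefaultAllowList) + @(Get-AllowListServiceNames $CustomAllowList)
    $r.ServicesNotInAllowList = @(Get-Service | Where-Object { $allowed -notcontains $_.Name } |
                                  Select-Object -ExpandProperty Name)

    # Step 6: DCCloneConfig.xml is read from the DSA Working Directory, %windir%\NTDS,
    # or the root of removable read/write media, in drive-letter order.
    $params = Get-ItemProperty -Path $ntdsParams
    $roots  = @($params.'DSA Working Directory', "$env:windir\NTDS")
    $roots += Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' |      # DriveType 2 = removable
              Sort-Object DeviceID | ForEach-Object { $_.DeviceID + '\' }
    $r.DCCloneConfigFound = @($roots | Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'DCCloneConfig.xml' } |
        Where-Object { Test-Path -LiteralPath $_ })

    # Registry markers exactly as this page names them; a value that is absent shows as empty.
    $r.IsClone        = $params.IsClone
    $r.VDCisCloning   = $params.VDCisCloning
    $r.VdcCloningDone = $params.'Vdc cloning done'

    [pscustomobject]$r
}

Test-VdcCloneReadiness | Format-List
```

A non-empty ServicesNotInAllowList is the condition that sends the guest into DSRM at step 9a, so it is the first field to look at when a clone boots into DSRM; the CloneAceOnDomainHead field distinguishes a missing FixVDCPermissions.ps1 run from a simple group membership problem.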
Figure 59
Overview
AD DS relies on the hypervisor platform to expose an identifier called VM-Generation ID to detect a virtual machine's restoration from a previous snapshot. AD DS initially stores the value of this identifier in its database (NTDS.DIT) during domain controller promotion. When an administrator restores the virtual machine from a previous snapshot, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values are different, the domain controller resets the Invocation ID and discards the RID pool, thereby preventing USN re-use or the potential creation of duplicate security principals. The domain controller then synchronizes AD object differences with a partner. It also non-authoritatively synchronizes the SYSVOL folder. Safe restoration is complete.
3. The guest implements the VDC AD object synchronization operations of:
   a. Invalidating the local RID pool.
   b. Setting a new invocation ID for the domain controller database.
4. NTDS replicates AD object differences inbound, non-authoritatively, from a partner domain controller. The domain controller requests changes starting at a USN that precedes the USN at which the local directory service was restored. The up-to-dateness vector of the destination directory service is changed appropriately.
5. The guest synchronizes SYSVOL:
   a. If using FRS, the guest stops the NTFRS service and sets the BurFlags registry value to D2. It then starts the NTFRS service, which non-authoritatively replicates inbound, re-using existing unchanged SYSVOL data where possible.
   b. If using DFSR, the guest stops the DFSR service and deletes the DFSR database files (default location: c:\system volume information\dfsr\<database GUID>). It then starts the DFSR service, which non-authoritatively replicates inbound, re-using existing unchanged SYSVOL data where possible.
6. The guest updates the msDS-GenerationID attribute on its own domain controller object to match the current guest VM-Generation ID.
7. Safe snapshot restore completes.
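As an added example that is not part of this guide or of Windows, the function below reads, without changing anything, the state that the restore steps above modify: the replication invocation ID (step 3b), the RID pool held on the domain controller's RID Set object (step 3a), the stored msDS-GenerationID (step 6), and the SYSVOL engine state (FRS BurFlags, presence of the DFSR database folder, step 5). Run it elevated on the domain controller once before a snapshot is applied and once after, and compare the two outputs. The RID Set attributes and the FRS key path are standard AD DS and FRS names, not values taken from this page.

```powershell
# Added example, not the UTG's or Windows' own code. Read-only; changes nothing.
Import-Module ActiveDirectory

function Get-VdcRestoreState {
    param([string]$DomainController = $env:COMPUTERNAME)

    $dc       = Get-ADDomainController -Identity $DomainController
    $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationID', rIDSetReferences

    # Step 3a invalidates the local RID pool. The pool lives on the RID Set object that the
    # computer object's rIDSetReferences attribute points to.
    $ridSet = $null
    if ($computer.rIDSetReferences) {
        $ridSet = Get-ADObject -Identity ($computer.rIDSetReferences | Select-Object -First 1) `
                               -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    }

    # Step 5a: FRS is told to restore non-authoritatively through BurFlags = 0xD2. The key
    # name contains a forward slash, which the PowerShell registry provider would read as a
    # path separator, so the key is opened with the .NET registry class instead.
    $frsKeyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $burFlags   = $null
    $frsKey     = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($frsKeyPath)
    if ($frsKey) { $burFlags = $frsKey.GetValue('BurFlags'); $frsKey.Close() }

    # Step 5b: DFSR is forced to resynchronize by deleting its database under
    # "System Volume Information". That folder denies access even to administrators by
    # default, so Test-Path returns $false both when the database is gone and when access
    # is denied; treat this field as a hint, not as proof.
    $dfsrFolder = Test-Path -LiteralPath "$env:SystemDrive\System Volume Information\DFSR" -ErrorAction SilentlyContinue

    $genId     = $computer.'msDS-GenerationID'          # octet string, returned as a byte array
    $genIdText = if ($genId) { [BitConverter]::ToString([byte[]]$genId) } else { $null }
    $burText   = if ($null -ne $burFlags) { '0x{0:X}' -f $burFlags } else { $null }
    $engines   = (Get-Service -Name DFSR, NtFrs -ErrorAction SilentlyContinue |
                  ForEach-Object { "$($_.Name)=$($_.Status)" }) -join '; '

    [pscustomobject]@{
        DomainController   = $dc.HostName
        InvocationId       = $dc.InvocationId            # reset by step 3b
        GenerationIdStored = $genIdText
        RidAllocationPool  = if ($ridSet) { $ridSet.rIDAllocationPool } else { $null }
        RidPreviousPool    = if ($ridSet) { $ridSet.rIDPreviousAllocationPool } else { $null }
        RidNextRid         = if ($ridSet) { $ridSet.rIDNextRID } else { $null }
        FrsBurFlags        = $burText
        DfsrDatabaseFolder = $dfsrFolder
        SysvolEngines      = $engines
    }
}

Get-VdcRestoreState | Format-List
```

After a safe restore the InvocationId differs from the earlier run and the RID pool fields no longer match the pre-snapshot values; an unchanged InvocationId after a snapshot was applied means the VM-Generation ID comparison never fired, which is the situation to investigate.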
FixVDCPermissions.ps1
# Unsigned script, requires use of set-executionpolicy remotesigned -force
# You must run the Windows PowerShell console as an elevated administrator
# Load Active Directory Windows PowerShell Module and switch to AD DS drive
import-module activedirectory
cd ad:
## Get Domain NC
$domainNC = get-addomain
## Get groups and obtain their SIDs
$dcgroup = get-adgroup "Cloneable Domain Controllers"
$sid1 = (get-adgroup $dcgroup).sid
## Get the DACL of the domain
$acl = get-acl $domainNC
## The following object specific ACE grants extended right 'Allow a DC to create a clone of itself' for the CDC group to the Domain NC
## 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e is the schemaIDGuid for 'DS-CloneDomain-Controller'
$objectguid = new-object Guid 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid1,"ExtendedRight","Allow",$objectguid
## Add the ACE in the ACL and set the ACL on the object
$acl.AddAccessRule($ace1)
set-acl -aclobject $acl $domainNC
write-host "Done writing new VDC permissions."
cd c:
The DCCloneConfigSchema.XSD
<?xml version="1.0" encoding="utf-8"?>
<xs:schema elementFormDefault="unqualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="uri:microsoft.com:schemas:DCCloneConfig">
  <xs:element name="DCCloneConfig">
    <xs:complexType>
      <xs:all>
        <!-- if no SiteName is specified clone will be created in the same site as source-->
        <xs:element name="SiteName" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <!-- if no ComputerName is specified a pseudo-random name will be generated -->
        <xs:element name="ComputerName" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="IPSettings" minOccurs="0" maxOccurs="1">
          <xs:complexType>
            <xs:all>
              <xs:element name="IPv4Settings" minOccurs="0" maxOccurs="1">
                <xs:complexType>
                  <xs:choice minOccurs="1" maxOccurs="1">
                    <xs:element name="StaticSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="Address" minOccurs="1" maxOccurs="1" type="xs:string" />
                          <xs:element name="SubnetMask" minOccurs="1" maxOccurs="1" type="xs:string" />
                          <xs:element name="DefaultGateway" minOccurs="0" maxOccurs="1" type="xs:string" />
                          <xs:element name="DNSResolver" minOccurs="1" maxOccurs="4" type="xs:string" />
                          <xs:element name="PreferredWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                          <xs:element name="AlternateWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element> <!--End of IPV4 StaticSettings element-->
                    <xs:element name="DynamicSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="DNSResolver" minOccurs="0" maxOccurs="4" type="xs:string" />
                          <xs:element name="PreferredWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                          <xs:element name="AlternateWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element> <!--End of IPV4 DynamicSettings element-->
                  </xs:choice> <!--End of Static / Dynamic IPV4 choice-->
                </xs:complexType>
              </xs:element> <!--End of IPV4NetworkConfig element-->
              <xs:element name="IPv6Settings" minOccurs="0" maxOccurs="1">
                <xs:complexType>
                  <xs:choice minOccurs="1" maxOccurs="1">
                    <xs:element name="StaticSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="DNSResolver" minOccurs="1" maxOccurs="4" type="xs:string" />
                        </xs:sequence>
                        <xs:attribute name="Reserved" type="xs:string" />
                      </xs:complexType>
                    </xs:element> <!--End of IPV6 StaticSettings element-->
                    <xs:element name="DynamicSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="DNSResolver" minOccurs="0" maxOccurs="4" type="xs:string" />
                        </xs:sequence>
                        <xs:attribute name="Reserved" type="xs:string" />
                      </xs:complexType>
                    </xs:element> <!--End of IPV6 DynamicSettings element-->
                  </xs:choice>
                </xs:complexType>
              </xs:element> <!--End of IPV6Settings element-->
            </xs:all>
          </xs:complexType>
        </xs:element> <!--End of IPSettings element-->
      </xs:all>
    </xs:complexType>
  </xs:element>
</xs:schema>
The SampleDCCloneConfig.XML
<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
  <ComputerName></ComputerName>
  <SiteName></SiteName>
  <IPSettings>
    <IPv4Settings>
      <StaticSettings>
        <Address></Address>
        <SubnetMask></SubnetMask>
        <DefaultGateway></DefaultGateway>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <PreferredWINSServer></PreferredWINSServer>
        <AlternateWINSServer></AlternateWINSServer>
      </StaticSettings>
    </IPv4Settings>
    <IPv6Settings>
      <StaticSettings>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
      </StaticSettings>
    </IPv6Settings>
  </IPSettings>
</d3c:DCCloneConfig>
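The two functions below are an added example and are not part of this guide or of Windows. The first builds a DCCloneConfig.xml for the static IPv4 case in the layout of the sample above (prefixed root element, unqualified children, the StaticSettings sequence in schema order); the second validates any DCCloneConfig.xml against DCCloneConfigSchema.XSD before the file is placed on the source domain controller, because a file with invalid entries makes cloning fail into DSRM (step 6c of the cloning process). The location of the schema file and the addresses in the usage lines are assumptions.

```powershell
# Added example, not the UTG's or Windows' own code.
$DCCloneNamespace = 'uri:microsoft.com:schemas:DCCloneConfig'   # targetNamespace of the XSD above

function New-DCCloneConfigXml {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ComputerName = '',      # blank: NTDS generates a name (see the schema comment)
        [string]$SiteName     = '',      # blank: same site as the source
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$SubnetMask,
        [string]$DefaultGateway,
        [Parameter(Mandatory)][string[]]$DnsResolver,   # 1 to 4 entries, per the schema
        [string]$PreferredWINSServer,
        [string]$AlternateWINSServer
    )
    if ($DnsResolver.Count -lt 1 -or $DnsResolver.Count -gt 4) {
        throw 'DNSResolver allows between 1 and 4 entries.'
    }
    $doc  = New-Object System.Xml.XmlDocument
    $null = $doc.AppendChild($doc.CreateXmlDeclaration('1.0', $null, $null))
    # Only the root is namespace-qualified; the children are unqualified, as required by
    # elementFormDefault="unqualified" in the schema and shown in the sample.
    $root = $doc.AppendChild($doc.CreateElement('d3c', 'DCCloneConfig', $DCCloneNamespace))
    $add  = {
        param($parent, $name, $text)
        $e = $parent.AppendChild($doc.CreateElement($name))
        if ($null -ne $text) { $e.InnerText = $text }
        $e
    }
    $null   = & $add $root 'ComputerName' $ComputerName
    $null   = & $add $root 'SiteName' $SiteName
    $ip     = & $add $root 'IPSettings'
    $ipv4   = & $add $ip 'IPv4Settings'
    $static = & $add $ipv4 'StaticSettings'
    # The schema fixes this order: Address, SubnetMask, DefaultGateway, DNSResolver (1-4),
    # PreferredWINSServer, AlternateWINSServer.
    $null = & $add $static 'Address' $Address
    $null = & $add $static 'SubnetMask' $SubnetMask
    if ($DefaultGateway) { $null = & $add $static 'DefaultGateway' $DefaultGateway }
    foreach ($dns in $DnsResolver) { $null = & $add $static 'DNSResolver' $dns }
    if ($PreferredWINSServer) { $null = & $add $static 'PreferredWINSServer' $PreferredWINSServer }
    if ($AlternateWINSServer) { $null = & $add $static 'AlternateWINSServer' $AlternateWINSServer }
    $doc.Save($Path)
    $Path
}

function Test-DCCloneConfigXml {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$SchemaPath   # DCCloneConfigSchema.XSD; its location is not stated on this page
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.ValidationType  = [System.Xml.ValidationType]::Schema
    # Report warnings as well: without this, a root element that matches no schema passes silently.
    $settings.ValidationFlags = $settings.ValidationFlags -bor [System.Xml.Schema.XmlSchemaValidationFlags]::ReportValidationWarnings
    $null = $settings.Schemas.Add($DCCloneNamespace, $SchemaPath)
    $settings.add_ValidationEventHandler({ param($sender, $e) $problems.Add("$($e.Severity): $($e.Message)") }.GetNewClosure())
    $reader = [System.Xml.XmlReader]::Create($Path, $settings)
    try { while ($reader.Read()) { } } finally { $reader.Close() }
    [pscustomobject]@{ Path = $Path; IsValid = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Usage with constructed sample values; write to a scratch location first, then copy the
# validated file to one of the three accepted locations (for example %windir%\NTDS).
$cfg = Join-Path $env:TEMP 'DCCloneConfig.xml'
New-DCCloneConfigXml -Path $cfg -ComputerName 'CLONEDC01' -Address '10.0.0.21' -SubnetMask '255.255.255.0' `
    -DefaultGateway '10.0.0.1' -DnsResolver '10.0.0.10', '10.0.0.11'
Test-DCCloneConfigXml -Path $cfg -SchemaPath 'C:\PATH-TO\DCCloneConfigSchema.xsd' | Format-List
```

Schema validation checks shape, not values: the all-blank sample above validates cleanly, since every element is typed xs:string, and NTDS then substitutes automatic values for the blanks (step 6b). What the validator does catch is the class of mistakes that step 6c turns into a DSRM boot, such as a fifth DNSResolver, a StaticSettings element without an Address, or a typo in an element name.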
The DefaultDCCloneAllowList.XML
<DefaultCloneConfig>
  <AllowList>
    <!-- Service types -->
    <Allow><Name>ADWS</Name><Type>Service</Type></Allow>
    <Allow><Name>AeLookupSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>ALG</Name><Type>Service</Type></Allow>
    <Allow><Name>AllUserInstallAgent</Name><Type>Service</Type></Allow>
    <Allow><Name>AppIDSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Appinfo</Name><Type>Service</Type></Allow>
    <Allow><Name>AppMgmt</Name><Type>Service</Type></Allow>
    <Allow><Name>AudioEndpointBuilder</Name><Type>Service</Type></Allow>
    <Allow><Name>Audiosrv</Name><Type>Service</Type></Allow>
    <Allow><Name>AxInstSV</Name><Type>Service</Type></Allow>
    <Allow><Name>BFE</Name><Type>Service</Type></Allow>
    <Allow><Name>BITS</Name><Type>Service</Type></Allow>
    <Allow><Name>BrokerInfrastructure</Name><Type>Service</Type></Allow>
    <Allow><Name>Browser</Name><Type>Service</Type></Allow>
    <Allow><Name>CertPropSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>COMSysApp</Name><Type>Service</Type></Allow>
    <Allow><Name>CryptSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>CscService</Name><Type>Service</Type></Allow>
    <Allow><Name>DcomLaunch</Name><Type>Service</Type></Allow>
    <Allow><Name>defragsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>DeviceAssociationService</Name><Type>Service</Type></Allow>
    <Allow><Name>DeviceInstall</Name><Type>Service</Type></Allow>
    <Allow><Name>Dfs</Name><Type>Service</Type></Allow>
    <Allow><Name>DFSR</Name><Type>Service</Type></Allow>
    <Allow><Name>Dhcp</Name><Type>Service</Type></Allow>
    <Allow><Name>DNS</Name><Type>Service</Type></Allow>
    <Allow><Name>Dnscache</Name><Type>Service</Type></Allow>
    <Allow><Name>dot3svc</Name><Type>Service</Type></Allow>
    <Allow><Name>DPS</Name><Type>Service</Type></Allow>
    <Allow><Name>DsmSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>DsRoleSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Eaphost</Name><Type>Service</Type></Allow>
    <Allow><Name>EFS</Name><Type>Service</Type></Allow>
    <Allow><Name>EventLog</Name><Type>Service</Type></Allow>
    <Allow><Name>EventSystem</Name><Type>Service</Type></Allow>
    <Allow><Name>FCRegSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>fdPHost</Name><Type>Service</Type></Allow>
    <Allow><Name>FDResPub</Name><Type>Service</Type></Allow>
    <Allow><Name>FontCache</Name><Type>Service</Type></Allow>
    <Allow><Name>FontCache3.0.0.0</Name><Type>Service</Type></Allow>
    <Allow><Name>gpsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>hidserv</Name><Type>Service</Type></Allow>
    <Allow><Name>hkmsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>idsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>IKEEXT</Name><Type>Service</Type></Allow>
    <Allow><Name>IPBusEnum</Name><Type>Service</Type></Allow>
    <Allow><Name>iphlpsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>IsmServ</Name><Type>Service</Type></Allow>
    <Allow><Name>Kdc</Name><Type>Service</Type></Allow>
    <Allow><Name>KdsSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>KeyIso</Name><Type>Service</Type></Allow>
    <Allow><Name>KPSSVC</Name><Type>Service</Type></Allow>
    <Allow><Name>KtmRm</Name><Type>Service</Type></Allow>
    <Allow><Name>LanmanServer</Name><Type>Service</Type></Allow>
    <Allow><Name>LanmanWorkstation</Name><Type>Service</Type></Allow>
    <Allow><Name>lltdsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>lmhosts</Name><Type>Service</Type></Allow>
    <Allow><Name>LSM</Name><Type>Service</Type></Allow>
    <Allow><Name>MMCSS</Name><Type>Service</Type></Allow>
    <Allow><Name>MpsSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>MSDTC</Name><Type>Service</Type></Allow>
    <Allow><Name>MSiSCSI</Name><Type>Service</Type></Allow>
    <Allow><Name>msiserver</Name><Type>Service</Type></Allow>
    <Allow><Name>napagent</Name><Type>Service</Type></Allow>
    <Allow><Name>NcaSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Netlogon</Name><Type>Service</Type></Allow>
    <Allow><Name>Netman</Name><Type>Service</Type></Allow>
    <Allow><Name>netprofm</Name><Type>Service</Type></Allow>
    <Allow><Name>NetTcpPortSharing</Name><Type>Service</Type></Allow>
    <Allow><Name>NlaSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>nsi</Name><Type>Service</Type></Allow>
    <Allow><Name>NTDS</Name><Type>Service</Type></Allow>
    <Allow><Name>NtFrs</Name><Type>Service</Type></Allow>
    <Allow><Name>PerfHost</Name><Type>Service</Type></Allow>
    <Allow><Name>pla</Name><Type>Service</Type></Allow>
    <Allow><Name>PlugPlay</Name><Type>Service</Type></Allow>
    <Allow><Name>PolicyAgent</Name><Type>Service</Type></Allow>
    <Allow><Name>Power</Name><Type>Service</Type></Allow>
    <Allow><Name>PrintService</Name><Type>Service</Type></Allow>
    <Allow><Name>ProfSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>RasAuto</Name><Type>Service</Type></Allow>
    <Allow><Name>RasMan</Name><Type>Service</Type></Allow>
    <Allow><Name>RemoteAccess</Name><Type>Service</Type></Allow>
    <Allow><Name>RemoteRegistry</Name><Type>Service</Type></Allow>
    <Allow><Name>RpcEptMapper</Name><Type>Service</Type></Allow>
    <Allow><Name>RpcLocator</Name><Type>Service</Type></Allow>
    <Allow><Name>RpcSs</Name><Type>Service</Type></Allow>
    <Allow><Name>RSoPProv</Name><Type>Service</Type></Allow>
    <Allow><Name>sacsvr</Name><Type>Service</Type></Allow>
    <Allow><Name>SamSs</Name><Type>Service</Type></Allow>
    <Allow><Name>SCardSvr</Name><Type>Service</Type></Allow>
    <Allow><Name>Schedule</Name><Type>Service</Type></Allow>
    <Allow><Name>SCPolicySvc</Name><Type>Service</Type></Allow>
    <Allow><Name>seclogon</Name><Type>Service</Type></Allow>
    <Allow><Name>SENS</Name><Type>Service</Type></Allow>
    <Allow><Name>SessionEnv</Name><Type>Service</Type></Allow>
    <Allow><Name>SharedAccess</Name><Type>Service</Type></Allow>
    <Allow><Name>ShellHWDetection</Name><Type>Service</Type></Allow>
    <Allow><Name>SidKeySvc</Name><Type>Service</Type></Allow>
    <Allow><Name>SNMPTRAP</Name><Type>Service</Type></Allow>
    <Allow><Name>Spooler</Name><Type>Service</Type></Allow>
    <Allow><Name>sppsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>SSDPSRV</Name><Type>Service</Type></Allow>
    <Allow><Name>SstpSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>stisvc</Name><Type>Service</Type></Allow>
    <Allow><Name>svsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>swprv</Name><Type>Service</Type></Allow>
    <Allow><Name>SysMain</Name><Type>Service</Type></Allow>
    <Allow><Name>SystemEventsBroker</Name><Type>Service</Type></Allow>
    <Allow><Name>TabletInputService</Name><Type>Service</Type></Allow>
    <Allow><Name>TapiSrv</Name><Type>Service</Type></Allow>
    <Allow><Name>TermService</Name><Type>Service</Type></Allow>
    <Allow><Name>Themes</Name><Type>Service</Type></Allow>
    <Allow><Name>THREADORDER</Name><Type>Service</Type></Allow>
    <Allow><Name>TimeBroker</Name><Type>Service</Type></Allow>
    <Allow><Name>TrkWks</Name><Type>Service</Type></Allow>
    <Allow><Name>TrustedInstaller</Name><Type>Service</Type></Allow>
    <Allow><Name>UALSVC</Name><Type>Service</Type></Allow>
    <Allow><Name>UI0Detect</Name><Type>Service</Type></Allow>
    <Allow><Name>UmRdpService</Name><Type>Service</Type></Allow>
    <Allow><Name>upnphost</Name><Type>Service</Type></Allow>
    <Allow><Name>VaultSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>vds</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicheartbeat</Name><Type>Service</Type></Allow>
    <Allow><Name>vmickvpexchange</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicrdv</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicshutdown</Name><Type>Service</Type></Allow>
    <Allow><Name>vmictimesync</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicvss</Name><Type>Service</Type></Allow>
    <Allow><Name>VSS</Name><Type>Service</Type></Allow>
    <Allow><Name>W32Time</Name><Type>Service</Type></Allow>
    <Allow><Name>WbioSrvc</Name><Type>Service</Type></Allow>
    <Allow><Name>WcsPlugInService</Name><Type>Service</Type></Allow>
    <Allow><Name>WdiServiceHost</Name><Type>Service</Type></Allow>
    <Allow><Name>WdiSystemHost</Name><Type>Service</Type></Allow>
    <Allow><Name>WebClient</Name><Type>Service</Type></Allow>
    <Allow><Name>Wecsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>wercplsupport</Name><Type>Service</Type></Allow>
    <Allow><Name>WerSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>WiaRpc</Name><Type>Service</Type></Allow>
    <Allow><Name>WinHttpAutoProxySvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Winmgmt</Name><Type>Service</Type></Allow>
    <Allow><Name>WinRM</Name><Type>Service</Type></Allow>
    <Allow><Name>wmiApSrv</Name><Type>Service</Type></Allow>
    <Allow><Name>WPDBusEnum</Name><Type>Service</Type></Allow>
    <Allow><Name>WSService</Name><Type>Service</Type></Allow>
    <Allow><Name>wuauserv</Name><Type>Service</Type></Allow>
    <Allow><Name>wudfsvc</Name><Type>Service</Type></Allow>
  </AllowList>
  <sysprepInformation>
    <imaging>
      <sysprepModule methodName="CAPISysPrep_Generalize" moduleName="$(runtime.windows)\system32\capisp.dll" />
      <sysprepModule methodName="DhcpClient_Generalize" moduleName="$(runtime.system32)\dhcpcsvc.dll" />
      <sysprepModule methodName="RdpSysPrepGeneralize" moduleName="$(runtime.system32)\setup\tssysprep.dll" />
      <!--sysprepModule methodName="CryptoSysPrep_Specialize" moduleName="$(runtime.windows)\system32\capisp.dll" /-->
      <sysprepModule methodName="RdpSysPrepRestore" moduleName="$(runtime.system32)\setup\tssysprep.dll" />
      <sysprepModule methodName="RacSysprepSpecialize" moduleName="RacEngn.dll" />
      <sysprepModule methodName="WerSysprepCleanup" moduleName="wer.dll" />
      <sysprepModule methodName="SqmSysprepGeneralize" moduleName="sqmapi.dll" />
      <sysprepModule methodName="SqmSysprepSpecialize" moduleName="sqmapi.dll" />
      <sysprepModule methodName="GeneralizeForImaging" moduleName="$(runtime.system32)\wuaueng.dll" />
      <sysprepModule methodName="SLReArmWindows" moduleName="$(runtime.system32)\slc.dll" />
    </imaging>
  </sysprepInformation>
</DefaultCloneConfig>
Note:
The DefaultDCCloneAllowList also contains the SYSPREP modules called during cloning. These "mini-sysprep" steps are performed to ensure the cloned domain controller is unique in the important aspects.
Name | Type | Display name
Dnscache | Service | DNS Client
dot3svc | Service | Wired AutoConfig
DPS | Service | Diagnostic Policy Service
DsmSvc | Service | Device Setup Manager
DsRoleSvc | Service | DS Role Server
Eaphost | Service | Extensible Authentication Protocol
EFS | Service | Encrypting File System (EFS)
EventLog | Service | Windows Event Log
EventSystem | Service | COM+ Event System
FCRegSvc | Service |
fdPHost | Service | Function Discovery Provider Host
FDResPub | Service | Function Discovery Resource Publication
FontCache | Service | Windows Font Cache Service
FontCache3.0.0.0 | Service |
gpsvc | Service | Group Policy Client
hidserv | Service | Human Interface Device Access
hkmsvc | Service | Health Key and Certificate Management
idsvc | Service |
IKEEXT | Service |
IPBusEnum | Service |
iphlpsvc | Service |
IsmServ | Service | Intersite Messaging
Kdc | Service | Kerberos Key Distribution Center
KdsSvc | Service | Microsoft Key Distribution Service
KeyIso | Service | CNG Key Isolation
KPSSVC | Service | KDC Proxy Server service (KPS)
KtmRm | Service | KtmRm for Distributed Transaction Coordinator
LanmanServer | Service | Server
LanmanWorkstation | Service | Workstation
lltdsvc | Service | Link-Layer Topology Discovery Mapper
lmhosts | Service | TCP/IP NetBIOS Helper
LSM | Service | Local Session Manager
MMCSS | Service | Multimedia Class Scheduler
MpsSvc | Service | Windows Firewall
MSDTC | Service | Distributed Transaction Coordinator
MSiSCSI | Service | Microsoft iSCSI Initiator Service
msiserver | Service | Windows Installer
napagent | Service | Network Access Protection Agent
NcaSvc | Service | Network Connectivity Assistant
Netlogon | Service | Netlogon
Netman | Service | Network Connections
netprofm | Service | Network List Service
NetTcpPortSharing | Service | Net.Tcp Port Sharing Service
NlaSvc | Service | Network Location Awareness
nsi | Service | Network Store Interface Service
NTDS | Service | Active Directory Domain Services
NtFrs | Service | File Replication
PerfHost | Service | Performance Counter DLL Host
pla | Service | Performance Logs & Alerts
PlugPlay | Service | Plug and Play
PolicyAgent | Service | IPsec Policy Agent
Power | Service | Power
PrintService | Service |
ProfSvc | Service | User Profile Service
RasAuto | Service | Remote Access Auto Connection Manager
RasMan | Service | Remote Access Connection Manager
RemoteAccess | Service | Routing and Remote Access
RemoteRegistry | Service | Remote Registry
RpcEptMapper | Service | RPC Endpoint Mapper
RpcLocator | Service | Remote Procedure Call (RPC) Locator
RpcSs | Service | Remote Procedure Call (RPC)
RSoPProv | Service | Resultant Set of Policy Provider
sacsvr | Service | Special Administration Console Helper
SamSs | Service | Security Accounts Manager
SCardSvr | Service | Smart Card
Schedule | Service | Task Scheduler
SCPolicySvc | Service | Smart Card Removal Policy
seclogon | Service | Secondary Logon
SENS | Service | System Event Notification Service
SessionEnv | Service | Remote Desktop Configuration
SharedAccess | Service | Internet Connection Sharing (ICS)
ShellHWDetection | Service | Shell Hardware Detection
SidKeySvc | Service |
SNMPTRAP | Service | SNMP Trap
Spooler | Service | Print Spooler
sppsvc | Service | Software Protection
SSDPSRV | Service | SSDP Discovery
SstpSvc | Service | Secure Socket Tunneling Protocol Service
stisvc | Service |
svsvc | Service | Spot Verifier
swprv | Service | Microsoft Software Shadow Copy Provider
SysMain | Service | Superfetch
SystemEventsBroker | Service | System Events Broker
TabletInputService | Service |
TapiSrv | Service | Telephony
TermService | Service | Remote Desktop Services
Themes | Service | Themes
THREADORDER | Service | Thread Ordering Server
TimeBroker | Service | Time Broker
TrkWks | Service | Distributed Link Tracking Client
TrustedInstaller | Service | Windows Modules Installer
UALSVC | Service | User Access Logging Service
UI0Detect | Service | Interactive Services Detection
UmRdpService | Service | Remote Desktop Services UserMode Port Redirector
upnphost | Service | UPnP Device Host
VaultSvc | Service | Credential Manager
vds | Service | Virtual Disk
vmicheartbeat | Service | Hyper-V Heartbeat Service
vmickvpexchange | Service | Hyper-V Data Exchange Service
vmicrdv | Service | Hyper-V Remote Desktop Virtualization Service
vmicshutdown | Service | Hyper-V Guest Shutdown Service
vmictimesync | Service | Hyper-V Time Synchronization Service
vmicvss | Service | Hyper-V Volume Shadow Copy Requestor
VSS | Service | Volume Shadow Copy
W32Time | Service | Windows Time
WbioSrvc | Service |
WcsPlugInService | Service |
WdiServiceHost | Service |
WdiSystemHost | Service |
WebClient | Service |
Wecsvc | Service | Windows Event Collector
wercplsupport | Service | Problem Reports and Solutions Control Panel Support
WerSvc | Service | Windows Error Reporting Service
WiaRpc | Service |
WinHttpAutoProxySvc | Service | WinHTTP Web Proxy Auto-Discovery Service
Winmgmt | Service | Windows Management Instrumentation
WinRM | Service | Windows Remote Management (WS-Management)
wmiApSrv | Service | WMI Performance Adapter
WPDBusEnum | Service | Portable Device Enumerator Service
WSService | Service | Windows Store Service (WSService)
wuauserv | Service | Windows Update
wudfsvc | Service | Windows Driver Foundation - User-mode Driver Framework
Figure 60
To see all installed modules with their exported functions and cmdlets, use:
Get-Module -ListAvailable
The main case for using the import-module command is when you need access to the "AD:" Windows PowerShell virtual drive and nothing else has already loaded the module. For example, using the following commands:
import-module activedirectory
cd ad:
dir
Additional Resources
For information about Windows Server "8" Beta Virtualized Domain Controllers, see:
  Understand and Troubleshoot Virtualized Domain Controllers in Windows Server "8" Beta
  Test Lab Guide: Demonstrate Windows Server "8" Beta Virtualized Domain Controller (VDC)
  AD DS Virtualization (Cloning and Virtualization safe improvements)
For more information about Windows Server "8" Beta AD DS Simplified Administration, see:
  Understand and Troubleshoot ADDS Simplified Administration in Windows Server "8" Beta
  Active Directory Administrative Center Enhancements (FGPP UI, Recycle Bin UI, and Windows PowerShell Script Viewer)
  Active Directory Replication and Topology Management Using Windows PowerShell
  AD DS Deployment Guide
  Test Lab Guide: Demonstrate ADDS Simplified Administration in Windows Server "8" Beta
For more information about Active Directory Domain Services, see:
  Active Directory Domain Services (TechNet Portal)
  Active Directory Domain Services for Windows Server 2008 R2
  Active Directory Domain Services for Windows Server 2008
  Windows Server Technical Reference (Windows Server 2003)
  Active Directory Administrative Center: Getting Started (Windows Server 2008 R2)
  Running Adprep (Windows Server 2008 R2)
  USN and USN Rollback Protection (Windows Server 2008 R2)
  Active Directory Administration with Windows PowerShell (Windows Server 2008 R2)
  Ask the Directory Services Team (Official Microsoft Commercial Technical Support Blog)
For a list of all of the Windows Server "8" Beta TLGs, see Windows Server "8" Beta Test Lab Guides in the TechNet Wiki. To provide the authors of this guide with feedback or suggestions for improvement, send email to utgfeedback@microsoft.com.