Cloning Virtual Domain Controllers in Windows Server 2012
In versions of Microsoft Windows Server prior to Windows Server 2012, adding another virtual domain controller meant copying the directory data during domain controller promotion using one of two options: "Replicate over the Network" or "Using IFM Media" (Install From Media).
Depending on the size of the Active Directory database (NTDS.DIT), copying it can take a considerable amount of time with either option.
The cloning feature introduced in Windows Server 2012 shortens the time needed to build an additional domain controller and makes it practical to provision domain controllers for rapid deployment, because the clone starts from a copy of the source virtual machine rather than from a fresh replication of the database.
A Windows Server 2012 virtual domain controller running on Hyper-V 3.0 (Windows Server 2012) or VMware vSphere 5.1 can detect that it is running on a virtualization platform, because those hypervisors expose a VM-Generation-ID to the guest. This is a significant change from virtual domain controllers running Windows Server 2008 R2 and earlier, which have no way to tell that a snapshot has been applied or that they have been copied.
A Windows Server 2012 domain controller running on such a platform therefore gains two capabilities, cloning and safe restore, which are built into the operating system and cannot be disabled. This article is geared primarily towards explaining the cloning process, and we'll leave exploration of the safe restore capability for another time.
To prevent a restored snapshot or a copied VM from reintroducing stale or lingering objects into replication (a USN rollback), Microsoft modified the Hyper-V hypervisor to provide a capability called VM-Generation-ID. The VM-Generation-ID (VMGID) is what allows a Windows Server 2012 virtual domain controller to be cloned safely.
Beginning with Windows Server 2012, the Active Directory schema includes a new attribute, msDS-GenerationId, on the computer object of the virtual domain controller. The hypervisor keeps the same VM-Generation-ID value in the virtual machine's configuration (the VM instance container), and it issues a new value whenever a snapshot is applied or the VM is copied.
When the Windows Server 2012 virtual domain controller starts, it compares the VM-Generation-ID stored in its directory database with the value the hypervisor currently exposes. If the two differ, the domain controller knows that either a snapshot has been applied or a cloning event has taken place: if a DCCloneConfig.xml file is present it treats the mismatch as a clone and promotes itself as a new domain controller; otherwise it treats the mismatch as a snapshot restore and performs a safe restore. Administrators can therefore clone a Windows Server 2012 virtual domain controller safely, provided the clone is prepared as described below.
The following requirements must be met to clone a virtual domain controller successfully:
- A virtualization platform that supports VMGID. VMGID is currently supported on Hyper-V 3.0 (Windows Server 2012) and VMware vSphere 5.1.
- Windows Server 2012 running as the guest domain controller.
- The PDC Emulator FSMO role held by a Windows Server 2012 domain controller before the cloning process begins.
- Forest functional level of Windows Server 2003 or higher.
- Schema version 56 (the Windows Server 2012 schema; promoting the first Windows Server 2012 domain controller runs the required adprep steps automatically).
- The source virtual domain controller must be a member of the Cloneable Domain Controllers group, and that group must hold the "Allow a DC to create a clone of itself" permission on the domain naming context.
Note: The PDC Emulator must be held by a Windows Server 2012 domain controller for the following reasons:
- A special Cloneable Domain Controllers group is created in Active Directory, and permissions are set for this group on the root of the domain naming context. By default, the group has no members. If the PDC Emulator role is transferred from an earlier domain controller to a Windows Server 2012 domain controller, the new role holder creates this group if it does not already exist.
- The domain controller being cloned uses the DRSUAPI RPC protocol to contact the PDC Emulator directly to create the computer object for the new clone.
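The requirements above can be verified before anything is exported. The following pre-flight script is an added example, not part of the original article; it uses the ActiveDirectory module on a Windows Server 2012 machine, and the source domain controller name `DC2` is a placeholder.

```powershell
# Added example: verify the virtual DC cloning prerequisites before exporting anything.
# Run on a Windows Server 2012 machine with the ActiveDirectory module (RSAT).
# 'DC2' is a placeholder for the source virtual domain controller.
Import-Module ActiveDirectory

$sourceDc = 'DC2'
$rootDse  = Get-ADRootDSE
$domain   = Get-ADDomain
$forest   = Get-ADForest
$results  = @()

function Add-Check([string]$Name, [bool]$Pass, $Value) {
    $script:results += [pscustomobject]@{ Check = $Name; Pass = $Pass; Value = "$Value" }
}

# Schema version 56 is the Windows Server 2012 schema.
$schemaVersion = (Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
Add-Check 'Schema version is 56' ($schemaVersion -eq 56) $schemaVersion

# ForestMode is an enum in which Windows2003Forest = 2, so anything >= 2 qualifies.
Add-Check 'Forest functional level >= Windows Server 2003' ([int]$forest.ForestMode -ge 2) $forest.ForestMode

# The PDC Emulator must be a Windows Server 2012 DC (it creates the group and the clone's computer object).
$pdc = Get-ADDomainController -Identity $domain.PDCEmulator
Add-Check 'PDC Emulator on Windows Server 2012' ($pdc.OperatingSystem -like '*Server 2012*') "$($pdc.HostName): $($pdc.OperatingSystem)"

# The group exists only once a 2012 DC has held the PDCe role; the source DC must be a member.
$group = Get-ADGroup -Identity 'Cloneable Domain Controllers' -Properties member -ErrorAction SilentlyContinue
$src   = Get-ADComputer -Identity $sourceDc
Add-Check 'Cloneable Domain Controllers group exists' ($null -ne $group) $group.DistinguishedName
Add-Check "$sourceDc is a member of the group" ($group -and $group.member -contains $src.DistinguishedName) $src.DistinguishedName

# The group needs the "Allow a DC to create a clone of itself" control access right
# (cn=DS-Clone-Domain-Controller) on the domain NC head. Look the right's GUID up in the
# configuration partition instead of hard-coding it.
$cloneRight = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(cn=DS-Clone-Domain-Controller))' -Properties rightsGuid
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$ace = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like '*\Cloneable Domain Controllers' -and
    $_.ObjectType -eq [guid]$cloneRight.rightsGuid
}
Add-Check 'Clone right granted to the group on the domain NC' ($null -ne $ace) $cloneRight.rightsGuid

# msDS-GenerationId is written by each DC about itself and is not replicated, so query the
# source DC directly. If it is missing, the hypervisor is not exposing a VM-Generation-ID.
$genId = (Get-ADComputer -Identity $sourceDc -Server $sourceDc -Properties 'msDS-GenerationId').'msDS-GenerationId'
$genIdHex = if ($genId) { ($genId | ForEach-Object { $_.ToString('x2') }) -join '' }
Add-Check "$sourceDc has a VM-Generation-ID recorded" ($null -ne $genId) $genIdHex

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more cloning prerequisites are not met; do not export the source DC yet.'
}
```

The last check is the one most often overlooked: a domain controller that never received a VM-Generation-ID (for example, one running on an older hypervisor) has nothing to compare against at boot, so a copy of it will replicate as if it were the original and cause exactly the USN rollback the feature is meant to prevent.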
The VM-Generation-ID safe cloning feature makes it possible to clone a Windows Server 2012 domain controller reliably. At a high level, the process involves the following steps:
- Preparing the environment
- Authorizing a domain controller as a source for the cloning
- Reviewing the installed applications and services that are not known to be safe to clone, and generating the allow list for those that are acceptable
- Configuring the source domain controller
- Exporting, copying, importing and renaming the source domain controller as a new virtual machine
- Starting the new virtual machine
- Wrapping up
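The steps above, carried out end to end with the ActiveDirectory and Hyper-V PowerShell modules that ship with Windows Server 2012. This is an added example rather than code from the article; the source VM name `DC2`, the clone name `DC3`, the site name, the IP addresses and the `D:\Export` and `D:\VMs` paths are placeholders.

```powershell
# Added example: clone a Windows Server 2012 virtual DC ('DC2') into a new DC ('DC3') on Hyper-V.
# Part 1 runs on the source DC; part 2 runs on the Hyper-V host. All names, paths and
# addresses below are placeholders.

# ---- Part 1: on the source DC (DC2) ----
Import-Module ActiveDirectory

# Authorize DC2 as a clone source. Membership is what the PDC Emulator checks when the
# clone asks it (over DRSUAPI) to create the new computer object.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity 'DC2')

# List installed applications and services that are not on the built-in allow list.
# Each one must be uninstalled or explicitly accepted; -GenerateXml writes
# CustomDCCloneAllowList.xml next to NTDS.DIT with the accepted entries.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# Write DCCloneConfig.xml next to NTDS.DIT. This cmdlet re-checks the prerequisites
# (group membership, PDCe on 2012). At first boot, this file plus a changed
# VM-Generation-ID is what makes the OS treat the VM as a clone, not a restored snapshot.
New-ADDCCloneConfigFile -CloneComputerName 'DC3' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.13' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.12'

# ---- Part 2: on the Hyper-V host ----
# Export only from a cleanly shut-down VM (Windows Server 2012 Export-VM requires it anyway).
Stop-VM -Name 'DC2'
Export-VM -Name 'DC2' -Path 'D:\Export'
Start-VM -Name 'DC2'          # the source DC goes straight back into service

# -Copy -GenerateNewId imports the export as a brand-new VM; the hypervisor assigns it a
# fresh VM-Generation-ID that will not match the msDS-GenerationId in the copied NTDS.DIT.
# Windows Server 2012 exports keep the VM configuration as an .xml file.
$config = Get-ChildItem -Path 'D:\Export\DC2\Virtual Machines' -Filter '*.xml' | Select-Object -First 1
$clone  = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath 'D:\VMs\DC3' -VhdDestinationPath 'D:\VMs\DC3\Disks'
Rename-VM -VM $clone -NewName 'DC3'
Start-VM -Name 'DC3'

# ---- Wrapping up: after DC3 has rebooted, confirm it promoted itself as a new DC ----
# (Run from any DC once the clone is reachable.)
Get-ADDomainController -Identity 'DC3' | Select-Object Name, Site, IPv4Address, IsGlobalCatalog
Get-ADReplicationPartnerMetadata -Target 'DC3' | Select-Object Server, Partner, LastReplicationSuccess
```

Two failure modes are worth knowing before relying on this. If the imported VM boots with a changed VM-Generation-ID but no DCCloneConfig.xml, the DC does not clone; it performs a safe restore and comes up as a second copy of DC2, which is not what you want and should be shut down immediately. If DCCloneConfig.xml is present but cloning fails (for example, the PDC Emulator cannot be reached, or the allow list was incomplete), the clone boots into Directory Services Restore Mode rather than joining the domain, so a clone that does not answer on the network is a signal to check its logs rather than to retry the import.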