Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta
Microsoft Corporation
Published: February 2012
Abstract
This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality,
and troubleshooting methods for Virtualized Domain Controller in Windows Server “8” Beta. This UTG
provides you with:
• A technical overview and functional description of this feature.
• Technical concepts to help you successfully install, configure, and manage this feature.
• User Interface options and settings for configuration and management.
• Relevant architecture of this feature, with dependencies, and technical implementation.
• Primary troubleshooting tools and methods for this feature.
Copyright information
This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2012 Microsoft. All rights reserved.
Active Directory, Hyper-V, Microsoft, Visual Studio, Windows, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
About the Author
Author: Ned Pyle
Bio: Ned Pyle is a Senior Support Escalation Engineer with Microsoft Commercial Technical Support in Charlotte, North Carolina, USA. He specializes in Directory Services troubleshooting and advisory services. He has authored and contributed to TechNet whitepapers and Knowledgebase articles. Ned also has credits in several Microsoft Press books. He teaches Microsoft employees new product architecture, is a Microsoft Certified Master instructor, and is a Microsoft Certified Trainer. He edits the official Microsoft Directory Services blog, AskDS.
Contents
Understand and Troubleshoot Guides  1
  About the Understand and Troubleshoot Guides  1
Introducing Virtualized Domain Controller  2
  What Is Virtualized Domain Controller?  2
  Purpose & Benefits  3
Technical Overview  5
  Prerequisites  5
  Functional Descriptions  5
    Virtual Domain Controller Cloning  5
    Virtual Domain Controller Safe Restore  6
Deploying Virtualized Domain Controller  7
  Installation Considerations  7
  Platform Requirements  7
  Critical Caveats  8
Virtualized Domain Controller Cloning  9
  1. Validate the Hypervisor  11
  2. Create XML  11
    Using a Blank DcCloneConfig.xml File  11
    Using Get-ADDCCloningExcludedApplicationList to Detect Compatibility Issues and Create CustomDCCloneAllowList.xml  11
    XML Details and Behaviors  14
    Using an XML Editor  18
    Adding XML to the Running Source DC  29
  3. Verify the PDCE FSMO role  32
    Active Directory Users and Computers Method  32
    Windows PowerShell Method  32
    Validate PDCE Availability  33
  4. Authorize a Source DC  34
    Active Directory Administrative Center Method  34
    Windows PowerShell Method  34
    Rebuilding Default Permissions  35
  5. Remove Incompatible applications or services (if not using CustomDCCloneAllowList.xml)  36
  6. Take the Source Domain Controller Offline  36
    Graphical Method  36
    Windows PowerShell Method  37
  7. Copy Disks  38
    Manually Copying Disks  39
    Exporting the VM  42
    Adding XML to the Offline System Disk  43
  8. Create the New Virtual Machine  47
    Associating a New VM with Copied Disks  47
    Import VM  48
  9. Clone the New Virtual Machine  53
Virtualized Domain Controller Safe Restore  55
  Validate the Hypervisor  55
  Validate the Replication Topology  55
    Writable Domain Controller Contact  55
    Simultaneous Restore  56
    Post-Snapshot Replication  56
  Windows PowerShell Snapshot Cmdlets  58
  Further Recommendations  58
Troubleshooting  60
  Introduction  60
  Troubleshooting VDC Cloning  60
    Tools for Troubleshooting  62
    General Methodology for Troubleshooting Domain Controller Cloning  63
    Troubleshooting Specific Problems  65
    Advanced Troubleshooting  86
  Troubleshooting VDC Safe Restore  111
    Tools for Troubleshooting  111
    General Methodology for Troubleshooting Domain Controller Safe Restore  112
    Troubleshooting Specific Problems  113
    Advanced Troubleshooting  121
Appendices  130
  Terminology  130
  VDC Cloning Architecture  131
    Overview  132
    Detailed Processing (using Microsoft Hyper-V)  132
  VDC Safe Restore Architecture  136
    Overview  136
    Detailed Processing (using Microsoft Hyper-V)  137
  FixVDCPermissions.ps1  139
  The DCCloneConfigSchema.XSD  140
  The SampleDCCloneConfig.XML  142
  The DefaultDCCloneAllowList.XML  142
  List of default compatible cloning components  155
  DRS API Extension for Cloning  160
  Windows PowerShell Module Loading  161
Additional Resources  162
Understand and Troubleshoot Guides
About the Understand and Troubleshoot Guides
The Understand and Troubleshoot Windows Server "8" Beta Guides support you in developing awareness of key technical concepts, architecture, functionality, and troubleshooting tools and techniques. This understanding enables a successful early adoption experience during the pre-RTM product evaluation phase. This guide contains Level 300 material intended for administrators and architects, and assumes the reader already has extensive knowledge of existing features in previous operating systems.
Introducing Virtualized Domain Controller
Windows Server "8" Beta introduces the first specific virtualization capabilities to Active Directory Domain Services. Virtualized Domain Controller (VDC) takes lessons learned from twelve years of virtualizing Active Directory and makes a more supportable, more flexible, more intuitive administrative experience for architects and administrators.
What Is Virtualized Domain Controller?
Virtualized Domain Controller creates two new key capabilities:
• Domain controllers can be safely cloned to deploy additional capacity and save configuration time.
• Accidental restoration of domain controller snapshots does not disrupt your AD DS environment.
More Information:
To read more about new features that are not in this document’s scope:
For AD DS deployment and management improvements, see the Understand and Troubleshoot AD DS Simplified Administration in Windows Server "8" Beta guide. http://go.microsoft.com/fwlink/p/?LinkId=237244
For Dynamic Access Control and Kerberos capabilities, see the Understand and Troubleshoot Dynamic Access Control in Windows Server "8" Beta guide. http://go.microsoft.com/fwlink/p/?LinkId=237254
For GMSA and Kerberos capabilities, see the Understand and Troubleshoot Enhanced Security in Windows Server Beta 8 guide. http://go.microsoft.com/fwlink/p/?LinkId=237243
VDC also benefits from many other new features included in Windows Server "8" Beta, such as:
• NIC teaming and Datacenter Bridging
• Unified Remote Access AD site awareness
• DNS Security and faster AD-integrated zone availability after boot
• Hyper-V reliability and scalability improvements
• BitLocker Network Unlock
• Additional Windows PowerShell component administration modules
2 © 2012 Microsoft Corporation. All rights reserved.
More Information:
To read more about new features that are not in this document’s scope:
For Unified Remote Access capabilities, see the Understand and Troubleshoot Unified Remote Access in Windows Server "8" Beta guide. http://go.microsoft.com/fwlink/p/?LinkId=237246
For DNS capabilities, see the Understand and Troubleshoot DNS Security Extensions (DNSSEC) in Windows Server "8" Beta guide. http://go.microsoft.com/fwlink/p/?LinkId=237248
For Hyper-V capabilities, see the Understand and Troubleshoot Hyper-V Virtual Network Switch in Windows Server "8" Beta guide (http://go.microsoft.com/fwlink/p/?LinkId=237247) and the Understand and Troubleshoot Hyper-V Replica in Windows Server "8" Beta guide (http://go.microsoft.com/fwlink/p/?LinkId=237258).
For BitLocker capabilities, see the Understand and Troubleshoot BitLocker in Windows Server "8" Beta guide. http://go.microsoft.com/fwlink/p/?LinkId=237139
Purpose & Benefits
Cloning Domain Controllers
Domain controllers have unique characteristics that make duplication very dangerous. For instance, two domain controllers cannot coexist in the same forest with the same name, invocation ID, and security identifier. In Windows Server 2008 R2 and older operating systems, every virtualized domain controller requires manual promotion as a uniquely built guest computer.
Windows Server "8" Beta introduces virtualized domain controller cloning. You no longer have to repeatedly deploy a sysprepped server image and then manually promote the domain controller. Instead, the cloned domain controller automatically syspreps (based on settings in DefaultDCCloneAllowList.xml) and promotes with the existing local AD DS data as installation media, consuming administrator-provided settings like computer name and IP address. This allows faster deployment of new domain controllers in production or test labs, simpler disaster recovery, and the ability to scale out in hosting and branch office scenarios.
Safe Backup and Restore of Domain Controllers
Virtualization creates unique challenges for distributed multi-master workloads that depend upon logical clock-based replication schemes. AD DS replication uses an increasing transaction value assigned to transactions on each domain controller, known as an Update Sequence Number (USN). If a domain controller "rolls back" time during application of a snapshot, a USN may be reused for an entirely different transaction; replication cannot converge, since other domain controllers believe they already received the update.
Virtualization technology such as Hyper-V includes snapshot abilities, where you create an image of a domain controller at a point in time. Restoring the snapshot discards all changes made since that checkpoint and, in previous operating systems, forces the domain controller to quarantine itself with a process called USN rollback protection. Once USN rollback protection is in place, the domain controller no longer replicates and must be either forcibly demoted or manually restored non-authoritatively. In cases where the domain controller has originated changes since the snapshot was taken, it also leads to lingering objects.
Windows Server "8" Beta now detects rollbacks and non-authoritatively synchronizes the delta of changes between a domain controller and its partners for AD DS and SYSVOL. You can now use snapshots without risk of permanently crippling domain controllers and requiring manually forced demotion, metadata cleanup, and re-promotion. While this does not prevent other issues with snapshots - such as inconsistent databases for other technologies and applications - it does make domain controller virtualization safer.
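The two paragraphs above describe the mechanism only in words. The following is an added illustration, not code from the guide: a toy model of replication bookkeeping (per-DC Invocation ID, USN counter and up-to-dateness vector) run once with a plain snapshot restore and once with the Invocation ID reset that safe restore performs. DC names, object names and GUIDs are constructed for the demonstration.

```powershell
# Added example (not from the guide): toy model of AD DS replication bookkeeping showing
# why restoring a snapshot without a new Invocation ID causes silent divergence, and why
# issuing a new Invocation ID lets the partners converge. All names are constructed.
class ToyDC {
    [string]    $Name
    [string]    $InvocationId   # identity of this database instance
    [int]       $HighestUsn     # last USN assigned locally
    [hashtable] $Objects        # objectName -> @{ Inv = originating invocation; Usn = originating USN; Value }
    [hashtable] $Utd            # up-to-dateness vector: invocationId -> highest originating USN applied

    ToyDC([string]$name) {
        $this.Name         = $name
        $this.InvocationId = [guid]::NewGuid().ToString()
        $this.HighestUsn   = 0
        $this.Objects      = @{}
        $this.Utd          = @{}
    }

    # Originate a write: every local change consumes the next USN under the current Invocation ID.
    [void] Write([string]$objectName, [string]$value) {
        $this.HighestUsn++
        $this.Objects[$objectName] = @{ Inv = $this.InvocationId; Usn = $this.HighestUsn; Value = $value }
        $this.Utd[$this.InvocationId] = $this.HighestUsn
    }

    # Pull replication: take every change from $source that our UTD vector does not already cover.
    # A change is skipped when we believe we have seen that originating (InvocationId, USN) pair.
    [int] ReplicateFrom([ToyDC]$source) {
        $applied = 0
        foreach ($name in $source.Objects.Keys) {
            $change = $source.Objects[$name]
            $seen = 0
            if ($this.Utd.ContainsKey($change.Inv)) { $seen = $this.Utd[$change.Inv] }
            if ($change.Usn -gt $seen) {
                $this.Objects[$name]   = $change
                $this.Utd[$change.Inv] = $change.Usn
                $applied++
            }
        }
        return $applied
    }

    [hashtable] Snapshot() {
        return @{ Inv = $this.InvocationId; Usn = $this.HighestUsn; Objects = $this.Objects.Clone(); Utd = $this.Utd.Clone() }
    }

    [void] Restore([hashtable]$snap, [bool]$safeRestore) {
        $this.HighestUsn = $snap.Usn
        $this.Objects    = $snap.Objects.Clone()
        $this.Utd        = $snap.Utd.Clone()
        if ($safeRestore) {
            # Safe restore: retire the old Invocation ID (its watermark stays in the UTD vector) and
            # originate under a fresh one, so partners cannot mistake new writes for ones already seen.
            $this.InvocationId = [guid]::NewGuid().ToString()
        } else {
            $this.InvocationId = $snap.Inv   # unsafe: USNs 101.. will be reused under the old identity
        }
    }
}

function Invoke-RollbackScenario([bool]$SafeRestore) {
    $dc1 = [ToyDC]::new('DC1'); $dc2 = [ToyDC]::new('DC2')
    1..100 | ForEach-Object { $dc1.Write("user$_", 'v1') }   # DC1 originates USN 1..100
    $null = $dc2.ReplicateFrom($dc1)                           # DC2 now holds DC1 up to USN 100
    $snap = $dc1.Snapshot()
    $dc1.Write('userA', 'after snapshot')                      # USN 101 ...
    $dc1.Write('userB', 'after snapshot')                      # ... and 102
    $null = $dc2.ReplicateFrom($dc1)                           # both replicated to DC2
    $dc1.Restore($snap, $SafeRestore)                          # snapshot applied: DC1 forgets 101 and 102
    $dc1.Write('userC', 'after rollback')                      # assigned USN 101 again
    $toDc2 = $dc2.ReplicateFrom($dc1)
    $toDc1 = $dc1.ReplicateFrom($dc2)
    [pscustomobject]@{
        SafeRestore     = $SafeRestore
        Dc2GotUserC     = $dc2.Objects.ContainsKey('userC')   # partner receives the post-rollback write?
        Dc1GotUserABack = $dc1.Objects.ContainsKey('userA')   # DC1 recovers the change it lost in the rollback?
        SentToDc2       = $toDc2
        SentToDc1       = $toDc1
    }
}

Invoke-RollbackScenario -SafeRestore $false   # unsafe: userC never reaches DC2; userA is lost on DC1 (USN 101 collision)
Invoke-RollbackScenario -SafeRestore $true    # safe: DC2 accepts userC under the new ID; DC1 pulls userA and userB back
```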
More Information:
For more information about USN and Invocation ID, review How the Active Directory Replication Model Works. http://technet.microsoft.com/en-us/library/cc772726(WS.10).aspx
For more information about USN Rollback protection in Windows Server 2008 R2, review Running Domain Controllers in Hyper-V. http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=WS.10)#usn_and_usn_rollback
Technical Overview
Prerequisites
This guide assumes familiarity with previous releases of Active Directory Domain Services as well as virtualization technology like Hyper-V or other hypervisors, and does not provide foundation detail around their purpose and functionality. The focus of this guide is to provide information and guidance on the new features and improvements introduced in Windows Server "8" Beta.
More Information:
For more information about AD DS, see the TechNet Portal pages linked below:
Active Directory Domain Services for Windows Server 2008 R2 - http://technet.microsoft.com/en-us/library/dd378801(WS.10).aspx
Active Directory Domain Services for Windows Server 2008 - http://technet.microsoft.com/en-us/library/dd378891(WS.10).aspx
Windows Server Technical Reference - http://technet.microsoft.com/en-us/library/cc739127(WS.10).aspx
For more information about Hyper-V, see the TechNet Portal pages linked below:
Hyper-V Server Portal - http://www.microsoft.com/en-us/server-cloud/hyper-v-server/default.aspx
Windows Server 2008 R2 Hyper-V Portal - http://www.microsoft.com/en-us/server-cloud/windows-server/hyper-v.aspx
Hyper-V TechNet Library for Windows Server 2008 R2 - http://technet.microsoft.com/en-us/library/cc753637(WS.10).aspx
Functional Descriptions
Virtual Domain Controller Cloning
Windows Server "8" Beta implements cloning by extending the existing virtualization and domain controller promotion processes. Instead of creating sysprepped copies of workgroup computers and then manually promoting them using Server Manager or the ADDSDeployment Windows PowerShell module, an administrator creates a DcCloneConfig.xml file containing the unique server configuration and copies it into the DSA Working Directory (the location where the AD DS database resides; C:\Windows\NTDS, by default). A virtualization administrator takes the domain administrator-authorized virtual machine offline and copies its drive or exports the computer. The administrator creates a new virtual machine - using the copied or exported computer - without any other changes required, and the server automatically promotes as a unique domain controller, using the previous domain controller data as source media.
Alternatively, domain administrators can mount the offline disk and add the XML files, which allows for factory-like automation using new Windows PowerShell options included in Windows Server "8" Beta. If there are any problems or signs of uniqueness duplication - such as a duplicate IP address or name - the promotion blocks and the cloned domain controller switches to DS Restore Mode for analysis. Cloning can be made entirely automatic, including name generation and IP addressing using DHCP.
VDC cloning allows:
• Swift domain controller deployment in a new forest or domain
• Scalable provisioning of domain controllers to handle increased load
• Rapid rollout of replacement domain controllers during disaster recovery, such as flooding or fire, an AD DS forest compromised by intrusion, or loss of virtualization host hardware
• Quick provisioning of test lab environments
There is clear role separation between domain administrators and virtualization administrators when cloning. Hypervisor admins cannot deploy replica domain controllers by simply copying virtual machines; the domain admins authorize selected domain controllers for cloning. The virtualization admins then deploy the authorized clones. This ensures that unauthorized users do not create new rogue domain controllers.
Critical: Anyone allowed to administer the hypervisor must be highly trusted and audited in the environment. They still have the ability to make copies of domain controllers for offline attack or sale to malicious third parties. Microsoft suggests legally bonding administrators against exceeding their access and contacting law enforcement authorities if suspecting employees of theft.
Note: There is no graphical interface to create the cloning XML files. However, there is a Windows PowerShell script in development for out-of-band release, and the XML schema is included. These - and use of simple XML editorial tools - are described later in this guide.
Virtual Domain Controller Safe Restore
Windows Server "8" Beta virtualized domain controller safe restore resets the DC's unique Invocation ID. Since other domain controllers do not recognize the new Invocation ID, they conclude that they have not already seen these USNs and accept the updates, allowing the directory to converge. The domain controller also discards the now-duplicated local Relative Identifier (RID) pool and non-authoritatively restores the SYSVOL folder. This means that accidentally restoring a snapshot is no longer an unsafe operation on domain controllers.
More Information:
For more information about these topics, review the architecture section of this guide in the appendix.
Deploying Virtualized Domain Controller
Installation Considerations
There is no special role or feature installation for VDC; all domain controllers automatically contain cloning and safe restore capabilities. You cannot remove or disable these capabilities.
Use of Windows Server "8" Beta domain controllers - and therefore VDC - requires a Windows Server "8" Beta AD DS Schema 52 and Windows Server 2003 Native or higher Forest Functional Level.
Both writable and read-only domain controllers support all aspects of virtualized DC, as do Global Catalogs and FSMO roles, with the exception that the PDC emulator must be accessible during cloning.
Important: In Windows Server "8" Beta only, you cannot use the PDC emulator as a source computer to copy and clone. Naturally, this also means you cannot use a domain that contains only one domain controller. This may change in future releases of Windows Server "8" Beta.
Platform Requirements
Virtualized Domain Controller cloning requires:
• PDC emulator FSMO role transferred to a Windows Server "8" Beta DC
• PDC emulator available during cloning operations
Both VDC cloning and safe restore require:
• Windows Server "8" Beta virtualized guests
• Virtualization host platform that supports VM-Generation ID (VMGID)
Review the table below for known configurations as of this writing:
Virtualization Product                                           | Supports VDC and VMGID
Microsoft Windows Server "8" Beta server with Hyper-V Feature    | Yes
Microsoft Windows Server "8" Beta Hyper-V Server                 | Yes
Microsoft Windows 8 Consumer Preview with Hyper-V Client Feature | Yes
Microsoft Windows Server 2008 and Windows Server 2008 R2         | No
Non-Microsoft virtualization solutions                           | Contact vendor
Figure 1
Note: Even though Microsoft supports Windows 7 Virtual PC, Virtual PC 2007, Virtual PC 2004, and Virtual Server 2005 as of this writing, they are incapable of running 64-bit guests.
More Help: For help with third party virtualization products and their support stance with VDC, contact that vendor directly.
For more information, review Support policy for Microsoft software running in non-Microsoft hardware virtualization software.
Critical Caveats
VDC does not support safe restore of the following:
• VHD and VHDX files manually copied over existing VHD files
• VHD and VHDX files restored using file backup or full disk backup software
Note: VHDX files are new to Windows Server "8" Beta Hyper-V.
Neither of these operations is a snapshot restoration, and therefore neither invokes the VM-Generation ID process. Restoring domain controllers using these methods can result in a USN rollback and either quarantine the domain controller or introduce lingering objects. If the restoration is older than the tombstone lifetime, this creates the potential for lingering objects and a USN bubble; the bubble is the set of changes that are divergent between the two domain controllers. USN Rollback protection does not quarantine the domain controller in this case, potentially leading to lingering objects and the need for forest-wide cleanup operations.
Critical: VDC safe restore is not a replacement for system state backups and the AD DS Recycle Bin. After restoring a snapshot, the deltas of previously un-replicated changes originating from that domain controller after the snapshot are permanently lost. Safe restore implements automated non-authoritative restoration to prevent accidental domain controller quarantine only.
More Information:
For more information about USN bubbles and lingering objects, see Troubleshooting Active Directory operations that fail with error 8606: "Insufficient attributes were given to create an object"
Virtualized Domain Controller Cloning
There are a number of stages and steps to cloning a virtualized domain controller, regardless of using graphical tools or Windows PowerShell. At a high level, the three stages are:
A. Prepare the environment
1. Validate that the hypervisor supports VM-Generation ID and therefore, cloning
2. Create XML and copy it to the source DC
3. Verify the PDCE FSMO role
B. Prepare the source domain controller
4. Authorize a domain controller for cloning
5. Remove incompatible components
6. Take the source domain controller offline
C. Create the cloned domain controller
7. Copy or export the source VM and add the XML if not already copied
8. Create a new virtual machine from the copy
9. Start the new virtual machine to commence cloning
Because Microsoft only maintains Hyper-V and cannot include steps for third party products like Citrix's Xen or EMC's VMware, this document implements all steps with Windows Server "8" Beta Hyper-V. Contact your vendor for their product-specific steps; Microsoft cannot document them here.
There are no procedural differences in the operation when using graphical tools like the Hyper-V Management Console or command-line tools like Windows PowerShell, so the steps are presented only once with both interfaces. This guide provides Windows PowerShell samples for you to explore end-to-end automation of the cloning process; they are not required for any steps. There is no graphical management tool for VDC included in Windows Server "8" Beta.
There are several points in the procedure where you have choices for how to create the cloned computer and how you add the XML files; these steps are noted in the details below. The process is otherwise unalterable.
The diagram below illustrates the virtualized domain controller cloning process, where the domain already exists.
Figure 2
Important:For details on how the cloning process works at first boot, see the Architecture section. For issues, see the Troubleshooting section.For test lab steps, see Test Lab Guide: Demonstrate Windows Server "8" Beta Virtualized Domain Controller (VDC)http://go.microsoft.com/fwlink/p/?LinkId=237261For a step-by-step guide, see the AD DS Virtualization (Cloning and Virtualization safe improvements) guidehttp://go.microsoft.com/fwlink/p/?LinkID=238316
© 2012 Microsoft Corporation. All rights reserved.
Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta
Note: All scenarios are described using the following sample conventions:
The Windows Server "8" Beta forest is corp.contoso.com.
Domain controllers are named in the pattern DC1, DC2, etc.
1. Validate the Hypervisor
Ensure the source domain controller is running on a supported hypervisor by reviewing vendor documentation. VDC is hypervisor agnostic and does not require Hyper-V.
Review the previous Platform Requirements section in this guide for known VM-Generation ID support.
2. Create XML
The DcCloneConfig.xml file is required for cloning domain controllers. Its contents allow you to specify unique details like the new computer name and IP address.
The CustomDCCloneAllowList.xml file is optional unless you install applications or incompatible Windows services on the source domain controller. The files require precise naming, formatting, and placement; otherwise, cloning fails.
Using a Blank DcCloneConfig.xml File
Optionally, you can create a blank DcCloneConfig.xml file. If you provide a blank file, cloning configures the domain controller automatically, using the rules specified in the DcCloneConfig.XML Definitions and Behaviors section below. Otherwise, you must populate that file with valid custom settings.
Using Get-ADDCCloningExcludedApplicationList to Detect Compatibility Issues and Create CustomDCCloneAllowList.xml
The ActiveDirectory Windows PowerShell module contains a new cmdlet in Windows Server "8" Beta:
Get-ADDCCloningExcludedApplicationList
You must run this cmdlet on a source domain controller before cloning it. The cmdlet has no arguments. This cmdlet scans a source computer for applications not listed as allowed with VDC cloning and returns the list; any services or installed programs in that list cause the cloning engine to abort.
In the example below, there are no incompatible services or programs installed.
Figure 3
In this example though, there are incompatibilities detected because of the DHCP service:
Figure 4
In this final example, there are potential incompatibilities because you installed the Microsoft Forefront Endpoint Protection program:
Figure 5
Important: Microsoft Forefront is not necessarily incompatible with cloning. VDC in Windows Server "8" Beta always assumes that any programs not included with Windows are risky and, as a safeguard, forces you to allow them.
The allow list of supported cloneable applications and services is stored in c:\windows\system32\DefaultDCCloneAllowList.XML. See the Appendix for more information.
You must choose to either remove the incompatible applications and components or override the cloning block using the CustomDCCloneAllowList.xml file. For the previous example, where you installed Microsoft Forefront Endpoint Protection, the CustomDCCloneAllowList.xml configuration needed is:
<?xml version="1.0" encoding="utf-8" ?>
<!-- Allow migration of a computer using MSFFEP file -->
<AllowList>
  <Allow>
    <Name>Microsoft Forefront Endpoint Protection</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>Microsoft Antimalware</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>Microsoft Forefront Endpoint Protection 2010 Server Management</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>Microsoft Security Client</Name>
    <Type>Program</Type>
  </Allow>
  <Allow>
    <Name>PrintNotify</Name>
    <Type>Service</Type>
  </Allow>
  <Allow>
    <Name>MsMpSvc</Name>
    <Type>Service</Type>
  </Allow>
  <Allow>
    <Name>NisSrv</Name>
    <Type>Service</Type>
  </Allow>
</AllowList>
The guide describes the definitions of this XML file and using an XML editor later in this section.
XML Details and Behaviors
Formatting Rules
The DcCloneConfig.xml and CustomDCCloneAllowList.xml files are critical to cloning. Since editing XML files is uncommon for domain administrators and these files are proprietary, it is important to understand the terms and rules around formatting:
Figure 6
1. The file names are not alterable and are:
DcCloneConfig.xml
CustomDcCloneAllowList.xml
2. The elements (fields inside of <>) are case-sensitive
3. The element's start and end tags must match
4. The data inside elements are not case-sensitive, but are format-sensitive. For example, you cannot provide the IPv4 address in any form but w.x.y.z, with valid IPv4 integers provided in each octet. Likewise, a computer name must be 15 characters or fewer and use only valid characters
5. Any empty or missing elements are handled automatically during cloning (see DcCloneConfig.XML Definitions and Behaviors section below)
6. If any element data duplicates the source computer, cloning does not proceed. For example, you cannot set the IP address to match the old computer IP address
7. The XML follows the rules of included XML schema file c:\windows\system32\DCCloneConfigSchema.xsd
More Information:
For explanations of XML terms, review the MSDN XML Glossary:
Template SampleDcCloneConfig.xml
The following sample is also located at %systemroot%\system32\SampleDCCloneConfig.xml on any Windows Server "8" Beta domain controller.
<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
  <ComputerName></ComputerName>
  <SiteName></SiteName>
  <IPSettings>
    <IPv4Settings>
      <StaticSettings>
        <Address></Address>
        <SubnetMask></SubnetMask>
        <DefaultGateway></DefaultGateway>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <PreferredWINSServer></PreferredWINSServer>
        <AlternateWINSServer></AlternateWINSServer>
      </StaticSettings>
    </IPv4Settings>
    <IPv6Settings>
      <StaticSettings>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
      </StaticSettings>
    </IPv6Settings>
  </IPSettings>
</d3c:DCCloneConfig>
DcCloneConfig.XML Definitions and Behaviors
Each of the elements in the DcCloneConfig.xml describes a unique aspect of the computer. Not providing certain elements may lead to an unfavorable administrative experience, or cause cloning to fail:
Element: SiteName
Data: AD logical site the domain controller joins at promotion
Result if not provided: Joins the same site as the source computer being cloned (even for cloned read-only domain controllers)

Element: ComputerName
Data: New computer name of the DC
Result if not provided: Automatically assigned as the first seven characters of the source computer name, a hyphen, the letters "CL", and an incrementing number from 0001 to 9999 (example: a server named DCWaukeganIL becomes DCWauke-CL0001)

Element: Address (within <IPv4Settings><StaticSettings>)
Data: New IPv4 address of the DC
Result if not provided: Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address auto-configuration (SLAAC) and no IPv4 DHCP is available

Element: SubnetMask (within <IPv4Settings><StaticSettings>)
Data: New IPv4 subnet mask of the IPv4 address
Result if not provided: Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address auto-configuration (SLAAC) and no IPv4 DHCP is available

Element: DefaultGateway (within <IPv4Settings><StaticSettings>)
Data: New IPv4 gateway of the IPv4 address and subnet
Result if not provided: Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address auto-configuration (SLAAC) and no IPv4 DHCP is available

Element: DNSResolver (within <IPv4Settings><StaticSettings>)
Data: IPv4 address of a DNS server. If using multiple entries, in order of primary, secondary, tertiary, etc.
Result if not provided: Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address auto-configuration (SLAAC) and no IPv4 DHCP is available

Element: PreferredWINSServer (within <IPv4Settings><StaticSettings>)
Data: IPv4 address of the primary WINS server
Result if not provided: Cloning proceeds

Element: AlternateWINSServer (within <IPv4Settings><StaticSettings>)
Data: IPv4 address of the secondary WINS server
Result if not provided: Cloning proceeds

Element: DNSResolver (within <IPv4Settings><DynamicSettings>)
Data: IPv4 address of a DNS server when using DHCP without scope options. If using multiple entries, in order of primary, secondary, tertiary, etc.
Result if not provided: Cloning fails if no valid IPv6 DHCP or dynamic addressing is received from router stateless address auto-configuration (SLAAC) and no IPv4 DHCP is available

Element: PreferredWINSServer (within <IPv4Settings><DynamicSettings>)
Data: IPv4 address of the primary WINS server when using DHCP without scope options
Result if not provided: Cloning proceeds

Element: AlternateWINSServer (within <IPv4Settings><DynamicSettings>)
Data: IPv4 address of the secondary WINS server when using DHCP without scope options
Result if not provided: Cloning proceeds

Element: DNSResolver (within <IPv6Settings><DynamicSettings>)
Data: IPv6 address of a DNS server when using DHCP or SLAAC without scope options. If using multiple entries, in order of primary, secondary, tertiary, etc.
Result if not provided: Cloning fails if no valid dynamic IPv6 address is set and no IPv4 DHCP is available
Figure 7
Important: Cloning does not support using static IPv6 entries in Windows Server "8" Beta. You must use IPv6 DHCP or IPv6 stateless address auto-configuration (SLAAC).
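The formatting rules and element behaviors above can be checked before the source DC is shut down. The following pre-flight script is an added example (not part of this guide or of Windows): it validates a DcCloneConfig.xml against the shipped DCCloneConfigSchema.xsd (rules 2, 3 and 7), checks the computer name and IPv4 literals (rule 4), and refuses values that duplicate the source DC (rule 6). It assumes it runs on the source domain controller, that the XSD in %windir%\System32 validates the file as shipped, and that %windir%\NTDS is where you placed the file.

```powershell
# Added example, not from the guide: pre-flight check of DcCloneConfig.xml.
# Assumes it runs on the source DC so the duplicate checks (rule 6) compare
# against this computer's own name and IPv4 addresses.
function Test-IPv4Literal {
    # Rule 4: only dotted-quad w.x.y.z with integer octets 0-255 is accepted.
    param([string]$Value)
    $octets = $Value -split '\.'
    if ($octets.Count -ne 4) { return $false }
    foreach ($o in $octets) {
        if ($o -notmatch '^\d{1,3}$' -or [int]$o -gt 255) { return $false }
    }
    return $true
}

function Test-DcCloneConfig {
    param(
        [Parameter(Mandatory)][string]$XmlPath,
        [string]$XsdPath = "$env:windir\System32\DCCloneConfigSchema.xsd"
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Rule 1: the file name is fixed.
    $leaf = Split-Path -Path $XmlPath -Leaf
    if ($leaf -ne 'DcCloneConfig.xml') {
        $problems.Add("File must be named DcCloneConfig.xml, found '$leaf'")
    }

    # Rules 2, 3 and 7: validate against the schema shipped in system32. This
    # catches mismatched tags and wrongly cased element names such as <address>.
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.ValidationType = [System.Xml.ValidationType]::Schema
    [void]$settings.Schemas.Add($null, $XsdPath)
    $settings.add_ValidationEventHandler({ param($s, $e) $problems.Add("Schema: $($e.Message)") })
    try {
        $reader = [System.Xml.XmlReader]::Create($XmlPath, $settings)
        while ($reader.Read()) { }
        $reader.Close()
    } catch {
        $problems.Add("XML is not well-formed: $($_.Exception.Message)")
        return $problems.ToArray()
    }

    # Rules 4 and 6: data format checks and no duplication of the source DC.
    # Empty elements are left alone; cloning fills them in automatically (rule 5).
    [xml]$doc = Get-Content -Path $XmlPath
    $root = $doc.DocumentElement
    $name = [string]$root.ComputerName
    if ($name) {
        if ($name -notmatch '^[A-Za-z0-9-]{1,15}$') {
            $problems.Add("ComputerName '$name' must be 1-15 letters, digits or hyphens")
        }
        if ($name -eq $env:COMPUTERNAME) { $problems.Add('ComputerName duplicates the source DC') }
    }
    $static = $root.IPSettings.IPv4Settings.StaticSettings
    if ($static) {
        $sourceIPv4 = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.ToString() }
        foreach ($field in 'Address', 'SubnetMask', 'DefaultGateway') {
            $v = [string]$static.$field
            if ($v -and -not (Test-IPv4Literal $v)) {
                $problems.Add("$field '$v' is not a valid w.x.y.z IPv4 value")
            }
        }
        $addr = [string]$static.Address
        if ($addr -and $sourceIPv4 -contains $addr) {
            $problems.Add("Address $addr duplicates the source DC")
        }
        foreach ($dns in @($static.DNSResolver)) {
            $v = [string]$dns
            if ($v -and -not (Test-IPv4Literal $v)) {
                $problems.Add("DNSResolver '$v' is not a valid IPv4 value")
            }
        }
    }
    return $problems.ToArray()
}

# Usage: an empty result means the file passed every check above.
$issues = Test-DcCloneConfig -XmlPath "$env:windir\NTDS\DcCloneConfig.xml"
if ($issues.Count -eq 0) { 'DcCloneConfig.xml passed pre-flight checks' } else { $issues }
```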
Template CustomDCCloneAllowList.xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- Empty sample CustomDCCloneAllowList.xml file -->
<AllowList>
  <Allow>
    <Name></Name>
    <Type>Service</Type>
  </Allow>
  <Allow>
    <Name></Name>
    <Type>Program</Type>
  </Allow>
</AllowList>
Note: Post-beta versions of Windows Server "8" Beta may include the ability to generate a CustomDCCloneAllowList.xml populated with all detected non-allow list programs and services. In Windows Server "8" Beta, however, you must create this XML file manually.
CustomDCCloneAllowList.XML Definitions
Each of the elements in the CustomDCCloneAllowList.xml describes a service or program. Cloning fails unless you uninstall the offending service or program, or use the CustomDCCloneAllowList.XML to override the detection.
Element: Name
Data: Can contain one of the following values:
  The same service name as the SERVICE_NAME returned by SC.EXE QUERY
  The program name listed in the DisplayName registry value of subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Element: Type
Data: Can contain one of the following values: Service, Program
Figure 8
Using an XML Editor
There are two XML editors provided by Microsoft:
Visual Studio 2010 Express (free, supported) - Download: http://www.microsoft.com/visualstudio/en-us/products/2010-editions/visual-csharp-express
XML Notepad (free, unsupported) - Download: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7973
Both tools can either create or modify the Dccloneconfig.xml and CustomDCCloneAllowList.xml files safely, if used correctly. In the example below, you see how to create or customize a Dccloneconfig.xml file. You can use the same steps (with one exception noted below) for the CustomDCCloneAllowList.XML file.
Warning: Do not use simple text editors, such as Notepad.exe, that do not understand XML formatting and schema. The XML has strict syntax requirements and is case-sensitive; most mistakes in the XML are fatal to cloning.
Using Visual Studio 2010 Express C#
The VS 2010 Express suite of development tools contains an advanced, built-in XML editor. This guide uses the C# version, but any is acceptable and the steps do not change.
1. Install Visual Studio 2010.
2. Create a new empty project. This contains all your XML files.
Figure 9
Figure 10
3. Enable Expert Settings, using the Tools menu option. This exposes the XML schema later.
Figure 11
4. Using the Project menu, Add New Item and make it an XML file. The name is unimportant, as this is a sample for generating new XML files.
Figure 12
Figure 13
5. Using the XML menu, add the Schema DCCloneConfigSchema.xsd (which you can copy from any Windows Server "8" Beta domain controller's %windir%\system32 directory).
Figure 14
Figure 15
Important: This applies only when creating or editing the DCCloneConfig.xml file. There is no schema file provided for CustomDCCloneAllowList.XML.
6. Paste in sample XML from this guide or from the provided templates and save your file and project. Using the View menu, add the Error List pane.
Note: All Windows Server "8" Beta domain controllers contain the template XML file %windir%\system32\SampleDcCloneConfig.xml. The template CustomDCCloneAllowList.xml is described previously in this guide.
You now have a base xml file to use for all subsequent work. The base dccloneconfig.xml includes the schema, highlights all issues with underlining and explanation, and supports Intellisense modification and autocomplete. You can modify any element for your new clones, make copies, and can save off different versions of the XML for later review. You can also add comments.
For instance, here is a dccloneconfig.xml sample including the computer name, site, and IPv4 information for a new DC. In this instance, the XML element for Address is malformed in one tag (missing an s):
Figure 16
In this instance, the elements are complete, but the case is incorrect (should be uppercase A on Address):
Figure 17
As you can see from these examples, catching these mistakes in a text editor would have been very difficult and would have required extraordinary attention to detail.
For environments using the full version of Visual Studio 2010 and Team Foundation Server, you can create a source control database to guarantee that all cloning info is tracked and checked in or out, minimizing the chance of duplication between administrators.
Using XML Notepad 2007
The older XML Notepad 2007 utility provides a simpler, albeit less sophisticated, editorial experience. This tool runs on Windows 8 Consumer Preview and Windows Server "8" Beta as long as the .Net 3.5.x runtimes are installed (they are not included with the OS by default). It is a free tool; it is not tested or supported by Microsoft Support and is provided strictly "as-is".
1. Install XML Notepad 2007 and launch it.
2. Paste in a sample from a SampleDccloneconfig.xml and save the file. Note how XML Notepad hides the XML tags from the reader in the tree view pane and shows the data in the right-hand pane, and how it does not expand the elements by default.
Figure 18
3. Use the View menu to Expand All nodes.
Figure 19
Figure 20
4. Use the View menu to add the c:\windows\system32\DCCloneConfigSchema.xsd, which you can find on any Windows Server "8" Beta domain controller.
Figure 21
Figure 22
You now have a dccloneconfig.xml to use for all subsequent work. It includes the schema, shows all issues in the Error List, and supports a dropdown menu of available elements in a given context. You can modify any element for your new clones and make copies.
For instance, here is a sample including the computer name, site, and IPv4 information for a new DC:
Figure 23
In this instance, the IPV4NetworkConfig Address element is invalid (should have an uppercase A):
Figure 24
Adding XML to the Running Source DC
Placement of the XML files is critical; if the DcCloneConfig.xml does not exist in the correct folder, then cloning does not occur. If the CustomDCCloneAllowList.xml does not exist in the correct folder, cloning may fail due to program or service allow list checking.
DcCloneConfig.xml Location
The following locations can contain the DcCloneConfig.xml file:
1. DSA Working Directory
2. %windir%\NTDS
3. Removable read/write media, in order of drive letter, at the root of the drive
These paths are not configurable. After cloning begins, the cloning engine checks these locations in that specific 1-3 order and uses the first XML file found, regardless of the other folders' contents.
CustomDCCloneAllowList.xml Location
The following locations can contain the CustomDCCloneAllowList.xml file:
1. The folder specified by the AllowListFolder (REG_SZ) value under HKey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters
2. DSA Working Directory
3. %windir%\NTDS
4. Removable read/write media, in order of drive letter, at the root of the drive
After cloning begins, the cloning checks these locations in that specific 1-4 order and uses the first XML file found, regardless of the other folder's contents.
Optionally, you can copy the updated XML files to the running source domain controller. There is no harm in copying the files at this stage and restarting the source DC: the original domain controller will not clone, because the VM-Generation ID does not change on the computer until the copied virtual computer boots up and reads its AD DS information. After restarting, the source domain controller renames the clone file, appending a date-time stamp.
Copying the XML to the original source domain controller before taking it offline is advisable when cloning only once or when using a blank dccloneconfig.xml file.
To copy the file using Windows PowerShell, use the following cmdlet:
Copy-Item
Figure 25
Alternatively, you can copy the XML file to the mounted offline disk copied later in the cloning process below.
Determining the DSA Working Directory
It is critical to note the path to the AD DS database folder while the source domain controller is still online and running, as determining it on an offline domain controller is difficult. You can determine it by examining the following DSA Working Directory REG_SZ registry value:
HKEY_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters
DSA Working Directory
To return the key without manually navigating through Regedit.exe, you can use the following Reg.exe command:
reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /t reg_sz /v "dsa working directory"
Figure 26
You can also use the following Windows PowerShell command:
get-itemproperty -path registry::hklm\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -name "dsa working directory" | format-list "dsa working directory"
Figure 27
You can combine get-itemproperty and copy-item in order to create automation. For example, to copy a remote dccloneconfig.xml to the local DSA working directory:
Figure 28
Note: Ntdsutil.exe can also provide this information, but requires stopping the NTDS service, which prevents the domain controller from answering requests.
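The get-itemproperty and copy-item combination described above, as an added example that is not part of this guide: it reads the DSA Working Directory value from the registry key named above, confirms the folder exists, and copies only the two fixed-name files cloning recognises from a share into it. The share path \\fileserver\vdc is an assumed placeholder.

```powershell
# Added example, not from the guide: copy DcCloneConfig.xml (and, when present,
# CustomDCCloneAllowList.xml) into the local source DC's DSA Working Directory.
function Get-DsaWorkingDirectory {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $value = (Get-ItemProperty -Path $params -Name 'DSA Working Directory' -ErrorAction Stop).'DSA Working Directory'
    if (-not (Test-Path -Path $value -PathType Container)) {
        throw "DSA Working Directory '$value' read from $params does not exist"
    }
    return $value
}

function Copy-DcCloneXml {
    param([Parameter(Mandatory)][string]$SourceFolder)
    $target = Get-DsaWorkingDirectory
    $copied = @()
    # File names are fixed; anything else in the share is ignored on purpose.
    foreach ($name in 'DcCloneConfig.xml', 'CustomDCCloneAllowList.xml') {
        $src = Join-Path -Path $SourceFolder -ChildPath $name
        if (Test-Path -Path $src -PathType Leaf) {
            $dest = Join-Path -Path $target -ChildPath $name
            Copy-Item -Path $src -Destination $dest -Force
            $copied += $dest
        }
    }
    # Without DcCloneConfig.xml in a valid location the clone never starts.
    if ($copied -notcontains (Join-Path -Path $target -ChildPath 'DcCloneConfig.xml')) {
        Write-Warning "No DcCloneConfig.xml in $SourceFolder; cloning will not occur without it"
    }
    return $copied
}

# \\fileserver\vdc is an assumed placeholder for wherever you keep the edited XML.
Copy-DcCloneXml -SourceFolder '\\fileserver\vdc'
```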
3. Verify the PDCE FSMO role
Before you attempt to clone a DC, you must validate that the domain controller hosting the Primary Domain Controller Emulator FSMO runs Windows Server "8" Beta. The PDC emulator (PDCE) is required for several reasons:
1. The PDCE creates the special Cloneable Domain Controllers group and sets its permission on the root of the domain to allow a domain controller to clone itself.
2. The cloning domain controller contacts the PDCE directly using the DRSUAPI RPC protocol, in order to create computer objects.
This also means when using non-fully routed networks, VDC cloning requires network segments with access to the PDCE. It is acceptable to move a cloned domain controller to a different network after cloning - just like a physical domain controller - as long as you are careful to update the AD DS logical site information.
Important: You cannot clone a domain controller in a domain that contains only that single domain controller. A domain must contain at least two domain controllers, and the clone source cannot be the PDC emulator.
Active Directory Users and Computers Method
1. Using the Dsa.msc snap-in, right click the domain and click Operations Masters. Note the domain controller named on the PDC tab and close the dialog.
2. Right click that DC's computer object and click Properties, and then validate the Operating System info.
Windows PowerShell Method You can combine the following ActiveDirectory Windows PowerShell Module cmdlets to return the version of the PDC emulator:
Get-ADDomainController
Get-ADComputer
If not provided the domain, these cmdlets assume the domain of the computer where run.
The following command returns PDCE and Operating System info:
get-adcomputer (Get-ADDomainController -Discover -Service "PrimaryDC").name -property * | format-list dnshostname,operatingsystem,operatingsystemversion
This example below demonstrates specifying the domain name and filtering the returned properties before the Windows PowerShell pipeline:
Figure 29
Validate PDCE AvailabilityTo validate that the PDCE can be located, run the following Dcdiag.exe command from the server you plan to clone:
Dcdiag /test:locatorcheck /v
This returns the DCLocator status of the PDCE. For example:
Figure 30
To validate that the PDCE is accessible through the DRSUAPI RPC protocol, use Nltest.exe /dclist against the PDCE. That test exercises the DsGetDomainControllerInfo function, which is part of DRSUAPI.
Nltest /server:<PDCE> /dclist:<domain>
For example:
Figure 31
Important: Always perform these tests from a computer on the same network where the clone will reside.
4. Authorize a Source DC
The source domain controller must have the special domain head permission Allow a DC to create a clone of itself. By default, the well-known group Cloneable Domain Controllers has this permission and contains no members. The PDCE creates this group when that FSMO role transfers to a Windows Server "8" Beta domain controller.
Active Directory Administrative Center Method
1. Start Dsac.exe and navigate to the source DC, then open its detail page.
2. In the Member Of section, add the Cloneable Domain Controllers group for that domain.
Windows PowerShell Method
You can combine the following ActiveDirectory Windows PowerShell Module cmdlets to add the source domain controller to the Cloneable Domain Controllers group:
Get-ADComputer
Add-ADGroupMember
For instance, this adds server DC1 to the group, without the need to specify the distinguished name of the group member:
Figure 32
Rebuilding Default Permissions
If you remove this permission from the domain head, cloning fails. You can recreate the permission using the Active Directory Administrative Center or Windows PowerShell.
Active Directory Administrative Center Method
1. Open Active Directory Administrative Center, right click the domain head, click Properties, click the Extensions tab, click Security, and then click Advanced. Click This Object Only.
2. Click Add, under Enter the object name to select, type the group name Cloneable Domain Controllers.
3. Under Permissions, click Allow a DC to create a clone of itself, and then click OK.
Note: You can also remove the default permission and add individual domain controllers. Doing so is likely to cause ongoing maintenance problems, however, where new administrators are unaware of this customization. Changing the default setting does not increase security and is discouraged.
Windows PowerShell Method
Use the following commands in an administrator-elevated Windows PowerShell console prompt. These commands detect the domain name and add back in the default permissions:
import-module activedirectory
cd ad:
$domainNC = get-addomain
$dcgroup = get-adgroup "Cloneable Domain Controllers"
$sid1 = (get-adgroup $dcgroup).sid
$acl = get-acl $domainNC
# GUID of the "Allow a DC to create a clone of itself" extended right
$objectguid = new-object Guid 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid1,"ExtendedRight","Allow",$objectguid
$acl.AddAccessRule($ace1)
set-acl -aclobject $acl $domainNC
cd c:
Alternatively, run the sample FixVDCPermissions.ps1 in a Windows PowerShell console, where the console starts as an elevated administrator on a domain controller in the affected domain. It automatically sets the permissions. The sample is located in the appendix of this guide.
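Before changing anything, it helps to audit the prerequisites from steps 3 and 4 in one pass. The following read-only check is an added example, not part of this guide or of the FixVDCPermissions.ps1 sample: it reports whether the PDCE runs Windows Server "8" Beta, whether the source DC is in Cloneable Domain Controllers, whether the group still holds the extended right (same GUID as the commands above) on the domain head, and whether the domain has a second DC. It assumes the ActiveDirectory module, that Get-ADComputer accepts the bare DC name as the page's own command does, and that Windows Server "8" Beta reports OperatingSystemVersion beginning with 6.2.

```powershell
# Added example, not from the guide: read-only audit of VDC cloning prerequisites.
Import-Module ActiveDirectory

function Test-VdcCloningPrereqs {
    param(
        [string]$SourceDC = $env:COMPUTERNAME,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    # Extended right "Allow a DC to create a clone of itself" (GUID from the
    # Set-Acl commands above).
    $cloneRight = [Guid]'3e0f7e18-2c7a-4c10-ba82-4d926db99a3e'
    $domainObj  = Get-ADDomain -Identity $Domain

    # Step 3: locate the PDCE and read its OS (Windows Server "8" Beta is NT 6.2).
    $pdcName = (Get-ADDomainController -Discover -DomainName $Domain -Service PrimaryDC).Name
    $pdc = Get-ADComputer -Identity $pdcName -Server $Domain -Properties OperatingSystem, OperatingSystemVersion

    # Step 4a: the source DC must be a member of Cloneable Domain Controllers.
    $members = @(Get-ADGroupMember -Identity 'Cloneable Domain Controllers' -Server $Domain |
        Select-Object -ExpandProperty Name)

    # Step 4b: the group must still hold the extended right on the domain head.
    $acl = Get-Acl -Path "AD:\$($domainObj.DistinguishedName)"
    $ace = $acl.Access | Where-Object {
        $_.ObjectType -eq $cloneRight -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like '*\Cloneable Domain Controllers'
    }

    # The source cannot be the PDCE and the domain needs at least two DCs.
    $dcCount = @(Get-ADDomainController -Filter * -Server $Domain).Count

    return [PSCustomObject]@{
        PDCE                   = $pdc.DNSHostName
        PDCEOperatingSystem    = "$($pdc.OperatingSystem) $($pdc.OperatingSystemVersion)"
        PDCERunsWS8Beta        = ($pdc.OperatingSystemVersion -like '6.2*')
        SourceIsNotPDCE        = ($pdc.Name -ne $SourceDC)
        SourceInCloneableGroup = ($members -contains $SourceDC)
        CloneRightOnDomainHead = [bool]$ace
        DomainHasTwoOrMoreDCs  = ($dcCount -ge 2)
    }
}

# Every boolean property should be True before the source DC is shut down for copying.
Test-VdcCloningPrereqs -SourceDC 'DC1'
```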
Critical: The source Windows Server "8" Beta domain controller cannot have been previously migrated from FRS to DFSR for SYSVOL. Due to a known incompatibility in Windows Server "8" Beta, doing so will not correctly populate SYSVOL. See the Troubleshooting VDC Cloning section below for more details on this issue.
For more information on FRS to DFSR SYSVOL migration, review SYSVOL Replication Migration Guide: FRS to DFS Replication: http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx
5. Remove Incompatible applications or services (if not using CustomDCCloneAllowList.xml)
Any programs or services previously returned by Get-ADDCCloningExcludedApplicationList - and not added to the CustomDCCloneAllowList.xml - must be removed prior to cloning. Uninstalling the application or service is the recommended method.
Critical: Any incompatible programs or services not uninstalled or added to the CustomDCCloneAllowList.xml prevent cloning.
6. Take the Source Domain Controller Offline
You cannot copy a running source DC; it must be shut down gracefully. Do not clone a domain controller stopped by graceless power loss.
Graphical Method
Use the shutdown button within the running DC, or the Hyper-V Manager shutdown button.
Figure 33
Figure 34
Windows PowerShell Method
You can shut down a virtual machine using either of the following cmdlets:
Stop-Computer
Stop-VM
Stop-computer is a cmdlet that supports shutting down computers regardless of virtualization, and is analogous to the legacy Shutdown.exe utility. Stop-vm is a new cmdlet in the Windows Server "8" Beta Hyper-V Windows PowerShell module, and is equivalent to the power options in Hyper-V Manager. The latter is useful in lab environments where the domain controller often operates on a private virtualized network.
Figure 35
Figure 36
7. Copy Disks
An administrative choice is required in the copying phase:
1. Copying the disks manually, without Hyper-V
2. Exporting the VM, using Hyper-V
All of a virtual machine's disks must be copied, not just the system drive. If the source domain controller uses differencing disks and you plan to move your cloned domain controller to another Hyper-V host, you must export.
Copying disks manually is recommended if the source domain controller has only one drive. Export is recommended for VMs with more than one drive or other complex virtualized hardware customizations like multiple NICs.
If copying files manually, delete any snapshots prior to copying. If exporting the VM, delete snapshots prior to exporting or from the new VM after importing.
Critical: Snapshots are differencing disks that can return a domain controller to a previous state. If you were to clone a domain controller and then restore its pre-cloning snapshot, you would end up with duplicate domain controllers in the forest. There is no value in prior snapshots on a newly cloned domain controller. Once cloned, the source domain controller can create a new snapshot.
Manually Copying Disks
Hyper-V Manager Method
Use the Hyper-V Manager snap-in to determine which disks are associated with the source domain controller. Use the Inspect option to validate whether the domain controller uses differencing disks (which requires that you copy the parent disk also).
Figure 37
To delete snapshots, select a VM and delete the snapshot subtree.
Figure 38
You can then manually copy the VHD or VHDX files using Windows Explorer, Xcopy.exe, or Robocopy.exe. No special steps are required. It is a best practice to change the file names even if moving to another folder.
Windows PowerShell Method
To determine the disks using Windows PowerShell, use the following Hyper-V module cmdlets:
Get-VMIdeController
Get-VMScsiController
Get-VMFibreChannelHba
Get-VMHardDiskDrive
For example, you can return all IDE hard drives from a VM named DC2 with the following sample:
Figure 39
If the disk path points to an AVHD or AVHDX file, it is a snapshot. To delete the snapshots associated with a disk and merge in the real VHD or VHDX, use the following cmdlets:
Get-VMSnapshot
Remove-VMSnapshot
For example, to delete all snapshots from a VM named DC2-SOURCECLONE:
To copy the files using Windows PowerShell, use the following cmdlet:
Copy-Item
Combine with VM cmdlets in pipelines to aid automation. The pipeline is a channel used between multiple cmdlets to pass data. For example, to copy the drive of an offline source domain controller named DC2-SOURCECLONE to a new disk called c:\temp\copy.vhd without the need to know the exact path to its system drive:
Important: You cannot use pass-through disks with VDC cloning, as they do not use a virtual disk file but instead an actual hard disk.
More Information:
For more information about Windows PowerShell operations with pipelines, see Piping and the Pipeline in Windows PowerShell: http://technet.microsoft.com/en-us/library/ee176927.aspx
Exporting the VM
As an alternative to copying the disks, you can export the entire Hyper-V VM as a copy. Exporting automatically creates a folder named for the VM and containing all disks and configuration information.
Figure 40
Hyper-V Manager Method
To export a VM with Hyper-V Manager:
1. Right click the source domain controller and click Export
2. Select an existing folder as the export container
3. Wait for the Status column to stop showing Exporting
Windows PowerShell Method
To export a VM using the Hyper-V Windows PowerShell module, use the following cmdlet:
Export-vm
For example, to export a VM named DC2-SOURCECLONE to a folder named C:\VM:
Figure 41
Adding XML to the Offline System Disk
If you did not copy the Dccloneconfig.xml to the running source DC, you must copy the updated dccloneconfig.xml file to the offline copied/exported system disk now. Depending on the installed applications detected with Get-ADDCCloningExcludedApplicationList earlier, you may also need to copy the CustomDCCloneAllowList.xml file to the disk.
The following locations can contain the DcCloneConfig.xml file:
1. DSA Working Directory
2. %windir%\NTDS
3. Removable read/write media, in order of drive letter, at the root of the drive
These paths are not configurable. When cloning begins, the clone checks these locations in that order and uses the first DcCloneConfig.xml found, ignoring any copies in the other locations.
The following locations can contain the CustomDCCloneAllowList.xml file:
1. The folder named in the AllowListFolder (REG_SZ) value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
2. DSA Working Directory
3. %windir%\NTDS
4. Removable read/write media, in order of drive letter, at the root of the drive
Windows Explorer Method
Windows Server "8" Beta now offers a graphical option for mounting VHD and VHDX files:
1. Click the newly copied VHD/VHDX file that contains the source DC's system drive or DSA Working Directory location folder, and then click Mount from the Disc Image Tools menu
2. In the now-mounted drive, copy the XML files to a valid location. You may be prompted for permissions to the folder
3. Click the mounted drive and click Eject from the Disk Tools menu
Figure 42
Figure 43
Figure 44
Windows PowerShell Method
Alternatively, you can mount the offline disk and copy the XML file using the Windows PowerShell cmdlets:
Mount-VHD
Get-Disk
Get-Partition
Get-Volume
Add-PartitionAccessPath
Copy-Item
Dismount-VHD
This gives you complete control over the process. For instance, the drive can be mounted at a specific drive letter, the file copied, and the drive dismounted:
Mount-VHD <disk path> -Passthru -NoDriveLetter | Get-Disk | Get-Partition | Get-Volume | Get-Partition | Add-PartitionAccessPath -AccessPath <drive letter>
Copy-Item <xml file path> <destination path>\dccloneconfig.xml
Dismount-VHD <disk path>
The Get-Volume | Get-Partition hop keeps only partitions that carry a volume. If the disk has more than one such partition (for example a System Reserved partition beside the Windows partition), add a filter so that the access path is assigned to the partition that contains \Windows\NTDS.
For example:
Figure 45
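As an added example (not part of the original guide), the mount-and-copy step above with the checks a practitioner wants: the disk is mounted without automatic drive letters, each partition is tried at the chosen letter until one contains \Windows\NTDS, both XML files are placed there, and the disk is dismounted even if something fails. It assumes the Hyper-V and Storage modules of Windows Server "8" Beta, a DSA Working Directory at the default %windir%\NTDS, and hypothetical paths (C:\vm\dc4-systemdrive-clonedfromdc2.vhd, C:\clone-config) and drive letter X:.

```powershell
# Added example, not code from the original guide. Mounts a copied system disk at a
# chosen letter, finds the partition holding Windows, copies DcCloneConfig.xml (and
# CustomDCCloneAllowList.xml when present) into %windir%\NTDS and always dismounts.
# Assumes the Hyper-V and Storage modules of Windows Server "8" Beta and a default DSA
# Working Directory of %windir%\NTDS. Paths and drive letter are hypothetical.
param(
    [string]$VhdPath     = 'C:\vm\dc4-systemdrive-clonedfromdc2.vhd',
    [string]$XmlFolder   = 'C:\clone-config',   # holds DcCloneConfig.xml and, optionally, CustomDCCloneAllowList.xml
    [string]$DriveLetter = 'X:'
)

$config = Join-Path $XmlFolder 'DcCloneConfig.xml'
if (-not (Test-Path $config)) { throw "$config not found; generate it before copying." }

# -NoDriveLetter stops Windows from assigning letters to every partition on the disk
# (System Reserved, OS, data), so exactly one mount point is under our control.
$disk = Mount-VHD -Path $VhdPath -NoDriveLetter -Passthru | Get-Disk
try {
    $mounted = $null
    foreach ($part in ($disk | Get-Partition)) {
        # Try each partition at the chosen letter and keep the first one that holds
        # \Windows\NTDS; System Reserved and recovery partitions are skipped this way.
        $part | Add-PartitionAccessPath -AccessPath $DriveLetter
        Start-Sleep -Milliseconds 500
        if (Test-Path "$DriveLetter\Windows\NTDS") { $mounted = $part; break }
        $part | Remove-PartitionAccessPath -AccessPath $DriveLetter
    }
    if (-not $mounted) { throw "No partition on $VhdPath contains \Windows\NTDS; is this the system disk?" }

    $ntds = "$DriveLetter\Windows\NTDS"
    Copy-Item -Path $config -Destination "$ntds\DcCloneConfig.xml" -Force

    # Only needed when Get-ADDCCloningExcludedApplicationList reported software that
    # you have reviewed and decided is safe to clone.
    $allow = Join-Path $XmlFolder 'CustomDCCloneAllowList.xml'
    if (Test-Path $allow) {
        Copy-Item -Path $allow -Destination "$ntds\CustomDCCloneAllowList.xml" -Force
    }

    # Show exactly what the clone will read at first boot.
    Get-ChildItem -Path $ntds -Filter '*.xml' | Select-Object Name, Length, LastWriteTime
}
finally {
    # Dismount even on error; a disk left mounted cannot be attached to the new VM.
    Dismount-VHD -Path $VhdPath
}
```

Run it from an elevated Windows PowerShell session on the Hyper-V host. Because the clone reads the DSA Working Directory first, place the file there instead if that directory was moved off %windir%\NTDS on the source.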
8. Create the New Virtual Machine
The final configuration step before starting the cloning process is creating a new VM that uses the disks from the copied source domain controller. Depending on the selection made in the copying disks phase, you have two options:
1. Associate a new VM with the copied disk
2. Import the exported VM
Associating a New VM with Copied Disks
If you copied the system disk manually, you must create a new virtual machine using the copied disk. The hypervisor automatically sets the VM-Generation ID for copied disks; no configuration changes are required in the VM or on the Hyper-V host.
Hyper-V Manager Method
Figure 46
1. Create a new virtual machine
2. Specify the VM name, memory, and network
3. On the Connect Virtual Hard Disk page, specify the copied system disk.
4. Complete the wizard to create the VM.
If there were multiple disks, NICs, or other customizations, configure them before starting the domain controller. The "Export-Import" method of copying disks is recommended for complex VMs.
Windows PowerShell Method
You can use the Hyper-V Windows PowerShell module to automate VM creation in Windows Server "8" Beta, using the following cmdlet:
New-VM
For example, here the DC4-CLONEDFROMDC2 VM is created, using 1GB of RAM, booting from the c:\vm\dc4-systemdrive-clonedfromdc2.vhd file, and using the 10.0 virtual network:
Figure 47
Import VM
If you previously exported your VM, you now need to import it back in as a copy. This uses the exported XML to recreate the computer with all of its previous settings, drives, networks, and memory.
Important: Use the Copy option. Export preserves all identifiers from the source, so importing with the Move or In Place options on the same Hyper-V host collides with the still-registered source VM.
Hyper-V Manager Method
To import using the Hyper-V Manager snap-in:
1. Click Import Virtual Machine
2. On the Locate Folder page, select the exported VM definition file using the Browse button
3. On the Select Virtual Machine page, click the source computer.
4. On the Choose Import Type page, click Copy the virtual machine (create a new unique ID), then click Finish
5. Rename the imported VM if importing on the same Hyper-V host; it will have the same name as the exported source domain controller.
Figure 48
Figure 49
Figure 50
Remember to remove any imported snapshots, using the Hyper-V Management snap-in:
Figure 51
Critical: Deleting any imported snapshots is critically important; if applied, they would return the cloned domain controller to the state of a previous - and possibly live - DC, leading to replication failure, duplicate IP information, and other disruptions.
Windows PowerShell Method
You can use the Hyper-V Windows PowerShell module to automate VM import in Windows Server "8" Beta, using the following cmdlets:
Import-VM
Rename-VM
For example, here the exported VM DC2-CLONED is imported using its automatically determined XML file, then renamed immediately to its new VM name DC5-CLONEDFROMDC2:
Figure 52
Remember to remove any imported snapshots, using the following cmdlets:
Get-VMSnapshot
Remove-VMSnapshot
For example:
Figure 53
Critical: Deleting any imported snapshots is critical; if applied, they would return the cloned domain controller to the state of a previous - and possibly live - DC, leading to replication failure, duplicate IP information, and other disruptions.
9. Clone the New Virtual Machine
Optionally, before you begin cloning, turn the offline clone source domain controller back on. Ensure that the PDC emulator is online, regardless.
To begin cloning, simply start the new virtual machine. The process initiates automatically and the domain controller reboots automatically after cloning is complete.
Important: Keeping domain controllers turned off for an extended period of time is not recommended, and if the clone is joining the same site as its source DC, the initial intra- and inter-site replication topology may take longer to build if the source domain controller is offline.
Figure 54
If using Windows PowerShell to start a VM, the new Hyper-V Module cmdlet is:
Start-VM
For example:
Figure 55
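The following is an added example (not from the original guide) that carries out steps 8 and 9 as one script: the new VM is either created from the copied disk or imported as a copy with a new unique ID and renamed at once, every imported snapshot is deleted and the remaining count verified to be zero, the PDC emulator is checked on TCP 135 (RPC endpoint mapper) and 389 (LDAP), and only then is the clone started. It assumes the Hyper-V module of Windows Server "8" Beta and the folder layout a Hyper-V export produces (a Virtual Machines subfolder holding the VM definition XML); the VM names, paths, switch name 10.0 and PDC emulator name dc1.corp.contoso.com are hypothetical.

```powershell
# Added example, not code from the original guide. Builds the new VM from a copied disk
# or an export, removes every imported snapshot, proves none remain, confirms the PDC
# emulator answers on RPC and LDAP, then starts the clone. Assumes the Hyper-V module of
# Windows Server "8" Beta; all names and paths below are hypothetical.

function New-ClonedDcVm {
    # Path 1: a manually copied system disk becomes a fresh VM. Hyper-V assigns the new
    # VM-Generation ID on its own; nothing else on the host needs changing.
    param([string]$Name, [string]$VhdPath, [string]$SwitchName, [long]$MemoryBytes = 1GB)
    New-VM -Name $Name -MemoryStartupBytes $MemoryBytes -VHDPath $VhdPath -SwitchName $SwitchName
}

function Import-ClonedDcVm {
    # Path 2: an exported VM comes back as a copy with a new unique ID, so it cannot
    # collide with the source on the same host, and is renamed before anything else
    # can address it by the source's name.
    param([string]$ExportFolder, [string]$NewName)
    $xml = Get-ChildItem -Path (Join-Path $ExportFolder 'Virtual Machines') -Filter '*.xml' |
           Select-Object -First 1
    if (-not $xml) { throw "No VM definition found under $ExportFolder." }
    $vm = Import-VM -Path $xml.FullName -Copy -GenerateNewId   # add -VhdDestinationPath to choose where disks land
    Rename-VM -VM $vm -NewName $NewName -Passthru
}

function Remove-AllSnapshots {
    # An imported snapshot, if ever applied, rolls the clone back to the source's state:
    # same identity, same IP, same replication partners. Delete them all and refuse to
    # continue unless the count really is zero. VM objects, not names, are used so a
    # source still carrying the same name on this host cannot be matched by mistake.
    param($Vm)
    Get-VMSnapshot -VM $Vm | Remove-VMSnapshot
    $left = @(Get-VMSnapshot -VM $Vm).Count
    if ($left -ne 0) { throw "$left snapshot(s) still present on $($Vm.Name)." }
}

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# --- procedure ---------------------------------------------------------------
$pdce = 'dc1.corp.contoso.com'   # hypothetical PDC emulator; cloning needs it over RPC and LDAP

$newVm = Import-ClonedDcVm -ExportFolder 'C:\VM\DC2-CLONED' -NewName 'DC5-CLONEDFROMDC2'
# Or, when the system disk was copied by hand:
# $newVm = New-ClonedDcVm -Name 'DC4-CLONEDFROMDC2' -VhdPath 'c:\vm\dc4-systemdrive-clonedfromdc2.vhd' -SwitchName '10.0'

Remove-AllSnapshots -Vm $newVm

foreach ($port in 135, 389) {
    if (-not (Test-TcpPort -Computer $pdce -Port $port)) {
        throw "PDC emulator $pdce not reachable on TCP $port; the clone would boot into DSRM (events 29253/29254)."
    }
}

Start-VM -VM $newVm
"Started $($newVm.Name); cloning runs at first boot and the DC reboots when it completes."
```

The port test runs from the Hyper-V host. If the clone's virtual switch sits on a different network than the host's management interface, repeat the same test from a VM on that switch before starting the clone.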
Once the computer restarts after cloning completes, it is a domain controller and you can log on normally to confirm normal operation. If there are any errors, the server boots into Directory Services Restore Mode (DSRM) for investigation; see the Troubleshooting section below if that occurs.
Virtualized Domain Controller Safe Restore
Unlike virtualized domain controller cloning, Windows Server "8" Beta VDC safe restore has no configuration steps. The feature works without intervention as long as you meet some simple conditions:
The hypervisor supports VM-Generation ID
There is a valid partner domain controller that a restored domain controller can replicate changes from non-authoritatively.
Validate the Hypervisor
Ensure the domain controller is running on a supported hypervisor by reviewing the vendor documentation. Safe restore is hypervisor agnostic and does not require Hyper-V; it requires only a hypervisor that exposes VM-Generation ID.
Review the previous Platform Requirements section in this guide for known VM-generation ID support.
Validate the Replication Topology
VDC safe restore initiates non-authoritative inbound replication for the delta of AD replication as well as non-authoritative resynchronization of all SYSVOL contents. This ensures the domain controller returns from a snapshot with full functionality and all object knowledge.
With this new capability come several requirements and limitations:
A restored domain controller must be able to contact a writable DC
All domain controllers in a domain must not be restored simultaneously
Any changes originating from a restored domain controller that have not yet replicated outbound since the snapshot was taken are lost forever
While the troubleshooting section covers these scenarios, the details below ensure you do not create a dangerous topology.
Writable Domain Controller Contact
If restored, a domain controller must have connectivity to a writable domain controller; a read-only domain controller cannot send the delta of updates. The topology is likely correct for this already, as a writable domain controller always needed a writable partner. However, if all writable domain controllers are restoring simultaneously, none of them can find a valid source. The same goes if the writable domain controllers are offline for maintenance or otherwise unreachable through the network.
Simultaneous Restore
Do not restore all domain controllers in a single domain simultaneously. If all snapshots restore at once, AD replication works normally but SYSVOL replication halts. The restore architecture of FRS and DFSR requires setting their replica instance to non-authoritative sync mode. If all domain controllers restore at once, and each domain controller marks itself non-authoritative for SYSVOL, they all then try to synchronize group policies and scripts from an authoritative partner; at that point, though, all partners are also non-authoritative.
Important: If all domain controllers are restored at once, use the following articles to set one domain controller - typically the PDC emulator - as authoritative, so that the other domain controllers can return to normal operation:
Using the BurFlags registry key to reinitialize File Replication Service replica sets: http://support.microsoft.com/kb/290762
How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS): http://support.microsoft.com/kb/2218556
Warning: Do not run all domain controllers in a forest or domain on the same hypervisor host. That introduces a single point of failure that cripples AD DS, Exchange, SQL, and other enterprise operations each time the hypervisor goes offline. This is no different from using only one domain controller for an entire domain or forest. Multiple domain controllers on multiple platforms are simple prudence in a modern IT environment, just like fire and flood insurance.
Post-Snapshot Replication
Do not restore snapshots until all locally originating changes made since snapshot creation have replicated outbound. Any originating changes are lost forever if other domain controllers did not already receive them through replication.
Use Repadmin.exe to show any un-replicated outbound changes between a domain controller and its partners:
1. Return the DC's outbound partner names and its own DSA object GUID with:
Repadmin.exe /showrepl <name of the DC to be restored> /repsto
2. Return the changes a partner has not yet received from the DC to be restored (the partner's pending inbound replication from that DC):
Repadmin.exe /showchanges <name of partner DC> <DSA object GUID of the DC being restored> <naming context to compare>
Alternatively, just to see the count of un-replicated changes:
Repadmin.exe /showchanges <name of partner DC> <DSA object GUID of the DC being restored> <naming context to compare> /statistics
For example (output trimmed for readability), here you look at the outbound replication partners of DC4:
C:\>repadmin.exe /showrepl dc4.corp.contoso.com /repsto
Default-First-Site-Name\DC4
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 5d083398-4bd3-48a4-a80d-fb2ebafb984f
DSA invocationID: 730fafec-b6d4-4911-88f2-5b64e48fc2f1
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
DC=corp,DC=contoso,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: f62978a8-fcf7-40b5-ac00-40aa9c4f5ad3
        Last attempt @ 2011-11-11 15:04:12 was successful.
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 3019137e-d223-4b62-baaa-e241a0c46a11
        Last attempt @ 2011-11-11 15:04:15 was successful.
Now you know that it is replicating with DC2 and DC3. You then show the list of changes that DC2 states it still does not have from DC4, and see that there is one new group:
C:\>repadmin /showchanges dc2.corp.contoso.com 5d083398-4bd3-48a4-a80d-fb2ebafb984f dc=corp,dc=contoso,dc=com
==== SOURCE DSA: (null) ====
Objects returned: 1
(0) add CN=newgroup4,CN=Users,DC=corp,DC=contoso,DC=com
    1> parentGUID: 55fc995a-04f4-4774-b076-d6a48ac1af99
    1> objectGUID: 96b848a2-df1d-433c-a645-956cfbf44086
    2> objectClass: top; group
    1> instanceType: 0x4 = ( WRITE )
    1> whenCreated: 11/11/2011 3:03:57 PM Eastern Standard Time
You would also test the other partner to ensure that it had not already replicated.
Alternatively, if you did not care which objects had not replicated and only cared that any objects were outstanding, you can use the /statistics option:
C:\>repadmin /showchanges dc2.corp.contoso.com 5d083398-4bd3-48a4-a80d-fb2ebafb984f dc=corp,dc=contoso,dc=com /statistics
******************************************************** Grand total *************************
Packets: 1
Objects: 1
Object Additions: 1
Object Modifications: 0
Object Deletions: 0
Object Moves: 0
Attributes: 12
Values: 13
Important: Test all writable partners if you see any failures or outstanding replication. As long as at least one is converged, it is generally safe to restore the snapshot, as transitive replication eventually reconciles the other servers. Be sure to note any replication errors shown by /showchanges as well, and do not proceed until they are fixed.
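The check just described, automated, as an added example that is not part of the original guide: for the DC whose snapshot you intend to restore, it reads the DSA object GUID and outbound partners from repadmin /showrepl <dc> /repsto, then asks each partner how many objects it still lacks from that DC with /showchanges ... /statistics, and reports restore as safe only when at least one partner shows zero outstanding objects and no partner reports an error. It assumes repadmin.exe on the path and the output layout shown on this page; the parsing regexes are ours, not part of the tool's contract, and the DC and naming context names are those of the page's example.

```powershell
# Added example, not code from the original guide. Pre-restore check: has every change
# that originated on the DC to be restored already reached at least one partner?
# Assumes repadmin.exe and the output layout shown in the guide; the regexes below are
# our own parsing of that layout.

function Get-OutboundPartners {
    param([string]$DcName)
    $out = repadmin /showrepl $DcName /repsto
    # The first "DSA object GUID" line belongs to the DC itself.
    $m = $out | Select-String -Pattern 'DSA object GUID:\s*([0-9a-f-]{36})' | Select-Object -First 1
    if (-not $m) { throw "Could not read the DSA object GUID of $DcName from repadmin output." }
    $self = $m.Matches[0].Groups[1].Value

    # Outbound neighbours are listed as "<Site>\<DC> via RPC" after the OUTBOUND NEIGHBORS banner.
    $partners = @()
    $inOutbound = $false
    foreach ($line in $out) {
        if ($line -match 'OUTBOUND NEIGHBORS') { $inOutbound = $true; continue }
        if ($inOutbound -and $line -match '^\s*\S+\\(\S+) via RPC') { $partners += $Matches[1] }
    }
    [pscustomobject]@{ DsaGuid = $self; Partners = @($partners | Select-Object -Unique) }
}

function Get-PendingObjectCount {
    # Objects $Partner has not yet received from the DC identified by $DsaGuid.
    # Returns -1 when repadmin reports an error, which the caller treats as unsafe.
    param([string]$Partner, [string]$DsaGuid, [string]$NamingContext)
    $out = repadmin /showchanges $Partner $DsaGuid $NamingContext /statistics
    if ($out -match 'error|failed') { return -1 }
    $m = $out | Select-String -Pattern '^\s*Objects:\s*(\d+)' | Select-Object -First 1
    if ($m) { return [int]$m.Matches[0].Groups[1].Value }
    return -1
}

function Test-SafeToRestore {
    param([string]$DcName, [string]$NamingContext)
    $info = Get-OutboundPartners -DcName $DcName
    $results = foreach ($p in $info.Partners) {
        [pscustomobject]@{
            Partner = $p
            Pending = Get-PendingObjectCount -Partner $p -DsaGuid $info.DsaGuid -NamingContext $NamingContext
        }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    # One converged partner is enough: transitive replication reconciles the rest.
    # Any error, however, blocks the restore until it is fixed.
    $converged = @($results | Where-Object { $_.Pending -eq 0 }).Count -gt 0
    $errors    = @($results | Where-Object { $_.Pending -lt 0 }).Count -gt 0
    return ($converged -and -not $errors)
}

if (Test-SafeToRestore -DcName 'dc4.corp.contoso.com' -NamingContext 'dc=corp,dc=contoso,dc=com') {
    Write-Host 'Every change that originated on DC4 exists on at least one partner; snapshot restore is safe.'
} else {
    Write-Host 'Outstanding or failed replication; do NOT restore the snapshot yet.'
}
```

Run it once per naming context the DC holds (domain, configuration, schema and any application partitions); a DC that is converged for the domain partition can still own unreplicated changes elsewhere. Partners that are read-only domain controllers show up in the list too, so check that the converged partner is a writable DC before relying on it.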
Windows PowerShell Snapshot Cmdlets
The following Windows PowerShell Hyper-V module cmdlets provide snapshot capabilities in Windows Server "8" Beta:
Checkpoint-VM
Export-VMSnapshot
Get-VMSnapshot
Remove-VMSnapshot
Rename-VMSnapshot
Restore-VMSnapshot
Further Recommendations
VDC safe restore requires administrative responsibility; you can still configure virtualized domain controllers in ways that prevent the use of safe restore. Review the following best practices to ensure reliable operation.
Do not use snapshots in lieu of frequent system state backups and the AD Recycle Bin. Restoring a snapshot does not preserve changes that originated on the DC after the snapshot was taken; safe restore merely prevents the restored DC from being quarantined. Objects created, modified, or deleted since the snapshot are lost forever if they were not successfully replicated outbound before the restore. Safe restore is a safeguard for administrators when snapshots are used in production, so that restoring one does not instantly quarantine a domain controller or introduce lingering objects. This is a very real risk on earlier platforms and hypervisors without VM-Generation ID, where the hypervisor administrators may not have deep knowledge of domain administration or multi-master replication. Limit intentional use of snapshots on domain controllers to test environments whenever possible.
Do not restore snapshots of a VM taken before it was a domain controller. Once a server is promoted to a DC, delete all of its earlier snapshots immediately. If a snapshot is restored to the point where the machine was still a member server and there are no later domain controller snapshots, you must either re-promote the domain controller and re-attach it to its existing computer account, or perform metadata cleanup of the domain controller and then re-promote it.
Domain controllers should not point to themselves for primary DNS. While Microsoft has been stating this in best practice analyzer tools and online documentation for years, many customers still believe otherwise. If a domain controller points to itself for DNS and restores to a point in time where it did not have knowledge of other domain controllers, or where the current domain controllers did not exist, it cannot source from them. Because the domain controller points to a responsive DNS service, it will not try other servers. This is especially likely when restoring the oldest domain controller in a forest root domain, which may have no knowledge of any domain controller but itself in a very old snapshot.
Do not host all virtual domain controllers on a single hypervisor; this introduces a single point of failure in the AD DS environment, even when clustered.
Troubleshooting Introduction
The most important way to improve your troubleshooting skills is to build a test lab and rigorously examine normal, working scenarios. Errors are then more obvious and more easily understood, because you have a solid foundation of how domain controller promotion works. This also allows you to build your log analysis and network analysis skills. This goes for all distributed systems technologies, not just VDC deployment. The lab does not even have to be in the office; Microsoft provides reasonably priced TechNet subscriptions that allow anyone to run any software without time limits. With free virtualization the norm, it is easy to configure any test environment you need.
More Information:
For more information about TechNet subscriptions, see:
The critical elements of advanced troubleshooting of domain controller configuration are:
1. Linear analysis combined with focus and attention to detail
2. Understanding network capture analysis
3. Understanding the built-in logs
To solve the most complex domain controller promotion issues, you must master all three.
The first and second are beyond the scope of this guide, but the third can be explained in some detail. Virtualized domain controller troubleshooting requires a logical and linear method. The key is to approach the issue using the data provided and only resort to complex tools and analysis when you have exhausted the provided output and logging.
Troubleshooting VDC Cloning
The troubleshooting strategy for VDC cloning follows this general format (see next page):
Tools for Troubleshooting
Logging Options
The built-in logs are the most important tool for troubleshooting issues with domain controller cloning. All of these logs are enabled and configured for maximum verbosity, by default.
Operation    Log
Cloning      Event viewer\Windows logs\System
             Event viewer\Applications and services logs\Directory Service
             %systemroot%\debug\dcpromo.log
Promotion    %systemroot%\debug\dcpromo.log
             Event viewer\Applications and services logs\Directory Service
             Event viewer\Windows logs\System
             Event viewer\Applications and services logs\File Replication Service
             Event viewer\Applications and services logs\DFS Replication
Tools and Commands for Troubleshooting Domain Controller Configuration
To troubleshoot issues not explained by the logs, use the following tools as a starting point:
Dcdiag.exe
Repadmin.exe
Network Monitor 3.4 (or a third party network capture and analysis tool)
More Information:
For more information and downloads, see Network Monitor (Netmon): http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=4865
General Methodology for Troubleshooting Domain Controller Cloning
1. Is the VM booting into DS Repair Mode?
a. Examine the System and Directory Services event logs and the dccloneconfig.xml and CustomDCCloneAllowList.xml
i. Does an incompatible application need to be in the CustomDCCloneAllowList.xml allow list? Does the CustomDCCloneAllowList.xml contain valid entries?
ii. Is the IP address or computer name either duplicated or invalid in the dccloneconfig.xml?
iii. Is the AD site invalid in the dccloneconfig.xml?
iv. Is the IP address not set in the dccloneconfig.xml while no DHCP server is available?
v. Is the PDC emulator online and available through the RPC protocol?
vi. Is the domain controller a member of the Cloneable Domain Controllers group? Is the permission Allow a DC to create a clone of itself set on the domain root for that group?
vii. Does the Dccloneconfig.xml file contain syntax errors that prevent correct parsing?
viii. Is the hypervisor supported?
ix. Did domain controller promotion fail after cloning began successfully?
x. Was the maximum number of auto-generated domain controller names (9999) exceeded?
b. Examine the Dcpromo.log.
i. Did initial cloning steps succeed but domain controller promotion fail?
ii. Do errors indicate issues with the local domain controller or with the AD DS environment, such as errors returned from the PDCE?
2. Is the VM booting into normal mode without cloning?
a. Is there a Dccloneconfig.xml file in one of the allowed locations?
3. Is the VM booting into normal mode and cloning completing, but the domain controller is not functioning correctly?
a. Does the domain controller have a duplicate IP address of the source domain controller from the dccloneconfig.xml, but the source domain controller was offline during cloning?
b. If the domain controller is advertising, treat the issue as any normal post-promotion issue you would have without cloning.
c. If the domain controller is not advertising, examine the Directory Services, System, Application, File Replication and DFS Replication event logs for post-promotion errors.
Disabling DSRM Boot
Once booted into DSRM due to any error, a clone does not return to normal mode on its own on the next reboot; you must remove the DS Restore Mode boot flag in order to try cloning again. All of these steps require running as an elevated administrator.
Removing DSRM with Msconfig.exe
To turn DSRM boot off graphically, use the System Configuration tool:
1. Run msconfig.exe
2. On the Boot tab, under Boot Options, de-select Safe boot (it is already selected with the option Active Directory repair enabled)
3. Click OK and restart when prompted
Removing DSRM with Bcdedit.exe
To turn DSRM boot off from the command-line, use the Boot Configuration Data Store Editor:
1. Open a CMD prompt and run:
Bcdedit.exe /deletevalue safeboot
2. Restart the computer with:
Shutdown.exe /t 0 /r
Note: The same can be done from Windows PowerShell. The commands there are:
Bcdedit.exe /deletevalue safeboot
Restart-Computer
Important: Contact Microsoft Beta Product Support when you have exhausted these avenues.
Troubleshooting Specific Problems
Events
All VDC cloning events write to the System and Directory Services event log of the clone domain controller VM. The Application, File Replication Service, and DFS Replication event logs may also contain useful troubleshooting information for failed cloning.
Below are the Windows Server "8" Beta cloning-specific events in the System and Directory Services event logs, with notes and suggested resolutions for errors.
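Before working through the event tables, it helps to gather every cloning-related event in one place and then, once the cause is understood, clear the DSRM boot flag described in the previous section. The following added example (not from the original guide) does both: it pulls the System log events from source Microsoft-Windows-DirectoryServices-DSROLE-Server in the ID range 29218-29266 and the Directory Service log events from 2160 upward (the upper bound of 2199 is our assumption; the page lists 2160 onward), shows the tail of dcpromo.log, and with the -Clear switch, which is ours, removes the safeboot flag so the next reboot retries cloning. Run it elevated on the clone itself.

```powershell
# Added example, not code from the original guide. Run elevated on a clone that booted
# into DSRM. Lists the cloning events from the System log (source
# Microsoft-Windows-DirectoryServices-DSROLE-Server, IDs 29218-29266) and the Directory
# Service log (IDs 2160 and up; the 2199 upper bound is an assumption), shows the tail of
# dcpromo.log, and with -Clear removes the DSRM boot flag so the next reboot retries cloning.
param(
    [switch]$Clear,
    [int]$Hours = 24
)

function Get-CloningEvents {
    param([datetime]$StartTime)
    $system = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DirectoryServices-DSROLE-Server'
        StartTime    = $StartTime
    } | Where-Object { $_.Id -ge 29218 -and $_.Id -le 29266 }

    $ds = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        StartTime    = $StartTime
    } | Where-Object { $_.Id -ge 2160 -and $_.Id -le 2199 }

    @($system; $ds) | Where-Object { $_ } | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only
}

function Test-DsrmBootFlag {
    # bcdedit lists "safeboot  DsRepair" on the current entry while the flag is set.
    $entry = bcdedit /enum '{current}'
    return [bool]($entry -match '^\s*safeboot\s+DsRepair')
}

function Clear-DsrmBootFlag {
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    if (Test-DsrmBootFlag) { throw 'safeboot is still set on {current}; are you running elevated?' }
}

# --- triage -------------------------------------------------------------------
Get-CloningEvents -StartTime (Get-Date).AddHours(-$Hours) | Format-Table -AutoSize -Wrap

$dcpromoLog = Join-Path $env:SystemRoot 'debug\dcpromo.log'
if (Test-Path $dcpromoLog) {
    "`n--- last 40 lines of $dcpromoLog ---"
    Get-Content -Path $dcpromoLog -Tail 40
}

if (Test-DsrmBootFlag) {
    'This computer is flagged to boot into DSRM.'
    if ($Clear) {
        Clear-DsrmBootFlag
        'DSRM flag cleared. Fix the cause shown above, then Restart-Computer to retry cloning.'
    } else {
        'Re-run with -Clear after fixing the cause to remove the flag.'
    }
} else {
    'No DSRM boot flag is set.'
}
```

Read the events first and clear the flag last: if the clone reboots with the same bad DcCloneConfig.xml or an unreachable PDC emulator, it lands in DSRM again with the same events.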
System event log
Event ID 29218
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed. The cloning operation could not be completed and a reboot of the cloned machine into DSRM was requested. Please check previous events logged in System event logs and %systemroot%\debug\dcpromo.log for more information on errors that correspond to the virtual domain controller cloning attempt. Please fix the error and reboot into normal mode. Upon reboot, the cloning operation will be re-initiated. Details on virtual domain controller clone errors can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution
Review the System and Directory Services event logs and the dcpromo.log for further details on why cloning failed.
Event ID 29248
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed to obtain Winlogon Notification. The returned error code is %1 (%2). For more information on this error, please review %systemroot%\debug\dcpromo.log for errors that correspond to the virtual domain controller cloning attempt. Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution
Contact Microsoft Beta Product Support.
Event ID 29249
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed to parse virtual domain controller configuration file. The returned HRESULT code is %1. The configuration file is: %2. Please fix the errors in the configuration file and retry the cloning operation. For more information about this error, please see %systemroot%\debug\dcpromo.log. Details on virtual domain controller clone configuration file can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution
Examine the dccloneconfig.xml file for syntax errors using an XML editor and the DCCloneConfigSchema.xsd schema file.
Event ID 29250
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed. There are software, services, or tasks currently enabled on the cloned machine that are not present in the allowed application list for virtual domain controller cloning. The cloning operation cannot be completed if there are non-cloneable applications installed. Please run Active Directory Powershell Cmdlet Get-ADDCCloningExcludedApplicationList to check which applications are installed on the cloned machine, but not included in the allow list, and add them to the allow list if they are compatible with virtual domain controller cloning. If any of these applications are not compatible with virtual domain controller cloning, please uninstall them before re-trying the cloning operation. The virtual domain controller cloning process searches for the allowed application list file, CustomDCCloneAllowList.xml, based on the following search order; the first file found is used and all others are ignored:
1. The registry value name: HKey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters\AllowListFolder
2. The same directory where the DSA Working Directory folder resides
3. %windir%\NTDS
4. Removable read/write media in order of drive letter at the root of the drive
Details on virtual domain controller clone allow list can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution
Follow the message instructions: run Get-ADDCCloningExcludedApplicationList on the source, add only applications you have verified to be clone-safe to CustomDCCloneAllowList.xml, and uninstall the rest before retrying.
Event ID 29251
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed to reset the IP addresses of the clone machine. The returned error code is %1 (%2). This error might be caused by misconfiguration in network configuration sections in the virtual domain controller configuration file. Please see %systemroot%\debug\dcpromo.log for more information about errors that correspond to IP addresses resetting during virtual domain controller cloning attempts. Details on resetting machine IP addresses on the cloned machine can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution
Verify the IP information set in the dccloneconfig.xml is valid and does not duplicate the original source machine.
Event ID 29253
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed. The clone domain controller was unable to locate the primary domain controller (PDC) operations master in the cloned computer's home domain of the cloned machine. The returned error code is %1 (%2). Please verify that the primary domain controller in the home domain of the cloned machine is assigned to a live domain controller, is online, and is operational. Verify that the cloned machine has LDAP/RPC connectivity to the primary domain controller over the required ports and protocols. Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution
Validate that the cloned domain controller's IP and DNS client settings are correct. Use Dcdiag.exe /test:locatorcheck to validate that the PDCE is online, use Nltest.exe /server:<PDCE> /dclist:<domain> to validate RPC, and obtain a network capture from the PDCE while cloning fails and analyze the traffic.
Event ID 29254
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed to bind to the primary domain controller %1. The returned error code is %2 (%3). Please verify that the primary domain controller %1 is online and is operational. Verify that the cloned machine has LDAP/RPC connectivity to the primary domain controller over the required ports and protocols. Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution
Validate that the cloned domain controller's IP and DNS client settings are correct. Use Dcdiag.exe /test:locatorcheck to validate that the PDCE is online, use Nltest.exe /server:<PDCE> /dclist:<domain> to validate RPC, and obtain a network capture from the PDCE while cloning fails and analyze the traffic.
Event ID 29255
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed. An attempt to create objects on the primary domain controller %1 required for the image being cloned returned error %2 (%3). Please check for related events in the Directory Service event log on primary domain controller %1. Details on virtual domain controller cloning can be found at http://go.microsoft.com/fwlink/?LinkId=208030
Notes and resolution
Look up the specific error in Microsoft TechNet, the Microsoft Knowledge Base, and Microsoft blogs to determine its typical meaning, and then troubleshoot based on those results.
Event ID 29256
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message An attempt to set the Boot into Directory Services Restore Mode flag failed with error code %1. Please see %systemroot%\debug\dcpromo.log for more information about errors.
Notes and resolution
Examine the Directory Services log and dcpromo.log for details. Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege use.
Event ID 29257
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning has done. An attempt to reboot the machine failed with error code %1. Please reboot the machine to finish the cloning operation.
Notes and resolution
Examine the Directory Services log for details. Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege use.
Event ID 29264
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message An attempt to clear the Boot into Directory Services Restore Mode flag failed with error code %1. Please see %systemroot%\debug\dcpromo.log for more information about errors.
Notes and resolution
Examine the Directory Services log and dcpromo.log for details. Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege use.
Event ID 29265
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Informational
Message Virtual domain controller cloning succeeded. The virtual domain controller cloning configuration file %1 has been renamed to %2.
Notes and resolution
N/A, this is a success event.
Event ID 29266
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning succeeded. The attempt to rename virtual domain controller cloning configuration file %1 failed with error code %2 (%3).
Notes and resolution
Manually rename the dccloneconfig.xml file.
Directory Services Event Log
Event ID 2160
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message The local <COMPUTERNAME> has found a virtual domain controller cloning configuration file. The virtual domain controller cloning configuration file is found at: %1 The existence of the virtual domain controller cloning configuration file indicates that the local virtual domain controller is a clone of another virtual domain controller. The <COMPUTERNAME> will start to clone itself.
Notes and resolution
This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.
Event ID 2161
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message The local <COMPUTERNAME> did not find the virtual domain controller cloning configuration file. The local machine is not a cloned DC.
Notes and resolution
This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.
Event ID 2162
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Virtual domain controller cloning failed. Please check events logged in System event logs and %systemroot%\debug\dcpromo.log for more information on errors that correspond to the virtual domain controller cloning attempt. Error code: %1
Notes and resolution
Follow message instructions, this error is a catchall.
Event ID 2163
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message DsRoleSvc service was started to clone the local virtual domain controller.
Notes and resolution
This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.
Event ID 2164
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> failed to start the DsRoleSvc service to clone the local virtual domain controller. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution
Examine the service settings for the DS Role Server service (DsRoleSvc) and ensure its start type is set to manual. Validate that no third party program is preventing the start of this service.
Event ID 2165
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> failed to start a thread during the cloning of the local virtual domain controller. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information. Error code: %1 Error message: %2 Thread name: %3
Notes and resolution
Contact Microsoft Beta Product Support
Event ID 2166
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> needs RPCSS service to initiate rebooting into DSRM. Waiting for RPCSS to initialize into a running state failed. Error code: %1
Notes and resolution
Examine the System event log and the service settings for the RPC Server service (Rpcss).
Event ID 2167
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> could not initialize virtual domain controller knowledge. See previous event log entry for details. Additional Data Failure code: %1
Notes and resolution
Follow message instructions, this error is a catchall.
Event ID 2168
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message The DC is running on a supported hypervisor. VM Generation ID is detected. Current value of VM Generation ID: %1
Notes and resolution
This is a success event and only an issue if unexpected.
Event ID 2169
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message There is no VM Generation ID detected. The DC is hosted on a physical machine, a down-level version of Hyper-V, or a hypervisor that does not support the VM Generation ID. Additional Data Failure code returned when checking VM Generation ID: %1
Notes and resolution
This is a success event if not intending to clone. Otherwise, examine the System event log and review hypervisor product VDC support documentation.
Event ID 2170
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Warning
Message A Generation ID change has been detected. Generation ID cached in DS (old value): %1 Generation ID currently in VM (new value): %2 The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. <COMPUTERNAME> will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.
Notes and resolution
This is a success event if intending to clone. Otherwise, examine the System event log.
Event ID 2171
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message No Generation ID change has been detected. Generation ID cached in DS (old value): %1 Generation ID currently in VM (new value): %2
Notes and resolution
This is a success event if not intending to clone, and should be seen at every reboot of a virtualized DC. Otherwise, examine the System event log.
Event ID 2172
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Read the msDS-GenerationId attribute of the Domain Controller's computer object. msDS-GenerationId attribute value: %1
Notes and resolution
This is a success event if intending to clone. Otherwise, examine the System event log.
Event ID 2173
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Failed to read the msDS-GenerationId attribute of the Domain Controller's computer object. This may be caused by database transaction failure, or the generation id does not exist in the local database. The msDS-GenerationId does not exist during the first reboot after dcpromo or the DC is not a virtual domain controller. Additional Data Failure code: %1
Notes and resolution
This is a success event if intending to clone and it is the first VM reboot after cloning has completed. It can also be ignored on non-virtual Domain controllers. Otherwise, examine the System event log.
Event ID 2174
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message The DC is neither a virtual domain controller clone nor a restored virtual domain controller snapshot.
Notes and resolution
This is a success event if not intending to clone. Otherwise, examine the System event log.
Event ID 2175
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Virtual domain controller clone configuration file exists on an unsupported platform.
Notes and resolution
This is a success event if not intending to clone. Otherwise, examine the System event log.
Event ID 2176
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Renamed virtual domain controller clone configuration file. Additional Data Old file name: %1 New file name: %2
Notes and resolution
Rename expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone.
Event ID 2177
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Renaming virtual domain controller clone configuration file failed. Additional Data File name: %1 Failure code: %2 %3
Notes and resolution
Rename attempt expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone. Manually rename the file and investigate installed third party products that may be preventing the file rename.
Event ID 2178
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Detected virtual domain controller clone configuration file, but VM Generation ID has not been changed. The local DC is the clone source DC. Rename the clone configuration file.
Notes and resolution
Expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone.
Event ID 2179
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message The msDS-GenerationId attribute of the Domain Controller's computer object has been set to the following parameter: GenerationID attribute: %1
Notes and resolution
This is a success event and only an issue if unexpected.
Event ID 2180
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Warning
Message Failed to set the msDS-GenerationId attribute of the Domain Controller's computer object. Additional Data Failure code: %1
Notes and resolution
Examine the System event log and Dcpromo.log. Look up the specific error in MS TechNet, the MS Knowledgebase, and MS blogs to determine its usual meaning, and then troubleshoot based on those results.
Event ID 2182
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Internal event: The Directory Service has been asked to clone a remote DSA:
Notes and resolution
This is a success event and only an issue if unexpected.
Event ID 2183
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Internal event: <COMPUTERNAME> completed the request to clone the remote Directory System Agent. Original DC name: %3 Request clone DC name: %4 Request clone DC site: %5 Additional Data Error value: %1 %2
Notes and resolution
This is a success event and only an issue if unexpected.
Event ID 2184
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> failed to create a domain controller account for the cloned DC. Original DC name: %1 Allowed number of cloned DC: %2 The limit on the number of domain controller accounts that can be generated by cloning <COMPUTERNAME> was exceeded. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution
Based on the naming convention, a single source domain controller name can automatically generate at most 9999 clone names if the cloned domain controllers are never demoted. Use the <computername> element in the XML to specify a new unique name, or clone from a differently named DC.
Event ID 2191
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message <COMPUTERNAME> set the following registry value to disable DNS updates. Registry Key: %1 Registry Value: %2 Registry Value data: %3 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.
Notes and resolution
This is a success event and only an issue if unexpected.
Event ID 2192
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> failed to set the following registry value to disable DNS updates. Registry Key: %1 Registry Value: %2 Registry Value data: %3 Error code: %4 Error message: %5 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.
Notes and resolution
Examine the Application and System event logs. Investigate third-party applications that may be blocking registry updates.
Event ID 2193
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message <COMPUTERNAME> set the following registry value to enable DNS updates. Registry Key: %1 Registry Value: %2 Registry Value data: %3 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.
Notes and resolution
This is a success event and only an issue if unexpected.
Event ID 2194
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> failed to set the following registry value to enable DNS updates. Registry Key: %1 Registry Value: %2 Registry Value data: %3 Error code: %4 Error message: %5 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.
Notes and resolution
Examine the Application and System event logs. Investigate third-party applications that may be blocking registry updates.
Event ID 2195
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Failed to set DSRM boot. Error code: %1 Error message: %2 When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Setting DSRM boot failed.
Notes and resolution
Examine the Application and System event logs. Investigate third-party applications that may be blocking registry updates.
Event ID 2196
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Failed to enable shutdown privilege. Error code: %1 Error message: %2 When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Enabling shutdown privilege failed.
Notes and resolution
Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege usage.
Event ID 2197
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Failed to initiate system shutdown. Error code: %1 Error message: %2 When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Initiating system shutdown failed.
Notes and resolution
Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege usage.
Event ID 2198
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> failed to create or modify the following cloned DC object. Additional data: Object: %1 Error value: %2 %3
Notes and resolution
Look up the specific error in MS TechNet, the MS Knowledgebase, and MS blogs to determine its usual meaning, and then troubleshoot based on those results.
Event ID 2199
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> failed to create the following cloned DC object because the object already exists. Additional data: Source DC: %1 Object: %2
Notes and resolution
Validate that the dccloneconfig.xml did not specify an existing domain controller, and that copies of the dccloneconfig.xml were not used on multiple clones without editing the name. If the collision is still unexpected, determine which administrator promoted the existing domain controller; contact them to discuss whether it should be demoted, whether its metadata should be cleaned, or whether the VDC clone should use a different name.
Event ID 2203
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Last virtual domain controller cloning failed. This is the first reboot since then so this should be a re-try of the cloning. However, neither virtual domain controller clone configuration file exists nor virtual machine generation ID change is detected. Boot into DSRM. Last virtual domain controller cloning failed: %1 Virtual domain controller clone configuration file exists: %2 Virtual machine generation ID change is detected: %3
Notes and resolution
Expected if cloning failed previously due to a missing or invalid dccloneconfig.xml.
Error Messages
There are no direct interactive errors for failed VDC cloning; all cloning information logs in the System and Directory Services event logs, and the domain controller promotion logs in dcpromo.log. However, if the server boots into DS Restore Mode, consider that an "interactive error" and investigate immediately, as promotion or cloning failed.
The dcpromo.log contains cloning-specific errors as they pertain to the actual promotion process. Otherwise, they are simply domain controller promotion errors, as you would see on non-virtual or non-cloned Domain controllers.
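Because there is no interactive error, the first triage step is to pull the cloning events out of the two logs named above and to check the conditions the event notes keep returning to (DsRoleSvc start type, the presence or renaming of DCCloneConfig.xml, and whether the next boot is DSRM). The following script is an added example, not code from this guide or from Microsoft. It assumes an elevated PowerShell session on the attempted clone; the wildcard DCCloneConfig*.xml is an assumption made so that a file already renamed by event 2176 is also listed.

```powershell
# Added example (not from the guide): collect the virtualized DC cloning events this
# guide documents into one timeline and run the local checks its resolutions call for.
# Assumes an elevated PowerShell session on the (attempted) clone itself.

function Get-VdcCloningEvent {
    # Cloning events live in two logs: DSROLE-Server events in System, and
    # ActiveDirectory_DomainService events 2160-2203 (plus the 1109 invocationID
    # change) in Directory Service. Filtering by provider avoids hard-coding every ID.
    param([int]$MaxEvents = 500)
    $filters = @(
        @{ LogName = 'System'
           ProviderName = 'Microsoft-Windows-DirectoryServices-DSROLE-Server' },
        @{ LogName = 'Directory Service'
           ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
           Id = @(2160..2203) + 1109 }
    )
    foreach ($filter in $filters) {
        Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    }
}

function Test-VdcCloneState {
    # The three local conditions the event notes keep pointing at.
    $ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ntdsDir    = $ntdsParams.'DSA Working Directory'

    # 1. DsRoleSvc must be startable (event 2164): start type Manual, not Disabled.
    #    Win32_Service is used because Get-Service has no start type in PowerShell 3.0.
    $svc = Get-WmiObject Win32_Service -Filter "Name='DsRoleSvc'"

    # 2. Where a DCCloneConfig.xml (or an already-renamed copy; wildcard is an assumption)
    #    sits: DSA working directory, %systemroot%\ntds and the root of every drive
    #    (events 2160, 2161, 2176).
    $roots = @($ntdsDir, (Join-Path $env:SystemRoot 'ntds')) +
             @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
    $configs = $roots | Sort-Object -Unique | ForEach-Object {
        Get-ChildItem -Path $_ -Filter 'DCCloneConfig*.xml' -ErrorAction SilentlyContinue
    }

    # 3. Whether the next boot goes to DSRM, the flag that events 29256/29264/2195 set or clear.
    $bcd = bcdedit /enum '{current}' 2>$null
    $dsrmPending = [bool]($bcd -match 'safeboot\s+DsRepair')

    [pscustomobject]@{
        DsRoleSvcStartMode = $svc.StartMode
        CloneConfigFiles   = @($configs | ForEach-Object { $_.FullName })
        DsrmBootPending    = $dsrmPending
    }
}

$state = Test-VdcCloneState
$state | Format-List
if ($state.DsRoleSvcStartMode -ne 'Manual') {
    Write-Warning "DsRoleSvc start type is '$($state.DsRoleSvcStartMode)'; the guide expects Manual (event 2164)."
}
if ($state.DsrmBootPending) {
    Write-Warning 'Next boot is DSRM: treat this as a failed clone or promotion and read the timeline.'
}

# Ascending timeline across both logs, one line per event, message whitespace collapsed.
Get-VdcCloningEvent |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, LogName, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = {
            $m = $_.Message -replace '\s+', ' '
            if ($m.Length -gt 120) { $m.Substring(0, 120) + '...' } else { $m } } } -AutoSize
```

Read the timeline against the Advanced Troubleshooting sample logs later in this guide: a healthy clone shows 2160, the 2191 DNS-disable events, 2172, 2170, 1109 and then 1000 in that order, so the first event that is missing or replaced by an error is where to start.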
Known/Likely Issues and Support Scenarios
The following are common issues seen during the Windows Server "8" Beta development process. All of these issues are "by design" and have either a valid workaround or a more appropriate technique to avoid them in the first place. Some may be resolved in later releases of Windows Server "8".
Issue Cloning fails, DSRM
Symptoms Clone boots into Directory Services Restore Mode
Resolution and Notes
Validate that all steps in the Deploying Virtualized Domain Controller section and the General Methodology for Troubleshooting Domain Controller Cloning section were followed.
Issue Metadata cleaning a clone RODC generates "access is denied" errors on the original RODC when attempting to log on
Symptoms After cloning an RODC but later deciding to remove it through metadata cleanup, where you force reset the password of all cached users and computers, you can no longer log on to the original source RODC used for cloning. Attempts to log on to the source RODC always return "access is denied" or "bad username or password". Any further clones made from that source RODC always show the error "The trust relationship between this workstation and the primary domain failed" at logon.
Resolution and Notes
To prevent the issue, always gracefully demote cloned RODCs using Server Manager or ADDSDeployment Windows PowerShell and do not force their demotion. If already experiencing the issue, forcibly demote the source and clone RODC domain controllers, clean their metadata, then promote the source RODC computer again as an RODC. Since RODCs cannot originate local changes, there is no data loss in this scenario. It is fixed in later releases of Windows Server "8".
Issue Duplicate IP addresses when using DHCP to clone
Symptoms After successfully cloning a DC and using DHCP, the first boot of the clone takes a DHCP lease. Then when the server is renamed and restarted as a DC, it takes a second DHCP lease. The first IP address is not released and you end up with a "phantom" lease.
Resolution and Notes
Manually delete the unused address lease in DHCP or allow it to expire normally.
Issue Cloning RODC fails when there is a pre-existing server object in a renamed AD site
Symptoms After cloning an RODC that already has a computer object in the appropriate AD logical site (in DSSITE.MSC), cloning fails with the following Directory Services events:
1168 Internal Processing "Internal error: An Active Directory Domain Services error has occurred.
Error value (decimal): -1073741823
Error value (hex): c0000001
Internal ID: 30017b3"
And for the same event number:
"Additional Data
Error value (decimal): 2
Error value (hex): 2
Internal ID: 7011658"
Resolution and Notes
To prevent the issue, remove the pre-existing computer object for the RODC by using DSSITE.MSC.
Issue CustomDCCloneAllowList.xml does not support unpredictable service names
Symptoms When attempting to use a single CustomDCCloneAllowList.xml to clone a variety of domain controllers, you cannot proceed because of services that use unpredictable names, for example services that are Microsoft SQL instances.
Resolution and Notes
This is a design limitation of VDC and CustomDCCloneAllowList.xml. You cannot use a common CustomDCCloneAllowList.xml to clone domain controllers that have unpredictable service names. To work around this issue, always use the Get-ADDCCloningExcludedApplicationList Windows PowerShell cmdlet to assist in creating CustomDCCloneAllowList.xml per-server.
Issue PrintNotify service always detected by Get-ADDCCloningExcludedApplicationList
Symptoms Even on a brand new server with no programs or roles installed, the Get-ADDCCloningExcludedApplicationList cmdlet always detects the PrintNotify service.
This service is not in the c:\windows\system32\DefaultDCCloneAllowList.XML allow list even though it is a standard service with no known VDC incompatibilities.
Resolution and Notes
To work around this issue, always use the Get-ADDCCloningExcludedApplicationList Windows PowerShell cmdlet to assist in creating CustomDCCloneAllowList.xml per-server. As a less-recommended alternative, grant yourself permissions to the c:\windows\system32\DefaultDCCloneAllowList.XML allow list file on the source domain controller and edit the AllowList to also contain:
<Allow>
  <Name>PrintNotify</Name>
  <Type>Service</Type>
</Allow>
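The per-server workflow recommended for both of the allow list issues above (unpredictable service names, and PrintNotify always being detected) can be driven entirely from the cmdlet, with a review step before anything is written. The script below is an added example, not code from this guide or from Microsoft. It assumes an elevated session on the source domain controller with the ActiveDirectory module available; the "known safe" list is the author's assumption and contains only the PrintNotify entry the guide discusses, and the <AllowList> root element name used when reading the generated file back is also assumed from the <Allow> fragment shown above.

```powershell
# Added example (not the guide's code): build CustomDCCloneAllowList.xml per server with
# Get-ADDCCloningExcludedApplicationList, as the guide recommends, instead of editing
# DefaultDCCloneAllowList.xml. Assumes an elevated session on the source DC.
Import-Module ActiveDirectory

function Get-CloneAllowListReview {
    param(
        # Services or programs already verified as clone-safe on this server.
        # Author's assumption: only the PrintNotify case the guide describes.
        [string[]]$KnownSafe = @('PrintNotify')
    )
    # Everything installed that neither the default nor the custom allow list covers.
    $excluded = @(Get-ADDCCloningExcludedApplicationList)
    foreach ($entry in $excluded) {
        [pscustomobject]@{
            Name     = $entry.Name
            Type     = $entry.Type
            Reviewed = ($KnownSafe -contains $entry.Name)
        }
    }
}

$review = @(Get-CloneAllowListReview)
$review | Format-Table -AutoSize

$unreviewed = @($review | Where-Object { -not $_.Reviewed })
if ($unreviewed.Count -gt 0) {
    # Do not generate the allow list blindly: an unpredictable name (a SQL instance,
    # for example) or an unfamiliar agent needs a decision before it is cleared for cloning.
    Write-Warning ('Review before cloning: ' + (($unreviewed | ForEach-Object { $_.Name }) -join ', '))
}

# Write CustomDCCloneAllowList.xml into the DSA working directory of this server.
# -Force overwrites a copy left by an earlier run.
$ntdsDir = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Working Directory'
Get-ADDCCloningExcludedApplicationList -GenerateXml -Path $ntdsDir -Force

# Read the generated file back; each <Allow> carries a <Name> and <Type> like the
# PrintNotify fragment above (root element name <AllowList> is assumed).
[xml]$allow = Get-Content (Join-Path $ntdsDir 'CustomDCCloneAllowList.xml')
$allow.AllowList.Allow | Format-Table Name, Type -AutoSize
```

Generating the file on each source domain controller rather than copying one between servers is what sidesteps the unpredictable-name limitation: the list only ever describes the services actually present on the machine it was produced on.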
Issue Cloning fails into DSRM after very long delay
Symptoms Cloning appears to pause at "Domain controller cloning is at X% completion" for between 8 and 15 minutes. After this, the cloning fails and boots into DSRM.
Resolution and Notes
The cloned computer cannot get a dynamic IP address from DHCP or SLAAC, or is using a duplicate IP address. Multiple retry attempts performed by cloning lead to the delay. Resolve the networking issue to allow cloning.
Issue Cloning does not recreate all service principal names
Symptoms If a set of three-part service principal names (SPNs) includes both a NetBIOS name with a port and an otherwise identical NetBIOS name without a port, the non-port entry is not recreated with the new computer name. For example:
customspn/DC1:200/app1 (this is recreated with the new computer name)
customspn/DC1/app1 (this is not recreated with the new computer name)
Fully-qualified names are recreated, and SPNs without three parts are recreated regardless of ports. For example, these are recreated successfully on the clone:
customspn/DC1:202 (this is recreated)
customspn/DC1 (this is recreated)
customspn/DC1.corp.contoso.com:202 (this is recreated)
customspn/DC1.corp.contoso.com (this is recreated)
Resolution and Notes
This is a limitation of the domain controller rename process in Windows, not just of cloning. Three-part SPNs are not handled by the renaming logic in any scenario. Most included Windows services are unaffected by this, as they recreate any missing SPNs as needed. Other applications may require manually entering the SPN to resolve the issue.
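The rule above is mechanical enough to check before the clone is handed to an application owner: read the source's SPNs, predict which ones the rename will drop, and confirm whether the clone already has the equivalent entries. The script below is an added example, not code from this guide or from Microsoft, and the classification it implements is exactly the one stated in the Symptoms (three-part, NetBIOS host, no port, with a port-carrying twin). The function Get-SpnNotRecreatedByClone and the sample SPN list are constructed here; DC1 and DC2 are placeholder names, and the ActiveDirectory module is assumed for the live comparison.

```powershell
# Added example (not the guide's code): predict which source SPNs the DC rename logic
# will not carry to a clone, then compare with the clone's actual SPNs.

function Get-SpnNotRecreatedByClone {
    param(
        [Parameter(Mandatory)][string[]]$SourceSpn,
        [Parameter(Mandatory)][string]$SourceName   # NetBIOS name of the source DC
    )
    # Three-part SPN whose host carries a port:   class/host:port/name
    $hostWithPort = '^(?<class>[^/]+)/(?<host>[^/:]+):(?<port>\d+)/(?<name>[^/]+)$'
    # Three-part SPN whose host carries no port:  class/host/name
    $hostNoPort   = '^(?<class>[^/]+)/(?<host>[^/:]+)/(?<name>[^/]+)$'

    # Index the port-carrying entries by class/host/name so the twin lookup is direct.
    $withPort = @{}
    foreach ($spn in $SourceSpn) {
        if ($spn -match $hostWithPort -and $Matches.host -eq $SourceName) {
            $withPort["$($Matches.class)/$($Matches.host)/$($Matches.name)".ToLower()] = $true
        }
    }
    # Flag the non-port entry only when the host is the NetBIOS source name and a
    # port-carrying twin exists; FQDN hosts and two-part SPNs never match here.
    foreach ($spn in $SourceSpn) {
        if ($spn -match $hostNoPort -and $Matches.host -eq $SourceName -and
            $withPort.ContainsKey($spn.ToLower())) {
            $spn
        }
    }
}

# Constructed sample: the SPN set from the Symptoms above. Only customspn/DC1/app1 is returned.
$sampleSpn = 'customspn/DC1:200/app1', 'customspn/DC1/app1', 'customspn/DC1:202', 'customspn/DC1',
             'customspn/DC1.corp.contoso.com:202', 'customspn/DC1.corp.contoso.com'
Get-SpnNotRecreatedByClone -SourceSpn $sampleSpn -SourceName 'DC1'

function Test-CloneSpn {
    # Live check: which predicted-missing SPNs are actually absent on the clone.
    param(
        [Parameter(Mandatory)][string]$SourceName,
        [Parameter(Mandatory)][string]$CloneName
    )
    Import-Module ActiveDirectory
    $src   = @((Get-ADComputer $SourceName -Properties servicePrincipalName).servicePrincipalName)
    $clone = @((Get-ADComputer $CloneName  -Properties servicePrincipalName).servicePrincipalName)
    foreach ($spn in Get-SpnNotRecreatedByClone -SourceSpn $src -SourceName $SourceName) {
        $expected = $spn -replace ('/' + [regex]::Escape($SourceName) + '/'), "/$CloneName/"
        [pscustomobject]@{
            SourceSpn       = $spn
            ExpectedOnClone = $expected
            PresentOnClone  = ($clone -contains $expected)
        }
    }
}

# Placeholder names; run against the real source and clone.
Test-CloneSpn -SourceName 'DC1' -CloneName 'DC2' | Format-Table -AutoSize
```

Any row with PresentOnClone equal to False is an SPN the application owner has to register by hand on the clone (setspn.exe with the -S switch, which refuses duplicates, is the usual tool); the two-part and FQDN entries need no attention because the rename recreates them.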
Issue Cloning fails, boots into normal mode as a duplicate of the source DC
Symptoms A new clone boots up without cloning. The dccloneconfig.xml is not renamed and the server is not in DS Restore Mode. The Directory Services event log shows Error 2164:
<COMPUTERNAME> failed to start the DsRoleSvc service to clone the local virtual domain controller. Please see http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Resolution and Notes
Examine the service settings for the DS Role Server service (DsRoleSvc) and ensure its start type is set to Manual. Validate that no third party program is preventing the start of this service.
Issue Cloning succeeds, but SYSVOL is empty and does not replicate inbound or outbound
Symptoms A new clone appears to succeed. Later you notice that the SYSVOL and NETLOGON shares are empty. No SYSVOL files replicate inbound or outbound. The source server was previously migrated from FRS to DFSR.
Examining the DFS Replication event log shows event 8028 and repeated 8010 events:
Event ID: 8028 Level: Error DFSR Migration was unable to transition to the 'PREPARED' state for Domain Controller <name>. DFSR will retry the next time it polls the Active Directory. To force an immediate retry, execute the command 'dfsrdiag /pollad'. Additional Information: Domain Controller: <name> Error: 2 The system cannot find the file specified
Event ID: 8010 Level: Informational DFSR has started preparing the Domain Controller %1 for migration. DFSR will now create the SYSVOL_DFSR folder, create objects in the local Active Directory and create DFSR member objects for the Domain Controller %1.
Examining the DFSR debug log shows:
20120208 17:12:07.187 2096 SYSM 586 [ERROR] Migration::SysvolMigrationTask::Step [MIG] Failed Migration task. Error:
+ [Error:2(0x2) Migration::SysVolMigration::Migrate migration.cpp:1200 2096 W The system cannot find the file specified.]
+ [Error:2(0x2) Migration::SysVolMigration::StepToNextStableState migration.cpp:1271 2096 W The system cannot find the file specified.]
+ [Error:2(0x2) Migration::SysVolMigration::Prepare migration.cpp:1431 2096 W The system cannot find the file specified.]
+ [Error:2(0x2) Migration::SysVolMigration::CreateJunctionPointsForDfsrSysvolFolder migration.cpp:2637 2096 W The system cannot find the file specified.]
Resolution and Notes
The source domain controller used for cloning once participated in an FRS to DFSR SYSVOL migration (http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx). A known incompatibility in Windows Server "8" Beta VDC cloning prevents previously migrated servers from populating or replicating SYSVOL after cloning. To resolve this issue, forcibly demote the clone domain controller and remove the metadata using NTDSUTIL.EXE or DSA.MSC. Choose a new Windows Server "8" Beta source domain controller that has not previously migrated FRS to DFSR. If there are no such domain controllers, promote a new Windows Server "8" Beta into the domain using Server Manager or ADDSDeployment Windows PowerShell, then use it as the source of cloning. Do not attempt to fix the issues based on the events or debug logs, as there is a strong possibility that you will unintentionally delete all data from all other SYSVOL copies on all domain controllers in the domain. This issue will be resolved in versions later than Windows Server "8" Beta.
Advanced Troubleshooting
This guide seeks to teach advanced troubleshooting by using working logs as samples, with some explanation of what occurred. If you understand what a successful VDC operation looks like, failures become obvious in your environment. These logs are presented by their source, in the ascending order of expected events (even when they are warnings and errors) related to a cloned domain controller within each log.
Cloning a Domain Controller
In this example, the clone domain controller uses DHCP to get an IP address, replicates SYSVOL using FRS or DFSR (see the appropriate log as necessary), is a global catalog, and uses a blank dccloneconfig.xml file.
Directory Services Event Log
The Directory Services log contains the majority of event-based cloning operational information. The hypervisor changes the VM-Generation ID and the NTDS service notes it, then invalidates the RID pool and changes the invocation ID. The new VM-Generation ID is set and the server replicates AD data inbound. The DFSR service is stopped and its database that hosts SYSVOL is deleted, forcing a non-authoritative sync inbound. The USN high watermark is adjusted.
Event ID    Source    Message
2160 ActiveDirectory_DomainService
The local Active Directory Domain Services has found a virtual domain controller cloning configuration file. The virtual domain controller cloning configuration file is found at: <path>\DCCloneConfig.xml The existence of the virtual domain controller cloning configuration file indicates that the local virtual domain controller is a clone of another virtual domain controller. The Active Directory Domain Services will start to clone itself.
2191 ActiveDirectory_DomainService
Active Directory Domain Services set the following registry value to disable DNS updates. Registry Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters Registry Value: UseDynamicDns Registry Value data: 0 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.
2191 ActiveDirectory_DomainService
Active Directory Domain Services set the following registry value to disable DNS updates. Registry Key: SYSTEM\CurrentControlSet\Services\Dnscache\Parameters Registry Value: RegistrationEnabled Registry Value data: 0 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.
2191 ActiveDirectory_DomainService
Active Directory Domain Services set the following registry value to disable DNS updates. Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters Registry Value: DisableDynamicUpdate Registry Value data: 1 During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.
2172 ActiveDirectory_DomainService
Read the msDS-GenerationId attribute of the Domain Controller's computer object.
msDS-GenerationId attribute value: <Number>
2170 ActiveDirectory_DomainService
A Generation ID change has been detected.
Generation ID cached in DS (old value): <Number>
Generation ID currently in VM (new value): <Number>
The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. Active Directory Domain Services will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.
1109 ActiveDirectory_DomainService
The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:
InvocationID attribute (old value): <GUID>
InvocationID attribute (new value): <GUID>
Update sequence number: <Number>
The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.
1000 ActiveDirectory_DomainService
Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0
1394 ActiveDirectory_DomainService
All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.
2163 ActiveDirectory_DomainService
DsRoleSvc service was started to clone the local virtual domain controller.
326 NTDS ISAM
NTDS (536) NTDSA: The database engine attached a database (1, C:\Windows\NTDS\ntds.dit). (Time=0 seconds)
Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.016, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.
Saved Cache: 1
103 NTDS ISAM
NTDS (536) NTDSA: The database engine stopped the instance (0).
Dirty Shutdown: 0
Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.032, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.
102 NTDS ISAM
NTDS (536) NTDSA: The database engine (6.02.8225.0000) is starting a new instance (0).
105 NTDS ISAM
NTDS (536) NTDSA: The database engine started a new instance (0). (Time=0 seconds)
Internal Timing Sequence: [1] 0.016, [2] 0.000, [3] 0.015, [4] 0.078, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.046, [10] 0.000, [11] 0.000.
1004 ActiveDirectory_DomainService
Active Directory Domain Services was shut down successfully.
102 NTDS ISAM
NTDS (536) NTDSA: The database engine (6.02.8225.0000) is starting a new instance (0).
326 NTDS ISAM
NTDS (536) NTDSA: The database engine attached a database (1, C:\Windows\NTDS\ntds.dit). (Time=0 seconds)
Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.016, [4] 0.000, [5] 0.031, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.
Saved Cache: 1
105 NTDS ISAM
NTDS (536) NTDSA: The database engine started a new instance (0). (Time=1 seconds)
Internal Timing Sequence: [1] 0.031, [2] 0.000, [3] 0.000, [4] 0.391, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000.
1109 ActiveDirectory_DomainService
The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:
InvocationID attribute (old value): <GUID>
InvocationID attribute (new value): <GUID>
Update sequence number: <Number>
The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.
1168 ActiveDirectory_DomainService
Internal error: An Active Directory Domain Services error has occurred.
Additional Data
Error value (decimal): 2
Error value (hex): 2
Internal ID: 7011658
1110 ActiveDirectory_DomainService
Promotion of this domain controller to a global catalog will be delayed for the following interval.
Interval (minutes): 5
This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide.
103 NTDS ISAM
NTDS (536) NTDSA: The database engine stopped the instance (0).
Dirty Shutdown: 0
Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.047, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.016, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.
1004 ActiveDirectory_DomainService
Active Directory Domain Services was shut down successfully.
1539 ActiveDirectory_DomainService
Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.
Hard disk: c:
Data might be lost during system failures.
2179 ActiveDirectory_DomainService
The msDS-GenerationId attribute of the Domain Controller's computer object has been set to the following parameter:
GenerationID attribute: <Number>
2173 ActiveDirectory_DomainService
Failed to read the msDS-GenerationId attribute of the Domain Controller's computer object. This may be caused by database transaction failure, or the generation id does not exist in the local database. The msDS-GenerationId does not exist during the first reboot after dcpromo or the DC is not a virtual domain controller.
Additional Data
Failure code: 6
1000 ActiveDirectory_DomainService
Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0
1394 ActiveDirectory_DomainService
All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.
1128 ActiveDirectory_DomainService (Knowledge Consistency Checker)
A replication connection was created from the following source directory service to the local directory service.
Source directory service: CN=NTDS Settings,<Domain Controller DN>
Local directory service: CN=NTDS Settings,<Domain Controller DN>
Additional Data
Reason Code: 0x2
Creation Point Internal ID: f0a025d
1999 ActiveDirectory_DomainService
The source directory service has optimized the update sequence number (USN) presented by the destination directory service. The source and destination directory services have a common replication partner. The destination directory service is up to date with the common replication partner, and the source directory service was installed using a backup of this partner.
Destination directory service ID: <GUID> (<FQDN>)
Common directory service ID: <GUID>
Common property USN: <Number>
As a result, the up-to-dateness vector of the destination directory service has been configured with the following settings.
Previous object USN: 0
Previous property USN: 0
Database GUID: <GUID>
Object USN: <Number>
Property USN: <Number>
System Event Log
The next indications of cloning operations are in the System event log. As soon as the hypervisor tells the guest computer that it was cloned or restored from a snapshot, the domain controller invalidates its RID pool so that it cannot later issue duplicate security principals. As cloning proceeds, the expected operations and messages appear, mostly services starting and stopping and a few expected errors that those stops cause. When cloning completes, the System event log records overall cloning success.
Event ID
Source Message
16654 Directory-Services-SAM
A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases:
1. A domain controller is restored from backup.
2. A domain controller running on a virtual machine is restored from snapshot.
3. An administrator has manually invalidated the pool.
7036 Service Control Manager
The Active Directory Domain Services service entered the running state.
7036 Service Control Manager
The Kerberos Key Distribution Center service entered the running state.
3096 Netlogon
The primary Domain Controller for this domain could not be located.
7036 Service Control Manager
The Security Accounts Manager service entered the running state.
7036 Service Control Manager
The Server service entered the running state.
7036 Service Control Manager
The Netlogon service entered the running state.
7036 Service Control Manager
The Active Directory Web Services service entered the running state.
7036 Service Control Manager
The DFS Replication service entered the running state.
7036 Service Control Manager
The File Replication Service service entered the running state.
14533 Microsoft-Windows-DfsSvc
DFS has finished building all namespaces.
14531 Microsoft-Windows-DfsSvc
DFS server has finished initializing.
7036 Service Control Manager
The DFS Namespace service entered the running state.
7023 Service Control Manager
The Intersite Messaging service terminated with the following error:
The specified server cannot perform the requested operation.
7036 Service Control Manager
The Intersite Messaging service entered the stopped state.
5806 Netlogon
Dynamic DNS updates have been manually disabled on this domain controller.
USER ACTION
Reconfigure this domain controller to use dynamic DNS updates or manually add the DNS records from the file '%SystemRoot%\System32\Config\Netlogon.dns' to the DNS database.
16651 Directory-Services-SAM
The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is The requested FSMO operation failed. The current FSMO holder could not be contacted.
7036 Service Control Manager
The DNS Server service entered the running state.
7036 Service Control Manager
The DS Role Server service entered the running state.
7036 Service Control Manager
The Netlogon service entered the stopped state.
7036 Service Control Manager
The File Replication Service service entered the stopped state.
7036 Service Control Manager
The Kerberos Key Distribution Center service entered the stopped state.
7036 Service Control Manager
The DNS Server service entered the stopped state.
7036 Service Control Manager
The Active Directory Domain Services service entered the stopped state.
7036 Service Control Manager
The Netlogon service entered the running state.
7040 Service Control Manager
The start type of the Active Directory Domain Services service was changed from auto start to disabled.
7036 Service Control Manager
The Netlogon service entered the stopped state.
7036 Service Control Manager
The File Replication Service service entered the running state.
29219 DirectoryServices-DSROLE-Server
Virtual domain controller cloning succeeded.
29223 DirectoryServices-DSROLE-Server
This server is now a Domain Controller.
29265 DirectoryServices-DSROLE-Server
Virtual domain controller cloning succeeded. The virtual domain controller cloning configuration file C:\Windows\NTDS\DCCloneConfig.xml has been renamed to C:\Windows\NTDS\DCCloneConfig.20120207-151533.xml.
1074 User32
The process C:\Windows\system32\lsass.exe (DC2) has initiated the restart of computer DC2 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Reconfiguration (Planned)
Reason Code: 0x80020004
Shutdown Type: restart
Comment:
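To check a clone against the sequence the two tables above describe, the following PowerShell is an added example (not code from the guide or from Microsoft). It reads only the event IDs the tables list, lays them out as one timeline across the Directory Service and System logs, and reads the result the way the tables explain it: 29219 means cloning succeeded, while 2170 or 16654 without a cloning-success event points at a snapshot apply, VM import or live migration instead. The look-back window and the computer name default are assumptions you can change; run it in an elevated PowerShell session on the clone.

```powershell
# Added example, not part of the guide: pull the cloning-related events the
# Directory Service and System tables above list and show them as one timeline.
# Assumptions: the event IDs are the ones shown in the tables; the look-back
# window and the -ComputerName default are placeholders you can change.

param(
    [string]  $ComputerName = $env:COMPUTERNAME,
    [datetime]$Since        = (Get-Date).AddDays(-1)   # assumption: look back one day
)

# Directory Service log IDs from the table above (DNS update disable, Generation ID
# read/set/change, invocationID change, DsRoleSvc start, KCC connection, USN optimisation)
$dsIds  = 2191, 2172, 2170, 1109, 2163, 2179, 2173, 1128, 1999
# System log IDs from the table above (RID pool invalidated / refresh failed, NETLOGON
# DNS warning, NTDS start type changed, DSROLE cloning success, planned restart)
$sysIds = 16654, 16651, 5806, 7040, 29219, 29223, 29265, 1074

$filters = @(
    @{ LogName = 'Directory Service'; Id = $dsIds;  StartTime = $Since },
    @{ LogName = 'System';            Id = $sysIds; StartTime = $Since }
)

$events = foreach ($f in $filters) {
    # -ErrorAction SilentlyContinue: an empty result for one log is not an error here
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue
}

$timeline = $events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }   # first line of the message

$timeline | Format-Table -AutoSize -Wrap

# Read the result the way the tables describe the events:
#   29219/29265 = cloning succeeded (DCCloneConfig.xml renamed),
#   2170 = Generation ID changed (clone, snapshot apply, VM import or live migration),
#   16654 = RID pool invalidated for the same set of reasons.
$ids = @($timeline | Select-Object -ExpandProperty Id)
if ($ids -contains 29219) {
    'Cloning completed: event 29219 (Virtual domain controller cloning succeeded) is present.'
}
elseif ($ids -contains 2170 -or $ids -contains 16654) {
    'Generation ID or RID pool reset without a cloning-success event: the VM was ' +
    'probably restored from a snapshot, imported or live migrated rather than cloned. ' +
    'Check whether a DCCloneConfig.xml exists and whether DSROLE-Server events follow.'
}
else {
    'No cloning or Generation ID change events in the window.'
}
```

Event 7036 is deliberately left out of the filter because every service state change raises it; if you want the service start/stop order the System table shows, add 7036 to $sysIds and filter the Summary column on the service names from the table.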
DCPROMO.LOG
The Dcpromo.log contains the actual promotion portion of cloning, which the Directory Services event log does not describe. Because the log does not explain itself the way the event log entries do, this section of the guide adds annotation.
The promotion process means that cloning starts, the DC is scrubbed of its current configuration and re-promoted using the existing AD database (much like an IFM promotion), then the DC replicates inbound change deltas of AD and SYSVOL, and cloning is complete.
Note: The log has been modified in this guide for readability by removing the date column. Points of interest are italicized bold.
More Information:
For further explanation of the dcpromo.log, see Understand and Troubleshoot AD DS Simplified Administration in Windows Server "8" Beta: http://go.microsoft.com/fwlink/p/?LinkId=237244
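The annotated listing that follows is easier to read once the log is broken into one entry per line and the service-stop waits are measured. The PowerShell below is an added example (not code from the guide or from Microsoft) that parses dcpromo.log entries in the guide's format, reports how long each service took to reach the STOPPED state, and collects the Winlogon progress notifications and WARNING lines. The sample lines are constructed from the guide's listing (a handful of its entries, same format, date column removed); the function name is hypothetical, and it assumes a real log may carry a leading date token before the time, which the regex skips.

```powershell
# Added example, not part of the guide: parse dcpromo.log entries, measure how long
# each service took to stop, and list the Winlogon progress notifications and
# WARNING lines. Assumptions: a real log may have a date token before the time
# (skipped by the regex), and the run does not cross midnight.

function Get-DcpromoCloneTimeline {
    param([string[]]$Lines)

    $pattern = '^(?:\S+\s+)?(?<t>\d{2}:\d{2}:\d{2}) \[(?<lvl>\w+)\] (?<msg>.*)$'
    $stopStarted = @{}      # service name -> time "Stopping service X" was logged
    $stops    = New-Object System.Collections.Generic.List[object]
    $progress = New-Object System.Collections.Generic.List[object]
    $warnings = New-Object System.Collections.Generic.List[object]

    foreach ($line in $Lines) {
        # lines without a timestamp (EVENTLOG bodies, blank lines) are skipped
        if ($line -match $pattern) {
            $t   = [timespan]::Parse($Matches.t)
            $lvl = $Matches.lvl
            $msg = $Matches.msg

            if ($lvl -eq 'WARNING') { $warnings.Add("$t $msg") }

            if ($msg -match '^Stopping service (\S+)$') {
                $svc = $Matches[1].ToUpperInvariant()
                # the log repeats "Stopping service NETLOGON"; keep the first timestamp
                if (-not $stopStarted.ContainsKey($svc)) { $stopStarted[$svc] = $t }
            }
            elseif ($msg -match '^DsRolepWaitForService: exiting because (\S+) entered STOPPED state$') {
                $svc = $Matches[1].ToUpperInvariant()
                if ($stopStarted.ContainsKey($svc)) {
                    $stops.Add([pscustomobject]@{
                        Service     = $svc
                        StopSeconds = [int](($t - $stopStarted[$svc]).TotalSeconds)
                    })
                    $stopStarted.Remove($svc)
                }
            }
            elseif ($msg -match 'Winlogon UI Notification #(\d+): .* at (\d+)% completion') {
                $progress.Add([pscustomobject]@{ Time = $t; Step = [int]$Matches[1]; Percent = [int]$Matches[2] })
            }
        }
    }

    [pscustomobject]@{
        ServiceStops = $stops      # NTDS's figure includes its dependents (NtFrs, Kdc, DNS), as in the log
        Progress     = $progress
        Warnings     = $warnings
    }
}

# Constructed sample in the guide's format (a few entries, not a full log).
$sample = @'
15:14:01 [INFO] Stopping service NETLOGON
15:14:01 [WARNING] Cannot get user Token for Format Message: 1725l
15:14:02 [INFO] DsRolepWaitForService: exiting because NETLOGON entered STOPPED state
15:14:04 [INFO] vDC Cloning: Winlogon UI Notification #1: Domain Controller cloning is at 5% completion...
15:14:15 [INFO] Stopping service NTDS
15:14:15 [INFO] Stopping service NtFrs
15:14:16 [INFO] DsRolepWaitForService: exiting because NtFrs entered STOPPED state
15:14:17 [INFO] Stopping service DNS
15:14:17 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:15:00 [INFO] DsRolepWaitForService: exiting because DNS entered STOPPED state
15:15:01 [INFO] DsRolepWaitForService: exiting because NTDS entered STOPPED state
15:15:04 [INFO] vDC Cloning: Winlogon UI Notification #14: Domain Controller cloning is at 40% completion...
'@ -split "`r?`n"

$result = Get-DcpromoCloneTimeline -Lines $sample
$result.ServiceStops | Sort-Object StopSeconds -Descending | Format-Table -AutoSize
$result.Progress | Format-Table -AutoSize
$result.Warnings

# On a clone, run it against the real log:
# Get-DcpromoCloneTimeline -Lines (Get-Content "$env:SystemRoot\debug\dcpromo.log")
```

Sorting ServiceStops descending puts the slow stop first; in the guide's listing that is the DNS service (Stopping service DNS at 15:14:17, STOPPED at 15:15:00), which the note on the service-stop step explains.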
Start clone-based promotion
Set the Directory Services Restore Mode flag so that the server does not boot back up normally as the original clone and cause naming or Directory Service collisions
Update the Directory Services event log
15:14:01 [INFO] vDC Cloneing: Setting Boot into DSRM flag succeeded.
15:14:01 [WARNING] Cannot get user Token for Format Message: 1725l
15:14:01 [INFO] vDC Cloning: Created vDCCloningUpdate event.
15:14:01 [INFO] vDC Cloning: Created vDCCloningComplete event.
Stop the NetLogon service so that the domain controller does not advertise
15:14:01 [INFO] Stopping service NETLOGON
15:14:01 [INFO] ControlService(STOP) on NETLOGON returned 1(gle=0)
15:14:01 [INFO] DsRolepWaitForService: waiting for NETLOGON to enter one of 7 states
15:14:01 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=3
15:14:02 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=1
15:14:02 [INFO] DsRolepWaitForService: exiting because NETLOGON entered STOPPED state
15:14:02 [INFO] DsRolepWaitForService(for any end state) on NETLOGON service returned 0
15:14:02 [INFO] ControlService(STOP) on NETLOGON returned 0(gle=1062)
15:14:02 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state
15:14:02 [INFO] StopService on NETLOGON returned 0
15:14:02 [INFO] Configuring service NETLOGON to 1 returned 0
15:14:02 [INFO] Updating service status to 4
15:14:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
Examine the dccloneconfig.xml file for administrator-specified customizations.
In this sample case it is a blank file, so all settings are automatically generated and automatic IP addressing is required from the network
15:14:02 [INFO] vDC Cloning: Clone config file C:\Windows\NTDS\DCCloneConfig.xml is considered to be a blank file (containing 0 bytes)
15:14:02 [INFO] vDC Cloning: Parsing clone config file C:\Windows\NTDS\DCCloneConfig.xml returned HRESULT 0x0
Validate that there are no services or programs installed that are not part of the DefaultDCCloneAllowList.xml or CustomDCCloneAllowList.xml
15:14:02 [INFO] vDC Cloning: Checking allowed list:
15:14:03 [INFO] vDC Cloning: Completed checking allowed list:
15:14:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
Enable DHCP on the network adapters, since IP information was not specified by the administrator
15:14:03 [INFO] vDC Cloning: Enable DHCP:
15:14:03 [INFO] WMI Instance: Win32_NetworkAdapterConfiguration.Index=12
15:14:03 [INFO] Method: EnableDHCP
15:14:03 [INFO] HRESULT code: 0x0 (0)
15:14:03 [INFO] Return Value: 0x0 (0)
15:14:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
Locate the PDC emulator
Set the clone's site (automatically generated in this case)
Set the clone's name (automatically generated in this case)
15:14:03 [INFO] vDC Cloning: Found PDC. Name: DC1.root.fabrikam.com
15:14:04 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:04 [INFO] vDC Cloning: Winlogon UI Notification #1: Domain Controller cloning is at 5% completion...
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #2: Domain Controller cloning is at 10% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] Site of the cloned DC: Default-First-Site-Name
Create the new clone computer object
Rename the clone to match the new name
15:14:05 [INFO] vDC Cloning: Clone DC objects are created on PDC.
15:14:05 [INFO] Name of the cloned DC: DC2-CL0001
15:14:05 [INFO] DsRolepSetRegStringValue on System\CurrentControlSet\Services\NTDS\Parameters\CloneMachineName to DC2-CL0001 returned 0
15:14:05 [INFO] vDC Cloning: Save CloneMachineName in registry: 0x0 (0)
Provide the promotion settings, based on previous dccloneconfig.xml or automatic generation rules
15:14:05 [INFO] vDC Cloning: Promotion parameters setting:
15:14:05 [INFO] DNS Domain Name: root.fabrikam.com
15:14:05 [INFO] Replica Partner: \\DC1.root.fabrikam.com
15:14:05 [INFO] Site Name: Default-First-Site-Name
15:14:05 [INFO] DS Database Path: C:\Windows\NTDS
15:14:05 [INFO] DS Log Path: C:\Windows\NTDS
15:14:05 [INFO] SysVol Root Path: C:\Windows\SYSVOL
15:14:05 [INFO] Account: root.fabrikam.com\DC2-CL0001$
15:14:05 [INFO] Options: DSROLE_DC_CLONING (0x800400)
Start promotion
15:14:05 [INFO] Promote DC as a clone
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #3: Domain Controller cloning is at 15% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #4: Domain Controller cloning is at 16% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] Validate supplied paths
15:14:05 [INFO] Validating path C:\Windows\NTDS.
15:14:05 [INFO] Path is a directory
15:14:05 [INFO] Path is on a fixed disk drive.
15:14:05 [INFO] Validating path C:\Windows\NTDS.
15:14:05 [INFO] Path is a directory
15:14:05 [INFO] Path is on a fixed disk drive.
15:14:05 [INFO] Validating path C:\Windows\SYSVOL.
15:14:05 [INFO] Path is on a fixed disk drive.
15:14:05 [INFO] Path is on an NTFS volume
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #5: Domain Controller cloning is at 17% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] Start the worker task
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #6: Domain Controller cloning is at 20% completion...
15:14:05 [INFO] Request for promotion returning 0
15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #7: Domain Controller cloning is at 21% completion...
15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
Stop and configure all of the AD DS-related services (NTDS, NTFRS/DFSR, KDC, DNS)
Note: The DNS service taking a long time to shut down is expected in this scenario, because it is using AD-integrated zones that were already unavailable before the NTDS service stopped; see the DNS events described later in this section of the guide.
15:14:15 [INFO] Stopping service NTDS
15:14:15 [INFO] Stopping service NtFrs
15:14:15 [INFO] ControlService(STOP) on NtFrs returned 1(gle=0)
15:14:15 [INFO] DsRolepWaitForService: waiting for NtFrs to enter one of 7 states
15:14:15 [INFO] DsRolepWaitForService: QueryServiceStatus on NtFrs returned 1 (gle=0), SvcStatus.dwCS=3
15:14:16 [INFO] DsRolepWaitForService: QueryServiceStatus on NtFrs returned 1 (gle=0), SvcStatus.dwCS=1
15:14:16 [INFO] DsRolepWaitForService: exiting because NtFrs entered STOPPED state
15:14:16 [INFO] DsRolepWaitForService(for any end state) on NtFrs service returned 0
15:14:16 [INFO] ControlService(STOP) on NtFrs returned 0(gle=1062)
15:14:16 [INFO] Exiting service-stop loop after service NtFrs entered STOPPED state
15:14:16 [INFO] StopService on NtFrs returned 0
15:14:16 [INFO] Configuring service NtFrs to 1 returned 0
15:14:16 [INFO] Stopping service Kdc
15:14:16 [INFO] ControlService(STOP) on Kdc returned 1(gle=0)
15:14:16 [INFO] DsRolepWaitForService: waiting for Kdc to enter one of 7 states
15:14:16 [INFO] DsRolepWaitForService: QueryServiceStatus on Kdc returned 1 (gle=0), SvcStatus.dwCS=3
15:14:17 [INFO] DsRolepWaitForService: QueryServiceStatus on Kdc returned 1 (gle=0), SvcStatus.dwCS=1
15:14:17 [INFO] DsRolepWaitForService: exiting because Kdc entered STOPPED state
15:14:17 [INFO] DsRolepWaitForService(for any end state) on Kdc service returned 0
15:14:17 [INFO] ControlService(STOP) on Kdc returned 0(gle=1062)
15:14:17 [INFO] Exiting service-stop loop after service Kdc entered STOPPED state
15:14:17 [INFO] StopService on Kdc returned 0
15:14:17 [INFO] Configuring service Kdc to 1 returned 0
15:14:17 [INFO] Stopping service DNS
15:14:17 [INFO] ControlService(STOP) on DNS returned 1(gle=0)
15:14:17 [INFO] DsRolepWaitForService: waiting for DNS to enter one of 7 states
15:14:17 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:18 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:19 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:20 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:21 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:22 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:23 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:24 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:25 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:26 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:27 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:28 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:29 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:30 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:31 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:32 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:33 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:34 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:35 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:36 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:37 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:38 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:39 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:40 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:41 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:42 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:43 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:44 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:45 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:46 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:47 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:48 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:49 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:50 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:51 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:52 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:53 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:54 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:55 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:56 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:57 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:58 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:14:59 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:15:00 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=1
15:15:00 [INFO] DsRolepWaitForService: exiting because DNS entered STOPPED state
15:15:00 [INFO] DsRolepWaitForService(for any end state) on DNS service returned 0
15:15:00 [INFO] ControlService(STOP) on DNS returned 0(gle=1062)
15:15:00 [INFO] Exiting service-stop loop after service DNS entered STOPPED state
15:15:00 [INFO] StopService on DNS returned 0
15:15:00 [INFO] Configuring service DNS to 1 returned 0
15:15:00 [INFO] ControlService(STOP) on NTDS returned 1(gle=1062)
15:15:00 [INFO] DsRolepWaitForService: waiting for NTDS to enter one of 7 states
15:15:00 [INFO] DsRolepWaitForService: QueryServiceStatus on NTDS returned 1 (gle=0), SvcStatus.dwCS=3
15:15:01 [INFO] DsRolepWaitForService: QueryServiceStatus on NTDS returned 1 (gle=0), SvcStatus.dwCS=1
15:15:01 [INFO] DsRolepWaitForService: exiting because NTDS entered STOPPED state
15:15:01 [INFO] DsRolepWaitForService(for any end state) on NTDS service returned 0
15:15:01 [INFO] ControlService(STOP) on NTDS returned 0(gle=1062)
15:15:01 [INFO] Exiting service-stop loop after service NTDS entered STOPPED state
15:15:01 [INFO] StopService on NTDS returned 0
15:15:01 [INFO] Configuring service NTDS to 1 returned 0
15:15:01 [INFO] Configuring service NTDS
15:15:01 [INFO] Configuring service NTDS to 64 returned 0
15:15:01 [INFO] vDC Cloning: Winlogon UI Notification #8: Domain Controller cloning is at 22% completion...
15:15:01 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:01 [INFO] vDC Cloning: Winlogon UI Notification #9: Domain Controller cloning is at 25% completion...
15:15:01 [INFO] vDC Cloning: Set vDCCloningUpdate event.
Force NT5DS (NTP) time synchronization with another domain controller (typically the PDCE)
15:15:02 [INFO] Forcing time sync
Contact a domain controller that holds the source domain controller account of the clone
Flush any existing Kerberos tickets
15:15:02 [INFO] Searching for a domain controller for the domain root.fabrikam.com that contains the account DC2$
15:15:02 [INFO] Located domain controller DC1.root.fabrikam.com for domain root.fabrikam.com
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #10: Domain Controller cloning is at 26% completion...
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] Directing kerberos authentication to DC1.root.fabrikam.com returns 0
15:15:02 [INFO] DsRolepFlushKerberosTicketCache() successfully flushed the Kerberos ticket cache
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #11: Domain Controller cloning is at 27% completion...
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] Using site Default-First-Site-Name for server \\DC1.root.fabrikam.com
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
Stop the NetLogon service and set its start type
15:15:02 [INFO] Stopping service NETLOGON
15:15:02 [INFO] Stopping service NETLOGON
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #12: Domain Controller cloning is at 29% completion...
15:15:02 [INFO] ControlService(STOP) on NETLOGON returned 1(gle=0)
15:15:02 [INFO] DsRolepWaitForService: waiting for NETLOGON to enter one of 7 states
15:15:02 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=3
15:15:03 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=1
15:15:03 [INFO] DsRolepWaitForService: exiting because NETLOGON entered STOPPED state
15:15:03 [INFO] DsRolepWaitForService(for any end state) on NETLOGON service returned 0
15:15:03 [INFO] ControlService(STOP) on NETLOGON returned 0(gle=1062)
15:15:03 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state
15:15:03 [INFO] StopService on NETLOGON returned 0
15:15:03 [INFO] Configuring service NETLOGON to 1 returned 0
15:15:03 [INFO] Stopped NETLOGON
15:15:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:03 [INFO] vDC Cloning: Winlogon UI Notification #13: Domain Controller cloning is at 30% completion...
Configure the DFSR/NTFRS services to run automatically
Delete their existing database files to force non-authoritative sync of SYSVOL when the service next starts
15:15:03 [INFO] Configuring service DFSR
15:15:03 [INFO] Configuring service DFSR to 256 returned 0
15:15:03 [INFO] Configuring service NTFRS
15:15:03 [INFO] Configuring service NTFRS to 256 returned 0
15:15:03 [INFO] Removing DFSR Database files for SysVol
15:15:03 [INFO] Removing FRS Database files in C:\Windows\ntfrs\jet
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edb.log
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbres00001.jrs
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbres00002.jrs
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbtmp.log
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\ntfrs.jdb
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\sys\edb.chk
15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\temp\tmp.edb
15:15:04 [INFO] Created system volume path
15:15:04 [INFO] Configuring service DFSR
15:15:04 [INFO] Configuring service DFSR to 128 returned 0
15:15:04 [INFO] Configuring service NTFRS
15:15:04 [INFO] Configuring service NTFRS to 128 returned 0
15:15:04 [INFO] vDC Cloning: Winlogon UI Notification #14: Domain Controller cloning is at 40% completion...
15:15:04 [INFO] vDC Cloning: Set vDCCloningUpdate event.
Start the promotion process using the existing NTDS database file
Contact the RID Master
Note: The AD DS service is not actually installed here; this is legacy instrumentation in the log.
15:15:04 [INFO] Installing the Directory Service
15:15:04 [INFO] Calling NtdsInstall for root.fabrikam.com
15:15:04 [INFO] Starting Active Directory Domain Services installation
15:15:04 [INFO] Validating user supplied options
15:15:04 [INFO] Determining a site in which to install
15:15:04 [INFO] Examining an existing forest...
15:15:04 [INFO] Starting a replication cycle between DC1.root.fabrikam.com and the RID operations master (2008r2-01.root.fabrikam.com), so that the new replica will be able to create users, groups, and computer objects...
15:15:04 [INFO] Configuring the local computer to host Active Directory Domain Services
15:15:04 [INFO] EVENTLOG (Warning): NTDS General / Service Control : 1539
Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.
Hard disk: c:
Data might be lost during system failures.
15:15:10 [INFO] EVENTLOG (Informational): NTDS General / Internal Processing : 2041
Duplicate event log entries were suppressed.
See the previous event log entry for details. An entry is considered a duplicate if the event code and all of its insertion parameters are identical. The time period for this run of duplicates is from the time of the previous event to the time of this event.
Event Code: 80000603
Number of duplicate entries: 2
15:15:10 [INFO] EVENTLOG (Informational): NTDS General / Internal Configuration : 2121
This Active Directory Domain Services server is disabling the Recycle Bin. Deleted objects may not be undeleted at this time.
Change the invocation ID that was carried over from the source computer's database
Create a new NTDS Settings object for this clone
Replicate in AD object delta from the partner domain controller
Note: Even though all objects are listed as replicated, this is just the metadata needed to subsume the updates. All the unchanged objects in the cloned NTDS database already exist and do not need to be replicated again, just as with IFM-based promotion.
15:15:10 [INFO] EVENTLOG (Informational): NTDS Replication / Replication : 1109
The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:
InvocationID attribute (old value): 24e7b22f-4706-402d-9b4f-f2690f730b40
InvocationID attribute (new value): f74cefb2-89c2-442c-b1ba-3234b0ed62f8
Update sequence number: 20520
The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.
15:15:10 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.
Additional Data
Error value (decimal): 2
Error value (hex): 2
Internal ID: 7011658
15:15:11 [INFO] Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC DC1.root.fabrikam.com...
15:15:11 [INFO] Replicating the schema directory partition
15:15:11 [INFO] Replicated the schema container.
15:15:12 [INFO] Active Directory Domain Services updated the schema cache.
15:15:12 [INFO] Replicating the configuration directory partition
15:15:12 [INFO] Replicating data CN=Configuration,DC=root,DC=fabrikam,DC=com: Received 2612 out of approximately 2612 objects and 94 out of approximately 94 distinguished name (DN) values...
15:15:12 [INFO] Replicated the configuration container.
15:15:13 [INFO] Replicating critical domain information...
15:15:13 [INFO] Replicating data DC=root,DC=fabrikam,DC=com: Received 109 out of approximately 109 objects and 35 out of approximately 35 distinguished name (DN) values...
15:15:13 [INFO] Replicated the critical objects in the domain container.
Populate the GC partitions as needed with any missing updates
Complete the critical AD DS portion of the promotion
15:15:13 [INFO] EVENTLOG (Informational): NTDS General / Global Catalog : 1110
Promotion of this domain controller to a global catalog will be delayed for the following interval.
Interval (minutes): 5
This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide.
15:15:14 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1000
Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0
15:15:15 [INFO] Creating new domain users, groups, and computer objects
15:15:16 [INFO] Completing Active Directory Domain Services installation
15:15:16 [INFO] NtdsInstall for root.fabrikam.com returned 0
15:15:16 [INFO] DsRolepInstallDs returned 0
15:15:16 [INFO] Installed Directory Service
Complete the inbound replication of SYSVOL
15:15:16 [INFO] vDC Cloning: Winlogon UI Notification #15: Domain Controller cloning is at 60% completion...
15:15:16 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Completed system volume replication
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #16: Domain Controller cloning is at 70% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] SetProductType to 2 [LanmanNT] returned 0
15:15:18 [INFO] Set the product type
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #17: Domain Controller cloning is at 71% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #18: Domain Controller cloning is at 72% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Set the system volume path for NETLOGON
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #19: Domain Controller cloning is at 73% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Replicating non critical information
15:15:18 [INFO] User specified to not replicate non-critical data
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #20: Domain Controller cloning is at 80% completion...
15:15:18 [INFO] Stopped the DS
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #21: Domain Controller cloning is at 90% completion...
15:15:18 [INFO] Configuring service NTDS
15:15:18 [INFO] Configuring service NTDS to 16 returned 0
Enable client DNS registration
15:15:18 [INFO] vDC Cloning: Set DisableDynamicUpdate reg value to 0 to enaable dynamic DNS records registration.
15:15:18 [INFO] vDC Cloning: Set UseDynamicDns reg value to 1 to enable dynamic DNS records registration.
15:15:18 [INFO] vDC Cloning: Set RegistrationEnabled reg value to 1 to enable dynamic DNS records registration.
Run the SYSPREP modules specified by the DefaultDCCloneAllowList.xml <SysprepInformation> element.
15:15:18 [INFO] vDC Cloning: Running sysprep providers.
15:15:32 [INFO] vDC Cloning: Completed running sysprep providers.
Cloning promotion is complete
Remove the DSRM boot flag so the server boots normally next time
Rename the dccloneconfig.xml so that it is not read again at next bootup
Restart the computer
15:15:32 [INFO] The attempted domain controller operation has completed
15:15:32 [INFO] Updating service status to 4
15:15:32 [INFO] DsRolepSetOperationDone returned 0
15:15:32 [INFO] vDC Cloning: Set vDCCloningComplete event.
15:15:32 [INFO] vDC Cloneing: Clearing Boot into DSRM flag succeeded.
15:15:32 [INFO] vDC Cloning: Winlogon UI Notification #22: Cloning Domain Controller succeeded. Now rebooting...
15:15:33 [INFO] vDC Cloning: Renamed vDC clone configuration file.
15:15:33 [INFO] vDC Cloning: The old name is: C:\Windows\NTDS\DCCloneConfig.xml
15:15:33 [INFO] vDC Cloning: The new name is: C:\Windows\NTDS\DCCloneConfig.20120207-151533.xml
15:15:34 [INFO] vDC Cloning: Release Ipv4 on interface 'Wired Ethernet Connection 2', result=0.
15:15:34 [INFO] vDC Cloning: Release Ipv6 on interface 'Wired Ethernet Connection 2', result=0.
15:15:34 [INFO] Rebooting machine
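When a clone hangs or fails, the first question is how far the walkthrough above got: which Winlogon notification was the last one, whether the invocation ID was changed, whether DCCloneConfig.xml was renamed, and whether anything was logged at [ERROR]. The following PowerShell is an added example, not code from the UTG or from Windows. It parses lines in the dcpromo.log format quoted above (timestamped "[LEVEL]" lines plus the untimestamped continuation lines that EVENTLOG entries produce) and summarizes the clone's state. The function name, the "Healthy" verdict and the sample lines are this example's own; the sample is constructed from the excerpt above and the log path $env:SystemRoot\debug\dcpromo.log is an assumption of the usage note.

```powershell
# Added example, not part of the UTG or of Windows: summarize a cloning run from
# dcpromo.log-style lines. The sample input below is constructed from the excerpt above.

function Get-VdcCloneProgress {
    [CmdletBinding()]
    param(
        # One log line per element, for example from Get-Content on dcpromo.log.
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [string[]]$Lines
    )

    $state = [ordered]@{
        LastPercent     = $null   # highest "is at N% completion" seen so far
        LastStep        = $null   # text of the last vDC Cloning UI notification
        Succeeded       = $false  # "Cloning Domain Controller succeeded" was logged
        ConfigRenamedTo = $null   # new name given to DCCloneConfig.xml, if logged
        OldInvocationId = $null   # from the NTDS 1109 event echoed into the log
        NewInvocationId = $null
        Errors          = @()     # every [ERROR] line, verbatim
        Healthy         = $false  # overall verdict, computed at the end
    }

    foreach ($line in $Lines) {
        # Only timestamped lines carry a level; continuation lines of an event do not.
        if ($line -match '^\d{2}:\d{2}:\d{2} \[ERROR\]') {
            $state.Errors += $line
        }

        if ($line -match 'vDC Cloning: Winlogon UI Notification #\d+: (?<text>.+)$') {
            $text = $Matches.text
            $state.LastStep = $text
            if ($text -match 'is at (?<pct>\d+)% completion') {
                $state.LastPercent = [int]$Matches.pct
            }
            elseif ($text -like 'Cloning Domain Controller succeeded*') {
                $state.Succeeded   = $true
                $state.LastPercent = 100
            }
        }
        elseif ($line -match 'vDC Cloning: The new name is: (?<path>\S.*)$') {
            $state.ConfigRenamedTo = $Matches.path
        }
        elseif ($line -match 'InvocationID attribute \(old value\):\s*(?<id>[0-9a-fA-F-]{36})') {
            $state.OldInvocationId = $Matches.id
        }
        elseif ($line -match 'InvocationID attribute \(new value\):\s*(?<id>[0-9a-fA-F-]{36})') {
            $state.NewInvocationId = $Matches.id
        }
    }

    # A finished clone must have renamed its config file (so it is not read again at the
    # next boot) and must not still carry the source DC's invocation ID.
    $idUnchanged = ($null -ne $state.OldInvocationId) -and
                   ($state.OldInvocationId -eq $state.NewInvocationId)
    $state.Healthy = $state.Succeeded -and
                     ($null -ne $state.ConfigRenamedTo) -and
                     ($state.Errors.Count -eq 0) -and
                     (-not $idUnchanged)

    [pscustomobject]$state
}

# Constructed sample: entries copied from the excerpt above, one per line, not the real file.
$sampleLog = @(
    '15:15:03 [INFO] vDC Cloning: Winlogon UI Notification #13: Domain Controller cloning is at 30% completion...'
    '15:15:10 [INFO] EVENTLOG (Informational): NTDS Replication / Replication : 1109'
    'InvocationID attribute (old value):24e7b22f-4706-402d-9b4f-f2690f730b40'
    'InvocationID attribute (new value):f74cefb2-89c2-442c-b1ba-3234b0ed62f8'
    '15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #20: Domain Controller cloning is at 80% completion...'
    '15:15:32 [INFO] vDC Cloning: Winlogon UI Notification #22: Cloning Domain Controller succeeded. Now rebooting...'
    '15:15:33 [INFO] vDC Cloning: The new name is: C:\Windows\NTDS\DCCloneConfig.20120207-151533.xml'
)
Get-VdcCloneProgress -Lines $sampleLog | Format-List

# Against a real clone (path assumed): read LastStep and Errors to see where it stopped.
# Get-VdcCloneProgress -Lines (Get-Content "$env:SystemRoot\debug\dcpromo.log") | Format-List
```

On the sample the verdict is Healthy with LastPercent 100, a renamed config file and two different invocation IDs. On a clone that is stuck, Succeeded stays false and LastStep names the last notification reached, which maps directly onto the numbered steps in the walkthrough above; a clone that reports success but has no renamed DCCloneConfig.xml would attempt to clone again at its next boot, which is why the verdict checks for the rename.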
Active Directory Web Services Event Log
While cloning is occurring, the NTDS.DIT database is often offline for extended periods, and the ADWS service logs at least one event for this. After cloning is complete, the ADWS service starts, notes that there is not yet a valid computer certificate (there may or may not be one, depending on whether your environment deploys a Microsoft PKI with auto-enrollment), and then starts the instance for the new domain controller.
Event ID 1202
Source ADWS Instance Events
Message This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically. Directory instance: NTDS Directory instance LDAP port: 389 Directory instance SSL port: 636
Event ID 1000
Source ADWS Instance Events
Message Active Directory Web Services is starting
Event ID 1008
Source ADWS Instance Events
Message Active Directory Web Services has successfully reduced its security privileges
Event ID 1100
Source ADWS Instance Events
Message The values specified in the <appsettings> section of the configuration file for Active Directory Web Services have been loaded without errors.
Event ID 1400
Source ADWS Certificate Events
Message Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine. Certificate name: <Server FQDN>
Event ID 1100
Source ADWS Instance Events
Message The values specified in the <appsettings> section of the configuration file for Active Directory Web Services have been loaded without errors.
Event ID 1200
Source ADWS Instance Events
Message Active Directory Web Services is now servicing the specified directory instance. Directory instance: NTDS Directory instance LDAP port: 389 Directory instance SSL port: 636
DNS Server Event Log
The DNS Server service experiences brief, expected outages while cloning occurs, because the DNS service keeps running while the AD DS database is offline. This happens with Active Directory-integrated zones, but not with standard primary or secondary zones. The errors are logged multiple times. After cloning completes, DNS comes back online normally.
Event ID 4013
Source DNS-Server-Service
Message The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
Event ID 4015
Source DNS-Server-Service
Message The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
Event ID 4000
Source DNS-Server-Service
Message The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
Event ID 4013
Source DNS-Server-Service
Message The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
Event ID 2
Source DNS-Server-Service
Message The DNS server has started.
Event ID 4
Source DNS-Server-Service
Message The DNS server has finished the background loading of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.
File Replication Service Event Log
The File Replication Service synchronizes non-authoritatively from a partner during cloning. Cloning accomplishes this by deleting the NTFRS database files and leaving the contents of SYSVOL untouched, for use as pre-seeded data. The two attempts to synchronize are expected.
Event ID 13562
Source NtFrs
Message Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller DC2.root.fabrikam.com for FRS replica set configuration information. Could not bind to a Domain Controller. Will try again at next polling cycle
Event ID 13502
Source NtFrs
Message The File Replication Service is stopping.
Event ID 13565
Source NtFrs
Message File Replication Service is initializing the system volume with data from another domain controller. Computer DC2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
To check for the SYSVOL share, at the command prompt, type: net share
When File Replication Service completes the initialization process, the SYSVOL share will appear.
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
Event ID 13501
Source NtFrs
Message The File Replication Service is starting
Event ID 13502
Source NtFrs
Message The File Replication Service is stopping.
Event ID 13503
Source NtFrs
Message The File Replication Service has stopped.
Event ID 13565
Source NtFrs
Message File Replication Service is initializing the system volume with data from another domain controller. Computer DC2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
To check for the SYSVOL share, at the command prompt, type: net share
When File Replication Service completes the initialization process, the SYSVOL share will appear.
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
Event ID 13501
Source NtFrs
Message The File Replication Service is starting.
Event ID 13553
Source NtFrs
Message The File Replication Service successfully added this computer to the following replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
Information related to this event is shown below:
Computer DNS name is <Domain Controller FQDN>
Replica set member name is <Domain Controller>
Replica set root path is <path>
Replica staging directory path is <path>
Replica working directory path is <path>
Event ID 13520
Source NtFrs
Message The File Replication Service moved the preexisting files in <path> to <path>\NtFrs_PreExisting___See_EventLog.
The File Replication Service may delete the files in <path>\NtFrs_PreExisting___See_EventLog at any time. Files can be saved from deletion by copying them out of <path>\NtFrs_PreExisting___See_EventLog. Copying the files into c:\windows\sysvol\domain may lead to name conflicts if the files already exist on some other replicating partner.
In some cases, the File Replication Service may copy a file from <path>\NtFrs_PreExisting___See_EventLog into <path> instead of replicating the file from some other replicating partner.
Space can be recovered at any time by deleting the files in <path>\NtFrs_PreExisting___See_EventLog.
Event ID 13508
Source NtFrs
Message The File Replication Service is having trouble enabling replication from \\<Domain Controller FQDN> to <Domain Controller> for <path> using the DNS name \\<Domain Controller FQDN>. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name \\<Domain Controller FQDN> from this computer. [2] FRS is not running on \\<Domain Controller FQDN>. [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection. After the problem is fixed you will see another event log message indicating that the connection has been established.
Event ID 13509
Source NtFrs
Message The File Replication Service has enabled replication from \\<Domain Controller FQDN> to <Domain Controller> for <Path> after repeated retries.
Event ID 13516
Source NtFrs
Message The File Replication Service is no longer preventing the computer <Domain Controller> from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
Type "net share" to check for the SYSVOL share.
DFS Replication Event Log
The DFSR service synchronizes non-authoritatively from a partner during cloning. Cloning accomplishes this by deleting the DFSR database files and leaving the contents of SYSVOL untouched, for use as pre-seeded data. The two attempts to synchronize are expected.
Event ID 1004
Source DFSR
Message The DFS Replication service has started.
Event ID 1314
Source DFSR
Message The DFS Replication service successfully configured the debug log files.
Additional Information:
Debug Log File Path: C:\Windows\debug
Event ID 6102
Source DFSR
Message The DFS Replication service has successfully registered the WMI provider
Event ID 1206
Source DFSR
Message The DFS Replication service successfully contacted domain controller DC2.corp.contoso.com to access configuration information.
Event ID 1210
Source DFSR
Message The DFS Replication service successfully set up an RPC listener for incoming replication requests.
Additional Information:
Port: 0
Event ID 4614
Source DFSR
Message The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: <GUID>
Replication Group Name: Domain System Volume
Replication Group ID: <GUID>
Member ID: <GUID>
Read-Only: 0
Event ID 4604
Source DFSR
Message The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member has completed initial synchronization of SYSVOL with partner dc1.corp.contoso.com. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share".
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: <GUID>
Replication Group Name: Domain System Volume
Replication Group ID: <GUID>
Member ID: <GUID>
Sync partner: <domain controller FQDN>
Troubleshooting VDC Safe Restore
Tools for Troubleshooting
Logging Options
The built-in logs are the most important tool for troubleshooting issues with domain controller safe snapshot restore. All of these logs are enabled and configured for maximum verbosity by default.
Operation: Snapshot creation
Log: Event viewer\Applications and services logs\Microsoft\Windows\Hyper-V-Worker
Operation: Snapshot restore
Logs:
Event viewer\Applications and services logs\Directory Service
Event viewer\Windows logs\System
Event viewer\Windows logs\Application
Event viewer\Applications and services logs\File Replication Service
Event viewer\Applications and services logs\DFS Replication
Event viewer\Applications and services logs\DNS
Event viewer\Applications and services logs\Microsoft\Windows\Hyper-V-Worker
Tools and Commands for Troubleshooting Domain Controller Configuration
To troubleshoot issues not explained by the logs, use the following tools as a starting point:
Dcdiag.exe
Repadmin.exe
Network Monitor 3.4 (or a third party network capture and analysis tool)
More Information:
For more information and downloads, see:
Netmon: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=4865
General Methodology for Troubleshooting Domain Controller Safe Restore
1. Is the safe snapshot restore expected, but having issues?
a. Examine the Directory Services event log
i. Are there snapshot restore errors?
ii. Are there AD replication errors?
b. Examine the System event log
i. Are there communications errors?
ii. Are there AD errors?
2. Is the safe snapshot restore unexpected?
a. Examine the hypervisor audit logs to determine who or what caused a rollback
b. Contact all administrators of the hypervisor and establish who rolled back the VM without notification
3. Is the server implementing USN rollback protection and not safely restoring?
a. Examine the Directory Services event log for an unsupported hypervisor
b. Examine the OS and validate that it is running Windows Server "8" Beta
Important: Contact Microsoft Beta Product Support when you have exhausted these avenues.
Troubleshooting Specific Problems
Events
All VDC safe snapshot restore events write to the Directory Services event log of the restored domain controller VM. The Application, System, File Replication Service, and DFS Replication event logs may also contain useful troubleshooting information for failed restores.
Below are the Windows Server "8" Beta safe restore-specific events in the Directory Services event log.
Event ID 2170
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Warning
Message A Generation ID change has been detected.
Generation ID cached in DS (old value): %1
Generation ID currently in VM (new value): %2
The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. <COMPUTERNAME> will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.
Notes and resolution
This is a success event if the snapshot was expected. If not, examine the Hyper-V-Worker event log or contact all administrators of the hypervisor.
Event ID 2174
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message The DC is neither a virtual domain controller clone nor a restored virtual domain controller snapshot.
Notes and resolution
Expected event when starting physical domain controllers or VDCs that were not restored from a snapshot.
Event ID 2181
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.
Notes and resolution
Expected when restoring a snapshot. The aborted transaction is how the change of VM Generation ID is detected.
Event ID 2185
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message <COMPUTERNAME> stopped the FRS or DFSR service used to replicate the SYSVOL folder.
Service name: %1
Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> must initialize a non-authoritative restore on the local SYSVOL replica. This is performed by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. Event 2187 will be logged when FRS or DFSR service is restarted.
Notes and resolution
Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC's copy.
Event ID 2186
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> failed to stop the FRS or DFSR service used to replicate the SYSVOL folder.
Service name: %1
Error code: %2
Error message: %3
Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> must initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR replication service used to replicate the SYSVOL folder and then starting it with the appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to stop the current running service and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution
Examine the System, FRS and DFSR event logs for further information.
Event ID 2187
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message <COMPUTERNAME> started the FRS or DFSR service used to replicate the SYSVOL folder.
Service name: %1
Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needed to initialize a non-authoritative restore on the local SYSVOL replica. This was done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.
Notes and resolution
Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC's copy.
Event ID 2188
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> failed to start the FRS or DFSR service used to replicate the SYSVOL folder.
Service name: %1
Error code: %2
Error message: %3
Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL and starting it with appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to start the FRS or DFSR service used to replicate the SYSVOL folder and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually and restart the service. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution
Examine the System, FRS and DFSR event logs for further information.
Event ID 2189
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message <COMPUTERNAME> set the following registry values to initialize SYSVOL replica during a non-authoritative restore:
Registry Key: %1
Registry Value: %2
Registry Value data: %3
Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.
Notes and resolution
Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC's copy.
Event ID 2190
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> failed to set the following registry values to initialize the SYSVOL replica during a non-authoritative restore:
Registry Key: %1
Registry Value: %2
Registry Value data: %3
Error code: %4
Error message: %5
Active Directory detected that the virtual machine that hosts the domain controller role was reverted to a previous state. <COMPUTERNAME> needs to initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to set the above registry values and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution
Examine Application and System event logs. Investigate third party applications that may be blocking registry updates.
Event ID 2200
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> initializes replication to bring the domain controller current. Event 2201 will be logged when the replication is finished.
Notes and resolution
Expected when restoring a snapshot. Marks the beginning of inbound AD replication.
Event ID 2201
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> has finished replication to bring the domain controller current.
Notes and resolution
Expected when restoring a snapshot. Marks the end of inbound AD replication.
Event ID 2202
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> failed replication to bring the domain controller up-to-date. The domain controller will be updated after next periodic replication.
Notes and resolution
Examine the Directory Services and System event logs. Use repadmin.exe to attempt forcing replication and note any failures.
Event ID 2204
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message <COMPUTERNAME> has detected a change of virtual machine generation ID. The change means that the virtual domain controller has been reverted to a previous state. <COMPUTERNAME> will perform the following operations to protect the reverted domain controller against possible data divergence and to protect creation of security principals with duplicate SIDs: Create a new invocation ID. Invalidate current RID pool. Ownership of the FSMO roles will be validated at next inbound replication. During this window if the domain controller held a FSMO role, that role will be unavailable. Start SYSVOL replication service restore operation. Start replication to bring the reverted domain controller to the most current state. Request a new RID pool.
Notes and resolution
Expected when restoring a snapshot. This explains all the various reset operations that will occur as part of the safe restore process.
Event ID 2205
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message <COMPUTERNAME> invalidated current RID pool after virtual domain controller was reverted to previous state.
Notes and resolution
Expected when restoring a snapshot. The local RID pool must be destroyed because the domain controller has travelled back in time, and RIDs from that pool may already have been issued.
Event ID 2206
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> failed to invalidate current RID pool after virtual domain controller was reverted to previous state. Additional data: Error code: %1 Error value: %2
Notes and resolution
Examine the Directory Services and System event logs. Validate that the RID Master is online and can be reached from this server using Dcdiag.exe /test:ridmanager.
Event ID 2207
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> failed to restore after virtual domain controller was reverted to previous state. A reboot into DSRM was requested. Please check previous events for more information. See http://go.microsoft.com/fwlink/?LinkId=208030 for more information.
Notes and resolution
Examine the Directory Services and System event logs.
Event ID 2208
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message <COMPUTERNAME> deleted DFSR databases to initialize SYSVOL replica during a non-authoritative restore.
Notes and resolution
Expected when restoring a snapshot. This guarantees DFSR non-authoritatively synchronizes SYSVOL from a partner DC. Note that any other DFSR Replicated Folders on the same volume as SYSVOL will also non-authoritatively sync (domain controllers are not recommended to host custom DFSR sets on the same volume as SYSVOL).
Event ID 2209
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message <COMPUTERNAME> failed to delete DFSR databases. Additional data: Error code: %1 Error value: %2 Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a non-authoritative restore on the local SYSVOL replica. For DFSR, this is done by stopping the DFSR service, deleting DFSR databases, and re-starting the service. Upon restarting DFSR will rebuild the databases and start the initial sync.
Notes and resolution
Examine the DFSR event log.
Error Messages
There are no direct interactive errors for a failed VDC safe snapshot restore; all cloning information is logged in the Directory Services event log. Naturally, any critical replication or server advertising errors manifest themselves as symptoms elsewhere.
Known/Likely Issues and Support Scenarios
The following are common issues seen during the Windows Server "8" Beta development process. All of these issues are "by design" and have either a valid workaround or a more appropriate technique to avoid them in the first place. Some may be resolved in later releases of Windows Server "8".
The General Methodology for Troubleshooting Domain Controller Safe Restore section and the events listed in the Troubleshooting Specific Problems section are usually adequate to troubleshoot most issues.
Issue Cannot create new security principals on recently safe restored domain controller
Symptoms After restoring a snapshot, attempts to create a new security principal (user, computer, group) on that domain controller fail with: Error 0x2010 The directory service was unable to allocate a relative identifier.
Resolution and Notes
This issue is caused by the restored computer's stale knowledge of the RID Master FSMO role. If the role moved to this or another domain controller after a snapshot was taken and then later restored, the restored domain controller will not have knowledge of the RID Master until initial replication has completed. To resolve the issue, allow AD replication to complete inbound to the restored domain controller. If it is still not working, validate that all domain controllers have the same correct knowledge of which DC hosts the RID Master.
Figure 57
Advanced Troubleshooting
This guide seeks to teach advanced troubleshooting by using working logs as samples, with some explanation of what occurred. If you understand what a successful VDC operation looks like, failures become obvious in your environment. These logs are presented by their source, with the expected events related to a cloned domain controller listed in ascending order within each log.
Restoring a Domain Controller that Replicates SYSVOL Using DFSR
Directory Services Event Log
The Directory Services log contains the majority of safe restore operational information. The hypervisor changes the VM-Generation ID and the NTDS service notes it, then invalidates the RID pool and changes the invocation ID. The new VM-Generation ID is set and the server replicates AD data inbound. The DFSR service is stopped and its database that hosts SYSVOL is deleted, forcing a non-authoritative sync inbound. The USN high watermark is adjusted.
Event ID Source Message
2170 ActiveDirectory_DomainService
A Generation ID change has been detected. Generation ID cached in DS (old value): <number> Generation ID currently in VM (new value): <number> The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. Active Directory Domain Services will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.
2181 ActiveDirectory_DomainService
The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.
2204 ActiveDirectory_DomainService
Active Directory Domain Services has detected a change of virtual machine generation ID. The change means that the virtual domain controller has been reverted to a previous state. Active Directory Domain Services will perform the following operations to protect the reverted domain controller against possible data divergence and to protect creation of security principals with duplicate SIDs: Create a new invocation ID. Invalidate current RID pool. Ownership of the FSMO roles will be validated at next inbound replication. During this window if the domain controller held a FSMO role, that role will be unavailable. Start SYSVOL replication service restore operation. Start replication to bring the reverted domain controller to the most current state. Request a new RID pool.
2181 ActiveDirectory_DomainService
The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.
1109 ActiveDirectory_DomainService
The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows: InvocationID attribute (old value): <GUID> InvocationID attribute (new value): <GUID> Update sequence number: <number> The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.
2179 ActiveDirectory_DomainService
The msDS-GenerationId attribute of the Domain Controller's computer object has been set to the following parameter: GenerationID attribute:<number>
2200 ActiveDirectory_DomainService
Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services initializes replication to bring the domain controller current. Event 2201 will be logged when the replication is finished.
2201 ActiveDirectory_DomainService
Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services has finished replication to bring the domain controller current.
2185 ActiveDirectory_DomainService
Active Directory Domain Services stopped the FRS or DFSR service used to replicate the SYSVOL folder. Service name: DFSR Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services must initialize a non-authoritative restore on the local SYSVOL replica. This is performed by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. Event 2187 will be logged when FRS or DFSR service is restarted.
2208 ActiveDirectory_DomainService
Active Directory Domain Services deleted DFSR databases to initialize SYSVOL replica during a non-authoritative restore. Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needs to initialize a non-authoritative restore on the local SYSVOL replica. For DFSR, this is done by stopping the DFSR service, deleting DFSR databases, and re-starting the service. Upon restarting DFSR will rebuild the databases and start the initial sync.
2187 ActiveDirectory_DomainService
Active Directory Domain Services started the FRS or DFSR service used to replicate the SYSVOL folder. Service name: DFSR Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needed to initialize a non-authoritative restore on the local SYSVOL replica. This was done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.
1587 ActiveDirectory_DomainService
This directory service has been restored or has been configured to host an application directory partition. As a result, its replication identity has changed. A partner has requested replication changes using our old identity. The starting sequence number has been adjusted. The destination directory service corresponding to the following object GUID has requested changes starting at a USN that precedes the USN at which the local directory service was restored from backup media. Object GUID: <GUID> (<FQDN of partner domain controller>) USN at the time of restore: <number> As a result, the up-to-dateness vector of the destination directory service has been configured with the following settings. Previous database GUID: <GUID> Previous object USN: <number> Previous property USN: <number> New database GUID: <GUID> New object USN: <number> New property USN: <number>
System Event Log
The System event log notes the machine time change that occurs when an offline virtual machine is brought back online and synchronizes with host time. The RID pool is invalidated and the DFSR or FRS service is restarted.
Event ID Source Message
1 Kernel-General The system time has changed to <now> from <snapshot time/date>.
Change Reason: An application or system component changed the time.
16654 Directory-Services-SAM
A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases: 1. A domain controller is restored from backup. 2. A domain controller running on a virtual machine is restored from snapshot. 3. An administrator has manually invalidated the pool. See http://go.microsoft.com/fwlink/?LinkId=226247 for more information.
7036 Service Control Manager
The DFS Replication service entered the stopped state.
7036 Service Control Manager
The DFS Replication service entered the running state.
Application Event Log
The Application event log notes the DFSR database stopping and starting.
Event ID Source Message
103 ESENT DFSRs (1360) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine stopped the instance (0). Dirty Shutdown: 0Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.141, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.016, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.
102 ESENT DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine (6.02.8189.0000) is starting a new instance (0).
105 ESENT DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine started a new instance (0). (Time=0 seconds)Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000.
DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine created a new database (1, \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db). (Time=0 seconds)Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.016, [4] 0.062, [5] 0.000, [6] 0.016, [7] 0.000, [8] 0.000, [9] 0.015, [10] 0.000, [11] 0.000.
DFS Replication Event Log
The DFSR service is stopped and the database that contains SYSVOL is deleted, forcing a non-authoritative synchronization inbound.
Event ID Source Message
1006 DFSR The DFS Replication service is stopping.
1008 DFSR The DFS Replication service has stopped.
1002 DFSR The DFS Replication service is starting.
1004 DFSR The DFS Replication service has started.
1314 DFSR The DFS Replication service successfully configured the debug log files. Additional Information: Debug Log File Path: C:\Windows\debug
6102 DFSR The DFS Replication service has successfully registered the WMI provider.
1206 DFSR The DFS Replication service successfully contacted domain controller <domain controller FQDN> to access configuration information.
1210 DFSR The DFS Replication service successfully set up an RPC listener for incoming replication requests. Additional Information: Port: 0
4614 DFSR The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers. Additional Information: Replicated Folder Name: SYSVOL Share Replicated Folder ID: <GUID> Replication Group Name: Domain System Volume Replication Group ID: <GUID> Member ID: <GUID> Read-Only: 0
4604 DFSR The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member has completed initial synchronization of SYSVOL with partner dc1.corp.contoso.com. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share". Additional Information: Replicated Folder Name: SYSVOL Share Replicated Folder ID: <GUID> Replication Group Name: Domain System Volume Replication Group ID: <GUID> Member ID: <GUID> Sync partner: <partner domain controller FQDN>
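As an added example that is not part of the guide, the following PowerShell script audits a restored DC for the event sequence documented in the three logs above. It is assumed to run in an elevated session on the restored DC, with SYSVOL replicated by DFSR; the $Since window is a parameter you choose. For each log it reports which of the documented informational events are present, warns when the ones present are out of the documented order, and lists any of the failure events from the event table (2190, 2202, 2206, 2207, 2209). Event 2181 (which appears more than once in the sequence above) and 1587 (which depends on a partner requesting changes) are left out of the ordering check.

```powershell
# Added example, not part of the guide: audit a restored virtualized DC for the
# safe-restore event sequence documented above. Assumptions: run in an elevated
# PowerShell session on the restored DC; SYSVOL is replicated by DFSR; $Since
# bounds the search to the window in which the snapshot was applied.
param(
    [datetime]$Since = (Get-Date).AddDays(-1)
)

# Expected events per log, in the order the guide lists them. 2181 (logged more
# than once) and 1587 (depends on a partner requesting changes) are left out of
# the ordering check.
$expected = [ordered]@{
    'Directory Service' = @(2170, 2204, 1109, 2179, 2200, 2201, 2185, 2208, 2187)
    'System'            = @(16654)
    'DFS Replication'   = @(4614, 4604)
}
# Error events from the guide's event table: each marks a step that did not complete.
$failures = @{
    'Directory Service' = @(2190, 2202, 2206, 2207, 2209)
}

foreach ($log in $expected.Keys) {
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since } -ErrorAction SilentlyContinue |
                Sort-Object TimeCreated)
    "== $log ($($events.Count) events since $Since) =="

    # Presence: report each expected ID with the time it was first logged.
    foreach ($id in $expected[$log]) {
        $hit = $events | Where-Object { $_.Id -eq $id } | Select-Object -First 1
        if ($hit) { "  [ok]      $id  $($hit.TimeCreated)" } else { "  [MISSING] $id" }
    }

    # Order: the expected IDs that are present must appear in the documented order.
    $seen   = @($events | Select-Object -ExpandProperty Id |
                Where-Object { $expected[$log] -contains $_ } | Select-Object -Unique)
    $wanted = @($expected[$log] | Where-Object { $seen -contains $_ })
    if (($seen -join ',') -ne ($wanted -join ',')) {
        "  [WARN] events are out of the documented order: $($seen -join ' -> ')"
    }

    # Failures: surface the first line of each error event's message.
    if ($failures.ContainsKey($log)) {
        $events | Where-Object { $failures[$log] -contains $_.Id } | ForEach-Object {
            "  [FAIL] $($_.Id)  $($_.TimeCreated)  $(($_.Message -split "`r?`n")[0])"
        }
    }
}
```

A missing 2201 with a logged 2202 points at inbound AD replication, and a missing 2187 or 4604 with a logged 2209 points at the DFSR database deletion, which is where the event table above directs you next (repadmin.exe and the DFSR event log respectively).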
Restoring a Domain Controller that Replicates SYSVOL Using FRS
The File Replication Event log is used instead of the DFSR event log in this case. The Application event log also writes different FRS-related events. Otherwise, the Directory Services and System Event log messages are generally the same and in the same order as previously described.
File Replication Service Event Log
The FRS service is stopped and restarted with a D2 BURFLAGS value to non-authoritatively synchronize SYSVOL.
Event ID Source Message
13502 NTFRS The File Replication Service is stopping.
13503 NTFRS The File Replication Service has stopped.
13501 NTFRS The File Replication Service is starting
13512 NTFRS The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer DC4. The File Replication Service might not recover when power to the drive is interrupted and critical updates are lost.
13565 NTFRS File Replication Service is initializing the system volume with data from another domain controller. Computer DC4 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL. To check for the SYSVOL share, at the command prompt, type: net share. When File Replication Service completes the initialization process, the SYSVOL share will appear. The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
13520 NTFRS The File Replication Service moved the preexisting files in <path> to <path>\NtFrs_PreExisting___See_EventLog. The File Replication Service may delete the files in <path>\NtFrs_PreExisting___See_EventLog at any time. Files can be saved from deletion by copying them out of <path>\NtFrs_PreExisting___See_EventLog. Copying the files into <path> may lead to name conflicts if the files already exist on some other replicating partner. In some cases, the File Replication Service may copy a file from <path>\NtFrs_PreExisting___See_EventLog into <path> instead of replicating the file from some other replicating partner. Space can be recovered at any time by deleting the files in <path>\NtFrs_PreExisting___See_EventLog.
13553 NTFRS The File Replication Service successfully added this computer to the following replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" Information related to this event is shown below: Computer DNS name is "<domain controller FQDN>" Replica set member name is "<domain controller name>" Replica set root path is "<path>" Replica staging directory path is "<path>" Replica working directory path is "<path>"
13554 NTFRS The File Replication Service successfully added the connections shown below to the replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" Inbound from "<partner domain controller FQDN>" Outbound to "<partner domain controller FQDN>" More information may appear in subsequent event log messages.
13516 NTFRS The File Replication Service is no longer preventing the computer DC4 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL. Type "net share" to check for the SYSVOL share.
Application Event Log
The FRS database stops and starts, and is purged due to the D2 BURFLAGS operation.
Event ID Source Message
327 ESENT ntfrs (1424) The database engine detached a database (1, c:\windows\ntfrs\jet\ntfrs.jdb). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.516, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.063, [12] 0.000.Revived Cache: 0
103 ESENT ntfrs (1424) The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.016, [12] 0.000, [13] 0.000, [14] 0.047, [15] 0.000.
102 ESENT ntfrs (3000) The database engine (6.02.8189.0000) is starting a new instance (0).
105 ESENT ntfrs (3000) The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.062, [10] 0.000, [11] 0.141.
103 ESENT ntfrs (3000) The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.015, [14] 0.000, [15] 0.000.
102 ESENT ntfrs (3000) The database engine (6.02.8189.0000) is starting a new instance (0).
105 ESENT ntfrs (3000) The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.078, [10] 0.000, [11] 0.109.
325 ESENT ntfrs (3000) The database engine created a new database (1, c:\windows\ntfrs\jet\ntfrs.jdb). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.016, [4] 0.016, [5] 0.000, [6] 0.015, [7] 0.000, [8] 0.000, [9] 0.078, [10] 0.016, [11] 0.000.
103 ESENT ntfrs (3000) The database engine stopped the instance (0). Dirty Shutdown: 0 Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.078, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.125, [10] 0.016, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.
102 ESENT ntfrs (3000) The database engine (6.02.8189.0000) is starting a new instance (0).
105 ESENT ntfrs (3000) The database engine started a new instance (0). (Time=0 seconds) Internal Timing Sequence: [1] 0.016, [2] 0.000, [3] 0.000, [4] 0.094, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.032, [10] 0.000, [11] 0.000.
326 ESENT ntfrs (3000) The database engine attached a database (1, c:\windows\ntfrs\jet\ntfrs.jdb). (Time=0 seconds) Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.000, [4] 0.000, [5] 0.016, [6] 0.015, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.Saved Cache: 1
Appendices
Terminology
Snapshot – The state of a virtual machine at a particular point in time. It is dependent on the chain of previous snapshots taken, on the hardware, and on the virtualization platform.
Clone – A complete and separate copy of a virtual machine. It is dependent on the virtual hardware (hypervisor).
Full Clone – A full clone is an independent copy of a virtual machine that shares no resources with the parent virtual machine after the cloning operation. Ongoing operation of a full clone is entirely separate from the parent virtual machine.
Differencing disk - A copy of a virtual machine that shares virtual disks with the parent virtual machine in an ongoing manner. This usually conserves disk space and allows multiple virtual machines to use the same software installation.
VM Copy – A file system copy of all the related files and folders of a virtual machine.
VHD File Copy – A copy of a virtual machine’s VHD.
VM Generation ID – A 128-bit integer given to the virtual machine by the hypervisor. This ID is stored in memory and reset every time a snapshot is applied. The design uses a hypervisor-agnostic mechanism for surfacing the VM-Generation ID in the virtual machine. The Hyper-V implementation exposes the ID in the ACPI table of the virtual machine.
Import/Export – A Hyper-V feature that allows the user to save the entire virtual machine (VM files, VHD and the machine configuration). It then allows users to use that set of files to bring the machine back on the same machine as the same VM (Restore), on a different machine as the same VM (Move), or as a new VM (Copy).
VDC Cloning Architecture
Figure 58
Overview
AD DS relies on the hypervisor platform to expose an identifier called VM-Generation ID to detect a virtual machine's creation. AD DS initially stores the value of this identifier in its database (NTDS.DIT) during domain controller promotion. When the virtual machine boots up, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values are different, the domain controller resets the Invocation ID and discards the RID pool, thereby preventing USN re-use or the potential creation of duplicate security principals. The domain controller then reads the contents of dccloneconfig.xml, defaultdccloneallowlist.xml, and any customdccloneallowlist.xml and begins cloning. The domain controller renames itself and alters its IP information. The server re-promotes itself as a new domain controller using the existing NTDS.DIT and SYSVOL contents as source media. Cloning is complete.
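As an added example that is not part of the guide, the following PowerShell pre-flight check inspects, on the source DC before it is shut down and copied, the inputs that the boot-time logic described above consults: the msDS-GenerationId attribute on the computer object, the VDCisCloning registry value, the accepted DCCloneConfig.xml locations, and the "Allow a DC to create a clone of itself" extended right on the domain head. It assumes an elevated session on the source DC with the ActiveDirectory module installed; the lookup of the extended right by its display name, and the way the ACL is matched, are this example's own approach and not the guide's.

```powershell
# Added example, not part of the guide: pre-flight check on the source DC of the
# inputs the cloning boot logic consults (msDS-GenerationId, VDCisCloning,
# DCCloneConfig.xml locations, and the clone extended right on the domain head).
# Assumptions: elevated session on the source DC; ActiveDirectory module installed.
Import-Module ActiveDirectory

$ntdsParams = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$rootDse    = Get-ADRootDSE
$dc         = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-GenerationId'

# 1. msDS-GenerationId is stored on the computer object at promotion; without it
#    the guest has nothing to compare the hypervisor's VM-Generation ID against.
$genId = $dc.'msDS-GenerationId'
if ($genId) {
    'msDS-GenerationId: ' + (($genId | ForEach-Object { $_.ToString('x2') }) -join '')
} else {
    '[WARN] msDS-GenerationId is not set on this DC''s computer object'
}

# 2. VDCisCloning = 0x1 means a previous clone attempt failed; on the next boot
#    the safety measures (new invocation ID, RID pool invalidation) are skipped.
if ($ntdsParams.PSObject.Properties['VDCisCloning']) {
    "[WARN] VDCisCloning = $($ntdsParams.VDCisCloning): a retry of a failed clone is pending"
} else {
    'VDCisCloning: not set (next clone is a first attempt)'
}

# 3. DCCloneConfig.xml is read from the DSA Working Directory, %windir%\NTDS, or
#    the root of removable read/write drives in drive-letter order.
$locations = @($ntdsParams.'DSA Working Directory', (Join-Path $env:windir 'NTDS'))
$locations += Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
              Sort-Object DeviceID | ForEach-Object { "$($_.DeviceID)\" }
$found = @(foreach ($dir in $locations) {
    $path = Join-Path $dir 'DCCloneConfig.xml'
    if (Test-Path $path) { $path }
})
if ($found.Count -gt 0) {
    "DCCloneConfig.xml found at: $($found -join ', ')"
    # An unreadable or invalid file makes the clone boot into DSRM.
    try   { [xml](Get-Content -Raw -Path $found[0]) | Out-Null; '  well-formed XML' }
    catch { '  [FAIL] not well-formed XML; the clone would boot into DSRM' }
} else {
    'DCCloneConfig.xml not present in any accepted location (next boot will not clone)'
}

# 4. The "Allow a DC to create a clone of itself" right on the domain head. The
#    control access right's GUID is looked up by display name; only the DC's own
#    SID and its direct group memberships are considered.
$right = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Allow a DC to create a clone of itself))' `
    -Properties rightsGuid
if (-not $right) {
    '[WARN] the clone extended right is not defined in this forest''s schema'
} else {
    $sids = @($dc.SID.Value) + @(Get-ADPrincipalGroupMembership $dc | ForEach-Object { $_.SID.Value })
    $acl  = Get-Acl -Path ('AD:\' + $rootDse.defaultNamingContext)
    $granted = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq [guid]$right.rightsGuid -and
        $sids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    })
    if ($granted.Count -gt 0) { 'Clone right: granted to this DC (directly or via a direct group)' }
    else { '[FAIL] clone right not granted; the clone would boot into DSRM' }
}
```

The ACL test only matches access control entries that name this specific extended right and are granted to the DC itself or to a group it is a direct member of; an entry granting all extended rights, or a grant through nested group membership, is not recognized and would have to be checked by hand. Each "[FAIL]" line corresponds to a condition under which, per the processing steps that follow, the clone refuses to start and boots into DSRM rather than risk a duplicate domain controller.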
Detailed Processing (using Microsoft Hyper-V)
1. An existing virtual machine domain controller boots up in a hypervisor that supports VM-Generation ID. This VM already has an existing VM-Generation ID set on its AD DS computer object from when it was promoted (e.g. cn=dc2,ou=domain controllers,dc=corp,dc=contoso,dc=com) as part of the msDS-GenerationID attribute (a binary-valued octet string added by the Windows Server "8" Beta Schema version 52). This attribute's value is stored in memory.
2. The virtual machine then reads the VM-Generation ID provided by Hyper-V's VMGenerationCounter driver. It compares the two VM-Generation IDs.
a. If the IDs match, this is not a new virtual machine and cloning will not proceed. If a dccloneconfig.xml file exists, the domain controller renames the file with a time-date stamp in order to prevent cloning. The server continues booting normally. This is how every reboot of any virtual domain controller operates in Windows Server "8" Beta.
b. If the two IDs do not match, this is a new virtual machine that contains an NTDS.DIT from a previous domain controller (or it is a restored snapshot). If a dccloneconfig.xml file exists, the domain controller proceeds with cloning operations. If not, it continues with snapshot restoration operations (see that section of this guide).
c. If the hypervisor does not provide a VM-Generation ID for comparison but there is a dccloneconfig.xml file, the guest renames the file and then boots into DSRM to protect the network from a duplicate domain controller. If there is no dccloneconfig.xml file, the guest boots normally (with the potential for a duplicate domain controller on the network).
3. The NTDS service checks the value of the VDCisCloning DWORD registry value name (under HKEY_Local_Machine\System\CurrentControlSet\Services\Ntds\Parameters).
a. If it does not exist, this is the first cloning attempt for this virtual machine. The guest implements the VDC object duplication safety measures of invalidating the local RID pool and setting a new replication invocation ID for the domain controller.
b. If already set to 0x1, this is a "retry" cloning attempt, where a previous cloning operation failed. The VDC object duplication safety measures are not taken as they had to have already run once before and would unnecessarily alter the guest multiple times.
4. The IsClone DWORD registry value name (under Hkey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters)
5. The NTDS service changes the guest boot flag to start in DS Restore Mode for any further reboots.
6. The NTDS service attempts to read the DcCloneConfig.xml in one of the three accepted locations (the DSA Working Directory, %windir%\NTDS, or removable read/write media, in order of drive letter, at the root of the drive).
a. If the file does not exist in any valid location, the guest checks the IP address for duplication. If not duplicated, the server boots up normally. If there is a duplicate IP address, the computer boots into DSRM to protect the network from a duplicate domain controller.
b. If the file does exist in a valid location, the NTDS service validates its settings. If the file is blank (or any particular settings are blank) then NTDS uses automatic values for those settings.
More Information:
See the previous section XML Details and Behaviors for specific automatic generation rules.
c. If the DcCloneConfig.xml exists but contains any invalid entries or is unreadable, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller.
7. The guest disables all DNS auto-registration to prevent accidental hijacking of the source computer name and IP addresses.
8. The guest stops the Netlogon service to prevent any advertising or answering of network AD DS requests from clients.
9. NTDS validates that there are no services or programs installed that are not listed in DefaultDCCloneAllowList.xml or CustomDCCloneAllowList.xml.
a. If there are services or programs installed that are in neither the default allow list nor the custom allow list, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller.
b. If there are no incompatibilities, cloning continues.
139
Understand and Troubleshoot Guides
More Information:
See the previous section XML Details and Behaviors for specific automatic generation rules
10. If using automatic IP addressing due to blank dccloneconfig.xml network settings, the guest enables DHCP on the network adapters to gain an IP address lease, network routing, and name resolution information.
11. The guest locates and contacts the domain controller running the PDC emulator FSMO role. This uses DNS and the DCLocator protocol. It makes an RPC connection and calls the method IDL_DRSAddCloneDC to clone the domain controller computer object.
a. If the guest's source computer object holds the domain head extended permission "Allow a DC to create a clone of itself", cloning proceeds.
b. If the guest's source computer object does not hold that extended permission, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller.
12. The AD DS computer object is set to match the dccloneconfig.xml or automatic generation and created on the PDCE. NTDS creates the correct NTDS Settings object for the appropriate AD logical site. The guest renames the local computer name to match the new domain controller object name.
13. The guest provides the promotion settings to the DS Role Server service, which commences promotion.
14. The DS Role Server service stops all of the AD DS-related services (NTDS, NTFRS/DFSR, KDC, DNS).
15. The guest forces NT5DS (Windows NTP) time synchronization with another domain controller (in a default time hierarchy, this means using the PDCE). The guest contacts a domain controller that holds the source domain controller account of the clone (likely to be the PDCE). All existing Kerberos tickets flush.
16. The guest configures the DFSR or NTFRS services to run automatically. The guest deletes all existing DFSR and NTFRS database files (default: c:\windows\ntfrs and c:\system volume information\dfsr\<database_GUID>), in order to force non-authoritative synchronization of SYSVOL when the service is next started. The guest does not delete the file contents of SYSVOL, to pre-seed the SYSVOL when the synchronization starts later.
17. The DS Role Server service on the guest begins AD DS configuration (promotion), using the existing NTDS.DIT database file as a source, rather than the template database included in c:\windows\system32 as a promotion normally does.
18. The guest contacts the RID Master FSMO role holder to get a new RID pool allocation.
140 © 2012 Microsoft Corporation. All rights reserved.
Understand and Troubleshoot Virtualized Domain Controller in Windows Server "8" Beta
19. The promotion process creates a new invocation ID and recreates the NTDS Settings object for the cloned domain controller (irrespective of cloning, this is part of domain promotion when using an existing NTDS.DIT database).
20. NTDS replicates in objects that are missing, newer, or of a higher version from a partner domain controller. The NTDS.DIT already contains objects from the time the source domain controller went offline, and those are used where possible in order to minimize inbound replication traffic. The global catalog partitions are populated.
21. The DFSR or FRS service starts and because there is no database, SYSVOL non-authoritatively synchronizes inbound from a replication partner. This process re-uses pre-existing data in the SYSVOL folder, in order to minimize network replication traffic.
22. The guest re-enables DNS client registration now that the computer is uniquely named and networked.
23. The guest runs the SYSPREP modules specified by the DefaultDCCloneAllowList.xml <SysprepInformation> element in order to scrub out references to the previous computer name and SID.
24. Cloning promotion is complete.
a. The guest removes the DSRM boot flag so the next reboot will be normal.
b. The guest renames the dccloneconfig.xml with an appended date-time stamp, so that it is not read again at next boot up.
c. The guest removes the VDCisCloning DWORD registry value name (under HKEY_Local_Machine\System\CurrentControlSet\Services\Ntds\Parameters).
d. The guest sets the "Vdc cloning done" DWORD registry value name (under Hkey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters) to 0x1. Windows does not use this value, but instead provides it as a marker for third parties.
25. The guest updates the msDS-GenerationID attribute on its own cloned domain controller object to match the current guest VM-Generation ID.
26. The guest restarts. It is now a normal, advertising domain controller.
VDC Safe Restore Architecture
Figure 59
Overview
AD DS relies on the hypervisor platform to expose an identifier called VM-Generation ID to detect a virtual machine's restoration from a previous snapshot. AD DS initially stores the value of this identifier in its database (NTDS.DIT) during domain controller promotion. When an administrator restores the virtual machine from a previous snapshot, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values are different, the domain controller resets the Invocation ID and discards the RID pool, thereby preventing USN re-use or the potential creation of duplicate security-principals. The domain controller then synchronizes AD object differences with a partner. It also non-authoritatively synchronizes the SYSVOL folder. Safe restoration is complete.
Detailed Processing (using Microsoft Hyper-V)
1. An administrator restores an existing virtual machine domain controller from a snapshot in a hypervisor that supports VM-Generation ID. This VM already has an existing VM-Generation ID set on its AD DS computer object from when it was promoted (ex: cn=dc2,ou=domain controllers,dc=corp,dc=contoso,dc=com) as part of the msDS-GenerationID attribute (a binary valued octet string added by the Windows Server "8" Beta Schema version 52). This attribute's value is stored in memory.
2. The virtual machine then reads the VM-Generation ID provided by Hyper-V's VMGenerationCounter driver. It compares the VM-Generation IDs from steps 1 and 2.
a. If the two IDs do not match, it continues with the snapshot restoration operations (see that section of this guide). After the snapshot finishes applying, the Generation-ID set on its AD DS computer object is updated to match the new ID provided by the hypervisor host.
b. If the hypervisor does not provide a VM-Generation ID for comparison, the hypervisor does not support safe restore and the guest operates like a Windows Server 2008 R2 or older virtualized domain controller. The guest implements USN Rollback protection quarantining if there is an attempt to start replicating with USNs that haven't advanced past the partner DC's last highest seen USN.
More Information:
For more information about this topic, see USN and USN Rollback
3. The guest implements the VDC AD object synchronization operations of:
a. Invalidating the local RID pool
b. Setting a new invocation ID for the domain controller database.
4. NTDS replicates AD object differences inbound non-authoritatively from a partner domain controller. The domain controller requests changes starting at a USN that precedes the USN at which the local directory service was restored. The up-to-dateness vector of the destination directory service is changed appropriately.
5. The guest synchronizes SYSVOL:
a. If using FRS, the guest stops the NTFRS service and sets D2 BURFLAGS registry value. It then starts the NTFRS service, which non-authoritatively replicates inbound, re-using existing unchanged SYSVOL data when possible.
b. If using DFSR, the guest stops the DFSR service and deletes the DFSR database files (default location: c:\system volume information\dfsr\<database GUID>). It then starts the DFSR service, which non-authoritatively replicates inbound, re-using existing unchanged SYSVOL data when possible.
6. The guest updates the msDS-GenerationID attribute on its own domain controller object to match the current guest VM-Generation ID.
7. Safe snapshot restore completes.
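The following script is an added example, not code from this guide, and it serves both the cloning process and the safe restore process described above: run elevated on the cloned or restored guest, it reads the markers each process leaves behind (the registry values and DSRM boot flag from cloning, the renamed dccloneconfig.xml, and the msDS-GenerationID and invocation ID that safe restore depends on). The function name, the use of the "DSA Working Directory" registry value to locate dccloneconfig.xml, and parsing bcdedit output as text are assumptions of this example.

```powershell
# Added example (not part of the guide): report the cloning and safe-restore state
# markers on the local virtualized domain controller. Run elevated on the guest.
Import-Module ActiveDirectory

function Get-VdcGuestState {
    $ntdsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
    $params  = Get-ItemProperty -Path $ntdsKey

    # Cloning markers: "Vdc cloning done" is set to 0x1 at completion and VDCisCloning is
    # removed, so a VDCisCloning value still present means an unfinished or failed clone.
    $cloneDone    = ($params.'Vdc cloning done' -eq 1)
    $cloningValue = Get-ItemProperty -Path $ntdsKey -Name VDCisCloning -ErrorAction SilentlyContinue
    $cloneStuck   = ($null -ne $cloningValue)

    # Cloning sets the DSRM boot flag so retries land in DSRM, and clears it at completion.
    # bcdedit needs elevation; without it the flag is reported as not set.
    $bcd      = & bcdedit /enum '{current}' 2>$null
    $dsrmFlag = [bool]($bcd | Select-String -Pattern '^\s*safeboot\s+DsRepair' -Quiet)

    # A consumed dccloneconfig.xml is renamed with a date-time stamp appended, so any
    # dccloneconfig*.xml left in the DSA working directory shows what was read.
    # Assumption: the "DSA Working Directory" value holds the NTDS folder path.
    $dsaDir = $params.'DSA Working Directory'
    if ([string]::IsNullOrEmpty($dsaDir)) { $dsaDir = Join-Path $env:windir "NTDS" }
    $cloneConfigs = @(Get-ChildItem -Path $dsaDir -Filter "dccloneconfig*.xml" -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty Name)

    # Safe-restore markers: msDS-GenerationID (binary octet string) is only present when the
    # hypervisor exposes VM-Generation ID; without it the DC behaves like a Windows Server
    # 2008 R2 virtual DC. Both cloning and safe restore reset the invocation ID, so record
    # it here for comparison against a baseline taken before the operation.
    $me    = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-GenerationID'
    $genId = $me.'msDS-GenerationID'
    $dc    = Get-ADDomainController -Identity $env:COMPUTERNAME

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        CloningDone          = $cloneDone
        CloningUnfinished    = $cloneStuck
        DsrmBootFlagSet      = $dsrmFlag
        DcCloneConfigFiles   = $cloneConfigs
        SafeRestoreSupported = ($null -ne $genId)
        GenerationIdHex      = $(if ($null -ne $genId) { [BitConverter]::ToString([byte[]]$genId) } else { $null })
        InvocationId         = $dc.InvocationId
    }
}

Get-VdcGuestState | Format-List
```

A healthy finished clone shows CloningDone true, CloningUnfinished false and DsrmBootFlagSet false; SafeRestoreSupported false on a DC that should be protected points at the hypervisor, not at AD DS.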
FixVDCPermissions.ps1
# Unsigned script, requires use of set-executionpolicy remotesigned -force
# You must run the Windows PowerShell console as an elevated administrator

# Load Active Directory Windows PowerShell Module and switch to AD DS drive
import-module activedirectory
cd ad:

## Get Domain NC
$domainNC = get-addomain

## Get groups and obtain their SIDs
$dcgroup = get-adgroup "Cloneable Domain Controllers"
$sid1 = (get-adgroup $dcgroup).sid

## Get the DACL of the domain
$acl = get-acl $domainNC

## The following object specific ACE grants extended right 'Allow a DC to create a clone of itself' for the CDC group to the Domain NC
## 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e is the schemaIDGuid for 'DS-Clone-Domain-Controller'
$objectguid = new-object Guid 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid1,"ExtendedRight","Allow",$objectguid

## Add the ACE in the ACL and set the ACL on the object
$acl.AddAccessRule($ace1)
set-acl -aclobject $acl $domainNC
write-host "Done writing new VDC permissions."
cd c:
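The companion check below is an added example, not part of the guide or of FixVDCPermissions.ps1: it reads the domain DACL and reports whether the ACE the script writes is present and whether the source domain controller is a member of the group that holds it, which is what step 11a of the cloning process tests. The function name, the $SourceDc parameter and the group-name default are assumptions of this example.

```powershell
# Added example (not the guide's code): verify, without changing anything, that the
# DS-Clone-Domain-Controller extended right is granted on the domain naming context
# to the cloneable DC group and that the source DC belongs to that group.
Import-Module ActiveDirectory

function Test-VdcClonePermission {
    param(
        [Parameter(Mandatory = $true)][string]$SourceDc,            # NetBIOS name of the DC to be cloned (assumed)
        [string]$GroupName = "Cloneable Domain Controllers"          # group used by FixVDCPermissions.ps1
    )
    # schemaIDGUID of DS-Clone-Domain-Controller, taken from the guide's script.
    $cloneRightGuid = [Guid]"3e0f7e18-2c7a-4c10-ba82-4d926db99a3e"
    $extendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $domain = Get-ADDomain
    $group  = Get-ADGroup -Identity $GroupName
    $acl    = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)

    # Count only the specific ACE the script creates: Allow + ExtendedRight, scoped to the
    # clone right's GUID, for the group's SID. Broader grants (e.g. GenericAll) are not
    # counted here, so a false result means "the expected ACE is missing", nothing more.
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        (($_.ActiveDirectoryRights -band $extendedRight) -eq $extendedRight) -and
        $_.ObjectType -eq $cloneRightGuid -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $group.SID.Value
    })

    # The right is granted to the group, so the source DC must be a member of it.
    $members  = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
    $isMember = $members -contains ($SourceDc.TrimEnd('$') + '$')

    [pscustomobject]@{
        Domain           = $domain.DNSRoot
        Group            = $group.Name
        CloneAceOnDomain = ($aces.Count -gt 0)
        SourceDcIsMember = $isMember
        ReadyForCloning  = (($aces.Count -gt 0) -and $isMember)
    }
}

# Usage with an assumed DC name:
Test-VdcClonePermission -SourceDc DC2
```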
The DCCloneConfigSchema.XSD
<?xml version="1.0" encoding="utf-8"?>
<xs:schema elementFormDefault="unqualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="uri:microsoft.com:schemas:DCCloneConfig">
  <xs:element name="DCCloneConfig">
    <xs:complexType>
      <xs:all>
        <!-- if no SiteName is specified clone will be created in the same site as source-->
        <xs:element name="SiteName" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <!-- if no ComputerName is specified a pseudo-random name will be generated -->
        <xs:element name="ComputerName" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="IPSettings" minOccurs="0" maxOccurs="1">
          <xs:complexType>
            <xs:all>
              <xs:element name="IPv4Settings" minOccurs="0" maxOccurs="1">
                <xs:complexType>
                  <xs:choice minOccurs="1" maxOccurs="1">
                    <xs:element name="StaticSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="Address" minOccurs="1" maxOccurs="1" type="xs:string" />
                          <xs:element name="SubnetMask" minOccurs="1" maxOccurs="1" type="xs:string" />
                          <xs:element name="DefaultGateway" minOccurs="0" maxOccurs="1" type="xs:string" />
                          <xs:element name="DNSResolver" minOccurs="1" maxOccurs="4" type="xs:string" />
                          <xs:element name="PreferredWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                          <xs:element name="AlternateWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element>
                    <!--End of IPV4 StaticSettings element-->
                    <xs:element name="DynamicSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="DNSResolver" minOccurs="0" maxOccurs="4" type="xs:string" />
                          <xs:element name="PreferredWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                          <xs:element name="AlternateWINSServer" minOccurs="0" maxOccurs="1" type="xs:string" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element>
                    <!--End of IPV4 DynamicSettings element-->
                  </xs:choice>
                  <!--End of Static / Dynamic IPV4 choice-->
                </xs:complexType>
              </xs:element>
              <!--End of IPV4NetworkConfig element-->
              <xs:element name="IPv6Settings" minOccurs="0" maxOccurs="1">
                <xs:complexType>
                  <xs:choice minOccurs="1" maxOccurs="1">
                    <xs:element name="StaticSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="DNSResolver" minOccurs="1" maxOccurs="4" type="xs:string" />
                        </xs:sequence>
                        <xs:attribute name="Reserved" type="xs:string" />
                      </xs:complexType>
                    </xs:element>
                    <!--End of IPV6 StaticSettings element-->
                    <xs:element name="DynamicSettings">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="DNSResolver" minOccurs="0" maxOccurs="4" type="xs:string" />
                        </xs:sequence>
                        <xs:attribute name="Reserved" type="xs:string" />
                      </xs:complexType>
                    </xs:element>
                    <!--End of IPV6 DynamicSettings element-->
                  </xs:choice>
                </xs:complexType>
              </xs:element>
              <!--End of IPV6Settings element-->
            </xs:all>
          </xs:complexType>
        </xs:element>
        <!--End of IPSettings element-->
      </xs:all>
    </xs:complexType>
  </xs:element>
</xs:schema>
The SampleDCCloneConfig.XML
<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
  <ComputerName></ComputerName>
  <SiteName></SiteName>
  <IPSettings>
    <IPv4Settings>
      <StaticSettings>
        <Address></Address>
        <SubnetMask></SubnetMask>
        <DefaultGateway></DefaultGateway>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <PreferredWINSServer></PreferredWINSServer>
        <AlternateWINSServer></AlternateWINSServer>
      </StaticSettings>
    </IPv4Settings>
    <IPv6Settings>
      <StaticSettings>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
        <DNSResolver></DNSResolver>
      </StaticSettings>
    </IPv6Settings>
  </IPSettings>
</d3c:DCCloneConfig>
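Because an invalid or unreadable DcCloneConfig.xml sends the clone into DSRM (step 6c of the cloning process), it is worth validating the file before the clone is first started. The function below is an added example, not code from the guide: it validates a DcCloneConfig.xml against the DCCloneConfigSchema.XSD shown above and then checks the one thing the schema cannot, that every non-blank address value parses as an address of the right family (blank values are legal, since NTDS generates those settings automatically). The function name and both path parameters are assumptions; the guide gives no fixed location for the XSD.

```powershell
# Added example (not the guide's code): validate a DcCloneConfig.xml against
# DCCloneConfigSchema.xsd and sanity-check its static and dynamic address values.
function Test-DcCloneConfig {
    param(
        [Parameter(Mandatory = $true)][string]$XmlPath,   # the DcCloneConfig.xml to check
        [Parameter(Mandatory = $true)][string]$XsdPath    # DCCloneConfigSchema.xsd (location assumed)
    )
    $problems = New-Object System.Collections.ArrayList

    # 1. Schema validation: structure and cardinality (at most four DNSResolver entries,
    #    StaticSettings or DynamicSettings but never both, root in the d3c namespace).
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.ValidationType = [System.Xml.ValidationType]::Schema
    [void]$settings.Schemas.Add("uri:microsoft.com:schemas:DCCloneConfig", $XsdPath)
    $settings.add_ValidationEventHandler({
        param($sender, $e)
        [void]$problems.Add("Schema $($e.Severity): $($e.Message)")
    }.GetNewClosure())
    try {
        $reader = [System.Xml.XmlReader]::Create($XmlPath, $settings)
        try { while ($reader.Read()) { } } finally { $reader.Close() }
    } catch {
        # Malformed XML or an unreadable file: the guest treats this as a failed clone too.
        [void]$problems.Add("Unreadable: $($_.Exception.Message)")
        return [pscustomobject]@{ Path = $XmlPath; IsValid = $false; Problems = $problems.ToArray() }
    }

    # 2. Every element is xs:string, so the schema accepts any text. Check that each
    #    non-blank value is an address of the family its section implies.
    [xml]$doc = Get-Content -Path $XmlPath
    $v4 = [System.Net.Sockets.AddressFamily]::InterNetwork
    $v6 = [System.Net.Sockets.AddressFamily]::InterNetworkV6
    $checks = @(
        @{ XPath = "//IPSettings/IPv4Settings/StaticSettings";  Family = $v4;
           Names = "Address","SubnetMask","DefaultGateway","DNSResolver","PreferredWINSServer","AlternateWINSServer" },
        @{ XPath = "//IPSettings/IPv4Settings/DynamicSettings"; Family = $v4;
           Names = "DNSResolver","PreferredWINSServer","AlternateWINSServer" },
        @{ XPath = "//IPSettings/IPv6Settings/StaticSettings";  Family = $v6; Names = @("DNSResolver") },
        @{ XPath = "//IPSettings/IPv6Settings/DynamicSettings"; Family = $v6; Names = @("DNSResolver") }
    )
    foreach ($check in $checks) {
        $section = $doc.SelectSingleNode($check.XPath)
        if ($null -eq $section) { continue }
        foreach ($name in $check.Names) {
            foreach ($node in $section.SelectNodes($name)) {
                $value = $node.InnerText.Trim()
                if ($value -eq "") { continue }          # blank: NTDS picks the value automatically
                $addr = $null
                if (-not [System.Net.IPAddress]::TryParse($value, [ref]$addr) -or $addr.AddressFamily -ne $check.Family) {
                    [void]$problems.Add("$($check.XPath)/$name is '$value', not a valid $($check.Family) address")
                }
            }
        }
    }

    [pscustomobject]@{ Path = $XmlPath; IsValid = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Usage with assumed paths; the all-blank SampleDCCloneConfig.xml above passes both checks.
Test-DcCloneConfig -XmlPath "C:\Windows\NTDS\DcCloneConfig.xml" -XsdPath "C:\Temp\DCCloneConfigSchema.xsd" | Format-List
```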
The DefaultDCCloneAllowList.XML
<DefaultCloneConfig>
  <AllowList>
    <!-- Service types -->
    <Allow><Name>ADWS</Name><Type>Service</Type></Allow>
    <Allow><Name>AeLookupSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>ALG</Name><Type>Service</Type></Allow>
    <Allow><Name>AllUserInstallAgent</Name><Type>Service</Type></Allow>
    <Allow><Name>AppIDSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Appinfo</Name><Type>Service</Type></Allow>
    <Allow><Name>AppMgmt</Name><Type>Service</Type></Allow>
    <Allow><Name>AudioEndpointBuilder</Name><Type>Service</Type></Allow>
    <Allow><Name>Audiosrv</Name><Type>Service</Type></Allow>
    <Allow><Name>AxInstSV</Name><Type>Service</Type></Allow>
    <Allow><Name>BFE</Name><Type>Service</Type></Allow>
    <Allow><Name>BITS</Name><Type>Service</Type></Allow>
    <Allow><Name>BrokerInfrastructure</Name><Type>Service</Type></Allow>
    <Allow><Name>Browser</Name><Type>Service</Type></Allow>
    <Allow><Name>CertPropSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>COMSysApp</Name><Type>Service</Type></Allow>
    <Allow><Name>CryptSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>CscService</Name><Type>Service</Type></Allow>
    <Allow><Name>DcomLaunch</Name><Type>Service</Type></Allow>
    <Allow><Name>defragsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>DeviceAssociationService</Name><Type>Service</Type></Allow>
    <Allow><Name>DeviceInstall</Name><Type>Service</Type></Allow>
    <Allow><Name>Dfs</Name><Type>Service</Type></Allow>
    <Allow><Name>DFSR</Name><Type>Service</Type></Allow>
    <Allow><Name>Dhcp</Name><Type>Service</Type></Allow>
    <Allow><Name>DNS</Name><Type>Service</Type></Allow>
    <Allow><Name>Dnscache</Name><Type>Service</Type></Allow>
    <Allow><Name>dot3svc</Name><Type>Service</Type></Allow>
    <Allow><Name>DPS</Name><Type>Service</Type></Allow>
    <Allow><Name>DsmSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>DsRoleSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Eaphost</Name><Type>Service</Type></Allow>
    <Allow><Name>EFS</Name><Type>Service</Type></Allow>
    <Allow><Name>EventLog</Name><Type>Service</Type></Allow>
    <Allow><Name>EventSystem</Name><Type>Service</Type></Allow>
    <Allow><Name>FCRegSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>fdPHost</Name><Type>Service</Type></Allow>
    <Allow><Name>FDResPub</Name><Type>Service</Type></Allow>
    <Allow><Name>FontCache</Name><Type>Service</Type></Allow>
    <Allow><Name>FontCache3.0.0.0</Name><Type>Service</Type></Allow>
    <Allow><Name>gpsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>hidserv</Name><Type>Service</Type></Allow>
    <Allow><Name>hkmsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>idsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>IKEEXT</Name><Type>Service</Type></Allow>
    <Allow><Name>IPBusEnum</Name><Type>Service</Type></Allow>
    <Allow><Name>iphlpsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>IsmServ</Name><Type>Service</Type></Allow>
    <Allow><Name>Kdc</Name><Type>Service</Type></Allow>
    <Allow><Name>KdsSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>KeyIso</Name><Type>Service</Type></Allow>
    <Allow><Name>KPSSVC</Name><Type>Service</Type></Allow>
    <Allow><Name>KtmRm</Name><Type>Service</Type></Allow>
    <Allow><Name>LanmanServer</Name><Type>Service</Type></Allow>
    <Allow><Name>LanmanWorkstation</Name><Type>Service</Type></Allow>
    <Allow><Name>lltdsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>lmhosts</Name><Type>Service</Type></Allow>
    <Allow><Name>LSM</Name><Type>Service</Type></Allow>
    <Allow><Name>MMCSS</Name><Type>Service</Type></Allow>
    <Allow><Name>MpsSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>MSDTC</Name><Type>Service</Type></Allow>
    <Allow><Name>MSiSCSI</Name><Type>Service</Type></Allow>
    <Allow><Name>msiserver</Name><Type>Service</Type></Allow>
    <Allow><Name>napagent</Name><Type>Service</Type></Allow>
    <Allow><Name>NcaSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Netlogon</Name><Type>Service</Type></Allow>
    <Allow><Name>Netman</Name><Type>Service</Type></Allow>
    <Allow><Name>netprofm</Name><Type>Service</Type></Allow>
    <Allow><Name>NetTcpPortSharing</Name><Type>Service</Type></Allow>
    <Allow><Name>NlaSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>nsi</Name><Type>Service</Type></Allow>
    <Allow><Name>NTDS</Name><Type>Service</Type></Allow>
    <Allow><Name>NtFrs</Name><Type>Service</Type></Allow>
    <Allow><Name>PerfHost</Name><Type>Service</Type></Allow>
    <Allow><Name>pla</Name><Type>Service</Type></Allow>
    <Allow><Name>PlugPlay</Name><Type>Service</Type></Allow>
    <Allow><Name>PolicyAgent</Name><Type>Service</Type></Allow>
    <Allow><Name>Power</Name><Type>Service</Type></Allow>
    <Allow><Name>PrintService</Name><Type>Service</Type></Allow>
    <Allow><Name>ProfSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>RasAuto</Name><Type>Service</Type></Allow>
    <Allow><Name>RasMan</Name><Type>Service</Type></Allow>
    <Allow><Name>RemoteAccess</Name><Type>Service</Type></Allow>
    <Allow><Name>RemoteRegistry</Name><Type>Service</Type></Allow>
    <Allow><Name>RpcEptMapper</Name><Type>Service</Type></Allow>
    <Allow><Name>RpcLocator</Name><Type>Service</Type></Allow>
    <Allow><Name>RpcSs</Name><Type>Service</Type></Allow>
    <Allow><Name>RSoPProv</Name><Type>Service</Type></Allow>
    <Allow><Name>sacsvr</Name><Type>Service</Type></Allow>
    <Allow><Name>SamSs</Name><Type>Service</Type></Allow>
    <Allow><Name>SCardSvr</Name><Type>Service</Type></Allow>
    <Allow><Name>Schedule</Name><Type>Service</Type></Allow>
    <Allow><Name>SCPolicySvc</Name><Type>Service</Type></Allow>
    <Allow><Name>seclogon</Name><Type>Service</Type></Allow>
    <Allow><Name>SENS</Name><Type>Service</Type></Allow>
    <Allow><Name>SessionEnv</Name><Type>Service</Type></Allow>
    <Allow><Name>SharedAccess</Name><Type>Service</Type></Allow>
    <Allow><Name>ShellHWDetection</Name><Type>Service</Type></Allow>
    <Allow><Name>SidKeySvc</Name><Type>Service</Type></Allow>
    <Allow><Name>SNMPTRAP</Name><Type>Service</Type></Allow>
    <Allow><Name>Spooler</Name><Type>Service</Type></Allow>
    <Allow><Name>sppsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>SSDPSRV</Name><Type>Service</Type></Allow>
    <Allow><Name>SstpSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>stisvc</Name><Type>Service</Type></Allow>
    <Allow><Name>svsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>swprv</Name><Type>Service</Type></Allow>
    <Allow><Name>SysMain</Name><Type>Service</Type></Allow>
    <Allow><Name>SystemEventsBroker</Name><Type>Service</Type></Allow>
    <Allow><Name>TabletInputService</Name><Type>Service</Type></Allow>
    <Allow><Name>TapiSrv</Name><Type>Service</Type></Allow>
    <Allow><Name>TermService</Name><Type>Service</Type></Allow>
    <Allow><Name>Themes</Name><Type>Service</Type></Allow>
    <Allow><Name>THREADORDER</Name><Type>Service</Type></Allow>
    <Allow><Name>TimeBroker</Name><Type>Service</Type></Allow>
    <Allow><Name>TrkWks</Name><Type>Service</Type></Allow>
    <Allow><Name>TrustedInstaller</Name><Type>Service</Type></Allow>
    <Allow><Name>UALSVC</Name><Type>Service</Type></Allow>
    <Allow><Name>UI0Detect</Name><Type>Service</Type></Allow>
    <Allow><Name>UmRdpService</Name><Type>Service</Type></Allow>
    <Allow><Name>upnphost</Name><Type>Service</Type></Allow>
    <Allow><Name>VaultSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>vds</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicheartbeat</Name><Type>Service</Type></Allow>
    <Allow><Name>vmickvpexchange</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicrdv</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicshutdown</Name><Type>Service</Type></Allow>
    <Allow><Name>vmictimesync</Name><Type>Service</Type></Allow>
    <Allow><Name>vmicvss</Name><Type>Service</Type></Allow>
    <Allow><Name>VSS</Name><Type>Service</Type></Allow>
    <Allow><Name>W32Time</Name><Type>Service</Type></Allow>
    <Allow><Name>WbioSrvc</Name><Type>Service</Type></Allow>
    <Allow><Name>WcsPlugInService</Name><Type>Service</Type></Allow>
    <Allow><Name>WdiServiceHost</Name><Type>Service</Type></Allow>
    <Allow><Name>WdiSystemHost</Name><Type>Service</Type></Allow>
    <Allow><Name>WebClient</Name><Type>Service</Type></Allow>
    <Allow><Name>Wecsvc</Name><Type>Service</Type></Allow>
    <Allow><Name>wercplsupport</Name><Type>Service</Type></Allow>
    <Allow><Name>WerSvc</Name><Type>Service</Type></Allow>
    <Allow><Name>WiaRpc</Name><Type>Service</Type></Allow>
    <Allow><Name>WinHttpAutoProxySvc</Name><Type>Service</Type></Allow>
    <Allow><Name>Winmgmt</Name><Type>Service</Type></Allow>
    <Allow><Name>WinRM</Name><Type>Service</Type></Allow>
    <Allow><Name>wmiApSrv</Name><Type>Service</Type></Allow>
    <Allow><Name>WPDBusEnum</Name><Type>Service</Type></Allow>
    <Allow><Name>WSService</Name><Type>Service</Type></Allow>
    <Allow><Name>wuauserv</Name><Type>Service</Type></Allow>
    <Allow><Name>wudfsvc</Name><Type>Service</Type></Allow>
  </AllowList>
  <sysprepInformation>
    <imaging>
      <sysprepModule methodName="CAPISysPrep_Generalize" moduleName="$(runtime.windows)\system32\capisp.dll" />
      <sysprepModule methodName="DhcpClient_Generalize" moduleName="$(runtime.system32)\dhcpcsvc.dll" />
      <sysprepModule methodName="RdpSysPrepGeneralize" moduleName="$(runtime.system32)\setup\tssysprep.dll" />
      <!--sysprepModule methodName="CryptoSysPrep_Specialize" moduleName="$(runtime.windows)\system32\capisp.dll" /-->
      <sysprepModule methodName="RdpSysPrepRestore" moduleName="$(runtime.system32)\setup\tssysprep.dll" />
      <sysprepModule methodName="RacSysprepSpecialize" moduleName="RacEngn.dll" />
      <sysprepModule methodName="WerSysprepCleanup" moduleName="wer.dll" />
      <sysprepModule methodName="SqmSysprepGeneralize" moduleName="sqmapi.dll" />
      <sysprepModule methodName="SqmSysprepSpecialize" moduleName="sqmapi.dll" />
      <sysprepModule methodName="GeneralizeForImaging" moduleName="$(runtime.system32)\wuaueng.dll" />
      <sysprepModule methodName="SLReArmWindows" moduleName="$(runtime.system32)\slc.dll" />
    </imaging>
  </sysprepInformation>
</DefaultCloneConfig>
Note: The DefaultDCCloneAllowList also contains the SYSPREP modules called during cloning. These "mini-sysprep" steps are performed to ensure the cloned domain controller is unique in the important aspects.
List of default compatible cloning components
The following services support cloning and are included in the c:\windows\system32\DefaultDCCloneAllowList.XML allow list.
Type Name Caption (aka "friendly name")
Service ADWS Active Directory Web Services
Service AeLookupSvc Application Experience
Service ALG Application Layer Gateway Service
Service AllUserInstallAgent Windows All-User Install Agent
Service AppIDSvc Application Identity
Service Appinfo Application Information
Service AppMgmt Application Management
Service AudioEndpointBuilder Windows Audio Endpoint Builder
Service Audiosrv Windows Audio
Service AxInstSV
Service BFE Base Filtering Engine
Service BITS Background Intelligent Transfer Service
Service BrokerInfrastructure Broker Infrastructure
Service Browser Computer Browser
Service CertPropSvc Certificate Propagation
Service COMSysApp COM+ System Application
Service CryptSvc Cryptographic Services
Service CscService
Service DcomLaunch DCOM Server Process Launcher
Service defragsvc Optimize drives
Service DeviceAssociationService Device Association Service
Service DeviceInstall Device Install Service
Service Dfs DFS Namespace
Service DFSR DFS Replication
Service Dhcp DHCP Client
Service DNS DNS Server
Service Dnscache DNS Client
Service dot3svc Wired AutoConfig
Service DPS Diagnostic Policy Service
Service DsmSvc Device Setup Manager
Service DsRoleSvc DS Role Server
Service Eaphost Extensible Authentication Protocol
Service EFS Encrypting File System (EFS)
Service EventLog Windows Event Log
Service EventSystem COM+ Event System
Service FCRegSvc
Service fdPHost Function Discovery Provider Host
Service FDResPub Function Discovery Resource Publication
Service FontCache Windows Font Cache Service
Service FontCache3.0.0.0
Service gpsvc Group Policy Client
Service hidserv Human Interface Device Access
Service hkmsvc Health Key and Certificate Management
Service idsvc
Service IKEEXT IKE and AuthIP IPsec Keying Modules
Service IPBusEnum
Service iphlpsvc Function Discovery Provider Host
Service IsmServ Intersite Messaging
Service Kdc Kerberos Key Distribution Center
Service KdsSvc Microsoft Key Distribution Service
Service KeyIso CNG Key Isolation
Service KPSSVC KDC Proxy Server service (KPS)
Service KtmRm KtmRm for Distributed Transaction Coordinator
Service LanmanServer Server
Service LanmanWorkstation Workstation
Service lltdsvc Link-Layer Topology Discovery Mapper
Service lmhosts TCP/IP NetBIOS Helper
Service LSM Local Session Manager
Service MMCSS Multimedia Class Scheduler
Service MpsSvc Windows Firewall
Service MSDTC Distributed Transaction Coordinator
Service MSiSCSI Microsoft iSCSI Initiator Service
Service msiserver Windows Installer
Service napagent Network Access Protection Agent
Service NcaSvc Network Connectivity Assistant
Service Netlogon Netlogon
Service Netman Network Connections
Service netprofm Network List Service
Service NetTcpPortSharing Net.Tcp Port Sharing Service
Service NlaSvc Network Location Awareness
Service nsi Network Store Interface Service
Service NTDS Active Directory Domain Services
Service NtFrs File Replication
Service PerfHost Performance Counter DLL Host
Service pla Performance Logs & Alerts
Service PlugPlay Plug and Play
Service PolicyAgent IPsec Policy Agent
Service Power Power
Service PrintService
Service ProfSvc User Profile Service
Service RasAuto Remote Access Auto Connection Manager
Service RasMan Remote Access Connection Manager
Service RemoteAccess Routing and Remote Access
Service RemoteRegistry Remote Registry
Service RpcEptMapper RPC Endpoint Mapper
Service RpcLocator Remote Procedure Call (RPC) Locator
Service RpcSs Remote Procedure Call (RPC)
Service RSoPProv Resultant Set of Policy Provider
Service sacsvr Special Administration Console Helper
Service SamSs Security Accounts Manager
Service SCardSvr Smart Card
Service Schedule Task Scheduler
Service SCPolicySvc Smart Card Removal Policy
Service seclogon Secondary Logon
Service SENS System Event Notification Service
Service SessionEnv Remote Desktop Configuration
Service SharedAccess Internet Connection Sharing (ICS)
Service ShellHWDetection Shell Hardware Detection
Service SidKeySvc
Service SNMPTRAP SNMP Trap
Service Spooler Print Spooler
Service sppsvc Software Protection
Service SSDPSRV SSDP Discovery
Service SstpSvc Secure Socket Tunneling Protocol Service
Service stisvc
Service svsvc Spot Verifier
Service swprv Microsoft Software Shadow Copy Provider
Service SysMain Superfetch
Service SystemEventsBroker System Events Broker
Service TabletInputService
Service TapiSrv Telephony
Service TermService Remote Desktop Services
Service Themes Themes
Service THREADORDER Thread Ordering Server
Service TimeBroker Time Broker
Service TrkWks Distributed Link Tracking Client
Service TrustedInstaller Windows Modules Installer
Service UALSVC User Access Logging Service
Service UI0Detect Interactive Services Detection
Service UmRdpService Remote Desktop Services UserMode Port Redirector
Service upnphost UPnP Device Host
Service VaultSvc Credential Manager
Service vds Virtual Disk
Service vmicheartbeat Hyper-V Heartbeat Service
Service vmickvpexchange Hyper-V Data Exchange Service
Service vmicrdv Hyper-V Remote Desktop Virtualization Service
Service vmicshutdown Hyper-V Guest Shutdown Service
Service vmictimesync Hyper-V Time Synchronization Service
Service vmicvss Hyper-V Volume Shadow Copy Requestor
Service VSS Volume Shadow Copy
Service W32Time Windows Time
Service WbioSrvc
Service WcsPlugInService Windows Color System
Service WdiServiceHost Diagnostic Service Host
Service WdiSystemHost Diagnostic System Host
Service WebClient
Service Wecsvc Windows Event Collector
Service wercplsupport Problem Reports and Solutions Control Panel Support
Service WerSvc Windows Error Reporting Service
Service WiaRpc
Service WinHttpAutoProxySvc WinHTTP Web Proxy Auto-Discovery Service
Service Winmgmt Windows Management Instrumentation
Service WinRM Windows Remote Management (WS-Management)
Service wmiApSrv WMI Performance Adapter
Service WPDBusEnum Portable Device Enumerator Service
Service WSService Windows Store Service (WSService)
Service wuauserv Windows Update
Service wudfsvc Windows Driver Foundation - User-mode Driver Framework
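Step 9 of the cloning process fails, and the clone boots into DSRM, when a service is installed that appears in neither the default allow list above nor a CustomDCCloneAllowList.xml. The function below is an added example, not code from the guide: run on the source domain controller, it parses both lists and reports every installed service that is in neither, so the administrator can either remove the software or add an entry to the custom list before cloning. The default list path is the one the guide gives; the function name, the custom list path parameter and the assumption that the custom list uses the same <Allow><Name/><Type/> layout as the default list are assumptions of this example. Only services are checked; the "programs" the guide also mentions are outside its scope.

```powershell
# Added example (not the guide's code): list installed services that neither
# DefaultDCCloneAllowList.xml nor a custom allow list permits.
function Get-VdcCloneBlockingServices {
    param(
        [string]$DefaultAllowList = (Join-Path $env:windir "system32\DefaultDCCloneAllowList.xml"),
        [string]$CustomAllowList  = ""      # location not stated by the guide; supply it if one exists
    )
    # Service names are case-insensitive in the SCM, so key the lookup on lower-case names.
    $allowed = @{}
    foreach ($path in @($DefaultAllowList, $CustomAllowList)) {
        if ([string]::IsNullOrEmpty($path)) { continue }
        if (-not (Test-Path -Path $path)) {
            if ($path -eq $DefaultAllowList) { throw "Default allow list not found: $path" }
            continue                        # an absent custom list simply adds nothing
        }
        [xml]$list = Get-Content -Path $path
        # Only <Allow> entries of type Service are compared against the service database;
        # the assumed custom-list layout is the same as the default list's.
        foreach ($entry in $list.SelectNodes("//Allow[Type='Service']")) {
            $name = $entry.SelectSingleNode("Name").InnerText.Trim().ToLowerInvariant()
            $allowed[$name] = $path
        }
    }

    # Report every installed service not covered, with its binary path so the owning
    # product can be identified and either removed or added to the custom list.
    Get-WmiObject -Class Win32_Service |
        Where-Object { -not $allowed.ContainsKey($_.Name.ToLowerInvariant()) } |
        Select-Object Name, DisplayName, State, StartMode, PathName |
        Sort-Object Name
}

# Usage with an assumed custom list path; an empty result means step 9 will pass.
Get-VdcCloneBlockingServices -CustomAllowList (Join-Path $env:windir "NTDS\CustomDCCloneAllowList.xml") | Format-Table -AutoSize
```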
DRS API Extension for Cloning
Windows Server "8" Beta extends the existing Directory Replication Service (DRS) Remote Protocol (UUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) to include a new RPC method IDL_DRSAddCloneDC (Opnum 28). The IDL_DRSAddCloneDC method creates a new domain controller object by copying attributes from an existing domain controller object.
The states of a domain controller are composed of computer, server, NTDS settings, FRS, DFSR, and connection objects maintained for each domain controller. When duplicating an object, this RPC method replaces all references to the original domain controller with corresponding objects of the new domain controller. The caller must have the control access right DS-Clone-Domain-Controller on the domain naming context.
Use of this new method always requires direct access to the PDC emulator domain controller from the caller.
Because this RPC method is new, your network analysis software requires updated parsers to include fields for the new Opnum 28 in the existing UUID E3514235-4B06-11D1-AB04-00C04FC2DCD2. Otherwise, you cannot parse this traffic. For example, using an older parser in Netmon 3.4:
More Information:
For more information about this topic, see 4.1.29 IDL_DRSAddCloneDC (Opnum 28).
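The parser update described above, as an added example that is not part of the guide or of any Microsoft tool: a minimal decoder for the connection-oriented DCE/RPC bind and request PDU headers that resolves a request's context id back to the interface UUID negotiated in the bind, so that opnum 28 on the DRS interface is reported as IDL_DRSAddCloneDC instead of an unknown call. The sample frames are constructed in the block; the NDR transfer syntax UUID and the drsuapi interface version 4.0 are assumptions from the public protocol documentation, not values from this guide.

```python
import struct
import uuid

# From the guide: the DRS Remote Protocol interface UUID and the new Opnum 28.
DRSUAPI_IFACE = uuid.UUID("E3514235-4B06-11D1-AB04-00C04FC2DCD2")
DRSUAPI_OPNUMS = {28: "IDL_DRSAddCloneDC"}  # an older parser's table ends before 28
NDR32_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR (assumed)
HDR = "<BBBBIHHI"  # version, minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id

def parse_bind(pdu):
    """Map each presentation context id in a bind PDU (ptype 11) to its interface UUID."""
    if pdu[2] != 11:
        raise ValueError("not a bind PDU")
    n_ctx, off, contexts = pdu[24], 28, {}  # n_context_elem follows max frag sizes/assoc group
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HBx", pdu, off)
        contexts[ctx_id] = uuid.UUID(bytes_le=pdu[off + 4:off + 20])  # abstract_syntax.if_uuid
        off += 24 + 20 * n_ts  # context element plus its transfer-syntax list
    return contexts

def parse_request(pdu):
    """Return (context id, opnum) from a request PDU (ptype 0); the UUID lives only in the bind."""
    if pdu[2] != 0:
        raise ValueError("not a request PDU")
    return struct.unpack_from("<HH", pdu, 20)  # p_cont_id and opnum follow alloc_hint at offset 16

def describe_call(contexts, request_pdu):
    """Name the interface and method a request targets, as an updated parser must."""
    ctx_id, opnum = parse_request(request_pdu)
    if contexts.get(ctx_id) != DRSUAPI_IFACE:
        return "non-drsuapi call on context %d" % ctx_id
    return "drsuapi opnum %d: %s" % (opnum, DRSUAPI_OPNUMS.get(opnum, "unknown to this parser"))

def build_bind(ctx_id, iface, version=4):
    """Constructed sample frame: minimal bind PDU with one context and one transfer syntax."""
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0)
    body += struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le + struct.pack("<I", version)
    body += NDR32_SYNTAX.bytes_le + struct.pack("<I", 2)
    return struct.pack(HDR, 5, 0, 11, 3, 0x10, 16 + len(body), 0, 1) + body

def build_request(ctx_id, opnum):
    """Constructed sample frame: request PDU header without stub data."""
    body = struct.pack("<IHH", 0, ctx_id, opnum)
    return struct.pack(HDR, 5, 0, 0, 3, 0x10, 16 + len(body), 0, 2) + body

if __name__ == "__main__":
    ctx = parse_bind(build_bind(0, DRSUAPI_IFACE))
    print(describe_call(ctx, build_request(0, 28)))  # drsuapi opnum 28: IDL_DRSAddCloneDC
```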
Windows PowerShell Module Loading
Windows PowerShell 3.0 implements dynamic module loading. Using the Import-Module cmdlet is typically no longer required; simply invoking a cmdlet, alias, or function automatically loads the module that contains it.
To see loaded modules, use the Get-Module cmdlet.
Get-Module
Figure 60
To see all installed modules with their exported functions and cmdlets, use:
Get-Module -ListAvailable
The main case for using the Import-Module cmdlet is when you need access to the "AD:" Windows PowerShell drive and nothing else has already loaded the ActiveDirectory module. For example, use the following commands:
import-module activedirectory
cd ad:
dir
Additional Resources
For information about Windows Server "8" Beta Virtualized Domain Controllers, see:
Understand and Troubleshoot Virtualized Domain Controllers in Windows Server "8" Beta
Test Lab Guide: Demonstrate Windows Server "8" Beta Virtualized Domain Controller (VDC)
AD DS Virtualization (Cloning and Virtualization safe improvements)
For more information about Windows Server "8" Beta AD DS Simplified Administration, see:
Understand and Troubleshoot ADDS Simplified Administration in Windows Server "8" Beta
Active Directory Administrative Center Enhancements (FGPP UI, Recycle Bin UI, and Windows PowerShell Script Viewer)
Active Directory Replication and Topology Management Using Windows PowerShell
AD DS Deployment Guide
Test Lab Guide: Demonstrate ADDS Simplified Administration in Windows Server "8" Beta
For more information about Active Directory Domain services, see:
Active Directory Domain Services (TechNet Portal)
Active Directory Domain Services for Windows Server 2008 R2
Active Directory Domain Services for Windows Server 2008
Windows Server Technical Reference (Windows Server 2003)
Active Directory Administrative Center: Getting Started (Windows Server 2008 R2)
Running Adprep (Windows Server 2008 R2)
USN and USN Rollback Protection (Windows Server 2008 R2)
Active Directory Administration with Windows PowerShell (Windows Server 2008 R2)
Ask the Directory Services Team (Official Microsoft Commercial Technical Support Blog)
For a list of all of the Windows Server "8" Beta TLGs, see Windows Server "8" Beta Test Lab Guides in the TechNet Wiki.
To provide the authors of this guide with feedback or suggestions for improvement, send email to [email protected].