Cloning of Virtualized Domain Controller

Starting with Windows 2012, It is possible to do a Cloning of Domain Controller. AD DS provides greater support for virtualizing domain controllers by introducing virtualization-safe capabilities and enabling rapid deployment of virtual domain controllers through cloning. Here are some benefits of cloning Domain Controllers:-

  • Rapid deployment of additional domain controllers in a new domain
  • Quickly restore business continuity during disaster recovery by restoring AD DS capacity via rapid deployment of domain controllers using cloning
  • Optimize private cloud deployments by leveraging elastic provisioning of domain controllers to accommodate increased scale requirements
  • Rapid provisioning of test environments enabling deployment and testing of new features and capabilities before production rollout
  • Quickly meet increased capacity needs in branch offices by cloning existing domain controllers in branch offices

Cloning of Domain Controllers process requires three steps:

1. Verify that the environment meets cloning requirements.

2. Prepare the source domain controller for cloning.

3. Create the new, cloned domain controller.

1. Verify the environment :-

The environment must meet the following requirements:

Image The PDC emulator FSMO role must be hosted on a domain controller running Windows Server 2012 or later.

To check run below:-

Get-ADComputer (Get-ADDomainController “Discover “Service “PrimaryDC”).name “Property operatingsystemversion | fl

The PDC emulator must be available during the entire cloning process.

The source and target domain controllers must be running Windows Server 2012 or later.

The virtualization host platform must support VM-Generation ID (VMGID).

Note:- The following server roles are not supported for cloning:

Dynamic Host Configuration Protocol (DHCP)

Active Directory Certificate Services (AD CS)

Active Directory Lightweight Directory Services (AD LDS)

2. Prepare the source domain controller:-

If the requirements for cloning have been met, you can prepare the source domain controller. The steps are:

a). Add the source domain controller to the Cloneable Domain Controllers security group.

Before you can clone a domain controller, you must first add it to the Cloneable Domain Controllers security group in Active Directory. This is a special group that should only contain members during the actual process of cloning. After the cloning is complete, remove the source domain controller from the group.

Add-ADGroupMember -Identity “Cloneable Domain Controllers” `
-Members (Get-ADComputer -Identity DC1).SAMAccountName `


Add-ADGroupMember “Identity “CN=Cloneable Domain Controllers,CN=Users, DC=Fabrikam,DC=Com” “Member “CN=DC1,OU=Domain Controllers,DC=Fabrikam,DC=com”

To remove the source domain controller from the Cloneable Domain Controllers group,

Remove-ADGroupMember -Identity “Cloneable Domain Controllers” `
-Members (Get-ADComputer -Identity trey-dc-04).SAMAccountName `


Remove-ADGroupMember “Identity “CN=Cloneable Domain Controllers,CN=Users, DC=Fabrikam,DC=Com” “Member “CN=DC1,OU=Domain Controllers,DC=Fabrikam,DC=com”

b). Identify any applications that will prevent cloning, and add any safe applications that aren’t identified to the CustomDCCloneAllowList.xml.

In this procedure, run the Get-ADDCCloningExcludedApplicationList cmdlet on the source virtualized domain controller to identify any programs or services that are not evaluated for cloning. You need to run the Get-ADDCCloningExcludedApplicationList cmdlet before the New-ADDCCloneConfigFile cmdlet because if the New-ADDCCloneConfigFile cmdlet detects an excluded application, it will not create a DCCloneConfig.xml file.

To identify applications or services that run on a source domain controller which have not been evaluated for cloning

On the source domain controller (DC1), click Server Manager, click Tools, click Active Directory Module for Windows PowerShell and then type the following command:


Get the list of the returned services and installed programs with the software vendor to determine whether they can be safely cloned. If applications or services in the list cannot be safely cloned, you must remove them from the source domain controller or cloning will fail.

For the set of services and installed programs that were determined to be safely cloned, run the command again with the “GenerateXML switch to provision these services and programs in the CustomDCCloneAllowList.xml file.

Get-ADDCCloningExcludedApplicationList -GenerateXml

The inclusion list was written to ‘C:\Windows\NTDS\CustomDCCloneAllowList.xml’.

c). Remove any stand-alone managed service accounts (MSAs) from the source domain controller. Group MSAs (gMSAs) are supported.

Windows stand-alone MSAs are not supported for domain controller cloning operations. If you have any on the source controller, you need to remove them prior to cloning, and then add them back after.

Get-ADComputer -Identity DC1 | Get-ADComputerServiceAccount

If there are no MSAs, you’ll get nothing back from the command, but if any are found, you’ll get a listing of each of them. Use Uninstall-ADServiceAccount to remove them, and then Install-ADServiceAccount to add the account back after cloning has completed.

Note:- Group MSAs (gMSAs) are supported for cloning and can be left in place. Only stand-alone MSAs need to be removed.

d). Create the DCCloneConfig.xml file.

Run New-ADDCCloneConfigFile on the source domain controller, and optionally specify configuration settings for the clone domain controller, such as the name, the IP address, and DNS resolver.

For example, to create a clone domain controller named DC2 with a static IPv4 address, Run below command:-

New-ADDCCloneConfigFile “Static -IPv4Address “” -IPv4DNSResolver “” -IPv4SubnetMask “” -CloneComputerName “DC2” -IPv4DefaultGateway “” -SiteName “Boston”

Note:- A global catalog server (GC) is required for the New-ADDCCloneConfigFile cmdlet to work successfully. If a GC is not available, the command fails with the error “The server is not operational.

e). Shut down the source domain controller:-

When New-ADDCCloneConfigFile has been successfully run against the source domain controller, shut down the source domain controller before proceeding. Remove any snapshots of the source domain controller, and merge any differencing disks.

3. Create the cloned domain controller:-

After shutting down source DC, you can then choose a method to use to create a new VM from a copy of the source domain controller VHDs. If you’re copying a single-NIC (network interface card), single-VHD source domain controller, you can just create a new VM from the copied VHD.

Here is sample Comand to get ti done:-

Copy-Item “E:\VMs\DC1\DC1.vhdx” `
$ClonedDC=New-VM -Name DC2 `
-MemoryStartupBytes 2048MB `
-Generation 2 `
-BootDevice VHD `
-Path “F:\” `
-VHDPath “F:\VMs\DC2\DC2.vhdx” `
-Switch “Local-10”
Set-VM -VM $ClonedDC -ProcessorCount 2 -DynamicMemory -PassThru
Start-VM $ClonedDC

Note:- The virtual machine for your clone domain controller must be the same generation as the source domain controller.

After the files from the source domain controller have been copied, you can restart that domain controller.

Note:- Remove the source and target domain controllers from the Cloneable Domain Controllers security group. This group should only be populated during the actual cloning process.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.