At last! Virtual domain controllers just work

VDCs in Server 2012 ease sysadmin headaches

Beginner's guide to SSL certificates

Bring on the clones

Not just anyone can make a clone. You need to get permission. What is more, there are all sorts of restrictions on how and when you can clone, and your clones might not quite end up being exact copies.

To clone a domain controller it must be added to the Cloneable Domain Controllers group. This can be done through the Active Directory Administrative Center. You also have to have your PDC emulator FSMO role running on a Server 2012 domain controller that is not the domain controller you are trying to clone.

Next up is Get-ADDCCloningExcludedApplicationList, a nice bit of PowerShell drudgery that gives you a list of all of the installed applications and servers not known by Microsoft to be clonable. It is then your job to run to the vendor and ask if these applications are designed to survive the cloning process.

You need to manually add each of the applications and services that you want to exist in the cloned copy of the domain controller to CustomDCCloneAllowList.xml. This goes alongside DCCloneConfig.xml which is generated via the New-ADDCCloneConfigFile PowerShell cmdlet.

DCCloneConfig.xml contains the configuration information for the eventual clone. This is mostly IP, DNS and Windows Internet Name Service configuration information.

You can specify static IPv4 addresses, but this option does not exist for IPv6. Microsoft has made it clear that it is stateless address auto configuration or nothing.

After all this is done you go to the source domain controller virtual machine you have just prepped and delete all of its snapshots. You must then power down the virtual machine and export it. Import it onto the target host and voila: a Microsoft domain controller clone.

Imperfect double

My ideal clone would work a lot like good old Symantec Ghost from way back in the beforetime. Indeed, this functionality is built right into most virtualisation management tools today. You point it at the source system, go through a cute little wizard that usually boils down to "where do you want the clone to live" and a duplicate is created.

If you want to get really ambitious you can have your cloning wizard do basic customisation when injecting the new virtual machine: things like system name, IP address and so forth.

But it is not really a cloning process so much as a hazing and initiation ritual when you have to explicitly add applications and services you want to keep around (as in not be stripped out by the cloning process).

It reminds me of the old SIF files used to preconfigure the Windows XP installer – with perhaps a splash of virtualisation template – without quite making the whole leap.

Two additional issues also move this out of the realm of what I would also call a traditional clone. The first is that the clones cannot be integrated into the Active Directory structure if the original source virtual machine has been removed or demoted.

That is not behavior I would associate with a clone so much as a "golden master" style pseudo replica. The killer is that Microsoft has dire warnings about importing templates older than the tombstone/deleted object lifetime which has a default of 60 days.

I rebuild my domain controllers once every two or three years; 60 days isn't long enough for much of anything that I would do in day-to-day administration.

VDC to the rescue

Finding a use case for the disaster recovery portion of VDCs is unnecessary. Over time, the use cases will find you. The clone functionality sees the light of day primarily as a short-term deployment tool.

If you are setting up a new network – or expanding an old one – and need to deploy fairly large numbers of new domain controllers, then the VDC cloning is the right tool for the job.

If, like me, you add domain controllers only every other year (but are too lazy to build them from scratch except during major overhauls) the old-school "demote the source domain controller, dupe it and the re-promote the source and any descendants" is still the best option.

Another area where the cloning could potentially be very useful is in tight-circle DevOps environments typically found in a cloud development. Be it a public or private cloud, deployment horizons of new versions of a service tend to be fairly short in these circles.

In this scenario, the concept of regenerating your clone every few months is not that much of a bother and the forced inclusion of applications and services you want to keep is a feature, not a bug. DevOps teams rapidly iterate layers of test environments and ultimately production ones in a manner that would benefit from the details of this cloning process.

I'd love a multi-year shelf-life version of the clone that had a "go away Microsoft I'm cloning this because it is exactly the way I want it, I just need a copy with a different name and IP" button during the creation process.

Even if you upgrade nothing else to Server 2012, the virtualisation-aware featureset is hard to ignore.

Regardless of any beefs about cloning, the VM-Generation ID–based disaster recovery elements of the new VDC features mean that you would have to spend more time looking for reasons not to upgrade your domain controllers than building the case for doing so. ®

Remote control for virtualized desktops

More from The Register

next story
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Fat fingered geo-block kept Aussies in the dark
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Cloud unicorns are extinct so DiData cloud mess was YOUR fault
Applications need to be built to handle TITSUP incidents
BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
Don't worry about that cable, it's part of the config
Stop the IoT revolution! We need to figure out packet sizes first
Researchers test 802.15.4 and find we know nuh-think! about large scale sensor network ops
SanDisk vows: We'll have a 16TB SSD WHOPPER by 2016
Flash WORM has a serious use for archived photos and videos
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
prev story


Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.