Cloning Active Directory Domain Controllers with Windows Server 2012

With Windows Server 2012 you can clone a virtual domain controller instead of installing a fresh copy of the operating system and promoting it with dcpromo. A PowerShell cmdlet prepares the source domain controller and writes a configuration file; when the cloned VM is powered on for the first time it takes a different name, IP address and so on from that file.

Some prerequisites are necessary for the cloning procedure to succeed:
At least two domain controllers must already exist, so go ahead and create an additional 2012 domain controller that will be our machine for testing this. The source VM, the domain controller you prepare for cloning, cannot hold the PDC Emulator operations master role, and the domain controller that does hold it must itself run Windows Server 2012, because it services the clone's promotion. The hypervisor must also support the VM-Generation ID (Hyper-V in Windows Server 2012 does). For this guide, the domain controller used for cloning (Server-DC2.vkernel.local) holds no FSMO roles.

The first thing to do before cloning the server is to add the source domain controller (the one we are going to prepare for cloning) to the Cloneable Domain Controllers security group in Active Directory. If you don't, the PowerShell cmdlet that creates the cloning configuration file (New-ADDCCloneConfigFile, below) will fail.

By default the domain controller that results from the cloning procedure is placed in the same site as the source domain controller; the -SiteName parameter used later overrides that.

Open Active Directory Users and Computers, go to the Users container and open the Cloneable Domain Controllers security group. On the Members tab click Add and type the name of the domain controller you are going to clone. Before you click OK, make sure Computers is selected under Object Types, otherwise the domain controller's computer account will not be found.


Now let's prepare the domain controller for cloning. Open an elevated PowerShell window on the source domain controller and import the Active Directory module.

Import-Module ActiveDirectory

The next step is to run Get-ADDCCloningExcludedApplicationList. It lists the programs and services installed on the source VM that have not been evaluated for cloning. If any are found, the cmdlet prints them (the original post showed a screenshot of that output here). Review the list and make sure none of those components break when the computer name or SID changes. If one does, contact the software vendor or remove the software from the domain controller before cloning; as long as the list is not empty, New-ADDCCloneConfigFile refuses to create the configuration file.

If you know that the listed applications are safe to clone, you can add them to an allow list (CustomDCCloneAllowList.xml) with the -GenerateXml switch of the same cmdlet. Unless you pass a different -Path, the .xml file is created in C:\Windows\NTDS, and adding -Force overwrites an existing file of that name at that location.

Get-ADDCCloningExcludedApplicationList -GenerateXml -Force

By opening that path after issuing the command you can see the .xml file.

The last cmdlet that we are going to issue will create the configuration file for the new domain controller. This configuration file will hold the new name for the domain controller, IP address, gateway, etc.

New-ADDCCloneConfigFile -CloneComputerName "Server-DC3" -SiteName "Default-First-Site-Name" -Static -IPv4Address "" -IPv4SubnetMask "" -IPv4DefaultGateway "" -IPv4DNSResolver ""

Of course, you will need to replace the values between the quotes with your own. Point -IPv4DNSResolver at an existing domain controller, not at the address the clone itself will get, so that the clone can find the domain on its first boot.

By default the configuration file (DCCloneConfig.xml) is also saved in C:\Windows\NTDS.
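The preparation steps above as one script, added here as an example and not taken from the original post. It runs in an elevated PowerShell on the source domain controller (Server-DC2) and performs the same checks that New-ADDCCloneConfigFile enforces, so a failure is reported with a readable message before the cmdlet is reached. The IP addresses and the $ReviewedAllowList switch are assumptions for the lab; replace them for your environment.

```powershell
# Added example (not from the original post): prepare the source DC for cloning.
# Run in an elevated PowerShell on the source DC itself. Addresses below are
# assumed lab values, not taken from the post.
Import-Module ActiveDirectory

$Source            = $env:COMPUTERNAME   # the DC this script runs on (Server-DC2)
$CloneName         = 'Server-DC3'
$ReviewedAllowList = $false              # set to $true only after reviewing the excluded list

# 1. The source must not hold the PDC Emulator, and the PDC Emulator must run
#    Windows Server 2012 (NT 6.2) or later, because it services the clone.
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.Name -eq $Source) {
    throw "$Source holds the PDC Emulator role; move it to another DC before cloning."
}
if ($pdc.OperatingSystemVersion -match '^(\d+)\.(\d+)') {
    $major, $minor = [int]$Matches[1], [int]$Matches[2]
    if ($major -lt 6 -or ($major -eq 6 -and $minor -lt 2)) {
        throw "PDC Emulator $($pdc.Name) runs $($pdc.OperatingSystem); it must be Windows Server 2012 or later."
    }
}

# 2. The source must be a member of Cloneable Domain Controllers.
$group    = Get-ADGroup 'Cloneable Domain Controllers'
$computer = Get-ADComputer -Identity $Source
$members  = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty DistinguishedName
if ($members -notcontains $computer.DistinguishedName) {
    Add-ADGroupMember -Identity $group -Members $computer
    Write-Host "Added $Source to $($group.Name)"
}

# 3. Anything left on the excluded-application list blocks New-ADDCCloneConfigFile.
$excluded = @(Get-ADDCCloningExcludedApplicationList)
if ($excluded.Count -gt 0) {
    $excluded | Format-Table -AutoSize | Out-Host
    if (-not $ReviewedAllowList) {
        throw "Review the programs/services above: remove them, or set `$ReviewedAllowList to `$true to allow them."
    }
    # Writes C:\Windows\NTDS\CustomDCCloneAllowList.xml, overwriting an old copy.
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# 4. Write DCCloneConfig.xml (C:\Windows\NTDS by default) with the clone's identity.
#    DNS points at an existing DC, not at the clone's own future address.
New-ADDCCloneConfigFile -CloneComputerName $CloneName -SiteName 'Default-First-Site-Name' -Static `
    -IPv4Address '192.168.10.13' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '192.168.10.1' -IPv4DNSResolver '192.168.10.11'

# Show what the clone will apply on first boot, then shut down for the export.
Get-Content "$env:SystemRoot\NTDS\DCCloneConfig.xml"
```

The script deliberately stops instead of generating the allow list on its own: whether a listed program tolerates a new computer name and SID is a judgement you make once per application, not something the script can decide.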

Shut down the domain controller cleanly and export the VM, either with the PowerShell cmdlet or from Hyper-V Manager.

Export-VM -Name "Server-DC2" -ComputerName "Server-HyperV" -Path "D:\DCClone"


After the VM has been exported successfully, we need to import it. Click the Import Virtual Machine link in the Actions pane of Hyper-V Manager.

Delete any snapshots the machine may have before importing it; they would be imported along with the VM.

Specify the path where the exported VM is located and click Next.

If you have multiple VMs exported to the specified path, select the correct one from the list and continue the wizard.

Choose Copy the virtual machine (create a new unique ID). A new ID has to be generated, otherwise the imported VM does not notice that it was cloned: it boots with the same name and IP address as the source domain controller.

When cloning VMs with System Center Virtual Machine Manager or VMware vCenter, the new ID is generated for you.

If you don’t like the default path, type a different one where the VM files and the virtual disk will be stored.


On the Summary screen click Finish to start importing the VM.


You will need to rename the VM after it has been imported. Right-click it and choose Rename.

All we have to do now is power on the cloned domain controller and let it finish on its own: on first boot it detects the new VM-Generation ID, reads DCCloneConfig.xml and promotes itself. If that fails, the clone boots into Directory Services Restore Mode; check %systemroot%\debug\dcpromo.log on the clone to see why.

Look in AD Sites and Services and in the Domain Controllers OU in Active Directory to confirm that it is there.
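The export, import, rename and start steps, followed by the check that the clone registered itself, as one script run on the Hyper-V host. This is an added example, not code from the original post; it assumes the host is Server-HyperV, that it is domain joined with the ActiveDirectory module installed, that the export goes to D:\DCClone, and that the clone lives under D:\VMs\Server-DC3. The exported configuration file layout is the Windows Server 2012 one (an .xml under Virtual Machines).

```powershell
# Added example (not from the original post): export Server-DC2, import it as a
# copy with a new ID, start both DCs and wait for the clone to appear in AD.
# Run on the Hyper-V host. Paths are assumptions.
Import-Module Hyper-V
Import-Module ActiveDirectory

$SourceVM  = 'Server-DC2'
$CloneVM   = 'Server-DC3'
$ExportDir = 'D:\DCClone'
$CloneDir  = 'D:\VMs\Server-DC3'

# The source must be shut down (cleanly) so the exported directory database is consistent.
if ((Get-VM -Name $SourceVM).State -ne 'Off') { Stop-VM -Name $SourceVM }

# Snapshots would be exported too; remove them and wait for the disk merge to finish.
Get-VMSnapshot -VMName $SourceVM | Remove-VMSnapshot
while ((Get-VM -Name $SourceVM).Status -ne 'Operating normally') { Start-Sleep -Seconds 5 }

Export-VM -Name $SourceVM -Path $ExportDir

# Server 2012 export layout: <ExportDir>\<VM>\Virtual Machines\<GUID>.xml
$config = Get-ChildItem -Path (Join-Path $ExportDir "$SourceVM\Virtual Machines") -Filter *.xml |
          Select-Object -First 1

# -Copy -GenerateNewId is the wizard's "Copy the virtual machine (create a new unique ID)".
# The new ID gives the clone a new VM-Generation ID, which is what makes it read DCCloneConfig.xml.
$clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
             -VirtualMachinePath $CloneDir `
             -VhdDestinationPath (Join-Path $CloneDir 'Virtual Hard Disks')
Rename-VM -VM $clone -NewName $CloneVM

# Bring the original DC back first (the clone needs a DC to talk to), then start the clone.
Start-VM -Name $SourceVM
Start-VM -Name $CloneVM

# The clone promotes itself on first boot; if that fails it lands in DSRM and never
# registers, so give up after a deadline instead of polling forever.
$deadline = (Get-Date).AddMinutes(20)
do {
    Start-Sleep -Seconds 30
    $dc = Get-ADDomainController -Filter "Name -eq '$CloneVM'" -ErrorAction SilentlyContinue
} until ($dc -or (Get-Date) -gt $deadline)

if (-not $dc) {
    throw "$CloneVM did not register as a domain controller. It has probably booted into DSRM; check %systemroot%\debug\dcpromo.log on the clone."
}
$dc | Select-Object Name, Site, IPv4Address, OperatingSystem
```

The final Select-Object shows the same three things the article checks by hand: that the clone exists as a domain controller, that it landed in the site passed to New-ADDCCloneConfigFile, and that it has the static address from the configuration file rather than the source's.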


As you can see, the IP settings are the ones I configured when I issued the New-ADDCCloneConfigFile command. Job done.
