The following requirements are imposed to successfully clone a Virtual Domain Controller:

  • You must be a member of the Domain Admins group
  • When running PowerShell commands ensure that you are in elevated mode. (Run as administrator)

First, find your source VM information

Get-ADComputer (Get-ADDomainController –Discover –Service “PrimaryDC”).name –Property operatingsystemversion | fl

  • A deployed Windows Server 2012 guest virtualized domain controller (in our case ITCAMP-DC2) that is in the same domain as the Windows Server 2012 domain controller hosting the PDC emulator role (ITCAMP-DC1). This will be the source domain controller used for cloning. The guest virtual domain controller will be hosted on a Windows Server 2012 Hyper-V server (VMHost10A).
  • Forest Functional Level to be Windows Server 2003 or higher
  • Schema version should be set to 56.
  • Make sure to eject any media (any virtual floppy drive (VFD) or any ISO mounted as DVDs)

Now that we have everything set. Let’s clone ourselves a DC….

Step 1: Grant the source virtualized domain controller the permission to be cloned

We need to grant the source domain controller (ITCAMP-DC2) the permission to be cloned by adding it to the Cloneable Domain Controllers group using Active Directory Administrative Center or the following PowerShell command.

Add-ADGroupMember –Identity “CN=Cloneable Domain Controllers,CN=Users, DC=ITCAMP,DC=Local” –Member “CN=ITCAMP-DC2,OU=Domain Controllers,DC=ITCAMP,DC=Local

Step 2: Run Get-ADDCCloningExcludedApplicationList cmdlet

Here we need to run the Get-ADDCCloningExcludedApplicationList cmdlet on the ITCAMP-DC2 to identify any programs or services that are not evaluated for cloning.  Review the output and ensure that you do not have any application, roles or Services that need to be removed.  for example:

The following server roles are not supported for cloning:

  • Dynamic Host Configuration Protocol (DHCP)
  • Active Directory Certificate Services (AD CS)
  • Active Directory Lightweight Directory Services (AD LDS)

You need to run the Get-ADDCCloningExcludedApplicationList cmdlet before the New-ADDCCloneConfigFile cmdlet because if the New-ADDCCloneConfigFile cmdlet detects an excluded application, it will not create a DCCloneConfig.xml file.

Step 3: Run New-ADDCCloneConfigFile

Next we must run New-ADDCCloneConfigFile on ITCamp-DC2 and optionally specify configuration settings for the clone domain controller, such as the name, the IP address, and DNS resolver.

To create a clone domain controller named ITCamp-Clone with dynamic IPv4 settings, type:


New-ADDCCloneConfigFile -CloneComputerName "ITCAMP-ClONE" –IPv4DNSResolver “"

The output will confirm that all preliminary validation check passed and it will create the clone config file as seen in the screen shot below.


Step 4: Export and then import the virtual machine of the source domain controller

Next we’ll need to export ITCAMP-DC2 and then import it on our other Hyper-V host. This will creates a clone virtualized domain controller in your domain.

1- Shut down ITCAMP-DC2

2- Export it to a folder that the other Hyper-v (VMHOST10B) hosts has access to.  In our case we will export it directly in a Export directory on the root of C: on VMHOST10A and then copy it to the Import directory on the root of C: on VMHOST10B.

3- On VMHOST10B, using Hyper-V Manager, import the virtual machine from the folder c:\Import\ITCAMP-DC2. Use the Copy the virtual machine (create new unique ID) option when importing the virtual machine. You can import and create multiple clones by importing it multiple times to different location.

4- On VMHOST10A , restart the source domain controller (ITCAMP-DC2) to bring it back online.

5- On VMHOST10B, start the virtual machine (ITCAMP-Clone) to bring it online as a clone domain controller in the domain.

Then you can see the following screen in the cloned VM


The cloned domain controller will be a member of the Cloneable Domain Controllers group because it copies the membership from the source domain controller. As a best practice, you should leave the Cloneable Domain Controllers group empty until you are ready to perform cloning operations, and you should remove members after cloning operations are complete.