cloning a vm domain controller

We know this is a complex topic.  We are looking for some insight and possible links that can help in cloning a VMware VM which is the main domain controller server without damaging the configuration of said domain.  We understand to-that if we disconnect the DC in order to clone it, the DC will lose vital configuration required for the domain (the reason we haven't proceeded until all info is at hand for a proper process).
rayluvs Asked:

Luciano Patrão (ICT Senior Infrastructure Engineer) Commented:
Hi,

Can I ask why you need to clone a DC? Because this is something that we should never, never do.

This type of task will have a lot of issues in the domain.

If you need a second domain controller, or a backup, just create a new VM and add it as a domain controller for the domain. It is easier and faster.
1
rayluvs (Author) Commented:
No need of a second domain controller.  We need to run a series of upgrades to a series of apps that are server-installed.  We want to have an exact copy of the server as a test-environment server.  That way we can run all the tests accordingly and at the same time leave the DC server running as usual.

If we would run these upgrades and tests on the original DC and something goes wrong, it most probably would mean downtime, and that is what we are trying not to do.
0
R@f@r P@NC3R (Virtualization Specialist) Commented:
Hello,

Do you have a backup of that VM? If you have a backup, you can do a restoration of that VM, placing another name. And once the restoration completes it disconnects the network card from the VM, so that it does not conflict with the original DC.

If you do not have a backup, you can do the following:

Option 1:
- Perform a snapshot of the VM (you can do it with the VM on).
- Clone the VM and convert it to a template.
- Deploy a VM from that template.
- Disconnect the network card from the VM when the cloning is finished.
- Execute sysprep on the VM to generate a new ID.
- Perform the update tests on the server.

Option 2:
- Perform a snapshot of the VM (you can do it with the VM on).
- Clone the VM (you can do it with the VM on).
- Disconnect the network card from the VM when the cloning is finished. (The new cloned VM will come without the snapshot.)
- Execute sysprep on the VM to generate a new ID.
- Perform the update tests on the server.

Option 3:
- Perform a snapshot of the VM (you can do it with the VM on).
- Turn off the VM.
- Clone the VM (VM off).
- Disconnect the network card from the VM when the cloning is finished. (The new cloned VM will come without the snapshot.)
- Execute sysprep on the VM to generate a new ID.
- Perform the update tests on the server.

Option 4:
- Turn off the VM.
- Export the VM to an OVF or OVA template (to have a backup of your DC).
- Clone the VM (VM off).
- Disconnect the network card from the VM when the cloning is finished.
- Execute sysprep on the VM to generate a new ID.
- Perform the update tests on the server.

Note: As it is a DC, I recommend that you perform these tests outside of working hours, so that you do not have service impact, as well as analyze the impact you can have on your platform.
0
rayluvs (Author) Commented:
Don't know if there is an actual VM backup; there are folder backups of data but don't know if there is a VM backup.

If we were to be aware of any possible disruption of the domain during this process, would it be when: Performing the snapshot of the VM?  Cloning the VM and converting it to a template? Disconnecting the network card from the VM, when the cloning is finished?

Any advice on what to be aware of?
0
R@f@r P@NC3R (Virtualization Specialist) Commented:
Hello

During the process of executing the snapshot and cloning, your domain will not be affected.

The network card you are going to disconnect is in the cloned VM, NOT IN THE ORIGINAL DC.
0
rayluvs (Author) Commented:
Thank you very much for the information.  We were informed the DC will lose vital configuration if we "cloned" it, but with your info it doesn't seem that way.

The above said, prior to closing the question, what possible problems can one perceive in this type of task?  Or better yet, what should one be aware of while doing this work?
0
Luciano Patrão (ICT Senior Infrastructure Engineer) Commented:
Hi

First, DCs should have snapshots, or better, should not be restored with a snapshot. So even if something goes wrong, restoring a DC from a snapshot is never recommended.

Snapshots on a DC should only be done to perform a backup (using proper backup tools).

Secondly, it is not recommended to create clones or templates from VMs with snapshots. There are even some issues in ESXi 5.5 and 6.0.

Third, using sysprep in a DC will change all Guest OS settings (and UID and other settings), which is not something we should do in a DC. Using sysprep you do not have a copy of the original DC, but a different one.

Fourth, you should never have only one DC in your domain. Always a minimum of 2.

Particularly doing any of these tasks when a DC is live.

I wrote an article some time ago regarding backing up DCs or cloning and using the new Windows feature called VM-Generation ID for virtualized DCs.

https://www.provirtualzone.com/backup-virtual-domain-controllers/

To answer your question, what can you do here?

A safe and proper process would be to do a proper backup of the DC and do your tests.

If you had a backup tool like Veeam, you could even back up and restore in an isolated environment and do your testing without disturbing the original DC.

If not, the last option, which you do at your own risk, is to do the clone without any snapshots and with the DC powered off, and then do the tests in the cloned machine without it being connected to your internal domain network.

But I would create a second DC, put it online with all DC services and as a Global Catalog, and after it is live and all working, I would do the updates in the original DC.
2
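The fallback conditions in the post above (DC powered off, no snapshots, clone kept off the internal domain network) can be enforced as pre-flight checks around the clone operation. This is an added example, not code from any participant in the thread; it assumes VMware PowerCLI with an existing `Connect-VIServer` session, and the function name and VM names are hypothetical.

```powershell
# Added example. Assumes VMware PowerCLI is loaded and Connect-VIServer has
# already been run. Function and VM names are hypothetical placeholders.
function New-IsolatedDcClone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourceName,   # e.g. 'DC01' (placeholder)
        [Parameter(Mandatory)] [string] $CloneName     # e.g. 'DC01-LAB' (placeholder)
    )

    $source = Get-VM -Name $SourceName -ErrorAction Stop

    # Condition 1: clone only with the DC powered off.
    if ($source.PowerState -ne 'PoweredOff') {
        throw "Source VM '$SourceName' is $($source.PowerState); shut it down first."
    }

    # Condition 2: clone only when the source carries no snapshots.
    $snapshots = @(Get-Snapshot -VM $source)
    if ($snapshots.Count -gt 0) {
        throw "Source VM '$SourceName' has $($snapshots.Count) snapshot(s); remove them first."
    }

    # Full clone onto the same host and the first datastore of the source.
    $datastore = Get-Datastore -RelatedObject $source | Select-Object -First 1
    $clone = New-VM -Name $CloneName -VM $source -VMHost $source.VMHost -Datastore $datastore

    # Condition 3: the clone must not reach the production network.
    # -StartConnected applies to a powered-off VM and keeps every virtual
    # NIC unplugged at the next power-on.
    Get-NetworkAdapter -VM $clone |
        Set-NetworkAdapter -StartConnected:$false -Confirm:$false | Out-Null

    # Verify the result before anyone powers the clone on.
    $stillWired = @(Get-NetworkAdapter -VM $clone |
        Where-Object { $_.ConnectionState.StartConnected })
    if ($stillWired.Count -gt 0) {
        throw "Clone '$CloneName' still has $($stillWired.Count) adapter(s) set to connect at power-on."
    }

    return $clone
}

# Usage (placeholder names): New-IsolatedDcClone -SourceName 'DC01' -CloneName 'DC01-LAB'
```

The function leaves the clone powered off, so the adapter state can be reviewed, or the adapters moved to an isolated port group, before first boot.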
Wayne88 Commented:
"We understand to-that if we disconnect the DC in order to clone it, the DC will lose  vital configuration required for the domain"

Not sure what this meant and never heard of it.  Do you only have one DC?  If yes then you can only shut it down when no one is working because people won't be able to log in to their workstations.

Since you just wanted to clone the server for testing purposes I will also assume you will run this in a separate network (whether VLAN or physical) from the production one.  If you can shut down the server in question for a time to either create an OVA as mentioned above or do a full backup of the machine (I have used Acronis, Norton, Paragon), then restoring to the new host will work just fine.  I have done this many times when testing before a big upgrade or migration.
0
Lee W, MVP (Technology and Business Process Advisor) Commented:
In general I completely agree with Luciano Patrão - his comments and guidance are excellent.  The only place I take even a small issue with is the recommendation for a second DC.  And it's only a small issue because in general, he's right about that too - I've come to understand that when you have environments where people don't understand Active Directory, it's often better to maintain image-based backups of a SINGLE DC as it minimizes the chance of corrupting AD.  But if you know what you're doing and how to perform PROPER restores of a domain controller (and likely, when not to), then I would completely agree with 2 DCs at the primary site.
0
rayluvs (Author) Commented:
Luciano, we don't want to create a second DC, but yes, your recommendation makes sense: using the backup tool Veeam I can back up and restore for a test environment without disrupting the original DC (that's what we want).

Wayne88, what I meant was "We understand to-date that if we disconnect the DC in order to clone it, the DC will lose  vital configuration required for the domain".  We want to clone the DC for its contents, not to have another DC.  That said, we want to have the cloned server within the same network.

Reading all the entries seems to point to the best bet being to back up the DC and restore it as a separate computer.  Just want to make sure: backing up with Veeam, can we have the DC on?
0
Wayne88 Commented:
"We want to clone the DC for its contents, not to have another DC.  That said, we want to have the cloned server within the same network"

Thanks for clarifying. Then in this case it's definitely not advised.  You cannot just clone a DC then deploy it on the same network; it will definitely create issues as already stated by others.
0
rayluvs (Author) Commented:
We don’t want to clone the DC and deploy another DC within the network.  After cloning there have to be additional tasks, such as changing the computer name and stripping any DC attributes, to make it just a stand-alone server.  Afterwards, connect it to the LAN as another computer.
0
Luciano Patrão (ICT Senior Infrastructure Engineer) Commented:
Hi

If you want to create a clone of a VM, then this is completely different from creating a clone from a DC and testing.

If you do not plan to test the DC itself, what is the purpose of cloning the DC? Because if the aim is to test the impact of those updates or changes in the DC, if there is no DC there is no real test here.

To use Veeam as an alternative (you could have a full Veeam version for a 30-day trial), you also need to understand how it works and how to use the feature Veeam On-Demand Sandbox.

You can read a little bit here: On-Demand Sandbox

If you could work with this option, there is no need to remove anything from the backup DC, since these tests are done in a completely isolated environment. It is not very easy to implement, but not hard at the same time, and after it is working it is very useful.
0
Andrew Hancock (VMware vExpert / EE MVE^2) (VMware and Virtualization Consultant) Commented:
Wow, there's a lot of waffle here....

For what purpose, for use in Production - No.

For use in a Lab - yes.

Right Click and select CLONE.

(it will not affect or damage production!)

Deploy a new Server and add the AD Role, simple and easy, it will take you 7 minutes.

If you have a template Deploy from Template even quicker...

Do not re-use a CLONED DC for Production.
0
rayluvs (Author) Commented:
Yes, that’s a good way of putting it “a lot of waffle here”! HaHaHa!

Hi, thank you all for so much valuable information, this thread has been most helpful.

We want to create a clone, an exact replica of a DC server for testing purposes of apps installed, convert that copy to a stand-alone computer VM and run the test; we don’t want to re-use the cloned DC for production.

The domain controller server has a series of apps that are shared throughout the network.  We need to run a series of tests, updates and upgrades to these applications but don’t want to do this to the live DC server; we don’t want to disrupt operations.  So we want to make a copy of this server (a test environment) to test only the apps within it; we don’t want to test its DC attributes or security authentications.  When everything checks out in the test environment, then we would proceed to run these upgrades on the DC server.

So we placed the question in EE ‘cloning a vm domain controller’; however, the main reason for the question was that we were informed that if we clone the DC server, the entire domain may suffer; thus the question.

Our main concern is not to damage any DC configurations or attributes while cloning it.  We don’t want to have the domain in an extended downtime due to re-configurations caused by some mistake made while cloning.

So it seems that Veeam, and better yet its sandbox option, would be a good alternative, and also what Andrew suggested in right-click & clone (not affecting production).
0
Andrew Hancock (VMware vExpert / EE MVE^2) (VMware and Virtualization Consultant) Commented:
Right Click CLONE, and then disconnect from Production Network, or add to an Internet network with no host network uplinks.

Connect to CLONED DC, and do what you need to do.

SIMPLES!

We do this weekly at most client sites to create Replica Network Infrastructure for Tests! - Change Control...

Doing what you want to do may require you to have ALL the other DCs as clones as well, so you can demote the DC in question! Which is the smart way of removing AD from a DC....
0
Luciano Patrão (ICT Senior Infrastructure Engineer) Commented:
It was not clear in the beginning of this question that the goal was to clone and remove the DC services.
0
rayluvs (Author) Commented:
Sorry for the delay... thanx all!
0
Question has a verified solution.