Article ID: 2747974 - View products that this article applies to.
The Virtualized Domain Controller (VDC) cloning feature that is introduced in Windows Server 2012 implements a new event ID 2224 to report on why cloning failed.
For example, an event that resembles the following is logged:
Log Name: Directory Service
However, the information in this event is incorrect or provides incomplete guidance:
Managed Service Accounts
VDC does not support the stand-alone Managed Service Accounts (sMSA) that are introduced in Windows Server 2008 R2. An sMSA cannot exist on more than one computer at the same time. Therefore, Windows detects sMSAs and prevents cloning.
For more information about sMSAs, see the following web pages:
http://technet.microsoft.com/en-us/library/dd378925(WS.10).aspxGroup Managed Service Accounts (gMSAs) can exist on multiple computers, and cloning does not block gMSAs. Nevertheless, you must make sure that the new clone computer is authorized to use the gMSA. If authorization is provided through group membership, gMSA works automatically on a clone. This occurs because all group memberships are copied during cloning. However, if the gMSA authorization comes through the direct computer account, you must use the Set-AdServiceAccount Windows PowerShell cmdlet together with the following argument to authorize the clone:
-PrincipalsAllowedToRetrieveManagedPasswordFor more information about gMSA, go to the following Microsoft TechNet websites:
Windows PowerShell cmdlets
To uninstall the sMSA from the source computer, do not use the Remove-ADComputerServiceAccount cmdlet. That cmdlet deletes Managed Service Accounts from Active Directory Domain Services and would cause an outage on the source computer. Instead, use the following cmdlet to temporarily uninstall the sMSA from the source computer:
To temporarily uninstall the sMSA from the source computer, follow these steps:
Article ID: 2747974 - Last Review: September 13, 2012 - Revision: 8.0
Contact us for more help