Domain controller cloning event 2224 provides incorrect guidance

Article translations Article translations
Article ID: 2747974 - View products that this article applies to.
Expand all | Collapse all

Summary

The Virtualized Domain Controller (VDC) cloning feature that is introduced in Windows Server 2012 implements a new event ID 2224 to report on why cloning failed.

For example, an event that resembles the following is logged:

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 8/8/2012 12:11:25 PM
Event ID: 2224
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: DC2-FULL.root.fabrikam.com
Description:
Virtual domain controller cloning failed. The following %1 Managed Service Account(s) exist on the cloned machine:

%2

For cloning to succeed, all Managed Service Accounts must be removed. This can be done using the Remove-ADComputerServiceAccount PowerShell cmdlet.


However, the information in this event is incorrect or provides incomplete guidance:
  • The event does not state the kind of Managed Service Account that exists on the cloned machine.
  • The event does not provide the correct Windows PowerShell cmdlet.

More information

Managed Service Accounts

VDC does not support the stand-alone Managed Service Accounts (sMSA) that are introduced in Windows Server 2008 R2. An sMSA cannot exist on more than one computer at the same time. Therefore, Windows detects sMSAs and prevents cloning.

For more information about sMSAs, see the following web pages:
http://technet.microsoft.com/en-us/library/dd378925(WS.10).aspx

http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx
Group Managed Service Accounts (gMSAs) can exist on multiple computers, and cloning does not block gMSAs. Nevertheless, you must make sure that the new clone computer is authorized to use the gMSA. If authorization is provided through group membership, gMSA works automatically on a clone. This occurs because all group memberships are copied during cloning. However, if the gMSA authorization comes through the direct computer account, you must use the Set-AdServiceAccount Windows PowerShell cmdlet together with the following argument to authorize the clone:
-PrincipalsAllowedToRetrieveManagedPassword
For more information about gMSA, go to the following Microsoft TechNet websites:
http://technet.microsoft.com/en-us/library/jj128431.aspx

http://technet.microsoft.com/en-us/library/hh852274

Windows PowerShell cmdlets

To uninstall the sMSA from the source computer, do not use the Remove-ADComputerServiceAccount cmdlet. That cmdlet deletes Managed Service Accounts from Active Directory Domain Services and would cause an outage on the source computer. Instead, use the following cmdlet to temporarily uninstall the sMSA from the source computer:
Uninstall-AdServiceAccount

To temporarily uninstall the sMSA from the source computer, follow these steps:
  1. On the source computer that is to be cloned, run the following Windows PowerShell cmdlet:
    Uninstall-AdServiceAccount -identity <name of the managed service account>
  2. Shut down the source computer, and then copy the source computer for cloning.
  3. Start the source computer, and add the MSA back by using the following cmdlet:
    Install-AdServiceAccount -identity <name of the managed service account>

    Note If you already tried to clone the domain controller and were blocked, run the Uninstall-AdServiceAccount cmdlet on the clone while Directory Services Repair Mode (DSRM) is running. Then, remove the DSRM safe boot option, and retry cloning. To do this, run the following command:
    Bcdedit.exe /deletevalue

    safeboot Shutdown.exe /r /t 0

Properties

Article ID: 2747974 - Last Review: September 13, 2012 - Revision: 8.0
Applies to
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Standard
Keywords: 
KB2747974

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com