Domain controller cloning fails and the server restarts in DSRM in Windows Server 2012


Assume that you are using the Virtualized Domain Controller (VDC) cloning feature in Windows Server 2012. After you try to clone a new domain controller (DC), the DC starts in Directory Services Repair Mode (DSRM). This may happen immediately or after a delay of up to 20 minutes.


Cause

This behavior may occur for any of the following reasons, in order of historical likelihood. To fix this behavior for a specific cause, go to the corresponding resolution in the "Resolution" section.
  • Cause 1: An incompatible hypervisor is running.
  • Cause 2: The source computer is not a member of the Cloneable Domain Controllers group.
  • Cause 3: An incompatible application has been neither removed from the source computer nor added to the CustomDCCloneAllowList.xml file.
  • Cause 4: A duplicate IP address is specified in the DcCloneConfig.xml file.
  • Cause 5: No IP address or DNS is specified in the DcCloneConfig.xml file, and no automatic IP addressing is available.
  • Cause 6: Only one WINS server is specified. This condition generates error 0x80041005 in the DCPromo.exe event log.
  • Cause 7: No Windows Server 2012 PDC emulator (PDCe) can be contacted on the network by using remote procedure call (RPC) protocol, or the DC that recently assumed PDCe duties has not yet fully assumed the role because it has not yet completed a replication. This condition generates error 8610 ("ERROR_DS_ROLE_NOT_VERIFIED 8610" or 0x21A2) in the Directory Services event log.
  • Cause 8: An invalid Active Directory site is specified in the DcCloneConfig.xml file.
  • Cause 9: A duplicate or invalid computer name is specified in the DcCloneConfig.xml file. This condition generates error 8437 ("Create clone DC objects on PDC failed" or 0x20f5) in the Directory Services event log.
  • Cause 10: Syntax errors exist in the CustomDCCloneAllowList.xml file or in the DcCloneConfig.xml file.
  • Cause 11: The maximum number of auto-generated DC names (9,999) has been exceeded.
  • Cause 12: A MAC address of a clone computer is duplicated.


Resolution

To resolve this behavior, use the resolution that corresponds to the relevant cause that is mentioned in the "Cause" section.
Note: When you troubleshoot a VDC cloning operation, always begin by examining the Directory Services event log and the dcpromo.log file on the clone DC. These sources list all errors, often propose troubleshooting steps, and may provide links to further documentation.
  • Resolution 1: You must use a hypervisor that provides VM-Generation ID support on all computers that are running the VDC cloning feature. If you use Windows Server 2012 Hyper-V, install Windows Server 2012 Integration Services. If you use a third-party hypervisor, contact your vendor for a VM-Generation ID support statement and product documentation.
  • Resolution 2: Add the source computer to the Cloneable Domain Controllers group in that domain. Make sure that this group membership replicates to a Windows Server 2012 PDCe.
  • Resolution 3: Run the Get-ADDCCloningExcludedApplicationList cmdlet to generate a list of incompatible applications. Either uninstall those applications or use the Windows PowerShell Get-ADDCCloningExcludedApplicationList cmdlet to generate a CustomDCCloneAllowList.xml exclusion file.
  • Resolution 4: Change the IP address in the DcCloneConfig.xml file to a non-duplicated address by using the Address element.
  • Resolution 5: Make sure that a DHCPv4 or DHCPv6 server that has leases is available, or that router-based IPv6 (that is, Stateless Address Auto-Configuration, or SLAAC) is available. Manually specify at least one DNS server entry in the DcCloneConfig.xml file by using the DNSResolver element, or provide DNS information through DHCP or SLAAC.
  • Resolution 6: In the DcCloneConfig.xml file in the PreferredWINSServer and AlternateWINSServer elements, specify either no WINS servers or two unique WINS servers.
  • Resolution 7: Make sure that the following conditions are true:
    • The PDCe FSMO role is held by a Windows Server 2012 computer.
    • The PDCe completes at least one full replication, both inbound and outbound, after it assumes the PDCe role.
    • The clone DC can contact the PDCe by using the RPC protocol.
  • Resolution 8: In the DcCloneConfig.xml file, change the Active Directory site name to a valid name.
  • Resolution 9: In the DcCloneConfig.xml file, change the clone computer name to a valid 15-character NetBIOS name (unduplicated).
  • Resolution 10: Re-create the CustomDCCloneAllowList.xml and DcCloneConfig.xml files by using the Get-ADDCCloningExcludedApplicationList and New-ADDCCloneConfigFile Windows PowerShell cmdlets.
    • Perform all XML editing by using a valid XML editor, such as Visual Studio Express 2012.
    • Make sure that the DcCloneConfig.xml file contains the following line:
      <d3c:DCCloneConfig xmlns:d3c="">
  • Resolution 11: Use a new source DC for cloning when you start a new base name or you specify a unique name in the DcCloneConfig.xml file.
  • Resolution 12: Change the clone MAC address to a unique value. We recommend that you do not clone DCs by using static MAC addresses.
After you perform these repair operations, try to run the cloning operation again. To do this, run the following commands from an elevated command prompt, and then verify that the server is successfully cloned.
Bcdedit.exe /deletevalue safeboot

Shutdown.exe /r /t 0
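
Several of the DcCloneConfig.xml conditions listed above (Causes 5, 6, 9 and 10) can be checked offline before the clone is started again. The following PowerShell is an added example, not Microsoft's code: Test-DcCloneConfigText is a hypothetical helper, the ComputerName element name and the IP settings nesting are assumptions, and the sample file with its namespace URI is constructed.

```powershell
# Added example. Test-DcCloneConfigText is a hypothetical helper, not a Microsoft cmdlet.
function Test-DcCloneConfigText {
    param([Parameter(Mandatory)][string]$XmlText)
    $findings = New-Object System.Collections.Generic.List[string]
    # Cause 10: the file must parse as well-formed XML before anything else is checked.
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($XmlText) }
    catch {
        $findings.Add("Cause 10: XML syntax error: $($_.Exception.Message)")
        return $findings
    }
    # Non-empty values of every element with this local name (namespace prefix ignored).
    $get = {
        param($name)
        $doc.SelectNodes("//*[local-name()='$name']") |
            ForEach-Object { $_.InnerText.Trim() } | Where-Object { $_ }
    }
    # Cause 6: specify no WINS servers or two unique ones, never just one.
    $wins = @(& $get 'PreferredWINSServer') + @(& $get 'AlternateWINSServer')
    if ($wins.Count -eq 1) {
        $findings.Add("Cause 6: only one WINS server ($($wins[0])) is specified")
    } elseif (@($wins | Select-Object -Unique).Count -lt $wins.Count) {
        $findings.Add('Cause 6: the WINS server entries are not unique')
    }
    # Cause 5: a static Address without a DNSResolver leaves DNS to DHCP or SLAAC.
    if (@(& $get 'Address').Count -gt 0 -and @(& $get 'DNSResolver').Count -eq 0) {
        $findings.Add('Cause 5: Address is set but no DNSResolver entry is present')
    }
    # Cause 9: the clone name must fit a 15-character NetBIOS name.
    # The letters/digits/hyphen rule is a conservative assumption of this example.
    foreach ($n in @(& $get 'ComputerName')) {
        if ($n.Length -gt 15 -or $n -notmatch '^[A-Za-z0-9-]+$') {
            $findings.Add("Cause 9: computer name '$n' is not a valid NetBIOS name")
        }
    }
    return $findings
}
# Constructed sample, not from a real DC: placeholder namespace URI, a 17-character
# computer name, a static address without DNSResolver, and a single WINS server.
$sample = @'
<d3c:DCCloneConfig xmlns:d3c="urn:example:placeholder">
  <ComputerName>BRANCH-OFFICE-DC7</ComputerName>
  <IPSettings><IPv4Settings><StaticSettings>
    <Address>192.0.2.10</Address>
    <PreferredWINSServer>192.0.2.53</PreferredWINSServer>
  </StaticSettings></IPv4Settings></IPSettings>
</d3c:DCCloneConfig>
'@
Test-DcCloneConfigText -XmlText $sample
```

The check does not cover duplicate IP addresses, site names or MAC addresses (Causes 4, 8 and 12), which can only be verified against the live network and directory.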

More Information

DSRM is intentionally invoked as part of the cloning process in order to safeguard the network and domain from duplicated domain controllers.

Directory Services Repair Mode was called Directory Services Restore Mode in previous versions of Windows.

For more information about how to configure and troubleshoot VDC, go to the following Microsoft TechNet websites:

Article ID: 2742844 - Last Review: Sep 22, 2012 - Revision: 1