Assume that you are using the Virtualized Domain Controller (VDC) cloning feature introduced in Windows Server 2012. If you run the New-AdDcCloneConfigFile Windows PowerShell cmdlet to clone a domain controller (DC), you receive the following error message:
Starting PDC test: Verifying that the domain controller hosting the PDC FSMO role is running Windows Server 2012 or later...
Passed: The domain controller hosting the PDC FSMO role (DC2-FULL.root.fabrikam.com) was located and running Windows Server 2012 or later.
Verifying authorization: Checking if this domain controller is a member of the 'Cloneable Domain Controllers' group...
Located the local domain controller: (DC2-FULL.root.fabrikam.com).
New-ADDCCloneConfigFile : The server is not operational
At line:1 char:1
+ New-ADDCCloneConfigFile
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ReadError: (Get-AdPrincipal...server:String) [New-ADDCCloneConfigFile], CmdletInvocationException
FullyQualifiedErrorId : 0,MIcrosoft.ActiveDirectory.Management.Commands.Newaddccloneconfigfile
Warning: The local domain controller is not a member of any groups
This problem occurs because the server cannot contact a Global Catalog server.
To resolve this problem, make sure that the following conditions are true:
A Global Catalog server is available.
The server on which this problem occurs can reach the Global Catalog server through TCP ports 3268 and 3269.
If you expect that a Global Catalog server will not be available when you run the New-AdDcCloneConfigFile cmdlet, add the -offline argument to the cmdlet. After you add this argument, the cmdlet no longer checks environmental settings, such as server availability.
During the cloning operation, a clone contacts the PDC emulator (PDCe) by using the RPC network protocol, and then validates the "Allow a DC to create a clone of itself" permission. This permission is usually granted through membership in the Cloneable Domain Controllers group. Therefore, make sure that the PDCe has replicated this group membership inbound. The PDCe does not have to be a Global Catalog server to perform the cloning operation. The Global Catalog server behavior in the cmdlet is used only in the server's internal tests, not in the cloning architecture itself.
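The following pre-flight check is an added example, not code from the original article or from Microsoft. It covers both the resolution conditions above (a Global Catalog server is available and reachable on TCP 3268 and 3269) and the PDCe paragraph (the PDCe's own replica shows this DC in the Cloneable Domain Controllers group). It assumes an elevated session on the source DC with the ActiveDirectory module installed; the Test-TcpPort helper and the result property names are hypothetical names chosen for this example.

```powershell
# Added example: checks to run before New-ADDCCloneConfigFile (not Microsoft's code).
Import-Module ActiveDirectory

# Hypothetical helper: TCP connect test with a timeout, using only .NET types.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$result = [ordered]@{ GlobalCatalog = $null; Port3268 = $false; Port3269 = $false
                      PDCEmulator = $null; InCloneableGroupOnPdce = $false }

# 1. Is a Global Catalog server locatable, and are both GC ports reachable?
try {
    $gc = Get-ADDomainController -Discover -Service GlobalCatalog -ErrorAction Stop
    $result.GlobalCatalog = "$($gc.HostName)"
    $result.Port3268 = Test-TcpPort -ComputerName $result.GlobalCatalog -Port 3268
    $result.Port3269 = Test-TcpPort -ComputerName $result.GlobalCatalog -Port 3269
} catch {
    Write-Warning "No Global Catalog server could be located: $($_.Exception.Message)"
}

# 2. Query the PDCe directly, so the answer reflects what has replicated to it.
try {
    $pdc = (Get-ADDomain -ErrorAction Stop).PDCEmulator
    $result.PDCEmulator = $pdc
    $me = Get-ADComputer -Identity $env:COMPUTERNAME -Server $pdc -ErrorAction Stop
    $members = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' `
                                 -Server $pdc -Recursive -ErrorAction Stop
    $result.InCloneableGroupOnPdce =
        [bool]($members | Where-Object { $_.DistinguishedName -eq $me.DistinguishedName })
} catch {
    Write-Warning "PDCe membership check failed: $($_.Exception.Message)"
}

[pscustomobject]$result | Format-List
```

A False value for Port3268 or Port3269 points at the connectivity condition above; a False value for InCloneableGroupOnPdce means the group membership is not yet visible on the PDCe.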