The Virtualized Domain Controller (VDC) cloning feature that is introduced in Windows Server 2012 implements a new event ID 2224 to report on why cloning failed.
For example, an event that resembles the following is logged:
Log Name: Directory Service Source: Microsoft-Windows-ActiveDirectory_DomainService Date: 8/8/2012 12:11:25 PM Event ID: 2224 Task Category: None Level: Error Keywords: User: SYSTEM Computer: DC2-FULL.root.fabrikam.com Description: Virtual domain controller cloning failed. The following %1 Managed Service Account(s) exist on the cloned machine:
%2 For cloning to succeed, all Managed Service Accounts must be removed. This can be done using the Remove-ADComputerServiceAccount PowerShell cmdlet.
However, the information in this event is incorrect or provides incomplete guidance:
The event does not state the kind of Managed Service Account that exists on the cloned machine.
The event does not provide the correct Windows PowerShell cmdlet.
Managed Service Accounts
VDC does not support the stand-alone Managed Service Accounts (sMSA) that are introduced in Windows Server 2008 R2. An sMSA cannot exist on more than one computer at the same time. Therefore, Windows detects sMSAs and prevents cloning.
For more information about sMSAs, see the following web pages:
Group Managed Service Accounts (gMSAs) can exist on multiple computers, and cloning does not block gMSAs. Nevertheless, you must make sure that the new clone computer is authorized to use the gMSA. If authorization is provided through group membership, gMSA works automatically on a clone. This occurs because all group memberships are copied during cloning. However, if the gMSA authorization comes through the direct computer account, you must use the Set-AdServiceAccount Windows PowerShell cmdlet together with the following argument to authorize the clone:
For more information about gMSA, go to the following Microsoft TechNet websites:
To uninstall the sMSA from the source computer, do not use the Remove-ADComputerServiceAccount cmdlet. That cmdlet deletes Managed Service Accounts from Active Directory Domain Services and would cause an outage on the source computer. Instead, use the following cmdlet to temporarily uninstall the sMSA from the source computer:
To temporarily uninstall the sMSA from the source computer, follow these steps:
On the source computer that is to be cloned, run the following Windows PowerShell cmdlet:
Uninstall-AdServiceAccount -identity <name of the managed service account>
Shut down the source computer, and then copy the source computer for cloning.
Start the source computer, and add the MSA back by using the following cmdlet:
Install-AdServiceAccount -identity <name of the managed service account>
Note If you already tried to clone the domain controller and were blocked, run the Uninstall-AdServiceAccount cmdlet on the clone while Directory Services Repair Mode (DSRM) is running. Then, remove the DSRM safe boot option, and retry cloning. To do this, run the following command: