Domain controller cloning event 2224 provides incorrect guidance
For example, an event that resembles the following is logged:
Log Name: Directory Service
Date: 8/8/2012 12:11:25 PM
Event ID: 2224
Task Category: None
Virtual domain controller cloning failed. The following %1 Managed Service Account(s) exist on the cloned machine:
For cloning to succeed, all Managed Service Accounts must be removed. This can be done using the Remove-ADComputerServiceAccount PowerShell cmdlet.
However, the information in this event is incorrect or provides incomplete guidance:
- The event does not state the kind of Managed Service Account that exists on the cloned machine.
- The event does not provide the correct Windows PowerShell cmdlet.
VDC does not support the stand-alone Managed Service Accounts (sMSA) that are introduced in Windows Server 2008 R2. An sMSA cannot exist on more than one computer at the same time. Therefore, Windows detects sMSAs and prevents cloning.
For more information about sMSAs, see the following web pages:
Windows PowerShell cmdlets
To uninstall the sMSA from the source computer, do not use the Remove-ADComputerServiceAccount cmdlet. That cmdlet deletes Managed Service Accounts from Active Directory Domain Services and would cause an outage on the source computer. Instead, use the following cmdlet to temporarily uninstall the sMSA from the source computer:
To temporarily uninstall the sMSA from the source computer, follow these steps:
- On the source computer that is to be cloned, run the following Windows PowerShell cmdlet: Uninstall-AdServiceAccount -identity <name of the managed service account>
- Shut down the source computer, and then copy the source computer for cloning.
- Start the source computer, and add the MSA back by using the following cmdlet: Install-AdServiceAccount -identity <name of the managed service account>
Note If you already tried to clone the domain controller and were blocked, run the Uninstall-AdServiceAccount cmdlet on the clone while Directory Services Repair Mode (DSRM) is running. Then, remove the DSRM safe boot option, and retry cloning. To do this, run the following command:Bcdedit.exe /deletevalue
safebootShutdown.exe /r /t 0
Article ID: 2747974 - Last Review: 09/13/2012 16:54:00 - Revision: 8.0