Virtualized Domain Controller Deployment and Configuration

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic covers:

Installation Considerations

There is no special role or feature installation for virtualized domain controllers; all domain controllers automatically contain cloning and safe restore capabilities. You cannot remove or disable these capabilities.

Use of Windows Server 2012 domain controllers requires a Windows Server 2012 AD DS Schema version 56 or higher and forest functional level equal to Windows Server 2003 Native or higher.

Both writable and read-only domain controllers support all aspects of virtualized DC, as do Global Catalogs and FSMO roles.


The PDC Emulator FSMO role holder must be online when cloning begins.

Platform Requirements

Virtualized Domain Controller cloning requires:

  • PDC emulator FSMO role hosted on a Windows Server 2012 DC

  • PDC emulator available during cloning operations

Both cloning and safe restore require:

  • Windows Server 2012 virtualized guests

  • Virtualization host platform supports VM-Generation ID (VMGID)

Review the table below for virtualization products and whether they support virtualized domain controllers and VM-Generation ID.

| Virtualization Product | Supports virtualized domain controllers and VMGID |
|---|---|
| Microsoft Windows Server 2012 server with Hyper-V Feature | Yes |
| Microsoft Windows Server 2012 Hyper-V Server | Yes |
| Microsoft Windows 8 with Hyper-V Client Feature | Yes |
| Windows Server 2008 R2 and Windows Server 2008 | No |
| Non-Microsoft virtualization solutions | Contact vendor |

Even though Microsoft supports Windows 7 Virtual PC, Virtual PC 2007, Virtual PC 2004, and Virtual Server 2005, they cannot run 64-bit guests, nor do they support VM-GenerationID.

For help with third party virtualization products and their support stance with virtualized domain controllers, contact that vendor directly.

For more information, review Support policy for Microsoft software running in non-Microsoft hardware virtualization software.

Critical Caveats

Virtualized domain controllers do not support safe restore of the following:

  • VHD and VHDX files manually copied over existing VHD files

  • VHD and VHDX files restored using file backup or full disk backup software


VHDX files are new to Windows Server 2012 Hyper-V.

Neither of these operations is covered under VM-GenerationID semantics, and therefore neither changes the VM-Generation ID. Restoring domain controllers using these methods could result in a USN rollback and either quarantine the domain controller or introduce lingering objects and the need for forest-wide cleanup operations.


Virtualized domain controller safe restore is not a replacement for system state backups and the AD DS Recycle Bin.

After restoring a snapshot, the deltas of previously un-replicated changes originating from that domain controller after the snapshot are permanently lost. Safe restore implements automated non-authoritative restoration to prevent accidental domain controller quarantine only.

For more information about USN bubbles and lingering objects, see Troubleshooting Active Directory operations that fail with error 8606: "Insufficient attributes were given to create an object".

Virtualized Domain Controller Cloning

There are a number of stages and steps to cloning a virtualized domain controller, regardless of using graphical tools or Windows PowerShell. At a high level, the three stages are:

Prepare the environment

  • Step 1: Validate that the hypervisor supports VM-Generation ID and therefore, cloning

  • Step 2: Verify the PDC emulator role is hosted by a domain controller that runs Windows Server 2012 and that it is online and reachable by the cloned domain controller during cloning.

Prepare the source domain controller

  • Step 3: Authorize the source domain controller for cloning

  • Step 4: Remove incompatible services or programs or add them to the CustomDCCloneAllowList.xml file.

  • Step 5: Create DCCloneConfig.xml

  • Step 6: Take the source domain controller offline

Create the cloned domain controller

  • Step 7: Copy or export the source VM and add the XML if not already copied

  • Step 8: Create a new virtual machine from the copy

  • Step 9: Start the new virtual machine to commence cloning

There are no procedural differences in the operation when using graphical tools such as the Hyper-V Management Console or command-line tools such as Windows PowerShell, so the steps are presented only once with both interfaces. This topic provides Windows PowerShell samples for you to explore end-to-end automation of the cloning process; they are not required for any steps. There is no graphical management tool for virtualized domain controllers included in Windows Server 2012.

There are several points in the procedure where you have choices for how to create the cloned computer and how you add the xml files; these steps are noted in the details below. The process is otherwise unalterable.

The following diagram illustrates the virtualized domain controller cloning process, where the domain already exists.


Step 1 - Validate the Hypervisor

Ensure the source domain controller is running on a supported hypervisor by reviewing vendor documentation. Virtualized domain controllers are hypervisor-independent and do not require Hyper-V.

If the hypervisor is Microsoft Hyper-V, ensure it is running on Windows Server 2012. You can validate this using Device Management.

Open Devmgmt.msc and examine System Devices for installed Microsoft Hyper-V devices and drivers. The specific system device required for a virtualized domain controller is the Microsoft Hyper-V Generation Counter (driver: vmgencounter.sys).


Step 2 - Verify the PDCE FSMO role

Before you attempt to clone a DC, you must validate that the domain controller hosting the Primary Domain Controller Emulator FSMO runs Windows Server 2012. The PDC emulator (PDCE) is required for several reasons:

  1. The PDCE creates the special Cloneable Domain Controllers group and sets its permission on the root of the domain to allow a domain controller to clone itself.

  2. The cloning domain controller contacts the PDCE directly using the DRSUAPI RPC protocol, in order to create computer objects for the clone DC.


    Windows Server 2012 extends the existing Directory Replication Service (DRS) Remote Protocol (UUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) to include a new RPC method IDL_DRSAddCloneDC (Opnum 28). The IDL_DRSAddCloneDC method creates a new domain controller object by copying attributes from an existing domain controller object.

    The states of a domain controller are composed of computer, server, NTDS settings, FRS, DFSR, and connection objects maintained for each domain controller. When duplicating an object, this RPC method replaces all references to the original domain controller with corresponding objects of the new domain controller. The caller must have the control access right DS-Clone-Domain-Controller on the domain naming context.

    Use of this new method always requires direct access to the PDC emulator domain controller from the caller.

    Because this RPC method is new, your network analysis software requires updated parsers to include fields for the new Opnum 28 in the existing UUID E3514235-4B06-11D1-AB04-00C04FC2DCD2. Otherwise, you cannot parse this traffic.

    For more information, see 4.1.29 IDL_DRSAddCloneDC (Opnum 28).

This also means that when using non-fully routed networks, virtualized domain controller cloning requires network segments with access to the PDCE. It is acceptable to move a cloned domain controller to a different network after cloning - just like a physical domain controller - as long as you are careful to update the AD DS logical site information.


When cloning a domain that contains only a single domain controller, you must ensure the source DC is back online before starting the clone copies. A production domain should always contain at least two domain controllers.

Active Directory Users and Computers Method

  1. Using the Dsa.msc snap-in, right-click the domain and click Operations Masters. Note the domain controller named on the PDC tab and close the dialog.

  2. Right-click that DC's computer object and click Properties, and then validate the Operating System info.

Windows PowerShell Method

You can combine the following Active Directory Windows PowerShell Module cmdlets to return the version of the PDC emulator:


If the domain is not provided, these cmdlets assume the domain of the computer where they are run.

The following command returns PDCE and Operating System info:

get-adcomputer (Get-ADDomainController -Discover -Service "PrimaryDC").name -property * | format-list dnshostname,operatingsystem,operatingsystemversion

The example below demonstrates specifying the domain name and filtering the returned properties before the Windows PowerShell pipeline:


Step 3 - Authorize a Source DC

The source domain controller must have the control access right (CAR) Allow a DC to create a clone of itself on the domain NC head. By default, the well-known group Cloneable Domain Controllers has this permission and contains no members. The PDCE creates this group when that FSMO role transfers to a Windows Server 2012 domain controller.

Active Directory Administrative Center Method

  1. Start Dsac.exe and navigate to the source DC, then open its detail page.

  2. In the Member Of section, add the Cloneable Domain Controllers group for that domain.

Windows PowerShell Method

You can combine the following Active Directory Windows PowerShell Module cmdlets get-adcomputer and add-adgroupmember to add a domain controller to the Cloneable Domain Controllers group:

Get-adcomputer <dc name> | %{add-adgroupmember "cloneable domain controllers" $_.samaccountname}  

For instance, this adds server DC1 to the group, without the need to specify the distinguished name of the group member:


Rebuilding Default Permissions

If you remove this permission from the domain head, cloning fails. You can recreate the permission using the Active Directory Administrative Center or Windows PowerShell.

Active Directory Administrative Center Method

  1. Open Active Directory Administrative Center, right-click the domain head, click Properties, click the Extensions tab, click Security, and then click Advanced. Click This Object Only.

  2. Click Add, under Enter the object name to select, type the group name Cloneable Domain Controllers.

  3. Under Permissions, click Allow a DC to create a clone of itself, and then click OK.


You can also remove the default permission and add individual domain controllers. However, doing so is likely to cause ongoing maintenance problems where new administrators are unaware of this customization. Changing the default setting does not increase security and is discouraged.

Windows PowerShell Method

Use the following commands in an administrator-elevated Windows PowerShell console prompt. These commands detect the domain name and add back in the default permissions:

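import-module activedirectory
cd ad:
# Domain naming context head and the well-known group that should hold the right
$domainNC = get-addomain
$dcgroup = get-adgroup "Cloneable Domain Controllers"
$sid1 = (get-adgroup $dcgroup).sid
$acl = get-acl $domainNC
# Control access right "Allow a DC to create a clone of itself"
$objectguid = new-object Guid 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid1,"ExtendedRight","Allow",$objectguid
# Add the new ACE to the ACL before writing it back; without this, set-acl rewrites the ACL unchanged
$acl.AddAccessRule($ace1)
set-acl -aclobject $acl $domainNC
cd c: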

Alternatively, run the sample FixVDCPermissions.ps1 in a Windows PowerShell console, where the console starts as an elevated administrator on a domain controller in the affected domain. It automatically sets the permissions. The sample is located in the appendix of this module.
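
The following is an added example, not part of the original topic and not the FixVDCPermissions.ps1 sample: a read-only audit of which principals hold the clone right on the domain head and which accounts are members of Cloneable Domain Controllers. The function names are hypothetical; the GUID is the one used in the commands above.

```powershell
Import-Module ActiveDirectory

# GUID of the "Allow a DC to create a clone of itself" control access right,
# taken from the permission-rebuild commands on this page.
$CloneRightGuid = [Guid]'3e0f7e18-2c7a-4c10-ba82-4d926db99a3e'

# Hypothetical helper: list every Allow ACE on the domain NC head that grants the
# clone right, either explicitly or through "all extended rights" (empty ObjectType).
function Get-DCCloneRightHolder {
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl      = Get-Acl -Path "AD:\$domainDN"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights -band $extended)) { continue }

        $explicit  = $ace.ObjectType -eq $CloneRightGuid
        $allRights = $ace.ObjectType -eq [Guid]::Empty
        if (-not ($explicit -or $allRights)) { continue }

        $via = if ($explicit) { 'Clone right' } else { 'All extended rights' }
        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            GrantedVia = $via
            Inherited  = $ace.IsInherited
        }
    }
}

# Hypothetical helper: list the members of Cloneable Domain Controllers and flag
# any member that is not a domain controller of this domain.
function Get-CloneableDCMember {
    $dcDNs = @(Get-ADDomainController -Filter * | ForEach-Object { $_.ComputerObjectDN })

    foreach ($member in @(Get-ADGroupMember 'Cloneable Domain Controllers')) {
        [pscustomobject]@{
            Member             = $member.SamAccountName
            ObjectClass        = $member.objectClass
            IsDomainController = ($dcDNs -contains $member.DistinguishedName)
        }
    }
}

# By default only the Cloneable Domain Controllers group should hold the explicit
# clone right, and the group should contain only the DCs authorized as clone sources.
Get-DCCloneRightHolder | Format-Table -AutoSize
Get-CloneableDCMember  | Format-Table -AutoSize
```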

Step 4 - Remove Incompatible applications or services (if not using CustomDCCloneAllowList.xml)

Any programs or services previously returned by Get-ADDCCloningExcludedApplicationList - and not added to the CustomDCCloneAllowList.xml - must be removed prior to cloning. Uninstalling the application or service is the recommended method.


Any incompatible program or service not uninstalled or added to the CustomDCCloneAllowList.xml prevents cloning.

Use the Get-AdComputerServiceAccount cmdlet to locate any standalone Managed Service Accounts (MSAs) in the domain and to determine whether this computer is using any of them. If any MSA is installed, use the Uninstall-ADServiceAccount cmdlet to remove the locally installed service account. Once you are done with taking the source domain controller offline in step 6, you can re-add the MSA using Install-ADServiceAccount when the server is back online. For more information, see Uninstall-ADServiceAccount.


Standalone MSAs - first released in Windows Server 2008 R2 - were replaced in Windows Server 2012 with group MSAs. Group MSAs support cloning.

Step 5 - Create DCCloneConfig.xml

The DcCloneConfig.xml file is required for cloning domain controllers. Its contents allow you to specify unique details like the new computer name and IP address.

The CustomDCCloneAllowList.xml file is optional unless you install applications or potentially incompatible Windows services on the source domain controller. The files require precise naming, formatting, and placement; otherwise, cloning fails.

For that reason, you should always use the Windows PowerShell cmdlets to create the XML files and place them in the correct location.

Generating with New-ADDCCloneConfigFile

The Active Directory Windows PowerShell module contains a new cmdlet in Windows Server 2012:


You run the cmdlet on the proposed source domain controller that you intend to clone. The cmdlet supports multiple arguments and, when used, always tests the computer and environment where it is run unless you specify the -offline argument.


| Arguments | Explanation |
|---|---|
| New-ADDCCloneConfigFile | Creates a blank DcCloneConfig.xml file in the DSA Working Directory (default: %systemroot%\ntds) |
| -CloneComputerName | Specifies the clone DC computer name. String data type. |
| -Path | Specifies the folder to create the DcCloneConfig.xml. If not specified, writes to the DSA Working Directory (default: %systemroot%\ntds). String data type. |
| -SiteName | Specifies the AD logical site name to join during cloned computer account creation. String data type. |
| -IPv4Address | Specifies the static IPv4 address of the cloned computer. String data type. |
| -IPv4SubnetMask | Specifies the static IPv4 subnet mask of the cloned computer. String data type. |
| -IPv4DefaultGateway | Specifies the static IPv4 default gateway address of the cloned computer. String data type. |
| -IPv4DNSResolver | Specifies the static IPv4 DNS entries of the cloned computer in a comma-separated list. Array data type. Up to four entries can be provided. |
| -PreferredWINSServer | Specifies the static IPv4 address of the primary WINS server. String data type. |
| -AlternateWINSServer | Specifies the static IPv4 address of the secondary WINS server. String data type. |
| -IPv6DNSResolver | Specifies the static IPv6 DNS entries of the cloned computer in a comma-separated list. There is no way to set IPv6 static information in virtualized domain controller cloning. Array data type. |
| -Offline | Does not perform the validation tests and overwrites any existing dccloneconfig.xml. Has no parameters. For more information, see Running New-ADDCCloneConfigFile in offline mode. |
| -Static | Required if specifying static IP arguments IPv4SubnetMask, IPv4SubnetMask, or IPv4DefaultGateway. Has no parameters. |

Tests performed when run in online mode:

  • PDC Emulator is Windows Server 2012 or later

  • Source domain controller is a member of Cloneable Domain Controllers group

  • Source domain controller does not include any excluded applications or services

  • Source domain controller does not already contain a DcCloneConfig.xml at the specified path
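
The checks from Steps 1 to 4 can also be run on their own before generating any XML. The following is an added example, not part of the original topic and not how New-ADDCCloneConfigFile is implemented; the function name Test-DCCloneReadiness is hypothetical, and it assumes an elevated console on the proposed source DC with the Active Directory module available.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: read-only checks for Steps 1-4. It changes nothing and
# writes no XML file; it returns one result object per check.
function Test-DCCloneReadiness {
    $report = @()

    # Step 1: the guest must expose the Hyper-V Generation Counter (vmgencounter.sys).
    # Matching on the driver file avoids depending on the driver's service name.
    $drivers = @(Get-CimInstance -ClassName Win32_SystemDriver `
                    -Filter "PathName LIKE '%vmgencounter.sys'")
    $running = @($drivers | Where-Object { $_.State -eq 'Running' })
    $report += [pscustomobject]@{
        Check  = 'VM-Generation ID driver (vmgencounter.sys) is running'
        Passed = ($running.Count -gt 0)
        Detail = "matching drivers found: $($drivers.Count)"
    }

    # Step 2: the PDC emulator must be discoverable and run Windows Server 2012 or later.
    # OperatingSystemVersion has the form "6.2 (9200)"; Windows Server 2012 is 6.2.
    $pdceName  = (Get-ADDomainController -Discover -Service 'PrimaryDC').Name
    $pdce      = Get-ADComputer $pdceName -Properties OperatingSystem, OperatingSystemVersion
    $osVersion = [version](($pdce.OperatingSystemVersion -split ' ')[0])
    $report += [pscustomobject]@{
        Check  = 'PDC emulator runs Windows Server 2012 or later'
        Passed = ($osVersion -ge [version]'6.2')
        Detail = "$pdceName: $($pdce.OperatingSystem) $($pdce.OperatingSystemVersion)"
    }

    # Step 3: this DC must be a member of the Cloneable Domain Controllers group.
    $self      = Get-ADComputer $env:COMPUTERNAME
    $memberDNs = @(Get-ADGroupMember 'Cloneable Domain Controllers' |
                    ForEach-Object { $_.DistinguishedName })
    $report += [pscustomobject]@{
        Check  = 'Source DC is a member of Cloneable Domain Controllers'
        Passed = ($memberDNs -contains $self.DistinguishedName)
        Detail = "group members: $($memberDNs.Count)"
    }

    # Step 4: nothing may remain on the excluded application list.
    $excluded = @(Get-ADDCCloningExcludedApplicationList)
    $report += [pscustomobject]@{
        Check  = 'No excluded applications or services remain'
        Passed = ($excluded.Count -eq 0)
        Detail = "excluded entries: $($excluded.Count)"
    }

    $report
}

Test-DCCloneReadiness | Format-Table -AutoSize -Wrap
```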


Step 6 - Take the Source Domain Controller Offline

You cannot copy a running source DC; it must be shut down gracefully. Do not clone a domain controller stopped by graceless power loss.

Graphical Method

Use the shutdown button within the running DC, or the Hyper-V Manager shutdown button.



Windows PowerShell Method

You can shut down a virtual machine using either of the following cmdlets:


Stop-Computer is a cmdlet that supports shutting down computers regardless of virtualization, and is analogous to the legacy Shutdown.exe utility. Stop-VM is a new cmdlet in the Windows Server 2012 Hyper-V Windows PowerShell module, and is equivalent to the power options in Hyper-V Manager. The latter is useful in lab environments where the domain controller often operates on a private virtualized network.



Step 7 - Copy Disks

An administrative choice is required in the copying phase:

  • Copy the disks manually, without Hyper-V

  • Export the VM, using Hyper-V

  • Export the merged disks, using Hyper-V

All of a virtual machine's disks must be copied, not just the system drive. If the source domain controller uses differencing disks and you plan to move your cloned domain controller to another Hyper-V host, you must export.

Copying disks manually is recommended if the source domain controller has only one drive. Export/Import is recommended for VMs with more than one drive or other complex virtualized hardware customizations like multiple NICs.

If copying files manually, delete any snapshots prior to copying. If exporting the VM, delete snapshots prior to exporting or delete them from the new VM after importing.


Snapshots are differencing disks that can return a domain controller to a previous state. If you were to clone a domain controller and then restore its pre-cloning snapshot, you would end up with duplicate domain controllers in the forest. There is no value in prior snapshots on a newly cloned domain controller.

Manually Copying Disks

Hyper-V Manager Method

Use the Hyper-V Manager snap-in to determine which disks are associated with the source domain controller. Use the Inspect option to validate if the domain controller uses differencing disks (which requires that you copy the parent disk also).


To delete snapshots, select a VM and delete the snapshot subtree.


You can then manually copy the VHD or VHDX files using Windows Explorer, Xcopy.exe, or Robocopy.exe. No special steps are required. It is a best practice to change the file names even if moving to another folder.


If copying between host computers on a LAN (1-Gbit or greater), the Xcopy.exe /J option copies VHD/VHDX files considerably faster than any other tool, at the cost of much greater bandwidth usage.

Windows PowerShell Method

To determine the disks using Windows PowerShell, use the Hyper-V Modules:


For example, you can return all IDE hard drives from a VM named DC2 with the following sample:


If the disk path points to an AVHD or AVHDX file, it is a snapshot. To delete the snapshots associated with a disk and merge in the real VHD or VHDX, use cmdlets:


For example, to delete all snapshots from a VM named DC2-SOURCECLONE:


To copy the files using Windows PowerShell, use the following cmdlet:


Combine with VM cmdlets in pipelines to aid automation. The pipeline is a channel used between multiple cmdlets to pass data. For example, to copy the drive of an offline source domain controller named DC2-SOURCECLONE to a new disk called c:\temp\copy.vhd without the need to know the exact path to its system drive:

Get-VMIdeController dc2-sourceclone | Get-VMHardDiskDrive | ForEach-Object {copy-item -path $_.path -destination c:\temp\copy.vhd}



You cannot use passthru disks with cloning, as they do not use a virtual disk file but instead an actual hard disk.


For more information about Windows PowerShell operations with pipelines, see Piping and the Pipeline in Windows PowerShell.

Exporting the VM

As an alternative to copying the disks, you can export the entire Hyper-V VM as a copy. Exporting automatically creates a folder named for the VM and containing all disks and configuration information.


Hyper-V Manager Method

To export a VM with Hyper-V Manager:

  1. Right-click the source domain controller and click Export.

  2. Select an existing folder as the export container.

  3. Wait for the Status column to stop showing Exporting.

Windows PowerShell Method

To export a VM using the Hyper-V Windows PowerShell module, use the cmdlet:


For example, to export a VM named DC2-SOURCECLONE to a folder named C:\VM:



Windows Server 2012 Hyper-V supports new export and import capabilities that are outside the scope of this training. Review TechNet for more information.

Exporting merged disks, using Hyper-V

The final option is to use the disk merge and conversion options within Hyper-V. These allow you to make a copy of an existing disk structure - even when including snapshot AVHD/AVHDX files - into a single new disk. Like the manual disk copy scenario, this is primarily intended for simpler virtual machines that only use a single drive, such as C:\. Its lone advantage is that, unlike manually copying, it does not require you to first delete snapshots. This operation is necessarily slower than simply deleting the snapshots and copying disks.

Hyper-V Manager Method

To create a merged disk using Hyper-V Manager:

  1. Click Edit Disk.

  2. Browse for the lowest child disk. For example, if you are using a differencing disk, the child disk is the lowest child. If the virtual machine has a snapshot (or multiple ones), the currently selected snapshot is the lowest child disk.

  3. Select the Merge option to create a single disk out of the entire parent-child structure.

  4. Select a new virtual hard disk and provide a path. This reconciles the existing VHD/VHDX files into a single new portable unit that is not at risk of restoring previous snapshots.

Windows PowerShell Method

To create a merged disk from a complex set of parents using the Hyper-V Windows PowerShell module, use the cmdlet:


For example, to export the entire chain of a VM's disk snapshots (this time not including any differencing disks) and parent disk into a new single disk named DC4-CLONED.VHDX:


Adding XML to the Offline System Disk

If you did not copy the Dccloneconfig.xml to the running source DC, you must copy the updated dccloneconfig.xml file to the offline copied/exported system disk now. Depending on installed applications detected with Get-ADDCCloningExcludedApplicationList earlier, you may also need to copy the CustomDCCloneAllowList.xml file to the disk.

The following locations can contain the DcCloneConfig.xml file:

  1. DSA Working Directory

  2. %windir%\NTDS

  3. Removable read/write media, in order of drive letter, at the root of the drive

These paths are not configurable. After cloning begins, the cloning process checks these locations in that specific order and uses the first DcCloneConfig.xml file found, regardless of the other folders' contents.

The following locations can contain the CustomDCCloneAllowList.xml file:

  1. HKey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters

    AllowListFolder (REG_SZ)

  2. DSA Working Directory

  3. %windir%\NTDS

  4. Removable read/write media, in order of drive letter, at the root of the drive

您可以執行新-ADDCCloneConfigFile 使用-離線引數 (也稱為離線模式),以建立 DcCloneConfig.xml 檔案,並將它放在正確的位置。You can run New-ADDCCloneConfigFile with the -offline argument (also known as offline mode) to create the DcCloneConfig.xml file and place it in a correct location. 下列範例顯示如何執行離線模式中的新-ADDCCloneConfigFile。The following examples show how to run New-ADDCCloneConfigFile in offline mode.

若要建立複製網域控制站名 CloneDC1 離線模式,靜態 IPv4 位址,稱為 「 REDMOND 「 網站中輸入:To create a clone domain controller named CloneDC1 in offline mode, in a site called "REDMOND" with static IPv4 address, type:

New-ADDCCloneConfigFile -Offline -CloneComputerName CloneDC1 -SiteName REDMOND -IPv4Address "" -IPv4DNSResolver "" -IPv4SubnetMask "" -IPv4DefaultGateway "" -Static -Path F:\Windows\NTDS  

To create a clone domain controller named Clone2 in offline mode with static IPv4 and static IPv6 settings, type:

New-ADDCCloneConfigFile -Offline -IPv4Address "" -IPv4DNSResolver "" -IPv4SubnetMask "" -Static -IPv6DNSResolver "2002:4898:e0:31fc:d61:2b0a:c9c9:2ccc" -CloneComputerName "Clone2" -PreferredWINSServer "" -AlternateWINSServer "" -Path F:\Windows\NTDS  

To create a clone domain controller in offline mode with static IPv4 and dynamic IPv6 settings and specify multiple DNS servers for the DNS resolver settings, type:

New-ADDCCloneConfigFile -Offline -IPv4Address "" -IPv4SubnetMask "" -IPv4DefaultGateway "" -IPv4DNSResolver @( "","" ) -Static -IPv6DNSResolver "2002:4898:e0:31fc:d61:2b0a:c9c9:2ccc" -Path F:\Windows\NTDS   

To create a clone domain controller named Clone1 in offline mode with dynamic IPv4 and static IPv6 settings, type:

New-ADDCCloneConfigFile -Offline -Static -IPv6DNSResolver "2002:4898:e0:31fc:d61:2b0a:c9c9:2ccc" -CloneComputerName "Clone1" -PreferredWINSServer "" -AlternateWINSServer "" -SiteName "REDMOND" -Path F:\Windows\NTDS  

To create a clone domain controller in offline mode with dynamic IPv4 and dynamic IPv6 settings, type:

New-ADDCCloneConfigFile -Offline -IPv4DNSResolver "" -IPv6DNSResolver "2002:4898:e0:31fc:d61:2b0a:c9c9:2ccc" -Path F:\Windows\NTDS  

Windows Explorer Method

Windows Server 2012 now offers a graphical option for mounting VHD and VHDX files. This requires installation of the Desktop Experience feature on Windows Server 2012.

  1. Click the newly copied VHD/VHDX file that contains the source DC's system drive or DSA Working Directory location folder, and then click Mount from the Disc Image Tools menu.

  2. In the now-mounted drive, copy the XML files to a valid location. You may be prompted for permissions to the folder.

  3. Click the mounted drive and click Eject from the Disk Tools menu.

Windows PowerShell Method

Alternatively, you can mount the offline disk and copy the XML file using the Windows PowerShell cmdlets:


This allows you complete control over the process. For instance, the drive can be mounted with a specific drive letter, the file copied, and the drive dismounted.

mount-vhd <disk path> -passthru -nodriveletter | get-disk | get-partition | get-volume | get-partition | where {$_.PartitionNumber -eq 2} | Add-PartitionAccessPath -accesspath <drive letter>

copy-item <xml file path> <destination path>\dccloneconfig.xml

dismount-vhd <disk path>

For example:


Alternatively, you can use the new Mount-DiskImage cmdlet to mount a VHD (or ISO) file.
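The mount, copy, and dismount sequence described above, written as an added example (not code from the original article). It assumes PowerShell 4.0 or later for Get-FileHash and a Windows folder named \Windows on the offline disk; the function name and the paths in the usage comment are hypothetical.

```powershell
# Added example: stage DcCloneConfig.xml on an offline copied/exported system disk.
# Assumptions: Hyper-V and Storage modules available, PowerShell 4.0+ (Get-FileHash),
# and the offline DC keeps its database folder at \Windows\NTDS.
function Copy-CloneConfigToOfflineDisk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$VhdPath,    # copied or exported system disk
        [Parameter(Mandatory)][string]$XmlSource   # DcCloneConfig.xml created earlier
    )

    # Refuse to stage a file that is not well-formed XML; the cast throws if it is not.
    [void][xml](Get-Content -LiteralPath $XmlSource -Raw)

    $mounted = Mount-VHD -Path $VhdPath -Passthru -ErrorAction Stop
    try {
        # Locate the mounted volume that holds the offline DC's %windir%\NTDS folder.
        $ntds = $mounted | Get-Disk | Get-Partition | Get-Volume |
            Where-Object { $_.DriveLetter } |
            ForEach-Object { "$($_.DriveLetter):\Windows\NTDS" } |
            Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
            Select-Object -First 1
        if (-not $ntds) { throw "No \Windows\NTDS folder found on '$VhdPath'." }

        # Cloning uses the first DcCloneConfig.xml it finds, so overwrite any stale
        # copy left in this location by an earlier attempt.
        $dest = Join-Path $ntds 'DcCloneConfig.xml'
        Copy-Item -LiteralPath $XmlSource -Destination $dest -Force -ErrorAction Stop

        # Confirm the staged file is byte-identical to the reviewed source file.
        $srcHash = (Get-FileHash -LiteralPath $XmlSource -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) { throw "Hash mismatch after copy to '$dest'." }

        [pscustomobject]@{ Destination = $dest; SHA256 = $dstHash }
    }
    finally {
        # Always detach the disk, even on failure, so the new VM can open it.
        Dismount-VHD -Path $VhdPath
    }
}

# Usage (placeholder paths):
# Copy-CloneConfigToOfflineDisk -VhdPath 'C:\VM\<copied disk>.vhdx' -XmlSource 'C:\Staging\DcCloneConfig.xml'
```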

Step 8 - Create the New Virtual Machine

The final configuration step before starting the cloning process is creating a new VM that uses the disks from the copied source domain controller. Depending on the selection made in the copying disks phase, you have two options:

  1. Associate a new VM with the copied disk

  2. Import the exported VM

Associating a New VM with Copied Disks

If you copied the system disk manually, you must create a new virtual machine using the copied disk. The hypervisor automatically sets the VM-Generation ID when a new VM is created; no configuration changes are required in the VM or Hyper-V host.

Hyper-V Manager Method

  1. Create a new virtual machine.

  2. Specify the VM name, memory, and network.

  3. On the Connect Virtual Hard Disk page, specify the copied system disk.

  4. Complete the wizard to create the VM.

If there were multiple disks, network adapters, or other customizations, configure them before starting the domain controller. The "Export-Import" method of copying disks is recommended for complex VMs.

Windows PowerShell Method

You can use the Hyper-V Windows PowerShell module to automate VM creation in Windows Server 2012, using the following cmdlet:


For example, here the DC4-CLONEDFROMDC2 VM is created, using 1GB of RAM, booting from the c:\vm\dc4-systemdrive-clonedfromdc2.vhd file, and using the 10.0 virtual network:


Import VM

If you previously exported your VM, you now need to import it back in as a copy. This uses the exported XML to recreate the computer using all the previous settings, drives, networks, and memory settings.

If you intend to create additional copies from the same exported VM, make as many copies of the exported VM as necessary. Then use Import for each copy.

It is important to use the Copy option, as export preserves all information from the source; importing the server with Move or In Place causes information collision if done on the same Hyper-V host server.

Hyper-V Manager Method

To import using the Hyper-V Manager snap-in:

  1. Click Import Virtual Machine

  2. On the Locate Folder page, select the exported VM definition file using the Browse button

  3. On the Select Virtual Machine page, click the source computer.

  4. On the Choose Import Type page, click Copy the virtual machine (create a new unique ID), then click Finish.

  5. Rename the imported VM if importing on the same Hyper-V host; it will have the same name as the exported source domain controller.

Remember to remove any imported snapshots, using the Hyper-V Management snap-in:


Deleting any imported snapshots is critically important; if applied, they would return the cloned domain controller to the state of a previous - and possibly live - DC, leading to replication failure, duplicate IP information, and other disruptions.

Windows PowerShell Method

You can use the Hyper-V Windows PowerShell module to automate VM import in Windows Server 2012, using the following cmdlets:


For example, here the exported VM DC2-CLONED is imported using its automatically determined XML file, then renamed immediately to its new VM name DC5-CLONEDFROMDC2:


Remember to remove any imported snapshots, using the following cmdlets:


For example:


Ensure that, when importing the computer, static MAC addresses were not assigned to the source domain controller. If a source computer with a static MAC is cloned, those copied computers will not correctly send or receive any network traffic. Set a new unique static or dynamic MAC address if this is the case. You can see if a VM uses static MAC addresses with the command:

Get-VM -VMName test-vm | Get-VMNetworkAdapter | fl *
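The import procedure above (import as a copy with a new ID, rename, remove imported snapshots, check for static MAC addresses) as one added example, not code from the original article. The function name and the export XML path are hypothetical; the VM name DC5-CLONEDFROMDC2 in the usage comment is the article's.

```powershell
# Added example: import an exported DC as a copy and make it safe to start.
# Assumptions: Hyper-V module available, run on the Hyper-V host, VM stays powered off.
function Import-ClonedDomainController {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ExportXmlPath,  # exported VM definition file
        [Parameter(Mandatory)][string]$NewName         # unique name on this host
    )

    # -Copy -GenerateNewId corresponds to "Copy the virtual machine (create a new
    # unique ID)"; Move or In Place imports collide with the source on the same host.
    $vm = Import-VM -Path $ExportXmlPath -Copy -GenerateNewId -ErrorAction Stop
    Rename-VM -VM $vm -NewName $NewName -ErrorAction Stop

    # Remove every imported snapshot: applying one would roll the clone back to the
    # state of a previous, possibly live, domain controller.
    Get-VMSnapshot -VM $vm | Remove-VMSnapshot -ErrorAction Stop
    $remaining = @(Get-VMSnapshot -VM $vm)
    if ($remaining.Count -gt 0) {
        throw "$($remaining.Count) snapshot(s) still attached to '$NewName'; do not start the VM."
    }

    # A static MAC copied from the source breaks networking on the clone, so switch
    # any such adapter to a dynamically assigned address.
    foreach ($nic in Get-VMNetworkAdapter -VM $vm) {
        if (-not $nic.DynamicMacAddressEnabled) {
            Write-Warning "Adapter '$($nic.Name)' had static MAC $($nic.MacAddress); switching to dynamic."
            Set-VMNetworkAdapter -VMNetworkAdapter $nic -DynamicMacAddress
        }
    }

    # Return the final adapter state for the change record.
    Get-VMNetworkAdapter -VM $vm |
        Select-Object VMName, Name, MacAddress, DynamicMacAddressEnabled
}

# Usage (placeholder path):
# Import-ClonedDomainController -ExportXmlPath 'C:\VM\DC2-CLONED\Virtual Machines\<exported VM id>.xml' -NewName 'DC5-CLONEDFROMDC2'
```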

Step 9 - Clone the New Virtual Machine

Optionally, before you begin cloning, restart the offline clone source domain controller. Ensure that the PDC emulator is online, regardless.

To begin cloning, simply start the new virtual machine. The process initiates automatically and the domain controller reboots automatically after cloning is complete.

Keeping domain controllers turned off for an extended period of time is not recommended, and if the clone is joining the same site as its source DC, the initial intra- and inter-site replication topology may take longer to build if the source domain controller is offline.

If using Windows PowerShell to start a VM, the new Hyper-V Module cmdlet is:


For example:


Once the computer restarts after cloning completes, it is a domain controller and you can log on normally to confirm normal operation. If there are any errors, the server is set to start in Directory Services Restore Mode for investigation.

Virtualization safeguards

Unlike virtualized domain controller cloning, Windows Server 2012 virtualization safeguards have no configuration steps. The feature works without intervention as long as you meet some simple conditions:

  • The hypervisor supports VM-Generation ID

  • There is a valid partner domain controller that a restored domain controller can replicate changes from non-authoritatively.

Validate the Hypervisor

Ensure the source domain controller is running on a supported hypervisor by reviewing vendor documentation. Virtualized domain controllers are hypervisor-independent and do not require Hyper-V.

Review the previous Platform Requirements section for known VM-Generation ID support.

If you are migrating VMs from a source hypervisor to a different target hypervisor, virtualization safeguards may or may not be triggered depending on whether the hypervisors support VM-Generation ID, as explained in the following table.

Source hypervisor | Target hypervisor | Result
Supports VM-Generation ID | Does not support VM-Generation ID | Safeguards not triggered (if a DCCloneConfigFile.xml is present, DC will boot into DSRM)
Does not support VM-Generation ID | Supports VM-Generation ID | Safeguards triggered
Supports VM-Generation ID | Supports VM-Generation ID | Safeguards not triggered because VM definition has not changed, which means the VM-Generation ID remains the same

Validate the Replication Topology

Virtualization safeguards initiate non-authoritative inbound replication for the delta of Active Directory replication as well as non-authoritative resynchronization of all SYSVOL contents. This ensures the domain controller returns from a snapshot with full functionality and is eventually consistent with the rest of the environment.

With this new capability come several requirements and limitations:

  • A restored domain controller must be able to contact a writable DC

  • All domain controllers in a domain must not be restored simultaneously

  • Any changes originating from a restored domain controller that have not yet replicated outbound since the snapshot was taken are lost forever

While the troubleshooting section covers these scenarios, details below ensure you do not create a topology that could cause problems.

Writable Domain Controller Availability

If restored, a domain controller must have connectivity to a writable domain controller; a read-only domain controller cannot send the delta of updates. The topology is likely correct for this already, as a writable domain controller always needed a writable partner. However, if all writable domain controllers are restoring simultaneously, none of them can find a valid source. The same goes if the writable domain controllers are offline for maintenance or otherwise unreachable through the network.

Simultaneous Restore

Do not restore all domain controllers in a single domain simultaneously. If all snapshots restore at once, Active Directory replication works normally but SYSVOL replication halts. The restore architecture of FRS and DFSR requires setting their replica instance to non-authoritative sync mode. If all domain controllers restore at once, and each domain controller marks itself non-authoritative for SYSVOL, they all will then try to synchronize group policies and scripts from an authoritative partner; at that point, though, all partners are also non-authoritative.

If all domain controllers are restored at once, use the following articles to set one domain controller - typically the PDC emulator - as authoritative, so that the other domain controllers can return to normal operation:

Using the BurFlags registry key to reinitialize File Replication Service replica sets

How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)

Do not run all domain controllers in a forest or domain on the same hypervisor host. That introduces a single point of failure that cripples AD DS, Exchange, SQL, and other enterprise operations each time the hypervisor goes offline. This is no different from using only one domain controller for an entire domain or forest. Multiple domain controllers on multiple platforms help provide redundancy and fault tolerance.

Post-Snapshot Replication

Do not restore snapshots until all locally originating changes made since snapshot creation have replicated outbound. Any originating changes are lost forever if other domain controllers did not already receive them through replication.

Use Repadmin.exe to show any un-replicated outbound changes between a domain controller and its partners:

  1. Return the DC's partner names and DSA Object GUIDs with:

    Repadmin.exe /showrepl <DC Name of the partner> /repsto

  2. Return the pending inbound replication of the partner domain controller to the domain controller to be restored:

    Repadmin.exe /showchanges <Name of partner DC> <DSA Object GUID of the domain controller being restored> <naming context to compare>

Alternatively, just to see the count of un-replicated changes:

Repadmin.exe /showchanges <Name of partner DC> <DSA Object GUID of the domain controller being restored> <naming context to compare> /statistics

For example (with output modified for readability and important entries italicized), here you look at the replication partnerships of DC4:

C:\>repadmin.exe /showrepl dc4.corp.contoso.com /repsto  

DSA Options: IS_GC  
Site Options: (none)  
DSA object GUID: 5d083398-4bd3-48a4-a80d-fb2ebafb984f  
DSA invocationID: 730fafec-b6d4-4911-88f2-5b64e48fc2f1  


    Default-First-Site-Name\DC3 via RPC  
        DSA object GUID: f62978a8-fcf7-40b5-ac00-40aa9c4f5ad3  
        Last attempt @ 2011-11-11 15:04:12 was successful.  
    Default-First-Site-Name\DC2 via RPC  
        DSA object GUID: 3019137e-d223-4b62-baaa-e241a0c46a11  
        Last attempt @ 2011-11-11 15:04:15 was successful.  

Now you know that it is replicating with DC2 and DC3. You then show the list of changes that DC2 states it still does not have from DC4, and see that there is one new group:

C:\>repadmin /showchanges dc2.corp.contoso.com 5d083398-4bd3-48a4-a80d-fb2ebafb984f dc=corp,dc=contoso,dc=com  

==== SOURCE DSA: (null) ====  
Objects returned: 1  
(0) add CN=newgroup4,CN=Users,DC=corp,DC=contoso,DC=com  
    1> parentGUID: 55fc995a-04f4-4774-b076-d6a48ac1af99  
    1> objectGUID: 96b848a2-df1d-433c-a645-956cfbf44086  
    2> objectClass: top; group  
    1> instanceType: 0x4 = ( WRITE )  
    1> whenCreated: 11/11/2011 3:03:57 PM Eastern Standard Time  

You would also test the other partner to ensure that it had not already replicated.

Alternatively, if you did not care which objects had not replicated and only cared that any objects were outstanding, you can use the /statistics option:

C:\>repadmin /showchanges dc2.corp.contoso.com 5d083398-4bd3-48a4-a80d-fb2ebafb984f dc=corp,dc=contoso,dc=com /statistics  

********* Grand total *************************  
Packets:              1  
Objects:              1
Object Additions:     1
Object Modifications: 0
Object Deletions:     0
Object Moves:         0
Attributes:           12
Values:               13


Test all writable partners if you see any failures or outstanding replication. As long as at least one is converged, it is generally safe to restore the snapshot, as transitive replication eventually reconciles the other servers.

Be sure to note any errors in replication shown by /showchanges and do not proceed until they are fixed.
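One way to turn the /statistics check above into a pre-restore gate, as an added example that is not part of the original article. The function names are hypothetical, the sample text is constructed from the output format shown above, and the parser assumes the "Grand total" block appears exactly as in that output.

```powershell
# Added example: decide whether a snapshot restore would lose un-replicated changes.
# Parses the "Grand total" block of 'repadmin /showchanges ... /statistics'.
function Get-UnreplicatedObjectCount {
    param([string[]]$Lines)
    $inTotal = $false
    foreach ($line in $Lines) {
        if ($line -match 'Grand total') { $inTotal = $true; continue }
        if ($inTotal -and $line -match '^\s*Objects:\s+(\d+)') { return [int]$Matches[1] }
    }
    # Missing totals mean the query failed; never read that as "zero changes".
    throw 'No "Grand total" block in repadmin output.'
}

function Test-SafeToRestoreSnapshot {
    param(
        [Parameter(Mandatory)][string]$DsaObjectGuid,     # DSA object GUID of the DC to restore
        [Parameter(Mandatory)][string]$NamingContext,     # for example dc=corp,dc=contoso,dc=com
        [Parameter(Mandatory)][string[]]$WritablePartner  # partners listed by /showrepl /repsto
    )
    $detail = @(foreach ($partner in $WritablePartner) {
        $out = & repadmin.exe /showchanges $partner $DsaObjectGuid $NamingContext /statistics
        try {
            [pscustomobject]@{ Partner = $partner
                               Outstanding = (Get-UnreplicatedObjectCount $out)
                               Error = $null }
        }
        catch {
            [pscustomobject]@{ Partner = $partner
                               Outstanding = $null
                               Error = $_.Exception.Message }
        }
    })
    $failed    = @($detail | Where-Object { $_.Error })
    $converged = @($detail | Where-Object { -not $_.Error -and $_.Outstanding -eq 0 })

    # Safe only when no partner query failed and at least one partner already holds
    # every change that originated on the DC being restored.
    [pscustomobject]@{
        SafeToRestore = ($failed.Count -eq 0 -and $converged.Count -ge 1)
        Detail        = $detail
    }
}

# Offline check of the parser against constructed sample output:
$sample = @'
********* Grand total *************************
Packets:              1
Objects:              1
Object Additions:     1
Object Modifications: 0
'@ -split "`r?`n"
$outstanding = Get-UnreplicatedObjectCount $sample

# Live usage with the article's DC4 values:
# Test-SafeToRestoreSnapshot -DsaObjectGuid '5d083398-4bd3-48a4-a80d-fb2ebafb984f' `
#     -NamingContext 'dc=corp,dc=contoso,dc=com' `
#     -WritablePartner 'dc2.corp.contoso.com','dc3.corp.contoso.com'
```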

Windows PowerShell Snapshot Cmdlets

The following Windows PowerShell Hyper-V module cmdlets provide snapshot capabilities in Windows Server 2012: