Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Virtualization of Active Directory Domain Services (AD DS) environments has been ongoing for a number of years. Beginning with Windows Server 2012, AD DS provides greater support for virtualizing domain controllers by introducing virtualization-safe capabilities and enabling rapid deployment of virtual domain controllers through cloning. These new virtualization features provide greater support for public and private clouds, hybrid environments where portions of AD DS exist on-premises and in the cloud, and AD DS infrastructures that reside completely on-premises.

Safe virtualization of domain controllers

Virtual environments present unique challenges to distributed workloads that depend upon a logical clock-based replication scheme. AD DS replication, for example, uses a monotonically increasing value (known as a USN or Update Sequence Number) assigned to transactions on each domain controller. Each domain controller's database instance is also given an identity, known as an InvocationID. The InvocationID of a domain controller and its USN together serve as a unique identifier associated with every write transaction performed on each domain controller and must be unique within the forest.

AD DS replication uses the InvocationID and USNs on each domain controller to determine what changes need to be replicated to other domain controllers. If a domain controller is rolled back in time outside of the domain controller's awareness and a USN is reused for an entirely different transaction, replication will not converge, because other domain controllers will believe they have already received the updates associated with the reused USN under the context of that InvocationID.

For example, the following illustration shows the sequence of events that occurs in Windows Server 2008 R2 and earlier operating systems when USN rollback is detected on VDC2, the destination domain controller that is running on a virtual machine. In this illustration, USN rollback is detected on VDC2 when a replication partner notices that VDC2 has sent an up-to-dateness USN value that the partner has seen previously, which indicates that VDC2's database has been improperly rolled back in time.

[Illustration: USN rollback detected on VDC2 (Windows Server 2008 R2 and earlier)]

A virtual machine (VM) makes it easy for hypervisor administrators to roll back a domain controller's USNs (its logical clock) by, for example, applying a snapshot outside of the domain controller's awareness. For more information about USN and USN rollback, including another illustration to demonstrate undetected instances of USN rollback, see USN and USN Rollback.

Beginning with Windows Server 2012, AD DS virtual domain controllers hosted on hypervisor platforms that expose an identifier called VM-Generation ID can detect and employ the necessary safety measures to protect the AD DS environment if the virtual machine is rolled back in time by the application of a VM snapshot. The VM-GenerationID design uses a hypervisor-vendor independent mechanism to expose this identifier in the address space of the guest virtual machine, so the safe virtualization experience is consistently available on any hypervisor that supports VM-GenerationID. This identifier can be sampled by services and applications running inside the virtual machine to detect whether the virtual machine has been rolled back in time.

How do these virtualization safeguards work?

During domain controller installation, AD DS initially stores the VM GenerationID identifier as part of the msDS-GenerationID attribute on the domain controller's computer object in its database (often referred to as the directory information tree, or DIT). The VM GenerationID is independently tracked by a Windows driver inside the virtual machine.

When an administrator restores the virtual machine from a previous snapshot, the current value of the VM GenerationID from the virtual machine driver is compared against the value in the DIT.

If the two values are different, the InvocationID is reset and the RID pool is discarded, thereby preventing USN reuse. If the values are the same, the transaction is committed as normal.

AD DS also compares the current value of the VM GenerationID from the virtual machine against the value in the DIT each time the domain controller is rebooted and, if they differ, it resets the InvocationID, discards the RID pool and updates the DIT with the new value. It also non-authoritatively synchronizes the SYSVOL folder in order to complete the safe restoration. This extends the safeguards to snapshots applied to VMs that were shut down. These safeguards, introduced in Windows Server 2012, enable AD DS administrators to benefit from the unique advantages of deploying and managing domain controllers in a virtualized environment.
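The two values the safeguards compare are both readable from the directory, so an AD DS administrator can baseline them and later see whether a safeguard has fired. The script below is an added example, not code from the Microsoft page; it assumes the ActiveDirectory PowerShell module (RSAT) and a baseline file path you choose.

```powershell
# Added example (not from the Microsoft page): record the stored VM-GenerationID and the
# InvocationID of a domain controller, then compare a later run against that baseline.
# Assumes the ActiveDirectory module and an account that can read DC objects.
Import-Module ActiveDirectory

function Get-DcVirtualizationState {
    param([Parameter(Mandatory)][string]$DomainController)

    # InvocationID lives on the NTDS Settings object; Get-ADDomainController exposes it directly.
    $dc = Get-ADDomainController -Identity $DomainController

    # msDS-GenerationID on the computer object is the VM-GenerationID value AD DS last stored
    # in the DIT. It is an octet string, so render it as hex for comparison.
    $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationID'
    $gen = $computer.'msDS-GenerationID'
    $genHex = if ($gen) { ($gen | ForEach-Object { $_.ToString('x2') }) -join '' } else { $null }

    [pscustomobject]@{
        DomainController = $dc.HostName
        InvocationId     = $dc.InvocationId.ToString()
        GenerationIdHex  = $genHex   # $null on a physical DC or a hypervisor without VM-GenerationID
        IsVirtualAware   = [bool]$genHex
        SampledAt        = (Get-Date).ToString('o')
    }
}

function Compare-DcVirtualizationState {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$BaselinePath   # JSON written by a previous run (assumed path)
    )
    $current = Get-DcVirtualizationState -DomainController $DomainController
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
        return "Baseline recorded for $($current.DomainController)."
    }
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json

    $findings = @()
    if ($current.GenerationIdHex -ne $baseline.GenerationIdHex) {
        # AD DS rewrites msDS-GenerationID only when a safeguard fires, so a change here means the
        # DC saw a new VM-GenerationID (snapshot restore, import or copy) and re-baselined itself.
        $findings += "Stored VM-GenerationID changed: $($baseline.GenerationIdHex) -> $($current.GenerationIdHex)"
    }
    if ($current.InvocationId -ne $baseline.InvocationId) {
        # The InvocationID reset is the other half of the safeguard; it also changes after a
        # system-state restore from backup, so read both findings together.
        $findings += "InvocationID reset: $($baseline.InvocationId) -> $($current.InvocationId)"
    }
    if ($findings.Count -eq 0) { return 'No change since baseline.' }
    return ($findings -join [Environment]::NewLine)
}

# Placeholder names: VirtualDC1 is the lab DC from this guide; the baseline path is assumed.
Compare-DcVirtualizationState -DomainController 'VirtualDC1' -BaselinePath 'C:\dcstate\VirtualDC1.json'
```

Run it once to record the baseline and again after any snapshot, export or import of the VM; both values changing together is the expected signature of the safeguards having done their job.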

The following illustration shows how virtualization safeguards are applied when the same USN rollback is detected on a virtualized domain controller that runs Windows Server 2012 on a hypervisor that supports VM-GenerationID.

[Illustration: virtualization safeguards applied when the same USN rollback is detected on a Windows Server 2012 virtualized domain controller]

In this case, when the hypervisor detects a change to the VM-GenerationID value, the virtualization safeguards are triggered, including the reset of the InvocationID for the virtualized DC (from A to B in the preceding example) and updating the VM-GenerationID value saved on the VM to match the new value (G2) stored by the hypervisor. The safeguards ensure that replication converges for both domain controllers.

With Windows Server 2012, AD DS employs safeguards on virtual domain controllers hosted on VM-GenerationID aware hypervisors and ensures that the accidental application of snapshots or other such hypervisor-enabled mechanisms that could roll back a virtual machine's state does not disrupt the AD DS environment (by preventing replication problems such as a USN bubble or lingering objects). However, restoring a domain controller by applying a virtual machine snapshot is not recommended as an alternative to backing up a domain controller. It is recommended that you continue to use Windows Server Backup or other VSS-writer based backup solutions.

Warning

If a domain controller in a production environment is accidentally reverted to a snapshot, it is advised that you consult the vendors of the applications and services hosted on that virtual machine for guidance on verifying the state of those programs after the snapshot restore.

For more information, see Virtualized domain controller safe restore architecture.

Virtualized domain controller cloning

Beginning with Windows Server 2012, administrators can easily and safely deploy replica domain controllers by copying an existing virtual domain controller. In a virtual environment, administrators no longer have to repeatedly deploy a server image prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for each replica domain controller.

Note

Administrators need to follow existing processes to deploy the first domain controller in a domain, such as using sysprep.exe to prepare a server virtual hard disk (VHD), promoting the server to a domain controller, and then completing any additional configuration requirements. In a disaster recovery scenario, use the latest server backup to restore the first domain controller in a domain.

Scenarios that benefit from virtual domain controller cloning

  • Rapid deployment of additional domain controllers in a new domain

  • Quickly restore business continuity during disaster recovery by restoring AD DS capacity via rapid deployment of domain controllers using cloning

  • Optimize private cloud deployments by leveraging elastic provisioning of domain controllers to accommodate increased scale requirements

  • Rapid provisioning of test environments, enabling deployment and testing of new features and capabilities before production rollout

  • Quickly meet increased capacity needs in branch offices by cloning existing domain controllers in those branch offices

When rapidly deploying a large number of domain controllers, continue to follow your existing procedures for validating the health of each domain controller after installation finishes. Deploy domain controllers in reasonably sized batches so you can validate their health after each batch of installations is complete. The recommended batch size is 10. For more information, see Steps for deploying a clone virtualized domain controller.

Clear separation of responsibilities

The authorization to clone virtualized domain controllers is under the control of the AD DS administrator. In order for hypervisor administrators to deploy additional domain controllers by copying virtual domain controllers, the AD DS administrator has to select and authorize a domain controller and then run preparatory steps to enable it as a source for cloning.

With virtual machine provisioning typically under the purview of the hypervisor administrator, hypervisor administrators can provision replica domain controller virtual machines by copying virtualized domain controllers that have been authorized and prepared for cloning by the AD DS administrator.

Warning

Anyone allowed to administer the hypervisor that hosts a virtual domain controller must be highly trusted and audited in the environment.

How does virtual domain controller cloning work?

The process of cloning involves making a copy of an existing virtual domain controller's VHD (or, for more complex configurations, the domain controller VM), authorizing it for cloning in AD DS, and creating a clone configuration file. This reduces the number of steps and the time involved in deploying a replica virtual domain controller by eliminating otherwise repetitive deployment tasks.

The clone domain controller uses the following criteria to detect that it is a copy of another domain controller:

  1. The value of the VM-Generation ID supplied by the virtual machine is different from the value of the VM-Generation ID stored in the DIT.

    Note

    The hypervisor platform must support VM-Generation ID (Windows Server 2012 Hyper-V supports VM-Generation ID).

  2. Presence of a file called DCCloneConfig.xml in one of the following locations:

    • The directory where the DIT resides

    • %windir%\NTDS

    • The root of a removable media drive

Once the criteria are met, it goes through the process of cloning to provision itself as a replica domain controller.

The clone domain controller uses the security context of the source domain controller (the domain controller whose copy it represents) to contact the Windows Server 2012 Primary Domain Controller (PDC) emulator operations master role holder (also known as a flexible single master operations, or FSMO, role). The PDC emulator must be running Windows Server 2012, but it does not have to be running on a hypervisor.

Note

If you have a schema extension with attributes that reference the source domain controller and the attribute is on one of the objects copied (computer object, NTDS Settings object) to create the clone, that attribute will not be copied or updated to reference the clone domain controller.

After verifying that the requesting domain controller is authorized for cloning, the PDC emulator creates a new machine identity, including a new account, SID, name, and password, that identifies this machine as a replica domain controller and sends this information back to the clone. The clone domain controller then prepares the AD DS database files to serve as a replica and also cleans up the machine state.

For more information, see Virtualized domain controller cloning architecture.

Cloning components

The cloning components include new cmdlets in the Active Directory module for Windows PowerShell and associated XML files:

  • New-ADDCCloneConfigFile - This cmdlet creates and places DCCloneConfig.xml at the right location to ensure it is available to trigger cloning. It also performs prerequisite checks to ensure successful cloning. It is included in the Active Directory module for Windows PowerShell. You can run it locally on a virtualized domain controller that is being prepared for cloning, or you can run it remotely using the -Offline option. You can specify settings for the clone domain controller, such as its name, site, and IP address.

    The prerequisite checks that it performs are:

    Note

    The prerequisite checks are not performed when the -Offline option is used. For more information, see Running New-ADDCCloneConfigFile in offline mode.

    • The DC being prepared is authorized for cloning (is a member of the Cloneable Domain Controllers group)

    • The PDC emulator runs Windows Server 2012.

    • Any programs or services listed by running Get-ADDCCloningExcludedApplicationList are included in CustomDCCloneAllowList.xml (explained in more detail at the end of this list of cloning components).

  • DCCloneConfig.xml - To successfully clone a virtualized domain controller, this file must be present in the directory where the DIT resides, in %windir%\NTDS, or at the root of a removable media drive. Besides being used as one of the triggers to detect and initiate cloning, it also provides a means to specify configuration settings for the clone domain controller.

    The schema and a sample file for the DCCloneConfig.xml file are stored on all Windows Server 2012 computers at:

    • %windir%\system32\DCCloneConfigSchema.xsd

    • %windir%\system32\SampleDCCloneConfig.xml

    It is recommended that you use the New-ADDCCloneConfigFile cmdlet to create the DCCloneConfig.xml file. Although you could also use the schema file with an XML-aware editor to create this file, manually editing the file increases the likelihood of errors. If you edit the file, it must be done by using an XML-aware editor, such as Visual Studio, XML Notepad, or a third-party application (do not use Notepad).

  • Get-ADDCCloningExcludedApplicationList - This cmdlet is run on the source domain controller before beginning the cloning process to determine which services or installed programs are not on the default supported list, DefaultDCCloneAllowList.xml, or in a user-defined inclusion list file named CustomDCCloneAllowList.xml, and thereby have not been evaluated for cloning impact.

    This cmdlet searches the source domain controller for services in the Service Control Manager, and installed programs listed under HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall, that are not specified in the default list (DefaultDCCloneAllowList.xml) or, if one is provided, the user-defined inclusion list (the CustomDCCloneAllowList.xml file). The list of applications and services returned by running the cmdlet is the difference between what has already been provided in the DefaultDCCloneAllowList.xml or CustomDCCloneAllowList.xml file and the list that is constructed at run time, based on what is installed on the source DC. The services and programs output by Get-ADDCCloningExcludedApplicationList can be added to the CustomDCCloneAllowList.xml file if you determine that they can be safely cloned. To determine whether a service or installed program can be safely cloned, evaluate the following conditions:

    • Is the service or installed program affected by the machine identity, such as name, SID, password, and so on?

    • Does the service or installed program store any state locally on the computer that might affect its functionality on the clone?

    You must work with the software vendor of the application to determine whether the service or program can be safely cloned.

    Note

    Before provisioning additional services or programs in the CustomDCCloneAllowList.xml file, verify whether you have the necessary license to copy the software contained on that virtual machine.

    If the applications are not cloneable, remove them from the source domain controller before you create the clone media. If an application appears in the cmdlet output but is not included in the CustomDCCloneAllowList.xml file, cloning will fail. For cloning to succeed, the cmdlet output should not list any services or programs. In other words, an application must either be included in the CustomDCCloneAllowList.xml file or removed from the source domain controller.

    The following table explains the options for running Get-ADDCCloningExcludedApplicationList.

    Argument        Explanation
    (none)          Displays a list of services or programs on the console that have not been accounted for in cloning. If there is already a CustomDCCloneAllowList.XML in any of the permissible locations, it uses that file to display the remaining services and programs (which may be nothing if the lists match).
    -GenerateXml    Creates the CustomDCCloneAllowList.XML file populated with the services and programs listed on the console.
    -Force          Overwrites an existing CustomDCCloneAllowList.XML file.
    -Path           Folder path in which to create the CustomDCCloneAllowList.XML.
  • DefaultDCCloneAllowList.xml - This file is present by default on every Windows Server 2012 domain controller in %windir%\system32. It lists the services and installed programs that can be safely cloned by default. You must not change the location or contents of this file, or cloning will fail.

  • CustomDCCloneAllowList.xml - If you have services or installed programs on your source domain controller that are outside of those listed in the DefaultDCCloneAllowList.xml file, those services and programs must be included in this file. To find the services or installed programs that are not listed in the DefaultDCCloneAllowList.xml file, run the Get-ADDCCloningExcludedApplicationList cmdlet. You should use the -GenerateXml argument to generate the XML file.

    The cloning process checks the following locations, in order, for this file and uses the first XML file found, regardless of the other folders' contents:

    1. The following registry key:

      HKey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters
      AllowListFolder (REG_SZ)
      
    2. DSA Working Directory

    3. %systemroot%\NTDS

    4. Removable read/write media, in order of drive letter, at the root of the drive
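The pre-clone workflow above (resolve which CustomDCCloneAllowList.xml is in effect, confirm that Get-ADDCCloningExcludedApplicationList returns nothing, then write DCCloneConfig.xml) as a script run on the source DC. This is an added example, not code from the Microsoft page; it assumes the ActiveDirectory module, and the clone name, site and addresses at the bottom are placeholders.

```powershell
# Added example (not from the Microsoft page): pre-clone check for a source virtualized DC.
# Assumes the ActiveDirectory module; run on the source DC from an elevated prompt.
Import-Module ActiveDirectory

function Resolve-CustomDCCloneAllowList {
    # The documented search order; the first file found wins, whatever the other folders hold.
    $ntds   = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
    $params = Get-ItemProperty -Path $ntds
    $candidates = @(
        $params.AllowListFolder,              # 1. AllowListFolder (REG_SZ), if set
        $params.'DSA Working Directory',      # 2. DSA working directory
        (Join-Path $env:SystemRoot 'NTDS')    # 3. %systemroot%\NTDS
    )
    # 4. Root of removable read/write media, in drive-letter order (Win32 DriveType 2 = removable)
    $candidates += Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
        Sort-Object DeviceID | ForEach-Object { $_.DeviceID + '\' }

    foreach ($dir in $candidates) {
        if ([string]::IsNullOrWhiteSpace($dir)) { continue }
        $file = Join-Path $dir 'CustomDCCloneAllowList.xml'
        if (Test-Path -LiteralPath $file) { return $file }
    }
    return $null
}

function Test-DcReadyForCloning {
    # $true when every installed service/program is covered by the default or custom allow list.
    $allowList = Resolve-CustomDCCloneAllowList
    if ($allowList) { Write-Host "Custom allow list in effect: $allowList" }
    else            { Write-Host 'No CustomDCCloneAllowList.xml found; only DefaultDCCloneAllowList.xml applies.' }

    $excluded = @(Get-ADDCCloningExcludedApplicationList)
    if ($excluded.Count -eq 0) { return $true }

    # Anything listed here has not been evaluated for cloning impact. The list is deliberately
    # not auto-generated: confirm with each vendor first, or remove the software from the source DC.
    Write-Warning 'The following items are not covered by the allow lists; cloning would fail:'
    $excluded | Out-String | Write-Host
    return $false
}

function New-CloneConfigForReplica {
    param(
        [Parameter(Mandatory)][string]$CloneName,
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$IPv4Address,
        [Parameter(Mandatory)][string]$IPv4SubnetMask,
        [Parameter(Mandatory)][string]$IPv4DefaultGateway,
        [Parameter(Mandatory)][string[]]$IPv4DNSResolver
    )
    if (-not (Test-DcReadyForCloning)) {
        throw 'Resolve the excluded applications before creating DCCloneConfig.xml.'
    }
    # New-ADDCCloneConfigFile writes DCCloneConfig.xml where the DIT resides and repeats the
    # documented prerequisite checks (Cloneable Domain Controllers membership, PDC emulator OS level).
    New-ADDCCloneConfigFile -CloneComputerName $CloneName -SiteName $SiteName -Static `
        -IPv4Address $IPv4Address -IPv4SubnetMask $IPv4SubnetMask `
        -IPv4DefaultGateway $IPv4DefaultGateway -IPv4DNSResolver $IPv4DNSResolver
}

# Placeholder values; replace with the clone's real name, site and addressing.
New-CloneConfigForReplica -CloneName 'VirtualDC2' -SiteName 'Default-First-Site-Name' `
    -IPv4Address '10.0.0.20' -IPv4SubnetMask '255.255.255.0' -IPv4DefaultGateway '10.0.0.1' `
    -IPv4DNSResolver @('10.0.0.10')
```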

Deployment scenarios

The following deployment scenarios are supported for virtual domain controller cloning:

  • Deploy a clone domain controller by making a copy of a source domain controller's virtual hard disk (VHD) file.

  • Deploy a clone domain controller by copying the virtual machine of a source domain controller using the export/import semantics exposed by the hypervisor.

Note

The steps in the section Steps for deploying a clone virtualized domain controller demonstrate copying a virtual machine using the export/import feature of Windows Server 2012 Hyper-V.

Steps for deploying a clone virtualized domain controller

Prerequisites

  • To complete the steps in the following procedures, you must be a member of the Domain Admins group or have the equivalent permissions assigned to you.

  • The Windows PowerShell commands used in this guide must be run from an elevated command prompt. To do this, right-click the Windows PowerShell icon, and then click Run as administrator.

  • A Windows Server 2012 server with the Hyper-V server role installed (HyperV1).

  • A second Windows Server 2012 server with the Hyper-V server role installed (HyperV2).

    Note

    • If you are using another hypervisor, you should contact the vendor of that hypervisor to verify whether the hypervisor supports VM-Generation ID. If the hypervisor does not support VM-Generation ID and you have provided a DCCloneConfig.xml, the new VM will boot into Directory Services Restore Mode (DSRM).
    • To increase the availability of the AD DS service, this guide recommends and provides instructions using two different Hyper-V hosts, which helps avoid a potential single point of failure. However, you do not need two Hyper-V hosts to perform virtual domain controller cloning.
    • You need to be a member of the local Administrators group on each Hyper-V server (HyperV1 and HyperV2).
    • In order to successfully import and export a VHD file using Hyper-V, the virtual network switches on both Hyper-V hosts should have the same name. For example, if you have a virtual network switch on HyperV1 named VNet, then there needs to be a virtual network switch on HyperV2 named VNet.
    • If the two Hyper-V hosts (HyperV1 and HyperV2) have different processors, shut down the virtual machine (VirtualDC1) that you plan to export, right-click the VM, click Settings, click Processor, and under Processor compatibility select Migrate to a physical computer with a different processor version, and click OK.
  • A deployed Windows Server 2012 domain controller (virtualized or physical) that hosts the PDC emulator role (DC1). To verify whether the PDC emulator role is hosted on a Windows Server 2012 domain controller, run the following Windows PowerShell command:

    Get-ADComputer (Get-ADDomainController -Discover -Service "PrimaryDC").Name -Property OperatingSystemVersion | fl
    

    The OperatingSystemVersion value should be returned as version 6.2. If necessary, you can transfer the PDC emulator role to a domain controller that runs Windows Server 2012. For more information, see Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller.

  • A deployed Windows Server 2012 guest virtualized domain controller (VirtualDC1) that is in the same domain as the Windows Server 2012 domain controller hosting the PDC emulator role (DC1). This will be the source domain controller used for cloning. The guest virtual domain controller will be hosted on a Windows Server 2012 Hyper-V server (HyperV1).

    Note

    • For cloning to succeed, the source domain controller that is used to create the clone cannot be a DC that has been demoted since the source VHD media was created.
    • Shut down the source domain controller prior to copying the VM or its VHD.
    • You should not clone a VHD or restore a snapshot that is older than the tombstone lifetime value (or the deleted object lifetime value if Active Directory Recycle Bin is enabled). If you are copying a VHD of an existing domain controller, be sure the VHD file is not older than the tombstone lifetime value (by default, 60 days). You should not copy a VHD of a running domain controller to create clone media.

    Eject any virtual floppy drive (VFD) the source DC may have. It can cause a sharing problem when trying to import the new VM.

    Only Windows Server 2012 domain controllers hosted on a VM-GenerationID hypervisor can be used as a source for cloning. The source Windows Server 2012 domain controller used for cloning should be in a healthy state. To determine the state of the source domain controller, run dcdiag. To gain a better understanding of the output returned by dcdiag, see What does DCDIAG actually...do?.

    If the source domain controller is a DNS server, the cloned domain controller will also be a DNS server. You should choose a DNS server that hosts only Active Directory-integrated zones.

    DNS client settings are not cloned but are instead specified in the DCCloneConfig.xml file. If they are not specified, the cloned domain controller will point to itself as the Preferred DNS server by default. The cloned domain controller will not have a DNS delegation. The administrator of the parent DNS zone should update the DNS delegation for the cloned domain controller as needed.

    Warning

    The virtualization safeguards do not extend to Active Directory Lightweight Directory Services (AD LDS). Therefore you should not attempt to clone an AD DS domain controller that hosts an AD LDS instance by adding that AD LDS instance to the CustomDCCloneAllowList.xml. Because AD LDS is not VM-Generation ID aware, cloning a domain controller with AD LDS can cause USN rollback-induced divergence in that AD LDS configuration set.

    The following server roles are not supported for cloning:

    • Dynamic Host Configuration Protocol (DHCP)

    • Active Directory Certificate Services (AD CS)

    • Active Directory Lightweight Directory Services (AD LDS)

Step 1: Grant the source virtualized domain controller the permission to be cloned

In this procedure, you grant the source domain controller the permission to be cloned by using Active Directory Administrative Center to add it to the Cloneable Domain Controllers group.

To grant the source virtualized domain controller the permission to be cloned
  1. On any domain controller in the same domain as the domain controller being prepared for cloning (VirtualDC1), open Active Directory Administrative Center (ADAC), locate the virtualized domain controller's computer object (domain controllers are usually found under the Domain Controllers container in ADAC), right-click it, choose Add to group, type Cloneable Domain Controllers under Enter the object name to select, and click OK.

    The group membership change made in this step must replicate to the PDC emulator before cloning can proceed. If the Cloneable Domain Controllers group does not exist, the PDC emulator role is probably not held by a domain controller running Windows Server 2012 or later; the group is created once a domain controller of that version holds the PDC emulator role.

    Note

    To open ADAC on a Windows Server 2012 domain controller, open Windows PowerShell and type dsac.exe.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet performs the same function as the preceding procedure:

Add-ADGroupMember -Identity "CN=Cloneable Domain Controllers,CN=Users,DC=Fabrikam,DC=com" -Members "CN=VirtualDC1,OU=Domain Controllers,DC=Fabrikam,DC=com"

Step 2: Run the Get-ADDCCloningExcludedApplicationList cmdlet

In this procedure, run the Get-ADDCCloningExcludedApplicationList cmdlet on the source virtualized domain controller to identify any programs or services that have not been evaluated for cloning. Run it before New-ADDCCloneConfigFile: if New-ADDCCloneConfigFile detects an excluded application, it does not create the DCCloneConfig.xml file.

To identify applications or services on the source domain controller that have not been evaluated for cloning
  1. On the source domain controller (VirtualDC1), click Server Manager, click Tools, click Active Directory Module for Windows PowerShell, and type the following command:

Get-ADDCCloningExcludedApplicationList

  2. Vet the returned list of services and installed programs with each software vendor to determine whether they can be safely cloned. Any application or service in the list that cannot be safely cloned must be removed from the source domain controller, or cloning will fail.

  3. For the services and installed programs determined to be safe to clone, run the command again with the -GenerateXml switch to record them in the CustomDCCloneAllowList.xml file:

Get-ADDCCloningExcludedApplicationList -GenerateXml
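The following script is an added example, not code from the original article or from Microsoft; it ties Step 1 and Step 2 together with the checks a practitioner would want before moving on: that the Cloneable Domain Controllers group exists (which implies the PDC emulator is on Windows Server 2012 or later), that a global catalog is reachable, that the group membership has actually replicated to the PDC emulator and the GC, and that nothing is left on the excluded application list. VirtualDC1 is an assumed name; everything else is read from the domain the session is joined to. Run it in an elevated Active Directory module session on the source DC.

```powershell
# Added example (not part of the original article): pre-clone checks for Step 1 and Step 2.
# Assumes the session runs on the source DC as a domain administrator. VirtualDC1 is an assumed name.
Import-Module ActiveDirectory

$SourceDc = 'VirtualDC1'
$Domain   = Get-ADDomain
$Pdc      = $Domain.PDCEmulator                      # FQDN of the PDC emulator

# The group exists only once a Windows Server 2012 (or later) DC holds the PDC emulator role.
$Group = Get-ADGroup -Identity 'Cloneable Domain Controllers' -ErrorAction SilentlyContinue
if (-not $Group) {
    $PdcOs = (Get-ADDomainController -Identity $Pdc).OperatingSystem
    throw "Cloneable Domain Controllers is missing; PDC emulator $Pdc runs '$PdcOs'."
}

# New-ADDCCloneConfigFile needs a reachable global catalog, preferably in the source DC's site.
$SourceSite = (Get-ADDomainController -Identity $SourceDc).Site
$Gc = Get-ADDomainController -Discover -Service GlobalCatalog -SiteName $SourceSite -ErrorAction SilentlyContinue
if (-not $Gc) { $Gc = Get-ADDomainController -Discover -Service GlobalCatalog -ErrorAction SilentlyContinue }
if (-not $Gc) { throw 'No global catalog is reachable; New-ADDCCloneConfigFile would fail with "The server is not operational."' }
$GcHost = [string]$Gc.HostName

# Step 1: authorize the source DC by adding its computer object to the group.
$SourceComputer = Get-ADComputer -Filter "Name -eq '$SourceDc'"
if (-not $SourceComputer) { throw "Computer object for $SourceDc was not found." }
Add-ADGroupMember -Identity $Group -Members $SourceComputer

# The membership write must reach the PDC emulator and the GC before cloning starts.
# Sync-ADObject replicates a single object from the DC that took the write to each destination.
$Local = (Get-ADDomainController).HostName
foreach ($Dest in @($Pdc, $GcHost) | Select-Object -Unique) {
    if ($Dest -ne $Local) { Sync-ADObject -Object $Group -Source $Local -Destination $Dest }
}
foreach ($Server in @($Pdc, $GcHost) | Select-Object -Unique) {
    $Names = Get-ADGroupMember -Identity $Group -Server $Server | Select-Object -ExpandProperty Name
    if ($Names -notcontains $SourceDc) { throw "Membership of $SourceDc is not yet visible on $Server." }
}

# Step 2: list applications that have not been evaluated for cloning. Each entry must be vetted
# with its vendor (then allow-listed with -GenerateXml) or removed, otherwise cloning fails.
$Excluded = Get-ADDCCloningExcludedApplicationList
if ($Excluded) {
    Write-Warning 'Services/programs not yet evaluated for cloning:'
    $Excluded | Format-Table Name, Type -AutoSize
    # After vetting, and only then, record them in CustomDCCloneAllowList.xml:
    # Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
} else {
    Write-Output "No excluded applications on $SourceDc; New-ADDCCloneConfigFile can run."
}
```

The script deliberately stops rather than continuing when a check fails, because each failure maps to a documented cloning failure mode: a missing group means the PDC emulator is too old, an unreachable GC makes New-ADDCCloneConfigFile fail, and an unreplicated membership or an unvetted application makes the clone boot into DSRM later.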

Step 3: Run New-ADDCCloneConfigFile

Run New-ADDCCloneConfigFile on the source domain controller and, optionally, specify settings for the clone domain controller such as its name, IP address, and DNS resolvers.

For example, to create a clone domain controller named VirtualDC2 with a static IPv4 address, type:

New-ADDCCloneConfigFile -Static -IPv4Address "10.0.0.2" -IPv4DNSResolver "10.0.0.1" -IPv4SubnetMask "255.255.255.0" -CloneComputerName "VirtualDC2" -IPv4DefaultGateway "10.0.0.3" -SiteName "REDMOND"

Note

The clone domain controller is placed in the same site as the source domain controller unless a different site is specified in the DCCloneConfig.xml file. Specify a site in DCCloneConfig.xml that matches the clone's IP address.

The computer name is optional. If you do not specify one, a unique name is generated as follows:

  • The prefix is the first 8 characters of the source domain controller's computer name. For example, a source computer name of SourceComputer is truncated to the prefix SourceCo.

  • A unique suffix of the form -CLnnnn is appended to the prefix, where nnnn is the next value in the range 0001-9999 that the PDC emulator determines is not currently in use. For example, if 0047 is the next available number, the clone derived from SourceCo is named SourceCo-CL0047.

Note

A global catalog server (GC) is required for New-ADDCCloneConfigFile to succeed, and the source domain controller's membership in the Cloneable Domain Controllers group must already be reflected on that GC. The GC does not need to be the same domain controller as the PDC emulator, but it should preferably be in the same site. If no GC is available, the command fails with the error "The server is not operational." For more information, see Virtualized Domain Controller Troubleshooting.

To create a clone domain controller named Clone1 with static IPv4 settings and preferred and alternate WINS servers, type:

New-ADDCCloneConfigFile -CloneComputerName "Clone1" -Static -IPv4Address "10.0.0.5" -IPv4DNSResolver "10.0.0.1" -IPv4SubnetMask "255.255.0.0" -PreferredWinsServer "10.0.0.1" -AlternateWinsServer "10.0.0.2"

Note

If you specify WINS servers, you must specify both -PreferredWINSServer and -AlternateWINSServer. If you specify only one of them, cloning fails with error code 0x80041005 in dcpromo.log.

To create a clone domain controller named Clone2 with dynamic IPv4 settings, type:

New-ADDCCloneConfigFile -CloneComputerName "Clone2" -IPv4DNSResolver "10.0.0.1"

Note

In this case there must be a DHCP server in the environment that the clone can reach, from which it obtains its IP address and the other network settings it needs.

To create a clone domain controller named Clone2 with dynamic IPv4 settings and preferred and alternate WINS servers, type:

New-ADDCCloneConfigFile -CloneComputerName "Clone2" -IPv4DNSResolver "10.0.0.1" -SiteName "REDMOND" -PreferredWinsServer "10.0.0.1" -AlternateWinsServer "10.0.0.2"

To create a clone domain controller with dynamic IPv6 settings, type:

New-ADDCCloneConfigFile -IPv6DNSResolver "2002:4898:e0:31fc:d61:2b0a:c9c9:2ccc"

To create a clone domain controller with static IPv6 settings, type:

New-ADDCCloneConfigFile -Static -IPv6DNSResolver "2002:4898:e0:31fc:d61:2b0a:c9c9:2ccc"

Note

For IPv6, the only difference between the static and dynamic forms is the -Static switch. With -Static, at least one IPv6DNSResolver must be specified; the static IPv6 address itself is expected to be configured through stateless address autoconfiguration (SLAAC) from router-assigned prefixes. With dynamic IPv6, DNS resolvers are optional, but the clone must be able to reach an IPv6-enabled DHCP server on its subnet to obtain its IPv6 address and DNS configuration.

Running New-ADDCCloneConfigFile in offline mode

If you have multiple copies of source domain controller media that have already been prepared for cloning (the source domain controller is authorized for cloning, Get-ADDCCloningExcludedApplicationList has been run, and so on) and you want different settings for each copy, you can run New-ADDCCloneConfigFile in offline mode. This can be more efficient than preparing each VM individually, for example by importing each copy.

In this case, a domain administrator mounts the offline disk and uses Remote Server Administration Tools (RSAT) to run New-ADDCCloneConfigFile with the -Offline argument, which writes the XML file onto the mounted disk; this allows factory-like automation using the Windows PowerShell options introduced in Windows Server 2012. For details on mounting the offline disk for this purpose, see Adding XML to the Offline System Disk.

Run the cmdlet locally on the source media first to confirm that the prerequisite checks pass. The prerequisite checks are skipped in offline mode, because the cmdlet may be run from a computer that is not in the same domain, or not domain-joined at all. The local run creates a DCCloneConfig.xml file; you may delete it if you then intend to use offline mode.

To create a clone domain controller named CloneDC1 in offline mode, in a site called REDMOND, with a static IPv4 address, type the following (-Path points at the NTDS directory of the mounted offline system disk, F: in this example):

New-ADDCCloneConfigFile -Offline -CloneComputerName CloneDC1 -SiteName REDMOND -IPv4Address "10.0.0.2" -IPv4DNSResolver "10.0.0.1" -IPv4SubnetMask "255.255.0.0" -IPv4DefaultGateway "10.0.0.1" -Static -Path F:\Windows\NTDS

To create a clone domain controller named Clone2 in offline mode with static IPv4 and static IPv6 settings, type:

New-ADDCCloneConfigFile -Offline -IPv4Address "10.0.0.2" -IPv4DNSResolver "10.0.0.1" -IPv4SubnetMask "255.255.0.0" -Static -IPv6DNSResolver "2002:4898:e0:31fc:d61:2b0a:c9c9:2ccc" -CloneComputerName "Clone2" -PreferredWINSServer "10.0.0.1" -AlternateWINSServer "10.0.0.3" -Path F:\Windows\NTDS

To create a clone domain controller in offline mode with static IPv4 and dynamic IPv6 settings, and multiple DNS servers as resolvers, type:

New-ADDCCloneConfigFile -Offline -IPv4Address "10.0.0.10" -IPv4SubnetMask "255.255.0.0" -IPv4DefaultGateway "10.0.0.1" -IPv4DNSResolver @( "10.0.0.1","10.0.0.2" ) -Static -IPv6DNSResolver "2002:4898:e0:31fc:d61:2b0a:c9c9:2ccc" -Path F:\Windows\NTDS

To create a clone domain controller named Clone1 in offline mode with dynamic IPv4 and static IPv6 settings, type:

New-ADDCCloneConfigFile -Offline -Static -IPv6DNSResolver "2002:4898:e0:31fc:d61:2b0a:c9c9:2ccc" -CloneComputerName "Clone1" -PreferredWINSServer "10.0.0.1" -AlternateWINSServer "10.0.0.3" -SiteName "REDMOND" -Path F:\Windows\NTDS

To create a clone domain controller in offline mode with dynamic IPv4 and dynamic IPv6 settings, type:

New-ADDCCloneConfigFile -Offline -IPv4DNSResolver "10.0.0.1" -IPv6DNSResolver "2002:4898:e0:31fc:d61:2b0a:c9c9:2ccc" -Path F:\Windows\NTDS

Step 4: Export and then import the virtual machine of the source domain controller

In this procedure, export the virtual machine of the source virtualized domain controller and then import it. The import creates a clone virtualized domain controller in your domain.

You need to be a member of the local Administrators group on each Hyper-V host. If you use different credentials for each host, run the Windows PowerShell cmdlets that export and import the VM in separate Windows PowerShell sessions.

If there are snapshots on the source domain controller, delete them before exporting it: the VM will not import if a snapshot has processor settings that are incompatible with the target Hyper-V host. If the processor settings are compatible between the source and target Hyper-V hosts, you may export and copy the source without deleting snapshots first; after import, however, the snapshots must be deleted from the clone VM before it is started.

To copy a virtual domain controller by exporting and then importing the virtualized source domain controller
  1. On HyperV1, shut down the source domain controller (VirtualDC1).

    Windows PowerShell equivalent commands

    Stop-VM -Name VirtualDC1 -ComputerName HyperV1

  2. On HyperV1, delete the snapshots and then export the source domain controller (VirtualDC1) to the c:\CloneDCs directory.

Note

Delete all associated snapshots. Each time a snapshot is taken, a new AVHD file is created that acts as a differencing disk, so the snapshots form a chain. If snapshots exist and you insert the DCCloneConfig.xml file into a VHD, you may end up creating a clone from an older version of the DIT, or inserting the configuration file into the wrong VHD file. Deleting the snapshots merges all of the AVHDs into the base VHD.

Windows PowerShell equivalent commands

Get-VMSnapshot VirtualDC1 | Remove-VMSnapshot -IncludeAllChildSnapshots
Export-VM -Name VirtualDC1 -ComputerName HyperV1 -Path c:\CloneDCs\VirtualDC1

  3. Copy the folder virtualdc1 to the c:\Import directory of HyperV2.

  4. On HyperV2, using Hyper-V Manager, import the virtual machine (with the Import Virtual Machine wizard) from the folder c:\Import\virtualdc1 and delete all associated snapshots.

Use the Copy the virtual machine (create a new unique ID) option when importing the virtual machine.

Windows PowerShell equivalent commands

$path = Get-ChildItem "C:\CloneDCs\VirtualDC1\VirtualDC1\Virtual Machines"
$vm = Import-VM -Path $path.fullname -Copy -GenerateNewId
Rename-VM $vm VirtualDC2

To create multiple clone domain controllers from the same source domain controller:

  • UI: in the Import Virtual Machine wizard, specify new locations for the virtual machine configuration folder, the snapshot store, and the smart paging folder, and a different location for the virtual hard disks.

  • Windows PowerShell: specify new locations for the virtual machine with the following Import-VM parameters:

    $path = Get-ChildItem "C:\CloneDCs\VirtualDC1\VirtualDC1\Virtual Machines"
    Import-VM -Path $path.fullname -Copy -GenerateNewId -ComputerName HyperV2 -VhdDestinationPath "path" -SnapshotFilePath "path" -SmartPagingFilePath "path" -VirtualMachinePath "path"

Note

The recommended batch size for creating multiple clone domain controllers simultaneously is 10. The maximum is bounded by the number of outbound replication connections, which by default is 16 for Distributed File System Replication (DFSR) and 10 for File Replication Service (FRS). Do not deploy more than the recommended number of clone domain controllers simultaneously unless you have thoroughly tested that number in your environment.

  5. On HyperV1, restart the source domain controller (VirtualDC1) to bring it back online.

Windows PowerShell equivalent commands

Start-VM -Name VirtualDC1 -ComputerName HyperV1

  6. On HyperV2, start the virtual machine (VirtualDC2) to bring it online as a clone domain controller in the domain.

Windows PowerShell equivalent commands

Start-VM -Name VirtualDC2 -ComputerName HyperV2

Note

The PDC emulator must be running for cloning to succeed. If it was shut down, make sure it has started and completed initial synchronization, so that it knows it holds the PDC emulator role. For more information, see Microsoft KB article 305476.

After cloning completes, check the clone's computer name to confirm that the cloning operation succeeded, and verify that the VM did not start in Directory Services Restore Mode (DSRM). If you try to log on and receive an error stating that no logon servers are available, try logging on in DSRM. If the DC did not clone successfully and has booted into DSRM, check the logs in Event Viewer and the dcpromo logs in the %systemroot%\debug folder.

The cloned domain controller is a member of the Cloneable Domain Controllers group, because it copies that membership from the source domain controller. As a best practice, leave the Cloneable Domain Controllers group empty until you are ready to perform cloning operations, and remove its members once the cloning operations are complete, so that no domain controller stays authorized for cloning longer than necessary.

If the source domain controller holds backup media, the cloned domain controller holds the same backup media. Run wbadmin get versions on the cloned domain controller to list it. A member of the Domain Admins group should delete the backup media on the cloned domain controller so that it cannot be restored by accident. For how to delete a system state backup with wbadmin.exe, see Wbadmin delete systemstatebackup.
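The following script is an added example, not code from the original article or from Microsoft; it performs the post-clone checks and clean-up the preceding paragraphs describe on the clone itself: confirming the name changed, detecting a DSRM boot through the BCD safeboot entry (the same setting msconfig shows as Safe boot / Active Directory repair), emptying the Cloneable Domain Controllers group, and listing any inherited backup versions with the wbadmin command that removes them. VirtualDC1 is an assumed source name; run it in an elevated Active Directory module session on the clone after its first boot.

```powershell
# Added example (not part of the original article): post-clone verification and clean-up.
# Assumes it runs on the clone as a domain administrator. VirtualDC1 is an assumed source name.
Import-Module ActiveDirectory

$SourceDc = 'VirtualDC1'
$Me       = $env:COMPUTERNAME

# 1. A successful clone carries a new name: the one from DCCloneConfig.xml, or <8-char prefix>-CLnnnn.
if ($Me -ieq $SourceDc) { throw "This machine is still named $SourceDc; cloning has not run." }

# 2. A failed clone boots into DSRM and stays there. The flag is the BCD 'safeboot DsRepair' entry.
$InDsrm = bcdedit /enum '{current}' | Select-String -Pattern '^\s*safeboot\s+DsRepair' -Quiet
if ($InDsrm) {
    Write-Warning 'Booted into DSRM. Relevant lines from the most recent dcpromo log:'
    Get-ChildItem "$env:SystemRoot\debug\dcpromo*.log" | Sort-Object LastWriteTime | Select-Object -Last 1 |
        ForEach-Object { Select-String -Path $_.FullName -Pattern 'clon|fail|error' }
    # Only if dcpromo.log does not say cloning cannot be retried, clear the flag and reboot:
    #   bcdedit /deletevalue '{current}' safeboot
    return
}

# 3. Confirm the clone came up as a normal domain controller.
if ((Get-Service NTDS).Status -ne 'Running') { throw 'NTDS is not running on the clone.' }
$Self = Get-ADDomainController -Identity $Me
$Dns  = (Get-Service DNS -ErrorAction SilentlyContinue).Status
Write-Output ("Clone {0} is in site {1}; GlobalCatalog={2}; DNS service={3}" -f $Self.HostName, $Self.Site, $Self.IsGlobalCatalog, $Dns)

# 4. The clone inherited the source's Cloneable Domain Controllers membership. Empty the group
#    again so that neither DC remains authorized for cloning.
$Group    = Get-ADGroup -Identity 'Cloneable Domain Controllers'
$ToRemove = Get-ADGroupMember -Identity $Group | Where-Object { $_.Name -in @($Me, $SourceDc) }
if ($ToRemove) { Remove-ADGroupMember -Identity $Group -Members $ToRemove -Confirm:$false }

# 5. Backup media copied from the source must not be restorable on the clone. Report each
#    version identifier together with the wbadmin command that deletes it (run by a Domain Admin).
$Versions = wbadmin get versions 2>$null
foreach ($Line in ($Versions | Select-String -Pattern 'Version identifier:\s*(\S+)')) {
    $Id = $Line.Matches[0].Groups[1].Value
    Write-Warning "Backup $Id is present on $Me. Remove it with: wbadmin delete systemstatebackup -version:$Id"
}
```

The script only reports the backup versions instead of deleting them, because wbadmin delete systemstatebackup is irreversible and the article reserves that step for a Domain Admin; likewise the DSRM flag is printed, not cleared, until dcpromo.log has been read.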

Troubleshooting

If the clone domain controller (VirtualDC2) starts in Directory Services Restore Mode (DSRM), it does not return to normal mode on its own at the next reboot. To log on to a domain controller that started in DSRM, use .\Administrator and the DSRM password.

Correct the cause of the cloning failure and check that dcpromo.log does not state that cloning cannot be retried. If cloning cannot be retried, discard the media securely; it still contains a full copy of the directory database. If cloning can be retried, remove the DS Restore Mode boot flag before trying again:

  1. Open an elevated command prompt (right-click Command Prompt and choose Run as administrator) and type msconfig.

  2. On the Boot tab, under Boot options, clear Safe boot (it is selected, with the Active Directory repair option enabled).

  3. Click OK and restart when prompted.

For more troubleshooting information about virtualized domain controllers, see Virtualized Domain Controller Troubleshooting.