Virtualized Domain Controller Cloning Test Guidance for Application Vendors

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains what application vendors should consider to help ensure their application continues to work as expected after the virtualized domain controller (DC) cloning process completes. It covers those aspects of the cloning process that interest application vendors and scenarios that may warrant additional testing. Application vendors who have validated that their application works on virtualized domain controllers that have been cloned are encouraged to list the name of the application in the Community Content at the bottom of this topic, along with a link to your organization's web site where users can learn more about the validation.

Overview of virtualized DC cloning

The virtualized domain controller cloning process is described in detail in Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100) and Virtualized Domain Controller Technical Reference (Level 300). From an application vendor's perspective, these are some considerations to take into account when assessing the impact of cloning to your application:

  • The original computer is not destroyed. It remains on the network, interacting with clients. Unlike a rename where the DNS records of the original computer are removed, the original records for the source domain controller remain.

  • During the cloning process, the new computer is initially running for a brief period of time under the identity of the old computer until the cloning process is initiated and makes the necessary changes. Applications that create records about the host should ensure that the cloned computer does not overwrite records about the original host during the cloning process.

  • Cloning is a specific deployment capability for only virtualized domain controllers, not a general purpose extension to clone other server roles. Some server roles are specifically not supported for cloning:

    • Dynamic Host Configuration Protocol (DHCP)

    • Active Directory Certificate Services (AD CS)

    • Active Directory Lightweight Directory Services (AD LDS)

  • As part of the cloning process, the entire VM that represents the original DC is copied, so any application state on that VM is also copied. Validate that the application adapts to this change in state of the local host on the cloned DC, or if any intervention is required, such as a service restart.

  • As part of cloning, the new DC gets a new machine identity and provisions itself as a replica DC in the topology. Validate whether the application depends on the machine identity, such as its name, account, SID, and so on. Does it automatically adapt to the change of machine identity on the clone? If that application caches data, ensure that it does not rely on machine identity data that may be cached.
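One way a vendor service could test for stale cached identity at startup, as an added example that is not part of the original topic or Microsoft's code. The cache path and JSON layout are hypothetical; the comparison covers the name, machine account SID and IP addresses that the considerations above say change on a clone.

```powershell
# Added example. The cache path and its JSON layout are hypothetical.
$cachePath = 'C:\ProgramData\ContosoAgent\host-identity.json'

function Get-HostIdentity {
    # Resolve the machine account (NAME$) to its SID. If the account cannot be
    # resolved, report $null so the caller treats the identity as unsettled.
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    $sid = $null
    try {
        $account = New-Object System.Security.Principal.NTAccount($domain, "$($env:COMPUTERNAME)`$")
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Machine account could not be resolved: $($_.Exception.Message)"
    }
    $ips = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' } |
        Select-Object -ExpandProperty IPAddress | Sort-Object
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        AccountSid   = $sid
        IPv4         = ($ips -join ',')
    }
}

function Test-HostIdentityChanged {
    param($Cached, $Current)
    foreach ($p in 'ComputerName', 'AccountSid', 'IPv4') {
        if ($Cached.$p -ne $Current.$p) { return $true }
    }
    return $false
}

$current = Get-HostIdentity
if (Test-Path -Path $cachePath) {
    $cached = Get-Content -Path $cachePath -Raw | ConvertFrom-Json
    if (Test-HostIdentityChanged -Cached $cached -Current $current) {
        Write-Warning 'Host identity differs from cached values; discard identity-derived state.'
        # Hypothetical hook: drop cached registrations and host records here,
        # before the service writes anything about "this host".
    }
}
if ($current.AccountSid) {
    # Persist only a fully resolved identity.
    New-Item -ItemType Directory -Path (Split-Path $cachePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $cachePath
}
```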

What is interesting for Application Vendors?

CustomDCCloneAllowList.xml

A domain controller that runs your application or service cannot be cloned until the application or service is either:

  • Added to the CustomDCCloneAllowList.xml file by using the Get-ADDCCloningExcludedApplicationList Windows PowerShell cmdlet

-Or-

  • Removed from the domain controller

The first time the user runs the Get-ADDCCloningExcludedApplicationList cmdlet, it returns a list of services and applications that are running on the domain controller but are not in the default list of services and applications that are supported for cloning. By default, your service or application will not be listed. To add your service or application to the list of applications and services that can be safely cloned, the user runs the Get-ADDCCloningExcludedApplicationList cmdlet again with the -GenerateXML option in order to add it to the CustomDCCloneAllowList.xml file. For more information, see Step 2: Run Get-ADDCCloningExcludedApplicationList cmdlet.
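The two cmdlet runs described above, followed by a check of the generated file, as an added example that is not part of the original topic. The service name `ContosoAgentSvc` is hypothetical, and the `Name`/`Type` output properties, the `%windir%\NTDS` file location and the `AllowList`/`Allow` element layout are assumptions to confirm on the source domain controller.

```powershell
# Added example. 'ContosoAgentSvc' is a hypothetical vendor service name.
Import-Module ActiveDirectory

$vendorService = 'ContosoAgentSvc'
# Assumption: default DSA working directory; adjust if NTDS was relocated.
$allowListPath = Join-Path $env:windir 'NTDS\CustomDCCloneAllowList.xml'

# 1. First run: list what is running but not in the default supported list.
#    Assumption: each returned object exposes Name and Type properties.
$excluded = @(Get-ADDCCloningExcludedApplicationList)
$excluded | Format-Table -Property Name, Type -AutoSize

$blocking = $excluded | Where-Object { $_.Name -eq $vendorService }
if (-not $blocking) {
    Write-Output "$vendorService is not reported (not running, or already allowed)."
    return
}

# 2. Review every reported entry before continuing: the second run records
#    the reported entries in the file, not only the vendor's service.
$unreviewed = $excluded | Where-Object { $_.Name -ne $vendorService }
if ($unreviewed) {
    Write-Warning "Other entries would also be allowed: $($unreviewed.Name -join ', ')"
}

# 3. Second run: write CustomDCCloneAllowList.xml.
Get-ADDCCloningExcludedApplicationList -GenerateXml

# 4. Confirm the vendor entry is present in the generated file.
#    Assumption: <AllowList><Allow><Name>..</Name><Type>..</Type></Allow></AllowList>
[xml]$allowList = Get-Content -Path $allowListPath -Raw
$entry = $allowList.AllowList.Allow | Where-Object { $_.Name -eq $vendorService }
if ($entry) {
    Write-Output "$vendorService is listed as type '$($entry.Type)' in $allowListPath"
} else {
    Write-Warning "$vendorService was not found in $allowListPath"
}
```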

Distributed System Interactions

Usually services isolated to the local computer either pass or fail when participating in cloning. Distributed services have to be concerned about having two instances of the host computer on the network simultaneously for a brief period of time. This may manifest as a service instance trying to pull information from a partner system where the clone has registered as the new vendor of the identity. Or both instances of the service may push information into the AD DS database at the same time with different results. For example, it is not deterministic which computer will be communicated with when two computers that have Windows Testing Technologies (WTT) service are on the network with the domain controller.

For the distributed DNS Server service, the cloning process carefully avoids overwriting the DNS records of the source domain controller when the clone domain controller starts with a new IP address.

You should not rely on the computer to remove all of the old identity until the end of cloning. After the new domain controller is promoted inside the new context, select Sysprep providers are run to clean up the additional state of the computer. For example, it is at this point the old certificates of the computer are removed and the cryptography secrets that the computer can access are changed.

The greatest factor that varies the timing of the cloning is how many objects there are to replicate from the PDC. Older media increases the time required to complete cloning.

Because your service or application is unknown, it is left running. The cloning process does not change the state of non-Windows services.

Additionally, the new computer has a different IP address than the original computer. These behaviors may cause side effects to your service or application depending on how the service or application behaves in this environment.

Additional scenarios suggested for testing

Cloning Failure

Service vendors should test this scenario because when cloning fails the computer boots into Directory Services Repair Mode (DSRM), a form of Safe Mode. At this point the computer has not completed cloning. Some state may have changed and some state may remain from the original domain controller. Test this scenario to understand what impact it can have on your application.

To induce a cloning failure, try to clone a domain controller without granting it permission to be cloned. In this case, the computer will have only changed the IP addresses and still have the majority of its state from the original domain controller. For more information about granting a domain controller permission to be cloned, see Step 1: Grant the source virtualized domain controller the permission to be cloned.

PDC emulator cloning

Service and application vendors should test this scenario because there is an additional reboot when the PDC emulator is cloned. In addition, the majority of cloning is performed under a temporary identity to allow the new clone to interact with the PDC emulator during the cloning process.

Writable versus read-only domain controllers

Service and application vendors should test cloning by using the same type of domain controller (that is, a writable or read-only domain controller) that the service is planned to run on.