
Non-Authoritative and Authoritative SYSVOL Restore (DFS Replication)

Healthy SYSVOL replication is key for every Active Directory infrastructure. When there are SYSVOL replication issues you may notice:

1. Users and systems are not applying their group policy settings properly.

2. New group policies are not applying to certain users and systems.

3. Group policy object counts differ between domain controllers (inside the SYSVOL folders).

4. Logon scripts are not processing correctly.

At the same time, if you look into Event Viewer you may find events such as the following.

Event ID 2213: The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.

Recovery Steps

1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.

2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:

wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="xxxxxxxx" call ResumeReplication

Event ID 5002: The DFS Replication service encountered an error communicating with partner <FQDN> for replication group Domain System Volume.

Event ID 5008: The DFS Replication service failed to communicate with partner <FQDN> for replication group Home-Replication. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.

Event ID 5014: The DFS Replication service is stopping communication with partner <FQDN> for replication group Domain System Volume due to an error. The service will retry the connection periodically.

Some of these errors can be fixed with a simple server reboot or by running the commands described in the event (e.g. the event 2213 description), but if they keep recurring we need to do a Non-Authoritative or Authoritative SYSVOL restore.
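Before deciding on a restore, it helps to see which DCs are actually logging the events above and whether the GPO folder counts in SYSVOL disagree (symptom 3 from the list). The following health check is an added example and not part of the original post; it assumes the ActiveDirectory module, remote event log access and read access to each DC's SYSVOL share.

```powershell
# Added example (not from the original post): report DFSR error events (2213, 5002, 5008, 5014)
# per domain controller and compare GPO folder counts across every DC's SYSVOL share.
Import-Module ActiveDirectory

# Event IDs described in the post. 2213 = JET database not shut down cleanly (auto-recovery off);
# 5002/5008/5014 = communication problems with a replication partner.
$DfsrEventIds = 2213, 5002, 5008, 5014

function Get-DfsrSysvolHealth {
    param(
        [int]$LookbackHours = 24,
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    $domainDns = (Get-ADDomain).DNSRoot

    foreach ($dc in $DomainController) {
        # Count the relevant DFSR events on this DC within the lookback window.
        $filter = @{
            LogName   = 'DFS Replication'
            Id        = $DfsrEventIds
            StartTime = (Get-Date).AddHours(-$LookbackHours)
        }
        $events = @(Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue)

        # Symptom 3 from the post: GPO folder counts differing between DCs.
        $policyPath = "\\$dc\SYSVOL\$domainDns\Policies"
        $gpoCount = (Get-ChildItem -Path $policyPath -Directory -ErrorAction SilentlyContinue | Measure-Object).Count

        [pscustomobject]@{
            DomainController = $dc
            GpoFolderCount   = $gpoCount
            DfsrErrorEvents  = $events.Count
            EventIds         = ($events | Group-Object Id | ForEach-Object { "$($_.Name)x$($_.Count)" }) -join ','
            LatestMessage    = if ($events) { ($events | Sort-Object TimeCreated -Descending)[0].Message } else { '' }
        }
    }
}

# Returns $true when no DC logged the listed errors and all GPO counts agree, otherwise $false.
function Test-DfsrSysvolHealth {
    param([int]$LookbackHours = 24)
    $report = @(Get-DfsrSysvolHealth -LookbackHours $LookbackHours)
    $report | Format-Table DomainController, GpoFolderCount, DfsrErrorEvents, EventIds -AutoSize
    $distinctCounts = @($report.GpoFolderCount | Sort-Object -Unique).Count
    $hasErrors = @($report | Where-Object DfsrErrorEvents -gt 0).Count -gt 0
    if ($distinctCounts -gt 1 -or $hasErrors) {
        Write-Warning 'SYSVOL replication looks unhealthy on one or more DCs; see the restore options below.'
        return $false
    }
    return $true
}

Test-DfsrSysvolHealth
```

A DC with a non-zero count for 2213 usually just needs the ResumeReplication step from the event text; repeated 5002/5008/5014 on a minority of DCs points at the non-authoritative procedure, on a majority at the authoritative one.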

Non-Authoritative Restore 

If only one or a few domain controllers (less than 50%) have replication issues at a given time, we can do a non-authoritative restore. In that scenario, the system replicates SYSVOL from the PDC.

Authoritative Restore

If more than 50% of domain controllers have SYSVOL replication issues, it is possible that the entire SYSVOL got corrupted. In such a scenario, we need to go for an Authoritative Restore. In this process, we first restore SYSVOL from backup to the PDC and then replicate it out, or force all domain controllers to update their SYSVOL copy from the copy on the PDC.

SYSVOL can replicate using FRS too. FRS was deprecated after Windows Server 2008, but if you migrated from an older Active Directory environment you may still have FRS for SYSVOL replication. It also supports Non-Authoritative and Authoritative restore, but in this demo I am going to talk only about SYSVOL with DFS Replication.

Non-Authoritative DFS Replication 

In order to perform a non-authoritative restore:

1) Back up the existing SYSVOL. This can be done by copying the SYSVOL folder from the domain controller that has DFS Replication issues to a secure location.

2) Log in to the domain controller as Domain Admin/Enterprise Admin

3) Launch ADSIEDIT.MSC and connect to the Default Naming Context

4) Browse to DC=domain,DC=local > OU=Domain Controllers > CN=(DC NAME) > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription

5) Change the value of attribute msDFSR-Enabled to FALSE

6) Force AD replication using:

repadmin /syncall /AdP

7) Run the following to install the DFS management tools (unless they are already installed):

Add-WindowsFeature RSAT-DFS-Mgmt-Con

8) Run the following command to update the DFSR global state:

dfsrdiag PollAD

9) Search for event 4114 to confirm SYSVOL replication is disabled.

Get-EventLog -Log "DFS Replication" | where {$_.eventID -eq 4114} | fl

10) Change the attribute value back to msDFSR-Enabled=TRUE (step 5)

11) Force AD replication as in step 6

12) Update the DFSR global state by running the command in step 8

13) Search for events 4614 and 4604 to confirm successful non-authoritative synchronization.

All these commands should be run on the domain controllers set as non-authoritative.

Authoritative DFS Replication 

In order to initiate authoritative DFS Replication:

1) Log in to the PDC FSMO role holder as Domain Administrator or Enterprise Administrator

2) Stop the DFS Replication service (it is recommended to do this on all domain controllers)

3) Launch ADSIEDIT.MSC and connect to the Default Naming Context

4) Browse to DC=domain,DC=local > OU=Domain Controllers > CN=(DC NAME) > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription

5) Update the given attribute values as follows:

msDFSR-Enabled=FALSE

msDFSR-options=1

6) Modify the following attribute on ALL other domain controllers:

msDFSR-Enabled=FALSE

7) Force AD replication using:

repadmin /syncall /AdP

8) Start the DFS Replication service on the PDC

9) Search for event 4114 to verify SYSVOL replication is disabled.

10) Change the following value which was set in step 5:

msDFSR-Enabled=TRUE

11) Force AD replication using:

repadmin /syncall /AdP

12) Run the following command to update the DFSR global state:

dfsrdiag PollAD

13) Search for event 4602 and verify successful SYSVOL replication.

14) Start the DFS Replication service on all other domain controllers

15) Search for event 4114 to verify SYSVOL replication is disabled.

16) Change the following value which was set in step 6. This needs to be done on ALL domain controllers:

msDFSR-Enabled=TRUE

17) Run the following command to update the DFSR global state:

dfsrdiag PollAD

18) Search for events 4614 and 4604 to confirm successful authoritative synchronization.

Please note you do not need to run an Authoritative DFS Replication for every DFS Replication issue. It should be the last option.
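Both procedures above (non-authoritative and authoritative) are the same handful of operations in a fixed order, so they can be scripted. The following is an added example and not part of the original post: it replaces the ADSIEDIT attribute edits with Set-ADObject, runs the repadmin/dfsrdiag steps, and waits for the event IDs the post lists (4114, 4602, 4604, 4614). It assumes the ActiveDirectory module, Domain Admin rights, WinRM to the DCs and that dfsrdiag (RSAT-DFS-Mgmt-Con) is installed on them.

```powershell
# Added example (not from the original post): scripted non-authoritative and authoritative
# SYSVOL restore following the steps in the post. Run from a DC or management host as Domain Admin.
Import-Module ActiveDirectory

# Distinguished name of the SYSVOL subscription object (the path the post browses to in ADSIEDIT).
function Get-SysvolSubscriptionDN {
    param([Parameter(Mandatory)][string]$DcName)
    $dcDn = (Get-ADDomainController -Identity $DcName).ComputerObjectDN
    return "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
}

# Set msDFSR-Enabled, and msDFSR-Options = 1 when the DC is the authoritative source (step 5).
function Set-SysvolSubscription {
    param(
        [Parameter(Mandatory)][string]$DcName,
        [Parameter(Mandatory)][bool]$Enabled,
        [switch]$Authoritative
    )
    $attrs = @{ 'msDFSR-Enabled' = $Enabled }
    if ($Authoritative) { $attrs['msDFSR-Options'] = 1 }
    Set-ADObject -Identity (Get-SysvolSubscriptionDN -DcName $DcName) -Replace $attrs -Server $DcName
}

# Force AD replication and make DFSR re-read its configuration (the repadmin / dfsrdiag steps).
function Sync-DfsrConfig {
    param([Parameter(Mandatory)][string]$DcName)
    Invoke-Command -ComputerName $DcName -ScriptBlock { repadmin /syncall /AdP | Out-Null; dfsrdiag PollAD | Out-Null }
}

# Poll the DFS Replication log until one of the expected event IDs appears after $Since.
# 4114 = replication disabled, 4602 = authoritative init done, 4614/4604 = initial sync done.
function Wait-DfsrEvent {
    param(
        [Parameter(Mandatory)][string]$DcName,
        [Parameter(Mandatory)][int[]]$EventId,
        [Parameter(Mandatory)][datetime]$Since,
        [int]$TimeoutMinutes = 15
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $hit = Get-WinEvent -ComputerName $DcName -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'DFS Replication'; Id = $EventId; StartTime = $Since }
        if ($hit) { return ($hit | Select-Object -First 1) }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFSR event(s) $($EventId -join ',') on $DcName"
}

# Non-authoritative restore of a single DC (steps 5-13 of the first procedure).
function Invoke-NonAuthoritativeSysvolRestore {
    param([Parameter(Mandatory)][string]$DcName)
    $t0 = Get-Date
    Set-SysvolSubscription -DcName $DcName -Enabled $false
    Sync-DfsrConfig -DcName $DcName
    Wait-DfsrEvent -DcName $DcName -EventId 4114 -Since $t0 | Out-Null
    Set-SysvolSubscription -DcName $DcName -Enabled $true
    Sync-DfsrConfig -DcName $DcName
    Wait-DfsrEvent -DcName $DcName -EventId 4614, 4604 -Since $t0 -TimeoutMinutes 60
}

# Authoritative restore from the PDC (second procedure); every other DC is re-initialised from it.
function Invoke-AuthoritativeSysvolRestore {
    $pdc    = (Get-ADDomain).PDCEmulator
    $others = @(Get-ADDomainController -Filter * | Where-Object HostName -ne $pdc | Select-Object -ExpandProperty HostName)
    $t0     = Get-Date

    foreach ($dc in @($pdc) + $others) { Get-Service -Name DFSR -ComputerName $dc | Stop-Service }   # step 2
    Set-SysvolSubscription -DcName $pdc -Enabled $false -Authoritative                               # step 5
    foreach ($dc in $others) { Set-SysvolSubscription -DcName $dc -Enabled $false }                 # step 6
    Invoke-Command -ComputerName $pdc -ScriptBlock { repadmin /syncall /AdP | Out-Null }             # step 7

    Get-Service -Name DFSR -ComputerName $pdc | Start-Service                                        # step 8
    Wait-DfsrEvent -DcName $pdc -EventId 4114 -Since $t0 | Out-Null                                  # step 9
    Set-SysvolSubscription -DcName $pdc -Enabled $true                                               # step 10
    Sync-DfsrConfig -DcName $pdc                                                                     # steps 11-12
    Wait-DfsrEvent -DcName $pdc -EventId 4602 -Since $t0 | Out-Null                                  # step 13

    foreach ($dc in $others) {                                                                       # steps 14-18
        Get-Service -Name DFSR -ComputerName $dc | Start-Service
        Wait-DfsrEvent -DcName $dc -EventId 4114 -Since $t0 | Out-Null
        Set-SysvolSubscription -DcName $dc -Enabled $true
        Sync-DfsrConfig -DcName $dc
        Wait-DfsrEvent -DcName $dc -EventId 4614, 4604 -Since $t0 -TimeoutMinutes 60 | Out-Null
    }
}
```

Back up the SYSVOL folder (step 1 of the first procedure) before calling either function; the waits use a fixed 30-second poll, so on a large SYSVOL raise the timeout rather than assuming a failure.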

Hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com 

Step-by-Step Guide to enable Azure AD Domain Services

Azure AD, Azure AD Domain Services, on-premises Active Directory, AD sync... all these terms now appear in most infrastructure projects. The questions I get through the blog also show that engineers still struggle with how to implement Azure services for their needs and how to get the most benefit from them. So this article is part of a series I am writing to cover Azure AD related services and how to use them to enhance your current infrastructure operations.

Azure AD Domain Services

Azure AD Domain Services has been in preview for a while now (6 months). Azure AD Domain Services is a managed domain service which provides group policy, LDAP and NTLM/Kerberos authentication without the need for a “Domain Controller” in your Azure cloud setup.

If you have a “cloud-only” setup with Azure, this service allows you to manage your Azure identities more effectively. You can deploy Azure AD Domain Services into the same virtual network your other IaaS workloads run in. These VMs can then join the Azure AD domain like typical domain-joined servers and be controlled centrally. You can also apply group policies if you like.

If it is a hybrid setup, you can sync your on-premises identities to the cloud and use them along with the Azure IaaS workloads.

These are the main features of Azure Active Directory Domain Services (from: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-ds-features/)

•    Simple deployment experience: You can enable Azure AD Domain Services for your Azure AD tenant using just a few clicks. Regardless of whether your Azure AD tenant is a cloud-tenant or synchronized with your on-premises directory, your managed domain can be provisioned quickly.
•    Support for domain-join: You can easily domain join computers in the Azure virtual network that Azure AD Domain Services is available in. The domain join experience on Windows client and Server operating systems works seamlessly against domains serviced by Azure AD Domain Services. You can also use automated domain join tooling against such domains.
•    One domain instance per Azure AD directory: You can create a single Active Directory domain for each Azure AD directory.
•    Create domains with custom names: You can create domains with custom names (eg. contoso.local) using Azure AD Domain Services. This includes both verified as well as unverified domain names. Optionally, you can also create a domain with the built-in domain suffix (i.e. *.onmicrosoft.com) that is offered by your Azure AD directory.
•    Integrated with Azure AD: You do not need to configure or manage replication to Azure AD Domain Services. User accounts, group memberships and user credentials (passwords) from your Azure AD directory are automatically available in Azure AD Domain Services. New users, groups or changes to attributes occurring in your Azure AD tenant or in your on-premises directory are automatically synchronized to Azure AD Domain Services.
•    NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows Integrated Authentication.
•    Use your corporate credentials/passwords: Passwords for users in your Azure AD tenant work with Azure AD Domain Services. This means users in your organization can use their corporate credentials on the domain – for domain joining machines, logging in interactively or over remote desktop, authenticating against the DC etc.
•    LDAP bind & LDAP read support: You can use applications that rely on LDAP binds in order to authenticate users in domains serviced by Azure AD Domain Services. Additionally, applications that use LDAP read operations to query user/computer attributes from the directory can also work against Azure AD Domain Services.
•    Group Policy: You can leverage a single built-in GPO each for the users and computers containers in order to enforce compliance with required security policies for user accounts as well as domain joined computers.
•    Available in multiple Azure regions: See the Azure services by region page to know the Azure regions in which Azure AD Domain Services are available.
•    High availability: Azure AD Domain Services offer high availability for your domain. This offers the guarantee of higher service uptime and resilience to failures. Built-in health monitoring offers automated remediation from failures by spinning up new instances to replace failed instances and to provide continued service for your domain.
•    Use familiar management tools: You can use familiar Windows Server Active Directory management tools such as the Active Directory Administrative Center or Active Directory PowerShell in order to administer domains provided by Azure AD Domain Services.

In my demo today I am going to show how to enable Azure AD Domain Services and how to configure it properly for a cloud-only IaaS setup.

I have already created an Azure AD instance called REBELADMIN. I will be using it during the demo.

Setup Azure Virtual Network

I am going to show how to set up a new Azure virtual network. The Azure AD Domain Services instance also needs to be assigned to the same virtual network your other services run in, in order to integrate those resources.

1)    In the Azure Classic Portal click on the “Networks” option on the left side.

2)    Then click on “Create a Virtual Network”

3)    In the wizard type the name for the virtual network and select the location, then click on the proceed button to go to the next step

4)    On the next page, I am not going to define any DNS servers as I will set them up later in this demo; click on the proceed button

5)    The next window shows the address space; you can either customize it or proceed with the default. I am going to use the default.

6)    After proceeding, it creates the new virtual network successfully

Enable Azure AD Domain Service

Now we have the virtual network set up. The next step is to enable the domain service.

1)    Click on the Azure AD directory instance which needs Azure AD Domain Services enabled (if you have not created one yet you can do it using New > App Services > Active Directory > Directory)

2)    Then click on “Configure”

3)    Under “Domain Services” click on the “Yes” button to enable the domain services.

4)    DNS Domain name of domain services – this option defines the DNS domain name. If you do not have a domain set up you can still use the default Azure name, which ends with onmicrosoft.com.
Connect domain service to this virtual network – here you define which virtual network the domain service should be assigned to. I have selected the new virtual network created in the previous step.
After the changes click on “Save”

5)    Then it will start to activate the service.

6)    Currently it takes about 30 minutes to get the service enabled. Once it is set up we can see the DNS server IP addresses appear. This is important as we need to add these to the virtual network in order to join servers to the domain.

Add DNS server details into Virtual Network

1)    Click on the virtual network that the Azure AD Domain Services instance is associated with.

2)    Click on Configure and then add the DNS server info

3)    Click on Save to submit the changes

Create “AAD DC Administrator” group

Since Azure AD Domain Services is a managed service you will not get Domain Admin or Enterprise Administrator privileges on the AD instance. But you are allowed to create this group, and all members of this group will be granted administrator privileges on the domain-joined servers (this group will be added to the Administrators group on domain-joined servers).

In order to do that we need to load the Azure AD instance again:

1)    Click on the relevant Azure AD instance.

2)    Click on “Groups” and then Add Group

3)    Then in the next window type the group name as “AAD DC Administrators” and the type as “Security”, then click on the proceed button. Please note you must use the text in exactly this format in order to get this group enabled.

4)    Then you can add the members as you prefer

With this our initial configuration is done. The next step is to enable password synchronization to allow users to use their corporate logins to log in to the domain. I will explain it in my next post as another step-by-step guide.

If you have any questions about the post feel free to contact me on rebeladm@live.com

The Active Directory Replication Status Tool (ADREPLSTATUS)

Healthy Active Directory replication is important for any Active Directory infrastructure. REPADMIN is a command line utility which can be used to check AD replication status. I wrote an article before about common replication errors and how to use these command line utilities for troubleshooting. If you have not read it yet you can find it here.

The Active Directory Replication Status Tool (ADREPLSTATUS) is a small but handy tool published by Microsoft which can be used to analyze the replication status of an Active Directory environment. The output is similar to the output of the command REPADMIN /SHOWREPL * /CSV but with a few enhancements.
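To see what the tool adds on top of the raw REPADMIN output, here is an added example (not from the original post or from Microsoft's tool) that parses REPADMIN /SHOWREPL * /CSV output and ranks failing links by how close they are to the tombstone lifetime, which is what makes a stale link dangerous in terms of lingering objects. The column headers are the ones repadmin emits; the three data rows are constructed sample data, and the 180-day tombstone lifetime is the default assumed here.

```powershell
# Added example (not from the original post): parse 'repadmin /showrepl * /csv' output and
# prioritise replication links the way ADREPLSTATUS does (lingering-object risk first).

# Constructed sample in repadmin's CSV layout; replace with the live command:
#   $csv = (repadmin /showrepl * /csv) -join "`n"
$stamp = { param($d) (Get-Date).AddDays($d).ToString('yyyy-MM-dd HH:mm:ss') }
$sampleCsv = @"
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=domain,DC=local",Default-First-Site-Name,DC2,RPC,0,0,$(& $stamp -0.04),0
showrepl_INFO,Default-First-Site-Name,DC1,"DC=domain,DC=local",Branch,DC3,RPC,12,$(& $stamp -0.08),$(& $stamp -3),1722
showrepl_INFO,Branch,DC3,"CN=Configuration,DC=domain,DC=local",Default-First-Site-Name,DC1,RPC,400,$(& $stamp -0.04),$(& $stamp -200),8606
"@

function Get-ReplicationLinkStatus {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        # Forest tombstone lifetime; 180 days is the default for forests created on 2003 SP1 or later.
        [int]$TombstoneLifetimeDays = 180
    )
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        # A link that has never succeeded is treated as older than the tombstone lifetime.
        $lastSuccess = [datetime]::MinValue
        $parsed = [datetime]::TryParse($row.'Last Success Time', [ref]$lastSuccess)
        $daysSinceSuccess = if ($parsed) { [int]((Get-Date) - $lastSuccess).TotalDays } else { [int]::MaxValue }
        $failures = [int]$row.'Number of Failures'

        [pscustomobject]@{
            Destination       = "$($row.'Destination DSA Site')\$($row.'Destination DSA')"
            Source            = "$($row.'Source DSA Site')\$($row.'Source DSA')"
            NamingContext     = $row.'Naming Context'
            Failures          = $failures
            LastFailureStatus = $row.'Last Failure Status'
            DaysSinceSuccess  = $daysSinceSuccess
            # Critical: past tombstone lifetime, so deleted objects can resurrect as lingering objects.
            Priority          = if ($daysSinceSuccess -ge $TombstoneLifetimeDays) { 'Critical' }
                                elseif ($failures -gt 0) { 'Error' }
                                else { 'OK' }
        }
    }
}

# Failing links first, oldest success first; Export-Csv gives the same offline hand-off the tool offers.
$report = Get-ReplicationLinkStatus -CsvText $sampleCsv |
    Sort-Object @{ Expression = { @{ Critical = 0; Error = 1; OK = 2 }[$_.Priority] } }, DaysSinceSuccess -Descending
$report | Format-Table Priority, Destination, Source, NamingContext, Failures, LastFailureStatus, DaysSinceSuccess -AutoSize
$report | Where-Object Priority -ne 'OK' | Export-Csv -Path "$env:TEMP\replication-failures.csv" -NoTypeInformation
```

With the sample data the DC3 configuration-partition link comes out as Critical (200 days without success), the DC3 to DC1 domain link as Error, and the DC2 link as OK.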

Specific capabilities for this tool include:

    • Expose Active Directory replication errors occurring in a domain or forest
    • Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active Directory forests
    • Help administrators and support professionals resolve replication errors by linking to Active Directory replication troubleshooting content on Microsoft TechNet
    • Allow replication data to be exported to source or destination domain administrators or support professionals for offline analysis

System Requirement

Domain membership requirements:

    • Must be joined to the Active Directory domain or forest you intend to monitor

.NET Framework requirements:

    • .NET Framework 4.0 (you may be prompted to install .NET Framework 3.5.1 first on Windows Server 2008)

Required User Credentials:

    • Target forest/domain user account

Other Requirements:

ADREPLSTATUS will not work when the following security setting is enabled on the operating system:

    • System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

The tool can be downloaded from https://www.microsoft.com/en-gb/download/details.aspx?id=30005

Installation

It is very straightforward. All you need to do is double-click on the file.

Once installed, double-click on the icon to run the application.

Once the tool is loaded, you can check replication on the entire forest or on specific domains.

After you specify the replication boundaries, click on the refresh replication status button. It will discover the current configuration and replication status.

If required you can export the data to XPS or CSV format.

Hope this info helps. If you have any questions feel free to contact me on rebeladm@live.com

Step by Step Guide to downgrade domain and forest functional level

Before Windows Server 2008 R2, forest and domain functional levels could not be downgraded once raised. Well, it is not a problem if you plan your Active Directory upgrades properly, but sometimes it is a life saver given the difficulties admins face with AD upgrades. Starting with Windows Server 2008 R2 you can downgrade forest and domain functional levels. The minimum level it can be downgraded to is Windows Server 2008.

In my demo I am using a domain controller with forest and domain functional levels set to Windows Server 2012 R2.

There is no GUI to perform this downgrade. We have to use PowerShell commands to do it.

First, log in to the domain controller as Domain Admin / Enterprise Admin.

Then load PowerShell with admin rights.

Then we need to import the AD module.

To do that type Import-Module -Name ActiveDirectory

Before proceeding, as confirmation, here my domain and forest functional levels are set to Windows Server 2012 R2.

First I am going to set the forest functional level to Windows Server 2008.
To do that:

Set-ADForestMode -Identity "CANITPRO.com" -ForestMode Windows2008Forest

Here my FQDN is CANITPRO.com; you can replace it with your domain name.
After running the command it asks for confirmation; type Y or A to confirm the change.

The next step is to downgrade the domain functional level to Windows Server 2008.
To do that:

Set-ADDomainMode -Identity "CANITPRO.com" -DomainMode Windows2008Domain

After the commands complete successfully, the next step is to confirm the new forest and domain functional levels. This time I am using PowerShell.

If you have any questions feel free to contact me on rebeladm@live.com

Step-by-Step Guide to install Active Directory on Windows server technical preview 2

Microsoft has released Windows Server 2016 Technical Preview 2 to the public. I am sure most of you have already got the news. In this article I am going to demonstrate how we can install AD on Windows Server 2016 TP2.

You can download Windows Server 2016 TP2 from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-previewit

You can deploy it using the .iso or .vhd file. If you notice, the installation no longer allows you to select the GUI option during installation. It gives 2 options to select from: one is the Core version, and the one with administrative tools gives the ability to use admin tools such as Server Manager. If you want to install the GUI you need to install it using Server Manager or using the command Install-WindowsFeature Server-Gui-Shell -Restart -Source wim:E:\sources\install.wim:4

Here E: is the DVD with the Windows Server 2016 source files.

What is new in AD DS?

Well, it may be too early to look for what is going to be in Windows Server 2016 on the AD side. But here are the few new features and enhancements available in the TP.

Privileged Access Management – this PAM feature helps mitigate security concerns in an AD environment caused by techniques such as pass-the-hash, spear phishing etc.

Azure AD Join – this enhances the identity experience for businesses, including benefits such as SSO, access to organizational resources, MDM integration etc.

Microsoft Passport – Microsoft Passport is a new key-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on breach-, theft- and phish-resistant credentials.

Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels – Although File Replication Service (FRS) and the Windows Server 2003 functional levels were deprecated in previous versions of Windows Server, it bears repeating that the Windows Server 2003 operating system is no longer supported. As a result, any domain controller that runs Windows Server 2003 should be removed from the domain. The domain and forest functional level should be raised to at least Windows Server 2008 to prevent a domain controller that runs an earlier version of Windows Server from being added to the environment.

A complete description of these features can be found at https://technet.microsoft.com/en-us/library/mt163897.aspx

Let’s get started. In my demo I am using Windows Server 2016 TP2 with GUI.
Log in to the server as administrator. Then load Server Manager.

Then go to Manage > Add Roles and Features

In the wizard click on Next.

In the installation type selection, leave the default selection and click Next.

For the server selection leave the default and click Next.

From the role selection window select “Active Directory Domain Services” and click Next. It will then ask to add the dependent features. Click on the Add Features button, then click Next.

In the features selection keep the default selection and then click Next to continue.

Then it gives a description window about AD DS. Click Next to proceed.

Then in the next window click on the Install button to install the AD DS role.

Once it is finished, click on the link “Promote this server to a domain controller”

Then it will open up the new wizard for the AD DS configuration. Here I am going to deploy a new forest, so make the relevant selection, fill in the information and click Next.

In the next window set the forest and domain functional level to “Windows Server Technical Preview”, add domain controller capabilities such as DNS, then enter the DSRM password and click Next.

Then click Next to complete DNS delegation.

In the next window we can specify the NetBIOS name and then click Next to continue.

In the next window select the paths for the database installation etc., then click Next.

Then it gives the option to review the configuration; click Next to continue.

Once the prerequisite check is done, click on Install to proceed.

Then it starts the installation process. It will reboot the server automatically once completed.
Once rebooted, we can see AD DS is configured and functioning as expected.

This completes the installation process. The steps are very similar to the AD DS installation on Windows Server 2012.
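The same deployment can be done without the wizard, which is how you would build a lab or a scripted first DC. The script below is an added example and not from the original post; the domain name, NetBIOS name and paths are placeholders, and "WinThreshold" as the functional level value for the technical preview is an assumption (the wizard shows it as "Windows Server Technical Preview"), so check (Get-Command Install-ADDSForest).Parameters['ForestMode'] on the TP build before relying on it.

```powershell
# Added example (not from the original post): unattended equivalent of the Server Manager steps
# above, from role installation to promotion of the first DC of a new forest.
$ErrorActionPreference = 'Stop'
Import-Module ServerManager

# Wizard steps: Add Roles and Features > Active Directory Domain Services (+ management tools).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$domainName  = 'domain.local'   # placeholder, matches the DC=domain,DC=local naming used on this page
$netbiosName = 'DOMAIN'         # placeholder
$level       = 'WinThreshold'   # assumption: functional level value for the technical preview

# The DSRM password is prompted for rather than stored in the script.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# The wizard's "Prerequisites Check" page; abort on anything other than Success.
$prereq = Test-ADDSForestInstallation -DomainName $domainName -DomainNetbiosName $netbiosName `
    -ForestMode $level -DomainMode $level -InstallDns:$true -SafeModeAdministratorPassword $dsrmPassword
if ($prereq.Status -ne 'Success') {
    $prereq.Message | Write-Warning
    throw 'AD DS prerequisite check failed; fix the issues above before promoting.'
}

# "Promote this server to a domain controller": new forest, functional levels, DNS, DSRM password,
# NetBIOS name and database/log/SYSVOL paths, then automatic reboot as the wizard does.
Install-ADDSForest `
    -DomainName $domainName `
    -DomainNetbiosName $netbiosName `
    -ForestMode $level `
    -DomainMode $level `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -NoRebootOnCompletion:$false `
    -Force
```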

If you have any issues feel free to contact me on rebeladm@live.com

Step-by-Step Guide to setup windows azure active directory – Part 01

This is the start of a series of posts which will explain the installation and configuration of WAAD. In a previous article I explained WAAD and its features. If you have not read it yet you can find it here.

Windows Azure Active Directory (WAAD)

In this post I will demonstrate how we can do the WAAD initial setup. As explained in the previous post, Azure AD comes in 3 versions. Once you have subscribed to the required version, to set it up log in to the Azure Management Portal.

Then click on the +New button in the bottom left corner.

Then go to and click on App Services > Active Directory > Directory

Then click on Custom Create to create a WAAD instance with your requirements.

Once you click on it, it will open a form. Here the “Name” field refers to the instance name. “Domain Name” should be a unique name. Initially it is created with the .onmicrosoft.com extension, but later you can change it to the domain name your organization is already using.

Once this info is filled in click on the complete button.

Once it’s complete it can be seen on the portal as active.

Then if you click on the selected instance it will bring you to the page where you can configure the WAAD instance.

As the first configuration we need to add the domain to match our existing organization, because on setup it uses a name with the .onmicrosoft.com extension. To do this click on the Domains tab.

Then once it has loaded click on “Add a custom domain”

In the new wizard, put the domain name to match the local Active Directory domain. Here I will later configure SSO with local AD, so I selected that option too. Once the information is typed in click on Add to continue.

Once it’s done it will be listed on the page. But as we can see here it is not yet “verified” and set as “primary domain”. To do that we need to do the AD integration with the local organization. In the next post let’s see how we can do that.

If you have any questions about the post feel free to contact me on rebeladm@live.com

Active Directory in Hybrid Cloud

“Cloud”, the most common term now in IT, is everywhere. Companies which provide IT services are bringing their products and services into the cloud rapidly. “Hosting services” was the first industry affected by it, and now it has spread even to small companies and individual professionals. With the introduction of everyday products like Microsoft Office 365 everyone is starting to understand the benefits of the “cloud”. Some organizations use their own private cloud while some have completely moved to public cloud services.

One of the main concerns people had about the cloud was how they could bring their infrastructure services, resources and applications without impact on productivity. For example, most organizations use Single Sign-On (SSO) to reduce the complexity of the authentication and authorization process. After we move an organization’s resources, products and services to the cloud, if SSO does not work it still prevents the full benefits of the cloud from the end-user perspective. At the same time it directly impacts productivity. These access control and authentication concerns apply even more to “Hybrid Cloud” systems. In a hybrid cloud some resources, services and applications run on-premises and some run from a public cloud or a private cloud set up in a data center. This is the most commonly used cloud model in the industry.

One of the solutions used to address this is federation services. But the issue is that not every application or product uses the same standards and protocols for identity management. As we know, most available products support integration with AD services. Microsoft even provides the relevant tools and techniques to succeed with SSO in application development. So if you have a working infrastructure system meeting all company requirements, how do you convince management to move to a cloud system which will need to deal with identity and access issues?

Well, Microsoft has found a solution for this. “Microsoft cloud – Azure” and Windows Server 2012 allow you to extend Active Directory into the cloud. It allows the use of claims-based authorization. We can use Windows Azure AD as the identity store for the hybrid cloud and easily integrate other systems such as web portals, email systems, CRM and non-Microsoft apps. Also it can sync with the on-premises Windows Server Active Directory using “DirSync (Windows Azure Active Directory Sync Agent)” with AD FS (Active Directory Federation Services).

In the next posts let’s see how we can configure Azure AD and how it works with integration. If you have any questions about the post feel free to contact me on rebeladm@live.com

Image Source: http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-98-54-metablogapi/clip_5F00_image001_5F00_1E3725C4.png

Step-by-Step Guide to clone a Domain Controller

From Windows Server 2012, Microsoft introduced a feature that allows cloning of a domain controller. It helps to quickly restore a domain controller in the event of failure, and it also helps to deploy test environments easily when needed.

Previously, if you cloned a domain controller, it could not be deployed in the same domain or forest without running sysprep to remove security information before cloning. Afterwards you needed to promote the domain controller manually. But now when you clone a domain controller it does the sysprep and promotion process automatically.

For the demo I am using a Windows 2012 R2 domain controller deployed in a Hyper-V environment.

1)    Log in to the source domain controller as Domain Admin or Enterprise Administrator
2)    Go to Server Manager > Tools > Active Directory Users and Computers

3)    Then go to the “Domain Controllers” OU. Select the DC that needs to be cloned and right-click to select Properties.

4)    Go to the Member Of tab and click on Add.

5)    Then add the security group Cloneable Domain Controllers and click OK.

6)    Close the MMC and load Windows PowerShell with admin rights. Then type and enter Get-ADDCCloningExcludedApplicationList. This checks the system for programs which are not compatible with the clone process.

7)    If it comes up with a list, make sure those services are removed before cloning.
8)    After the cleanup process type
New-ADDCCloneConfigFile -Static -IPv4Address "10.10.10.7" -IPv4DNSResolver "10.10.10.2" -IPv4SubnetMask "255.255.255.0" -CloneComputerName "DC2" -IPv4DefaultGateway "10.10.10.1" -SiteName "Default-First-Site-Name"

Here I specify the IP address information it (the clone server) will hold, plus the computer name and site name.

9)    Once it passes and completes the process, exit from the console and the server.
10)    For the next steps we need to turn off the source domain controller. So before proceeding make sure the organization is aware of the downtime and the impact.
11)    Load Hyper-V Manager and right-click on the DC which needs cloning. Then select Turn Off.

12)    Once it is turned off, right-click on the DC and select Export. Then select the path to save the export file.

13)    Once the export process is completed, right-click on the source DC and click on Start.
14)    Then in Hyper-V go to Action > Import Virtual Machine

15)    It will open up the import wizard; click Next to continue.

16)    In the next window specify the folder path to the exported DC. Then click Next.

17)    In the next window select the DC and click Next

18)    In the next window select the “Copy the virtual machine (create a new unique ID)” option from the list and click Next.

19)    In the next window it asks for the VM path. You can leave the default or use a different path based on your requirement. Once done click on Next.

20)    Next it asks for the storage folder. Again it can be changed as per requirement. Once done click Next.

21)    Then it gives a summary page. Click on Finish to start the import process.

22)    Once the import is completed, right-click on the clone DC and click on Start.
23)    It will run through several stages preparing the AD.

24)    Once the process is completed, I logged in to the server as domain admin. In the Domain Controllers OU I can see the new clone DC. Also under Sites and Services I can see the cloned DC located correctly.
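The whole procedure, from group membership through the Hyper-V export and import, can be driven from PowerShell on the Hyper-V host. The script below is an added example and not from the original post; it runs the DC-side steps over WinRM, stops when Get-ADDCCloningExcludedApplicationList reports anything (step 7), and uses the same addresses as the step 8 command. VM, host and DC names and paths are placeholders, and the export layout assumed is the one Hyper-V writes under "<VM name>\Virtual Machines".

```powershell
# Added example (not from the original post): scripted DC cloning following steps 3-22 above.
# Run on the Hyper-V host as Domain Admin with the ActiveDirectory and Hyper-V modules installed.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
Import-Module Hyper-V

$SourceDc   = 'DC1'        # AD name of the DC being cloned (placeholder)
$SourceVm   = 'DC1'        # Hyper-V VM name of that DC (placeholder)
$CloneName  = 'DC2'        # same name as the post's -CloneComputerName
$ExportPath = 'D:\Exports' # placeholder
$ClonePath  = 'D:\VMs\DC2' # placeholder

# Steps 3-5: make the source DC a member of Cloneable Domain Controllers.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity $SourceDc)

# Steps 6-8, executed on the source DC itself.
Invoke-Command -ComputerName $SourceDc -ArgumentList $CloneName -ScriptBlock {
    param($CloneName)
    # Step 7: anything listed here is incompatible with cloning and must be removed first.
    $excluded = @(Get-ADDCCloningExcludedApplicationList)
    if ($excluded.Count -gt 0) {
        $excluded | Format-Table Name, Type -AutoSize | Out-String | Write-Warning
        throw 'Incompatible applications or services are installed; remove them before cloning.'
    }
    # Step 8: same static IP settings as the command in the post.
    New-ADDCCloneConfigFile -Static -IPv4Address '10.10.10.7' -IPv4DNSResolver '10.10.10.2' `
        -IPv4SubnetMask '255.255.255.0' -IPv4DefaultGateway '10.10.10.1' `
        -CloneComputerName $CloneName -SiteName 'Default-First-Site-Name'
}

# Steps 11-13: the source DC is offline for the duration of the export.
Stop-VM -Name $SourceVm -Force
Export-VM -Name $SourceVm -Path $ExportPath
Start-VM -Name $SourceVm

# Steps 14-21: import as a copy with a new unique ID into the chosen VM and storage folders.
# Hyper-V 2012 R2 writes an .xml configuration, newer hosts a .vmcx; accept either.
$config = Get-ChildItem -Path (Join-Path $ExportPath "$SourceVm\Virtual Machines") -File |
    Where-Object { $_.Extension -in '.xml', '.vmcx' } | Select-Object -First 1
$clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath $ClonePath -VhdDestinationPath (Join-Path $ClonePath 'Virtual Hard Disks')
Rename-VM -VM $clone -NewName $CloneName

# Step 22: the clone boots, finds DCCloneConfig.xml and runs the cloning stages (step 23).
Start-VM -VM $clone

# Step 24 check, once the clone has finished its stages: it should be listed as a DC.
Get-ADDomainController -Filter "Name -eq '$CloneName'" -ErrorAction SilentlyContinue
```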


This is the end of the post and if there is any question feel free to contact me on rebeladm@live.com