Clone a Domain Controller for testing

Often I find the need to clone a DC to carry out some testing (lovely and simple in a virtualised environment). With Server 2008 R2 and earlier this wasn’t much fun: DNS and time changes caused various issues, on top of having to remove all the other DCs, seize roles and so on.

With Server 2012 R2 Domain Controllers it’s suddenly far easier. The updated Microsoft instructions are here but the steps are essentially:

  1. Active Directory Users and Computers – Navigate to Domain Controllers, right-click and delete the unwanted DC. Select ‘Delete this Domain Controller anyway’.
  2. Active Directory Sites and Services – Delete unwanted sites and any unwanted DCs in the site you are retaining.

That’s it! One thing that is now built in is seizing roles. When you delete a DC that holds one of the FSMO roles you get a pop-up informing you of this and offering to move the roles to the DC you are working on, much easier!
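An added verification script (not part of the original post) to run on the cloned DC once the two clean-up steps are done. It assumes the clone sits on an isolated virtual network (otherwise the deletions replicate back to production) and that the ActiveDirectory RSAT module is present; it confirms every FSMO role now points at the clone and that no stale DC or site objects remain.

```powershell
# Added check script, not from the post. Run on the clone after the clean-up.
Import-Module ActiveDirectory

$me = $env:COMPUTERNAME

# 1. All five FSMO roles should now be held by this (the only remaining) DC.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $holder = ($r.Value -split '\.')[0]          # FQDN -> host name
    $state = if ($holder -ieq $me) { 'OK' } else { 'NOT MOVED - seize/transfer it' }
    '{0,-22} {1,-35} {2}' -f $r.Key, $r.Value, $state
}

# 2. Get-ADDomainController reads the NTDS Settings objects, so any name other
#    than this host is a leftover from a DC that was not deleted properly.
$stale = Get-ADDomainController -Filter * | Where-Object { $_.Name -ine $me }
if ($stale) { "Stale DC objects still present: $($stale.Name -join ', ')" }
else        { 'No stale domain controller objects.' }

# 3. Sites left after step 2 of the clean-up; normally just the one the clone is in.
'Remaining sites: ' + ((Get-ADReplicationSite -Filter *).Name -join ', ')

# 4. Replication partners the clone still references; should return nothing.
Get-ADReplicationPartnerMetadata -Target $me -ErrorAction SilentlyContinue |
    Select-Object Partner, LastReplicationResult
```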



LAPS – Local Admin Password Solution

As part of my role I took over a reasonably sized Windows Server infrastructure. Many servers have now been replaced but some of the originals remain. I am currently running security tasks across all areas and one was to change the local admin password and account name for all servers.

There used to be generally two ways to achieve this:

  1. Manually reset each password and save into a spreadsheet.
  2. Use Group Policy Preferences to set a standard password.

Creating a spreadsheet of passwords fills me with dread, and Sod’s law says you won’t be able to open it when you need it. Using GPP is a reasonable idea but the implementation stores passwords in clear text within the Sysvol folder (readable by anyone on the network). Microsoft have realised this is an issue and have actually prevented the GPP solution from working as of May 2014.

The new, approved solution is LAPS – Local Admin Password Solution. This is a combination of a client-side DLL and GPO settings which regularly and automatically reset the local administrator password and store the result in Active Directory. It’s a free tool available here complete with downloadable instructions. The instructions are very clear and easy to follow so I won’t detail them here, but here is a quick overview:

  1. Install the management tools onto a management server.
  2. Extend the schema and make some small permission changes to the AD OU(s) in which you wish to manage the servers.
  3. Create a GPO with the password complexity and refresh time you require.
  4. Install the agent onto each server to be managed.

Once complete (the above took 30 minutes, not including change control and testing), you can retrieve the password in 3 ways:

  1. Using the LAPS UI tool
  2. Inspecting the attribute editor in Active Directory
  3. Viewing in PowerShell
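An added PowerShell example (my own, not from the post or the LAPS download) covering the PowerShell retrieval route and two checks worth running after the rollout: who has been granted the right to read the passwords in the OU, and whether the agent is actually rotating them. It assumes the AdmPwd.PS module from the LAPS management tools and the ActiveDirectory RSAT module are installed, and `$ou` is an assumed value to replace.

```powershell
# Added audit script, not from the post. Run on the LAPS management server.
Import-Module AdmPwd.PS          # ships with the LAPS management tools
Import-Module ActiveDirectory    # RSAT

$ou = 'OU=Servers,DC=example,DC=local'   # assumed OU, change to the one you delegated

# 1. Who can read the passwords? Every principal listed here can log on as the
#    local admin of every machine in the OU, so this list should be short.
Find-AdmPwdExtendedRights -Identity $ou |
    ForEach-Object { '{0}: {1}' -f $_.ObjectDN, ($_.ExtendedRightHolders -join ', ') }

# 2. Is rotation actually happening? ms-Mcs-AdmPwdExpirationTime is a FILETIME;
#    a past value or no value means the GPO/agent is not working on that machine.
$now = Get-Date
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if (-not $raw) {
            $exp = $null; $state = 'NO LAPS DATA (agent or GPO missing)'
        } else {
            $exp = [DateTime]::FromFileTime([int64]$raw)
            $state = if ($exp -lt $now) { 'EXPIRED (not rotating)' } else { 'OK' }
        }
        [pscustomobject]@{ Computer = $_.Name; Expires = $exp; State = $state }
    } | Sort-Object State, Computer | Format-Table -AutoSize

# 3. Reading one password the documented way (the same ms-Mcs-AdmPwd attribute
#    the attribute editor shows). Enable auditing of these reads first:
#    Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals 'Everyone'
# Get-AdmPwdPassword -ComputerName 'SERVER01' |
#     Select-Object ComputerName, Password, ExpirationTimestamp
```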


2008 R2 Domain Controllers have “unidentified network”

I have found two workarounds for this issue.


  1. From Microsoft – they do not support this in a production environment! Add the following registry value:

     Value name: Repl Perform Initial Synchronizations
     Value type: REG_DWORD
     Value data: 0

  2. Edit the following registry entries to contain the correct domain name:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\networkname
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\machinedomain
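An added script (not from the post) that checks the two Group Policy history values from workaround 2 against the machine's actual domain, applies workaround 2 only when `$fix` is set, and reports whether the unsupported workaround 1 value is present. The post does not give the key that holds "Repl Perform Initial Synchronizations"; the script assumes the documented NTDS Parameters key. PowerShell 2.0 syntax so it runs on 2008 R2.

```powershell
# Added check script, not from the post. Read-only unless $fix is $true.
$fix = $false

$gpHistory  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
# Key assumed from the NTDS service documentation; the post gives only the value name.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

$domain = (Get-WmiObject Win32_ComputerSystem).Domain      # e.g. corp.example.local

$props = Get-ItemProperty -Path $gpHistory
foreach ($name in 'NetworkName', 'MachineDomain') {
    $current = $props.$name
    if ($current -ieq $domain) {
        "$name = '$current'  (matches the domain, OK)"
    } else {
        "$name = '$current'  (does not match '$domain')"
        if ($fix) {
            Set-ItemProperty -Path $gpHistory -Name $name -Value $domain
            '  -> corrected (workaround 2)'
        }
    }
}

# Workaround 1 makes the DC advertise before its first successful replication,
# which is why Microsoft does not support it in production: report it, never set it here.
$repl = (Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue).'Repl Perform Initial Synchronizations'
if ($null -eq $repl) {
    'Repl Perform Initial Synchronizations: not set (default, supported)'
} else {
    "Repl Perform Initial Synchronizations: $repl (0 = unsupported workaround 1 is in place)"
}
```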

Server Core – Promote to Domain Controller

To carry out a successful dcpromo under Server Core you will need an answer file. Not all settings shown in the answer file below are needed (DNS server, GC, etc.).


Full MS article here

Server Core: Demoting a Domain Controller

To demote with a single command (assuming all default answers):

dcpromo /administratorpassword:password

To demote with alternate settings, the following unattend parameters are available for demotion (default values are enclosed in <>):

/AdministratorPassword:"administrator password" (the default is an empty password)

Specifies a local administrator account password when demoting a domain controller.

/DemoteFSMO:{Yes | <No>}

Indicates that (forced) demotion should continue even if a FSMO role is discovered on domain controller being demoted.

/DNSDelegationPassword:{“password” | *}

Specifies the password for the user name (account credentials) to use for creating or removing DNS delegation. Specify * to prompt the user to enter credentials.


Specifies the user name (account credentials) used for creating or removing DNS delegation. If no value is specified, the credentials used for the domain controller installation or removal are used.

/IgnoreIsLastDcInDomainMismatch:{Yes | <No>} (the default causes the wizard to prompt the user to continue and the command-line tool to exit with an error)

Specifies whether to continue the demotion of the domain controller when either the switch /IsLastDCInDomain:Yes is specified and dcpromo detects that there is actually another active domain controller in the domain, or when the switch /IsLastDCInDomain:No is specified and dcpromo cannot contact any other domain controller in the domain.

/IgnoreIsLastDNSServerForZone:{Yes | <No>}

Specifies whether to continue the demotion even though the domain controller is the last DNS server for one or more of the Active Directory-integrated DNS zones that it hosts.

/IsLastDCInDomain:{Yes | <No>}

Specifies whether the computer which is being demoted is the last domain controller in the domain.

/Password:{“password” | *}

Specifies the password corresponding to the user name (account credentials) used for the operation. Specify * to prompt the user to enter credentials.

/RebootOnCompletion:{<Yes> | No}

Specifies whether to restart the computer upon completion, regardless of success.

/RebootOnSuccess:{<Yes> | No | NoAndNoPromptEither}

Specifies whether to restart the computer upon successful completion.

/RemoveApplicationPartitions:{Yes | <No>}

Specifies whether to remove application partitions during the demotion of the domain controller.

/RemoveDNSDelegation:{<Yes> | No}

Specifies whether DNS delegations pointing to this DNS server should be removed from the parent zone.

/RetainDCMetadata:{Yes | <No>}

Specifies to retain domain controller metadata in the domain after AD DS removal. Delegated read-only domain controller (RODC) administrators should specify this option to demote an RODC.


Specifies the domain name for the user name (account credentials) used for the operation. It also helps to specify the forest where you plan to install the domain controller or create an RODC account. If no value is specified, the domain of the computer will be used.


Specifies the user name (account credentials) used for the operation. If no value is specified, the credentials of the current user are used for the operation.
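An added example (not from the post) of an unattended demotion using only parameters from the list above, written as a dcpromo answer file and run from PowerShell rather than passed on the command line, so the password does not appear in the process list or command history. It assumes a 2008 R2 Server Core DC that is not the last DC in its domain (on 2012 and later, dcpromo is replaced by Uninstall-ADDSDomainController), and that the answer file format is a `[DCINSTALL]` section of `Name=Value` lines, which is the documented format; the password is a placeholder.

```powershell
# Added example, not from the post: unattended demotion via an answer file.
$answerFile = Join-Path $env:TEMP 'demote.txt'

@'
[DCINSTALL]
; Local Administrator password the server will have once it is a member server
AdministratorPassword=REPLACE-WITH-STRONG-PASSWORD
; Another DC exists: fail instead of continuing if dcpromo cannot reach one
IsLastDCInDomain=No
IgnoreIsLastDcInDomainMismatch=No
; Do not force past a FSMO role; transfer it first or the demotion stops
DemoteFSMO=No
; Clean up metadata and DNS delegation rather than leaving stale records behind
RetainDCMetadata=No
RemoveDNSDelegation=Yes
RemoveApplicationPartitions=No
; Let this script decide when to reboot
RebootOnCompletion=No
RebootOnSuccess=NoAndNoPromptEither
'@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    $proc = Start-Process -FilePath 'dcpromo.exe' `
                          -ArgumentList "/unattend:`"$answerFile`"" -Wait -PassThru
    # dcpromo writes its detailed log to %systemroot%\debug\dcpromo.log
    "dcpromo exited with code $($proc.ExitCode); confirm the result in $env:SystemRoot\debug\dcpromo.log"
}
finally {
    # The answer file holds a clear-text password: remove it whether or not dcpromo ran.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}
```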

Set Authoritative Time Source within domain (Primary DC)

From Technet

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
  3. In the right pane, right-click AnnounceFlags, and then click Modify.
  4. In Edit DWORD Value, type A in the Value data box, and then click OK.
  5. Quit Registry Editor.
  6. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:

     net stop w32time && net start w32time
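An added script (not from the post or the Technet article) that makes the same AnnounceFlags change from PowerShell and then verifies it. The article text above omits the subkey; the script uses the documented W32Time Config key. "A" typed in regedit's default hexadecimal mode is 0xA (10 decimal), which the script sets directly. It refuses to run anywhere but the PDC emulator, since only that DC should advertise as the reliable source (Kerberos fails once clocks drift more than five minutes apart), and it assumes the ActiveDirectory RSAT module is available.

```powershell
# Added script, not from the post: set AnnounceFlags = 0xA on the PDC emulator and verify.
$w32Config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'   # documented W32Time key

# Only the PDC emulator should be marked as the domain's reliable time source.
$pdc = (Get-ADDomain).PDCEmulator
if (($pdc -split '\.')[0] -ine $env:COMPUTERNAME) {
    throw "This host is not the PDC emulator ($pdc); run the script there."
}

$before = (Get-ItemProperty -Path $w32Config).AnnounceFlags
'AnnounceFlags before: 0x{0:X}' -f $before

# 0xA = "always time server" + "always reliable time server"
Set-ItemProperty -Path $w32Config -Name AnnounceFlags -Value 0xA -Type DWord

# Restart the service (PowerShell has no cmd-style && so use two lines).
net stop w32time
net start w32time

# Verify the flag took effect and see where the PDC itself gets time from.
# A PDC whose source is "Local CMOS Clock" is reliable but free-running;
# point it at an external NTP source with, for example:
#   w32tm /config /manualpeerlist:"time.example.net" /syncfromflags:manual /reliable:yes /update
w32tm /query /configuration | Select-String -Pattern 'AnnounceFlags'
w32tm /query /source
w32tm /query /status | Select-String -Pattern 'Stratum|Source|Last Successful Sync'
```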