
I have reason to believe that previous administrators cloned our Domain Controller at some point in its recent lifetime. The DC at one point was running on Server 2003 and has since been upgraded to Server 2008 R2 Standard. The functional level sits at 2008 as well. Cloning a domain controller is not supported by Microsoft until Server 2012. We have seen many oddities that do not make sense and believe that our secondary DC is simply a clone of the primary, or even that our existing primary DC is a clone of a past DC. Our DCs are VMs running on Microsoft's Hyper-V. Currently they sit on a host with Server 2012 R2, and our second DC is hosted on a Server 2008 R2.

Does anyone know if there is a way to see if a DC has been cloned?

veel84

Comments:
  • Just demote it to be safe and stand up a fresh DC? Sounds a lot easier than this idea. – HopelessN00b Mar 14 '15 at 23:07
  • Can you be more specific about your observed issues? I can't see how you could clone a 2k3/2k8 DC once it's running the ADS role. This leaves just pre-DCPROMO cloning as a possibility. Is this your suspicion? – Simon Catlin Mar 14 '15 at 23:09

1 Answer

PsGetSid from Sysinternals will show if the SIDs match.
https://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

If they match, then that's the answer; if they are different, then it won't show whether it was cloned and sysprep'd, or changed via another method, or not a clone at all.

OTOH, MS provides a 180-day free trial: spin up a new 2012 VM, promote it, and then remove AD from the possible clone. If the problems stop, then there is at least one known solution.

[EDIT] The above is incorrect, thank you @RyanRies.
GetSID will return the same computer account SID for all DCs in a domain. In a non-cloned environment, with 2 DCs in the same site, ADSIEdit will list different ObjectGUIDs, and the ObjectSID will match the GetSID output + "-%4DifferentDigits%".

Ed Fries

Comments:
  • Despite the upvotes, I feel this is incorrect. All domain controllers in the domain will always have identical machine SIDs. The DC promotion process changes the machine's SID to match that of its replication partner. This is why all DCs in the domain share the same BUILTIN accounts, for example. Note, however, that the machine SID is different than the domain account SID. What I'm saying is that there are two different SIDs for a machine that is joined to an Active Directory domain. Anyway, you are chasing a red herring. You need to post what your *actual* problem is. – Ryan Ries Mar 15 '15 at 17:49
  • Interesting, @RyanRies thank you for the input and correction. After testing further I agree, GetSID will return the same machine SID for all DCs. Using ADSIEdit instead, the ObjectGUIDs are completely different and the ObjectSID = what GetSID returns + "-%4DifferentDigits%". I will edit the answer to reflect the correction. – Ed Fries Mar 15 '15 at 22:00
  • In that case, downvote retracted in anticipation of future refinement of this answer. :) – Ryan Ries Mar 16 '15 at 02:02
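The check the corrected answer describes (every DC's computer object has its own objectGUID, and its objectSid is the domain SID that PsGetSid reports on a DC plus a per-object RID) can be scripted instead of read off ADSIEdit one object at a time. The following PowerShell is an added example, not code from the answer or from Microsoft; it assumes the RSAT ActiveDirectory module is installed and that the caller can read the DC computer objects. It goes slightly beyond the answer by also comparing each DC's NTDS InvocationId, which is another per-DC identifier that a clone would carry over unchanged.

```powershell
# Added example: list the per-DC identifiers the answer relies on and flag
# any value that is shared between two domain controllers.
# Assumes the ActiveDirectory RSAT module and read access to the DC objects.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value   # what PsGetSid prints when run on a DC

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties objectGUID, objectSid
    $sid  = $comp.SID.Value
    [pscustomobject]@{
        Name               = $dc.HostName
        ObjectGUID         = $comp.ObjectGUID.Guid
        ObjectSid          = $sid
        # The answer's "-%4DifferentDigits%": the RID after the domain SID prefix.
        Rid                = if ($sid.StartsWith("$domainSid-")) { $sid.Substring($domainSid.Length + 1) } else { $null }
        SidHasDomainPrefix = $sid.StartsWith("$domainSid-")
        InvocationId       = $dc.InvocationId   # NTDS replication identity (check added beyond the answer)
    }
}

$report | Format-Table -AutoSize

# A healthy, non-cloned set of DCs has no duplicates in any of these columns.
foreach ($prop in 'ObjectGUID', 'ObjectSid', 'InvocationId') {
    $dups = $report | Group-Object -Property $prop | Where-Object { $_.Count -gt 1 }
    foreach ($d in $dups) {
        Write-Warning ("Duplicate {0} {1} shared by: {2}" -f $prop, $d.Name, (($d.Group.Name) -join ', '))
    }
}
```

Running `psgetsid.exe \\<dc-hostname>` against each DC should print the same value as `$domainSid`, which is the identical-machine-SID behaviour the comments describe; the per-DC differences to look for are in the ObjectGUID, Rid and InvocationId columns, and a warning from the duplicate check is the signal that two DC objects are not independent.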