Windows – sysprep /generalize a domain controller

Tags: sysprep, windows-server-2012-r2

I have a Windows Server 2012 in a XenCenter virtual machine. The image is prepared as an IIS server and AD domain controller. The domain contains that single server only, but the AD will be synchronized with O365 directory and used by IIS for authentication.

I now want to deploy that image as an Azure VM, so the machine had to be generalized.

I executed Sysprep /generalize /shutdown /oobe and after that process finished, I made a snapshot and tried whether the machine would start up in Citrix again, and whether it would give me a chance to specify domain and user and password and all that stuff.

The error I get on bootup of the generalized system is "Windows Setup could not configure Windows to run on this computer's hardware" – although that Windows is running on exactly the same "hardware" as before.

As far as I now understand from what I read about that error, sysprep does not support generalizing domain computers, so it will try to remove that computer from the domain, which should – to my best knowledge – fail for the domain controller, and I guess no one has ever tried to generalize an (better: the) AD domain controller. Is this correct, and how can I check whether this is causing my issue?

Another possibility is issues with drivers, since "The main cause is due to incompatible driver". The only 3rd party drivers that come to mind are the Citrix drivers which I had to install at some point so I could use the mouse in the Citrix console. I only remember that it was a long and bumpy road to get them installed back then, without a mouse, so I'd like to postpone that test a bit.

Do you have any experiences to share about generalizing a Windows image with said error message, generalizing a Windows image with Citrix drivers or generalizing the image of an AD domain controller?

Best Answer

I don't know whether drivers are the actual cause of that error, but that's not relevant. You cannot generalize a domain controller. The boring reason is that Microsoft says Sysprep doesn't support the Active Directory Domain Services role; see "Sysprep Support for Server Roles."

Some specific reasons are:

  1. Domain controllers literally do not have a local account (SAM) database. Windows Welcome (OOBE) always creates a local user, but that's not going to work if there's no SAM database.
  2. Simple copies of domain controllers can easily cause USN rollbacks, and you will be exceptionally sad if that happens. There are some improvements for the situation in Windows Server 2012 with virtual DCs, but you still really want to avoid this. Note that USN rollback isn't possible if you only have the one domain controller, but you really need to know about this phenomenon in case you ever add more DCs.
  3. Sysprep generalization by definition removes all computer-specific information, including the machine SID. Since Sysprep doesn't know about Active Directory Domain Services or other domain controllers (which I know you don't have, but this is still really important), the new machine SID won't be the same as the other domain controllers, and suddenly you have an incorrect configuration.
  4. Sysprep removes domain joinedness, and it's not possible to be an active domain controller without being a member of the domain under control. The lack of a SAM database strikes again - it's not possible to be a functional machine with neither an ADDS database nor a SAM database.

If you need to move Active Directory Domain Services, you should promote a new DC, let Active Directory replicate fully, then gracefully demote the old machine.

Not immediately helpful but kind of relevant: If your domain controller was already virtual and you wanted to make a copy, you could take advantage of Windows Server 2012's Virtual Domain Controller Cloning feature.
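The question also asked how to check whether the domain controller role is what is breaking generalization. The following pre-sysprep check is an added example, not code from the question or the answer; it assumes Windows Server 2012/2012 R2 with the ServerManager module available, and the function name, variable names and output shape are my own.

```powershell
# Added example: refuse to generalize a machine that holds the AD DS role, and
# list the non-Microsoft PnP drivers (e.g. hypervisor tools) that Sysprep will
# have to cope with. Run in an elevated PowerShell session.

function Test-SysprepReadiness {
    [CmdletBinding()]
    param()

    $blocking = @()

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.DomainRole -ge 4) {
        $blocking += "DomainRole=$($cs.DomainRole): this machine is a domain controller"
    }

    # Sysprep does not support the AD DS role even before promotion.
    $adds = Get-WindowsFeature -Name AD-Domain-Services -ErrorAction SilentlyContinue
    if ($adds -and $adds.Installed) {
        $blocking += 'AD-Domain-Services role is installed'
    }

    # Non-Microsoft signed drivers are worth recording, because the same
    # "could not configure Windows to run on this computer's hardware"
    # message is also reported for driver problems.
    $thirdParty = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DriverProviderName -and $_.DriverProviderName -notmatch 'Microsoft' } |
        Select-Object -Unique DriverProviderName, DeviceName

    [pscustomobject]@{
        ComputerName      = $cs.Name
        DomainRole        = $cs.DomainRole
        BlockingIssues    = $blocking
        ThirdPartyDrivers = $thirdParty
        SafeToGeneralize  = ($blocking.Count -eq 0)
    }
}

$result = Test-SysprepReadiness
$result | Format-List

# After a failed generalize, Sysprep's own error log confirms the cause.
$log = Join-Path $env:windir 'System32\Sysprep\Panther\setuperr.log'
if (Test-Path $log) { Get-Content -Path $log -Tail 20 }

if (-not $result.SafeToGeneralize) {
    Write-Warning 'Do not run sysprep /generalize here; promote a new DC, let it replicate, then demote this one.'
}
```

On the machine described in the question, DomainRole comes back as 5 and the AD DS feature shows as installed, so SafeToGeneralize is false regardless of what the Citrix drivers do.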
