Friday, March 2, 2007

Restoring a Domain into a VMware Virtual Environment for a Lab or Test

Key article KB249694: How to move a Windows installation to different hardware

The first step is to make sure that the restored system runs on the same hal.dll (uniprocessor vs. multiprocessor) as the original server. In our environment almost every server has two or more processors, so I had to shut down the virtual machine and give it 2 processors. About 5 minutes after logging in as an administrator, Windows asked for a reboot to take advantage of the new hardware.

The first machine to restore is the one holding the global catalog in the topmost domain, the forest root. When you restore

Next I restored C: and the System State. No big problem there, just wait it out and don't reboot! Wait until you have replaced c:\boot.ini with your backup from c:\backup. Also make sure that c:\windows\repair\boot.ini doesn't revert (only an issue if you did this once before and still have an old backup boot.ini there). Microsoft's procedure includes a registry step for the first domain controller in a new environment, but we found that the registry entry wasn't available until after the next reboot.

Reboot the restored pc.

The boot.ini procedure in detail: before the restore, copy boot.ini into a folder such as c:\backup. After restoring through ntbackup and before rebooting, replace c:\boot.ini with c:\backup\boot.ini, and copy c:\backup\boot.ini to c:\windows\repair\ as well.

We have 2 domains in our forest: an empty root domain that has the highest security, and a primary domain which all users use for day-to-day activities. We have split the Active Directory roles between 2 machines at each level. We found it easier to restore the global catalog domain controller first because you then have the entire database to authenticate against.

The first domain controller restored in each domain needs a registry edit: set HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\{GUID}\BurFlags to 0xD4 (212 decimal). If you have multiple GUIDs, use the GUID found under HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets. We had to do this twice, once for each domain! The errors we saw when we missed the second domain came from dcdiag and netdiag: replication errors, secure channel errors, and domain controllers not being recognized as members of the domain they are supposed to belong to.
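The boot.ini and BurFlags steps above, plus the dcdiag/netdiag/share checks the post used afterwards, wrapped into one script. This is an added example, not the post's own script. It assumes the paths used in the post (C:\backup, C:\boot.ini, C:\windows\repair), that reg.exe and dcdiag are present on the restored DC and netdiag from the Support Tools, and that the admin picks the SYSVOL replica set GUID from the listing; the nonauthoritative value 0xD2 for the remaining DCs in a domain comes from KB290762, not from this post.

```batch
@echo off
REM Added example, not the original post's script: the boot.ini backup/restore and
REM NtFrs BurFlags steps described above, plus the checks the post ran afterwards.
REM Assumptions: paths as in the post (C:\backup, C:\boot.ini, C:\windows\repair),
REM reg.exe/dcdiag on the restored DC, netdiag from the Support Tools.
setlocal
set BACKUPDIR=C:\backup
set NTFRS=HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters

if /i "%~1"=="backup"   goto backup
if /i "%~1"=="restore"  goto restore
if /i "%~1"=="burflags" goto burflags
if /i "%~1"=="check"    goto check
echo usage: %~nx0 backup ^| restore ^| burflags {GUID} [auth^|nonauth] ^| check
exit /b 1

:backup
REM Run on the freshly built VM *before* the ntbackup restore: this boot.ini
REM matches the virtual disk, the one in the backup set matches the old hardware.
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"
copy /y C:\boot.ini "%BACKUPDIR%\boot.ini" >nul || exit /b 1
echo saved C:\boot.ini to %BACKUPDIR%\boot.ini
exit /b 0

:restore
REM Run after the C: + System State restore and BEFORE the first reboot.
if not exist "%BACKUPDIR%\boot.ini" (echo no backup at %BACKUPDIR%\boot.ini & exit /b 1)
REM boot.ini is read-only/system/hidden; copy /y cannot overwrite it otherwise.
attrib -r -s -h C:\boot.ini
copy /y "%BACKUPDIR%\boot.ini" C:\boot.ini >nul || exit /b 1
copy /y "%BACKUPDIR%\boot.ini" C:\windows\repair\boot.ini >nul || exit /b 1
attrib +r +s +h C:\boot.ini
REM fc returns non-zero if the two copies differ, i.e. if a copy did not take.
fc C:\boot.ini C:\windows\repair\boot.ini >nul || (echo boot.ini copies differ & exit /b 1)
echo boot.ini replaced in C:\ and C:\windows\repair - snapshot the VM now, then reboot
exit /b 0

:burflags
REM Without a GUID, list the replica sets so the SYSVOL one can be chosen.
if "%~2"=="" (
  echo Replica sets on this DC:
  reg query "%NTFRS%\Replica Sets"
  echo rerun with the GUID of the SYSVOL replica set
  exit /b 1
)
REM The post found the Cumulative Replica Sets key only exists after the first
REM post-restore reboot; fail loudly instead of creating an orphan key.
reg query "%NTFRS%\Cumulative Replica Sets\%~2" >nul 2>&1 || (
  echo %~2 not under Cumulative Replica Sets yet - reboot once after the restore and retry
  exit /b 1
)
REM 0xD4 (212) = authoritative, first DC restored in each domain (as in the post);
REM 0xD2 (210) = nonauthoritative, every other DC in that domain (KB290762).
set FLAG=212
if /i "%~3"=="nonauth" set FLAG=210
reg add "%NTFRS%\Cumulative Replica Sets\%~2" /v BurFlags /t REG_DWORD /d %FLAG% /f || exit /b 1
net stop ntfrs
net start ntfrs
exit /b 0

:check
REM /q prints only failures; this is where the missed second-domain BurFlags
REM edit showed up as replication and secure channel errors.
dcdiag /q
netdiag /q
echo --- shares (SYSVOL and NETLOGON should both be present):
net share | findstr /i "SYSVOL NETLOGON"
exit /b 0
```

Run `backup` on the template before the ntbackup restore, `restore` after the restore and before the first reboot, `burflags {GUID}` after that reboot on the first DC of each domain (and `burflags {GUID} nonauth` on any further DC in the same domain), then `check` once FRS has restarted.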

Our first step was to mimic our production network subnet in a host-only network.

We then installed Windows Server 2003 to a virtual disk. We found out the hard way that the template had to be at the same service pack level as production, SP1 for us. I then created a sysprep.inf answer file to speed up deployment. After resealing the image, I just copied the generic template 4 times. Each copy had to go through a mini-setup, but it was pretty easy to work on 4 machines at the same time.
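A minimal sysprep.inf of the kind the paragraph describes, for a Windows Server 2003 SP1 template that will later receive a restored System State. This is an added example, not the author's file; the organization name, time zone index and the placement in C:\sysprep are assumptions, and the product key is left for the admin to fill in.

```ini
; Added example sysprep.inf for a Windows Server 2003 SP1 lab template (not the post's own file).
; Assumed to sit in C:\sysprep\ next to sysprep.exe and setupcl.exe before "sysprep -reseal -mini".
[Unattended]
    OemSkipEula=Yes
    InstallFilesPath=C:\sysprep\i386
[GuiUnattended]
    ; Local Administrator password of the template; "*" means blank (assumption for a lab).
    AdminPassword=*
    EncryptedAdminPassword=No
    OEMSkipRegional=1
    OemSkipWelcome=1
    ; 035 = Eastern (assumption); match production so Kerberos clock skew is not an issue.
    TimeZone=035
[UserData]
    ; Intentionally left for the admin to fill in.
    ProductKey=
    FullName="Lab Admin"
    OrgName="Example Lab"
    ; "*" lets mini-setup generate a name; the restored registry (System State) brings back the real one.
    ComputerName=*
[Identification]
    ; Stay in a workgroup: the machine becomes a DC again when the System State is restored.
    JoinWorkgroup=WORKGROUP
[Networking]
    InstallDefaultComponents=Yes
```

With OemSkipWelcome, OEMSkipRegional and a generated ComputerName, the mini-setup on each of the 4 copies runs through without prompts, which is what makes working on several restores in parallel practical.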

Right after copying boot.ini to the right places, we took a snapshot. Again, this was learned the hard way; snapshots can save you lots of time!

Our last issue is the Netlogon share on each domain controller, but since the Sysvol share came back automatically once the replication errors went away, we are hopeful that this will also correct itself. I think the only thing we are still missing is Group Policy.