Friday, May 20, 2011

Directory Services Restore to Virtual from Physical

I've restored Windows Server 2003 Active Directory Directory Services from a physical to a virtual server lately, probably more times than is reasonable: four successful, one unsuccessful (see the note about cavalier deletion of network registry keys below). I've also been playing with Domain Rename operations in Windows Server 2008 (R2 in this case) and their hiccups. Unfortunately, it doesn't sound like my company will be changing our .local domain to .com any time soon, as Microsoft does not support domain name changes with Microsoft Exchange 2007 or 2010 (http://technet.microsoft.com/en-us/library/cc816848%28WS.10%29.aspx). Three of our more important server applications can handle it, it seems. Earlier, I laid out steps to back up the physical Active Directory server and restore it to a virtual one, involving 3 virtual machines and a bunch of tools. I think I now have a more streamlined version:

1) Back up the system state of the Domain Controller (the Active Directory or Directory Services server) using NTBackup in Advanced Mode, selecting only the System State, on Windows Server 2003 (we're moving to 2008 soon, though).
2) Create the Windows Server 2003 virtual server (fully patched, with the virtual machine additions installed) and copy over the backed-up system state.
3) Move the virtual server off the production network before restoring. Once the system state is restored it will carry the production DC's name, SID and IP address and claim the operations master roles, so on the same network it would interfere with the live domain.

4) Give the network adapter of the virtual server a static address. I matched the address of the physical server and also added the Domain Controller (Active Directory) role to match the configuration I was restoring. As I was restoring the system state, this step might be unnecessary.
5) Restart in Directory Services Restore Mode: press F8 after the BIOS screen and before the Windows splash screen, select the option and press Enter.
6) Log in to Windows (in Directory Services Restore Mode this is the local DSRM administrator account and password, not a domain account), run NTBackup in Wizard Mode, select the backup file, and restore the system state. After completing the restoration, clicking Close prompts a restart. Restart.
7) Pressing F8 after the BIOS but before the Windows splash screen, selecting Safe Mode, and pressing Enter allowed Windows to detect the new hardware (trying to boot into Windows in normal mode would hang in my case), but because I was restoring an OEM copy, I had to repair Windows.

8) After restoring the system state, I was left with services that no longer started and were not strictly necessary, so I deleted them with sc delete. I also changed the McAfee mfevtp and mfehidk services to manual start. Not necessary if you don't mind seeing "One or more services failed to start..." on startup.
9) Give the presumably new network adapter a static IP address. Again, I matched the restored configuration.
10) Open DNS from Start -> Administrative Tools. Expand to the forward lookup zone(s), right-click the zone and click Properties. On the Name Servers tab, select and remove the name servers that are not being restored. Do the same for the reverse lookup zone(s), if applicable.
11) Open Active Directory Sites and Services from Start -> Administrative Tools. For the server(s) that remain, right-click NTDS Settings, click Properties and make sure Global Catalog is checked. Under the remaining server's NTDS Settings, delete the replication connections that come from servers that won't be restored. Then, for each server not being restored under Sites - Servers, expand its NTDS Settings and delete its connection objects, delete the NTDS Settings object itself, choose "This domain controller is permanently offline and can no longer be demoted using Active Directory Installation Wizard (DCPROMO)", and click Delete. Delete the server object as well.
12) Open Active Directory Domains and Trusts from Start -> Administrative Tools. Right-click Active Directory Domains and Trusts and click Operations Master. A restored server should be the Domain Naming Master. If not, change the role by seizing it (the Change button in the GUI attempts a transfer, which fails with the old holder gone; seizing is done with ntdsutil).
13) Open Active Directory Users and Computers from Start -> Administrative Tools. Right-click Active Directory Users and Computers, click All Tasks -> Operations Masters... and make sure a restored server is Operations Master for the RID, PDC and Infrastructure roles. If not, change the roles by seizing them.
14) If not installed, install the Windows Server Support Tools from the installation media (\SUPPORT\TOOLS\SUPTOOLS.MSI). Click Start -> Run, type regsvr32 schmmgmt.dll and click OK, OK. Click Start -> Run, type mmc and click OK. Click Console Root, click Add/Remove Snap-in..., click Add, select Active Directory Schema, click Add, Close, and OK. Right-click Active Directory Schema and click Operations Master. Make sure a restored server is the Schema Master (seizing this role requires membership in Schema Admins).
15) Open Active Directory Users and Computers from Start -> Administrative Tools. Expand the domain and click Domain Controllers. Press Delete for the domain controllers not being restored, select "This domain controller is permanently offline and can no longer be demoted using Active Directory Installation Wizard (DCPROMO)" and click Delete and Yes.
16) Open DNS from Start -> Administrative Tools. In the domain.local forward lookup zone, delete the (same as parent folder) A records for the domain controllers not being restored. Double-click DomainDnsZones and delete its (same as parent folder) entries for those DCs. Expand DomainDnsZones - _sites - Default-First-Site-Name - _tcp and delete their entries, then expand DomainDnsZones - _tcp and delete their entries. Double-click ForestDnsZones and do the same: its (same as parent folder) entries, ForestDnsZones - _sites - Default-First-Site-Name - _tcp, and ForestDnsZones - _tcp. Expand _msdcs - gc and delete their entries there as well, and check the rest of _msdcs for the CNAME alias records (named by each DC's DSA GUID) that still point at the old servers. Every one of these records sends clients and other DCs to a server that no longer exists, and any that are missed show up later as slow logons and DC locator timeouts.
17) Make sure SYSVOL and NETLOGON are being shared (browse \\HOSTNAME or \\localhost). The most recent time I did this, I saw a folder called NtFrs_Preexisting___See_EventLog under c:\Windows\Sysvol\Sysvol\Domain.local\, so I made a copy, moved the scripts and policies out of it back under the domain.local folder and deleted the NtFrs_... folder. Then I opened regedit (Start -> Run -> regedit, OK), set BurFlags to D4 under HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup, and restarted the NtFrs service to get Sysvol (c:\Windows\Sysvol\Sysvol) and Netlogon (c:\Windows\Sysvol\Sysvol\Domain.local\scripts) shared. D4 is an authoritative FRS restore: it marks this copy of SYSVOL as the one every other replica must take. That is the right value here only because this is the last remaining DC; any DC added later should be left to replicate from it rather than given D4 as well.
18) At this point, I have a domain controller that can be joined to. Unfortunately, in my cases this domain controller now carries registry entries, Add/Remove Programs entries and files from the physical server that may be suspect, so I preferred to join a clean virtual server to it, promote that server to a domain controller with DNS, transfer the operations master roles to it, and then demote and disjoin the "dirty" server from the domain.
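The same clean-up as commands rather than console clicks, added here as an example that is not part of the original post. It assumes the restored DC is the only DC left, Windows Server 2003 SP1 or later with the Support Tools (netdom, dnscmd) and PowerShell 2.0 installed, or a 2008 R2 DC where those tools are built in, and that _msdcs is a subfolder of the domain zone as in the post. The domain, server, site and address names are placeholders. It covers steps 8 and 10 through 17 and finishes with the checks a practitioner would run before trusting the result.

```powershell
# Added example, not from the original post. Every name and address below is a
# placeholder. Run as Domain Admin (and Schema Admin, for the schema master
# seizure) on the restored DC, while it is still off the production network.
$Zone       = 'domain.local'
$RestoredDc = 'DC1'
$Site       = 'Default-First-Site-Name'
$DomainDn   = ($Zone.Split('.') | ForEach-Object { "DC=$_" }) -join ','
# DCs that were not restored, with the addresses they had registered in DNS.
$StaleDcs   = @{ 'DC2' = '192.168.1.12'; 'DC3' = '192.168.1.13' }

# Step 8: services the restore dragged along. "sc" alone is PowerShell's alias
# for Set-Content, so call sc.exe; sc.exe also needs the space after "start=".
foreach ($svc in 'mfevtp', 'mfehidk') { sc.exe config $svc start= demand }
# sc.exe delete 'SomeDeadService'    # placeholder, for services that should go entirely

# Steps 12-14: see who holds the five FSMO roles, then seize them onto the
# restored DC. ntdsutil tries a transfer first and seizes when the old holder
# is unreachable; each seize shows a confirmation dialog that must be acknowledged.
netdom query fsmo
ntdsutil 'roles' 'connections' "connect to server $RestoredDc" 'quit' `
    'seize schema master' 'seize naming master' 'seize pdc' `
    'seize rid master' 'seize infrastructure master' 'quit' 'quit'

# Steps 11 and 15: metadata cleanup by DN (2003 SP1 and later) removes the stale
# DC's NTDS Settings, server object and computer account in one step.
foreach ($dc in $StaleDcs.Keys) {
    $serverDn = "CN=$dc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"
    ntdsutil 'metadata cleanup' "remove selected server $serverDn" 'quit' 'quit'
}

# Steps 10 and 16: metadata cleanup does not touch DNS on 2003, so the NS, apex A
# and SRV records that still point at the stale DCs are deleted here.
# dnscmd /RecordDelete <zone> <node> <type> <data> /f; "@" is the zone apex and the
# SRV data must match what the DC registered (priority 0, weight 100, port, target).
$srvNodes = @(
    '_ldap._tcp', '_kerberos._tcp', '_kerberos._udp', '_kpasswd._tcp', '_kpasswd._udp', '_gc._tcp',
    "_ldap._tcp.$Site._sites", "_kerberos._tcp.$Site._sites", "_gc._tcp.$Site._sites",
    '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs', '_ldap._tcp.pdc._msdcs', '_ldap._tcp.gc._msdcs',
    "_ldap._tcp.$Site._sites.dc._msdcs", "_kerberos._tcp.$Site._sites.dc._msdcs",
    "_ldap._tcp.$Site._sites.gc._msdcs",
    '_ldap._tcp.DomainDnsZones', "_ldap._tcp.$Site._sites.DomainDnsZones",
    '_ldap._tcp.ForestDnsZones', "_ldap._tcp.$Site._sites.ForestDnsZones"
)
$ports = @{ '_ldap' = 389; '_kerberos' = 88; '_kpasswd' = 464; '_gc' = 3268 }
foreach ($dc in $StaleDcs.Keys) {
    $fqdn = "$dc.$Zone."
    dnscmd $RestoredDc /RecordDelete $Zone '@' NS $fqdn /f
    foreach ($node in '@', 'DomainDnsZones', 'ForestDnsZones', 'gc._msdcs') {
        dnscmd $RestoredDc /RecordDelete $Zone $node A $StaleDcs[$dc] /f
    }
    foreach ($node in $srvNodes) {
        # LDAP to the global catalog listens on 3268, so the gc._msdcs entries use it.
        if ($node -match 'gc\._msdcs$') { $port = 3268 } else { $port = $ports[$node.Split('.')[0]] }
        dnscmd $RestoredDc /RecordDelete $Zone $node SRV 0 100 $port $fqdn /f
    }
}

# Step 17: authoritative FRS restore of SYSVOL. D4 (212 decimal) marks this
# replica as the winner and is only correct because no other DC remains.
# reg.exe is used because the key name contains "/", which the PowerShell
# registry provider would read as a path separator.
reg.exe add 'HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup' `
    /v BurFlags /t REG_DWORD /d 212 /f
net.exe stop ntfrs
net.exe start ntfrs

# Checks: the shares, the roles, no stale replication partners, the DC locator,
# and dcdiag's own view of the restored DC.
net.exe share | Select-String 'SYSVOL|NETLOGON'
netdom query fsmo
repadmin /showrepl
nltest "/dsgetdc:$Zone"
dcdiag /q
```

The SRV list is the set a 2003 DC registers for a single domain in a single-domain forest; the per-domain-GUID entry under _msdcs\domains and the DSA-GUID CNAMEs are left for the DNS console because the GUIDs are not known in advance. If repadmin still lists a partner that was not restored, the metadata cleanup for that server did not complete and should be repeated before any new DC is promoted.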
