Thursday, August 20, 2009

Virtualising existing domain controllers


Against VMware's recommendations, I have written up the safest way to virtualise a domain controller without demoting it to a standalone server as described here:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006996


Part 1. Install VM Converter

1. Install the standalone VM Converter tool on the domain controller.

Part 2. Boot the server in Directory Services Restore Mode (DSRM)

1. On your machine, select Run from the Start menu, type Mstsc /console, and click OK.

2. Type the FQDN of the DC.

3. Log on to the server using a domain admin account.

4. On the DC, select Run from the Start menu, type sysdm.cpl, and click OK.

5. On the Advanced tab, click Settings in the Startup and Recovery section. Click Edit. This opens the boot.ini file in Notepad.

6. Add the following line to the end of the boot.ini file, then save and close the boot.ini file: /SAFEBOOT:DSREPAIR

7. Disable the FRS services.

8. Reboot the server.

9. RDP to the server again (make sure you use the /console switch).

10. When you reconnect, the server should state that it’s in safe mode. Log on using the recovery console account.

Part 3. Convert the domain controller

1. Use VM Converter to convert the server.

2. Resize disks as appropriate.

3. Once conversion is complete, shut down the physical server, physically disconnect it from the network, and do not reconnect it for any reason!

Part 4. Clean up the new virtual DC

1. Boot the new VM server in a network-isolated state. The server should still be in DSRM, as we haven't removed /SAFEBOOT:DSREPAIR from the boot.ini.

2. Uninstall all HP software except HP Data Protector or other provider software.

3. Remove hidden NICs using Devcon: http://support.microsoft.com/kb/269155

4. Assign the correct server to the VM NIC. This is very important, as this is a DNS server.

5. Reboot the server.

6. Check the event logs for hardware-related issues.

7. If all looks good, remove /SAFEBOOT:DSREPAIR from the boot.ini.

8. Re-enable the FRS services.

9. Reboot the server and place it back on the network. (From this point forward we cannot roll back to the original server.)

Part 5.

1. Check replication!

2. Check FRS replication! If required, do a non-authoritative restore of SYSVOL: http://support.microsoft.com/kb/840674

3. Destroy the original Domain Controller!!!

4. Never Clone a DC as a Backup!!!


Cheers

Steve
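
An added example for Part 5, step 1 (not from the original post): a PowerShell function that reads repadmin /showrepl /csv output and reports inbound links that are failing or that have not synced successfully since the VM was placed back on the network, since a zero-failure row can simply be state left over from before the conversion. The function name, the ReconnectedAt parameter and the sample rows are assumptions constructed for illustration.

```powershell
# Added example (not from the original post): triage `repadmin /showrepl /csv`
# output after the virtualised DC is back on the network.
function Get-UnhealthyReplLink {
    param(
        [string[]]$CsvLines,       # raw lines from repadmin /showrepl /csv
        [datetime]$ReconnectedAt   # assumed input: when the VM rejoined the network
    )
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)
        $lastOk = [datetime]::MinValue   # stays MinValue if the link never succeeded
        [void][datetime]::TryParse($row.'Last Success Time', [ref]$lastOk)

        $reason = $null
        if ($row.showrepl_COLUMNS -eq 'showrepl_ERROR') { $reason = 'DC could not be queried' }
        elseif ($failures -gt 0) { $reason = "failing, last status $($row.'Last Failure Status')" }
        elseif ($lastOk -lt $ReconnectedAt) { $reason = 'no successful sync since reconnect' }

        if ($reason) {
            New-Object PSObject -Property @{
                NamingContext = $row.'Naming Context'
                SourceDC      = $row.'Source DSA'
                Reason        = $reason
            }
        }
    }
}

# Constructed sample output (host and domain names are made up).
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC-VM01,"DC=example,DC=test",Default-First-Site-Name,DC02,RPC,0,0,2009-08-20 10:15:02,0
showrepl_INFO,Default-First-Site-Name,DC-VM01,"CN=Configuration,DC=example,DC=test",Default-First-Site-Name,DC02,RPC,3,2009-08-20 10:20:41,2009-08-19 22:04:10,1722
showrepl_INFO,Default-First-Site-Name,DC-VM01,"CN=Schema,CN=Configuration,DC=example,DC=test",Default-First-Site-Name,DC02,RPC,0,0,2009-08-19 22:04:10,0
'@ -split "`r?`n"

Get-UnhealthyReplLink -CsvLines $sample -ReconnectedAt '2009-08-20 09:00' |
    Select-Object NamingContext, SourceDC, Reason | Format-Table -AutoSize
# Live use on the DC: Get-UnhealthyReplLink -CsvLines (repadmin /showrepl /csv) -ReconnectedAt $t
```

An empty result means every inbound link has replicated successfully since the reconnect time you supplied.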