VMware Cloud Community
theanykey
Virtuoso

Virtualizing existing domain controllers

This article discusses techniques and best practices for converting a Domain Controller using VMware Converter.

Symptoms

  • A converted domain controller does not synchronize

  • The DNS services on a converted domain controller do not bind to the network interface

  • The local domain database file (NTDS.DIT) is corrupted in the new virtual machine

  • The domain controller becomes tombstoned in Active Directory

  • Synchronization is unreliable with other domain controllers

  • Newly created or removed objects changed on the virtual machine or source reappear in Active Directory

  • The update or serial number changes unexpectedly on the domain controller

  • Kerberos authentication or trust failures

  • DNS lookup failures

  • You receive the following errors:

  • LSASS.EXE - System Error, security accounts manager initialization failed because of the following error: Directory Services cannot start. Error status 0xc00002e1.

  • Event ID: 1103 Description: "The windows directory services database could not be initialized and returned error 1032. Unrecoverable error, the directory can't continue."

Resolution

Introduction

A virtual machine created from an active domain controller may exhibit unexpected behavior. Domain controllers are very sensitive to hardware changes. When a physical server is virtualized, the hardware presented to the operating system may be very different. In addition, it is possible that a virtualized domain controller and an identical physical domain controller may be running simultaneously, which may result in unpredictable replication issues across Active Directory or even a tombstone condition. If you are using Windows NT, these changes may prevent the directory or DNS servers from binding to the network connection.

Follow one of the solutions below, depending on your situation:

Windows 2000 and 2003 Servers

For Windows 2000 and 2003 Servers:

  • Ensure another domain controller is online on the network and properly synchronized. If one is not available, provision a new domain controller as a virtual machine and promote it. Demote the domain controller using dcpromo. Set any static IP addresses to DHCP prior to conversion. When converted, power off the source server, reassign any static IP addresses and promote the virtualized server.

  • Install the Microsoft loopback adapter and assign it an unused static IP address. Set any static IP addresses of the physical network adapters to DHCP, prior to conversion. Power down the source server, then boot it up using the Converter boot CD. Cold clone the server. If a cold clone is not possible, start the server in Directory Recovery mode and perform a hot conversion. Failure to use Directory Recovery mode may result in an incomplete and corrupted copy of NTDS.DIT. After conversion is complete, you can remove the Microsoft Loopback adapter and restore the static IP addresses to the new virtual network cards.

  • Decommission the existing domain controller using dcpromo, and provision a new domain controller in a fresh installation of Windows Server in a new virtual machine. Do not perform the conversion at all, but use the source server's host name and IP address. (recommended)

Important Notes:

  • Always start using the new virtual machine as soon as possible after decommissioning the physical or source server. Failing to do so leads to a tombstone condition.

  • Never use the customization option in the Conversion Wizard. Using this process destroys the server on the destination.

  • Always be sure that the source server is powered off or decommissioned before starting the new virtual machine with the network cards connected.

  • If the server to be virtualized holds any FSMO roles, transfer the roles to an existing and running domain controller. If a problem happens during the conversion process, you can provision new domain controllers in Active Directory and perform other AD operations without having to seize roles from the unavailable domain controller.

Windows NT

Converting a Windows NT domain controller is a very involved process that may be trouble prone. VMware does not recommend converting a Windows NT domain controller if at all possible.

Warning: The following conversion process upgrades any NTFS file systems on the source and destination to version 3.0 (NTFS5). Do not perform these steps if you require disk utilities that are not compatible with newer NTFS file systems. To avoid the NTFS upgrade, perform a hot clone to convert a stand-alone server. Do not hot clone a domain controller.

Below is a detailed list of complete steps to assist you with fully converting a Windows NT domain controller. This process may take several hours to complete. You should plan a maintenance window accordingly to perform the conversion.

To convert a Windows NT domain controller:

1. Verify that you have the latest version of VMware Converter. Older versions do not support all Windows NT Fault Tolerant disk types. Use VMware Converter version 3.0.3 or higher.

2. Ensure the server is running Windows NT Service Pack 5 or higher (Service Pack 6a is recommended).

To determine this:

  • Click Start > Run.

  • Run the winver command. Do not proceed any further if the service pack requirement is not met.

3. Create a Rescue Diskette. Click Start > Run, and run the rdisk command. If there is a problem with the new virtual machine you may be able to repair the problem using the Rescue Diskette.

4. Ensure you have a complete and working backup of the server, especially if the Windows NT server is a Primary Domain Controller (PDC).

5. Ensure another domain controller is available to service user logins.

Note: If you are taking a PDC server offline, you cannot join any other DCs to the domain until it is online again as a virtual machine.

6. Install the Microsoft loopback adapter and assign it an unused static IP address.

7. Set any static IP addresses of the physical network adapters to DHCP.

8. Properly shut down the source server. Click Start > Shutdown > Shutdown the computer. Power off the server with its physical power switch.

9. Boot the Converter cold clone CD.

Warning: Starting the Converter cold clone CD upgrades the NTFS version on the disk on the source and destination virtual machine to version 3.0 (NTFS5). This may prevent disk check (chkdsk) and defrag utilities (Diskeeper) from working on the volume. For more information, see Windows NT 4.0 CHKDSK Refuses to Check NTFS 3.0/3.1 Volumes (http://support.microsoft.com/kb/196707).

Warning: Performing a hot clone of a Windows NT server may result in a corrupted NTDS.DIT on the destination virtual machine. Do not hot clone a Windows NT domain controller.

10. Perform the conversion to a new virtual machine, and power off the source server.

Warning: Do not power the server back on again for any reason after the new virtual machine is powered on with a network connection. Doing so may break synchronization with other domain controllers.

11. Review the virtual hardware settings on the new virtual machine:

  • Adjust the number of virtual NICs.

  • Remove any unnecessary devices such as USB controllers, COM ports or floppy drives.

12. Power on the new virtual machine with the network card disconnected.

13. Click Start > Settings > Control Panel > Add / Remove Programs. Remove any unnecessary programs used to install or support device drivers, such as RAID management tools, network teaming or management software, wireless card management software, and video and sound drivers.

Caution: Do not restart if prompted by an uninstall program.

14. Restart the virtual machine properly.

15. Remove any additional devices or device drivers that were used to support hardware on the physical server. Use the Control Panel to remove any unnecessary devices, especially COM ports, SCSI controllers, video, and network cards.

Do not remove the following devices:

  • Buslogic SCSI controller

  • IDE CD-ROM ATAPI controller

  • AMD PC NET network card

16. Restart the virtual machine properly.

17. Attempt to install the VMware Tools. If you are missing the CD-ROM drive in the virtual machine or if you are unable to get the network adapter installed, see After converting a physical server running Windows NT the CD-ROM or networking does not work on the VM (http://kb.vmware.com/kb/1002278).

18. Restart the virtual machine properly.

19. Assign the static IP addresses used on the source server to the new virtual network adapters, if applicable.

20. Restart the virtual machine properly.

21. Ensure the DNS and directory services are started and bound to a valid adapter and start correctly.

22. Remove the Microsoft loopback adapter.

23. Restart the virtual machine properly.

24. Review the server's Event Logs and ensure the necessary services are starting correctly without failures. To view the Event Log, click Start > Run, and run the eventvwr command.

Note: Some failures may be due to device drivers or services still being installed. You may need to manually disable or remove these services in the Control Panel to prevent these errors.

25. Shut down the virtual machine properly, then connect the network cards in the virtual device settings.

26. Start the virtual machine normally.

27. Ensure the DNS and directory services are started and bound to a valid adapter and start correctly.

28. Check the Event Logs for any remaining errors and correct as needed.

Important Notes:

  • Avoid converting Windows NT domain controllers if possible.

  • Before attempting conversion, always be sure another domain controller is online and properly synchronized.

  • Never use the customization option in the Conversion Wizard. Using this process destroys the server on the destination.

  • Always ensure that the source server is powered off or decommissioned before starting the new virtual machine with the network cards connected.

Virtualizing existing domain controllers

http://kb.vmware.com/kb/1006996

Best practices for using and troubleshooting VMware Converter

http://kb.vmware.com/kb/1004588
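The pre-conversion checks in the Windows 2000/2003 notes above (another DC online and synchronized, FSMO roles transferred) and the post-conversion checks in NT steps 21 to 28 (directory and DNS services bound to a valid adapter, loopback adapter removed, event logs clean) can be scripted. The following PowerShell health check is an added example, not part of the KB article or of VMware Converter; it assumes a modern admin workstation with the Windows Support Tools (repadmin.exe, netdom.exe) on the PATH, and $DcName and $ExpectedIp are placeholders for the DC being converted.

```powershell
# Added example (not from the KB article): health check for a converted Windows 2000/2003
# DC, run from an admin workstation. Assumes repadmin.exe and netdom.exe are on the PATH.
param(
    [string]$DcName     = 'DC01.example.local',   # placeholder
    [string]$ExpectedIp = '192.0.2.10'            # placeholder (RFC 5737 documentation range)
)
$findings = @()

# 1. Another DC must be online and replicating cleanly with this one (KB: "properly synchronized").
$repl = & repadmin /showrepl $DcName /errorsonly 2>&1
if ($LASTEXITCODE -ne 0 -or ($repl | Select-String -Quiet 'error|failed')) {
    $findings += 'repadmin reports replication errors for this DC'
}

# 2. FSMO roles should have been transferred off the DC before conversion (KB "Important Notes").
$fsmo = & netdom query fsmo 2>&1
if ($fsmo | Select-String -Quiet ([regex]::Escape($DcName.Split('.')[0]))) {
    $findings += 'This DC still holds one or more FSMO roles'
}

# 3. Directory, DNS, logon and Kerberos services must be running (KB steps 21 and 27).
foreach ($svc in 'NTDS', 'DNS', 'Netlogon', 'kdc') {
    $s = Get-Service -ComputerName $DcName -Name $svc -ErrorAction SilentlyContinue
    if (-not $s -or $s.Status -ne 'Running') { $findings += "Service $svc is not running" }
}

# 4. Services must answer on the production address, not only on the loopback adapter used
#    during conversion: DNS (53), Kerberos (88) and LDAP (389) on $ExpectedIp.
foreach ($port in 53, 88, 389) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($ExpectedIp, $port) }
    catch   { $findings += "Nothing answering on ${ExpectedIp}:$port" }
    finally { $client.Close() }
}

# 5. The loopback adapter should be gone once the static addresses are restored (KB step 22).
$loop = Get-WmiObject -ComputerName $DcName -Class Win32_NetworkAdapter |
        Where-Object { $_.Name -match 'Loopback' }
if ($loop) { $findings += 'Microsoft Loopback Adapter is still installed' }

# 6. Symptom events from the KB: NTDS event 1103 / error 1032 (unusable NTDS.DIT) and the
#    LSASS status 0xc00002e1, plus NTDS event 2095 (USN rollback, logged when source and clone
#    were both online with the same directory).
$bad = Get-EventLog -ComputerName $DcName -LogName 'Directory Service' -Newest 500 |
       Where-Object { $_.EventID -in 1103, 2095 -or $_.Message -match '1032|0xc00002e1' }
if ($bad) { $findings += "Directory Service log has $($bad.Count) critical entries" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'All checks passed' }
```

Run it once before the conversion (check 2 should pass, checks 5 and 6 do not apply yet) and again after step 28; any warning maps directly to the KB note or step named in the comment.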

azn2kew
Champion

It's a nice KB article. We always clean-install Windows 2003 Server and promote it from there, which is much easier and faster. There could be a lot of issues using P2V if it is not planned correctly, and it is also not a choice.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

DannoXYZ
Contributor

Hi, I've found this article to be very helpful. Just a question on the steps for virtualizing Win2k3 DCs. Those are three separate processes for virtualizing DCs right? You pick one of the three, rather than doing all three correct? If so, what is the purpose of the loopback adapter in the #2 technique?

Thanks.
