really I didn't realize that was all that was needed.

There's nothing magical about a domain controller - just the possibility that a transaction will get rolled back between when it happens, and when the database is copied to the host.

A rolled back AD is a world of pain, so there are a lot of warnings. But it's also easily avoided.

What would create a transacation besides the obvious things like a new user created or a computer joining the domain?

marshall28 wrote:

What would create a transacation besides the obvious things like a new user created or a computer joining the domain?

If you study the USN counter on a total idle domain controller it will increase without any objects created or modifed by any administrator. I have never seen it properly documented exactly why this happens, but as noted above the AD replication process is very sensitive about the USN numbers being totally correct and it is very good to be sure that nothing could in any way change, that is the database should not be active at all.

this has been the general fear thats kept me doing the demotion and conversion. would you say that going into active directory restore mode and doing the vmware conversion while the domain controller is in that state would ensure a successful conversion?

You would still have to be very careful to never let the original host ever have contact with the network, since that would break the converted DC as well. (In the case that it would need some quite difficult AD remove and clean up operations.)

rickardnobel,

how would you do the domain controller conversion and what has worked the best in your experience? In regards to that last post you made I would make sure to unplug the network cable on the converted physical domain controller after the conversion is complete.

thanks for your advice

I am personally more comfortable with doing a new dcpromo on a virtual machine and then demote the physical (after if needed moved FSMO roles and changed all DNS pointers from clients). However, depending on the environment the DNS part could take some work to identify all static pointers to the old IP.

If you first make sure all replication is in fact working (run repadmin /showrepl *) - paste the result here if you need help with verify - and then restart the VM into directory service restore mode (make sure you know the DSRM password!), do the conversion, make sure there are no physical network connectivity on the original machine - it should be safe for you to then start the converted VM. Be also sure to verify that the replication does work with the repadmin command above.

"I am personally more comfortable with doing a new dcpromo on a virtual  machine and then demote the physical (after if needed moved FSMO roles  and changed all DNS pointers from clients). However, depending on the  environment the DNS part could take some work to identify all static  pointers to the old IP."

this is how I have been doing it, I just wanted to see if doing the active directory restore mode way is a reliable effective alternative to accomplish the conversion without USN rollback occuring?

marshall28 wrote:

, I just wanted to see if doing the active directory restore mode way is a reliable effective alternative to accomplish the conversion without USN rollback occuring?

It only takes one work experience kid to turn on an old server ("hey, someone shutdown this machine") to blow up a migration you did six months earlier. Depends if you see that sort of thing as a risk.

well in my case the "old" server will actually be formatted and moved into a secondary backup server using vmware. So there wouldn't be an chances of a turn up. if thats the only worry than I will use this active directory restore mode to perform the migration.

thanks

everyone

Rickard Nobel wrote:

I am personally more comfortable with doing a new dcpromo on a virtual machine and then demote the physical (after if needed moved FSMO roles and changed all DNS pointers from clients). However, depending on the environment the DNS part could take some work to identify all static pointers to the old IP.

If you first make sure all replication is in fact working (run repadmin /showrepl *) - paste the result here if you need help with verify - and then restart the VM into directory service restore mode (make sure you know the DSRM password!), do the conversion, make sure there are no physical network connectivity on the original machine - it should be safe for you to then start the converted VM. Be also sure to verify that the replication does work with the repadmin command above.

Assuming that more than one domain controller is available, this is the ONLY way I ever move a DC to VMware.  More specifically:

1) Demote old physical server

2) Rename old physical server to something else & change IP to something else

3) Provision a new VM, name it the original DC name and give original IP address

4) DCPromo, reboot, and wait for replication

5) Set up any other services that might have been running, such as DNS, DHCP, etc.

6) Once it is certain the environment is stable (dcdiag, repadmin, due diligance, etc), repeat above steps for next DC

This way is the safest way, and gives you fresh install of Windows to boot.