Create A Test Domain (Old Style)

This document was prepared for building a copy of the production Active Directory. Following these steps will define how to rebuild the entire Microsoft Active Directory for a test domain. *** Be careful ***

The first set of steps is to get a good PC into the production domain. Once this PC is a member it needs to be promoted and become a healthy participant in the network. The new DC then needs to be removed from the network before it is restarted (from its restore) to prevent any replication activity from damaging the production system. Reconnecting it to the production system will create major problems in the production system.
1. Shutdown ALL PCs within the test sub-net (for this document it will be 192.168.1.x, gateway = 192.168.1.250, mask = 255.255.255.0)
2. Remove the physical cable for the new PC and build the member server in production (this all should reside within the test domain)
   · Install DNS (AD Integrated is needed for this document)
3. Re-connect the cable and join the Domain_Name.com domain
   · Select the IP Address 192.168.1.101
   · Select the mask 255.255.255.0
   · Select the Gateway 192.168.1.250
   · Point the DNS services to a production AD DNS server
4. Promote the server to a Domain Controller (DC) via dcpromo.exe
5. Promote the server to a Global Catalog Server
6. Let the system sit idle (2 hours) for Replication to sync up
   · Point the DNS services to itself
7. Open up a command prompt
   · dcdiag /v /test:ridmanager
   · Make sure there are no errors with the RID manager
   · Create an object on the new DC
   · Physically disconnect the cable
   · Bring up “Active Directory Users and Computers”
   · By disconnecting you force the system to attach locally
   · Create a test user with the account disabled
   · Reconnect the physical cable
8. At a command prompt type in NTBACKUP and do a system state backup, saving the file to the local server
9. Demote this server to a member server within the production domain (DCPROMO)
   · Remove the NS record in the production environment
10. Physically disconnect the server from the network by unplugging the cable from the hub
11. Move the server to the test domain
12. Re-Promote once this system has been disconnected and the IP changed
   · Dcpromo
   · Domain Name = Domain_Name.com
   · NetBIOS Name = NetBIOS_Name
   · Allow the promotion to create the DNS domain
   · Once this DC is brought online (the DNS services on the member server can be shut down), define it with Active Directory Integrated DNS and all name space records will be restored. Make sure to bring up DNS and select reload to refresh all data
      · Active Directory Integrated
      · Only Secure Updates
13. Reboot this server and after the POST select F8
   · Scroll down and select the option “Directory Services Restore Mode (Windows 200x domain controllers only)”
14. Log on as the administrator (this is within the old SAM account)
15. Restore the System State from the previous NTBACKUP
16. Re-boot the Domain Controller (DC)

Now that the DC is restored it needs to take control of all Flexible Single Master Operation (FSMO) roles and the File Replication Service. Because of this, utilities need to be loaded off of the Windows 200x install CD. NTDSUTIL will perform most of these steps. Since this is the first DC it needs to be a Global Catalog server and validate that it is the primary server in the domain.
17. After the POST select F8
   · Scroll down and select the option “Directory Services Restore Mode (Windows 200x domain controllers only)”
18. Log on as the administrator (this is within the old SAM account)
19. Install the Windows 200x Active Directory Administration Tools from the server CD
   · D:\i386\Adminpak.msi
20. Install the Windows 200x Server Resource Kit from the server CD
   · D:\support\tools\200xrkst.msi
21. Re-boot the Domain Controller (DC)
22. Log on as the administrator (this is with the AD account)
23. Reset the IP address to the test domain; the restore resets the IP address. Make sure to also point the DNS server to itself
24. Set this server as a Global Catalog (ignore this step in a multi-domain environment where this DC holds the Infrastructure Master role)
   · Click Start, click Run, type mmc, and then click OK
   · On the Console menu, click Add/Remove Snap-in, click Add, double-click Active Directory Sites and Services, click Close, and then click OK
   · Double Click Active Directory Sites and Services
   · Double Click Sites
   · Double Click MP-Default-Site
   · Double Click Servers
   · Double Click the DC
   · Right Click on NTDS Settings and Select Properties
   · If the “Global Catalog” check box is not checked, check it
25. All Flexible Single Master Operations (FSMO) roles need to reside on this DC
   · Seize the PDC
      · Click Start and then click Run
      · In the Open text box, type ntdsutil
      · Type roles
      · Type connections
      · Type connect to server <DC name>
      · Type q
      · Type seize pdc
      · Click “Yes”
   · Seize the Infrastructure master role
      · Type seize infrastructure master
      · Click “Yes”
   · Seize the Domain Naming master role
      · Type seize domain naming master
      · Click “Yes”
   · Seize the schema master role
      · Type seize schema master
      · Click “Yes”
   · Seize the RID Master role
      · Type seize rid master
      · Click “Yes”
   · Type q
   · Type q
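
Step 25 as an added batch example (not part of the original document): the same ntdsutil sequence passed as quoted command-line arguments, followed by a NETDOM check that all five roles landed on the restored DC. It assumes ntdsutil accepts its commands as arguments, that NETDOM from the Support Tools is installed, and that TESTDC01 is a placeholder for the restored DC's name.

```batch
@echo off
rem Added example, not from the original document: step 25 driven from a
rem batch file. ntdsutil takes its interactive commands as quoted arguments,
rem so the sequence roles -> connections -> connect -> seize (x5) runs without
rem retyping it. Assumes NETDOM from the Support Tools is installed and that
rem DC is set to the restored test DC's name (TESTDC01 is a placeholder).
setlocal
set DC=TESTDC01

rem Only run this on the isolated test subnet: seizing roles on a DC that can
rem still reach production would leave two holders of every role in the forest.
ntdsutil "roles" "connections" "connect to server %DC%" "q" ^
         "seize pdc" ^
         "seize infrastructure master" ^
         "seize domain naming master" ^
         "seize schema master" ^
         "seize rid master" ^
         "q" "q"
rem Each seize still raises the Yes/No confirmation from the step; answer Yes.

rem Verify: netdom prints one line per role holder; all five must name %DC%.
set HELD=0
for /f %%N in ('netdom query fsmo ^| find /c /i "%DC%"') do set HELD=%%N
if not "%HELD%"=="5" (
    echo ERROR: %DC% holds %HELD% of 5 FSMO roles - re-run the seize for the rest.
    exit /b 1
)
echo All five FSMO roles are now held by %DC%.
```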
26. Remove all other DC server objects (repeat this step for each DC) KB216498
   · Click Start and then click Run
   · In the Open text box, type ntdsutil
   · Type metadata cleanup
   · Type connections
   · Type connect to server <DC>
   · Type q (the metadata cleanup prompt should now show)
   · Type select operation target
   · Type list domains (a list of domains should be displayed)
   · Type select domain <#> (this is the domain of the server to be pruned)
   · Type list sites (a list of sites should be displayed)
   · Type select site <#> (this is the site of the server to be pruned)
   · Type list servers in site (a list of servers should be displayed)
   · Type select server <#> (this is the server to be pruned)
   · Type q
   · Type remove selected server (you should get confirmation of the removal)
   · Type q
   · Type q
27. Remove all other DC orphaned records in Active Directory (repeat this step for each DC) KB216498
   · Click Start - Programs - Windows 200x Support Tools - Tools - ADSI Edit
   · Delete the computer account in OU=Domain Controllers,DC=Domain_Name,DC=com
   · Delete the FRS member object in CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=Domain_Name,DC=com
28. Remove all other DC orphaned records in DNS
   · Click Start - Programs - Administrative Tools - DNS
   · Click <DC>.Domain_Name.com - Forward Lookup Zones - Domain_Name.com
   · Delete the CNAME (alias) records of all other DCs
   · Delete the A records of all other DCs
29. This DC needs to be the File Replication Service Master (KB316790)
   · Stop the File Replication service on the DC
   · Make sure the following folders exist; if not, create them
      · C:\WINNT\SYSVOL\staging
      · C:\WINNT\SYSVOL\sysvol (share as SYSVOL)
      · C:\WINNT\SYSVOL\sysvol\Domain_Name.com
         · Copy the contents of C:\WINNT\SYSVOL\domain to this folder
   · Start Registry Editor (Regedt32.exe)
   · Locate and then click the BurFlags value under the following key in the registry:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
   · On the Edit menu, click DWORD, click Hex, type D2, and then click OK
   · Quit Registry Editor
   · Restart the File Replication Service
   · Check the FRS event log to see if the system states that the SYSVOL is now being shared and defines all the paths
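
Step 29 as an added batch example (not the document's own script): it stops FRS, creates the SYSVOL tree, copies the domain folder, imports BurFlags = D2 through a generated .reg file, and restarts FRS. It assumes the C:\WINNT system root and the Domain_Name.com name used in this document, and uses regedit /s because REG.EXE is not on a stock Windows 2000 install.

```batch
@echo off
rem Added example, not part of the original document: step 29 as a script.
rem Assumes %SystemRoot% is C:\WINNT and the domain name used in this document.
rem The BurFlags value is imported from a generated .reg file with regedit /s
rem because REG.EXE is not present on a stock Windows 2000 install.
setlocal
set SYSVOL=%SystemRoot%\SYSVOL
set DOMAIN=Domain_Name.com

net stop ntfrs

rem Create the staging and sysvol trees the service expects (step 29 folders).
if not exist "%SYSVOL%\staging" mkdir "%SYSVOL%\staging"
if not exist "%SYSVOL%\sysvol" mkdir "%SYSVOL%\sysvol"
if not exist "%SYSVOL%\sysvol\%DOMAIN%" mkdir "%SYSVOL%\sysvol\%DOMAIN%"

rem Copy the policies and scripts from the domain folder into the new tree.
xcopy "%SYSVOL%\domain" "%SYSVOL%\sysvol\%DOMAIN%" /e /i /h /k /y

rem Share the tree as SYSVOL if it is not already shared.
net share SYSVOL >nul 2>&1 || net share SYSVOL="%SYSVOL%\sysvol"

rem BurFlags = 0xD2 marks this replica as the authoritative FRS master.
> "%TEMP%\burflags.reg" echo REGEDIT4
>> "%TEMP%\burflags.reg" echo.
>> "%TEMP%\burflags.reg" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup]
>> "%TEMP%\burflags.reg" echo "BurFlags"=dword:000000d2
regedit /s "%TEMP%\burflags.reg"
del "%TEMP%\burflags.reg"

net start ntfrs
echo Now check the File Replication Service event log for the event that says SYSVOL is shared.
```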
30. Ensure that the DC has registered the proper computer role
   · Enter net accounts at a DOS prompt
   · The computer role should say “primary”

Finally, any information related to the old DCs needs to be purged from AD.

31. Re-boot the Authoritatively restored DC
32. Within the production system delete the test user and computer account
33. Within the production system delete the server object within the site that it was placed into for replication

Note: The File Replication Service can prevent the computer from becoming a Domain Controller (see below). If, when doing a dcdiag, a message states that the RID pool is corrupt, what is probably happening is that there are problems with replication. Check the “File Replication Service” Event Log. Also make sure that all sub-folders are available within c:\winnt\sysvol.

To re-test just the RID pool:
dcdiag /v /test:ridmanager

Never again connect this server to the production system!!!
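
An added batch check (not from the original document) for step 30 and the note above: it refuses to run unless the server sits on the 192.168.1.x test subnet from step 1, then verifies the PRIMARY computer role, the RidManager test and the SYSVOL sub-folders. It assumes DCDIAG from the Support Tools is installed, English-language ipconfig/net output, and the folder names from step 29.

```batch
@echo off
rem Added example, not from the original document: post-restore checks for
rem step 30 and the note above. Assumes the 192.168.1.x test subnet used in
rem this document, DCDIAG from the Support Tools, and English tool output.
setlocal
set TESTNET=192.168.1.

rem Guard: stop unless an interface is on the test subnet. An authoritatively
rem restored clone that can reach production damages production.
ipconfig | findstr /c:"IP Address" | findstr /c:"%TESTNET%" >nul
if errorlevel 1 (
    echo ERROR: no interface on %TESTNET%x - this DC is not isolated. Stopping.
    exit /b 1
)

rem Step 30: NET ACCOUNTS must report the computer role as PRIMARY.
net accounts | findstr /i /c:"Computer role" | findstr /i "PRIMARY" >nul
if errorlevel 1 (
    echo ERROR: computer role is not PRIMARY - FSMO seizure or restore incomplete.
    exit /b 1
)

rem Note above: the RID manager test fails when FRS/SYSVOL replication is broken.
dcdiag /v /test:ridmanager > "%TEMP%\ridmanager.log"
findstr /i /c:"failed test RidManager" "%TEMP%\ridmanager.log" >nul
if not errorlevel 1 (
    echo ERROR: RidManager test failed - check the File Replication Service event log.
    exit /b 1
)

rem The SYSVOL sub-folders the note says must be present (names from step 29).
for %%F in (staging sysvol sysvol\Domain_Name.com) do (
    if not exist "%SystemRoot%\sysvol\%%F" echo MISSING: %SystemRoot%\sysvol\%%F
)
echo Checks passed: role PRIMARY, RidManager clean, isolated on %TESTNET%x.
```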
When you restore a domain controller from backup (or when you restore the System State), the FRS database is not restored because the most up-to-date state exists on a current replica instead of in the restored database. When FRS starts, it enters a "seeding" state and then tries to locate a replica with which it can synchronize. Until FRS completes replication, it cannot share Sysvol and Netlogon.

If you restore all of the domain controllers in the domain from backup, all the domain controllers enter the seeding state for FRS and try to synchronize with an online replica. This replication does not occur because all of the domain controllers are in the same seeding state. Setting the primary domain controller FSMO role holder to be authoritative forces the domain controller to rebuild its database based on the current contents of the system volume. When that task is completed, the Sysvol and Netlogon shares are shared. All the other domain controllers can then start synchronizing from the online replica. (See KB316790)