(this will be a bit long, please bear with me) I would like to clone my existing AD structure to a private network on VMware, so I can test things (like practicing updating from Win2008 R2 to Win2012 R2). I did this years ago, but that domain eventually got corrupted (the VMs were powered off too long, the domain got out of sync). So I would like to re-make it, with a fresh copy of my domain, as exists now. But I'd like to avoid some of the problems I had the last time.
Here's the overview: we have a root domain (this is empty, there are no user accounts or servers in it) with 3 DCs, and a child domain (7 DCs, between main site and branch site), where all the users and member servers and workstations, etc. are. This was the recommended configuration when we originally migrated to AD, way back in 2002 or so. Believe me when I say I would *dearly* love to collapse this down into just the child domain, and rename the thing while I was at it. But one horror show at a time ...

Now, I already have (in production) a VM DC for the root domain, and a VM DC for the child domain.

1. Ensure that the "Schema" FSMO role, at the very least, is held by the VM for the root domain.
2. Ensure that there is a properly functioning replication link between the root domain VM DC and the child domain VM DC.
3. Ensure that both DCs are GCs.
4. Clone both VMs to new names.
5. Migrate both new VMs to an ESXi server that has a vSwitch defined there for just the test domain to use, that has no physical adapters assigned to it. Thus, the testing domain can talk only to itself.
6. Power them both up.
7. Change the adapter DNS settings of both DCs:
   a. Root DC - DNS points to only itself
   b. Child DC - DNS points to itself, and then the root DC
8. Edit the DNS server on both DCs:
   a. Root DC - delete forwarders (since the traffic will never go anywhere out of that vSwitch)
   b. Child DC - remove forwarders to non-existent DNS servers (i.e., the physical ones)

- Seize any FSMO roles, as needed (http://support.microsoft.com/kb/255504 - Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller)
- Run a Metadata Cleanup to remove all the now non-existent DCs (http://support.microsoft.com/kb/555846 - How to remove completely orphaned Domain Controller)
- Remove the missing DCs in "Active Directory Sites and Services."
- Remove old DNS and WINS records of the orphaned DCs.
This worked last time, but took a long time, and a couple of tries, to get right (especially the DNS server cleanup part), so that the new private version of the domain was replicating correctly, and not complaining.

Thoughts: To avoid some of those problems, what I thought about doing was to create a 2nd VM DC for each domain. And then gracefully transfer all FSMO roles between the 2 DCs for each domain, temporarily. And clone both those VMs. This way, I wouldn't have to seize roles later, I would have them all. After making the clone, I could transfer the FSMO roles back off those new VM DCs, back onto the physical DCs for each domain, which is where they are now.

Now, I would still need to do cleanup, to remove the non-cloned DCs that are at the other sites, and to (eventually) clean up Sites and Services, since only 1 of the Sites would exist in the cloned domain. Cleaning up DNS is more work, and will be a separate post.

What do you think? What am I missing? Or - more importantly - how can I make this quicker and cleaner? Thanks
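The post-clone steps above (re-point adapter DNS, drop forwarders, seize whatever FSMO roles the clone does not already hold, then clean out the metadata and stale DNS records of the DCs that were not cloned) can be scripted so that they are repeatable on every rebuild of the test forest. The following is an added example, not code from the original post; it assumes constructed names and addresses (ROOTDC-TEST at 10.0.0.10, CHILDDC-TEST at 10.0.0.20, adapter alias "Ethernet") and is meant to be run on each cloned DC only after it sits on the isolated vSwitch. The DnsClient/DnsServer cmdlets need Windows Server 2012 or later; on 2008 R2 those two steps have to be done with netsh/dnscmd or the GUI instead.

```powershell
# Added example (not from the original post). Run on a cloned DC that is already
# on the isolated vSwitch. Names, addresses and the adapter alias are constructed.
param(
    [Parameter(Mandatory)][ValidateSet('Root','Child')][string]$Role,
    [string]$RootDcIp  = '10.0.0.10',              # constructed
    [string]$ChildDcIp = '10.0.0.20',              # constructed
    [string]$Adapter   = 'Ethernet',               # assumed adapter alias
    [string[]]$Survivors = @('ROOTDC-TEST','CHILDDC-TEST')  # the two cloned DCs
)
Import-Module ActiveDirectory

# Step 7: adapter DNS must only point at servers that exist inside the vSwitch.
$dns = if ($Role -eq 'Root') { @($RootDcIp) } else { @($ChildDcIp, $RootDcIp) }
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $dns

# Step 8: every forwarder points at a physical DNS server that is unreachable
# from here, so remove them all rather than let queries time out.
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress) { Remove-DnsServerForwarder -IPAddress $fwd.IPAddress -Force }

# Seize only the FSMO roles this DC does not already hold (-Force = seize).
# The root DC also takes the two forest-wide roles; each DC takes its own
# domain's three roles.
$me     = $env:COMPUTERNAME
$forest = Get-ADForest
$domain = Get-ADDomain
$roles  = @()
if ($Role -eq 'Root') {
    if ($forest.SchemaMaster       -notlike "$me.*") { $roles += 'SchemaMaster' }
    if ($forest.DomainNamingMaster -notlike "$me.*") { $roles += 'DomainNamingMaster' }
}
foreach ($r in 'PDCEmulator','RIDMaster','InfrastructureMaster') {
    if ($domain.$r -notlike "$me.*") { $roles += $r }
}
if ($roles) {
    Move-ADDirectoryServerOperationMasterRole -Identity $me -OperationMasterRole $roles -Force -Confirm:$false
}

# Metadata cleanup: every DC of this domain that is not one of the two clones
# no longer exists on this network. Removing its NTDS Settings object is what
# Sites and Services' delete (and ntdsutil "remove selected server") does.
$orphans = Get-ADDomainController -Filter * | Where-Object { $Survivors -notcontains $_.Name }
$orphans | Select-Object Name, Site, IPv4Address | Format-Table -AutoSize
foreach ($dc in $orphans) {
    Remove-ADObject -Identity $dc.NTDSSettingsObjectDN -Recursive -Confirm:$false

    # Stale A records for the orphaned DC in this domain's forward zone.
    Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -RRType A |
        Where-Object { $_.HostName -ieq $dc.Name } |
        Remove-DnsServerResourceRecord -ZoneName $domain.DNSRoot -Force
}

# Final check: replication between the two clones should show no failures.
repadmin /replsummary
```

Run it with `-Role Root` on the cloned root DC first (it owns the forest-wide roles) and then `-Role Child` on the cloned child DC. The orphan table is printed before anything is deleted, so the list can be eyeballed against the expected site; the SRV and NS records left behind in `_msdcs` and the reverse zones are the part the post defers to a separate write-up and are not touched here.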