Charles, I would like a copy of the document too.

Thanks,
/Chad

>>> On 3/13/15 at 10:55 AM, in message <[email protected]>, Charles F Sullivan <[email protected]> wrote:

I'll dig it up, pull out the pertinent stuff and send it to you within an hour or so.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Friday, March 13, 2015 10:33 AM
To: [email protected]
Subject: Re: [NTSysADM] Advice: Clone AD domain to VMware for testing purposes

On Fri, Mar 13, 2015 at 10:26 AM, Charles F Sullivan <[email protected]> wrote:

> quicker and to reduce the margin of error. Also, the AD metadata
> cleanup is really quick in newer versions of AD since you don't need
> to use ntdsutil for it.

Really? I will have to go and look again. The last time I did this ... 2011? Maybe 2010 ... I had to just use the CLI ntdsutil ...

> I agree that the biggest pain is DNS cleanup. What I have done is to
> get the DR version of the DNS zones exactly the way I want them, then
> I export them to files to reuse each time and update as necessary,
> then export again for the next time, etc.

Good point.

> I can take a look at my documentation, clean it up and send it to you
> offline if you think it would help. It won't address all of your
> issues, but may save you some time for individual tasks.

Yes, please. :-) Thanks so much ...

>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
> Sent: Friday, March 13, 2015 9:49 AM
> To: [email protected]
> Subject: [NTSysADM] Advice: Clone AD domain to VMware for testing purposes
>
> (this will be a bit long, please bear with me)
>
> I would like to clone my existing AD structure to a private network on
> VMware, so I can test things (like practicing updating from Win2008 R2
> to Win2012 R2). I did this years ago, but that domain eventually got
> corrupted (the VMs were powered off too long, the domain got out of
> sync). So I would like to re-make it, with a fresh copy of my domain,
> as exists now. But I'd like to avoid some of the problems I had the last
> time.
>
> Here's the overview: we have a root domain (this is empty, there are
> no user accounts or servers in it) - 3 DCs, and a child domain (7 DCs,
> between main site and branch site), where all the users and member
> servers and workstations, etc. are. This was the recommended
> configuration when we originally migrated to AD, way back when in 2002
> or so. Believe me when I say I would *dearly* love to collapse this
> down into just the child domain, and rename the thing while I was at it.
> But one horror show at a time ...
>
> Now, I already have (in production) a VM DC for the root domain, and a
> VM DC for the child domain.
>
> 1. Ensure that the "Schema" FSMO role, at the very least, is held by
>    the VM for the root domain.
> 2. Ensure that there is a properly functioning replication link
>    between the root domain VM DC and the child domain VM DC.
> 3. Ensure that both DCs are GCs.
> 4. Clone both VMs to new names.
> 5. Migrate both new VMs to an ESXi server that has a vswitch defined
>    there for just the test domain to use, that has no physical adapters
>    assigned to it. Thus, the testing domain can talk only to itself.
> 6. Power them both up.
> 7. Change the adapter DNS settings of both DCs:
>    a. Root DC - DNS points to only itself
>    b. Child DC - DNS points to itself, and then the root DC
> 8. Edit the DNS server on both DCs:
>    a. Root DC - delete forwarders (since the traffic will never go
>       anywhere out of that vswitch)
>    b. Child DC - remove forwarders to non-existent DNS servers (i.e.,
>       the physical ones)
>
> - Seize any FSMO roles, as needed
>   (http://support.microsoft.com/kb/255504 - Using Ntdsutil.exe to
>   transfer or seize FSMO roles to a domain controller)
> - Run a Metadata Cleanup to remove all the now non-existent DCs
>   (http://support.microsoft.com/kb/555846 - How to remove completely
>   orphaned Domain Controller)
> - Remove the missing DCs in "Active Directory Sites and Services."
> - Remove old DNS and WINS records of the orphaned DCs.
>
> This worked last time, but took a long time, and a couple of tries, to
> get right (especially the DNS server cleanup part), so the new private
> version of the domain was replicating correctly, and not complaining.
>
> Thoughts:
>
> To avoid some of those problems, what I thought about doing was to
> create a 2nd VM DC for each domain. And then gracefully transfer all
> FSMO roles between the 2 DCs for each domain, temporarily. And clone both
> those VMs.
> This way, I wouldn't have to seize roles later, I would have them all.
>
> After making the clone, I could transfer the FSMO roles back off those
> new VM DCs, back onto the physical DCs for each domain, which is where
> they are now.
>
> Now, I would still need to do cleanup, to remove the non-cloned DCs
> that are at the other sites, and to (eventually) clean up Sites and
> Services, since only 1 of the Sites would exist in the cloned domain.
>
> Cleaning up DNS is more work, and will be a separate post.
>
> What do you think? What am I missing? Or - more importantly - how can
> I make this quicker and cleaner?
>
> Thanks
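Michael's post-clone steps (7b, 8b, seizing roles, metadata cleanup, DNS records) together with Charles's point that newer AD no longer needs ntdsutil for the cleanup, as an added PowerShell example that is not from anyone in this thread. The clone carries the production ntds.dit (every password hash and the krbtgt secret), so the seizure and deletions below are only safe because step 5 left the vswitch with no physical uplink. It assumes the Server 2012-era RSAT modules ActiveDirectory, DnsClient and DnsServer, and every host name, address and zone name is a constructed placeholder.

```powershell
# Added example, not from the thread: cleanup for the cloned CHILD-domain DC once it is
# powered on inside the isolated vswitch (steps 7b, 8b, seize, metadata cleanup, DNS).
# Assumes the RSAT modules ActiveDirectory, DnsClient and DnsServer (Server 2012 or later).
# Every host name, IP address and zone name below is a constructed placeholder.
Import-Module ActiveDirectory, DnsClient, DnsServer

$rootDcIp  = '10.99.0.10'                              # cloned root-domain DC
$thisDc    = $env:COMPUTERNAME                         # cloned child-domain DC (this host)
$nic       = 'Ethernet'
$orphanDcs = 'CHILD-DC2', 'CHILD-DC3', 'BRANCH-DC1'    # child-domain DCs that were not cloned
$zones     = 'child.example.test', '_msdcs.example.test'

# Step 7b: the DNS client points at itself first, then at the cloned root DC.
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses '127.0.0.1', $rootDcIp

# Step 8b: forwarders to the physical DNS servers can never be reached from this vswitch.
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress) { Remove-DnsServerForwarder -IPAddress $fwd.IPAddress -Force }

# Seize the child-domain FSMO roles onto this clone (-Force seizes instead of transferring).
# Only acceptable on an isolated network: a seizure visible to production would leave two
# DCs claiming the same role.
Move-ADDirectoryServerOperationMasterRole -Identity $thisDc -Force -Confirm:$false `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster

# Metadata cleanup without ntdsutil: deleting the orphaned server object (with its NTDS
# Settings child) and the DC computer account is the same LDAP delete the Sites and
# Services GUI performs on Server 2008 and later. Then drop the DNS records that still
# advertise the dead DCs (A by host name; SRV and NS by target).
$cfgNC = (Get-ADRootDSE).configurationNamingContext
foreach ($name in $orphanDcs) {
    $srv = Get-ADObject -SearchBase "CN=Sites,$cfgNC" -LDAPFilter "(&(objectClass=server)(cn=$name))"
    if ($srv) { Remove-ADObject -Identity $srv -Recursive -Confirm:$false }

    $cmp = Get-ADComputer -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if ($cmp) { Remove-ADObject -Identity $cmp -Recursive -Confirm:$false }

    foreach ($zone in $zones) {
        Get-DnsServerResourceRecord -ZoneName $zone -RRType A -Name $name -ErrorAction SilentlyContinue |
            Remove-DnsServerResourceRecord -ZoneName $zone -Force
        Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordType -in 'SRV', 'NS' -and
                           ($_.RecordData.DomainName, $_.RecordData.NameServer) -like "$name.*" } |
            Remove-DnsServerResourceRecord -ZoneName $zone -Force
    }
}

# Verify: only the two clones should remain as DCs and replication should report no failures.
Get-ADDomainController -Filter * | Select-Object Name, Site, OperationMasterRoles
repadmin /replsummary
```

The cloned root DC gets the analogous run with its DNS client pointing only at itself, all forwarders removed, and SchemaMaster and DomainNamingMaster seized instead of the three domain-level roles.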

