Re: test environment windows 2003



I hope to have this up on my website in the next couple of weeks, but for now
here you go.


The text below is from a Word doc for our build of a test domain. Use as
you see fit.


Creating A Test Domain

This document was prepared for the building of a copy of the production
Active Directory. Following these steps will define how to rebuild the
entire Microsoft Active Directory for a test domain. *** Be careful ***

The first set of steps is to get a good PC into the production domain. Once
this PC is a member it needs to be promoted and be a healthy participant in
the network. The new DC then needs to be removed from the network before it
is restarted (from its restore) to prevent any replication activity from
damaging the production system. Reconnection to the production system will
create major problems in the production system. x.x.201.101 is the only IP
address that has access to the production system via an allowed rule on the
router. A Windows 2000 workstation can be used to connect to the internet
and the production system, not a test DC!

1. Shut down ALL PCs within the subnet x.x.210.x
2. Remove the physical cable for the new pc and build the member server
(This all should reside within the test domain)
3. Re-connect the cable and join the Domain_Name.com domain
.. Select the IP Address x.x.210.101
.. Select the mask to 255.255.255.0
.. Select the Gateway x.x.210.250
.. Point the DNS services to a production AD DNS server
4. Promote the server to a Domain Controller (DC) via dcpromo.exe
5. Promote the server to a Global Catalog Server
6. Let the system sit idle overnight for Replication to sync up
7. Open up a command prompt
.. dcdiag /v /test:ridmanager
.. Make sure there are no errors with the RID manager
.. Create an object on the new DC
.. Physically disconnect the cable
.. Bring up "Active Directory Users and Computers"
.. By disconnecting you force the system to attach locally
.. Create a test user with the account disabled
.. Reconnect the physical cable
8. At a command prompt type in NTBACKUP and do a system state backup, saving
the file to the local server
9. Demote this server to a member server within the production domain
(DCPROMO)
10. Physically disconnect the server from the network by unplugging the
cable from the hub
11. Change the server IP address within the test domain
.. x.x.201.101 has access to the production system via an allowed rule on the
router. If this DC were ever re-plugged into the hub (without the IP address
being changed) it would take over ownership of the production system
(Domain_Name.com); it would have catastrophic results!
12. Re-promote once this system has been disconnected and the IP changed
.. Dcpromo
.. Domain Name = Domain_Name.com
.. NetBios Name = netbios_name
.. Allow the promotion to create the DNS domain
.. Once this DC is brought online (the DNS services on the member server can
be shut down), define it with Integrated Active Directory DNS and all
namespace records will be restored. Make sure to bring up DNS and select
reload to refresh all data
.. Active Directory Integrated
.. Only Secure Updates

13. Reboot this server and after the POST select F8
.. Scroll down and select the option
"Directory Services Restore Mode (Windows 2000 domain controllers only)"
14. Log on as the administrator (This is within the old SAM account)
15. Restore the System State from the previous NTBACKUP
16. Re-boot the Domain Controller (DC)

Now that the DC is restored it needs to take control of all Flexible Single
Master Operation roles (FSMO and the File Replication Service). Because of
this, utilities need to be loaded off of the Windows 2000 install CD.
NTDSUTIL will perform most of these steps. Since this is the first DC it
needs to be a Global Catalog server and validate that it is the primary
server in the domain.

17. After the POST select F8
.. Scroll down and select the option
"Directory Services Restore Mode (Windows 2000 domain controllers only)"
18. Log on as the administrator (This is within the old SAM account)
19. Install the Windows 2000 Active Directory Administration Tools from the
server cd
.. D:\i386\Adminpak.msi
20. Install the Windows 2000 Server Resource Kit from the server cd
.. D:\support\tools\2000rkst.msi
21. Re-boot the Domain Controller (DC)
22. Log on as the administrator (This is with the AD account)
23. Reset the IP address to the test domain; the restore resets the IP
address. Make sure to also point the DNS server to itself
24. Set this server as a Global Catalog (Ignore this step in a multi-domain
environment if this DC holds the Infrastructure Master role)
.. Click Start, click Run, type mmc, and then click OK
.. On the Console menu, click Add/Remove Snap-in, click Add, double-click
Active Directory Sites and Services, click Close, and then click OK
.. Double Click Active Directory Sites and Services
.. Double Click Sites
.. Double Click MP-Default-Site
.. Double Click Servers
.. Double Click the DC
.. Right Click on NTDS Settings and Select Properties
.. If the "Global Catalog" check box is not checked, check it
25. All Flexible Single Master Operations (FSMO) roles need to reside on
this DC
.. Seize the PDC
.. Click Start and then click Run
.. In the Open text box, type ntdsutil
.. Type roles
.. Type connections
.. Type connect to server <DC name>
.. Type q
.. Type seize pdc
.. Click "Yes"
.. Seize the Infrastructure master role
.. Type seize infrastructure master
.. Click "Yes"
.. Seize the Domain Naming master role
.. Type seize domain naming master
.. Click "Yes"
.. Seize the schema master role
.. Type seize schema master
.. Click "Yes"
.. Seize the RID Master Role
.. Type seize rid master
.. Click "Yes"
.. Type q
.. Type q
26. Remove all other DC server objects (Repeat this step for each DC) Q216498
.. Click Start and then click Run
.. In the Open text box, type ntdsutil
.. Type metadata cleanup
.. Type connections
.. Type connect to server <DC>
.. Type q (The metadata cleanup prompt should now show)
.. Type select operation target
.. Type list domains (A list of domains should be displayed)
.. Type select domain <#> (This is the domain of the server to be pruned)
.. Type list sites (A list of sites should be displayed)
.. Type select site <#> (This is the site of the server to be pruned)
.. Type list servers in site (A list of servers should be displayed)
.. Type select server <#> (This is the server to be pruned)
.. Type q
.. Type remove selected server (You should get confirmation of the removal)
.. Type q
.. Type q
27. Remove all other DC orphaned records in Active Directory (Repeat this
step for each DC) Q216498
.. Click Start - Programs - Windows 2000 Support Tools - Tools - ADSI Edit
.. Delete the computer account in OU=Domain Controllers,
DC=Domain_Name,DC=com
.. Delete the FRS member object in CN=Domain System Volume (SYSVOL
share),CN=File Replication Service,CN=System,DC=Domain_Name,DC=com
28. Remove all other DC orphaned records in DNS
.. Click Start - Programs - Administrative Tools - DNS
.. Click <DC>.Domain_Name.com - Forward Lookup Zones - Domain_Name.com
.. Delete the CNAME (alias) records of all other DCs
.. Delete the A records of all other DCs
29. This DC needs to be the File Replication Service Master (Q316790)
.. Stop the File Replication service on the DC
.. Make sure the following folders exist, if not create them
.. C:\WINNT\SYSVOL\staging
.. C:\WINNT\SYSVOL\sysvol (Share as SYSVOL)
.. C:\WINNT\SYSVOL\sysvol\Domain_Name.com
.. Copy the contents of C:\WINNT\SYSVOL\domain to this folder
.. Start Registry Editor (Regedt32.exe)
.. Locate and then click the BurFlags value under the following key in the
registry:
.. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
.. On the Edit menu, click DWORD, click Hex, type D2, and then click OK
.. Quit Registry Editor
.. Restart the File Replication Service
.. Check the FRS event viewer to see if the system states that the sysvol is
now being shared and defines all the paths
30. Ensure that the DC has registered the proper computer role
.. Enter net accounts at a DOS prompt
.. The computer role should say "primary"

Finally, any information related to the old DCs needs to be purged from AD.

31. Re-boot the Authoritatively restored DC
32. Within the production system delete the test user and computer account
33. Within the production system delete the server object within the site
that it was placed into for replication

Note: The File Replication Service can prevent the computer from becoming a
Domain Controller (see below). If, when running dcdiag, a message states that
the RID pool is corrupt, what is probably happening is that there are problems
with replication. Check the "File Replication Service" event log. Also
make sure that all sub-folders are available within c:\winnt\sysvol.
To re-test just the RID pool: dcdiag /v /test:ridmanager



Never again connect this server to the production system!!!



When you restore a domain controller from backup (or when you restore the
System State), the FRS database is not restored because the most up-to-date
state exists on a current replica instead of in the restored database. When
FRS starts, it enters a "seeding" state and then tries to locate a replica
with which it can synchronize. Until FRS completes replication, it cannot
share Sysvol and Netlogon.

If you restore all of the domain controllers in the domain backup, all the
domain controllers enter the seeding state for FRS and try to synchronize
with an online replica. This replication does not occur because all of the
domain controllers are in the same seeding state. Setting the primary domain
controller FSMO role holder to be authoritative forces the domain controller
to rebuild its database based on the current contents of the system volume.
When that task is completed, the Sysvol and Netlogon shares are shared. All
the other domain controllers can then start synchronizing from the online
replica. (See Q316790)


--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
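A pre-flight check for the restored test DC, added here as an example and not part of the post above or its Word document: it verifies the points the write-up says to confirm (steps 11, 23, 25, 29 and 30) before any cable is plugged back in. The two addresses are the write-up's placeholders and must be replaced with the site's real values; the DC name defaults to the local computer name.

```powershell
# Added example (not from the original post): pre-flight check run on the
# restored test DC before any cable is reconnected. The two addresses are the
# write-up's placeholders; replace them with the site's real values.
param(
    [string]$ProductionAllowedIp = "x.x.201.101",  # only address the router admits to production
    [string]$TestSubnetPrefix    = "x.x.210.",     # test-domain subnet from steps 1-3
    [string]$ExpectedDc          = $env:COMPUTERNAME
)
$failures = @()

# 1. Addressing (steps 11 and 23): inside the test subnet, not the router-allowed
#    address, and DNS pointing at this DC itself.
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE") {
    $v4 = @($nic.IPAddress | Where-Object { $_ -notmatch ":" })
    foreach ($ip in $v4) {
        if ($ip -eq $ProductionAllowedIp) { $failures += "$ip is the router-allowed production address" }
        if ($ip -notlike "$TestSubnetPrefix*") { $failures += "$ip is outside the test subnet $TestSubnetPrefix*" }
    }
    $selfDns = @($nic.DNSServerSearchOrder | Where-Object { $v4 -contains $_ })
    if ($selfDns.Count -eq 0) { $failures += "DNS servers ($($nic.DNSServerSearchOrder -join ',')) do not include this DC" }
}

# 2. FSMO (step 25): all five roles must name this DC. netdom (Support Tools)
#    prints one role per line, e.g. "PDC                         dc1.test.local".
$fsmo = netdom query fsmo 2>&1 | Out-String
foreach ($role in "Schema master", "Domain naming master", "PDC", "RID pool manager", "Infrastructure master") {
    if ($fsmo -notmatch "(?m)^$role\s+$ExpectedDc(\.|\s|$)") { $failures += "FSMO role '$role' is not held by $ExpectedDc" }
}

# 3. SYSVOL and NETLOGON (step 29) are only shared once FRS has initialised the volume.
$shares = @(Get-WmiObject Win32_Share | ForEach-Object { $_.Name })
foreach ($s in "SYSVOL", "NETLOGON") { if ($shares -notcontains $s) { $failures += "$s share is missing" } }

# 4. FRS event 13516 is the "no longer preventing ... becoming a domain controller"
#    message; 13508 means FRS is still hunting for a replica partner (the seeding state).
$frs = Get-EventLog -LogName "File Replication Service" -Newest 200
$ready = $frs | Where-Object { $_.EventID -eq 13516 } | Select-Object -First 1
if (-not $ready) { $failures += "no FRS event 13516; SYSVOL has not been initialised" }
elseif ($frs | Where-Object { $_.EventID -eq 13508 -and $_.TimeGenerated -gt $ready.TimeGenerated }) {
    $failures += "FRS 13508 logged after 13516: still looking for a replica partner"
}

# 5. Step 30: net accounts must report the computer role as PRIMARY.
if ((net accounts | Out-String) -notmatch "(?m)^Computer role:\s+PRIMARY") { $failures += "computer role is not PRIMARY" }

if ($failures.Count -gt 0) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "All checks passed: $ExpectedDc holds every FSMO role on $TestSubnetPrefix* with SYSVOL shared"
```

A non-zero exit means at least one of the write-up's conditions does not hold, so the server stays unplugged until the reported item is fixed.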

"Heath Higgins" <heathhiggins@xxxxxxxxxxxxxxxxx> wrote in message
news:uIew%23YMKGHA.3932@xxxxxxxxxxxxxxxxxxxxxxx
Paul - Could you PLEASE post your info for making a test environment!

thanks
heath

"Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:uPhRL%23$JGHA.2336@xxxxxxxxxxxxxxxxxxxxxxx
Microsoft has written a document on disaster recovery to cover this
scenario; it sometimes works, but I have heard of many instances where
people just aren't successful. The drivers for a SCSI drive or different
processor, etc...

Have you thought of promoting the DC into your current AD and then taking
a backup while a DC and then demoting? You can then remove it and put it in
your test environment and restore from this backup. There are a few
tricks to it but I have done it many times with success and it works
great. If you are interested I could post the info. Otherwise I have
provided a link to the different hardware restore.


http://support.microsoft.com/default.aspx?scid=kb;en-us;263532&Product=win2000

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no
rights.

"Eros" <Eros@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2C4588BB-EEE4-4801-A371-C7EE29619823@xxxxxxxxxxxxxxxx
hi,
I need to replicate my AD 2003 in a test environment. I have
only a normal ntbackup of the system state of my AD 2003. I have different
hardware in the test environment.
Can someone help me?

(I think it is like a disaster recovery)
--
Eros Marra





