The first set of steps is to get a clean server into the production domain. Once it is a member it is promoted and allowed to become a healthy, fully replicated participant in the network. The new DC must then be removed from the network before it is restarted from its restore, so that no replication activity can damage the production system. Reconnecting it to the production system afterwards will create major problems in production.
- Shut down ALL PCs within the test subnet (for this document the test subnet is 192.168.1.x, mask 255.255.255.0, gateway 192.168.1.250)
- With the physical cable removed, build the new server (the build itself should take place within the test subnet, not in production)
- Install DNS (Active Directory integrated DNS is required for this document)
- Reconnect the cable and join the Domain_Name.com domain
- Set the IP address to 192.168.1.101
- Set the mask to 255.255.255.0
- Set the gateway to 192.168.1.250
- Point the DNS client to a production AD DNS server
- Promote the server to a Domain Controller (DC) via dcpromo.exe
- Make the server a Global Catalog server
- Let the system sit idle (about 2 hours) for replication to sync up
- Point the DNS client to itself
- Open up a command prompt
- dcdiag /v /test:ridmanager
- Make sure the RID manager test reports no errors
- Create a test object on the new DC so that the backup can later be proven to have come from this DC
- Physically disconnect the cable
- Bring up “Active Directory Users and Computers”
- By disconnecting you force the console to bind to the local DC
- Create a test user with the account disabled
- Reconnect the physical cable
- At a command prompt type NTBACKUP and perform a System State backup, saving the file to the local server
- Demote this server to a member server within the production domain (DCPROMO)
- Remove the NS record for this server from the production DNS zone
- Physically disconnect the server from the network by unplugging the cable from the hub
- Move the server to the test domain
- Re-promote once this system has been disconnected and its IP address changed
- Dcpromo
- Domain Name = Domain_Name.com
- NetBIOS Name = NetBIOS_Name
- Allow the promotion to create the DNS domain
- Once this DC is online (the DNS service on the former member server can be stopped), define the zone as Active Directory integrated DNS; all namespace records are restored along with the directory. Open the DNS console and select Reload to refresh the data
- Active Directory Integrated
- Only Secure Updates
- Reboot this server and after the POST press F8
- Scroll down and select the option
“Directory Services Restore Mode (Windows 200x domain controllers only)”
- Log on as Administrator (this is the Directory Services Restore Mode account held in the local SAM, whose password was set during dcpromo, not the domain account)
- Restore the System State from the previous NTBACKUP
- Reboot the Domain Controller (DC)
Now that the DC is restored it needs to take control of all Flexible Single Master Operation (FSMO) roles and become the authoritative source for the File Replication Service (FRS). The utilities for this need to be loaded from the Windows 200x install CD; NTDSUTIL performs most of the steps. Since this is the only DC in the test domain it also needs to be a Global Catalog server, and you must validate that it is the primary server in the domain.
- After the POST press F8
- Scroll down and select the option
“Directory Services Restore Mode (Windows 200x domain controllers only)”
- Log on as Administrator (again the Directory Services Restore Mode account in the local SAM)
- Install the Windows 200x Active Directory Administration Tools from the server cd
- D:\i386\ Adminpak.msi
- Install the Windows 200x Support Tools from the server CD (the package file is named for the Resource Kit but installs the Support Tools: dcdiag, netdom, ADSI Edit)
- D:\support\tools\200xrkst.msi
- Reboot the Domain Controller (DC)
- Log on as Administrator (this time with the AD domain account)
- Reset the IP address to the test subnet; the restore resets the IP address to the production value. Make sure the DNS client points to this server as well
- Set this server as a Global Catalog (skip this step only in a multi-domain forest, because this DC will also hold the Infrastructure Master role)
- Click Start, click Run, type mmc, and then click OK
- On the Console menu, click Add/Remove Snap-in, click Add, double-click Active Directory Sites and Services, click Close, and then click OK
- Double Click Active Directory Sites and Services
- Double Click Sites
- Double Click MP-Default-Site (the site name used in this document)
- Double Click Servers
- Double Click the DC
- Right Click on NTDS Settings and Select Properties
- If the “Global Catalog” check box is not checked, check it
- All Flexible Single Master Operations (FSMO) roles need to reside on this DC, because the DCs that held them in production are not present in the test domain
- Seize the PDC Emulator role
- Click Start and then click Run
- In the Open text box, type ntdsutil
- Type roles
- Type connections
- Type connect to server <DC name>
- Type q
- Type seize pdc
- Click “Yes”
- Seize the Infrastructure master role
- Type seize infrastructure master
- Click “Yes”
- Seize the Domain Naming master role
- Type seize domain naming master
- Click “Yes”
- Seize the schema master role
- Type seize schema master
- Click “Yes”
- Seize the RID Master Role
- Type seize rid master
- Click “Yes”
- Type q
- Type q
- Remove all other DC server objects (repeat this step for each DC); see KB216498
- Click Start and then click Run
- In the Open text box, type ntdsutil
- Type metadata cleanup
- Type connections
- Type connect to server <DC>
- Type q (The metadata cleanup prompt should now show)
- Type select operation target
- Type list domains (A list of domains should be displayed)
- Type select domain <#> (the domain of the server to be pruned)
- Type list sites (A list of sites should be displayed)
- Type select site <#> (the site of the server to be pruned)
- Type list servers in site (A list of servers should be displayed)
- Type select server <#> (the server to be pruned)
- Type q
- Type remove selected server (You should get confirmation of the removal)
- Type q
- Type q
- Remove the orphaned Active Directory records of all other DCs (repeat this step for each DC); see KB216498
- Click Start – Programs – Windows 200x Support Tools – Tools – ADSI Edit
- Delete the computer account in OU=Domain Controllers, DC=Domain_Name,DC=com
- Delete the FRS member object in CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=Domain_Name,DC=com
- Remove all other DC orphaned records in DNS
- Click Start – Programs – Administrative Tools – DNS
- Click < DC>.Domain_Name.com – Forward Lookup Zones – Domain_Name.com
- Delete the CNAME (alias) records of all other DCs
- Delete the A records of all other DCs
- This DC needs to be the File Replication Service master, i.e. the authoritative SYSVOL replica (see KB316790)
- Stop the File Replication service on the DC
- Make sure the following folders exist, if not create them
- C:\WINNT\SYSVOL\staging
- C:\WINNT\SYSVOL\sysvol (Share as SYSVOL)
- C:\WINNT\SYSVOL\sysvol\Domain_Name.com
- Copy the contents of C:\WINNT\SYSVOL\domain to this folder
- Start Registry Editor (Regedt32.exe)
- Locate and then click the BurFlags value under the following registry key:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
- On the Edit menu, click DWORD, click Hex, type D4, and then click OK (D4 is the authoritative restore described in KB316790; D2 is a non-authoritative restore, which on a lone DC leaves FRS waiting forever for a replica to seed from and SYSVOL never shared)
- Quit Registry Editor
- Restart the File Replication Service
- Check the File Replication Service event log for the event stating that SYSVOL is now being shared and listing all the paths
- Ensure that the DC has registered the proper computer role
- Enter net accounts at a command prompt
- The computer role should say PRIMARY
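The checks above (IP and DNS on the test subnet, all FSMO roles held locally, SYSVOL and NETLOGON shared, FRS finished, computer role PRIMARY, RID manager healthy) can be run in one pass before the cloned DC is put to use. The script below is an added example, not part of the original procedure or any Microsoft tool. It assumes the restored DC runs Windows Server 2003 or later with PowerShell 2.0, that the Support Tools (netdom, nltest, dcdiag) are on the PATH, and the lab values from this document; the FRS event IDs it looks for (13516 = SYSVOL ready, 13508/13565/13568 = still seeding or in trouble) and the netdom output layout are as documented by Microsoft.

```powershell
# Post-restore isolation and health check for the cloned test DC.
# Run from an elevated PowerShell prompt on the restored DC itself.
# Lab values below are taken from this document; adjust for your test subnet.
$TestSubnetPrefix = '192.168.1.'
$TestGateway      = '192.168.1.250'
$DomainFqdn       = 'Domain_Name.com'
$ThisDc           = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$failures         = @()

# 1. Network: every IPv4 address must be in the test subnet, the gateway must be
#    the lab gateway, and DNS must point at this DC. Anything else is a path back
#    to production, and this DC carries a full copy of the production directory.
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    $v4 = @($nic.IPAddress) | Where-Object { $_ -notlike '*:*' }
    foreach ($ip in $v4) {
        if (-not $ip.StartsWith($TestSubnetPrefix)) { $failures += "IP $ip is outside the test subnet" }
    }
    if (@($nic.DefaultIPGateway) -notcontains $TestGateway) {
        $failures += "Gateway '$($nic.DefaultIPGateway)' is not $TestGateway"
    }
    foreach ($dns in @($nic.DNSServerSearchOrder)) {
        if (($v4 + '127.0.0.1') -notcontains $dns) { $failures += "DNS server $dns is not this DC" }
    }
}

# 2. Only this DC may be known to the domain; extra entries are metadata the
#    ntdsutil cleanup missed. nltest marks each DC line with [DS].
$dcs = @(nltest /dclist:$DomainFqdn | Where-Object { $_ -match '\[DS\]' })
if ($dcs.Count -ne 1) { $failures += "nltest lists $($dcs.Count) DCs, expected 1" }

# 3. All five FSMO roles must be held here. netdom prints "<role>   <holder FQDN>".
$roles = 0
foreach ($line in (netdom query fsmo)) {
    if ($line -match '^(.+?)\s{2,}(\S+)\s*$') {
        $roles++
        if ($matches[2] -ine $ThisDc) { $failures += "$($matches[1].Trim()) is held by $($matches[2])" }
    }
}
if ($roles -ne 5) { $failures += "netdom reported $roles FSMO roles, expected 5" }

# 4. SYSVOL and NETLOGON only appear once FRS has accepted the authoritative restore.
$shares = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shares -notcontains $s) { $failures += "$s is not shared; FRS has not finished the BurFlags restore" }
}

# 5. The newest FRS state event must be 13516 (no longer preventing DC promotion).
$frs = Get-EventLog -LogName 'File Replication Service' -Newest 500 |
       Where-Object { 13508, 13516, 13565, 13568 -contains $_.EventID } |
       Select-Object -First 1
if (-not $frs -or $frs.EventID -ne 13516) {
    $state = if ($frs) { $frs.EventID } else { 'missing' }
    $failures += "Latest FRS state event is $state, expected 13516"
}

# 6. net accounts must report this machine as the PRIMARY (PDC) role holder.
$role = (net accounts | Select-String 'Computer role:') -replace '.*:\s*', ''
if ($role -ine 'PRIMARY') { $failures += "Computer role is '$role', expected PRIMARY" }

# 7. The RID manager test is the one the document uses to detect replication damage.
if (-not (dcdiag /test:ridmanager | Select-String 'passed test RidManager')) {
    $failures += 'dcdiag /test:ridmanager did not pass; check the FRS event log and the C:\WINNT\SYSVOL subfolders'
}

if ($failures.Count) {
    $failures | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
Write-Host "All checks passed: $ThisDc is isolated in $TestSubnetPrefix and owns the domain. Never reconnect it to production."
exit 0
```

A non-zero exit means stop and fix the reported item before creating anything in the test domain; the network checks in particular exist because the restored System State resets the IP address to the production value, so a forgotten step 53 would otherwise put a second copy of every production account one cable away from the live forest.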
Finally, any information related to the old DCs needs to be purged from AD, and the traces of this exercise removed from production.
- Reboot the authoritatively restored DC
- Within the production system delete the test user and the computer account
- Within the production system delete the server object from the site into which it was placed for replication
Note: The File Replication Service can prevent the computer from becoming a Domain Controller (see below). If dcdiag reports that the RID pool is corrupt, the likely cause is a replication problem. Check the File Replication Service event log, and make sure all sub-folders are present within C:\WINNT\SYSVOL.
To re-test just the RID pool: dcdiag /v /test:ridmanager
Never again connect this server to the production system!!! It holds a complete copy of the production directory, password hashes included, and its directory and SYSVOL now diverge from production in ways that replication cannot reconcile.
When you restore a domain controller from backup (or restore the System State), the FRS database is not restored, because the most up-to-date state is assumed to exist on a current replica rather than in the restored database. When FRS starts, it enters a "seeding" state and tries to locate a replica with which it can synchronize. Until FRS completes replication, it cannot share SYSVOL and NETLOGON.
If you restore all of the domain controllers in the domain from backup, all of them enter the seeding state for FRS and try to synchronize with an online replica. This replication never occurs, because every domain controller is in the same seeding state. Setting the PDC Emulator FSMO role holder to be authoritative forces that domain controller to rebuild its FRS database from the current contents of the system volume. When that task is completed, the SYSVOL and NETLOGON shares are published, and all the other domain controllers can then start synchronizing from the online replica.
(See KB316790)