#1
Completely restoring two domains in the same forest

I have an Active Directory forest (2003 functional level) composed of a root domain and a child domain; each domain has two domain controllers, and all the DCs are global catalogs.

I need to completely re-create this forest in a test lab, and I'm planning on using backups and restores to do this; I have full system state backups of every domain controller.

What is the restore process I should follow?

I outlined this sequence for the root domain:

- Install the same version of Windows on a server with the same host name as the first DC I want to restore (the one holding all the FSMO roles).
- DCPROMO it to a new domain controller for a domain with the same name as the original one (but is this step really needed?)
- Restart it in directory services restore mode
- Restore the full system state backup of the original DC
- Do a metadata cleanup to remove all info about the second domain controller
- Install the second DC from scratch, DCPROMO it and have it replicate

This should leave the root domain fully operational; but now, what about the child domain?

Alternatively, is it enough to install Windows on four new systems with the same host names as the original DCs, restart them in DSRM (without promoting them or joining them to anything) and simply restore the system state on them?

Please shed some light :-)

Massimo

#2
Re: Completely restoring two domains in the same forest

Hello Massimo,

See here a really good article about test environments:
http://blogs.dirteam.com/blogs/jorge...11/19/105.aspx
http://blogs.dirteam.com/blogs/jorge...11/19/107.aspx

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I have an Active Directory forest (2003 functional level) composed of
> a root domain and a child domain; each domain has two domain
> controllers, and all the DCs are global catalogs.
>
> I need to completely re-create this forest in a test lab, and I'm
> planning on using backups and restores to do this; I have full system
> state backups of every domain controller.
>
> What is the restore process I should follow?
>
> I outlined this sequence for the root domain:
>
> - Install the same version of Windows on a server with the same host
> name as the first DC I want to restore (the one holding all the FSMO
> roles).
> - DCPROMO it to a new domain controller for a domain with the same
> name as the original one (but is this step really needed?)
> - Restart it in directory services restore mode
> - Restore the full system state backup of the original DC
> - Do a metadata cleanup to remove all info about the second domain
> controller
> - Install the second DC from scratch, DCPROMO it and have it replicate
>
> This should leave the root domain fully operational; but now, what
> about the child domain?
>
> Alternatively, is it enough to install Windows on four new systems
> with the same host names as the original DCs, restart them in DSRM
> (without promoting them or joining them to anything) and simply
> restore the system state on them?
>
> Please shed some light :-)
>
> Massimo

#3
Re: Completely restoring two domains in the same forest

Massimo,

Massimo wrote:
> - Install the same version of Windows on a server with the same host
> name as the first DC I want to restore (the one holding all the FSMO
> roles).
> - DCPROMO it to a new domain controller for a domain with the same name
> as the original one (but is this step really needed?)

No - you should be able to restore the backup and mark it authoritative without the need to promote it first. You'd have to look for the utilities (ntdsutil) to be installed though.

> - Restart it in directory services restore mode
> - Restore the full system state backup of the original DC
> - Do a metadata cleanup to remove all info about the second domain
> controller
> - Install the second DC from scratch, DCPROMO it and have it replicate

You could also use a backup of the second DC and restore it on the second machine. Would work the same way.

> This should leave the root domain fully operational; but now, what about
> the child domain?

Use backups of the child domains and restore them the way you were doing it with the root domain. Given that IPs and hostnames are the same and DNS was AD-integrated (and therefore part of the backups), it should work out okay. Make sure the backups are current and not too far off taken between the root and the child-domains so that trust passwords and computer passwords are still accurate (you'd otherwise have to change them with NETDOM TRUST).

cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

#4
Re: Completely restoring two domains in the same forest

What if, in case of 100% disaster.

#5
Re: Completely restoring two domains in the same forest

Check out an article I have on building a test environment
http://www.pbbergs.com/windows/articles.htm
Select Create a Test AD Domain

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Massimo" <barone@mclink.it> wrote in message news:exwL%23YcWJHA.4284@TK2MSFTNGP02.phx.gbl...
> I have an Active Directory forest (2003 functional level) composed of a
> root domain and a child domain; each domain has two domain controllers, and
> all the DCs are global catalogs.
>
> I need to completely re-create this forest in a test lab, and I'm planning
> on using backups and restores to do this; I have full system state backups
> of every domain controller.
>
> What is the restore process I should follow?
>
> I outlined this sequence for the root domain:
>
> - Install the same version of Windows on a server with the same host name
> as the first DC I want to restore (the one holding all the FSMO roles).
> - DCPROMO it to a new domain controller for a domain with the same name as
> the original one (but is this step really needed?)
> - Restart it in directory services restore mode
> - Restore the full system state backup of the original DC
> - Do a metadata cleanup to remove all info about the second domain
> controller
> - Install the second DC from scratch, DCPROMO it and have it replicate
>
> This should leave the root domain fully operational; but now, what about
> the child domain?
>
> Alternatively, is it enough to install Windows on four new systems with
> the same host names as the original DCs, restart them in DSRM (without
> promoting them or joining them to anything) and simply restore the system
> state on them?
>
> Please shed some light :-)
>
> Massimo

#6
Re: Completely restoring two domains in the same forest

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message news:ff16fb66101608cb27eae572359f@msnews.microsoft.com...
> Hello Massimo,
>
> See here a really good article about test environments:
> http://blogs.dirteam.com/blogs/jorge...11/19/105.aspx
>
> http://blogs.dirteam.com/blogs/jorge...11/19/107.aspx

I already had to recover a customer's domain from a USN rollback, but thanks for the links anyway ;-)

Massimo

#7
Re: Completely restoring two domains in the same forest

"Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote in message news:uLg5MucWJHA.4384@TK2MSFTNGP02.phx.gbl...
> you should be able to restore the backup and mark it authoritative without
> the need to promote it first. You'd have to look for the utilities
> (ntdsutil) to be installed though.

That's everything I needed, thanks.

Massimo

#8
Re: Completely restoring two domains in the same forest

"Paul Bergson" <pbbergs@nospam_msn.com> wrote in message news:27D7EC7E-6726-492F-ACAE-C3F10B896C78@microsoft.com...
> Check out an article I have on building a test environment

I know I can put a DC in the production domain, have it replicate, detach it and then use it to build the test environment; but I prefer not to mess with the production domain if not absolutely necessary (otherwise I could also p2v some of them), so I'll go with the backup/restore plan.

Thanks anyway.

Massimo

#9
Re: Completely restoring two domains in the same forest

it is useless to restore the AD DB *AND* make it authoritative (I'm talking about the "RESTORE DATABASE" option in NTDSUTIL)

whatever the scenario the restore of an AD domain should be unauthoritative.

only object/container restore should be done authoritatively when required

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto
# MVP Identity & Access - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

* How to ask a question --> http://support.microsoft.com/?id=555375
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

"Massimo" <barone@mclink.it> wrote in message news:eT5DPeiWJHA.5272@TK2MSFTNGP04.phx.gbl...
> "Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote
> in message news:uLg5MucWJHA.4384@TK2MSFTNGP02.phx.gbl...
>
>> you should be able to restore the backup and mark it authoritative without
>> the need to promote it first. You'd have to look for the utilities
>> (ntdsutil) to be installed though.
>
> That's everything I needed, thanks.
>
> Massimo

#10
Re: Completely restoring two domains in the same forest

Forgot to say: look at the forest recovery docs from MS (also apply to a domain)

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto
# MVP Identity & Access - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

* How to ask a question --> http://support.microsoft.com/?id=555375
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

"Massimo" <barone@mclink.it> wrote in message news:eT5DPeiWJHA.5272@TK2MSFTNGP04.phx.gbl...
> "Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote
> in message news:uLg5MucWJHA.4384@TK2MSFTNGP02.phx.gbl...
>
>> you should be able to restore the backup and mark it authoritative without
>> the need to promote it first. You'd have to look for the utilities
>> (ntdsutil) to be installed though.
>
> That's everything I needed, thanks.
>
> Massimo

#11
AD restore on different hardware [Was: Re: Completely restoring two domains in the same forest]

"Massimo" <barone@mclink.it> wrote in message news:exwL%23YcWJHA.4284@TK2MSFTNGP02.phx.gbl...
> I have an Active Directory forest (2003 functional level) composed of a
> root domain and a child domain; each domain has two domain controllers,
> and all the DCs are global catalogs.
>
> I need to completely re-create this forest in a test lab, and I'm planning
> on using backups and restores to do this; I have full system state backups
> of every domain controller.
>
> What is the restore process I should follow?

Today I tried restoring the system state of the first domain controller of the root domain on one of the test lab's servers. It didn't work.

Problem: the system state brings with it all the original system's hardware settings, so it looks like it just doesn't like being restored on different hardware. I got a BSOD complaining about INACCESSIBLE_BOOT_DEVICE, most likely because the SCSI controller is definitely different between the two systems (HP Smart Array on the original one, VMware SCSI (disguised as LSI Logic U320) on the destination one). It doesn't look like a HAL problem, as the two systems have exactly the same HAL ("ACPI Multiprocessor PC").

As suggested here (http://support.microsoft.com/kb/263532/en-us), I launched a repair install from a Windows 2003 R2 CD-ROM (the same version used on both the original and destination systems), but it didn't work either: after the text-mode setup, I got the same BSOD again.

The Question: I have a full system state backup of a Windows 2003 R2 domain controller and I don't have its AD domain available (because this is a test lab or a real disaster recovery scenario), how can I restore full DC functionality to a server with the same OS but different hardware?

I can't do more tests until Monday, but I have a couple of ideas to try:

- Run DCPROMO /ADV to restore only the AD database instead of the full system state. But will this work if the original domain isn't available? I think not, but please confirm.
- Use DSRM to do the same as above; but will this mode be available if the server isn't a domain controller yet?
- Force the system to use the right SCSI controller driver. I tried, but it looks like the actual system state restore is delayed until reboot: after restoring and before rebooting, the system still has all the device drivers it had before, so the restored hardware database clearly isn't in place yet; this makes me unable to modify it with proper device drivers.
- I can mount the restored system's boot disk on another VM and access it for file/Registry modifications, if needed; I tried this also, but the WINDOWS\system32\config directory is full of $RestoredActiveFileXX things, which I think make up the restored system state, copied on disk but still not "active" (see above). I don't know what to do here, or if I can do anything at all.

If you can help, please do :-)

Massimo

#12
Re: AD restore on different hardware [Was: Re: Completely restoring two domains in the same forest]

I tried this once too.
Was never successful

But I thought about this although I didn't try it.

Create a new Server VM that can actually see the LAN and be fully functional on it
Join it to the real domain
DC Promo it to a Domain Controller
When finished, give it time to fully replicate then shut down the VM.
Make a copy of the VM "hard drive file" and put it somewhere safe

Start up the VM and run DCPromo on it to demote it down to a member server, wait till replication stabilizes.
Move the VM from a Member Server to a Workgroup.
Basically this is the same thing as gracefully removing a DC from the domain.
You can delete the VM at this point.

Use the saved copy of the VM "hard drive" to create a new VM. Do *not* let it see the LAN when it starts up.
Have it seize all the FSMO Roles and go through all the normal "cleanup" steps you would go through if a DC is non-gracefully removed from a Domain.
When finished you should have a domain with a single DC holding all the Roles.

But this is for a single Forest/Domain only. Your problem is going to be with having Child domains. You will have to do a VM for each child Domain and the Root Domain at the *same time* so the VMs won't be out of sync with each other. Make the backup copies and create new VMs for each and start them up *together*,..but yet isolated from the *real* LAN. Then do all the cleanup processes.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
|
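The role-seizure step described in the post above, as an added example that is not part of the original thread. It uses the Windows Server 2003 `ntdsutil` command names; the two script arguments (the lab DC host name and a ROOT/CHILD switch) are placeholders chosen here, and the script assumes the DC is already isolated from the production LAN. Metadata cleanup of the DCs that no longer exist is a separate step and is not scripted here.

```batch
@echo off
rem Added example, not from the thread: seize FSMO roles on a cloned or
rem restored lab DC with ntdsutil (Windows Server 2003 command names).
rem Assumptions: the DC is on an isolated lab network; both arguments are
rem placeholders chosen for this example, the thread names no hosts.
rem   %1 = host name of this lab DC
rem   %2 = ROOT  (forest root domain DC: forest-wide and domain-wide roles)
rem        CHILD (child domain DC: domain-wide roles only)
setlocal

if "%~1"=="" goto usage
if /i "%~2"=="ROOT" goto forestroles
if /i "%~2"=="CHILD" goto domainroles
goto usage

:forestroles
rem Schema master and domain naming master exist once per forest, so they
rem are seized only on the DC of the forest root domain.
ntdsutil roles connections "connect to server %~1" quit "seize schema master" "seize domain naming master" quit quit

:domainroles
rem RID master, PDC emulator and infrastructure master exist once per
rem domain, so they are seized on one DC in the root and one in the child.
ntdsutil roles connections "connect to server %~1" quit "seize RID master" "seize PDC" "seize infrastructure master" quit quit

rem Show the current role holders (netdom ships with the Support Tools).
netdom query fsmo
goto end

:usage
echo Usage: %~nx0 LAB_DC_HOSTNAME ROOT^|CHILD
exit /b 1

:end
endlocal
```

ntdsutil asks for confirmation before each seizure, so the script is meant to be run attended, once per lab domain.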
#13
Re: AD restore on different hardware [Was: Re: Completely restoring two domains in the same forest]

If there is an Exchange Server then you will have to wait until the VM DCs are all working correctly and "cleaned up". Then create a new Server VM clean from scratch and then install Exchange on it and go through the steps you would go through if you had lost your real Exchange Server without a Full Backup. I believe once Exchange is installed the way it is supposed to be you can use actual "real" Backups of your Exchange Data Stores to "restore" them to the new VM Exchange. I think because the VM Active Directory would have all the Exchange material left over in it from the AD you mirrored it from the Exchange installation should pick all that up as it is installed.

But,...like I said,..I haven't tried this,...it is just theory for me.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.

#14
Re: AD restore on different hardware [Was: Re: Completely restoring two domains in the same forest]

"Phillip Windell" <philwindell@hotmail.com> wrote in message news:ut8ZTiJXJHA.4384@TK2MSFTNGP03.phx.gbl...
> I tried this once too.
> Was never successful

:-(

> But I thought about this although I didn't try it.

It's a good strategy, and it's the one we'll probably use if restores don't work.

But I find it quite puzzling to not be able to restore a domain controller from backup if I don't have identical hardware at hand...

Massimo

#15
Re: AD restore on different hardware [Was: Re: Completely restoring two domains in the same forest]

No help here? :-(

Massimo

"Massimo" <barone@mclink.it> wrote in message news:OsBKZxIXJHA.1184@TK2MSFTNGP05.phx.gbl...
>> I have an Active Directory forest (2003 functional level) composed of a
>> root domain and a child domain; each domain has two domain controllers,
>> and all the DCs are global catalogs.
>>
>> I need to completely re-create this forest in a test lab, and I'm
>> planning on using backups and restores to do this; I have full system
>> state backups of every domain controller.
>>
>> What is the restore process I should follow?
>
> Today I tried restoring the system state of the first domain controller of
> the root domain on one of the test lab's servers. It didn't work.
>
> Problem: the system state brings with it all the original system's
> hardware settings, so it looks like it just doesn't like being restored on
> different hardware. I got a BSOD complaining about
> INACCESSIBLE_BOOT_DEVICE, most likely because the SCSI controller is
> definitely different between the two systems (HP Smart Array on the
> original one, VMware SCSI (disguised as LSI Logic U320) on the destination
> one). It doesn't look like a HAL problem, as the two systems have exactly
> the same HAL ("ACPI Multiprocessor PC").
>
> As suggested here (http://support.microsoft.com/kb/263532/en-us), I
> launched a repair install from a Windows 2003 R2 CD-ROM (the same version
> used on both the original and destination systems), but it didn't work
> either: after the text-mode setup, I got the same BSOD again.
>
> The Question: I have a full system state backup of a Windows 2003 R2
> domain controller and I don't have its AD domain available (because this
> is a test lab or a real disaster recovery scenario), how can I restore
> full DC functionality to a server with the same OS but different hardware?
>
> I can't do more tests until Monday, but I have a couple of ideas to try:
>
> - Run DCPROMO /ADV to restore only the AD database instead of the full
> system state. But will this work if the original domain isn't available? I
> think not, but please confirm.
> - Use DSRM to do the same as above; but will this mode be available if the
> server isn't a domain controller yet?
> - Force the system to use the right SCSI controller driver. I tried, but
> it looks like the actual system state restore is delayed until reboot:
> after restoring and before rebooting, the system still has all the device
> drivers it had before, so the restored hardware database clearly isn't in
> place yet; this makes me unable to modify it with proper device drivers.
> - I can mount the restored system's boot disk on another VM and access it
> for file/Registry modifications, if needed; I tried this also, but the
> WINDOWS\system32\config directory is full of $RestoredActiveFileXX things,
> which I think make up the restored system state, copied on disk but still
> not "active" (see above). I don't know what to do here, or if I can do
> anything at all.
>
> If you can help, please do :-)
>
> Massimo