HOW TO: P2V a domain controller

November 3, 2010

A lot has been written about P2V’ing Windows Domain controllers. The preferred way is to build a new domain controller based on a virtual machine and demote the physical domain controller.

Rebuilding a new domain controller may not always be possible due to time constraints or other dependencies, such as additional software running on the domain controller that cannot easily be migrated.

However, P2V’ing a domain controller is possible under the right conditions. These conditions are the same as for any other transactional service, like a Microsoft SQL Server or a Microsoft Exchange server, and come down to the following point:

‘Make sure all transactional processes are stopped during the P2V process’

For a Windows domain controller the transactional system is the Active Directory database. On a Windows 2000 or Windows 2003 domain controller the Active Directory service cannot be stopped. To solve this problem, boot the system in Directory Services Restore Mode.

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. It is used to log on to the computer when Active Directory has failed or needs to be restored.

In DSRM, Active Directory is not running and no transactions are occurring, so a hot clone can be made in this state. After the hot clone is made, clean up the system and restore the original IP address of the server.

The following steps describe the complete P2V process for a Windows 2000/Windows 2003 domain controller:

  1. If any other transactional services are running on the domain controller, stop and disable these services.
  2. Boot the physical domain controller in Directory Services Restore Mode (DSRM).
  3. Clone the physical domain controller with VMware Converter.
  4. After the conversion is completed, disable the NIC(s) of the physical domain controller (through the physical console, iLO, DRAC or another console tool). This prevents the physical server from ever being online on the network again.
  5. Shut down the physical domain controller.
  6. Start the virtual domain controller in Directory Services Restore Mode (DSRM). This prevents the directory service from starting and gives room to clean up the system.
  7. Remove any unnecessary software, like hardware monitoring agents (e.g. HP Insight Agents) and unnecessary hardware drivers. See this post for more information.
  8. Remove inactive devices in Device Manager. See this post for more information.
  9. Configure the original IP address(es) on the virtual domain controller.
  10. Enable any other transactional services you disabled in step 1.
  11. Boot the virtual domain controller in normal mode.

The virtual domain controller should now be operational.

Be warned: from now on the physical domain controller can never be brought back online! Doing so will result in a USN rollback, and Active Directory replication will no longer work correctly. See Microsoft Knowledge Base Article KB875495 for more information.

Perform the following checks to validate the domain controller:

  1. Check the event logs.
  2. Check for NTDS replication errors.
  3. Run dcdiag from the Windows Support Tools.
  4. Run netdiag from the Windows Support Tools.
  5. Create a test user on another domain controller and validate that it is replicated to the virtual domain controller.
  6. Delete the test user on the virtual domain controller and validate that the deletion is replicated to another domain controller.
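The validation checklist above, scripted as an added example that is not part of the original post. It assumes the Windows Support Tools (dcdiag, netdiag, repadmin and the ds* commands) are installed and on the PATH of the machine running it; the server names and the test OU are placeholders.

```powershell
# Added example: post-P2V validation of a virtual domain controller.
# $VirtualDC, $OtherDC and $TestOU are hypothetical placeholders; replace them.
param(
    [string]$VirtualDC = "VDC01",                       # the P2V'd controller
    [string]$OtherDC   = "DC02",                        # a healthy peer controller
    [string]$TestOU    = "OU=P2VTest,DC=example,DC=com" # placeholder OU for the test user
)

# Poll one domain controller until an object is (or is no longer) visible there.
function Wait-ForObject([string]$Dn, [string]$Server, [bool]$Expected, [int]$TimeoutSec = 300) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        # dsquery returns nothing (and a non-zero exit) when the object does not exist
        $found = [bool](& dsquery * $Dn -s $Server 2>$null)
        if ($found -eq $Expected) { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Step 1: errors and warnings from the directory and replication services since the conversion
$since = (Get-Date).AddHours(-4)
foreach ($log in 'System', 'Directory Service', 'File Replication Service') {
    Get-EventLog -LogName $log -ComputerName $VirtualDC -EntryType Error, Warning -After $since |
        Where-Object { $_.Source -match 'NTDS|NtFrs|Netlogon' } |
        Format-Table TimeGenerated, Source, EventID, Message -AutoSize
}

# Steps 2-4: replication partners and the support tools (/q prints only failures)
& repadmin /showrepl $VirtualDC
& dcdiag /s:$VirtualDC /q
& netdiag /q        # netdiag tests the local machine, so run this script on the virtual DC

# Step 5: create a test user on the peer DC and wait for it to appear on the virtual DC
$testDn = "CN=p2vtest-$(Get-Random),$TestOU"
& dsadd user $testDn -s $OtherDC
if (-not (Wait-ForObject $testDn $VirtualDC $true)) { throw "inbound replication to $VirtualDC failed" }

# Step 6: delete it on the virtual DC and wait for the deletion to reach the peer DC
& dsrm $testDn -noprompt -s $VirtualDC
if (-not (Wait-ForObject $testDn $OtherDC $false)) { throw "outbound replication from $VirtualDC failed" }

Write-Host "Replication round trip between $OtherDC and $VirtualDC succeeded."
```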

If you resize the disk on which the Active Directory replica root path is located (e.g. %SystemRoot%\Sysvol) during the P2V process, you will get the following error:

The File Replication Service has detected that the replica root path has changed from "d:\sysvol\domain" to "d:\sysvol\domain". If this is an intentional move then a file with the name NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path.

Creating an empty file with the name NTFRS_CMD_FILE_MOVE_ROOT under the new root path recreates the SYSVOL folder and solves this problem.