HOW TO: P2V a domain controller


A lot has been written about P2V’ing Windows Domain controllers. The preferred way is to build a new domain controller based on a virtual machine and demote the physical domain controller.

Rebuilding a new domain controllers may not always be possible due to time constraints or other dependencies like additional software running on the domain controller which can not be easily migrated.

However, P2V’ing of a domain controller is possible under the right conditions. These conditions are the same for any other transactional service like a Microsoft SQL server or a Microsoft Exchange server and comes to the following point:

‘Make sure all transactional processes are stopped during the P2V process’

For a Windows domain controller the transactional system consists of the Active Directory database. For a Windows 2000 and Windows 2003 domain controller the Active Directory service can’t be stopped. To solve this problem, boot the system in the Directory Service Restore Mode.

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. It is used to log on to the computer when Active Directory has failed or needs to be restored.

In DSRM mode Active Directory is not running and no transactions are occurring. In this state a hot clone can be made. After the hot clone is made, cleanup the system and restore the original ip address of the server.

The following steps describe the complete P2V process for a Windows 2000/Windows 2003 domain controller:

  1. If any other transactional services are running on the domain controller, stop and disable these services
  2. Boot the physical domain controller in Directory Services Restore Mode (DSRM)
  3. Clone the physical domain controller with VMware Converter
  4. After the conversion is completed, disable the nic(s) of the physical domain controller (through the physical console, iLO, DRAC or other consol tool). This prevents the physical server from being online on the network ever again.
  5. Shutdown the physical domain controller
  6. Start the virtual domain controller in Directory Services Restore Mode (DSRM). This prevents the directory service from starting and gives room to cleanup the system.
  7. Remove any unnecessary software, like hardware monitor agents (e.g. HP Insight Agents) and unnecessary hardware drivers. See this post for more information.
  8. Remove inactive devices in the device manager. See this post for more information.
  9. Configure the original IP address(es) to the virtual domain controller
  10. Enable any other transactional services you disabled in step 1
  11. Boot the virtual domain controller in normal mode.

The virtual domain controller should now be operational.

Be warned: from now on the physical domain controller can never be brought back online! This will result in USN rollback and Active Directory replication will not work correctly. See Microsoft Knowledge Base Article KB875495 for more information.

Perform the following checks to validate the domain controller:

  1. Check the eventlogs
  2. Check for NTDS Replication errors
  3. Run dcdiag from the windows support tools
  4. Run netdag from the windows support tools
  5. Create a test user on another domain controller and validate it’s replicated to the virtual domain controller
  6. Delete the test user on the virtual domain controller and validate the deletion is replicated to another domain controller

If you do resize the disk where the Active Directory replica root path is placed (e.g. %SystemRoot%\Sysvol) during the P2V process, you will get the following error:

The File Replication Service has detected that the replica root path has changed from "d:\sysvol\domain" to "d:\sysvol\domain". If this is an intentional move then a file with the name NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path.

Creating an empty file with the name NTFRS_CMD_FILE_MOVE_ROOT recreate the sysvol folder and solve this problem.

10 Responses to HOW TO: P2V a domain controller

  1. Jimmy George says:

    Hey Ted! Thanks for this great blog. We tested this in our testing and production environment and we were able to successfully do P2V of domain controllers of Windows 2003 DC without any issues.

    Can you also recommend what is the best practice to do a successful P2V of a Windows 2008 Domain controller? Do you think instead of booting into DSRM mode we can stop/disable the following services – Active Directory Domain Services, File Replication Service/DFSR for sysvol replication, DNS Server service and do the P2V?

    • Ted Steenvoorden says:

      Hi Jimmy,

      As long as all transactional processes are stopped during the P2V process you should have no problem. Stopping and disabling and the Active Directory Domain, File Replication Service/DFSR for sysvol replication and DNS Server service should do the trick on a Windows Server 2008 domain controller!

      Regards,
      Ted

  2. […] How to: P2V a domain controller by Ted Steenvoorden […]

  3. deinoscloud says:

    Hi Ted,

    Something you left over, Windows Product Activation.

    After a successful P2V,often the VM will have to connect to Microsoft to activate its copy of Windows.

    And if the VM uses an OEM license you are basically f*** as Microsoft will not allow this.

    I can’t say if it does all the time but it happened to me several times with OEM licenses only.

    Eventually before the P2V a tool like the Windows Product Key Update Tool can help you here by changing the OEM license key to a VLK one for example.

    Rgds,
    Didier

    • Ted Steenvoorden says:

      Hi Didier,

      You are completely right. With OEM en retail licenses the P2V conversion will result in reactivating the Windows installation, because of the new virtual hardware. Since the virtual hardware does not comply to the OEM license, the activation will fail.

      Thanx for your comment.

      Regards,
      Ted

  4. Ian says:

    Hi Ted,
    Is this procedure suitable for a lone W2K3 AD controller in a small network? For one of several W2K3 AD controllers in a larger network? Or either?
    Thanks, Ian

  5. Sam D. says:

    Ted, great article! This is the first site I have found that even suggests this is possible. I have a situation in a lab that runs an application which requires Active Directory. There is only one server in this environment and it runs the application and is the domain controller.

    My original thought was to do a P2V conversion on the server to avoid re-installing the application, all the configuration, etc. I hesitated when I started reading about the issues surrounding P2V on DCs. This lab is critical to our operations and if it is down, we can’t ship product. Therefore, I want to proceed cautiously.

    If I follow your instructions and if there are problems, would I still have the potential of USN rollback issues if I reverted back to the physical DC? I know you specifically addressed that in your article, but I was curious if that scenario would be an issue when there is only one DC on the network. (I realize there should be more than one DC but this was setup before I got here).

    Thanks!
    -Sam D.

  6. My Home Page says:

    I was excited to uncover this great site. I want to to thank
    you for your time for this wonderful read!! I definitely really liked every little bit of it and
    i also have you book-marked to look at new
    stuff in your website.

  7. Edgardo says:

    Great post. I will be experiencing a few of these issues as
    well..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: