Monday, July 11, 2016

How to P2V Active Directory Servers

Or how to "sandbox" your Windows 2008 production environment for free. 

Easy steps (Google if you need help):
  1. Take a bare-metal backup of your AD server(s) using Windows Server Backup to an external drive.
  2. Download XenServer from and install it on your Sandbox host machine. 
  3. Download XenCenter from and install it on your Sandbox management PC. 
  4. This is important:  Make sure the Sandbox is on a separate network from the production environment.  Sandbox network traffic should have no pathway to the production environment.
  5. Instantiate the virtual machine(s) on the Sandbox host machine.  
  6. Restore backup image(s) to virtual machine(s).  Now the restored, P2V server(s) will boot to the BSOD.
  7. Use this guide to tell Windows to load the driver for the (intelide) virtual hard disk. This will resolve the BSOD you were getting when starting the VM(s).
  8. Install XenServer Tools on the VM(s). Install XenServer Tools before you activate Windows, otherwise you will have to activate again after installing XenServer Tools.
  9. Activate Windows VM(s).  
  10. Take the VM(s) off the Internet and change the properties of the VM's network adapter.  Give it the static LAN IP, DNS, etc. of the physical machine.  NB, the DNS of the VM should point at itself.
Now comes the part that is not well documented.  The VM(s) boot, but you can only access them from the Console in XenCenter.  If you try to use Remote Desktop from the management PC to access the VM(s), login fails with the message, "the specified domain could not be contacted."  AD is broken and all sorts of AD and Group Policy errors are recorded in the Event Viewer.

To fix the problems and get AD and Group Policies working (mostly), here's what you need to do: 
  1. Click Start, and then click Run.
  2. In the Open box, type cmd and then press ENTER.
  3. In the Command box, type "net stop ntfrs", without quotes.
  4. Click Start, and then click Run.
  5. In the Open box, type regedit and then press ENTER.
  6. Locate the following subkey in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
  7. In the right pane, double click BurFlags.
  8. In the Edit DWORD Value dialog box, type D4 and then click OK.
  9. Quit Registry Editor, and then switch to the Command box.
  10. In the Command box, type "net start ntfrs", without quotes.
  11. Quit the Command box.
Reboot and the VM is fixed! Active Directory is working and you can RDP to the VM from the management PC.  Note that if you have multiple AD VMs in your Sandbox, only the first one gets the DWORD Value of D4 in Step 8.  Subsequent VMs should get a DWORD Value of D2.

Some of you may not be content with just the hows; you also want to know the whys.  Here's some smoke and mirrors that might satisfy you - it satisfied my curiosity.
  1. Any Active Directory domain that was created using domain controllers running Windows Server 2003 or earlier will use the File Replication Service (FRS) for SYSVOL replication until it is migrated to Distributed File System Replication (DFS-R). This is true even if there are no longer any Windows Server 2003 DCs in the domain and the domain functional level is at Windows Server 2008 or above. 
  2. Various issues can cause FRS replica sets to stop replicating between DCs. The most common symptom of this is the lack of a SYSVOL share on one or more DCs in a domain. 
  3. SYSVOL replication and Active Directory replication use two separate mechanisms, and it is possible for one to work perfectly and the other to fail.
  4. To determine whether DFSR or FRS is being used on a domain controller that is running Windows Server 2008, check the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols\LocalState registry subkey. If this registry subkey exists and its value is set to 3 (ELIMINATED), DFSR is being used. If the subkey does not exist, or if it has a different value, FRS is being used.
  5. System state backups for Windows domain controllers do not include the FRS database that maintains state information for the FRS service pertaining to the files within the SYSVOL folder and other content sets. The FRS database, debug logs, staging area files, and files in the pre-existing data folder are excluded from a system state backup. 
  6. An "authoritative restore" of FRS is necessary for SYSVOL and AD to work on a P2V Domain Controller (DC).  A "non-authoritative restore" of FRS on a P2V DC works if there are other working DCs on the LAN/Sandbox.
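For anyone who would rather script the BurFlags fix than click through regedit on every sandbox VM, here is an added PowerShell version (my own example, not from the original post) that first runs the LocalState check from point 4 above, then performs the net stop / BurFlags / net start steps. It assumes the NtFrs service and the registry keys named on this page, and that it is run as an administrator inside the restored VM; pass -Authoritative on the first DC (D4) and omit it on every later one (D2).

```powershell
#Requires -RunAsAdministrator
# Added example: automates the BurFlags procedure and the FRS-vs-DFSR check
# described in the post. Run inside the sandbox VM, not on production.
param(
    # First restored DC: authoritative (D4). Every further DC: non-authoritative (D2).
    [switch]$Authoritative
)

$hklm = [Microsoft.Win32.Registry]::LocalMachine

# LocalState check from the "whys" section: 3 (ELIMINATED) means SYSVOL has
# been migrated to DFS-R, and the FRS BurFlags procedure does not apply.
function Test-SysvolUsesDfsr {
    $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols')
    if ($null -eq $key) { return $false }
    try { return ([int]$key.GetValue('LocalState', -1)) -eq 3 } finally { $key.Close() }
}

if (Test-SysvolUsesDfsr) {
    Write-Warning 'SYSVOL is replicated by DFS-R on this DC; BurFlags only applies to FRS. Nothing changed.'
    return
}

$burFlags = if ($Authoritative) { 0xD4 } else { 0xD2 }
$mode = if ($Authoritative) { 'authoritative' } else { 'non-authoritative' }
Write-Host ("Setting BurFlags to 0x{0:X} ({1} restore)" -f $burFlags, $mode)

# Steps 3 and 10 of the procedure: FRS must be stopped while the flag is written.
Stop-Service -Name NtFrs -Force

# Steps 6 to 8. The key name really contains a forward slash ("Backup/Restore"),
# so the .NET registry API is used with the literal name rather than a provider path.
$keyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$key = $hklm.OpenSubKey($keyPath, $true)
if ($null -eq $key) { throw "Registry key not found: HKLM\$keyPath (is FRS installed on this DC?)" }
try {
    $key.SetValue('BurFlags', $burFlags, [Microsoft.Win32.RegistryValueKind]::DWord)
} finally { $key.Close() }

Start-Service -Name NtFrs

# Before rebooting, confirm the value took: the key should now show the chosen
# BurFlags value, and once FRS finishes, event 13516 in the File Replication
# Service log reports that SYSVOL is ready to be shared again.
```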