In our environment we have set up a separate vSphere cluster purely for application and upgrade/update testing. This cluster is configured with isolated networks. These networks are grouped together to mimic our production network. The groups of networks are connected via a Linux router, which also serves as an FTP server for file transfer to and from the production network. These isolated networks pose a challenge when building copies of your production domain, for instance when activating Server 2008 or placing a copy of one of your Domain Controllers in the isolated network.
When you build a copy of your domain in an isolated network for testing purposes, you may find that simply placing a copy of one of your DCs will not work. The machine will get loads of NTDS errors. When this continues for more than 24 hrs. you will not be able to load AD anymore. You can solve this by simply rebooting the machine; this will clear the NTDS errors.
To get rid of all those NTDS errors, you have to prepare your DC and clean up your domain: remove all other DCs and sites from it and transfer all roles to your remaining DC. If WINS and DHCP are not installed on your server, you have two options: either place another machine in the network, preferably with the same name as in your production environment, promote it later on with DCpromo and then add either one of those roles, or install them on your copy DC.
After you have created your copy and configured the network you can start cleaning up Active Directory. To clean up Active Directory you first have to remove all your other DCs from your domain. You can do this with Active Directory Users and Computers.
Active Directory Users and Computers:
- Start AD Users and Computers.
- Go to Domain controllers.
- Remove all DCs except <yourDC>; you can select them all at once.
- After removal there will be a pop-up per server. Check the box for "This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Installation Wizard (DCPROMO)".
- Click yes.
- Reboot the machine to clear the cache.
After this you can check your errors with the Event Viewer; most of them will be in the NTDS category (Directory Service log). You can clean this up using metadata cleanup in NTDSutil.
NTDSutil:
- Start NTDSutil from a command prompt. (You can also find this information in Q216498: How to remove data in Active Directory after an unsuccessful domain controller demotion.)
- Start > Run > cmd > ntdsutil, then type: metadata cleanup
- connections
- connect to server scomp000x
- q
- select operation target
- list domains
- select domain 0
- list sites
- select site 0
- list servers in site
- select server 0
- q
- remove selected server (DO NOT throw away your server <yourDC>)
- Repeat this until all non-existing servers have been deleted (select operation target / select server 1 / q / remove selected server)
- Do this for all sites
After doing this, for quite some time I might add, depending on how large your Domain is, you are ready to clean up your sites with Active Directory Sites and Services.
Active Directory Sites and Services:
- Start AD sites and services.
- All non-existent servers can now be deleted
- Remove all non-existent sites and everything in them
- Delete all IP subnets, except the default site link
Next we have to adjust the forwarders in the Domain Naming Service.
Domain Naming Service:
- Start DNS and check the forward lookup zone
- Go to <your domain> properties and Name Servers
- Delete everything but <yourDC>
- Remove all "(same as parent folder)" entries except the <yourDC> records
- Check everything in MSDCS/sites/TCP and UDP
Now everything is cleaned up, but the server does not have any roles yet, unless, of course, it already had those to begin with. You can check this in Active Directory Users and Computers.
Active Directory Users and Computers:
- Go to "AD Users and Computers"
- right click on your domain
- Select “operations masters”
- you can now see the roles and who has them
To transfer the roles from the non-existing DCs to <yourDC> we will use NTDSutil again. (Don't worry, we're nearly there.)
NTDSutil:
- start NTDSutil from a command prompt
- metadata cleanup
- connections
- connect to server <yourDC>
- q
- q
- roles (fsmo maintenance prompt)
- seize Domain naming master
- seize Infrastructure master
- seize PDC
- seize RID master
- seize schema master (optional, this will only work with an account that is a member of Schema Admins)
- Go back to Active Directory Users and Computers and check if the roles are now assigned to <yourDC>
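As an added check, which is my own script and not part of the original post, the following PowerShell run on the remaining DC reports anything the steps above should have removed: leftover DC objects, NTDS Settings metadata, empty sites, FSMO roles still held elsewhere and stale NS records. It assumes the ActiveDirectory and DnsServer modules are available (DnsServer ships with Server 2012 and later; on 2008 check the NS records by hand) and uses $TargetDC as a placeholder for <yourDC>.

```powershell
# Added verification script, not from the original post. Assumes the ActiveDirectory
# and DnsServer modules are present; $TargetDC stands in for <yourDC>.
param([string]$TargetDC = $env:COMPUTERNAME)

Import-Module ActiveDirectory
$cfgNC    = (Get-ADRootDSE).configurationNamingContext
$domain   = Get-ADDomain
$forest   = Get-ADForest
$findings = @()

# 1. DC objects: anything other than $TargetDC was left behind by the AD U&C step
foreach ($dc in Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $TargetDC }) {
    $findings += "Stale DC object: $($dc.HostName) (site $($dc.Site))"
}

# 2. NTDS Settings objects under CN=Sites: these are what 'metadata cleanup' removes
foreach ($o in Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase "CN=Sites,$cfgNC") {
    $owner = ($o.DistinguishedName -split ',')[1] -replace '^CN='
    if ($owner -ne $TargetDC) { $findings += "Stale NTDS Settings: $($o.DistinguishedName)" }
}

# 3. Sites whose Servers container is empty (the Sites and Services step)
foreach ($site in Get-ADReplicationSite -Filter *) {
    $base = "CN=Servers,CN=$($site.Name),CN=Sites,$cfgNC"
    $srv  = Get-ADObject -Filter 'objectClass -eq "server"' -SearchBase $base -ErrorAction SilentlyContinue
    if (-not $srv) { $findings += "Empty site: $($site.Name)" }
}

# 4. FSMO roles: all five should now name $TargetDC (the 'seize' step)
$roles = @{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -notlike "$TargetDC.*") { $findings += "$($r.Key) still held by $($r.Value)" }
}

# 5. NS records in the forward lookup zone (the DNS step)
$ns = Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -RRType NS -ErrorAction SilentlyContinue
foreach ($rec in $ns) {
    $nsHost = $rec.RecordData.NameServer.TrimEnd('.')
    if ($nsHost -notlike "$TargetDC.*") { $findings += "Stale NS record: $($rec.HostName) -> $nsHost" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Cleanup verified: only $TargetDC remains in the copied domain" }
```

Run it from an elevated PowerShell session on <yourDC> after the reboot; each warning points at the step that still needs repeating.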
Your server is now ready for use in your isolated network and you can probably use a large cup of coffee by now.