"Troy Thompson" <Troy Thomp***@discussions.microsoft.com> wrote in message
news:CAB03BA8-41EF-47E7-8B4D-3AC2D8A3837A@microsoft.com...
>I now realize that converting a DC from a physical machine to a virtual
> machine has its own set of caveats. That said: I need to recover from a
> USN
> rollback situation.
>
> Scenario:
> - Parent PDC Zeus is Windows 2000 Server (corporate.com)
> --- Child PDC Alpha is Windows 2000 Server (dev.corporate.com)
> ------ Member server Vulcan is Windows 2003 Server and a member of
> dev.corporate.com.
>
> I converted Alpha (the child domain PDC) from a physical system to a
> virtual
> machine, but didn't realize that Active Directory needs more attention
> when
> this sort of cloning happens. I just shut down the physical box, and
> booted
> the virtual machine. The NetLogon service on Alpha pauses, throwing Event
> ID
> 2103: "The Active Directory database has been restored using an
> unsupported
> restoration procedure." I just resumed NetLogon, and it looks happy. I
> assumed this would sort itself out after a while, but it hasn't.
>
> After some research, I discovered http://support.microsoft.com/kb/885875/
> which indicates the proper solution is a complete reinstall of AD;
> however, I
> don't have a fresh system state backup (though I still have the physical
> PDC
> idling in the server room).
>
> Is there any way to uninstall AD and reinstall AD on this child domain
> PDC,
> without having to redo all the permissions on the member server? Will the
> parent PDC just "magically" see the reinstalled child PDC and sync
> everything? Or does uninstalling AD on the child PDC mean all the
> permissions
> set on the member server are orphaned?
>
> Would it be possible to add a child domain BDC, promote it, then demote
> and
> uninstall AD from the child PDC? Or would the added child BDC have
> bogus/broken replication data, since the USN on the child PDC was rolled
> back?
>
> My goal is to resolve the child domain NetLogon problems without having to
> redo all of the share and permission settings on the child domain member
> server.

"Troy Thompson" <TroyThomp***@discussions.microsoft.com> wrote in message
news:B90DAD48-0A51-479B-AD3A-720117BFD352@microsoft.com...
> "Jorge Silva" wrote:
>
>> Hi Troy,
>> Did you do a backup before that operation on the original DC?
>>
>
> I don't think I have a valid backup. I made a backup the night before
> doing
> the conversion to virtual, but it's suspect after I've reviewed the
> restoration options. Is there a particular folder I need to restore? Would
> just the entire OS folder (C:\winnt including registry, etc) be all that's
> needed?
>

"Florian Frommherz [MVP]" wrote:

> Ace,
>
> Ace Fekay [Microsoft Certified Trainer] wrote:
> >> The Key is to have a valid system state backup.
> >>
> >
> > Just a thought - Maybe he can bring the old DC online, but in a separate
> > network and not on the same network, run a backup to disk, copy the BKF
> > file using a USB to the VM, then restore? It will be a few days out of
> > date, but replication should get it caught up.
>
> That is what I would suggest here, too. I'd put effort into bringing the
> old DC online - with network wiring unplugged and run a system state
> backup. Restoring the backup on the virtual DC and restoring
> non-authoritatively should do the trick. That would involve the least
> pain, I guess.
>
> Florian
> --
> Microsoft MVP - Group Policy
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
> Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
>

"Troy Thompson" <TroyThomp***@discussions.microsoft.com> wrote in message
news:29708840-741B-42B3-B001-9AEB76F2A9E5@microsoft.com...
>
>
> "Florian Frommherz [MVP]" wrote:
>
>> Ace,
>>
>> Ace Fekay [Microsoft Certified Trainer] wrote:
>> >> The Key is to have a valid system state backup.
>> >>
>> >
>> > Just a thought - Maybe he can bring the old DC online, but in a
>> > separate
>> > network and not on the same network, run a backup to disk, copy the BKF
>> > file using a USB to the VM, then restore? It will be a few days out of
>> > date, but replication should get it caught up.
>>
>> That is what I would suggest here, too. I'd put effort into bringing the
>> old DC online - with network wiring unplugged and run a system state
>> backup. Restoring the backup on the virtual DC and restoring
>> non-authoritatively should do the trick. That would involve the least
>> pain, I guess.
>>
>> Florian
>> --
>> Microsoft MVP - Group Policy
>> eMail: prename [at] frickelsoft [dot] net.
>> blog: http://www.frickelsoft.net/blog.
>> Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
>>
>
> So let me summarize the recommendation:
>
> 1) Power up the old DC physical machine, completely off the network.
> 2) Backup the system state on the old DC; I can use Windows 2000 backup
> for
> this, selecting only the System State item, writing the results into a
> .BKF
> file.
> 3) Copy the .BKF to removable media and shut down the old DC.
> 4) Reboot the current virtualized DC in "Directory Services Recovery
> Mode".
> 5) Restore the System State via the Windows 2000 backup utility.
> 6) Restart the virtualized DC.
>
> I've found instructions for performing the restore:
> http://technet.microsoft.com/en-us/library/bb727062.aspx#E0LB0AA
>
> Does this cover it? Any caveats?
>

"Troy Thompson" <TroyThomp***@discussions.microsoft.com> wrote in message
news:C72DF841-4B0D-45B0-A4A6-ED886A12820A@microsoft.com...
> "Jorge Silva" wrote:
>
>> I still don't know if you have a valid System State backup? Was NOT that
>> backup taken before the clone procedure? If yes I still recomend to use
>> that
>> one.
>>
>
> After some review, I've found that the normal scheduled backup taken
> immediately before the clone procedure was incomplete. (I'm beginning to
> trust Retrospect less and less...) Further, due to the way Retrospect
> works,
> it's easy to restore an entire volume (aka volume snapshot) or just a
> single
> file--but there is no elegant way to restore "only system state" out of a
> backup.
>
> I'll use NTBackup from now on, then back up the .BKF file (which I've been
> doing on my main PDC for quite some time... and now I remember why...)
>
> SO... looks like the old physical box is the safest way to get a System
> State backup to use for this recovery effort.
>

"Ace Fekay [Microsoft Certified Trainer]" <firstnamelastn***@hotmail.com>
wrote in message news:%23lhV4r1pJHA.2392@TK2MSFTNGP04.phx.gbl...
>
> "Jorge Silva" <jorgesilva***@hotmail.com> wrote in message
> news:E0D5C6B9-EE67-4049-A6E7-B6D7B4677B04@microsoft.com...
>>- Ok, since that you don't have a valid Systate backup the next option
>>will be that one.
>> - I don't know if that will work or crash in other containers... The
>> problem is that you did the cloning process with both DCs online, the
>> cloned and the original, If by any chance the cloned DC replicated
>> anything to the other DC, you will have USN rollbacks any away... That’s
>> why I was insisting in the original Backup.
>>
>> If you're decided... Try it and let's know how it did it.
>
> I agree there may be a caveat with possible hardware differences, and may
> or may not cause problems. Difficult to tell, but at this point, he has a
> non-working DC, and this would sound like the best option, only because of
> that reason.
>
> I would be curious how he makes out too!
>
> Ace

> That's why I think that he should connect the old DC to the network
> First. Then do the tests to guarantee that everything was OK. After
> that (and assuming that everything is ok) do the migration using the
> correct methods (disconnect from network, do the system state backup,
> etc...).
> IM There's no point to recover a system state from a disconnected DC
> that no one knows if it's working correctly and use it in a VM that
> has different hardware characteristics, if things go wrong, that is
> an extra thing to consider including the problems that he might have
> in that operation.
> In conclusion, first guarantee that the old DC is in fact working
> correctly. If it's, then do the things in the right way.
>
> But that's only my opinion :)