AD restore on different hardware [Was: Re: Completely restoring two domains in the same forest]

Discussion in 'Windows Server' started by Massimo, Dec 12, 2008.

  1. Massimo

    Massimo Guest

    Today I tried restoring the system state of the first domain controller of
    the root domain on one of the test lab's servers. It didn't work.

    Problem: the system state brings with it all the original system's hardware
    settings, so looks like it just doesn't like being restored on different
    hardware. I got a BSOD complaining about INACCESSIBLE_BOOT_DEVICE, most
    likely because the SCSI controller is definitely different between the two
    systems (HP Smart Array on the original one, VMware SCSI (disguised as LSI
    Logic U320) on the destination one). It doesn't look like a HAL problem, as
    the two systems have exactly the same HAL ("ACPI Multiprocessor PC").

    As suggested here (http://support.microsoft.com/kb/263532/en-us), I launched
    a repair install from a Windows 2003 R2 CD-ROM (the same version used on
    both the original and destination systems), but it didn't work either: after
    the text-mode setup, I got the same BSOD again.

    The Question: I have a full system state backup of a Windows 2003 R2 domain
    controller and I don't have its AD domain available (because this is a test
    lab or a real disaster recovery scenario), how can I restore full DC
    functionality to a server with the same OS but different hardware?

    I can't do more tests until Monday, but I have a couple ideas to try:

    - Run DCPROMO /ADV to restore only the AD database instead of the full
    system state. But will this work if the original domain isn't available? I
    think not, but please confirm.
    - Use DSRM to do the same as above; but will this mode be available if the
    server isn't a domain controller yet?
    - Force the system to use the right SCSI controller driver. I tried, but it
    looks like the actual system state restore is delayed until reboot: after
    restoring and before rebooting, the system still has all the device drivers
    it had before, so the restored hardware database clearly isn't in place yet;
    this makes me unable to modify it with proper device drivers.
    - I can mount the restored system's boot disk on another VM and access it
    for file/Registry modifications, if needed; I tried this also, but the
    WINDOWS\system32\config directory is full of $RestoredActiveFileXX things,
    which I think make up the restored system state, copied on disk but still
    not "active" (see above). I don't know what to do here, or if I can do
    anything at all.


    If you can help, please do :)


    Massimo
     
    Massimo, Dec 12, 2008
    #1

  2. I tried this once too.
    Was never successful

    But I thought about this although I didn't try it.

    Create a new Server VM that can actually see the LAN and be fully functional
    on it

    Join it to the real domain

    DC Promo it to a Domain Controller

    When finished, give it time to fully replicate then shut down the VM.

    Make a copy of the VM "hard drive file" and put it somewhere safe

    Start up the VM and run DCPromo on it to demote it down to a member
    server, wait till replication stabilizes.
    Move the VM from a Member Server to a Workgroup. Basically this is the same
    thing as gracefully removing a DC from the domain. You can delete the VM at
    this point.

    Use the saved copy of the VM "hard drive" to create a new VM. Do *not* let
    it see the LAN when it starts up. Have it seize all the FSMO Roles and go
    through all the normal "cleanup" steps you would go through if a DC is
    non-gracefully removed from a Domain. When finished you should have a
    domain with a single DC holding all the Roles. But this is for a single
    Forest/Domain only.

    Your problem is going to be with having Child domains. You will have to do
    a VM for each child Domain and the Root Domain at the *same time* so the VMs
    won't be out of sync with each other. Make the backup copies and create new
    VMs for each and start them up *together*,..but yet isolated from the *real*
    LAN. Then do all the cleanup processes.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Dec 12, 2008
    #2

  3. If there is an Exchange Server then you will have to wait until the VM DCs
    are all working correctly and "cleaned up". Then create a new Server VM
    clean from scratch and then install Exchange on it and go through the steps
    you would go through if you had lost your real Exchange Server without a
    Full Backup.

    I believe once Exchange is installed the way it is supposed to be you can use
    actual "real" Backups of your Exchange Data Stores to "restore" them to the
    new VM Exchange. I think because the VM Active Directory would have all
    the Exchange material left over in it from the AD you mirrored it from the
    Exchange installation should pick all that up as it is installed.
    But,...like I said,..I haven't tried this,...it is just theory for me.


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Dec 12, 2008
    #3
  4. Massimo

    Massimo Guest

    It's a good strategy, and it's the one we'll probably use if restores don't
    work.

    But I find it quite puzzling to not be able to restore a domain controller from
    backup if I don't have identical hardware at hand...


    Massimo
     
    Massimo, Dec 13, 2008
    #4
  5. Massimo

    Massimo Guest

    No help here? :-(


    Massimo


     
    Massimo, Dec 14, 2008
    #5
  6. Meinolf Weber [MVP-DS], Dec 14, 2008
    #6
  7. Massimo

    Massimo Guest

    Hello Meinolf,

    I know different hardware is a problem when restoring the system state; my
    main question was: is there any way I can rebuild a domain controller
    without restoring the full system state? Will DSRM and/or DCPROMO help me
    here?

    I also already tried repairing the Windows installation from the install
    media; after the text-mode part of the setup, it crashed again with the same
    blue screen.


    Massimo
     
    Massimo, Dec 14, 2008
    #7
  8. Hello Massimo,

    No, you can't restore without at least the system state. Make sure you have
    more than one DC/GC and that replication works correctly. So you always have
    the AD database available, FSMO roles you can seize if needed.

    For a test domain I would add an additional DC/DNS/GC, let it replicate,
    disconnect it from the domain and NEVER connect it back, seize the FSMO roles
    and you have a full running copy from the production. Make any new policy/change
    on the test domain as well.

    Also see here:
    http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/105.aspx

    http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/107.aspx

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Dec 14, 2008
    #8
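
Added example, not part of any post in this thread: the FSMO seizure step that Phillip Windell (#2) and Meinolf Weber (#8) describe for an isolated copy of a DC, written as a Windows Server 2003 batch script. The server name LABDC01 is an assumption, and metadata cleanup of the DCs that are no longer present is a separate ntdsutil step not shown here.

```batch
@echo off
REM Added example (not from the thread). LABDC01 is a hypothetical name for the
REM cloned DC; run this on the clone only while it is cut off from the real LAN.
set DC=LABDC01

REM Show which servers the clone currently believes hold the five FSMO roles
REM (netdom ships with the Windows Server 2003 Support Tools).
netdom query fsmo

REM Seize the roles onto the clone. ntdsutil asks for confirmation on each
REM seizure and first attempts a graceful transfer, which fails here because
REM the original role holders are unreachable.
REM Schema master and domain naming master are forest-wide: seize them only on
REM the forest root clone. On a child-domain clone, seize just the last three.
ntdsutil roles connections "connect to server %DC%" quit ^
  "seize schema master" ^
  "seize domain naming master" ^
  "seize RID master" ^
  "seize PDC" ^
  "seize infrastructure master" ^
  quit quit

REM Confirm that every role now lists the clone as its holder.
netdom query fsmo
```
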
  9. Massimo

    Massimo Guest

    I'm testing a disaster recovery scenario here, so all I have are full
    backups (including of course the system state) of the production DCs; so, if
    I'm correctly understanding this issue, those backups are totally useless if
    I don't have identical hardware to restore them on?
    Yes, I know I can do that; I also could use VMware Converter to create
    virtual clones of my DCs.
    But I'm really interested in the disaster recovery scenario, here.


    Massimo
     
    Massimo, Dec 14, 2008
    #9
  10. Hello Massimo,

    As stated in the article:
    You can restore a system state backup from one physical computer to the same
    physical computer or another computer that has the same make, model, and
    configuration (identical hardware).

    Microsoft does not support restoring a system state backup from one computer
    to a second computer of a different make, model, or hardware configuration.
    Microsoft will only provide commercially reasonable efforts to support this
    process. Even if the source and destination computers appear to be identical
    makes and models, there may be driver, hardware, or firmware differences
    between the source and destination computers.

    So it is not supported, but can work. Personally I had the same experience
    as Phillip, always a blue screen.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Dec 14, 2008
    #10
  11. Massimo

    Massimo Guest

    That's ok.

    But I really wish Microsoft would provide means of restoring Active
    Directory that were not so dependent on the server's hardware. After all, AD
    is "only" a database, and doesn't have any real dependency on physical
    devices... if it could be backed up and restored without the need to include
    it in a full system state backup, that would be a lot better.


    Massimo
     
    Massimo, Dec 14, 2008
    #11
  12. Massimo

    mct Guest

    This right here is why Acronis can sell True Image with Universal Restore
    for a thousand bucks per server.
     
    mct, Dec 15, 2008
    #12
  13. To me it would be puzzling if it worked. I would never expect it to work.
    After the time I tried it and realized what was happening I would have never
    expected it to be any other way.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Dec 16, 2008
    #13
  14. Yes. Completely useless.

    That is why you want more than one DC,...one fails you load up the OS on new
    hardware, join the domain, and run DCPromo to make it a new DC where it
    replicates from the remaining DC.

    The backups are worthless unless you are restoring to the same or identical
    hardware.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Dec 16, 2008
    #14
  15. I really wish Microsoft would provide means of restoring Active
    They do. That is what having at least two DCs is all about. The second DC
    *is* your Active Directory backup.

    Yes,..I can hear all the objections already,...thought of some myself,..like
    how about if the building burned down and I lose all DC and can not buy
    identical hardware? I'm not saying it is a perfect world,..I'm just saying
    that is the way the world is.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Dec 16, 2008
    #15
  16. Massimo

    Massimo Guest

    Let me restate this :)

    I know, too, that restoring a system state backup can't work on different
    hardware; what I find puzzling is the only way to back up and restore AD
    being including it in a full system state backup.

    I of course don't know the inner secrets of how a DC works, but I don't
    think it could be *so* difficult to decouple the AD database from the
    physical details of the server it's hosted on.


    Massimo
     
    Massimo, Dec 16, 2008
    #16
  17. I agree.
    I guess they have their reasons...


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
     
    Phillip Windell, Dec 16, 2008
    #17