
Let me explain our scenario:

We have a totally virtualized live production system running all the production VMs in a Microsoft Failover cluster. The interesting VMs for this question are the Main Domain Controller (SRV-DCA) & Secondary Domain Controller (SRV-DCB).

Now we would like to export/copy these two virtual machines onto a backup server so that we can run some tests on the DCs not on the production environment.

We tried to shut down SRV-DCA and SRV-DCB on the live servers and did a normal Hyper-V export. Then when the export was ready, I imported the exported DCs to the backup server using the Hyper-V Import (Register in-place (use existing unique IDs)) and started both VMs on the backup server. When both were started and I tried to open Active Directory Users and Computers, it was stating that the domain controller could not be found; also I tried to do a "netdom /query fsmo" and it stated that the domain controller could not be found or contacted.

Now what I don't understand is what might have happened during the exports, because the VMs were turned off. What other way can I export/copy domain controllers so that I can then run tests on a backup server without giving me such problems?

StefanGrech
  • Yeah, this isn't something that's really done, because you essentially can't do it. You need/want to setup a new test forest, and you can copy objects from the production environment into the test one. – HopelessN00b Oct 07 '14 at 12:00
  • I'd disagree w/ that assessment. Virtualizing an AD environment for testing (which usually involves making a virtual replica DC in the production environment then moving it "under glass" and cleaning up the production environment) is a pretty common activity. This is fairly elegant, actually, since all the DCs are already virtual. – Evan Anderson Oct 07 '14 at 12:42
  • @EvanAnderson Fair point, but it seems to me like this is not an isolated network, and based on the issues, I'd assume that the domain controllers are not being imported to a destination network that matches the source network. – HopelessN00b Oct 07 '14 at 14:30

2 Answers


Assuming that you're keeping the test VMs in a private network, what you're trying to do is a totally reasonable and valid exercise.

Your "AD under glass" environment on the backup server should be isolated into a private virtual switch, and everything the AD environment needs to function must be present there. It sounds like you had some kind of name resolution problem when you attempted this the first time. Presumably the two DCs are DNS servers and refer to themselves (and likely each other) as the DNS servers specified in their NIC properties. Since these are the only DCs in your production environment you'll have the FSMOs in the isolated environment.

Get name resolution working properly in your isolated environment and I suspect everything will work fine.

Evan Anderson
  • What I don't understand is that my production just works fine and the exported DC VMs, which should be the exact same replica of the original DCs since the export was taken while turned off, are not working when I turn them on on a separate isolated network. The only difference is that on the backup server, the DCs do not have any internet access so there's no gateway. That shouldn't be a problem though, I assume. Basically SRV-DCA is pointing to itself for DNS and SRV-DCB is pointing to SRV-DCA, is that wrong? – StefanGrech Oct 07 '14 at 13:00
  • @StefanGrech - W/ respect to the DNS configuration you describe, that's totally reasonable and expected. What kind of behavior do you see when you run `nslookup` in the test environment and poke around? Not having access to Internet DNS shouldn't be a problem, presuming that the DNS servers in the test environment are authoritative for the AD domain. – Evan Anderson Oct 07 '14 at 13:02
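The host-side part of the "AD under glass" setup described in this answer, as an added PowerShell example that is not code from the question or the answer: it creates a Private virtual switch, registers the exports in place the way the question describes, re-homes every NIC onto that switch before first boot, refuses to start anything that is still attached elsewhere, and then boots the DCs in order. Assumed values not in the original post: exports under `D:\Exports\<VMName>`, a switch named `AD-UnderGlass`, and SRV-DCA as the FSMO holder that should come up first.

```powershell
# Added example, not code from the original question or answers. Builds the
# isolated "AD under glass" environment on the backup Hyper-V host so the
# cloned DCs can only ever talk to each other.
# Assumed values (not in the original post): exports under D:\Exports\<VMName>,
# a private switch named "AD-UnderGlass". VM names SRV-DCA / SRV-DCB are the
# ones from the question; SRV-DCA is assumed to hold the FSMO roles.
$Switch = 'AD-UnderGlass'
$DCs    = @('SRV-DCA', 'SRV-DCB')   # boot order: FSMO holder first

# 1. A Private switch has no uplink and no host vNIC, so nothing on it can
#    reach the production network. This is the control that makes a second
#    copy of a live DC safe to power on.
if (-not (Get-VMSwitch -Name $Switch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $Switch -SwitchType Private | Out-Null
}

foreach ($name in $DCs) {
    # 2. "Register in-place (use existing unique IDs)" from the question is
    #    Import-VM -Register. The config file is .xml (2012 R2) or .vmcx (2016+).
    if (-not (Get-VM -Name $name -ErrorAction SilentlyContinue)) {
        $config = Get-ChildItem -Path "D:\Exports\$name\Virtual Machines" -File |
                  Where-Object { $_.Extension -in '.xml', '.vmcx' } |
                  Select-Object -First 1
        Import-VM -Path $config.FullName -Register | Out-Null
    }

    # 3. Move every NIC onto the private switch before the first boot. An
    #    imported VM keeps its old switch name, and if a switch by that name
    #    exists on the backup host the clone would land on the wrong network.
    Get-VMNetworkAdapter -VMName $name |
        Connect-VMNetworkAdapter -SwitchName $Switch
}

# 4. Prove the isolation before powering anything on: every adapter on
#    both DCs must report the private switch and nothing else.
$wrong = Get-VMNetworkAdapter -VMName $DCs | Where-Object SwitchName -ne $Switch
if ($wrong) {
    $wrong | Format-Table VMName, Name, SwitchName -AutoSize
    throw 'Some adapters are not on the private switch; refusing to start the DCs.'
}

# 5. Start the FSMO holder first and wait for its integration-services
#    heartbeat before starting the second DC, so DNS/AD on SRV-DCA is up
#    when SRV-DCB tries to find it.
foreach ($name in $DCs) {
    Start-VM -Name $name
    while ((Get-VM -Name $name).Heartbeat -notlike 'Ok*') { Start-Sleep -Seconds 10 }
    Start-Sleep -Seconds 120   # crude grace period for DNS and AD DS to initialise
}
Get-VM -Name $DCs | Format-Table Name, State, Heartbeat -AutoSize
```

Run it from an elevated PowerShell session on the backup host with the Hyper-V module loaded. Step 4 is the check worth keeping even if you do the rest by hand: a clone that still has an adapter on an External switch is a second live copy of your domain controller on the production network, which is the one outcome this whole exercise must avoid.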

Personally I believe the "DNS Island" problem still exists, depending on how you have each DC configured for DNS. I've seen several instances where all DCs were turned off and had the issues you described when turning them back on. Here's what I would recommend:

Configure each DC to use the other DC for primary DNS and itself for secondary DNS. Add 127.0.0.1 as tertiary DNS on each DC. Power on both DCs and wait until DNS and AD fully load and initialize.

joeqwerty
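The guest-side counterpart, as an added PowerShell example that is not code from either answer: it applies the DNS client ordering this answer recommends (other DC, then itself, then 127.0.0.1) on whichever cloned DC it runs on, and then does the name-resolution checks the first answer asks for before running the AD tools that were failing in the question. Assumed values not in the original post: domain `corp.example`, SRV-DCA at 192.168.10.11, SRV-DCB at 192.168.10.12, and a NIC alias of `Ethernet` inside each DC.

```powershell
# Added example, not code from the original answers. Run inside each cloned
# DC (on the isolated switch) to set the DNS client order joeqwerty
# recommends and then verify resolution the way Evan Anderson suggests.
# Assumed values (not in the original post): domain corp.example,
# SRV-DCA = 192.168.10.11, SRV-DCB = 192.168.10.12, NIC alias "Ethernet".
$Domain = 'corp.example'
$Nic    = 'Ethernet'
$Peers  = @{
    'SRV-DCA' = @{ Self = '192.168.10.11'; Other = '192.168.10.12' }
    'SRV-DCB' = @{ Self = '192.168.10.12'; Other = '192.168.10.11' }
}

$me = $Peers[$env:COMPUTERNAME]
if (-not $me) { throw "$env:COMPUTERNAME is not one of the cloned DCs" }

# Primary = the other DC, secondary = itself, tertiary = loopback.
$order = @($me.Other, $me.Self, '127.0.0.1')
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $order
Get-DnsClientServerAddress -InterfaceAlias $Nic -AddressFamily IPv4

# Re-register this DC's own A record and rewrite the locator (SRV) records
# now that the DNS client knows where to send them.
ipconfig /registerdns | Out-Null
Restart-Service -Name Netlogon

function Test-DcNameResolution {
    # Returns $true only if every DNS server answers the records the DC
    # locator needs: the domain A record and the _ldap/_kerberos SRV records.
    param([string]$Domain, [string[]]$Servers)
    $queries = @(
        @{ Name = $Domain;                            Type = 'A'   }
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV' }
        @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV' }
    )
    $ok = $true
    foreach ($srv in $Servers) {
        foreach ($q in $queries) {
            try {
                $null = Resolve-DnsName -Name $q.Name -Type $q.Type -Server $srv -ErrorAction Stop
                Write-Host ('OK   {0,-15} {1,-4} {2}' -f $srv, $q.Type, $q.Name)
            } catch {
                Write-Host ('FAIL {0,-15} {1,-4} {2}: {3}' -f $srv, $q.Type, $q.Name, $_.Exception.Message)
                $ok = $false
            }
        }
    }
    return $ok
}

if (Test-DcNameResolution -Domain $Domain -Servers @($me.Self, $me.Other)) {
    # Only once DNS answers does the DC locator (which the AD consoles and
    # netdom both rely on) stand a chance. These are the checks that failed
    # in the question.
    nltest /dsgetdc:$Domain /force
    netdom query fsmo
    dcdiag /test:Advertising
} else {
    Write-Warning 'DNS is not answering for the domain; AD tools will keep reporting that no domain controller can be found until this is fixed.'
}
```

Run it on SRV-DCA first, then on SRV-DCB, matching the power-on order from the answer. A `FAIL` on the `_ldap._tcp.dc._msdcs` SRV query against a server that is itself a DC is the "DNS island" symptom in a single line: the DC is up, but nobody (including itself) can be told where it is.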