Virtualizing existing domain controllers in VMware vCenter Converter
Article ID: 308619


Products

VMware vSphere ESXi

Issue/Introduction

This article provides information on techniques and best practices for converting a Domain Controller using VMware Converter.

Symptoms:

  • The converted domain controller does not replicate.
  • The DNS service on the converted domain controller does not bind to the network interface.
  • The directory database file NTDS.DIT is corrupted in the new virtual machine.
  • The domain controller becomes tombstoned in Active Directory and stops replicating.
  • Replication with other domain controllers is unreliable.
  • Objects created or removed on the virtual machine or on the source change unexpectedly, or deleted objects reappear in Active Directory.
  • The update sequence number (USN) changes unexpectedly on the domain controller.
  • Kerberos authentication or trust failures.
  • DNS lookup failures.
  • You see these errors:

    LSASS.EXE - System Error, security accounts manager initialization failed because of the following error: Directory Services cannot start. Error status 0xc00002e1.
    Event ID: 1103
    Description: "The windows directory services database could not be initialized and returned error 1032. Unrecoverable error, the directory can't continue."
    Event ID 2042: It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
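The following script is an added example, not part of the VMware article. It triages a converted domain controller for the symptoms listed above: the 1103 and 2042 events in the Directory Service log, inbound replication partners whose last success is older than the forest tombstone lifetime, and whether the local DNS service still answers on the loopback interface with the domain's DC locator records. It assumes the ActiveDirectory module (installed with the AD DS role) and repadmin.exe are present on the converted virtual machine; the 60-day fallback for an unset tombstoneLifetime is an assumption.

```powershell
# Added example, not part of the VMware article: triage a converted domain
# controller for the symptoms in the article. Run in an elevated PowerShell
# session on the converted virtual machine. Assumes the ActiveDirectory RSAT
# module is present (it is installed with the AD DS role) and that repadmin.exe
# is available, which it is on any domain controller.
Import-Module ActiveDirectory -ErrorAction Stop

$dc     = $env:COMPUTERNAME
$domain = (Get-ADDomain).DNSRoot

# 1. Event IDs named in the symptom list: 1103 (directory database could not
#    be initialized) and 2042 (replication stopped: tombstone lifetime exceeded).
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1103, 2042 } `
                     -MaxEvents 50 -ErrorAction SilentlyContinue
if ($hits) {
    Write-Warning "Directory Service log contains $($hits.Count) matching event(s):"
    $hits | ForEach-Object { '{0:u}  Event {1}: {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`r?`n")[0] }
} else {
    'No 1103/2042 events in the Directory Service log.'
}

# 2. Replication: list this DC's inbound partners and the last time each one
#    succeeded, then compare the age against the forest tombstone lifetime.
$config = (Get-ADRootDSE).configurationNamingContext
$dsObj  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties tombstoneLifetime
# 60 days is assumed as the fallback when the attribute is not set.
$tsl    = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

$partners = Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound -ErrorAction SilentlyContinue
foreach ($p in $partners) {
    $age   = (Get-Date) - $p.LastReplicationSuccess
    $state = if ($age.TotalDays -ge $tsl) { 'TOMBSTONED? (last success older than tombstone lifetime)' }
             elseif ($p.LastReplicationResult -ne 0) { "FAILING (result $($p.LastReplicationResult))" }
             else { 'ok' }
    '{0,-60} last success {1:u}  {2}' -f $p.Partner, $p.LastReplicationSuccess, $state
}
if (-not $partners) { Write-Warning "No inbound replication partners reported for $dc." }

# repadmin remains the authoritative view; keep its output alongside the above.
repadmin /showreps $dc

# 3. DNS: confirm the local DNS service answers on the loopback address and
#    still publishes this domain's DC locator (SRV) records.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server 127.0.0.1 -ErrorAction Stop
    "DNS on $dc answers; $($srv.Count) DC locator record(s) for $domain."
} catch {
    Write-Warning "Local DNS did not answer for $domain on 127.0.0.1: $($_.Exception.Message)"
}
```

Run it before the converted virtual machine is left on the network with its network cards connected; a partner whose last success is older than the tombstone lifetime will not recover by itself, and the article's resolution (rebuild and promote a fresh domain controller) applies.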

Environment

VMware vCenter Converter Standalone 6.x

Resolution

Introduction

A virtual machine created from an active domain controller may behave unexpectedly. Domain controllers are very sensitive to hardware changes, and when a physical server is virtualized the hardware presented to the operating system changes. It is also possible for the virtualized domain controller and the original physical domain controller to run at the same time, which causes unpredictable replication behaviour across Active Directory or even a tombstone condition. On Windows NT, these changes may prevent the directory or DNS services from binding to the network connection.
 
Use one of these solutions depending on your environment:

Windows 2000, 2003, 2008, and 2012 Servers

  • (Recommended) Do not convert the source server. Decommission the existing domain controller with dcpromo, install Windows Server in a new virtual machine, and promote it as a new domain controller, reusing the source server's host name and IP address.
  • Ensure another domain controller is online and properly replicated. If none is available, provision a new domain controller as a virtual machine and promote it first. Then demote the source server with dcpromo, change any static IP addresses to DHCP, and run the conversion. After the conversion, power off the source server, reassign the static IP address to the virtual machine, and promote it.

    Notes:
    • Before attempting the conversion, always ensure that another domain controller is online and properly replicated.
    • Start using the new virtual machine as soon as possible after decommissioning the physical or source server. Leaving it idle longer than the tombstone lifetime results in a tombstone condition.
    • Never use the customization option in the Conversion Wizard. Customization destroys the domain controller on the destination virtual machine.
    • Always ensure that the source server is powered off or decommissioned before starting the new virtual machine with its network cards connected.
    • If the server to be virtualized holds any FSMO roles, transfer them to an existing, running domain controller first. If the conversion fails, you can then provision new domain controllers and perform other AD operations without having to seize roles from the unavailable domain controller.
    • For Windows Server 2003 Active Directory domains with one Windows Server 2008 R2 domain controller, validate domain and forest functionality by running dcdiag /c /v /e. Before beginning, run repadmin /showreps to check for replication errors.
    • Avoid converting Windows NT domain controllers, if possible.
       
  • Do not perform online physical-to-virtual (P2V) conversions of a domain controller; the directory database is open and changing while a running server is copied.
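The following script is an added example, not part of the VMware article. It carries out the pre-conversion checks from the notes above on the source domain controller: it confirms that another writable domain controller is online on TCP 389, runs the article's own replication checks (repadmin /showreps and dcdiag /c /v /e) and saves their output, and lists any FSMO roles held by this server, moving them to a named domain controller only when -Commit is passed. The parameter names $TargetDc and $Commit and the output paths under $env:TEMP are assumptions; the ActiveDirectory module, repadmin.exe and dcdiag.exe are assumed present, as they are on any domain controller. Demotion, the DHCP change and the conversion itself stay manual.

```powershell
# Added example, not part of the VMware article: pre-conversion checks for the
# source domain controller. Run in an elevated PowerShell session on the
# physical DC you intend to replace. $TargetDc (assumed parameter name) is the
# healthy DC that will receive any FSMO roles; nothing is changed unless
# -Commit is supplied, otherwise role moves run with -WhatIf.
param(
    [string] $TargetDc,
    [switch] $Commit
)
Import-Module ActiveDirectory -ErrorAction Stop
$me = Get-ADDomainController -Identity $env:COMPUTERNAME

# 1. Another writable DC must exist and answer on LDAP before anything else.
$others = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
          Where-Object { $_.Name -ne $me.Name }
if (-not $others) { throw 'No other writable domain controller exists; promote one first.' }
$online = $others | Where-Object { Test-NetConnection -ComputerName $_.HostName -Port 389 -InformationLevel Quiet }
if (-not $online) { throw 'No other writable domain controller answers on TCP 389.' }
"Other writable DCs online: $($online.HostName -join ', ')"

# 2. Replication must be clean. These are the article's own checks; the
#    output is kept for the change record, and any reported failure stops here.
$stamp = Get-Date -Format yyyyMMdd-HHmm
repadmin /showreps $me.HostName | Tee-Object -FilePath "$env:TEMP\showreps-$stamp.txt"
$failures = Get-ADReplicationFailure -Target $me.HostName -ErrorAction SilentlyContinue
if ($failures) { throw "Replication failures reported on $($me.Name); resolve them before converting." }
dcdiag /c /v /e | Out-File "$env:TEMP\dcdiag-$stamp.txt"
"dcdiag output written to $env:TEMP\dcdiag-$stamp.txt (review it for failed tests)."

# 3. Any FSMO role held by this server moves to a running DC first, so a
#    failed conversion never forces a role seizure.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles  = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$held = $roles.GetEnumerator() | Where-Object { $_.Value -ieq $me.HostName } | ForEach-Object Name
if ($held) {
    "This DC holds: $($held -join ', ')"
    if (-not $TargetDc) { throw 'Pass -TargetDc to name the DC that should receive these roles.' }
    if ($online.HostName -notcontains $TargetDc) { throw "$TargetDc is not one of the online writable DCs." }
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $held `
        -Confirm:$false -WhatIf:(-not $Commit)
} else {
    'No FSMO roles held here.'
}

# The remaining steps are deliberately manual, in the article's order: demote
# with dcpromo, switch static addresses to DHCP, run the conversion with the
# source offline, power off the source, then reassign the address and promote
# the virtual machine.
```

Run it once without -Commit to see which roles would move and to which server, then again with -Commit -TargetDc <name> once the replication output is clean.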

Additional Information

Note: VMware does not recommend taking snapshots of a virtual machine that runs as a domain controller. Windows Server 2012 introduced changes that make snapshots of a domain controller safer; for details, see the Microsoft TechNet article Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100). On earlier versions of Windows, Microsoft does not support snapshots of a domain controller.
Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.