Home > Uncategorized > Bringing a single domain controller up in an isolated network

Bringing a single domain controller up in an isolated network

 

I wanted to create a quick test lab so I spun up a copy of a virtualized domain controller into an isolated network. The domain controller came up in a failed state with DNS and Active Directory non-functional.

Apparently in a multi domain controller network it is a requirement that the domain controller be able to sync with other domain controllers/role masters in order to function.

Because this was the only domain controller in the network, and I wanted to get the test network up quickly, I performed the following workarounds:

 

(Thanks to user zabo2012 on the veeam forums at http://forums.veeam.com/vmware-vsphere-f24/restoring-2012-domain-controller-vm-t18629.html for the awesome instructions)

 

boot the machine up in dsrm ( bcdedit /set safeboot dsrepair )

log in with ds repair mode password .\Administrator

run the bcdedit command to set and remove dsrepair mode ( bcdedit /deletevalue safeboot )

net stop ntfrs

open regedit and

Open Regedit
Browse to the following extension: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Add the following dword (32 bit) value: Repl Perform Initial Synchronizations
And leave this set to 0.
http://www.veeam.com/kb_articles.html/kb1280
then

open regedit and expand: hklm\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Set the burflags to d2 (sometimes you will have to use d4, but only do this in isolated network or it will overwrite other DC’s during replication)
http://www.veeam.com/kb_articles.html/kb1278

reboot

Edit:

I noticed that although I was able to get other servers to authenticate off the DC after doing the above, I wasn’t able to access AD Users and Computers on the DC itself.

Seizing the roles from the other DCs (that are not available in the isolated test lab) fixed this.  To seize the other domain controller FSMO roles:

ntdsutil
roles
connections
connect to server <dns name of local dc server>
quit

seize schema master
seize naming master
seize rid master
seize PDC
seize infrastructure master

quit
quit

After seizing roles I now see the expected information in AD Users and Computers

Edit 2:

I continued to have problems with an Exchange server that was in the same test lab as the isolated domain controller so I made a few more changes:

I performed a metadata cleanup, removing all the domain controllers that were not in the isolated lab environment, using the GUI > http://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx#bkmk_graphical

I then set the burflag to d4 (below) and restarted the domain controller.  After that exchange was working correctly.

open regedit and expand: hklm\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Set the burflags to d4
http://www.veeam.com/kb_articles.html/kb1278

 

 

Print Friendly
Categories: Uncategorized Tags:
  1. No comments yet.
  1. No trackbacks yet.