Saturday 1 December 2012

AD: Install a 2008 R2 Replica DC using IFM

If you have ever tried to install a replica domain controller that has to replicate over a slow network path such as a WAN link, you may have run into problems and ended up with an error. The solution may be to use Install from Media (IFM) instead of performing the initial replication over the network. Here is what you would do:

Install your new destination server and make it a member of your domain. Let's assume that you named it dcwansite. Now create a folder on this server called c:\ifm. Make sure you can reach this folder from one of your existing domain controllers by using the administrative share c$ (\\dcwansite\c$\ifm).

For the sake of verification (not mandatory), install the Total Files Received DFS Replication performance counter on your destination server. You do this via Server Manager > Diagnostics > Performance > Data Collector Sets > right-click User Defined > New > Data Collector Set > Type a name and click Next > Basic and click Next > Type location and click Next > Start this data collector set now > Finish > click the new data collector set > Performance Counter > Properties > Add > double-click DFS Replicated Folders > Total Files Received > SYSVOL Share {C116FC7E-1CE1-4F62-A63F-210204C47BA6} > Add > click OK twice.

Before promoting any new server to a domain controller I strongly recommend running Active Directory health check tests. Log on to an existing domain controller and run the following from a Command Prompt started with Run as Administrator (it can take some time to run):
DCDIAG /e /v /c /ferr:dcdiagerror.txt /f:dcdiag.txt
DCDIAG /e /v /test:DNS /DnsAll /f:dcdiagdns.txt

When done open up the dcdiag logs and fix the problems that you find.

Other useful tests include:
NSLOOKUP to verify that all replication partners can be resolved.
REPADMIN to verify replication (/showrepl)
NETDIAG to verify network connectivity (/v /fix)
NETDOM to verify domain trusts (query /verify)

For the destination server I would recommend verifying network connectivity (NETDIAG), and also DCDIAG with the tests RegisterInDns and DcPromo like this:
dcdiag /test:RegisterInDns /DnsDomain:your.domain 
dcdiag /test:DcPromo /DnsDomain:your.domain /ReplicaDC

To verify how many files of the SYSVOL folder will be replicated from a partner domain controller use Performance Monitor and look at Total Files Received. To do this open up the report by using Server Manager > Diagnostics > Performance > Reports > User Defined > double-click the name of the data collector set > double-click the report that corresponds to the time that you ran Performance Monitor > View > Performance Monitor > Change graph type pull-down menu > Report > Right-click the new data collector set > Start.

Now, log on to an existing domain controller (don't use a read-only domain controller). Start Command Prompt by using Run as Administrator and type as follows:

md c:\ifm
ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create sysvol full c:\ifm
ifm: quit
ntdsutil: quit
robocopy c:\ifm \\dcwansite\c$\ifm /E /COPYALL /LOG:c:\robolog.txt

Next, when all the files have been copied (make sure to check the log and verify that all files were copied), log on to the destination server.
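The robocopy log only tells you what robocopy thinks it did. Because the IFM set contains the AD database itself, a check that every file on dcwansite is byte-for-byte identical to the source is worth having before you promote from it. The following PowerShell script is an added example, not part of the original post: it hashes both trees with SHA-256, reports any missing, unexpected or altered files, and echoes the robocopy summary lines. It assumes the paths and host name used above (c:\ifm, \\dcwansite\c$\ifm, c:\robolog.txt) and uses .NET hashing so it also runs on the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example: verify the IFM copy on the destination against the source DC.
# Run on the source domain controller. Paths are assumptions matching the post.
param(
    [string]$Source      = 'C:\ifm',
    [string]$Destination = '\\dcwansite\c$\ifm',
    [string]$RoboLog     = 'C:\robolog.txt'
)

function Get-Sha256 {
    param([string]$Path)
    # .NET hashing instead of Get-FileHash so this works on PowerShell 2.0.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { return [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Close() }
}

function Get-TreeHashes {
    param([string]$Root)
    $table = @{}
    Get-ChildItem -Path $Root -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        # Key by path relative to the root so both trees compare directly.
        $relative = $_.FullName.Substring($Root.TrimEnd('\').Length + 1)
        $table[$relative] = Get-Sha256 -Path $_.FullName
    }
    return $table
}

$src = Get-TreeHashes -Root $Source
$dst = Get-TreeHashes -Root $Destination

$missing  = $src.Keys | Where-Object { -not $dst.ContainsKey($_) }
$extra    = $dst.Keys | Where-Object { -not $src.ContainsKey($_) }
$modified = $src.Keys | Where-Object { $dst.ContainsKey($_) -and $dst[$_] -ne $src[$_] }

"Source files: $($src.Count)  Destination files: $($dst.Count)"
$missing  | ForEach-Object { "MISSING on destination: $_" }
$extra    | ForEach-Object { "UNEXPECTED on destination: $_" }
$modified | ForEach-Object { "HASH MISMATCH: $_" }

# Robocopy's summary lines carry a FAILED column; anything non-zero there means
# the copy must be repeated before the media is used for promotion.
if (Test-Path $RoboLog) {
    Select-String -Path $RoboLog -Pattern '^\s*(Dirs|Files)\s*:' | ForEach-Object { $_.Line }
}

if ($missing -or $extra -or $modified) {
    Write-Error 'IFM copy does not match the source; do not promote from this media.'
    exit 1
}
'IFM copy verified: every file matches the source.'
```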

Open up the folder c:\ifm where you copied the media, open the properties of the SYSVOL folder > Security > Advanced > Auditing > Edit > uncheck "Include inheritable auditing entries from this object's parent" > OK.

Then open a Command Prompt with Run as Administrator and type:
dcpromo /adv

Follow the wizard to add this server as "Additional Domain controller for an existing domain" and then choose Install from Media and point it to c:\ifm.

After installation, check the Performance Monitor report.