Virtualizing existing domain controllers (1006996)

Symptoms

  • A converted domain controller does not synchronize.
  • The DNS service on a converted domain controller does not bind to the network interface.
  • The local domain database file (NTDS.DIT) is corrupted in the new virtual machine.
  • The domain controller becomes tombstoned in Active Directory and will not synchronize.
  • Synchronization is unreliable with other domain controllers.
  • Newly created or removed objects changed on the virtual machine or source reappear in Active Directory.
  • The update or serial number changes unexpectedly on the domain controller.
  • Kerberos authentication or trust failures.
  • DNS lookup failures.
  • You see these errors:

    • LSASS.EXE - System Error, security accounts manager initialization failed because of the following error: Directory Services cannot start. Error status 0xc00002e1.
    • Event ID: 1103
      Description: "The windows directory services database could not be initialized and returned error 1032. Unrecoverable error, the directory can't continue."
    • Event ID 2042: It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.

Purpose

This article discusses techniques and best practices for converting a Domain Controller using VMware Converter.

Resolution

Introduction

A virtual machine created from an active domain controller may exhibit unexpected behavior. Domain controllers are very sensitive to hardware changes. When a physical server is virtualized, the hardware presented to the operating system may be very different. Also, it is possible that a virtualized domain controller and an identical physical domain controller may be running simultaneously, which may result in unpredictable replication issues across Active Directory or even a tombstone condition. If you are using Windows NT, these changes may prevent the directory or DNS servers from binding to the network connection.
 
Follow one of these solutions depending on your environment:

Windows 2000, 2003, and 2008 Servers

  • Decommission the existing domain controller using dcpromo, and provision a new domain controller in a fresh installation of Windows Server in a new virtual machine. Do not perform the conversion at all, but use the source server's host name and IP address. (recommended)
  • Ensure another domain controller is online on the network and properly synchronized. If one is not available, provision a new domain controller as a virtual machine and promote it. Demote the domain controller using dcpromo

    Notes:

    • Always start using the new virtual machine as soon as possible after decommissioning the physical or source server. Failure to do so leads to a tombstone condition.
    • Never use the customization option in the Conversion Wizard. Using this process destroys the server on the destination.
    • Ensure that the source server is powered off or decommissioned before starting the new virtual machine with the network cards connected.
    • If the server to be virtualized holds any FSMO roles, transfer the roles to an existing and running domain controller. If a problem happens during the conversion process, you can provision new domain controllers in Active Directory and perform other AD operations without having to seize roles from the unavailable domain controller. For more information on FSMO roles in Windows Server 2003, see the Microsoft Knowledge Base article 324801.
    • For current Windows Server 2003 Active Directory domains with one Windows Server 2008 R2 domain controller, validate the domain/forest functionality by running the dcdiag /c /v /e command. Before beginning, run the repadmin and showreps commands to check for errors.
    • Avoid converting Windows NT domain controllers, if possible.
    • Before attempting conversion, always be sure another domain controller is online and properly synchronized.
    • Always ensure that the source server is powered off or decommissioned before starting the new virtual machine with the network cards connected.
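
The replication check that the notes above call for before a conversion, as an added example (not VMware's or Microsoft's code): it parses saved output of `repadmin /showrepl * /csv` and flags links that report failures or whose last success is older than the tombstone lifetime, the condition behind Event ID 2042. The sample CSV, the host names, the timestamp format and the 60-day default are assumptions; set `tombstone_days` to the value configured in your forest.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of saved `repadmin /showrepl * /csv` output (not real data).
SAMPLE_CSV = """showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC-PHYS01,"DC=example,DC=test",HQ,DC-VM02,RPC,0,0,2010-07-06 09:12:44,0
showrepl_INFO,HQ,DC-VM02,"DC=example,DC=test",HQ,DC-PHYS01,RPC,3,2010-07-06 08:00:01,2010-07-05 22:41:10,1722
showrepl_INFO,HQ,DC-VM02,"CN=Configuration,DC=example,DC=test",Branch,DC-OLD03,RPC,212,2010-07-06 08:00:05,2010-03-01 04:00:00,8614
"""

def _parse_time(value):
    """Return None when the field is empty or 0 (the event never happened)."""
    value = (value or "").strip()
    if value in ("", "0"):
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")  # assumed format

def check_replication(csv_text, now, tombstone_days=60):
    """Return (severity, link, reason) for every unhealthy replication link."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        link = "{} -> {} [{}]".format(
            row["Source DSA"], row["Destination DSA"], row["Naming Context"])
        failures = int(row["Number of Failures"] or 0)
        last_ok = _parse_time(row["Last Success Time"])
        if last_ok is None:
            findings.append(("BLOCK", link, "no successful replication recorded"))
        elif now - last_ok >= timedelta(days=tombstone_days):
            # Same condition that Event ID 2042 reports.
            days = (now - last_ok).days
            findings.append(("BLOCK", link, f"last success {days} days ago"))
        elif failures:
            findings.append(("WARN", link, f"{failures} failures reported"))
    return findings

def ready_to_convert(findings):
    """Proceed only when every replication link is clean."""
    return not findings

if __name__ == "__main__":
    for finding in check_replication(SAMPLE_CSV, datetime(2010, 7, 7)):
        print(*finding, sep=": ")
```

A `BLOCK` finding means the link is already past the tombstone lifetime and has to be repaired before any domain controller is converted or decommissioned.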

Additional Information

Note: Taking snapshots of a virtual machine running as a Domain Controller is not a recommended practice. If the virtual machine is running a Windows Domain Controller, snapshots are not supported by Microsoft. For further information, see Virtualizing Windows Active Directory. See also the related Microsoft KBs below.

For information related to the FSMO placement and optimization on Active Directory domain controllers, see the Microsoft Knowledge Base article 223346

Note: The preceding link was correct as of July 7th, 2010. If you find the link is broken, please provide feedback and a VMware employee will update the link.
