Virtualizing existing domain controllers in VMware vCenter Converter (1006996)

Symptoms

  • A converted domain controller does not synchronize.
  • The DNS service on a converted domain controller does not bind to the network interface.
  • The local domain database file (NTDS.DIT) is corrupted in the new virtual machine.
  • The domain controller becomes tombstoned in Active Directory and will not synchronize.
  • Synchronization is unreliable with other domain controllers.
  • Objects created or removed on either the virtual machine or the source server reappear in Active Directory.
  • The update sequence number (USN) on the domain controller changes unexpectedly.
  • Kerberos authentication or trust failures.
  • DNS lookup failures.
  • You see these errors:

    LSASS.EXE - System Error, security accounts manager initialization failed because of the following error: Directory Services cannot start. Error status 0xc00002e1.
    Event ID: 1103
    Description: "The Windows directory services database could not be initialized and returned error 1032. Unrecoverable error, the directory can't continue."
    Event ID 2042: It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
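As an added example (PowerShell; not part of the original VMware article), the following script checks a converted domain controller for the symptoms listed above: the two event IDs, failed inbound replication links reported by repadmin /showreps, the DNS Server service and the domain's DC locator SRV record, and the secure channel used for Kerberos. It assumes Windows Server 2008 or later (for Get-WinEvent) and local administrative rights. The check of the Dsa Not Writable registry value goes one step beyond the article: it is the flag Active Directory sets when it detects an unexpected USN rollback and quarantines the domain controller from replication.

```powershell
# Added example, not from the VMware KB article. Run locally on the converted
# domain controller as an administrator. Assumes Windows Server 2008 or later.
param([datetime]$Since = (Get-Date).AddDays(-7))   # how far back to search the event log

$findings = @()
$domainDns = (Get-WmiObject -Class Win32_ComputerSystem).Domain

# 1. Event IDs the article lists: 1103 (directory database could not be
#    initialized) and 2042 (replication stopped: tombstone lifetime exceeded).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'; Id = 1103, 2042; StartTime = $Since
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    $findings += "Event $($e.Id) at $($e.TimeCreated): $firstLine"
}

# 2. Unexpected USN change: when the DC detects a USN rollback it stops
#    replicating and sets 'Dsa Not Writable' = 4 under the NTDS parameters key.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$notWritable = (Get-ItemProperty -Path $ntdsKey -Name 'Dsa Not Writable' `
                -ErrorAction SilentlyContinue).'Dsa Not Writable'
if ($notWritable -eq 4) {
    $findings += "USN rollback detected: 'Dsa Not Writable' is 4; the DC has paused replication."
}

# 3. Inbound replication links. repadmin prints
#    'Last attempt @ <time> failed, result <code> (<hex>)' for a broken partner.
$showreps = repadmin /showreps 2>&1
foreach ($line in ($showreps | Where-Object { $_ -match ' failed, result ' })) {
    $findings += "Replication: $($line.ToString().Trim())"
}

# 4. DNS: the service must be running and the domain's DC locator SRV record
#    must resolve from this host (a converted DC can fail to bind DNS to the new NIC).
$dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
if ($dns -and $dns.Status -ne 'Running') { $findings += "DNS Server service is $($dns.Status)." }
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domainDns" 2>$null
if (-not ($srv -match 'svr hostname')) {
    $findings += "SRV lookup for _ldap._tcp.dc._msdcs.$domainDns returned no records."
}

# 5. Kerberos/trust: verify the secure channel to the domain.
$sc = nltest /sc_query:$domainDns 2>&1
if (-not ($sc -match 'completed successfully')) {
    $findings += "Secure channel check failed: $($sc | Select-Object -Last 1)"
}

if ($findings) {
    "Problems found on ${env:COMPUTERNAME}:"
    $findings | ForEach-Object { " - $_" }
} else {
    "No conversion-related problems detected on ${env:COMPUTERNAME}."
}
```

If the USN rollback flag is set, do not simply clear it: the domain controller has quarantined itself because its replication partners already hold changes at higher USNs than it now has, and the supported recovery is to demote it and promote it again rather than to force replication.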

Purpose

This article provides information on techniques and best practices for converting a Domain Controller using VMware Converter.

Resolution

Introduction

A virtual machine created from a running domain controller can behave unpredictably. Domain controllers are very sensitive to hardware changes, and the virtual hardware presented to the operating system after conversion may differ greatly from the physical hardware. In addition, if the converted virtual machine and the original physical domain controller run at the same time, two domain controllers with the same identity are on the network, which causes unpredictable replication problems across Active Directory and can leave the domain controller tombstoned. On Windows NT, these changes may also prevent the directory or DNS service from binding to the network connection.
 
Perform one of these solutions depending on your environment:

Windows 2000, 2003, 2008, and 2012 Servers

  • (Recommended) Do not convert the domain controller at all. Decommission the existing domain controller with dcpromo, install Windows Server in a new virtual machine, promote it to a domain controller, and give it the source server's host name and IP address.
  • If you must convert, first ensure that another domain controller is online and properly synchronized; if none is available, provision a new virtual machine and promote it to a domain controller. Then demote the source domain controller with dcpromo, change any static IP addresses to DHCP, and run the conversion. After the conversion, power off the source server, reassign the static IP addresses to the virtual machine, and promote the virtual machine to a domain controller.

    Notes:
    • Start using the new virtual machine as soon as possible after decommissioning the physical or source server. If the new server stays offline for longer than the tombstone lifetime, it is tombstoned and will not replicate.
    • Never use the customization option in the Conversion Wizard. Customization reconfigures the guest in a way that is not supported on a domain controller and leaves the destination server unusable.
    • Ensure that the source server is powered off or decommissioned before you start the new virtual machine with its network adapters connected; otherwise two domain controllers with the same identity are on the network at the same time.
    • If the server to be virtualized holds any FSMO roles, transfer the roles to an existing, running domain controller. If a problem occurs during the conversion, you can then provision new domain controllers and perform other AD operations without having to seize the roles from the unavailable domain controller. For more information on FSMO roles in Windows Server 2003, see the Microsoft Knowledge Base article 324801.
    • For Windows Server 2003 Active Directory domains that contain a Windows Server 2008 R2 domain controller, validate the domain and forest by running dcdiag /c /v /e. Before beginning, run repadmin /showreps and check the output for errors.
    • Avoid converting Windows NT domain controllers, if possible.
    • Before attempting conversion, always be sure another domain controller is online and properly synchronized.
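The pre-conversion checks from the procedure and notes above, collected into one script as an added example (PowerShell; not part of the original VMware article). It assumes it runs on the source domain controller as a Domain Admin, that the ActiveDirectory PowerShell module is installed (Windows Server 2008 R2 or later; on Windows Server 2003 the same role transfer is done with ntdsutil), and that $Target is a hypothetical name for the existing, running domain controller that keeps the FSMO roles while the conversion takes place. It records the static IP configuration so it can be restored on the virtual machine, and stops at the point where you would run dcpromo to demote the server.

```powershell
# Added example, not from the VMware KB article. Run on the source DC as a
# Domain Admin before demoting it. $Target is a hypothetical name for the DC
# that keeps the FSMO roles during the conversion.
param(
    [Parameter(Mandatory = $true)][string]$Target,
    [string]$IpRecord = "$env:USERPROFILE\pre-conversion-ipconfig.txt"
)

Import-Module ActiveDirectory -ErrorAction Stop
$me = $env:COMPUTERNAME

# 1. Another domain controller must be online before this one is touched.
$others = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $me }
if (-not $others) { throw "No other domain controller exists; provision and promote one first." }
if ($others.Name -notcontains $Target) { throw "$Target is not a domain controller in this domain." }
if (-not (Test-Connection -ComputerName $Target -Count 2 -Quiet)) { throw "$Target is not reachable." }

# 2. Replication must be clean (the article's repadmin /showreps and dcdiag checks).
$reps = repadmin /showreps $me 2>&1
$broken = $reps | Where-Object { $_ -match ' failed, result ' }
if ($broken) { $broken; throw "Inbound replication to $me is failing; fix it before converting." }
$diag = dcdiag /c /v /e 2>&1
$failed = $diag | Where-Object { $_ -match 'failed test' }
if ($failed) { $failed; throw "dcdiag reports failed tests; resolve them before converting." }

# 3. Transfer any FSMO roles this server holds to $Target so nothing has to be
#    seized if the conversion goes wrong.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
# Role holders are reported as FQDNs; compare on the host label only.
$held = @($roles.GetEnumerator() |
    Where-Object { ($_.Value -split '\.')[0] -ieq $me } |
    ForEach-Object { $_.Key })
if ($held.Count -gt 0) {
    "Transferring $($held -join ', ') from $me to $Target"
    Move-ADDirectoryServerOperationMasterRole -Identity $Target `
        -OperationMasterRole ([string[]]$held) -Confirm:$false
} else {
    "$me holds no FSMO roles."
}

# 4. Record the static IPv4 configuration so it can be reassigned to the
#    virtual machine after conversion, then list the remaining manual steps.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { -not $_.DHCPEnabled } |
    Select-Object Description, IPAddress, IPSubnet, DefaultIPGateway, DNSServerSearchOrder |
    Format-List | Out-File -FilePath $IpRecord
"Static IP configuration saved to $IpRecord"
@"
Next steps (manual):
  1. Demote $me with dcpromo and reboot.
  2. Switch the static addresses recorded above to DHCP.
  3. Run the conversion WITHOUT the customization option.
  4. Power off $me, restore the static addresses on the VM, then promote the VM with dcpromo.
"@
```

dcdiag /c with /e runs every test against every domain controller in the enterprise and can take several minutes; read each reported failed test before deciding whether it blocks the conversion, since some tests (for example DNS forwarder checks) fail for reasons unrelated to replication health.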

Additional Information

Note: Taking snapshots of a virtual machine that runs as a domain controller is not a recommended practice, and restoring a domain controller from a snapshot is not supported by Microsoft on Windows Server versions before 2012: it rolls the directory back to an earlier update sequence number (USN) while replication partners have already consumed later changes. Windows Server 2012 adds safeguards (the VM-Generation ID) that let the directory detect such a rollback; for more information, see the Microsoft TechNet article Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100). See also the Virtualizing a Windows Active Directory Domain Infrastructure white paper.

For information on FSMO placement and optimization on Active Directory domain controllers, see the Microsoft Knowledge Base article 223346.

Note: The preceding links were correct as of March 4, 2014. If you find a link is broken, provide feedback and a VMware employee will update the link.
