Building Windows 2000 domain controllers and global catalog (GC) servers at remote sites has historically been a problem that had only two solutions: build the server, promote it in the corporate office and then ship it to the site and hope it comes online within the 60-day tombstone lifetime; or build the server, ship it to the site and endure the hit on the WAN when it's promoted.
Of course, when you are restoring a domain controller or global catalog you only have option two. In addition to using precious bandwidth for an extended period of time in large deployments, it creates an ongoing maintenance problem.
Since Exchange 2000 relies on the global catalog for its Global Address List (GAL), global catalog servers must be deployed in more sites than would be required by Active Directory requirements alone. Further, if that GC becomes unavailable for a period of time, it will impact Exchange performance -- as a remote GC will have to service that site. Thus, if you have to rebuild a global catalog (especially in a multiple domain environment), it can take a significant amount of time before it is available again. In addition, this live replication increases the bandwidth demand on the WAN and virtually makes the sourcing domain controller unavailable during this time. It also initiates a full Vvjoin of File Replication service (FRS) replicas.
Windows 2003 and Windows 2000 beginning in SP3 offer a new feature called "Install from
This switch will produce a dialog not offered during normal execution of the DCpromo wizard, shown in Figure 1.
Figure 1. The dialog produced by the DCpromo /adv option lets you choose the domain information location.
This offers the administrator the option of specifying the location of restored system state files to source the Active Directory from. DCpromo will then source from the restored system state rather than an active domain controller. Once the initial sourcing is complete, replication with an active domain controller will update the new doman controller with any changes since the media was created.
Thus you could provide immediate disaster recovery of a domain controller or global catalog by maintaining a current system state backup of any domain controller in the domain and restore it to some media such as CD, DVD, tape or disk that can be viewed as local media by the server being promoted.
Hewlett-Packard, one of the first companies to adopt Windows Server 2003 in a production environment, used Install from Media as one of the critical reasons to upgrade from Windows 2000. In the Windows 2000 environment, it took HP between 3 to 5 days to rebuild a GC due to the size of the ndts.dit and the network speed (varied, of course). In Windows 2003, using Install From Media, that same rebuild takes 20 to 30 minutes. This is a huge savings in terms of downtime and performance especially for Exchange users.
Note: This doesn't eliminate the tombstone problem. If the media is more than "tombstonelifetime" days old, new media must be created and used. One administrator suggested he would post the restore files on an FTP site for download and periodically update the FTP site.
In addition, DCpromo can use an answer file with additional options provided by Windows 2003 to include commands to accommodate Install from Media.
How to use Install from Media to promote a server to a domain controller
This process assumes you have at least one Windows 2003 domain controller (Company-DC1) in the Company.com domain and a Windows 2003 member server (Company-SRV1) in that domain that is to be promoted. Install from Media can't be used to create a new domain.
DNS must be installed and the SRV records for the first domain controller must be populated.
This process will backup a domain controller in the Company.com domain, restore it to the local disk of the member server, then run DCpromo on the member server using an answer file to make the promotion an unattended process.
Log on to the domain controller.
Create directory C:backup. If the directory exists, delete any files.
Using Windows 2000 Backup, back up the System State. Save the backup as
.bkf to C:backup (in other words, if you're backing up DC1, name the file DC1.bkf).
Log on to the member server that is to become a domain controllers.
Create the directory "C:NTDSrestore" on the member server and share it as NTDSrestore. Modify the permissions on the share and grant the Everyone group Full Control privilege. (The directory can be named anything –- NTDSRestore is just an example.)
On the DC, map a drive to <server> NTDSrestore (the share created in step 5), where <server> is the name of the member server where the share was created.
On the DC, open the Windows Backup Utility and use the Restore Wizard to restore the .bkf file created in step 3 to the NTDSrestore share. Make sure that you:
Select the System State as the file to be restored.
Make sure at the end that you select Advanced Options, then specify the location -- otherwise it will restore the file to the original location.
From the member server, logon as an admin and open a command prompt. At the command prompt, enter C:> DCPromo /ADV. Go through the dialog as you normally would. When you see the dialog shown in Figure 1. Just select the option "From These Restored Backup Files" and enter the path to the directory where you put the restored files (not the backup file but the restored files).
DCpromo will continue as normal and reboot. It will find a source domain controller and sync with it to get updated information in order to make up the gap from when the media was created.
Disaster Recovery Planning for Active Directory
Part 1: How creating an AD replication lag site minimizes disasters
Part 2: How to build redundancy in Active Directory replication
Part 3: How to restore a domain controller from backup in AD
Part 4: How to use Install from Media to restore a domain controller
Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He wrote Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Olsen is a Microsoft MVP for Windows Server-File Systems.
This was first published in March 2005