Build a Lab
It’s about time. After much promising and procrastinating and so on and so on, I am finally here. This is my first real blog post. Introductions don’t count.
This blog walks through some basic steps to setup a lab from a production network. I am sure you can modify it to fit your needs. The main goal to create a lab that closely resembles a production environment without breaking any rules. We will be creating a lab from the ground up that hopefully looks like your production environment. Here are some DO NOTS before we get into the steps of creating a lab:
DO NOTS
- DO NOT create a snapshot of domain controller and place in an isolated network – someone will UN isolated the lab one day and your mileage will vary WHEN (not if) that happens.
- DO NOT take a physical domain controller from production domain to an isolated network to build a lab – It is feasible that a lab network that has had all the production domain controllers’ metadata removed from the lab can then successfully remove the domain controllers from the production environment also WHEN they two environments are UN isolated.
- DO NOT use backups of a production environment to create a lab – the lab forest will have the same forest GUID and if connect to production will cause issues.
- DO NOT use production domain controllers for testing – no matter how much you promise the testing will not replicate to the other domain controllers and that the domain controllers used for testing will be formatted and all metadata removed.
- DO NOT give the lab forest name the same as the production forest. Using the same name will confuse even the best engineer and can lead to changes being made to the wrong environment.
- DO NOT not have a lab. Is that grammatically correct – NOT not?
So then the obvious question is how do I get a lab that closely mirrors or resembles my production without putting my production environment at risk. Glad you asked. On with one possible solution:
The discussion below provide some hints on setting up a virtual environment by exporting data from production to the test lab. This uses a Windows 2003 forest to conveniently walk you right in to a lab at the end. So this is a two for one post. One – setting up a lab to use for testing and Two – a lab to convert FRS to DFSR.
One last comment, or one more DO NOT to add to the list above. DO NOT take my labs straight to a production environment. I cannot envision all the possible scenarios and roadblock you will face in your production environment. Rather, use these labs to get a better understanding how things work in directory services. My future labs will be a much shorter post than this one and will be making assumptions that you can do most of the steps without detailed step by step instructions. When in doubt use <bing.com> to do a little research and if you feel the need to share, by all means leave comments.
Enjoy
Getting Started - Set up a Virtual Host
Suggestions to make life in your lab easier:
For Windows 2003 machines
- Install support tools, resource kit tools, GPMC, and any other tools you might need. (i.e. Netmon3.x, Pstools etc.)
- Load i386 folder on the image or create an ISO of the OS.
For all OSes
- Create ISOs for each operating system.
- Create an ISO with all your favorite tools and files.
- You can find utilities that can convert a folder to an ISO. This method is very useful in a virtual environment. You can search with Bing to find utilities that do this nicely.
- Setup multiple VLANs in the lab to simulate sites better.
- Work with the network team so that the router does not allow DHCP requests to pass through. This way you can test other services such as WDS, DHCP, MDT, etc.
- Setup change control for the lab
- Use the lab for training
Build a Windows 2003 Forest to upgrade to 2008/R2
- Fully patch server and take a snapshot (before promoting to DC)
- Configure the DC to point to itself for DNS
- Raise FFL to 2003 if not there already
- Verify DNS is stored in the DomainDNSzones (application partition)
- Verify DC is a global catalog server
- Run ADRPEP32 /Forestprep and ADPREP32 /DomainPrep to prepare the forest for Windows 2008 R2. Use the 2008 R2 CD to run \support\adprep\adprep32.exe
Add a Windows 2008 R2 domain controller
- Add DNS and GC function during the DCpromo process
- Transfer all the FSMO roles to the 2008 R2 DC
- Configure DNS to point to itself and the IP address of the second DC as a secondary
Add a second Windows 2008 R2 domain controller
- Add DNS and GC function during the DCpromo process
- Configure DNS to point to itself and the IP address of the First 2008 R2 DC as a secondary
- DCPromo (Demote) the Windows 2003 server.
Setup Sites and Services
- Create new site - Spoke1
- Rename DefaultFirstSite to Hub
- Rename DefaultSiteLink to Hub-Spoke1
- Set interval on the site link to 15 minutes
- Enable change notification on the site link: Use ADSIedit.msc. Find the site link in the configuration container and edit the properties of the site link. Find the "options" attribute and set it to 1.
- Move one of the DCs to the spoke site.
- Add subnets with a 32 bit subnet masks for the DCs in the appropriate site
Exporting data from Production (manually from command line)
- Use GPMC scripts to export the production environment to an XML file
- Create a folder to export to:
In my steps below I am using the following folder on a thumb drive. e:\Lab\GPOBackups
Cscript CreateXMLfromEnvironment.wsf e:\lab\prod.xml /domain:contoso.com /DC:<DCNAME> /templatepath:e:\lab\gpobakups /includeusers
Exporting the data from production (Using a script)
- Create a cmd file named “ExportForLab.cmd” with following commands.
<StartCopyHere>
REM Use desired drive letter
E:
CD\
REM Delete folder if it exists
RD LAB
REM Create folders for GPMC scripts to use
MD LAB
CD LAB
MD GPOBackups
REM Change to the folder where GPMC scripts are stored
C:
“CD\Program files\Microsoft GPMC Scripts”
Cscript CreateXMLfromEnvironment.wsf e:\lab\prod.xml /domain:contoso.com /DC:<DCNAME> /templatepath:e:\lab\gpobakups /includeusers
<EndCopyHere>
Move data to Lab
Warning: Do not import data in to the production environment. Verify when running the “Import” script or command that you are working in the lab environment.
- Copy the folder structure from the production environment to the lab environment
- ON THE LAB ENVIRONMENT: Use GPMC scripts to import the environment from the XML file to the lab. Using the /PasswordForUsers:Passw0rd1 means ALL users will have that password. It will not reset passwords if it has conflicts. You can do this by typing the command every time, or using a script.
Importing the data to the lab (manually on command line)
Cscript CreateEnvronmentFromXML /xml:e:\lab\prod.xml /domain:contoso-lab.com /dc:<DCNAME> /createusersenabled /PasswordForUsers:Passw0rd1
Importing the data to the lab (Using a script)
Create a cmd file named “ImportForLab.cmd” with the following commands
<StartCopyHere>
REM Change to the folder where GPMC scripts are stored
C:
“CD\Program files\Microsoft GPMC Scripts”
Cscript CreateEnvronmentFromXML /xml:e:\lab\prod.xml /domain:contoso-lab.com /dc:<DCNAME> /createusersenabled /PasswordForUsers:Passw0rd1
<EndCopyHere>
Basic lab build is complete and you are ready to use for testing and training as needed. So let's start with a basic FRS to DFSR migration
FRS to DFSR
The first test with your new lab if you choose to do so is to migrate SYSVOL replication from FRS to DFSR. Please review the link to build a more thorough process for testing and roll out to production. Below are basic requirements and a short list of steps that you will be doing to migrate SYSVOL replication. With all labs and test – do this in a lab not production.
Follow the above document and steps recommended. The steps below are the short list of commands you will use to migrate from FRS to DFSR. The steps below are simple and in a lab environment will happen quickly. However in a production environment with many DCs and more complex replication topology will take considerably longer to migrate.
- Build a 2003 forest with one or two domain controllers
- Use ADprep to prepare the forest for Windows 2008 or 2008 R2
- Upgrade the DCs to 2008 or add two new 2008 or 2008 R2 DCs
- Remove/demote the 2003 DCs if not upgraded
- Raise domain functional level to 2008 or 2008 R2
- Verify SYSVOL is replicating
- Verify DFSR is running on all DCs and AD is replicating
- Create a text file with all the domain controllers in the domain delimited with line feeds and name the text file “dclist.txt”. Then run the following commands and review the output. If you create a batch file for the commands below replace the single percentage signs with two percentage signs (%%a)
For /f %a in (dclist.txt) do sc \\%a query dfsr >>%a_health.txt
For /f %a in (dclist.txt) do Repadmin /replsummary %a >>%a_health.txt
For /f %a in (dclist.txt) do repadmin /showrepl %a >>%a_health.txt
Review each DC_health.txt for errors.
Migrate FRS with DFSRmig.exe
Dfsrmig /getmigrationstate (reports status of the migration – make sure all DCs have completed the current state before moving to the next state.
Dfsrmig /setglobalstate 1 (Sets to prepared state)
Dfsrmig /setglobalstate 2 (Sets to redirected state)
Dfsrmig /setglobalstate 3 (Sets to eliminated state)
<the End – dougga>
Comments
Anonymous
August 24, 2011
Doug, I've been waiting months for this....thanks for getting this out here!Anonymous
August 24, 2011
Excellent detailed tips! I also have a lab setup, and I write about my findings here: http://www.sysadminlab.net/Anonymous
August 30, 2011
Way to go! Great first post.Anonymous
August 31, 2011
great post!