P2V Domain Controller?

Much has been said about performing a P2V of a domain controller. My suggestion has always been to build a new VM, promote it to a domain controller and then go through a demotion process of the physical DC. In my opinion this is the safest option and easy to do.

The reason a P2V of a domain controller is not recommended is what happens after the P2V is complete. When the virtualized DC comes online alongside a copy of the same directory, a USN rollback occurs and breaks AD replication. That leads to hours of troubleshooting with various support tools, among many other things. Do whatever you can to avoid that mess and headache.

However, there is a process to properly P2V a domain controller and avoid these issues. The process relies on the DSRM (Directory Services Restore Mode) boot option, which keeps the directory service from starting on either copy while the conversion is in progress. Here is a step by step process...

  1. If any other transactional services are running on the domain controller, stop and disable these services. You do not want any transactions taking place on the DC while the P2V is taking place. TIP: Always document which services you disable or simply take a before and after screenshot!
  2. Boot the physical domain controller in Directory Services Restore Mode (DSRM).
  3. Clone the physical domain controller with VMware Converter.
  4. After the conversion is complete, disable the network connections on the physical domain controller (through the physical console, iLO, or another out-of-band console). Never allow the physical DC to connect to the network again! After the connections are disabled, shut the server down.
  5. Start the virtual DC in Directory Services Restore Mode (DSRM). This prevents the directory service from starting and gives you time to clean up the system (typical post-P2V tasks).
  6. Remove any unnecessary software, such as hardware monitoring agents (e.g. HP Insight Agents) and unnecessary hardware drivers. If you're not familiar with this process in Device Manager, email me and I'll provide you with the process (jkozej@anexinet.com). It's best practice and you should never skip this step.
  7. Configure the original IP address(es) on the virtual domain controller.
  8. Re-enable any transactional services you disabled in Step 1. Do not start the services; simply set them back to their Automatic startup configuration and let the system bring them up normally during the next step.
  9. Boot the virtualized domain controller in normal mode and start your validation tasks on the domain controller (review the Event Logs, check for NTDS replication errors, run DCDiag, etc.).

Any questions, please feel free to contact me!
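The following PowerShell helpers are an added example for the procedure above; they are not part of the original post and not a tool from VMware or Microsoft. They cover the parts of the process that are typed at the console of the DC: Step 1 (record and disable transactional services), Steps 2 and 5 (flag the next boot for DSRM), Step 8 (restore the recorded startup types without starting anything) and Step 9 (validation). The service names in `$TransactionalServices` and the path in `$StateFile` are hypothetical placeholders; everything else uses standard Windows commands (`bcdedit`, `repadmin`, `dcdiag`) and cmdlets.

```powershell
# Added example (not from the original post). Run elevated on the DC.
# $TransactionalServices and $StateFile are hypothetical placeholders.
#Requires -RunAsAdministrator

$TransactionalServices = @('MSSQLSERVER', 'W3SVC')   # hypothetical examples
$StateFile             = 'C:\P2V\services-before.csv'

# Step 1: save the "before" startup configuration to a file, then stop and
# disable the services so nothing writes transactions during the conversion.
function Save-AndDisableServices {
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    Get-Service -Name $TransactionalServices -ErrorAction SilentlyContinue |
        ForEach-Object {
            $svc = Get-CimInstance Win32_Service -Filter "Name='$($_.Name)'"
            [pscustomobject]@{ Name = $_.Name; StartMode = $svc.StartMode; Status = $_.Status }
        } | Export-Csv -Path $StateFile -NoTypeInformation
    foreach ($name in $TransactionalServices) {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $name -StartupType Disabled
    }
}

# Steps 2 and 5: make the next boot come up in DSRM ("safeboot dsrepair"),
# which keeps NTDS from starting. Clear-DsrmBoot removes the flag before the
# normal boot in Step 9; forgetting it leaves the DC booting into DSRM forever.
function Set-DsrmBoot   { bcdedit /set '{default}' safeboot dsrepair }
function Clear-DsrmBoot { bcdedit /deletevalue '{default}' safeboot }

# Step 8: put the startup types back exactly as recorded in Step 1, without
# starting the services. Win32_Service reports 'Auto'/'Manual'/'Disabled'.
function Restore-ServiceStartup {
    Import-Csv $StateFile | ForEach-Object {
        $type = switch ($_.StartMode) {
            'Auto'   { 'Automatic' }
            'Manual' { 'Manual' }
            default  { 'Disabled' }
        }
        Set-Service -Name $_.Name -StartupType $type
    }
}

# Step 9: validation after the normal boot. Event ID 2095 in the Directory
# Service log is the USN rollback detection event; when it is present NTDS has
# already paused inbound/outbound replication and sets the registry value
# "DSA not writable" under the NTDS Parameters key. Either finding means the
# P2V must be treated as failed, not repaired in place.
function Test-DomainControllerHealth {
    $rollback = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                             -ErrorAction SilentlyContinue
    if ($rollback) { Write-Warning "USN rollback detected (Event 2095): $($rollback.Count) event(s)" }

    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                             -ErrorAction SilentlyContinue
    if ($ntds.'DSA not writable') { Write-Warning "NTDS 'DSA not writable' = $($ntds.'DSA not writable')" }

    repadmin /showrepl                                   # inbound replication status per partner
    dcdiag  /test:replications /test:advertising         # replication and DC advertising checks

    # Errors and criticals from the last 24 hours in the Directory Service log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2
                                     StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
}

# Typical sequence on the physical DC:  Save-AndDisableServices; Set-DsrmBoot; Restart-Computer
# On the virtual DC (while still in DSRM): Restore-ServiceStartup; Clear-DsrmBoot; Restart-Computer
# After the normal boot:                  Test-DomainControllerHealth
```

Keep the CSV from Step 1 with the rest of the change record; it is the "before" screenshot the tip in Step 1 asks for, in a form the Step 8 function can replay without guessing. `Set-DsrmBoot` is run before the reboot in Step 2 and again on the converted VM only if Converter did not preserve the boot flag; check `bcdedit /enum` before each restart so you know which mode the next boot will use.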