Building the Lab

The high-level planning part of this is done so breathe a sigh of relief to that. This is where we simply need to lay on the elbow grease and run through the Windows installation for the 1237th time in our careers. If we were using identical hardware in the lab as we were in production we could use Symantec Ghost to try to simplify this task. Luckily we can do that for our desktop systems, but the server configurations are going to require a lot of work. Let's get started.

The first thing we should worry about is our network configuration. If we don't have a way to block off the lab from production then we can't effectively separate traffic between our production domain controllers and this new one we're creating for the lab. What we are going to do for the networking setup then, is to add another LAN segment to our production firewall. We already have enough NICs in it to do this so we just need to enable the interface and assign it another subnet. We are then going to connect that interface directly to our lab firewall's external interface. On our production firewall we'll create rules to block any traffic between the lab LAN segment and our production LAN or production DMZ segments. Only traffic between our lab and the Internet will be allowed. Our lab firewall rule set will closely resemble our production firewall rule set except that it won't have any evidence of a segment dedicated to a lab. A diagram of the proposed setup should help clarify things (see Figure 1).

Figure 1

So we begin by building the firewall. We're going to use the free version of Clarkconnect instead of the office version, but for our purposes they are the same. We have some special rules we need to copy over, and we need to set up the same services running on the system. This is basically just Squid and Dansguardian. Once we've got both firewalls setup and connected we can begin to get the domain built.

We need to have all of the same AD objects in the lab as in production. There are some tools you can use to export and import AD data including Ldifde and Csvde, but these would be more useful for moving objects between directories or domains. For instance, if we were moving from NetWare to Microsoft Windows Active Directory we could import all of our NDS objects into AD with those tools. We want to create an identical network though, and I think the best way to do this would be to bring up the box we are going to use as our PDC on the production network. We will then run dcpromo to promote it to a domain controller, make sure it synchronizes with the other domain controllers, create a global catalog on it, and then move it from production to the lab. The downside to this approach is that we will have phantom DCs in AD in both the production and lab environments, and we will need to use ntdsutil to remove them.

We start with a simple Windows 2000 Server install. Just make sure that we have the same Windows components installed here as we do on our production PDC. After Windows is installed we apply all Windows updates. Since this is our file server in addition to our PDC it would be wise to copy all our files over from the production file server to this machine. This is going to take a while, and if we do this trivial task first it leaves us to focus on the DC issues. So we will create the big partition for the file storage, and then run a simple command to copy the files.

1. On the production file server open a command prompt
2. Type xcopy "S:\" "\\labdc1\h$" /E /V /C /H /I /K /O /Y > "C:\logger.txt"

This command will copy all the files from the production file server to the lab file server without prompting, without stopping on errors, including hidden files, file attributes, and it will write the output of the command to the logger.txt file. You could drag and drop all your files, but I would only suggest that if you like banging your head against a wall. The drag and drop method will stop randomly on file copy errors, and since you won't know for sure what had already been copied you'll have to try to either piece things together with subsequent copy operations, or start over from scratch only to hit the same problem again. Use xcopy, it's easier and more powerful.

Now, we run dcpromo and promote this machine to a domain controller on our production network. As soon as AD is installed on this system it should synch up with our other DCs. We can check to make sure of this by using the Windows Support Tool repadmin.exe. To make our use of this powerful and complex tool as simple as possible we are going to simply try to match 2 numbers. We will run the command repadmin /showvector dc=domain,dc=com dc.domain.com and see what USN value is listed for the dc.domain.com server. dc is our primary domain controller in production. Then we will rerun the command, substituting the labdc name at the end: repadmin /showvector dc=domain,dc=com labdc.domain.com. Again, we will check what the USN for dc.domain.com is. If both numbers match then we know that our lab domain controller is aware of the latest AD changes that our main domain controller is aware of. Once AD is synched we should make our lab domain controller a global catalog server.

Next, shut the machine down and move it to the lab. Bring it back online, log on as the domain administrator, and open a command prompt. If you do not log in as the domain administrator you will need to use the set creds command with each of the processes below right after you enter the connections menu. Look up the Microsoft documentation on ntdsutil to find out how to use that command properly.

Remove the Remnants of the Production DCs

1. Type ntdsutil and hit Enter.
2. Type metadata cleanup and hit Enter.
3. Type connections and hit Enter. You are now in the connections mode.
4. Type connect to server labdc and hit Enter.
5. Type q and hit Enter to exit the connections screen. You are now back at the metadata cleanup menu.
6. Type select operation target and hit Enter.
7. Type list domains and hit Enter. You will see a (very short) list of domains in the forest with a number for each. Make a note of the number for your target domain.
8. Type select domain # and hit Enter. Replace # with the number of your target domain.
9. Type list sites and hit Enter. You will see a list of sites in the domain with a number for each. Make a note of the number for your target site.
10. Type select site # and hit Enter. Replace # with the number of your target site.
11. Type list servers in site and hit Enter. You will see a list of servers in the site with a number for each. Make a note of the number for your target server.
12. Type select server # and hit Enter. Replace # with the number of your target server- THIS IS THE SERVER YOU ARE DELETING SO BE CAREFUL!
13. Type quit and hit Enter to return to the metadata cleanup menu.
14. Type remove selected server and hit Enter. You will receive a pop-up asking if you really want to perform the operation.
15. To remove the next of your production domain controllers, type select operation target and hit Enter.
16. Type select server # and hit Enter. Replace # with the number of your next target server.
17. Type quit and hit Enter to return to the metadata cleanup menu.
18. Type remove selected server and hit Enter. You will receive a pop-up asking if you really want to perform the operation.
19. Type quit and hit Enter. You have exited the main ntdsutil menu.
20. Type quit and hit Enter to exit ntdsutil.

1. Type ntdsutil and hit Enter.
2. Type roles and hit Enter. You are now in the fsmo maintenance menu.
3. Type connections and hit Enter. You are now in the connections menu.
4. Type connect to server labdc and hit Enter.
5. Type q and hit Enter to exit the connections menu.
6. Type seize rid master and hit Enter. You will be shown a lot of pop-ups regarding this which you should answer yes to.
7. Type seize infrastructure master and hit Enter.
8. Type seize pdc and hit Enter.
9. Type seize domain naming master and hit Enter.
10. Type seize schema master and hit Enter.
11. Type quit and hit Enter. You have exited the main menu.
12. Type quit and hit Enter to exit ntdsutil.

Now we need to remove the lat remaining evidence of he phantom domain controllers from Active Directory. You will need to have the Windows 2000 Support Tools installed. Open ADSIEdit, and follow the steps listed below:

1. In the left pane, expand the Domain NC node.
2. Expand the DC=yourdomainname,DC=com,org,net,etc node.
3. Expand the OU=Domain Controllers node.
4. Expand the node for the domain controller you wish to delete. For us, this is CN=MAGIC in the picture below.
5. For any objects beneath that domain controller node: right-click them, and then select Delete (see Figure 2).
6. Once all the phantom domain controller's subobjects are deleted, right-click the domain controller node, and select Delete.