I should have learned a lot from yesterday's struggle, but sadly this ain't the truth. The truth is: I got the thing working (almost, you'll see) but I still don't know the main cause of the problem. I have a gut feeling DNS has a rotten finger on this, but I still have to prove it.
To the layout, then.
- ADSL link
- 192.168.0.0/24 network
- 1 domain controller which also runs DNS
- 1 DHCP server
- Linux firewall (iptables)
- adsl link
- 192.168.10.0/24 network
- ISA server firewall which also runs DNS and DHCP
Both sites communicate using a PPTP VPN initiated by the ISA Server. I'll cover the details on a separate post. For now, suffice to say I can route packets between both networks.
Step 1: install windows 2003
Our new DC server hasn't arrived yet, but as I needed it on the new site badly I created a VMWare virtual machine with 512Mb RAM and 15Gb disk to host the DC temporarily.
Step 2: create active directory backup
This is a cool new feature on Windows 2003 domain controllers. Instead of doing the first AD replication using your slow WAN link, it allows you to create a backup and use it to perform the installation. Afterwards it'll only synchronize what changed between the backup creation and the DC creation.
Just open the windows backup tool on any existing domain controller and create a backup from the system state:
Save the backup file in your favorite media, hop on your station wagon and head to Site 2.
Step 3: extract the backup
Just restore the file you created to a specific location. Be careful not to restore to the original location - this would be a little set back. I just extracted the whole thing to C:\AD
Step 4: promote the new server
You have to use the "/adv" switch so dcpromo.exe will ask you wheter you want to synchronize active directory using the network or provide a file location.
Step 5: lean back and watch
On a fantasy world the wizard would just go on its business and deliver you a nice new DC. But on my world I kept getting those errors, no matter if I used the AD backup or copied everything again using the network.
Sometimes the wizard would say it couldn't read the files in C:\AD\Active Directory and, to my surprise, they really weren't there. I gave up after a few times restoring the backup and trying again.
What did it for me was: I created a dial-up VPN on the server I was trying to promote. From the error messages I could gather that there was some communication problem with the AD (I don't even wanna go into the disappearing files issue) and so I tried to bypass the ISA VPN using a dial up on the server itself.
I was still left with a few issues: the AD synchronization wasn't working and the new server entry in the MSDC DNS couldn't be created. I solved those with the help of the tools in the Windows 2003 CD, google and a bunch of KB articles.
Oh yeah. One last thing is worth mentioning. This domain was renamed around 6 months ago. Since then we've been seeing a lot of strange things. Keep alert for our next post: starting a domain from scratch because the domain renaming thingamabob dosn't work oh-so-well.