Development Domain

  • Thread starter: Doug Walker

Doug Walker

I am trying to set up a development domain that is
identical to our production domain. Is there a graceful
way to do this? I'm not particularly keen on the idea of
orphaning a DC ...

Doug
 
Two choices:
1) win2k domain in mixed mode, and you can install an nt4 bdc into it.
2) win2k domain in native mode or you cannot install an nt4 bdc for
whatever reason.

#1) Install a bdc into the domain, wait until replication is completed and
it shows all your users etc like you want. Then take it off line to your
lab, promote it to pdc, and then upgrade it to win2k using the same dns name
as you did in the "original" domain. (it must sense network connectivity to
promote, so plug into a dead end hub or something, just being sure that it
isn't able to actually talk with the "real" network). At that point you
should have a domain with all users/groups etc that you have in your
production domain. I haven't tried it, but since domain name etc are the
same you might be able to drop the gpo folders in your
sysvol/domain/policies into the one on this box to get the same policy
settings too (31B = domain, 6AC = domain controller, etc)
Here as below, do NOT allow this dc to communicate with the "real" network
though.

#2) You can either take a win2k server and do a "simulated" disaster
recovery on it using a full restore
with system state from an existing dc (whitepapers are available on our
website on how to do this) or you can either take an existing dc from the
domain or add/promote a new one up and then take it to your lab for testing.
Whatever dc was "removed" though would probably need to be deleted from the
existing AD though, especially if it would be "off line" for more than 60
days which would tombstone its AD info, and you would NOT want to bring it
back into the network after that point. If not deleted (ie, this lab deal
will not be that long and you want to keep it "active") then be prepared to
see replication errors on the other dc's, as they will still want to try and
replicate with it (they don't know that it's gone).
To remove the metadata from AD on the machine you remove, use the article
below, 216498.
You would also need to be sure that all fsmo roles were on other dc's before
it was deleted, and then once it was moved to your lab, you would need to
"seize" all 5 roles back to it, 255504. You would also need to install and
configure dns on it. At this point you have two dc's both thinking that
they are your domain.
When you were finished, and if you wanted that machine back in the network,
it could then be demoted as "last dc in the domain", rejoined to the
original domain again, and promoted back up if so desired.
NOTE: If all of this is done, there must NOT be any communication between
the machine that is in your lab to the rest of AD. If there is, you'll
start seeing all sorts of errors in the event logs.

255504 Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain
Controller
http://support.microsoft.com/?id=255504

216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain
http://support.microsoft.com/?id=216498


--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
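
A pre-removal check for the FSMO step in the reply above, as an added example that is not part of the original posts: it parses text printed by `netdom query fsmo` and reports any of the five roles still held by the DC about to be moved to the lab. The sample output, host names and function names are constructed for illustration, and the role label spellings are an assumption about what your netdom version prints.

```python
import re

# Role labels as netdom is assumed to print them (older and newer wording).
ROLE_LABELS = {
    "schema owner": "schema", "schema master": "schema",
    "domain role owner": "domain naming", "domain naming master": "domain naming",
    "pdc role": "pdc", "pdc": "pdc",
    "rid pool manager": "rid",
    "infrastructure owner": "infrastructure", "infrastructure master": "infrastructure",
}
ALL_ROLES = {"schema", "domain naming", "pdc", "rid", "infrastructure"}

# Constructed sample output; "labdc" is the DC destined for the isolated lab.
SAMPLE = """\
Schema owner                dc01.corp.example

Domain role owner           dc01.corp.example

PDC role                    dc02.corp.example

RID pool manager            dc02.corp.example

Infrastructure owner        labdc.corp.example

The command completed successfully.
"""

def parse_fsmo(output):
    """Map each FSMO role to the lower-cased host name of its holder."""
    holders = {}
    for line in output.splitlines():
        # Label and holder are separated by a run of two or more spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() in ROLE_LABELS:
            holders[ROLE_LABELS[parts[0].lower()]] = parts[1].strip().lower()
    return holders

def removal_blockers(output, dc_name):
    """Return (roles still held by dc_name, roles missing from the output)."""
    holders = parse_fsmo(output)
    dc = dc_name.lower()
    # Accept either the short name or the full DNS name of the DC.
    held = sorted(r for r, h in holders.items() if h == dc or h.split(".")[0] == dc)
    missing = sorted(ALL_ROLES - holders.keys())
    return held, missing

if __name__ == "__main__":
    held, missing = removal_blockers(SAMPLE, "labdc")
    print("transfer before removal:", held, "| not reported:", missing)
```

An empty pair of lists means every role was reported and none sits on the DC being removed; a non-empty "not reported" list means the output was incomplete and the check should be rerun.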
 