I will admit right up front that I am talking about something I don’t know a lot about… I just felt I should put SOME sort of warning out there though for anyone looking to play with this tool, just in case it keeps someone from finding out something bad after it has already done something really bad….
Basically I was digging around the Windows IT Pro site looking to see if I could find a full copy of the “article” where oldcmp was discussed. This was prior to several nice folks sending it to me when I asked… Anyway, I saw an AD for the UMOVE utility from UTOOLS.
Now let me start off by saying, UTOOLS makes a great little tool called UPROMOTE that I even mentioned in Active Directory 3rd Edition as a possible solution if you have an NT4 BDC that you just can’t get rid of. Endorsement of that tool doesn’t extend automatically to everything they make….
So now about UMOVE… The claim is that they can pick up AD on one DC and put it on another, make snapshots of AD, Recover AD, Clone AD, etc. These are all potentially very dangerous operations. If you have a single DC domain and forest, then you are probably fine doing this and in fact you don’t really even need any fancy tools to do it, just use virtualization software and have at it. However, if you have more than one DC in the forest, a single DC is no longer as important as the whole MESH of DCs together. Active Directory is what we call a distributed application and every instance needs to have some good info on pretty much every other instance, especially if they are replication partners. If you muck with an AD DC or an ADAM instance incorrectly, you will hurt yourself very badly.
Now looking over the site, they mention using NTBackup, which is a good start, but it doesn’t mean everything is being done properly. Since I don’t have time to fully investigate their application, and I don’t intend to use it so don’t need to make the time to investigate it, I thought I would at least poke around quickly to see if anything stuck out immediately as bad that might give me a level of fear…. I found some items that were described that weren’t technically accurate (such as the PDC is required for a password change to be successful, etc) such that I was a little uneasy.
Now this product could work perfectly. I am telling you straight out that I don’t know; however, it wouldn’t be the first product that works with AD that didn’t do things in quite the way that it probably should.
If you take anything from this post, know that I am telling you that if you buy it, don’t rush off and play in production with it or you may be testing your Disaster Recovery Plan (you do have one right?) a little sooner than expected (you do test it right?). If you do play with it and you do so in multi-DC environments, I would be curious as to what you think, please email me and let me know.
I would feel a whole lot better if they had a big stamp of approval from the DS and ESE Teams from Microsoft on the product where they say, we have looked at what they did and it is fine! I was quite hesitant about UPROMOTE initially as well, but that ended up being a pretty solid product and I have yet to hear of someone having an issue. However, NT4 BDCs were a lot simpler to deal with than the multimaster loosely consistent Active Directory Domain Controllers, and there are very few people who truly understand all of the interconnections and have a clue about the possible issues when incorrectly putting a DC back together.
Overall, have multiple DCs in a domain and have a good backup/recovery plan. Everything you need is included in the OS for that, you just have to have looked at it and planned for the problem. If there is a problem, I would WAY prefer to promote 10 new DCs than recover a single one from a backup. While there have been lots of successful recoveries from backup, there have been orders of magnitude more new DCPROMOs that were successful.
  joe
Hi Joe. I am the author of UMove for Active Directory and stumbled upon your post. I generally agree with your views regarding recovery, etc.
First let me explain that UMove is very careful not to touch your Active Directory in any way. All it does is run NTBACKUP for you, choosing a subset of files to back up. It never directly touches AD during backup and is guaranteed to be safe to run on your production box.
You are correct that cloning an entire AD forest takes some work. UMove tries to make it as easy as possible (see http://utools.com/help/TestForest.asp). In a large production shop cloning just the forest PDCs to a testbed of VMs can be very worthwhile, esp before implementing a major global change such as elevating the Forest Functional Level or changing the schema.
I wrote a white paper that covers these topics, http://utools.com/ADRecoveryPlanning.asp
You are also right that DC recovery is generally a pain. This is because of the hassle of tearing down the old DC, which requires you to fiddle with NTDSUTIL, ADSIEDIT, and DCPROMO to fix up the DNS SRV records and in the NTDS site objects. See http://utools.com/UMove_repl_faq.asp. The purpose of UMove is to make DC recovery as painless as possible by literally just clicking the Finish button.
As far as stamp of approval goes, many UMove users tell me they were referred from calling Microsoft Tech Support. I’m currently working on getting a “Designed for” logo, though at this point WHQL is transitioning to Vista Server so a logo for Windows Server 2003 is up in the air. (2000 logos expired long ago.)
Regards,
Alan Klietz (alank at algintech d-o-t com)