Transfer Active Directory to a test Domain

What is the best way to "copy" AD from a production environment?
What I have done is used LDIFDE to export users, groups and the OU structure from the production AD environment, and I then imported it to the test environment. This does not seem to be sufficient.

Is there a way to import ALL Active Directory data, including passwords, for a test environment? What is the best way to do this?

Chris Dent (PowerShell Developer) commented:

1) Install base operating system
2) Install basic AD components

Once done, this allows you access to Directory Services Restore Mode from the F8 menu at startup.

1) From the Windows Advanced Options Menu, select Directory Services Restore Mode
2) Select the Windows 2003 OS
3) Use the restore mode password and log on as the administrator
4) Click OK to the confirmation that Windows is running in Safe Mode
5) Start the Windows Backup application (like ntbackup)
6) Ensure the System State is selected
7) After the restore is complete, restart
Chris Dent (PowerShell Developer) commented:

Passwords are going to be very difficult for any scripted export type - they are stored using non-reversible encryption, only the hashed version of the password is stored on the KDC.

That said, this does not stop you restoring AD from a System State backup of your domain controller onto your test network. This method does mean your test network can't chat to your live environment - but all the AD data should be present.
RealBigTime (Author) commented:
Ok... Then what is the best way to restore from a System State backup to my test environment?

Netman66 commented:
This method will work, but it will take some time.

1)  Build your test server (install the OS and patch it, etc., etc.). It's best to build it on a single-drive server for now.
2)  Join the domain with it as a DC.
3)  Shut it down gracefully after leaving it up overnight and take it off the network.
4)  Do a disk clone to another hard drive or make an image file - use Ghost or Drive Image.
5)  Replace it on the production LAN again and DCPROMO it out of the AD gracefully.

You now have a disk clone or image of your exact AD. Of course, you could image the main server also, but it's more difficult if the server is a production box with hardware RAID.

When you bring up the clone on the test network, you can seize all the FSMO roles to it and keep it isolated from your main network - FOREVER...!  It must never again be allowed to attach to the same wire as your production network or you WILL have problems.

Hope this helps.
I agree with Netman66. I had to replicate Active Directory, so I just built a new server, installed Active Directory and added it to the domain. I then took it offline and it had all the data. Like he said, you would have to seize all the operation master roles, and you would not ever want the 2 servers to be in the same network again.

Here is a link to seize the roles
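The two answers above both end at the same lab-side step: once the cloned DC is running on the isolated network, seize the five operations master roles onto it and make sure it never talks to production again. The script below is an added example, not code from this thread or from any of the posters; it runs on the cloned DC itself and assumes Windows Server 2008 R2 or later with the ActiveDirectory module (the 2003-era equivalent is the `ntdsutil roles` menu). The production DC names are placeholders. It refuses to continue if any production DC still answers a ping, seizes the roles with `-Force` (a plain transfer would fail because the former holders are unreachable), verifies the result against `Get-ADDomain` and `Get-ADForest`, and optionally removes the stale DC entries so the copy stops queuing replication to hosts it can never reach. Keep in mind that this clone carries every production password hash, krbtgt included, so it deserves the same handling as a production DC backup.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not from the thread). Run on the cloned DC after it has booted
  inside the isolated test network. Assumes Windows Server 2008 R2 or later;
  the production DC names are placeholders.
#>
$LabDc                 = $env:COMPUTERNAME
$ProductionDcs         = @('PRODDC01.corp.example', 'PRODDC02.corp.example')   # assumed names
$RemoveStaleDcMetadata = $false   # set to $true only after the seizure has been verified

# 1. Isolation check: if any production DC answers, stop here. The clone must
#    never replicate with the live forest again.
foreach ($dc in $ProductionDcs) {
    if (Test-Connection -ComputerName $dc -Count 1 -Quiet -ErrorAction SilentlyContinue) {
        throw "Production DC '$dc' is reachable from this host; disconnect the lab network first."
    }
}

# 2. Record what the copied directory still believes about the forest.
$knownDcs = Get-ADDomainController -Filter *
$knownDcs | Select-Object Name, HostName, IPv4Address, OperationMasterRoles | Format-Table -AutoSize

# 3. Seize all five FSMO roles. -Force seizes instead of transferring, which is
#    required because the former role holders will never respond.
$roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $LabDc -OperationMasterRole $roles -Force -Confirm:$false

# 4. Verify that every role now points at the lab DC (domain roles come from
#    Get-ADDomain, forest roles from Get-ADForest).
$domain  = Get-ADDomain
$forest  = Get-ADForest
$labFqdn = (Get-ADDomainController -Identity $LabDc).HostName
$holders = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($role in $roles) {
    if ($holders[$role] -ne $labFqdn) {
        throw "$role is still held by $($holders[$role]); expected $labFqdn"
    }
}
Write-Host "All five operations master roles are held by $labFqdn"

# 5. Optional: remove the metadata of DCs that exist only in the copy, so the lab
#    stops trying to replicate with them. ntdsutil takes each command as one
#    quoted argument; ServerObjectDN is the server object under the site.
if ($RemoveStaleDcMetadata) {
    foreach ($dc in ($knownDcs | Where-Object { $_.Name -ne $LabDc })) {
        & ntdsutil.exe "metadata cleanup" "remove selected server $($dc.ServerObjectDN)" quit quit
    }
}
```

Run it in an elevated PowerShell session as a member of Enterprise Admins in the lab forest. Step 1 is a cheap guard, not proof of isolation: the real control is the physical or virtual network boundary, which is why the script stops at the first reachable production host rather than continuing. Leave `$RemoveStaleDcMetadata` at `$false` on the first pass, check the role output, and only then let it clean up the stale servers.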