we want to take the active directory data from the current active directory domain and import it in our test environment

Posted on 2009-05-01
Last Modified: 2012-05-06
We have an Active Directory implementation organized into an OU hierarchy. For testing of some applications we want to just export all users, groups and the OU hierarchy and then import it into a new domain that will also be on the production network. This new domain will only be used for testing and will ultimately be removed after testing. So I need, if possible, a complete procedure for exporting the current users, groups and OU hierarchy, installing a new Active Directory domain and then importing it into the new domain without affecting the existing Active Directory infrastructure.

I have an idea of what needs to be done, which I will mention here; I need some docs to do it and also want to know if I am missing out on something.
1. Install a new Active Directory domain and install DNS also on the new domain controller.
2. Use csvde to export the current Active Directory to a file.
3. Modify the file to reflect the new domain name.
4. Import the modified csvde file.

I'd appreciate it if I could get hold of a document on doing it and anything more I need to do.

Question by:mgmohiuddin
    LVL 13

    Accepted Solution


    Actually you don't need to do anything more; you described this procedure very well.

    Now the only question is whether you want to "migrate" or "make a copy" of your existing domain structure. I mean, if you use the procedure you described, the newly imported objects will be identical to the originals only "visually"; they will not have anything in common with the original objects regarding security (different SIDs).

    So you can use csvde -f outputfile.csv -d "dc=mydomain,dc=com" -p subtree to export the objects, and then you can maybe delete some unnecessary columns in the CSV file (and of course change the domain name).
    But there might be a problem in that you can only import into existing OUs. I don't think CSVDE will take care of the correct order (first export the OU structure, then the users in it; then import the OU structure, then the users in it). So maybe it will be better to do it step by step: export top-level OUs, import them, etc.
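The two problems raised in this answer (the exported DNs still carry the production domain suffix, and csvde does not guarantee that parent OUs are created before their children) can be handled in one preprocessing pass over the CSV. The script below is an added example, not part of this answer or of csvde itself. It assumes a production suffix of DC=mydomain,DC=com and a test suffix of DC=testlab,DC=local (both placeholders), a constructed four-object export in csvde layout, and an assumed, non-exhaustive list of system-owned attributes to drop. It rewrites the DN and the DN-valued member attribute, drops objectSid and friends (the new domain will assign its own SIDs, as the answer notes), and orders rows so OUs come first by depth, then users, then groups whose member values reference those users.

```python
"""Prepare a csvde export for import into a differently named test domain.

Added example: rewrites the domain suffix, drops attributes the directory
owns, and orders objects so parents exist before children on import.
"""
import csv
import io
import re

OLD_SUFFIX = "DC=mydomain,DC=com"   # assumed production domain (placeholder)
NEW_SUFFIX = "DC=testlab,DC=local"  # assumed test domain (placeholder)

# Attributes the directory sets itself; csvde -i cannot write them, so drop them.
# Assumed, non-exhaustive list; extend it from what your own export contains.
READ_ONLY_ATTRS = {"objectGUID", "objectSid", "whenCreated", "whenChanged",
                   "uSNCreated", "uSNChanged", "memberOf"}

# Attributes whose values are DNs and therefore also need the suffix rewritten.
DN_VALUED_ATTRS = {"DN", "member", "managedBy"}

# Constructed sample export (not from the page), deliberately out of order:
# a user before its OU, and a group and top-level OU at the end.
SAMPLE_EXPORT = """DN,objectClass,cn,ou,sAMAccountName,member,objectGUID,objectSid,whenCreated
"CN=Smith\\, John,OU=Sales,OU=Corp,DC=mydomain,DC=com",top;person;organizationalPerson;user,"Smith, John",,jsmith,,guid-3,S-1-5-21-1,20090501000000.0Z
"OU=Sales,OU=Corp,DC=mydomain,DC=com",top;organizationalUnit,,Sales,,,guid-2,,20090501000000.0Z
"CN=Sales Staff,OU=Sales,OU=Corp,DC=mydomain,DC=com",top;group,Sales Staff,,salesstaff,"CN=Smith\\, John,OU=Sales,OU=Corp,DC=mydomain,DC=com",guid-4,S-1-5-21-2,20090501000000.0Z
"OU=Corp,DC=mydomain,DC=com",top;organizationalUnit,,Corp,,,guid-1,,20090501000000.0Z
"""


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas; 'CN=Smith\\, John' stays one RDN."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def rewrite_suffix(dn, old=OLD_SUFFIX, new=NEW_SUFFIX):
    """Replace the trailing domain components of one DN, case-insensitively."""
    return re.sub(re.escape(old) + r"$", new, dn, flags=re.IGNORECASE)


def rewrite_value(value, old=OLD_SUFFIX, new=NEW_SUFFIX):
    """Apply the suffix rewrite to every DN in a ';'-separated multi-valued field."""
    if not value:
        return value
    return ";".join(rewrite_suffix(v, old, new) for v in value.split(";"))


def import_phase(object_class):
    """Map the objectClass chain to an import phase: 0 = OU, 1 = leaf (user etc.), 2 = group."""
    classes = {c.lower() for c in object_class.split(";")}
    if "organizationalunit" in classes:
        return 0
    if "group" in classes:
        return 2
    return 1


def prepare_import(export_text, old=OLD_SUFFIX, new=NEW_SUFFIX):
    """Return the export rows cleaned, re-suffixed and sorted into a safe import order."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        cleaned = {k: v for k, v in row.items() if k not in READ_ONLY_ATTRS}
        for attr in DN_VALUED_ATTRS:
            if attr in cleaned:
                cleaned[attr] = rewrite_value(cleaned[attr], old, new)
        rows.append(cleaned)
    # Phase first, then DN depth, so every parent OU precedes its children and
    # every user exists before the group that lists it as a member.
    rows.sort(key=lambda r: (import_phase(r["objectClass"]), len(split_dn(r["DN"]))))
    return rows


def to_csv(rows):
    """Serialise the prepared rows back into csvde's CSV layout."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(prepare_import(SAMPLE_EXPORT)))
```

The output file is what you would then feed to csvde -i -f prepared.csv (with -k to continue past individual object errors) in the isolated test domain; because the SIDs are dropped rather than carried over, nothing in the result is security-equivalent to the production objects, which is exactly the point this answer makes.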
    LVL 16

    Assisted Solution

    You could either:
    1. Back up the current DC, then restore it to another box. Keep the two on different networks. For development and testing purposes it would possibly be best to virtualise it. Some virtualisation software includes tools to move the HDD contents into a virtual image.

    2. Add a new machine to the network as a DC and GC. Disconnect it, then on the old network run a metadata cleanup to get rid of any traces, and seize all roles on the new one.

    Author Comment

    Thanks for your reply. I was just going through some docs and I want the users to be organized exactly as they are in the original domain. There are too many OUs and multiple levels. So according to what you suggested I should export the OUs first, import them, then import users. I would really appreciate it if you could help me with a doc or command so that I could test it. I know computers cannot be migrated. Creating a trust is not an option for using ADMT. We don't want to touch the production domain; all we could do is run csvde or ldifde to export info. So I should export OUs first, then import OUs; export users, import users; export groups, import groups. Some help needed, to be sure. I will do it in my VMs first and then try. So do I have to export AD once and import it in parts, or export multiple times and import them accordingly?
    LVL 13

    Expert Comment

    Actually the comments from the other guys here are very sensible. I'd say this is the easiest way to achieve your goal.

    Just install a VM, give it access to the network, promote that machine to a DC and then wait for AD to be completely replicated to your VM. Also make sure you install a DNS server on this VM and in the TCP/IP properties set the DNS server IP address to point to one of your real DNS servers.
    Make sure the VM is a Global Catalog (AD Sites and Services console, sites / site name / servers / server name / open properties of the NTDS Settings object).

    Then cut off the connection (just to isolate it from your real production network), change the DNS server IP address to point to itself and seize all roles to this VM.
    Here's the procedure for seizure:

    After this you should have an exact copy of your real AD domain. Just to get rid of some possible errors you could remove the real DC object from your virtual domain by using ntdsutil, see here:

    I just want to emphasize that everything after enabling Global Catalog is supposed to be done in the virtual environment, thus isolated from the production network, with no possibility of doing any harm.
    Maybe one exception:
    In your real network you can also delete the DC object (the one which has been moved to the virtual network) using the procedure described by the second link (ntdsutil metadata cleanup).

    Is this ok for you? It's much less work to do than playing with exports/imports.


    Author Comment

    Well, I don't want a new DC account to be added and then deleted from the domain. I have to go through a lot of approvals before I could modify AD. It's a big environment and I can't modify anything, and I am sure I won't get this approved.
    LVL 13

    Expert Comment

    I understand. But in this scenario you can use the procedure described above: just make a backup of some DC and restore it to your virtual machine; absolutely no modification of anything in AD.
    What do you think about it?

    Author Comment

    Two domains with the same NetBIOS name on the same network are going to have name conflicts, right? One production domain and then a test domain with exactly the same domain name is definitely an issue. We need to have a different domain name, as the test domain will also be on the same network for a while.
