Clone active directory to a test domain

fertigj used Ask the Experts™

I am looking for advice on the best way to stand up a development instance of our ad 2008 r2 domain.    

We are currently running a Windows 2008 R2 domain {w2k3 functional}.    I would like to setup a copy of this for development/testing reasons.   Setting up another domain isn't really an issue, but keeping the information current between domains and keeping them separate is where I am looking for advice.    

I would like to have the same user & group information on both prod & dev.   I would also like to automate the process so there is an update run at least once a day to reflect adds/deletes of users/etc.        I do want to keep the domains separate {as far as trusts} to avoid any issues.    Both domains will however be on the same network.

I can write a number of scripts to do this, but being a lazy  *eerrr* efficient admin...I just wondered if there is a better way.  Thoughts?

Awarded 2009
Top Expert 2010
Easiest way is to join the new server to your live domain.

Make it a domain controller then disconnect it.

On the live domain then run a METADATA cleanup as per:

Then bring your new DC up on its own subnet/network and seize the 5 FSMO roles


I would normally go this route if I could keep them on separate networks, but the prod/dev boxes need to stay on the same production network in this case.

Awarded 2009
Top Expert 2010

If they're on the same network you won't be able to clone them anyway; you won't be able to have 2 domains with the same name on the same network, and any import tools will not work.

Technology and Business Process Advisor
Most Valuable Expert 2013
I know of no way to have replicating domains (even one-way replication) and keep them separate, domain-wise.  The test and dev networks should be completely separate, else you face potential disaster.

I would suggest your best option is to do as demazter says, only use Virtual Machines.  You can script a shutdown every night and copy the Virtual Hard drive to your system and have an up-to-date copy of the AD.  But it must remain (virtually) in its own network.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

To be clear, make a virtual DC in your existing network, script it to shutdown (and later restart) nightly and then have a script to copy the VHD over to a new location.
I agree with Leew... Use VMware's ESXi free server and get their free clone software so that you take an image of each one of the machines you need and load it into a stand-alone virtual environment.
I would recommend considering your environment first.

How do you want to create your test domain? I might recommend virtualizing it.
You could do this on the existing server by installing Hyper-V, but be aware it "fundamentally alters" the system when doing so.
Another option is to run Server 2008 in virtual PC 2007.
See this link

Once you have the new server installed and updated you probably want to add it to a new subnet and or a VLAN.
This can get complex - so for testing purposes, I would leave it on the same subnet.
Unless security is a big concern, that should be fine.

I would create a completely new forest on this new install and prepare your domain.
Once done, I would use a one-way trust from your primary forest to your test forest.
Nice article here -

If that's not what you're looking for, you might want to actually migrate your domain to the new domain using the ADMT (Active Directory Migration Tool).

If you go this route, I highly suggest you have a system state image and full backup made first.

How to backup server 2008 system state -

I highly recommend using this trial software as well -

One final thought, a read only domain controller MIGHT be able to do what you need, but that's a big might.

Please ask any specific concerns I can help with.


Unfortunately...   these must stay on the same production network.       If not...I would follow exactly this process and throw the entire lab on to one of our esx clusters.

One point I should have specified...  they can be two separate domain names.   {CurrentDomain   & Currentdomain-dev}    The ip addresses/dns names/etc can all be different.   Just need to have the same information across the two domains.    I considered a one way trust between them...but I am honestly very nervous about doing that for a dev domain.

The only working solution I have at the moment is to write a process that will connect {via ldaps} to the production domain from the dev domain and enumerate/compare/update the dev domain with the needed changes.
Awarded 2009
Top Expert 2010

Then follow my steps (do it virtually if you wish) then perform a domain rename.


I am familiar with bringing a dc into the production domain and then removing it {including the cleanup process}    However, I am not familiar with the domain rename.   Can you elaborate on this a bit?    

My other question would be.... even if I went the route of using a one way trust.   This would not copy the would just allow for the users of domain-prod to access resources domain-dev.      I need to have a complete copy to test account management procedures, and a variety of other tasks.   I really do not want to take any chances on the production domain.   Thoughts?


I ended up setting up a fresh domain, and then used ldifde to export/import the needed structures.


The answers were correct...they just did not suit my needs in this instance.    Good answers, just not quite what I need at this point.
Thanks for posting your resolution and working method.  It's of great use for us to know how and what you did to resolve your problem.

I'm actually taking the time to read that article.


Ok...  now you made me feel guilty for being lazy about the reply back :)

Set up a clean domain for dev.

1.  Export the OU structure from the production domain with the following command (run on the ProdDomain controller):
     ldifde -f exportOu.ldf -s ProdDomainController -d "dc=ProdDomain,dc=local" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou"

2.  Open exportOu.ldf with a text editor and replace the DN reference "dc=ProdDomain,dc=local" with "dc=DevDomain,dc=local".

3.  Import the OU structure into the dev domain with the following command (run on the DevDomain controller; -s takes the server name, so it must not be left empty):
      ldifde -i -f exportOu.ldf -s DevDomainController -j c:\log -v -z

4.  Export users from the production domain with the following command. *Note* You may need to play with some attributes as they do not export/import well. (Run on the ProdDomain controller; -m omits system attributes that cannot be imported.)
      ldifde -m -f exportUser.ldf -s ProdDomainController -d "dc=ProdDomain,dc=local" -p subtree -r "(&(objectCategory=person)(objectClass=user)(cn=*))" -l "cn,givenName,userPrincipalName,objectclass,samAccountName,comment,company,department,description,displayName,employeeID,employeeNumber,homeDirectory,homeDrive,info,initials,mail,middleName,name,scriptPath,sn,title"

5.  Replace the DN reference "dc=ProdDomain,dc=local" with "dc=DevDomain,dc=local".

6.  Import the users into the DevDomain domain with the following command (run on the DevDomain controller):
      ldifde -i -f exportUser.ldf -s DevDomainController -j c:\log -v -z

7.  Export the group structure from the production domain with the following command (run on the ProdDomain controller; -t 3268 queries the global catalog port):
     ldifde -f groupExport.ldf -s ProdDomainController -t 3268 -d "dc=ProdDomain,dc=local" -p subtree -r "(&(objectCategory=group)(objectClass=group))" -l "cn,sAMAccountName,groupType,objectClass,member"

8.  Replace the DN reference "dc=ProdDomain,dc=local" with "dc=DevDomain,dc=local" (the member values are DNs too, so they get rewritten by the same replace).

9.  Import the group structure from prod with the following command (run on the DevDomain controller):
     ldifde -i -f groupExport.ldf -s DevDomainController -j c:\log -v -z

10. This process will create the users on the dev domain.    The only gotcha is, each user account will not have a password and will be disabled.   I just wrote a small script to set each user with a random password and enable the account.
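The search-and-replace in steps 2, 5 and 8, done as a script rather than in a text editor. This is an added example, not the poster's script: it handles two things a plain editor replace misses in ldifde output, values ldifde base64-encodes (written as "attr::", e.g. for OU or member names with non-ASCII characters, assumed UTF-8 as in RFC 2849) and long lines it folds onto a continuation line starting with a space, and it matches case-insensitively because ldifde writes "DC=" while the suffix is usually typed as "dc=". The sample LDIF is constructed inline in the shape of the OU and group exports above; server and domain names are the thread's placeholders.

```python
import base64
import re

# attribute line: "name: value" or "name:: base64value"
_ATTR = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?) ?(.*)$")


def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


def _unfold(text):
    """Join LDIF continuation lines so a DN split across two lines is matched whole."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def rewrite_ldif(text, old_suffix, new_suffix):
    """Return (rewritten LDIF, number of suffix replacements made)."""
    pattern = re.compile(re.escape(old_suffix), re.IGNORECASE)
    out, count = [], 0
    for line in _unfold(text):
        m = _ATTR.match(line)
        if not m:                      # blank entry separator or "#" comment
            out.append(line)
            continue
        attr, sep, value = m.groups()
        if sep == "::":                # base64 value: decode, replace, re-encode
            plain, k = pattern.subn(new_suffix, base64.b64decode(value).decode("utf-8"))
            value = _b64(plain)
        else:
            value, k = pattern.subn(new_suffix, value)
        count += k
        out.append(f"{attr}{sep} {value}")
    return "\n".join(out) + "\n", count


def suffix_present(text, suffix):
    """Check a rewritten file: True if the old suffix survives anywhere (base64 included)."""
    return rewrite_ldif(text, suffix, suffix)[1] > 0


# Constructed sample resembling the exportOu.ldf / groupExport.ldf output above.
SAMPLE_LDIF = "\n".join([
    "dn: OU=Sales,DC=ProdDomain,DC=local", "changetype: add",
    "objectClass: organizationalUnit", "ou: Sales", "",
    "dn:: " + _b64("OU=Zürich,DC=ProdDomain,DC=local"),   # non-ASCII name: base64
    "changetype: add", "objectClass: organizationalUnit", "ou:: " + _b64("Zürich"), "",
    "dn: CN=Sales Admins,OU=Sales,DC=ProdDomain,DC=local", "changetype: add",
    "objectClass: group", "groupType: -2147483646",
    "member: CN=Alice Example,OU=Sales,", " DC=ProdDomain,DC=local",   # folded line
    "member:: " + _b64("CN=Bob Example,OU=Zürich,DC=ProdDomain,DC=local"),
]) + "\n"
```

Run rewrite_ldif on the exported file with the prod and dev suffixes, then suffix_present on the result before importing; a non-zero leftover means an entry would still point at the production domain.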
