Solved

Copy an entire Active Directory Domain to a dev environment

Posted on 2016-09-28
4
236 Views
Last Modified: 2016-11-14
We want to bring the OU structure of course, as well as groups and users... changing the domain.com to domain.fake along the way.

What's the best approach?
0
Comment
Question by:Dallas Smetter
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 6

Accepted Solution

by:
sAMAccountName earned 500 total points
ID: 41820555
In the past, I have added a new domain controller to my domain, then completely isolated it with decent results.  I this was a "hacky" way of recreating my prod domain and accepted there might be odd behavior, but for my purposes it worked well.

Be aware, you now have an exact duplicate of all your identities and securityprincipals and they need to be secured - DONT just keep this test domain on a VM in the dev box under your desk - secure it!

Dont forget:
In the source domain:
1. Do a metadata cleanup in the source domain and remove the domain controller you isolated when you are done

On the dev domain:
1. You need to do metadata cleanup on all domain controllers that were in the source domain (dont forget DNS records)
2. You need to run rendom to rename it while its on an isolated network. (For the record, I kept mine isolated and didnt rename it)
3. You have to seize all FSMO roles on the domain controller in the test domain.
4. All security principals subject to expiry will continue aging and will eventually expire unless you devise a mechanism to refresh things
5. Go through and adjust sites and subnets to suit the new environment
6. Clean up any certificates you may have stored.

Aside from that, you may be able to use ADMT to accomplish the same thing.  If neither of these is suitable, you can export everything using ldifde and import it into a new pristine domain.  Ive never tried either of these mechanisms though
1
 
LVL 16

Expert Comment

by:Ivan
ID: 41820577
Hi,

I think all of this can be achieved with full backup of DC, specially if it is VM, and then restore on new machine, or restore VM.

Put this on separate LAN, and there you go.

Regards,
Ivan.
1
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 41839799
I think the most simple way for that might be using LDIFDE command to export OUs, users and groups structure and restore them within development environment.

This is the most clean scenario you can follow and do this very quickly.
Just take a look at the article on my blog, describing how to do that for OU
http://kpytko.pl/active-directory-domain-services/how-to-migrate-ou-structure-from-one-domain-to-another/

add -z switch into LDIFDE syntax during import to avoid stop action on import errors i.e. if something already exists.

The same way might be used for users and groups, you need to only modify export filter to

users:
ldifde -f c:\users.ldf -r “(&(objectClass=user)(objectCategory=person))” -l objectClass,description,sAMAccountName,givenName,sn

Open in new window


and other attributes you might need.

groups:
ldifde -f c:\groups.ldf -r “(objectClass=group)” -l objectClass,description,name

Open in new window


and other attributes you might need.

More about attributes and ldap names you can find on a SelfADSI blog at http://selfadsi.org/

If you need more support, do not hesitate to ask.

Regards,
Krzysztof
1
 
LVL 8

Expert Comment

by:Senior IT System Engineer
ID: 41887264
Yes, I agree, Ivan and Sam method works well in my case here.
Thanks for posting the good Q&A.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question