Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Re: Cloning AD groups (incl. SID's) between production/test enviro [message #155326] Wed, 27 May 2009 08:20
pbbergs (United States), Senior Member, Messages: 1024, Registered: July 2009
I don't know how you would be able to do that, unless you did a full AD
restore from prod to test.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

"Alwin" <Alwin@discussions.microsoft.com> wrote in message
news:E6B076EB-285C-481B-890B-ADD960F06970@microsoft.com...
> Hello Paul,
>
> Thank you for answering my question.
> As I can see, I have a problem :)
> I just wanted this specific OU "Applicaties" to be cloned every month from
> production to test. Not the rest of the Active Directory.
> I also tried the ADRM with specific "ntdsutil, auth restore, restore
> subtree, etc." Without any success.
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> If you create new objects with the same names once you have cloned
>> your environment, you will not get the same SIDs. The only way you could
>> get the same SIDs is if you were to restore the production ntds.dit into the
>> test environment. Since each DC will have a new set of RIDs and the order
>> in which objects are created is going to be different, you will never get
>> them to be the same, unless, like I said, you did a restore. This can be
>> disastrous if you allow production and test to ever speak to one another.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Alwin" <Alwin@discussions.microsoft.com> wrote in message
>> news:7733313C-1321-47E6-B080-D9F38ACACF38@microsoft.com...
>> > Hi,
>> >
>> > I have set up a test environment, which is a clone of the production
>> > domain controller. I want to synchronize a specific OU with Security
>> > Groups via the ldifde tool.
>> > I also need the SIDs of the security groups, because there is a member
>> > server in the test domain with an NTFS share. This is also a clone of
>> > production.
>> >
>> > I use the following command line from the production domain controller
>> > for the export:
>> >
>> > ldifde -m -f c:\file.ldf -s dc-prod-01 -d
>> > "ou=Applicaties,ou=Groepen,dc=mydomain,dc=nl" -p subtree -r
>> > "(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=nl)"
>> >
>> > At the test domain controller I remove all the entries in the same OU
>> > with the command line:
>> >
>> > dsrm -subtree -exclude -noprompt -c
>> > "ou=Applicaties,ou=Groepen,dc=mydomain,dc=nl"
>> >
>> > And finally I use the following command from the command line at the test
>> > domain controller:
>> >
>> > ldifde -i -f c:\file.ldf -k -y
>> >
>> > The result is that I have a filled-up OU with all groups and all
>> > members within those groups etc., exactly as it was in production. So it
>> > seems okay.
>> > Unfortunately, when I go to the member server in the test domain, all
>> > SIDs are not resolvable in the NTFS permissions. When I use the tool
>> > 'getsid' and compare a group from test and production, I notice that the
>> > SIDs are not the same anymore.
>> > The SIDs in the test domain are higher (and newer). That explains the
>> > unresolvable SIDs at NTFS.
>> >
>> > My question: how can I clone the groups (including the memberships)
>> > including the SIDs, so that in the test domain the same SIDs are
>> > created...
>> >
>> > sincerely, Alwin
>>
>>
>>
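A check for the SID mismatch described in the quoted question, as an added example that is not from the thread: it parses two ldifde exports of the same OU, decodes the binary objectSid values, and reports every group whose SID is not identical on both sides. It assumes both exports were taken without -m (that switch strips objectSid; objectSid is system-owned, so an import can never reproduce it), and the domain SID, OU and RIDs below are constructed sample values.

```python
import base64
import re
import struct

# Constructed sample values (not from the thread); the cloned test DC shares the
# production domain SID, only the per-object RIDs differ.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OU_DN = "OU=Applicaties,OU=Groepen,DC=mydomain,DC=nl"   # the OU named in the thread

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary layout AD stores in objectSid."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    raw = struct.pack("<BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
    return raw + b"".join(struct.pack("<I", s) for s in subs)  # sub-authorities, little-endian

def bytes_to_sid(raw):
    """Decode a binary objectSid back into its S-1-... string form."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, int.from_bytes(raw[2:8], "big"),
                           "-".join(str(s) for s in subs))

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def parse_ldif(text):
    """Return {sAMAccountName: SID string} for every entry in an ldifde export."""
    groups, entry = {}, {}
    # Unfold LDIF continuation lines (leading space); a blank line ends an entry.
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line:
            if "sAMAccountName" in entry and "objectSid" in entry:
                groups[entry["sAMAccountName"]] = bytes_to_sid(entry["objectSid"])
            entry = {}
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: <base64>' carries a binary value
            entry[key] = base64.b64decode(value[1:].strip())
        else:
            entry[key] = value.strip()
    return groups

def compare_exports(prod_ldif, test_ldif):
    """Map each production group to (prod SID, test SID) where the two are not identical."""
    prod, test = parse_ldif(prod_ldif), parse_ldif(test_ldif)
    return {name: (sid, test.get(name)) for name, sid in prod.items()
            if test.get(name) != sid}

def make_entry(name, rid):
    """Build one constructed ldifde-style group entry carrying a base64 objectSid."""
    sid_b64 = base64.b64encode(sid_to_bytes("%s-%d" % (DOMAIN_SID, rid))).decode()
    return ("dn: CN=%s,%s\nchangetype: add\nobjectClass: group\n"
            "sAMAccountName: %s\nobjectSid:: %s\n" % (name, OU_DN, name, sid_b64))

# Constructed exports: same names and DNs on both sides, but the test-side groups
# were re-created by 'ldifde -i', so the RID master allocated fresh, higher RIDs.
PROD_LDIF = "\n".join([make_entry("App-Finance", 1105), make_entry("App-HR", 1106)])
TEST_LDIF = "\n".join([make_entry("App-Finance", 2301), make_entry("App-HR", 2302)])
```

Every mismatch the comparison reports is a group that an NTFS ACL on the cloned member server will show as an unresolvable SID, because the ACL still carries the production RID.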
Re: Cloning AD groups (incl. SID's) between production/test enviro [message #155376 is a reply to message #155326] Thu, 28 May 2009 10:44
Alwin, Junior Member, Messages: 2, Registered: May 2009
Hello Paul,

The workaround I am thinking of (without rebuilding the
test environment) is adding an extra domain/forest with a completely different
name, then using ADMT to migrate specifically that Application OU to the new
domain including SIDHistory.
After a successful migration, then again using ADMT from the new domain to the
cloned domain in the test environment.

The only thing that would be nice is if there was a hack to import/add a
SIDHistory attribute from file into the test domain without having a
connection to the production source domain....:)

"Paul Bergson [MVP-DS]" wrote:

> I don't know how you would be able to do that, unless you did a full AD
> restore from prod to test.
Re: Cloning AD groups (incl. SID's) between production/test enviro [message #155411 is a reply to message #155376] Thu, 28 May 2009 17:06
Jorge Silva, Senior Member, Messages: 398, Registered: July 2009
NO

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"Alwin" <Alwin@discussions.microsoft.com> wrote in message
news:7670374A-66F2-41BB-AAE3-4AB7DD8CE965@microsoft.com...
> Hello Paul,
>
> The workaround I am thinking of (without rebuilding the
> test environment) is adding an extra domain/forest with a completely
> different name, then using ADMT to migrate specifically that Application OU
> to the new domain including SIDHistory.
> After a successful migration, then again using ADMT from the new domain to
> the cloned domain in the test environment.
>
> The only thing that would be nice is if there was a hack to import/add a
> SIDHistory attribute from file into the test domain without having a
> connection to the production source domain....:)
Re: Cloning AD groups (incl. SID's) between production/test enviro [message #155441 is a reply to message #155411] Fri, 29 May 2009 08:16
pbbergs (United States), Senior Member, Messages: 1024, Registered: July 2009
ditto

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:A27EE316-553D-46D3-AA58-A5BEF1949DEE@microsoft.com...
> NO
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MVP Directory Services