Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Re: Cloning AD groups (incl. SID's) between production/test enviro [message #155335] Wed, 27 May 2009 11:55
Jorge Silva
- I was referring to the object itself without cloned SIDs. To do that you either
need to clone or do full restores to a different hardware box (of course
you'll need to perform AD cleanup each time that you duplicate the
environment).
- What is the purpose of that?
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"Alwin" <Alwin@discussions.microsoft.com> wrote in message
news:D5D0CCB0-87BF-4409-8FA9-B6C6A81F711D@microsoft.com...
> Hello Jorge,
>
> the 'migrate objects' from production to test sounds nice :)
> Which tool can do a migrate of specific OU's (including 'objectSID')
> without seeing the domain controllers (production / test).
> I have read about the tool from Quest Software
> (http://www.quest.com/object-restore-for-active-directory/)
>
> "Jorge Silva" wrote:
>
>> As I said, you can clone it again, or you can migrate the objects (and
>> they'll have the correct SIDs for that test domain), or you can do a full
>> restore as you would if you were changing to a different hardware.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MVP Directory Services
>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
>> news:6CEBCCB2-BBB7-441E-8105-389FC7D0A256@microsoft.com...
>> > Hi
>> > Since that you cloned the prod DC has different objects and assignments to
>> > the objects that may contain. I don't know how many DCs you have in PRD
>> > environment, but in the test domain sounds that you only have one and at
>> > this moment that test domain is not a mirror of your prod domain, because
>> > it has (probably) different FSMO roles it has different objects it has
>> > different replication partners, USNs etc... You can use that method but
>> > only to assign users that existed before the cloning process, otherwise
>> > you must add them manually or using a script. Another option is to try a
>> > restore of the prod AD DB in that server, but if you do that you may need
>> > to perform AD cleanup after that process (as you did when you clone the DC
>> > in the first time)
>> >
>> > --
>> > I hope that the information above helps you.
>> > Have a Nice day.
>> >
>> > Jorge Silva
>> > MVP Directory Services
>> > "Alwin" <Alwin@discussions.microsoft.com> wrote in message
>> > news:7733313C-1321-47E6-B080-D9F38ACACF38@microsoft.com...
>> >> Hi,
>> >>
>> >> I have setup a test-environment, which is a clone of the production
>> >> domain controller. I want to synchronize a specific OU with Security
>> >> Groups via the ldifde tool.
>> >> I need also the SID's of the security groups, because there is a member
>> >> server in the test-domain with a NTFS share. This is also a clone of
>> >> production.
>> >>
>> >> I use the next commandline from the production domain controller for the
>> >> export:
>> >>
>> >> ldifde -m -f c:\file.ldf -s dc-prod-01 -d
>> >> "ou=Applicaties,ou=Groepen,dc=mydomain,dc=nl" -p subtree -r
>> >> "(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=nl)"
>> >>
>> >> At the test-domain controller I remove all the entries in the same OU
>> >> with the commandline:
>> >>
>> >> dsrm -subtree -exclude -noprompt -c
>> >> "ou=Applicaties,ou=Groepen,dc=mydomain,dc=nl"
>> >>
>> >>
>> >> And finally I use the next command from the commandline at the test
>> >> domain controller:
>> >>
>> >> ldifde -i -f c:\file.ldf -k -y
>> >>
>> >> The result is that I have a filled up OU with all Groups and all members
>> >> within those groups etc. as exactly It was in production. So It seems
>> >> okay.
>> >> Unfortunately, when I go to the member server in the test domain. All
>> >> SID's are not resolvable at the NTFS permissions. When I use the tool
>> >> 'getsid' and compare a Group from test and production I notice that the
>> >> SID's are not the same anymore.
>> >> The SID's in the test domain are higher (and newer). That explains the
>> >> not resolvable SID's at NTFS.
>> >>
>> >> My question: how can I clone the groups (including the memberships)
>> >> including the SID's, so that in the test domain the same SID's are
>> >> created...
>> >>
>> >> Sincerely, Alwin
>> >
>>
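
Added example (not part of the original thread): a way to see the SID mismatch described above without checking groups one by one. It decodes the base64 `objectSid::` values in two LDIF exports and lists groups whose SID differs between production and test. It assumes both exports contain `sAMAccountName` and `objectSid`; the group names, domain SID and RIDs are constructed sample data.

```python
import base64
import struct

def decode_sid(raw: bytes) -> str:
    """Binary objectSid -> 'S-1-5-21-...' string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")           # 6 bytes, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:8 + 4 * count])  # little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def encode_sid(sid: str) -> str:
    """Inverse of decode_sid, returning base64; used only to build sample data."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    raw = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return base64.b64encode(raw + struct.pack(f"<{len(subs)}I", *subs)).decode()

def sids_by_name(ldif: str) -> dict:
    """Map sAMAccountName -> SID string for each blank-line-separated entry."""
    result = {}
    for entry in ldif.strip().split("\n\n"):
        name = sid = None
        for line in entry.splitlines():
            if line.startswith("sAMAccountName: "):
                name = line.split(": ", 1)[1]
            elif line.startswith("objectSid:: "):
                sid = decode_sid(base64.b64decode(line.split(":: ", 1)[1]))
        if name and sid:
            result[name] = sid
    return result

def sid_drift(prod_ldif: str, test_ldif: str) -> dict:
    """Groups present in both exports whose SID differs: name -> (prod, test)."""
    prod, test = sids_by_name(prod_ldif), sids_by_name(test_ldif)
    return {n: (prod[n], test[n]) for n in prod if n in test and prod[n] != test[n]}

# Constructed sample data: same domain SID (cloned DC), different RIDs.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"

def entry(name, rid):
    return (f"dn: CN={name},ou=Applicaties,ou=Groepen,dc=mydomain,dc=nl\n"
            f"sAMAccountName: {name}\nobjectSid:: {encode_sid(f'{DOMAIN}-{rid}')}\n")

PROD = "\n".join([entry("App-Finance", 1105), entry("App-HR", 1106)])
TEST = "\n".join([entry("App-Finance", 1105), entry("App-HR", 4211)])

if __name__ == "__main__":
    for name, (p, t) in sid_drift(PROD, TEST).items():
        print(f"{name}: prod={p} test={t}")
```

In the sample, `App-Finance` stands for a group that existed before the clone and keeps its SID, while `App-HR` stands for a group re-created by import and therefore carries a new RID.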