Cloning AD groups (incl. SID's) between production/test environmen

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

---

• From: Alwin <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Mon, 25 May 2009 12:41:01 -0700

---

Hi,

I have setup a test-environment, which is a clone of the production domain
controller. I want to synchronize a specific OU with Security Groups via the
ldifde tool.
I need also the SID's of the security groups, because there is a member
server in the test-domain with a NTFS share. This is also a clone of
production.

I use the next commandline from the production domain controller for the
export:

ldifde -m -f c:\file.ldf -s dc-prod-01 -d
"ou=Applicaties,ou=Groepen,dc=mydomain,dc=nl" -p subtree -r
"(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=nl)"

At the test-domain controller I remove all the entries in the same OU with
the commandline:

dsrm -subtree -exclude -noprompt -c
"ou=Applicaties,ou=Groepen,dc=mydomain,dc=nl"


And finally I use the next command from the commandline at the test
domaincontroller:

ldifde -i -f c:\file.ldf -k -y

The result is that I have a filled up OU with all Groups and all members
whitin those groups etc. as exactly It was in production. So It seems okay.
Unfortunately, when I go to the memberserver in the test domain. All SID's
are not resolvable at the NTFS permissions. When I use the tool 'getsid' and
compare a Group from test and prodcution I notice that the SID's are not the
same anymore.
The SID's in the test domain are higher (and newer). That explains the not
resolvable SID's at NTFS.

My question: how can I clone the groups (inlcuding the memberships)
including the SID's, so that in the test domain the same SID's are created...

sincerly, Alwin
.

---

• Follow-Ups:
  • Re: Cloning AD groups (incl. SID's) between production/test environmen
    • From: Paul Bergson [MVP-DS]
  • Re: Cloning AD groups (incl. SID's) between production/test environmen
    • From: Marcin
  • Re: Cloning AD groups (incl. SID's) between production/test environmen
    • From: Jorge Silva
  • Re: Cloning AD groups (incl. SID's) between production/test environmen
    • From: Meinolf Weber [MVP-DS]

• Prev by Date: Re: DFS problem - Event id 14526
• Next by Date: Re: 2k8 Mapped Network Drive GPO - NTFS Permissions?
• Previous by thread: search by last name in Select Users, Computers, Groups dialog?
• Next by thread: Re: Cloning AD groups (incl. SID's) between production/test environmen
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Cloning AD groups (incl. SIDs) between production/test environmen ... which is a clone of the production domain ... I use the next commandline from the production domain controller for the ... when I go to the memberserver in the test domain. ... (microsoft.public.windows.server.active_directory) Re: Copy users and groups to test DC? ... Regards, ... > production domain, and you said in your original post that you wanted ... you need your test domain to trust the production ... > be able to resolve DNS queries about the test domain. ... (microsoft.public.windows.server.active_directory) Re: ASP.Net development - must you have IIS on the machine that VS.Net is on? ... what is the best way to connect to the remote server and have full ... and I never installed IIS locally. ... member of the production domain, but not of the test domain. ... (microsoft.public.vsnet.general) Win2k3/IIS Kerberos challenges ... application uses delegation to allow the users to access resources from ... their remote browser. ... PRODUCTION domain. ... The machines are in the TEST domain. ... (microsoft.public.windows.server.security)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.active_directory  > 2009-05