Re: Cloning AD groups (incl. SID's) between production/test enviro
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Thu, 28 May 2009 22:06:49 +0100
NO
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services
"Alwin" <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:7670374A-66F2-41BB-AAE3-4AB7DD8CE965@xxxxxxxxxxxxxxxx
Hello Paul,
The workaround I am thinking of (without rebuilding the test environment)
is adding an extra domain/forest with a completely different name, then using
ADMT to migrate specifically those Application OUs to the new domain including
SIDHistory.
After a successful migration, use ADMT again from the new domain to the
cloned domain in the test environment.
The only thing that would be nice is if there was a hack to import/add a
SIDHistory attribute from a file into the test domain without having a
connection to the production source domain....:)
"Paul Bergson [MVP-DS]" wrote:
I don't know how you would be able to do that, unless you did a full AD
restore from prod to test.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Alwin" <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E6B076EB-285C-481B-890B-ADD960F06970@xxxxxxxxxxxxxxxx
> Hello Paul,
>
> Thank you for answering my question.
> As I can see, I have a problem :)
> I just wanted this specific OU "Applicaties" to be cloned every month from
> production to test. Not the rest of the Active Directory.
> I also tried the ADRM with specific "ntdsutil, auth restore, restore
> subtree, etc." Without any success.
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> If you create new objects with the same names once you have cloned
>> your environment, you will not get the same SIDs. The only way you could
>> get the same SIDs is if you were to restore the production ntds.dit into
>> the test environment. Since each DC will have a new set of RIDs and the
>> order in which objects are created is going to be different, you will
>> never get them to be the same, unless like I said you did a restore. This
>> can be disastrous if you allow production and test to ever speak to one
>> another.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Alwin" <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:7733313C-1321-47E6-B080-D9F38ACACF38@xxxxxxxxxxxxxxxx
>> > Hi,
>> >
>> > I have set up a test environment, which is a clone of the production
>> > domain controller. I want to synchronize a specific OU with Security
>> > Groups via the ldifde tool.
>> > I also need the SIDs of the security groups, because there is a member
>> > server in the test domain with an NTFS share. This is also a clone of
>> > production.
>> >
>> > I use the following command line on the production domain controller for
>> > the export:
>> >
>> > ldifde -m -f c:\file.ldf -s dc-prod-01 -d
>> > "ou=Applicaties,ou=Groepen,dc=mydomain,dc=nl" -p subtree -r
>> > "(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=nl)"
>> >
>> > At the test domain controller I remove all the entries in the same OU
>> > with the command line:
>> >
>> > dsrm -subtree -exclude -noprompt -c
>> > "ou=Applicaties,ou=Groepen,dc=mydomain,dc=nl"
>> >
>> >
>> > And finally I use the following command from the command line at the test
>> > domain controller:
>> >
>> > ldifde -i -f c:\file.ldf -k -y
>> >
>> > The result is that I have a filled-up OU with all groups and all members
>> > within those groups etc., exactly as it was in production. So it seems
>> > okay.
>> > Unfortunately, when I go to the member server in the test domain, all
>> > SIDs are not resolvable in the NTFS permissions. When I use the tool
>> > 'getsid' and compare a group from test and production I notice that the
>> > SIDs are not the same anymore.
>> > The SIDs in the test domain are higher (and newer). That explains the
>> > unresolvable SIDs at NTFS.
>> >
>> > My question: how can I clone the groups (including the memberships)
>> > including the SIDs, so that in the test domain the same SIDs are
>> > created...
>> >
>> > sincerely, Alwin
>>
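Jorge's "NO" and Paul's explanation both come down to the same fact: objectSid is assigned by the DC from its RID pool when the object is created, and ldifde cannot import it. What an administrator can do before trusting ACLs on a cloned member server is verify which groups still carry the production SID. The Python script below is an added example, not code from this thread or from any Microsoft tool. It decodes the binary objectSid from two ldifde exports (taken without -m, because SAM logic strips objectSid from the export) and lists every group whose test SID differs from production; each row is an ACE the cloned file server will show as an unresolved SID. The OU path, group names, domain SID and RIDs are constructed; the LDIF handling follows the standard "attr:: base64" convention and the folded continuation lines ldifde writes.

```python
import base64
import struct
from typing import Dict, List, Optional, Tuple


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary layout AD stores in objectSid:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then each sub-authority as a 32-bit little-endian int."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    header = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Decode the binary objectSid layout back into its string form."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def parse_ldif(text: str) -> List[Dict[str, list]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space), splits
    entries on blank lines, and base64-decodes 'attr:: value' into bytes.
    Attribute names are lower-cased because LDAP treats them case-insensitively."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Dict[str, list]] = []
    current: Dict[str, list] = {}
    for line in unfolded + [""]:          # trailing "" closes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):        # "attr:: <base64>"
            decoded: object = base64.b64decode(value[1:].strip())
        else:
            decoded = value.strip()
        current.setdefault(attr.strip().lower(), []).append(decoded)
    return entries


def group_sids(ldif_text: str) -> Dict[str, str]:
    """sAMAccountName -> SID string for every entry that carries an objectSid."""
    out: Dict[str, str] = {}
    for entry in parse_ldif(ldif_text):
        names, sids = entry.get("samaccountname"), entry.get("objectsid")
        if names and sids:
            out[str(names[0])] = bytes_to_sid(sids[0])
    return out


def rid(sid: str) -> int:
    """Relative identifier: the last sub-authority, handed out by the DC at creation."""
    return int(sid.rsplit("-", 1)[1])


def domain_sid(sid: str) -> str:
    """Everything but the RID; a cloned domain keeps this part, only RIDs diverge."""
    return sid.rsplit("-", 1)[0]


def compare_exports(prod_ldif: str, test_ldif: str) -> List[Tuple[str, str, Optional[str]]]:
    """(group, production SID, test SID or None) for each production group whose
    test copy is missing or carries a different SID. ACLs on a cloned member
    server reference the production SID, so every row here is an unresolvable ACE."""
    prod, test = group_sids(prod_ldif), group_sids(test_ldif)
    return [(name, psid, test.get(name))
            for name, psid in sorted(prod.items()) if test.get(name) != psid]


def make_entry(cn: str, sid: str, fold: bool = False) -> str:
    """Build one constructed ldifde-style group entry (sample data, not a real export)."""
    b64 = base64.b64encode(sid_to_bytes(sid)).decode("ascii")
    if fold:  # ldifde folds long values; the continuation line begins with a space
        b64 = b64[:20] + "\n " + b64[20:]
    return ("dn: CN=%s,OU=Applicaties,OU=Groepen,DC=mydomain,DC=nl\n"
            "changetype: add\nobjectClass: group\nsAMAccountName: %s\n"
            "objectSid:: %s\n" % (cn, cn, b64))


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
PROD_LDIF = "\n".join([make_entry("App-Finance-RW", DOMAIN + "-1105", fold=True),
                       make_entry("App-HR-RO", DOMAIN + "-1106")])
TEST_LDIF = "\n".join([make_entry("App-Finance-RW", DOMAIN + "-2450"),   # re-created: newer, higher RID
                       make_entry("App-HR-RO", DOMAIN + "-1106")])       # constructed: still matches

if __name__ == "__main__":
    for name, psid, tsid in compare_exports(PROD_LDIF, TEST_LDIF):
        same_domain = tsid is not None and domain_sid(tsid) == domain_sid(psid)
        print("%s: prod RID %d, test RID %s (same domain SID: %s)"
              % (name, rid(psid), tsid and rid(tsid), same_domain))
```

Run against real exports, the check reads the two .ldf files instead of the constructed strings; a group listed with the same domain SID but a higher RID is the exact symptom Alwin describes, while a group listed with None was never re-created in test at all.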