Re: Cloning AD groups (incl. SID's) between production/test enviro
- From: "Paul Bergson [MVP-DS]" <pbbergs@xxxxxxxxxxxxxx>
- Date: Fri, 29 May 2009 07:16:37 -0500
ditto
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:A27EE316-553D-46D3-AA58-A5BEF1949DEE@xxxxxxxxxxxxxxxx
NO
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services
"Alwin" <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7670374A-66F2-41BB-AAE3-4AB7DD8CE965@xxxxxxxxxxxxxxxx
Hello Paul,
The workaround I am thinking of (without rebuilding the test environment) is adding an extra domain/forest with a completely different name. Then using ADMT to migrate specifically those Application OUs to the new domain, including SIDhistory.
After a successful migration, then again using ADMT from the new domain to the cloned domain in the test environment.
The only thing that would be nice is if there was a hack to import/add a SIDhistory attribute from file into the test domain without having a connection from the production source domain....:)
"Paul Bergson [MVP-DS]" wrote:
I don't know how you would be able to do that, unless you did a full AD
restore from prod to test.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Alwin" <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E6B076EB-285C-481B-890B-ADD960F06970@xxxxxxxxxxxxxxxx
Hello Paul,
Thank you for answering my question.
As I can see, I have a problem :)
I just wanted this specific OU "Applicaties" to be cloned every month from production to test. Not the rest of the Active Directory.
I also tried the ADRM with specific "ntdsutil, auth restore, restore subtree, etc." Without any success.
"Paul Bergson [MVP-DS]" wrote:
If you create new objects with the same names once you have cloned your environment, you will not get the same SIDs. The only way you could get the same SIDs is if you were to restore the production ntds.dit into the test environment. Since each DC will have a new set of RIDs and the order in which objects are created is going to be different, you will never get them to be the same, unless, like I said, you did a restore. This can be disastrous if you allow production and test to ever speak to one another.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Alwin" <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7733313C-1321-47E6-B080-D9F38ACACF38@xxxxxxxxxxxxxxxx
Hi,
I have set up a test environment, which is a clone of the production domain controller. I want to synchronize a specific OU with Security Groups via the ldifde tool.
I also need the SIDs of the security groups, because there is a member server in the test domain with an NTFS share. This is also a clone of production.
I use the following command line from the production domain controller for the export:
ldifde -m -f c:\file.ldf -s dc-prod-01 -d "ou=Applicaties,ou=Groepen,dc=mydomain,dc=nl" -p subtree -r "(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=nl)"
At the test domain controller I remove all the entries in the same OU with the command line:
dsrm -subtree -exclude -noprompt -c "ou=Applicaties,ou=Groepen,dc=mydomain,dc=nl"
And finally I use the following command from the command line at the test domain controller:
ldifde -i -f c:\file.ldf -k -y
The result is that I have a filled-up OU with all groups and all members within those groups etc., exactly as it was in production. So it seems okay.
Unfortunately, when I go to the member server in the test domain, all SIDs are not resolvable in the NTFS permissions. When I use the tool 'getsid' and compare a group from test and production, I notice that the SIDs are not the same anymore.
The SIDs in the test domain are higher (and newer). That explains the non-resolvable SIDs at NTFS.
My question: how can I clone the groups (including the memberships) including the SIDs, so that in the test domain the same SIDs are created...
Sincerely, Alwin
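The procedure in the thread (ldifde export, dsrm, ldifde import) re-creates the groups, but as observed they come back with new RIDs: objectSid is a system-owned attribute that cannot be set on import, and `ldifde -m` does not even write it to the export file. The added example below is not code from the thread or from any of the posters; it shows the workaround a practitioner reaches for when SIDs cannot be preserved: read objectSid from a production export and a test export, pair the groups by sAMAccountName, and rewrite the SIDs inside an SDDL string so that ACLs saved from the production file server can be re-applied on the test clone. Group names, the domain SID, the LDIF text and the SDDL string are all constructed for the demo, not taken from real exports; the test domain keeps the production domain SID (it is a cloned DC) but hands out higher RIDs, which is the mismatch described in the thread. Groups that exist only in production and SIDs that cannot be mapped are reported instead of being silently dropped.

```python
"""SID translation between two domains whose groups share names but not SIDs.
Added example for this thread, not code from the original posts. The LDIF text,
group names, domain SID and SDDL below are constructed for the demo."""
import base64
import re
import struct

# Only domain-relative SIDs differ between the domains; well-known and BUILTIN
# SIDs (BA, SY, S-1-5-32-*) are the same everywhere and are left untouched.
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")
LDIF_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?)\s*(.*)$")


def sid_to_bytes(sid):
    """Encode 'S-1-<authority>-<sub>...' into the binary layout AD stores in objectSid."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def bytes_to_sid(raw):
    """Decode binary objectSid back into its string form."""
    revision, count = struct.unpack("<BB", raw[:2])
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def make_ldif(entries):
    """Build a constructed ldifde-style export; binary objectSid is base64 after '::'."""
    blocks = []
    for dn, name, sid in entries:
        b64 = base64.b64encode(sid_to_bytes(sid)).decode("ascii")
        blocks.append("dn: %s\nobjectClass: group\nsAMAccountName: %s\nobjectSid:: %s\n"
                      % (dn, name, b64))
    return "\n".join(blocks)


def parse_ldif(text):
    """Return {sAMAccountName: SID string} for every entry that carries an objectSid.
    Handles base64 ('::') values and LDIF folding (continuation lines start with a space)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    result, entry = {}, {}
    for line in unfolded + [""]:  # the trailing "" flushes the last entry
        if line == "":
            if "samaccountname" in entry and "objectsid" in entry:
                result[entry["samaccountname"]] = entry["objectsid"]
            entry = {}
            continue
        m = LDIF_ATTR_RE.match(line)
        if not m:  # comments ('#') and anything malformed are skipped
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            raw = base64.b64decode(value)
            value = bytes_to_sid(raw) if attr.lower() == "objectsid" else raw.decode("utf-8", "replace")
        entry[attr.lower()] = value
    return result


def build_sid_map(prod_ldif, test_ldif):
    """Map production SID -> test SID by group name; groups absent in test are reported."""
    prod, test = parse_ldif(prod_ldif), parse_ldif(test_ldif)
    sid_map = {prod[name]: test[name] for name in prod if name in test}
    return sid_map, sorted(set(prod) - set(test))


def translate_sddl(sddl, sid_map):
    """Rewrite every domain SID in an SDDL string; unmapped SIDs are kept and reported."""
    unmapped = []

    def swap(m):
        sid = m.group(0)
        if sid not in sid_map:
            unmapped.append(sid)
        return sid_map.get(sid, sid)
    return DOMAIN_SID_RE.sub(swap, sddl), unmapped


# Constructed sample data: same domain SID on both sides (cloned DC), new RIDs in test.
DOMAIN = "S-1-5-21-1000000001-1000000002-1000000003"
OU = "OU=Applicaties,OU=Groepen,DC=mydomain,DC=nl"
PROD_LDIF = make_ldif([("CN=APP-Finance-RW,%s" % OU, "APP-Finance-RW", DOMAIN + "-1105"),
                       ("CN=APP-HR-RO,%s" % OU, "APP-HR-RO", DOMAIN + "-1106"),
                       ("CN=APP-Legacy,%s" % OU, "APP-Legacy", DOMAIN + "-1107")])
TEST_LDIF = make_ldif([("CN=APP-Finance-RW,%s" % OU, "APP-Finance-RW", DOMAIN + "-1612"),
                       ("CN=APP-HR-RO,%s" % OU, "APP-HR-RO", DOMAIN + "-1613")])
# Constructed ACL of a share folder as it would be saved from the production member server.
SAMPLE_SDDL = ("O:BAG:BAD:(A;;FA;;;BA)(A;;0x1301bf;;;%s-1105)"
               "(A;;0x1200a9;;;%s-1106)(A;;FA;;;%s-1107)" % (DOMAIN, DOMAIN, DOMAIN))


def demo():
    """Translate the constructed production ACL into test-domain SIDs."""
    sid_map, missing = build_sid_map(PROD_LDIF, TEST_LDIF)
    translated, unmapped = translate_sddl(SAMPLE_SDDL, sid_map)
    return translated, unmapped, missing
```

Run against real data, the two exports would come from `ldifde` without `-m` on each side (with `-m`, objectSid is omitted), and the SDDL strings from `icacls <folder> /save <file> /t` on the member server, written back with `icacls <folder> /restore <file>` after translation. Two caveats follow from the thread itself. A SID that maps to nothing (APP-Legacy above) stays in the ACL as an unresolvable entry, so the report of unmapped SIDs is the list of groups still to be created before the restore. And the "import sIDHistory from a file" idea is not available for a reason: sIDHistory is a system-protected attribute, and the supported write path (DsAddSidHistory, which ADMT uses) requires a trust and credentials in the source domain precisely because a SID placed in sIDHistory grants everything that SID is granted, which is also why Paul's warning about never letting a restored production database talk to production applies.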