Cloning AD

Hank Arnold

I've been browsing the ngs for info on AD (among others) and there's so much
info it's sometimes hard to condense it all.

What I have is a test/development domain running on a server. The server is
running W2K Server w/SP4. It is in the same subnet as the production server.
All servers are "192.168.1.x". It is running fine and we are using it to set
up test environments for our main application, a medical database program
that uses SQL2000 (w/SP3a).

What I want to do is start using the test domain for developing strategies
and processes for changing/improving our current AD environment as well as
setting up our main environment (Citrix MetaFrame XP and Exchange 5.5) for
testing changes/updates, etc.. For example, our current AD has one OU and
one default GPO (thanks to our former "expert" consultants...). I know what
I want to do, I just need to be able to try out various implementation
options.....

I'm looking for a documented process to basically "clone" the AD structure
(OU/GPO/Accounts, etc.) so that I can set up the test servers (usually VM
sessions in VMWare) to match our current environment and then try out
things.

TIA..........
 
Herb Martin

You cannot REALLY "clone" AD -- you can however clone it
to an additional DC by just doing DC promo, moving the new
DC offline (to never return probably), and cleaning up the FSMO
roles and AD using NTDSUtil on the "disconnected" AD.

General rule: when you finish with it, just DCPromo to destroy
the "extra AD" before returning the SERVER (non-DC now) to
your network.
 
ptwilliams

Somebody else asked a similar question. Have a look at some of our
responses...
-- http://x220.minasi.com/forum/topic.asp?TOPIC_ID=11128

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


 
Ace Fekay [MVP]

ptwilliams said:
Somebody else asked a similar question. Have a look at some of our
responses...
-- http://x220.minasi.com/forum/topic.asp?TOPIC_ID=11128

Good link Paul. I would think either to use Ghost (which I do all the time
with my classroom instructor DC image) or since using VMWare, copy the
virtual machine file to another machine running VMWare and run it there,
provided there is no network connectivity between the existing one and the
new one.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Enkidu

Hank Arnold said:
For example, our current AD has one OU and one default GPO (thanks
to our former "expert" consultants...).

What's wrong with that setup? Keep it simple is GOOD. Just wonderin'.

Cheers,

Cliff
 
Hank Arnold

I think that "clone" is probably not the best term. The DC is already set
up. It's a physical machine and, as I said, it's on the same network. No way
I can use image software or any process that will interfere with the other
domain.

I guess what I want to do is re-create the user accounts and GPO so that I
can:

1) simulate the current GPO environment and try different techniques to
improve the structure
2) set up applications (like Citrix) and see the impact of different
upgrades or mods

What *can* I do to make the two environments as similar as possible?
 
Hank Arnold

One OU makes it hard to have different policies depending on the users. We
have users who we only want to be able to access a single application.
Others will have extensive permissions. We need a granularity that can't be
achieved with a single OU and GPO.....
 
Hank Arnold

Excellent link. However, my problem is that I want to do this to an existing
DC, not create a new one... GPMC looks promising, though..... Thanks.
 
Herb Martin

Just take the DC off line (put it on a private net in a lab).

If you make any changes, you can DCPromo it (to non-DC)
when finished and bring it back online as an ordinary
server (and optional re-DCPromo to DC again.)

Every DC has the same info as the others *

(*A GC has a bit more in a multi-domain forest and you
might want to have the FSMO roles on the "disconnected"
DC.)
 
dj

Exactly. This is pretty simple. Just promote a server to
DC in production and move that DC to the lab. Don't
de-promote it, just move it. You can then seize all FSMO
roles while in the lab or you can add an additional DC in
the lab once the production DC is placed there first. To
safely and completely get rid of the DC object in the
production domain after the server is unplugged and moved
to the lab, follow the procedures in KB article 216498.
 
