RE: [ActiveDir] Non DR migration of AD

2004-06-12 Thread Glenn Corbett
Hunter,

Only from a supportability perspective, nothing else.

I use the VMWare stuff very heavily in LAB environments and the like, but
have to tread a bit more carefully around production (especially the
production AD).

Glenn
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Saturday, 12 June 2004 12:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

VMWare has a couple of fully released products right now ;-)

You may have valid reasons for wanting to go with Microsoft's product,
though. 

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 7:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

Hunter,

Agreed, have looked into this, but am waiting for the full release of
virtual server before I start doing things like this in the prod
environment.

This will most likely be the go in the long run, and also affords some
really nice flexibility in the production environment with respect to moving
DC's around between newer hardware etc (which poses quite an issue at the
moment).

G.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, 11 June 2004 2:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

This situation holds a lot of promise for DCs running on virtual servers. I
know it's come up on the list before, and we have done some testing but
haven't rolled it into production yet. Basically, build a DC on a virtual
server; you can set it up with replication latency and other abnormal
settings for DR purposes as an added benefit. At any point, you can shut
down the virtual DC, copy the disk image to an alternate location (lab), and
bring up both the original virtual DC in the production environment as well
as the virtual DC in the lab environment. You'll still have to do some
cleanup and role seizing in the lab, but from the production environment's
standpoint all that happened was a DC shutdown and restarted. 

Hunter

-Original Message-
From: Passo, Larry [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

But then you should clean up your production AD to remove mention of the DC
that isn't there anymore.

http://support.microsoft.com/?id=216498


-Original Message-
From: Rutherford, Robert
[mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 8:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

Bring up a new DC..
Take it off the production domain and into the lab... Seize the roles?
You will have to do some clean up but it's the easiest way if it's not going
to be linked to your production domain.

Rob

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: 10 June 2004 16:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD


All,

We are in the process of constructing a Lab to mimic the production AD
system as closely as possible.  Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating the
AD structure and using this as a test bed to cleanup AD (OU's, objects,
permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration
components into a lab using an approach that can be scripted / automated ?
(we may want to do this every few months or so). For example, we have used
LDIFDE to extract the OU structure, users and groups and re-imported these
into the test lab.  By and large this has worked very well (took some
tweaking of the LDIFDE commands to resolve some constraint violations etc),
however items such as OU security and policies is causing a bit more of a
headache.

Any thoughts ?

TIA

Glenn


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and the information it contains are confidential and may be
privileged. If you have received this e-mail in error please notify the
sender immediately and delete the material from any computer. Unless you are
the intended recipient, you should not copy this e-mail for any purpose, or
disclose its contents to any other person. 
The MCPS-PRS Alliance is not responsible for the completeness or accuracy of
this communication as it has been transmitted over a public network. Whilst
the MCPS-PRS Alliance monitors all communications for potential viruses, we
accept no responsibility for any loss or damage caused by this e-mail and
the information it contains.
It is the recipient's responsibility to scan this e-mail and any attachments
for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may
be monitored for quality control and other purposes.

The MCPS-PRS Alliance Limited is a limited

RE: [ActiveDir] Non DR migration of AD

2004-06-11 Thread Glenn Corbett
Robert,

Yep, that is essentially a DR strategy, which does work.  I'm looking for a
non DR-style method to do this as well.

Glenn
 


RE: [ActiveDir] Non DR migration of AD

2004-06-11 Thread Glenn Corbett
Hunter,

Agreed, have looked into this, but am waiting for the full release of
virtual server before I start doing things like this in the prod
environment.

This will most likely be the go in the long run, and also affords some
really nice flexibility in the production environment with respect to moving
DC's around between newer hardware etc (which poses quite an issue at the
moment).

G.
 


RE: [ActiveDir] Non DR migration of AD

2004-06-11 Thread Glenn Corbett
Thanks Guido.

I'll check out the IADsAccessControlEntry stuff.

At the moment we are setting up a replica of the prod environment (same
namespace), however the AD design (group layering structure, security) was
inherited from the previous owners, and doesn't *quite* fit our security
model.  What I am trying to do is get the basic structure in, and see how I
can recombine this into a more appropriate format.  Bringing content (users,
groups, security, policies) in selectively allows a lot more flexibility
than a full DC grab/dr/clone, and allows the structure to be rebuilt piece
by piece until it's working much better, then work out how to retrofit it
back into prod.  Sounds a tedious way to do it I'll grant you, however
allows me to build from the ground up, rather than pull down (which would
probably miss things).

G.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, 11 June 2004 7:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

you have different options when you're trying to implement the exact same
namespace in a physically separated lab, or when you want to integrate your
lab into the production network, choosing a different domain name.  

For the first option you can go the clone DC or grab DC method as
described in other posts, but when you want to use a different namespace,
it's a little more complicated, especially - as you noted yourself, when you
want to grab the security settings as well.  If Win2003, you could still do
a domain/forest rename after you've cloned/grabbed the DCs from production,
but that's still a lot of work.
We've decided to go down the scripting/programming path to copy & translate
the ACLs of one AD forest to another to build lab-environments (only OU
permissions). Yes, it is rather tedious, but it can be done - see MSDN
IADsAccessControlEntry Property Methods.

/Guido
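
The post above describes copying and translating OU ACLs from one forest to another. The following is an added example, not code from the thread or from Microsoft: it performs that translation step on SDDL strings in Python rather than through the IADsAccessControlEntry objects the post points to. The domain SIDs, account names, RIDs and GUID are constructed, and the function names `build_sid_map` and `translate_dacl` are hypothetical.

```python
import re

# Constructed sample values: every SID, RID, name and GUID below is made up.
SRC_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # production
DST_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"   # lab
GUID = "00000000-0000-0000-0000-000000000001"                  # placeholder object type

# sAMAccountName -> SID, as an export from each domain would give it.
# Objects re-created in the lab get new RIDs, so matching has to be by name.
SRC_ACCOUNTS = {
    "OU-Admins": SRC_DOMAIN_SID + "-1120",
    "HelpDesk": SRC_DOMAIN_SID + "-1105",
    "OldContractors": SRC_DOMAIN_SID + "-1188",   # has no counterpart in the lab
}
DST_ACCOUNTS = {
    "OU-Admins": DST_DOMAIN_SID + "-1601",
    "helpdesk": DST_DOMAIN_SID + "-1604",
}

# DACL of one production OU in SDDL form (constructed).
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(A;CI;RPWPCCDCLCSWRCWDWO;;;{SRC_DOMAIN_SID}-1120)"
    f"(OA;CIIO;RPWP;{GUID};;{SRC_DOMAIN_SID}-1105)"
    f"(A;CI;GA;;;{SRC_DOMAIN_SID}-1188)"
    f"(A;CIID;GA;;;{SRC_DOMAIN_SID}-512)"
    "(A;;RPLCRC;;;AU)"
)

# "D:" + DACL flags + one or more ACEs. Conditional ACEs, which nest
# parentheses, are out of scope for this example.
DACL_RE = re.compile(r"(D:[A-Z]*)((?:\([^()]*\))+)")
ACE_RE = re.compile(r"\(([^()]*)\)")


def build_sid_map(src_accounts, dst_accounts):
    """Map source SID -> destination SID by case-insensitive account name."""
    dst_by_name = {name.lower(): sid for name, sid in dst_accounts.items()}
    return {
        sid: dst_by_name[name.lower()]
        for name, sid in src_accounts.items()
        if name.lower() in dst_by_name
    }


def translate_dacl(sddl, src_domain_sid, sid_map):
    """Rewrite source-domain trustees in the DACL; return (new_sddl, report).

    Inherited ACEs are skipped because the destination parent re-creates them.
    ACEs whose trustee has no destination counterpart are dropped and reported.
    Owner (O:) and group (G:) are left as they are.
    """
    match = DACL_RE.search(sddl)
    if match is None:
        raise ValueError("no DACL found in SDDL string")

    report = {"translated": 0, "passed_through": 0,
              "skipped_inherited": 0, "unmapped": []}
    kept = []
    for body in ACE_RE.findall(match.group(2)):
        # type;flags;rights;object_guid;inherit_object_guid;trustee
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"unexpected ACE layout: ({body})")
        flags, trustee = fields[1], fields[5]
        # ACE flags are two-letter tokens; "ID" marks an inherited ACE.
        flag_tokens = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        if "ID" in flag_tokens:
            report["skipped_inherited"] += 1
            continue
        if trustee.startswith(src_domain_sid + "-"):
            target = sid_map.get(trustee)
            if target is None:
                report["unmapped"].append(trustee)
                continue
            fields[5] = target
            report["translated"] += 1
        else:
            # Well-known SIDs and SDDL aliases (AU, BA, ...) are valid as-is.
            report["passed_through"] += 1
        kept.append("(" + ";".join(fields) + ")")

    new_sddl = sddl[:match.start(2)] + "".join(kept) + sddl[match.end(2):]
    return new_sddl, report


SID_MAP = build_sid_map(SRC_ACCOUNTS, DST_ACCOUNTS)

if __name__ == "__main__":
    translated, summary = translate_dacl(SAMPLE_SDDL, SRC_DOMAIN_SID, SID_MAP)
    print(translated)
    print(summary)
```

Unmapped trustees are dropped and reported rather than copied, so the lab OU does not end up carrying ACEs for SIDs that cannot resolve there.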



RE: [ActiveDir] Non DR migration of AD

2004-06-11 Thread Coleman, Hunter
VMWare has a couple of fully released products right now ;-)

You may have valid reasons for wanting to go with Microsoft's product,
though. 


RE: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Rutherford, Robert
Bring up a new DC..
Take it off the production domain and into the lab... Seize the roles?
You will have to do some clean up but it's the easiest way if it's not
going to be linked to your production domain.

Rob


RE: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Passo, Larry
But then you should clean up your production AD to remove mention of the
DC that isn't there anymore.

http://support.microsoft.com/?id=216498



RE: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Coleman, Hunter
This situation holds a lot of promise for DCs running on virtual servers. I
know it's come up on the list before, and we have done some testing but
haven't rolled it into production yet. Basically, build a DC on a virtual
server; you can set it up with replication latency and other abnormal
settings for DR purposes as an added benefit. At any point, you can shut
down the virtual DC, copy the disk image to an alternate location (lab), and
bring up both the original virtual DC in the production environment as well
as the virtual DC in the lab environment. You'll still have to do some
cleanup and role seizing in the lab, but from the production environment's
standpoint all that happened was a DC shutdown and restarted. 

Hunter


Re: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Steve Patrick
If you simply want:


Same users\groups
Same OU structure
Same GPO's


I highly suggest you look at GPMC (group policy mgmt console) scripts...

CreateEnvironmentFromXML.wsf
CreateXMLFromEnvironment.wsf



-steve




- Original Message - 
From: Glenn Corbett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 7:59 AM
Subject: [ActiveDir] Non DR migration of AD


 All,

 We are in the process of constructing a Lab to mimic the production AD
 system as closely as possible.  Doing a full DR into this environment is
 certainly an option, however we have been looking into simply migrating
 the AD structure and using this as a test bed to cleanup AD (OU's, objects,
 permissions, policies etc).

 Is anyone aware of tools or procedures to get the major AD configuration
 components into a lab using an approach that can be scripted / automated?
 (we may want to do this every few months or so). For example, we have used
 LDIFDE to extract the OU structure, users and groups and re-imported these
 into the test lab.  By and large this has worked very well (took some
 tweaking of the LDIFDE commands to resolve some constraint violations
 etc), however items such as OU security and policies are causing a bit
 more of a headache.

 Any thoughts ?

 TIA

 Glenn




RE: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Tyson Leslie
It works well, we have done it.  We took a DC from our root domain, plus DCs
from two of the (four) child domains.   If you have multiple domains, I
would suggest that you make sure your DCs are GC servers before you take them
offline.  This caused us a few difficulties when we tried to make the server
a GC after-the-fact, as it complained that it did not have up-to-date
information about the other two domains that we did not take offline.

When we get time, I would like to do it again, using virtual servers.  I
think that would provide a bit more flexibility...

Tyson.

 
Tyson Leslie
Senior Network Analyst
Colt Engineering Corporation 
(403) 258-8153 
[EMAIL PROTECTED] 
 



-Original Message-
From: Rutherford, Robert [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

Bring up a new DC..
Take it off the production domain and into the lab... Seize the roles?
You will have to do some clean up but it's the easiest way if it's not going
to be linked to your production domain.

Rob

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: 10 June 2004 16:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD


All,

We are in the process of constructing a Lab to mimic the production AD
system as closely as possible.  Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating
the AD structure and using this as a test bed to cleanup AD (OU's,
objects, permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration
components into a lab using an approach that can be scripted / automated?
(we may want to do this every few months or so). For example, we have
used LDIFDE to extract the OU structure, users and groups and
re-imported these into the test lab.  By and large this has worked very
well (took some tweaking of the LDIFDE commands to resolve some
constraint violations etc), however items such as OU security and
policies are causing a bit more of a headache.

Any thoughts ?

TIA

Glenn




RE: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Grillenmeier, Guido
You have different options when you're trying to implement the exact
same namespace in a physically separated lab, or when you want to
integrate your lab into the production network, choosing a different
domain name.

For the first option you can go the clone DC or grab DC method as
described in other posts, but when you want to use a different
namespace, it's a little more complicated, especially - as you noted
yourself, when you want to grab the security settings as well.  If
Win2003, you could still do a domain/forest rename after you've
cloned/grabbed the DCs from production, but that's still a lot of work.
We've decided to go down the scripting/programming path to copy and
translate the ACLs of one AD forest to another to build lab-environments
(only OU permissions). Yes, it is rather tedious, but it can be done -
see MSDN IADsAccessControlEntry Property Methods.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Donnerstag, 10. Juni 2004 17:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD

All,

We are in the process of constructing a Lab to mimic the production AD
system as closely as possible.  Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating
the AD structure and using this as a test bed to cleanup AD (OU's,
objects, permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration
components into a lab using an approach that can be scripted / automated?
(we may want to do this every few months or so). For example, we have
used LDIFDE to extract the OU structure, users and groups and re-imported
these into the test lab.  By and large this has worked very well (took some
tweaking of the LDIFDE commands to resolve some constraint violations
etc), however items such as OU security and policies are causing a bit
more of a headache.

Any thoughts ?

TIA

Glenn


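Added example, not part of the original thread or any poster's code: a Python illustration of the copy-and-translate step Guido describes for OU permissions, working on the DACL in SDDL string form rather than through the IADsAccessControlEntry interface he cites. It assumes the lab accounts were re-created under the same names (for instance by the LDIFDE import), so their SIDs differ from production; every SID, account name and function name below is constructed for illustration.

```python
import re

ACE_RE = re.compile(r"\(([^()]*)\)")                       # one simple ACE
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")  # domain-issued SID

def translate_dacl(sddl, src_sid_to_name, dst_name_to_sid):
    """Rewrite domain-SID trustees in an SDDL DACL for the lab forest.
    Returns (translated_sddl, unresolved). ACEs whose trustee has no
    same-named account in the lab are dropped and reported, so no orphaned
    production SID ends up on a lab OU. Conditional ACEs (nested
    parentheses) and owner/group SIDs are not handled.
    """
    unresolved = []

    def rewrite(match):
        fields = match.group(1).split(";")
        if len(fields) != 6 or not DOMAIN_SID_RE.match(fields[5]):
            return match.group(0)   # alias (AU, BA...) or built-in SID: portable
        name = src_sid_to_name.get(fields[5])
        new_sid = dst_name_to_sid.get(name.lower()) if name else None
        if new_sid is None:
            unresolved.append((fields[5], name))
            return ""
        fields[5] = new_sid
        return "(" + ";".join(fields) + ")"

    return ACE_RE.sub(rewrite, sddl), unresolved

# Constructed sample data: both domain SIDs and all account names are made up.
PROD = "S-1-5-21-1111111111-2222222222-3333333333"
LAB = "S-1-5-21-4444444444-5555555555-6666666666"
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of class "user"

PROD_OU_DACL = (
    "D:AI"
    f"(A;CI;GA;;;{PROD}-1105)"                   # OU-Admins: full control
    f"(OA;CI;CCDC;{USER_CLASS};;{PROD}-1106)"    # Helpdesk: create/delete users
    f"(A;CI;RPWP;;;{PROD}-1107)"                 # account that was not migrated
    "(A;;RPLCLORC;;;AU)"                         # Authenticated Users alias
)
PROD_SID_TO_NAME = {f"{PROD}-1105": "OU-Admins", f"{PROD}-1106": "Helpdesk",
                    f"{PROD}-1107": "Legacy-Operators"}
LAB_NAME_TO_SID = {"ou-admins": f"{LAB}-1604", "helpdesk": f"{LAB}-1601"}

def demo():
    return translate_dacl(PROD_OU_DACL, PROD_SID_TO_NAME, LAB_NAME_TO_SID)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The unresolved list is the part to review before applying the result in the lab: each entry is a production trustee with no lab counterpart, which usually means an account or group the import skipped.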