Thanks Guido.

I'll check out the IADsAccessControlEntry stuff.

At the moment we are setting up a replica of the prod environment (same
namespace), however the AD design (group layering structure, security) was
inherited from the previous owners, and doesn't *quite* fit our security
model.  What I am trying to do is get the basic structure in, and see how I
can recombine this into a more appropiate format.  Bringing content (users,
groups, security, policies) in selectively allows a lot more flexibility
than a full DC grab/dr/clone, and allows the structure to be rebuilt piece
by piece until it's working much better, then work out how to retrofit it
back into prod.  Sounds a tedious way to do it I'll grant you, however
allows me to build from the ground up, rather than pull down (which would
probably miss things).

G.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, 11 June 2004 7:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

You have different options when you're trying to implement the exact same
namespace in a physically separated lab, or when you want to integrate your
lab into the production network, choosing a different domain name.

For the first option you can go the "clone DC" or "grab DC" method as
described in other posts, but when you want to use a different namespace,
it's a little more complicated, especially, as you noted yourself, when you
want to grab the security settings as well.  If Win2003, you could still do
a domain/forest rename after you've cloned/grabbed the DCs from production,
but that's still a lot of work.
We've decided to go down the scripting/programming path to copy & translate
the ACLs of one AD forest to another to build lab-environments (only OU
permissions). Yes, it is rather tedious, but it can be done - see MSDN
"IADsAccessControlEntry Property Methods".

/Guido
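An added example of the scripted ACL copy-and-translate approach Guido describes, written here in PowerShell against the .NET ADSI wrapper (System.DirectoryServices) rather than the raw IADsAccessControlEntry interface; it is not code from anyone in this thread, and the DC names, OU paths and the PRODDOM/LABDOM mapping are placeholders.

```powershell
# Added example (not from the thread): copy explicit OU ACEs from a production
# OU to the matching lab OU, translating domain-qualified trustees on the way.
# Assumptions: DC names, OU DNs and the PRODDOM -> LABDOM map are placeholders.
$SourceOU  = 'LDAP://prod-dc01.prod.example/OU=Finance,DC=prod,DC=example'
$TargetOU  = 'LDAP://lab-dc01.lab.example/OU=Finance,DC=lab,DC=example'
$DomainMap = @{ 'PRODDOM' = 'LABDOM' }   # NetBIOS source -> lab domain names

$src = [ADSI]$SourceOU
$dst = [ADSI]$TargetOU
$srcSD = $src.ObjectSecurity       # System.DirectoryServices.ActiveDirectorySecurity
$dstSD = $dst.ObjectSecurity

# Preserve the "block inheritance" setting of the source OU, keeping any ACEs
# the lab OU already inherits (second argument).
$dstSD.SetAccessRuleProtection($srcSD.AreAccessRulesProtected, $true)

# Explicit ACEs only (includeInherited = $false): inherited entries are
# regenerated by the lab's own parent OUs, so copying them would duplicate them.
$rules = $srcSD.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])

foreach ($ace in $rules) {
    $name = $ace.IdentityReference.Value     # e.g. PRODDOM\Finance-Admins
    if ($name -match '^([^\\]+)\\(.+)$' -and $DomainMap.ContainsKey($Matches[1])) {
        $name = '{0}\{1}' -f $DomainMap[$Matches[1]], $Matches[2]
    }
    # Resolve the trustee in the lab forest; a group not yet imported via
    # LDIFDE would otherwise end up as an unresolved SID in the lab ACL.
    try {
        $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                   [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Trustee '$name' not found in lab forest; ACE skipped"
        continue
    }
    # Rebuild the ACE with the same rights, type, object GUIDs and inheritance.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $ace.ActiveDirectoryRights, $ace.AccessControlType,
        $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType)
    $dstSD.AddAccessRule($rule)
    Write-Verbose ("Added {0} {1} for {2}" -f $ace.AccessControlType, $ace.ActiveDirectoryRights, $name)
}

$dst.CommitChanges()   # writes the modified ntSecurityDescriptor back
```

Run it once per OU pair (or wrap it in a loop over the OU list exported with LDIFDE) after the groups have been imported, since a trustee that does not yet exist in the lab is skipped rather than written as an orphaned SID.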

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Donnerstag, 10. Juni 2004 17:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD

All,

We are in the process of constructing a Lab to mimic the production AD
system as closely as possible.  Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating the
AD "structure" and using this as a test bed to cleanup AD (OUs, objects,
permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration
components into a lab using an approach that can be scripted / automated?
(we may want to do this every few months or so). For example, we have used
LDIFDE to extract the OU structure, users and groups and re-imported these
into the test lab.  By and large this has worked very well (took some
tweaking of the LDIFDE commands to resolve some constraint violations etc),
however items such as OU security and policies are causing a bit more of a
headache.

Any thoughts ?

TIA

Glenn


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
