How to Create an Active Directory Test Lab

Need to know details for Administrators
Essential knowledge: Creating an Active Directory Test Lab
Author: Bob Bobel

Cayo Software Need2Know

About the Author

As a Product Management Director, Bob is responsible for driving innovation and strategy for Security, Compliance and Identity products. Bobel combines his twenty+ years of IT management and enterprise software experience to provide strategic vision to high-performance teams through times of growth and change. Bobel previously held Product Management roles at enterprise software companies Netwrix Software and Quest Software Inc. (acquired by Dell in 2012). While at Quest, Bobel's role included creating the first true Active Directory-centric Identity Management platform, ActiveRoles Server. A frequent traveler, Bob resides in Ohio with his wife and two children.

Email: bob@cayosoft.com
LinkedIn: linkedin.com/in/robertbobel
Twitter: @rbobel

Overview

There are two primary methods used by administrators to implement Dev/Test environments to protect Active Directory from errors while they try out administrative changes. There are numerous options for creating an Active Directory test lab. The first method is to clone the directory and the second is to recreate the directory. Each has benefits and drawbacks that should be considered before choosing the method that meets your organization's requirements.

Cloning keeps all object Security IDs (SIDs) identical to production, while recreating will generate new SIDs for the objects. Both methods should keep the object names the same, and that is typically the important part. Cloning may be seen by some as a security problem as well, since you end up with a duplicate Active Directory with password hashes intact. I prefer recreation of the directory because it is simpler, safer, more secure and can be extended to pull additional changes from production into test.

Cloning Active Directory (Keep SIDs intact)

Cloning is the more accurate yet the more difficult of the two methods. Cloning is a one-time event, the result of which must forever be disconnected from your production environment so that there is no chance of improper replication. There are two general ways people clone Active Directory. Both methods will require you to implement changes to Active Directory, such as seizing FSMO roles and potentially re-implementing services such as DNS, but with a lot of work it can be done. The result of cloning is that you have a very accurate clone of AD at that moment in time.

Option 1: Create a backup of an Active Directory domain controller, then restore that backup to a new computer (VM or physical host) on a disconnected or sandboxed network. This method can get messy because the restored OS will detect that the hardware changed and you will need to repair the OS. In addition to fixing the OS, you will need to update AD by seizing the FSMO roles with NTDSUTIL, as well as configure a new DNS to work with this new environment.

Option 2: Create a computer on the production network (VM or physical host) and promote it to a domain controller. After it fully replicates, move the domain controller to a completely isolated network so that it has no chance of replicating with the source directory.

Recreation (Copy objects without SIDs)

Recreating is less accurate, but it is vastly simpler and safer. Recreated directories are usually just as useful as a cloned directory, and there is no fear of accidental replication back into production.

Option 1: Set up a new Windows Server (VM or physical host) and install DNS and Active Directory; this will be the home of your dev/test directory. When you configure AD, choose a domain name that is similar to, but not the same as, your production domain. For example, if my domain name is bobbobel.com, make the test environment domain name bobbobel.devtest. On a domain controller in your existing production directory, use either the LDIFDE or CSVDE utility to export the data in Active Directory. (Technet article on using CSVDE) I prefer CSVDE because the resulting file can be opened and modified in Microsoft Excel, allowing you to find/replace names. Using LDIFDE or CSVDE, import the file into your new domain.

Option 2: Writing a PowerShell script that copies the most important objects from production to a dev/test environment is actually very simple. In this case you create a new host with a new dev/test domain as you would with Option 1, but instead of using LDIFDE or CSVDE you write a PowerShell script that will copy the OU structure, user objects, group objects, group memberships, etc., until you have enough detail to meet your requirements. I like this approach because the scripting that is required is typically one or two lines per object type and examples are easily found on the Internet. I also like this option because you get ultimate control over what you copy into dev/test, and you can delete your dev/test objects and re-run the scripts to get an up-to-date picture of your current production environment.

Conclusion

Having used both cloning and recreating, I have rarely run into a situation where re-creating the directory did not meet my requirements. For dev/test I almost never need the SIDs or passwords to be identical to production, and I never enjoy dealing with FSMO role transfers or repairing the OS. So in my mind I would always choose re-creating the directory using PowerShell until I ran into some situation that would force me to consider cloning.
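Option 2 of the recreation method (copying OUs, users, groups and memberships with PowerShell), as an added example that is not from the whitepaper or from Cayo Software. It exports only names and distinguished names, so no SIDs or password hashes leave production, and it gives every lab account a random password. The function names, the seed folder and the CSV layout are assumptions made here; the domain names are the whitepaper's own example, and the cmdlets come from the ActiveDirectory (RSAT) module.

```powershell
# Added example, not the whitepaper's own script. Assumed: production bobbobel.com,
# lab bobbobel.devtest, a seed folder carried between them, RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$ProdDN = 'DC=bobbobel,DC=com'
$LabDN  = 'DC=bobbobel,DC=devtest'
function Export-LabSeed([string]$Dir) {            # run in production (read-only)
    # Export names and DNs only: no objectSid, no password attributes leave production.
    Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName |
        Export-Csv "$Dir\ous.csv" -NoTypeInformation
    Get-ADUser -Filter * | Select-Object Name, SamAccountName, DistinguishedName |
        Export-Csv "$Dir\users.csv" -NoTypeInformation
    $groups = Get-ADGroup -Filter * -Properties Member
    $groups | Select-Object Name, SamAccountName, GroupScope, GroupCategory, DistinguishedName |
        Export-Csv "$Dir\groups.csv" -NoTypeInformation
    $rows = foreach ($g in $groups) { foreach ($m in $g.Member) {
        [pscustomobject]@{ Group = $g.SamAccountName; MemberDN = $m } } }
    $rows | Export-Csv "$Dir\members.csv" -NoTypeInformation
}

function ConvertTo-LabDN([string]$DN) { $DN -replace ([regex]::Escape($ProdDN) + '$'), $LabDN }
function Get-ParentDN([string]$DN)    { $DN -replace '^.+?(?<!\\),', '' }   # drop first RDN
function Test-LabObject([string]$DN)  { try { [bool](Get-ADObject -Identity $DN) } catch { $false } }
function New-LabPassword {                          # random; never a production password
    $b = New-Object byte[] 24; [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b)
    ConvertTo-SecureString ('Aa1!' + [Convert]::ToBase64String($b)) -AsPlainText -Force
}
function Import-LabSeed([string]$Dir) {            # run in the lab domain
    # A child DN is always longer than its parent's DN, so length order creates parents first.
    foreach ($o in (Import-Csv "$Dir\ous.csv" | Sort-Object { $_.DistinguishedName.Length })) {
        $dn = ConvertTo-LabDN $o.DistinguishedName
        if (-not (Test-LabObject $dn)) { New-ADOrganizationalUnit -Name $o.Name -Path (Get-ParentDN $dn) }
    }
    foreach ($u in (Import-Csv "$Dir\users.csv")) {
        $dn = ConvertTo-LabDN $u.DistinguishedName   # built-ins (Administrator, krbtgt) already exist
        if (-not (Test-LabObject $dn)) {
            New-ADUser -Name $u.Name -SamAccountName $u.SamAccountName -Path (Get-ParentDN $dn) `
                -AccountPassword (New-LabPassword) -Enabled $true }
    }
    foreach ($g in (Import-Csv "$Dir\groups.csv")) {
        $dn = ConvertTo-LabDN $g.DistinguishedName
        if (-not (Test-LabObject $dn)) {
            New-ADGroup -Name $g.Name -SamAccountName $g.SamAccountName -Path (Get-ParentDN $dn) `
                -GroupScope $g.GroupScope -GroupCategory $g.GroupCategory }
    }
    foreach ($m in (Import-Csv "$Dir\members.csv")) {   # members not recreated in the lab are skipped
        try { Add-ADGroupMember -Identity $m.Group -Members (ConvertTo-LabDN $m.MemberDN) -ErrorAction Stop }
        catch { Write-Warning "Skipped $($m.MemberDN) in $($m.Group): $($_.Exception.Message)" }
    }
}
```

Run `Export-LabSeed` on a production-joined host, carry the folder to the lab, and run `Import-LabSeed` there; because objects that already exist are skipped, the import can be re-run after deleting lab objects to refresh the copy.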

Cayo Software

To get additional practical whitepapers from Cayo Software, please visit www.cayosoft.com.

Copyright 2013 Cayo Software Inc. ALL RIGHTS RESERVED. This document is protected by copyright. No part of this document may be reproduced or transmitted for any purpose other than the reader's personal use without the written permission of Cayo Software, LLC.

WARRANTY

The information contained in this document is subject to change without notice. Cayo Software makes no warranty of any kind with respect to this information. CAYO SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Cayo Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

TRADEMARKS

Cayo and Cayo Software are trademarks of Cayo Software, LLC. in the United States of America and other countries. Other trademarks and registered trademarks used in this document are property of their respective owners. For additional information please see our web site at www.cayosoft.com.
