Cloning, synchronization of two identical AD

Asked by DenisPasternak-3587 (edited by piaudonn)

Dear professionals. Everyone has experienced the problem of having a test environment with an isolated domain, in which it is important to have actual objects.

I need to synchronize two identical (same domain) separated ADs. I confess prod AD is AWS Directory Service, the second AD is also AWS Directory Service but is a test environment.

I spent some time looking for a solution.
1. ADMT - not suitable, because it works with domains directly (can't export). If the two domains are identical, ADMT will not work. But it knows how to transfer passwords.
2. Backup and restore is too heavy and cannot be automated. An exception is the transfer of a virtual machine image, but unfortunately this is not possible in my scenario.
3. Using ldifde. It does not know how to transfer passwords and is obsolete.
4. Writing a PowerShell script. It won't be difficult; I've been automating with PowerShell scripts for a long time. But, unfortunately, the password cannot be transferred either.

The main problem is password transfer.

Perhaps someone was able to implement AD synchronization with the test environment?

Thank you.

P.S. What if I do it like this?
prod.contoso.com (prod) -> admt sync -> transfer.contoso.com -> admt sync -> prod.contoso.com (lab clone)
Some madness :)

Tags: windows-server, windows-active-directory

1 Answer

Answered by piaudonn (edited)

Passwords aren't the only issue with recreating the account. They will also have different security identifiers and will lose their previously configured access.
Unfortunately, there is no built-in migration path between identical domains. You could use the strategy you added in your post scriptum and use a temporary domain in between. Then you can use ADMT. Extra work, but it does work.
Or you could have the option of recreating stuff from scratch and handle the password manually (the password will not be migrated). Which isn't a bad idea as it would give you the occasion to implement things such as this: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations
There's effort involved in both.
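An added example (not code from the question or the answer) of the "recreate from scratch, handle the password manually" route that item 4 of the question and this answer describe: it exports user attributes from the prod domain and recreates the accounts in the isolated lab domain with fresh random passwords. It assumes the RSAT ActiveDirectory module is installed, that the running account can read prod and create users in the lab OU, and that `$ProdServer`, `$LabServer` and `$LabOU` are placeholders for your environment.

```powershell
Import-Module ActiveDirectory

$ProdServer = 'dc01.prod.contoso.com'                  # placeholder: a prod DC
$LabServer  = 'dc01.lab.contoso.com'                   # placeholder: a lab DC
$LabOU      = 'OU=Users,OU=contoso,DC=contoso,DC=com'  # placeholder: an OU you can write to
$Export     = 'C:\temp\prod-users.csv'

# Attributes that can be copied. Password hashes and SIDs cannot be read out of
# prod, so the lab accounts get new passwords and new SIDs (no ACL or group carry-over).
$Attrs = 'SamAccountName','UserPrincipalName','GivenName','Surname','DisplayName','Description'

# Step 1: export enabled users from prod to a CSV (no secrets end up in the file).
Get-ADUser -Server $ProdServer -Filter 'Enabled -eq $true' -Properties $Attrs |
    Select-Object $Attrs |
    Export-Csv -Path $Export -NoTypeInformation -Encoding UTF8

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG, base64 encoded: 32 chars, satisfies any complexity policy.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

# Step 2: recreate the accounts in the lab. Each user gets a throwaway random password
# and must change it at first logon; existing lab accounts are left untouched (idempotent re-runs).
foreach ($u in Import-Csv -Path $Export) {
    $sam = $u.SamAccountName
    if (Get-ADUser -Server $LabServer -Filter "SamAccountName -eq '$sam'") {
        Write-Verbose "Skipping $sam : already exists in lab"
        continue
    }
    $pw = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    $params = @{
        Server = $LabServer; Path = $LabOU
        Name = $sam; SamAccountName = $sam
        UserPrincipalName = $u.UserPrincipalName
        AccountPassword = $pw; ChangePasswordAtLogon = $true; Enabled = $true
    }
    # Only pass optional attributes that are actually populated in the export.
    foreach ($a in 'GivenName','Surname','DisplayName','Description') {
        if ($u.$a) { $params[$a] = $u.$a }
    }
    New-ADUser @params
    Write-Verbose "Created $sam in $LabOU"
}
```

Group memberships and ACLs that referenced the old SIDs have to be re-applied in the lab separately, exactly as the answer warns.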
