AD DS Replication to lab security concerns

    Question

  • Upper level management wants us to create a DC, wait for replication to occur, disconnect it, and then put it in the lab to mirror production. Obviously, we don't want to do this for security reasons (SIDs, passwords, etc.), and also for the clean up effort since it is a very large production environment.

    I've used CreateXMLfromEnvironment and vice versa before in the GPMC scripts. And, we are using PowerShell now in another lab to just use the OU structure with a GPOs backup/restore.

    However, I can't find anything that will support my stance. Does anyone know of anything semi-official that doesn't recommend this approach?

    Wednesday, March 8, 2017 3:45 PM
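The OU-structure-plus-GPO-backup approach the question describes, written out as an added example (not code from the thread or from Microsoft): it exports only the OU tree and GPO backups from production and rebuilds them in an isolated lab, so NTDS.dit, SIDs and password hashes never leave production. It assumes RSAT (the ActiveDirectory and GroupPolicy modules); the server names, domain DNs and export path are placeholders.

```powershell
# Added example, not code from the thread. Builds an isolated lab domain from the
# production OU tree and GPO backups only; no users, groups, SIDs or password hashes
# leave production because NTDS.dit is never replicated.
# Assumes RSAT (ActiveDirectory + GroupPolicy modules). All names and paths are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Export-OuAndGpoSkeleton {
    param(
        [Parameter(Mandatory)][string]$Server,   # a production DC (placeholder)
        [Parameter(Mandatory)][string]$Path      # export folder, copied to the lab by hand
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # Structural attributes only; sorted by DN length so parents precede children on import.
    Get-ADOrganizationalUnit -Server $Server -Filter * -Properties Description, LinkedGroupPolicyObjects |
        Sort-Object { $_.DistinguishedName.Length } |
        Select-Object Name, DistinguishedName, Description, LinkedGroupPolicyObjects |
        Export-Clixml -Path (Join-Path $Path 'ou-tree.xml')

    # Backup-GPO writes each GPO's settings under $Path and returns one object per backup
    # (DisplayName, GpoId, backup Id); that manifest is what the import uses to re-link.
    Backup-GPO -Server $Server -All -Path $Path |
        Select-Object DisplayName, GpoId, Id |
        Export-Clixml -Path (Join-Path $Path 'gpo-manifest.xml')
}

function Import-OuAndGpoSkeleton {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ProdDN,   # e.g. 'DC=corp,DC=example' (placeholder)
        [Parameter(Mandatory)][string]$LabDN,    # e.g. 'DC=lab,DC=example'  (placeholder)
        [string]$MigrationTable                  # optional .migtable to remap SIDs/UNC paths
    )
    $ous  = Import-Clixml -Path (Join-Path $Path 'ou-tree.xml')
    $gpos = Import-Clixml -Path (Join-Path $Path 'gpo-manifest.xml')

    # 1. Recreate every GPO in the lab under its production display name.
    foreach ($g in $gpos) {
        $importArgs = @{ BackupId = $g.Id; Path = $Path; TargetName = $g.DisplayName; CreateIfNeeded = $true }
        if ($MigrationTable) { $importArgs.MigrationTable = $MigrationTable }
        Import-GPO @importArgs | Out-Null
    }

    # 2. Recreate the OU tree, re-rooting each DN from the production domain to the lab domain.
    foreach ($ou in $ous) {
        $labDn  = $ou.DistinguishedName -replace ([regex]::Escape($ProdDN) + '$'), $LabDN
        $parent = $labDn -replace '^OU=[^,]+,', ''
        try { $exists = Get-ADOrganizationalUnit -Identity $labDn } catch { $exists = $null }
        if (-not $exists) {
            $newArgs = @{ Name = $ou.Name; Path = $parent }
            if ($ou.Description) { $newArgs.Description = $ou.Description }
            New-ADOrganizationalUnit @newArgs
        }

        # 3. Re-link GPOs: the production link DN carries the GPO GUID, which the manifest maps
        #    back to a display name that now exists in the lab.
        foreach ($linkDn in @($ou.LinkedGroupPolicyObjects | Where-Object { $_ })) {
            if ($linkDn -match '\{([0-9A-Fa-f-]+)\}') {
                $guid = $Matches[1]
                $g = $gpos | Where-Object { $_.GpoId.ToString() -ieq $guid }
                if ($g) { New-GPLink -Name $g.DisplayName -Target $labDn -ErrorAction SilentlyContinue | Out-Null }
            }
        }
    }
}

# Usage (export against production, copy the folder across the air gap, import in the lab):
# Export-OuAndGpoSkeleton -Server 'dc01.corp.example' -Path 'C:\ADLabExport'
# Import-OuAndGpoSkeleton -Path 'C:\ADLabExport' -ProdDN 'DC=corp,DC=example' -LabDN 'DC=lab,DC=example'
```

One caveat worth checking before the import: GPO backups can still embed production SIDs and UNC paths (security filtering, Restricted Groups, user-rights assignments, script paths). Those are what the optional migration table passed to Import-GPO is for; review the backups for such references rather than assuming the settings are domain-neutral.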

All replies

  • Hi

You're right, it's strongly not recommended; possibly issues will occur, like lingering objects, USN rollbacks, etc.

    Lingering Objects; https://support.microsoft.com/en-us/help/910205/information-about-lingering-objects-in-a-windows-server-active-directory-forest

    USN rollbacks; https://support.microsoft.com/en-us/help/875495/how-to-detect-and-recover-from-a-usn-rollback-in-windows-server-2003,-windows-server-2008,-and-windows-server-2008-r2

So you need a successful backup of your DC, and you should also configure additional domain controllers for redundancy (with DNS, GC).

    For testing something, you can configure a lab domain environment completely isolated from production.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Wednesday, March 8, 2017 3:51 PM
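The two failure modes this reply names are exactly what a defender checks for on a DC that was disconnected or restored and then reattached. As an added example (not code from the thread or from Microsoft), the script below looks for the USN rollback symptoms documented in the linked KB 875495 (the "DSA Not Writable" registry value set to 4, Directory Service events 2095 and 2103, a paused Netlogon) and runs repadmin's advisory mode, which only reports lingering objects and removes nothing. It assumes RSAT, repadmin.exe and Windows PowerShell 5.1 (Get-Service -ComputerName); DC names are placeholders.

```powershell
# Added example, not code from the thread. Defender-side checks for the two failure modes
# the linked KB articles describe: USN rollback (KB 875495) and lingering objects (KB 910205).
# Assumes RSAT, repadmin.exe and Windows PowerShell 5.1; DC names are placeholders.
Import-Module ActiveDirectory

function Test-UsnRollbackIndicators {
    param([Parameter(Mandatory)][string]$DC)

    # KB 875495: a DC that detects a rollback sets "DSA Not Writable" = 4 under the NTDS
    # parameters key, logs Directory Service events 2095/2103, and pauses Netlogon.
    $reg = Invoke-Command -ComputerName $DC -ScriptBlock {
        Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                         -Name 'DSA Not Writable' -ErrorAction SilentlyContinue
    }
    $events = Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } -MaxEvents 20
    $netlogon = Get-Service -ComputerName $DC -Name Netlogon

    $dsaNotWritable = [bool]($reg -and $reg.'DSA Not Writable' -eq 4)
    [pscustomobject]@{
        DC             = $DC
        DsaNotWritable = $dsaNotWritable
        RollbackEvents = @($events).Count
        NetlogonStatus = $netlogon.Status
        Suspect        = [bool]($dsaNotWritable -or @($events).Count -gt 0)
    }
}

function Find-LingeringObjects {
    # Reports, but does not remove, objects on $DC that no longer exist on $ReferenceDC.
    param(
        [Parameter(Mandatory)][string]$DC,
        [Parameter(Mandatory)][string]$ReferenceDC,
        [string]$NamingContext = (Get-ADDomain).DistinguishedName
    )
    # repadmin wants the reference DC's NTDS Settings object GUID, not its hostname.
    $ntdsDn  = (Get-ADDomainController -Identity $ReferenceDC).NTDSSettingsObjectDN
    $dsaGuid = (Get-ADObject -Identity $ntdsDn).ObjectGUID

    & repadmin.exe /removelingeringobjects $DC $dsaGuid $NamingContext /advisory_mode

    # With strict replication consistency enabled, event 1988 is logged when a partner
    # tries to replicate a lingering object to this DC.
    Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 1988 } -MaxEvents 20 |
        Select-Object TimeCreated, Id, Message
}

# Usage: Test-UsnRollbackIndicators -DC 'dc02.corp.example'
#        Find-LingeringObjects -DC 'dc02.corp.example' -ReferenceDC 'dc01.corp.example'
```

Run the rollback check against every DC that was offline for any length of time, and run the advisory-mode scan for each naming context the DC hosts (domain, configuration, schema, and any application partitions); the advisory output goes to the Directory Service log, which is why the function also pulls recent events.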
I'm not sure whether there is anything official, but the approach that your upper management intends to take does not yield a mirror of the production environment - since, for the isolated DC to be operational, you would need to perform a fairly significant amount of changes to take into account that the DC will no longer be part of the production AD environment (e.g. remove references to all other domain controllers, seize FSMO roles, etc.)

    In addition, it won't take long before the isolated DC will no longer be in sync with the production anyway.

    hth
    Marcin

    Wednesday, March 8, 2017 3:54 PM
  • > I've used CreateXMLfromEnvironment and vice versa before in the GPMC scripts. And, we are using PowerShell now in another lab to just use the OU structure with a GPOs backup/restore.
     
    That's a quite fair approach, afaik.
     
    > However, I can't find anything that will support my stance. Does anyone know of anything semi-official that doesn't recommend this approach?
     
    Recovery Manager Forest Edition provides such a tool (clone entire forests...)
     
    Wednesday, March 8, 2017 5:36 PM