Cloning, synchronization of two identical AD

Mountain Pond 1,431 Reputation points
2022-05-07T21:36:14.817+00:00

Dear professionals. Everyone has experienced the problem of having a test environment with an isolated domain, in which it is important to have actual objects.

I need to synchronize two identical (same domain) separated ADs. I confess the prod AD is AWS Directory Service; the second AD is also AWS Directory Service, but it is a test environment.

Spent some time looking for a solution.

  1. ADMT - not suitable, because it works with domains directly (can't export). If the two domains are identical, ADMT will not work. But it knows how to transfer passwords.
  2. Backup and restore is too heavy and cannot be automated. An exception is the transfer of a virtual machine image, but unfortunately this is not possible in my scenario.
  3. Using ldifde. It does not know how to transfer passwords and is morally obsolete.
  4. Writing a PowerShell script. It won't be difficult, I've been automating with PowerShell scripts for a long time. But, unfortunately, the password cannot be transferred either.

The main problem is password transfer.

Perhaps someone has been able to implement AD synchronization with a test environment?

Thank you.

P.S. What if I do it like this?
prod.contoso.com (prod) -> admt sync -> transfer.contoso.com -> admt sync -> prod.contoso.com (lab clone)
some madness :)


Accepted answer
Pierre Audonnet - MSFT, Microsoft Employee
2022-05-09T14:36:22.417+00:00

    Passwords aren't the only issue with recreating the account. They will also have different security identifiers and will lose their previously configured access.
    Unfortunately, there is no built-in migration path between identical domains. You could use the strategy you added in your post scriptum and use a temporary domain in between. Then you can use ADMT. Extra work, but it does work.
    Or you could have the option of recreating stuff from scratch and handle the password manually (the password will not be migrated). Which isn't a bad idea as it would give you the occasion to implement things such as this: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations
    There's effort involved in both.

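Added example, not code from the question or the accepted answer: the "PowerShell script" option from the question and the "recreate from scratch and handle the password manually" route from the answer, as one script. It copies enabled users from the prod domain into the lab domain, gives each newly created lab account a random temporary password (hashes cannot be read over LDAP) with change-at-first-logon set, and only refreshes attributes on accounts that already exist. It assumes the RSAT ActiveDirectory module, reachability to a DC in each environment and separate credentials; the server names and OUs are placeholders.

```powershell
# Added example: copy prod users into the lab domain without passwords or SIDs.
# Assumes RSAT ActiveDirectory, a reachable DC on each side, separate credentials.
# Every server name and OU below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory
$ProdDC   = 'dc1.prod.example'                    # placeholder
$LabDC    = 'dc1.lab.example'                     # placeholder
$ProdOU   = 'OU=Staff,DC=contoso,DC=com'          # placeholder source OU
$LabOU    = 'OU=Users,OU=corp,DC=contoso,DC=com'  # placeholder target OU
$ProdCred = Get-Credential -Message 'Prod account (read-only is enough)'
$LabCred  = Get-Credential -Message 'Lab account with create-user rights'
# Attributes worth copying; objectSid and password data are deliberately absent.
$Copy = 'GivenName','Surname','DisplayName','EmailAddress','Department','Title'
function Get-PresentAttributes($User, [string[]]$Names) {
    # Build a splat containing only attributes that actually have a value.
    $h = @{}
    foreach ($n in $Names) { if ($User.$n) { $h[$n] = $User.$n } }
    return $h
}
function New-TempPassword {
    # 20 characters from '!'..'~' drawn from the CSPRNG; meets default complexity.
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { [char](33 + ($_ % 94)) })
}
$prodUsers = Get-ADUser -Server $ProdDC -Credential $ProdCred -SearchBase $ProdOU `
    -Filter 'Enabled -eq $true' -Properties $Copy
$log = foreach ($u in $prodUsers) {
    $props = Get-PresentAttributes $u $Copy
    $lab = Get-ADUser -Server $LabDC -Credential $LabCred `
        -Filter "SamAccountName -eq '$($u.SamAccountName)'"
    if ($lab) {
        # Existing lab object: refresh attributes, leave its lab password untouched.
        Set-ADUser -Server $LabDC -Credential $LabCred -Identity $lab @props
        [pscustomobject]@{ Sam = $u.SamAccountName; Action = 'updated'; TempPassword = '' }
    } else {
        $pw = New-TempPassword
        New-ADUser -Server $LabDC -Credential $LabCred -Path $LabOU @props `
            -Name $u.Name -SamAccountName $u.SamAccountName `
            -UserPrincipalName $u.UserPrincipalName -Enabled $true `
            -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
            -ChangePasswordAtLogon $true
        [pscustomobject]@{ Sam = $u.SamAccountName; Action = 'created'; TempPassword = $pw }
    }
}
# New objects get new SIDs: re-apply group membership and ACLs by name, not by SID.
$log | Export-Csv -Path .\lab-sync-log.csv -NoTypeInformation
```

The CSV of temporary passwords is sensitive; hand it to lab users out of band and delete it afterwards.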
