Domain Cloning

 
 
Venkat
08-01-2008
Hi,

We are working on a divestiture project with very tight timelines and hence
we decided to clone the AD environment. Please let us know the drawbacks or
any potential issues that may arise. The exact steps we intend to follow:

1. Install additional Domain Controllers and copy the entire directory - Owned
by the new entity
2. Backup all the user data (home folders, profiles etc) and restore it on a
FS owned by the new entity
3. Change the login script/profile paths to reflect the new FS where the
profiles and data are stored
4. Ensure that AD DNS namespace is not published on internet
5. Add the new physical subnets and sites into AD
6. On the day when the network is separated, seize the Forest and Domain FSMO
roles - Ensure that both AD Forests never talk to each other
7. We are all set

I am presuming that the end user workstations need not be touched at all, if
this approach is adopted.

Kindly share your views.

Regards
Venkat


 
Meinolf Weber
08-01-2008
Hello VENKAT,

What's the reason for having an exact same domain? You then also have all
SIDs doubled. Please describe more in detail the reason for this clone.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Venkat
08-02-2008
As I described, time is a critical factor in this divestiture, hence this
approach. With regard to the double SIDs, we are planning to have a separate
project once the divestiture happens to migrate to a clean directory. At this
point migrating users and resources using any tool is ruled out.

Regards
Venkat

Jorge de Almeida Pinto [MVP - DS]
08-03-2008
It may seem a very good idea, but depending on requirements it may also be a
very bad idea. And... if I'm not mistaken, MS does not support it.

Also see:
http://blogs.dirteam.com/blogs/jorge...Scenarios.aspx

What tasks/actions do you think you do not need to do, or which
tasks/actions do you need to do for each scenario? Think about how much time
you will really save from cloning.

Cloning an AD is not the first thing I would recommend.

What I would recommend (or something similar with some other tools):
http://blogs.dirteam.com/blogs/jorge...rver-2008.aspx
http://blogs.dirteam.com/blogs/jorge...th-ADMTv3.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* How to ask a question --> http://support.microsoft.com/?id=555375
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

Venkat
08-03-2008
I agree, I wouldn't do it myself personally, however I would like to know
what are the possible components that can break (even if we ensure that the
two forests never talk to each other).

Regards
Vish

kj [SBS MVP]
08-03-2008
Venkat wrote:
> As I described, time is a critical factor in this divestiture, hence
> this approach. With regard to the double SIDs, we are planning to have a
> separate project once the divestiture happens to migrate to a clean
> directory. At this point migrating users and resources using any tool
> is ruled out.
> Regards
> Venkat


All other mentioned caveats aside (dual Domain GUIDs),

You should clean up and delete orphaned objects (users, computers, and
Domain Controllers) in *each* now separate domain.

I'd also have *every* user password changed in the next few days.

Of course at least one of the two domains should go through a proper
interforest migration process "soon".



--
/kj
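
kj's two clean-up points, sketched as an added example (this is not code from kj's post or from any tool named in the thread): it flags accounts whose password predates the split, since the same secret exists in the other forest's copy of the directory, and objects that have not logged on in this forest since the split. It assumes a CSV export of one forest with the standard AD attributes in the header row; the account names, the split date and the function names are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x2  # userAccountControl bit: account is disabled

# Constructed sample, not data from the thread: a CSV export of one forest
# taken after the split. pwdLastSet and lastLogonTimestamp are raw FILETIME
# values (100 ns ticks since 1601-01-01 UTC), as AD stores them.
SAMPLE_EXPORT = """\
sAMAccountName,objectClass,userAccountControl,pwdLastSet,lastLogonTimestamp
alice,user,512,128567520000000000,128654784000000000
bob,user,512,128648736000000000,128656512000000000
carol,user,512,128540736000000000,128643552000000000
PC-042$,computer,4096,128632320000000000,128644416000000000
dave,user,514,128540736000000000,
"""

def filetime_to_dt(raw):
    """Convert a FILETIME string to an aware datetime; 0 or empty means never."""
    value = int(raw) if raw and raw.strip() else 0
    if value == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def review_clone(export_text, split_date):
    """Return (needs_password_change, orphan_candidates) for one forest.

    Assumes the export was taken more than 14 days after the split, because
    lastLogonTimestamp is updated lazily and can lag real logons by that much.
    """
    needs_password_change, orphan_candidates = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["sAMAccountName"]
        disabled = int(row["userAccountControl"]) & UF_ACCOUNTDISABLE
        pwd_set = filetime_to_dt(row["pwdLastSet"])
        last_logon = filetime_to_dt(row["lastLogonTimestamp"])
        if last_logon is None or last_logon < split_date:
            # Not seen in this forest since the split: likely the other
            # entity's object, so a candidate for clean-up here.
            orphan_candidates.append(name)
        elif not disabled and (pwd_set is None or pwd_set < split_date):
            # In use here, but its secret was set before the split and so
            # also exists in the other forest's copy of the directory.
            needs_password_change.append(name)
    return needs_password_change, orphan_candidates

if __name__ == "__main__":
    split = datetime(2008, 9, 1, tzinfo=timezone.utc)  # hypothetical split date
    stale_secrets, orphans = review_clone(SAMPLE_EXPORT, split)
    print("change password:", stale_secrets)
    print("review for deletion:", orphans)
```

Orphan candidates are a review list, not a delete list: confirm ownership with the other entity before removing anything.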


 
David Shen [MSFT]
08-04-2008
Dear Customer,

Thank you for posting in newsgroup. And thanks to the community members for
the contribution.

According to the description, my understanding is that you want to clone
the Active Directory entity to another domain controller and want to know
the drawbacks or any potential issues that may arise. If I have any
misunderstanding, please feel free to let me know.

Based on the experience, here is some information which may be helpful for
you.

Analysis and Suggestion:
=====================

I agree with Jorge. Since it will cause a double SID issue and a double GUID
issue, cloning an Active Directory entity is not recommended. Also, seizing
the Forest and Domain FSMO roles is not recommended. We suggest that you
perform a domain migration with the ADMT utility. With ADMT, you can
perform the security translation and this won't cause a duplicated SID issue.
You can also migrate the user profiles to the new domain. There is no
need to seize FSMO after we perform the domain migration with ADMT.

For your convenience, I have listed the general steps to perform an ADMT
migration as follows.

General Steps:
==================

1. As always, domain migrations are complicated tasks. Please perform
complete backup first for recovery purposes.

2. We are able to establish a trust relationship between the two root
domains in different forests, and then use ADMT with the following three
wizards to migrate the group accounts, user accounts, client computers and
file permissions:

Group Account Migration Wizard
User Account Migration Wizard
Computer Migration Wizard
Security Translation Wizard

3. It is recommended that we install ADMT on target domain's PDC Emulator.
And it is recommended that we use administrator credential of source domain
to logon the target domain from source domain controller.

4. ADMT checks its database file for information regarding the previously
migrated user objects and then determines how to migrate user profiles and
NTFS folders permissions when migrating computers. Therefore, it is better
to only install one ADMT host machine.

5. The account that runs ADMT must have administrator privileges on both
domains, and also needs to be a member of the local administrators group
when migrating computer objects.

6. It is recommended to perform the migration in the following order:

Domain Global Group
Domain Local Group
User Account
Computer Account

7. Please migrate the groups and users separately (do not migrate the
associated group members when migrating the groups).

During the group migration, please use the following configurations:

[Group Options]
Copy group members: Not Checked
Fix membership of group: Checked

During the user migration, please use the following configurations:

[User Options]
Migrate associated user groups: Not Checked
Fix users' group memberships: Checked

Reference:
============

ADMT v3 Migration Guide
http://www.microsoft.com/downloads/d...770-3BBB-4B9E-A8BC-01E9F7EF7342&displaylang=en

How to use Active Directory Migration Tool version 2 to migrate from
Windows 2000 to Windows Server 2003
http://support.microsoft.com/kb/326480/en-us

If this problem is urgent and important, I would like to suggest that you
contact Microsoft Product Support Services via telephone so that a
dedicated efficient Support Professional can assist with this request. To
obtain the phone numbers for a specific technology request, please take a
look at the web site listed below.

http://support.microsoft.com/default...S;PHONENUMBERS

If you are outside the US please see http://support.microsoft.com for
regional support phone numbers.

Hope the issue will be resolved soon.

David Shen
Microsoft Online Partner Support

 
David Shen [MSFT]
08-05-2008
Dear Customer,

I am just writing to see how everything is going. If you have any updates
or need any further assistance on this issue, please feel free to let me
know. I am glad to be of assistance.

David Shen
Microsoft Online Partner Support

 
Venkat
08-06-2008
Thanks David for the support. I have proposed to consider the migration
route... which will ensure a clean and pristine environment from day 1.

Venkat

David Shen [MSFT]
08-07-2008
Hello Venkat,

I am glad that the information can help you. If you have other questions,
you are welcome to post to the newsgroup again.

David Shen
Microsoft Online Partner Support

 