Duplicating a domain - which method would you use?

I am working on getting a change management lab set up here at work, and need some advice as to how to do it. I think I've asked this before, but now that I've done a lot more research and thinking about the topic and am ready to move forward, I have a much more specific question.

So, this is a Windows 2000 domain with some *nix boxes in the mix. For the change management lab I would want to have all the same AD objects as I do in production. The way I see it there are 2 different approaches to take. Each has its pros and cons. I would like your professional opinion as to which approach you think is the best, what I should be aware of, and any possible 3rd method I could use but haven't thought about, if you know of one.

1) Bring up a server on my production LAN. Promote it to DC. Move it to the lab, where it is behind a firewall preventing any possible communication between the lab and production which might cause AD problems.

On the lab DC, run ntdsutil to eliminate the production DCs, which are basically phantoms now as far as this machine is concerned. Seize FSMO roles with ntdsutil. Bring up a new BDC as needed. Set up the rest of the lab. Run ntdsutil on the production DCs to remove the lab DC, which is now a phantom as far as the production network is concerned.

2) Bring up a new DC for a new subdomain of my root domain. Export all AD objects from production using ldifde. Import to the new subdomain using ldifde. Recreate the GPOs (I don't think ldifde will grab these).


The problem with the first method is that I can't do a whole lot of external communications testing with it. I can't send email to it, because any email for it would have to end up in my production domain, or there is something very wrong with my mail setup. Also, I need to mess with ntdsutil, which makes me nervous. This is somewhat of a moot point because there is a ghost DC in our AD right now that I need to remove anyway.

The second option may not exactly duplicate our production environment, though. Also, it would become a subdomain in our real AD tree, but I'm not sure if I should consider that a problem or not. Also, I'm not really clear how the import of objects will go. If a user has an associated mydomain.com address, it's going to come in with that, right? So it's going to require a lot of data massaging to get that stuff changed over then.

If anyone has any firsthand experience with this, let me know. I've got several pages of docs written up so far and I'm ready to get going with this, but want to make sure I take the right approach.

TIA,
billy ocean
 
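The data massaging that the second approach needs, written up as an added example (this is not code from the original post; the domain names, the attribute list and the sample objects in it are assumptions): a Python rewriter for an ldifde export that re-roots every DN onto the lab subdomain, re-domains mail, userPrincipalName and proxyAddresses values, drops attributes the directory generates itself, leaves Schema and Configuration DNs alone because a subdomain shares those partitions with the forest root, and orders parent containers before their children so the import does not fail on a child whose OU has not been created yet.

```python
"""Rewrite an ldifde export for import into a lab subdomain: re-root DNs, re-domain
mail, drop directory-generated attributes, order parents before children.
Every domain, attribute list and sample object here is a constructed assumption."""
import base64
import re

SRC_DN, DST_DN = "DC=mydomain,DC=com", "DC=lab,DC=mydomain,DC=com"  # assumed names
SRC_MAIL, DST_MAIL = "mydomain.com", "lab.mydomain.com"              # assumed names
# Set by the directory on import (extend after a trial import); memberOf is a
# back-link that the lab rebuilds from the groups' own 'member' values.
DROP_ATTRS = {"objectguid", "objectsid", "usncreated", "usnchanged", "whencreated",
              "whenchanged", "samaccounttype", "memberof", "primarygroupid",
              "pwdlastset", "lastlogon", "name"}
DN_ATTRS = {"dn", "member", "manager", "managedby", "objectcategory"}
MAIL_ATTRS = {"mail", "userprincipalname", "proxyaddresses", "targetaddress"}

def parse(text):
    """LDIF -> list of records, each a list of (attr, value); folded lines are
    joined, '::' values base64-decoded (left as bytes when not UTF-8)."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        rec = []
        for line in re.sub(r"\n ", "", block).split("\n"):
            m = re.match(r"([^:#][^:]*)(::?) ?(.*)", line)  # skips '#' comments
            if not m:
                continue
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value)
                try:
                    value = value.decode("utf-8")
                except UnicodeDecodeError:
                    pass
            rec.append((name, value))
        records.append(rec)
    return records

def record_dn(rec):
    return next(v for n, v in rec if n.lower() == "dn")

def rewrite_dn(dn):
    # Schema/Configuration are forest-wide and shared by the subdomain, so those
    # DNs keep the production suffix; the endswith test makes the rewrite idempotent.
    low = dn.lower()
    if "cn=configuration," in low or low.endswith(DST_DN.lower()):
        return dn
    return re.sub(re.escape(SRC_DN) + "$", DST_DN, dn, flags=re.I)

def rewrite_mail(value):  # 'user@mydomain.com' and 'SMTP:user@mydomain.com' alike
    return re.sub("@" + re.escape(SRC_MAIL) + "$", "@" + DST_MAIL, value, flags=re.I)

def transform(records):
    def fix(name, value):
        key = name.lower()
        if isinstance(value, str) and key in DN_ATTRS:
            return rewrite_dn(value)
        if isinstance(value, str) and key in MAIL_ATTRS:
            return rewrite_mail(value)
        return value
    out = [[(n, fix(n, v)) for n, v in rec if n.lower() not in DROP_ATTRS]
           for rec in records]
    # ldifde imports in file order and cannot add a child before its parent exists.
    return sorted(out, key=lambda r: len(re.split(r"(?<!\\),", record_dn(r))))

def serialize(records):
    out = []
    for rec in records:
        for name, value in rec:
            if isinstance(value, str) and value.isascii() and value == value.strip() \
                    and value[:1] not in (":", "<"):
                out.append(f"{name}: {value}")
            else:  # LDIF needs base64 for binary, non-ASCII or unsafe-leading values
                data = value if isinstance(value, bytes) else value.encode()
                out.append(f"{name}:: {base64.b64encode(data).decode()}")
        out.append("")
    return "\n".join(out)

def rewrite_ldif(text):
    return serialize(transform(parse(text)))

# Constructed sample: a user listed before its own OU, a base64 manager DN (ldifde
# encodes non-ASCII values that way) and a folded description line.
_MGR = base64.b64encode("CN=José García,OU=Sales,DC=mydomain,DC=com".encode()).decode()
SAMPLE_EXPORT = f"""\
dn: CN=Jane Doe,OU=Sales,DC=mydomain,DC=com
changetype: add
objectClass: user
userPrincipalName: jdoe@mydomain.com
mail: jdoe@mydomain.com
proxyAddresses: SMTP:jdoe@mydomain.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=com
manager:: {_MGR}
memberOf: CN=Sales Staff,OU=Sales,DC=mydomain,DC=com
objectGUID:: 3q2+78r+ur7erb7v3q2+7w==
description: Sales rep,
  imported from production

dn: OU=Sales,DC=mydomain,DC=com
changetype: add
objectClass: organizationalUnit
whenCreated: 20020115093000.0Z
"""
```

Export with something like `ldifde -f prod.ldf -d "DC=mydomain,DC=com" -r "(objectClass=*)"` (base and filter assumed), run the rewriter over the file, and import the result on the lab DC with `ldifde -i -f lab.ldf`; ldifde's own `-c FromDN ToDN` switch does the DN substitution but not the mail rewrite or the attribute pruning. Passwords never leave production this way (unicodePwd is not exported), GPOs are not objects in the file and still have to be recreated, and the file still carries the production OU and group structure, so the lab and the export need the same protection as production.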