Duplicate AD domain (users & groups)

active-directory

Imagine our AD domain is currently called DOMAIN1 but we want it to be called DOMAIN2. I know that we can't rename the domain because we've got Exchange servers in there so basically we're looking at a relatively major migration project. Parking servers & computers for now but we've got a reasonable number of users accounts and groups in DOMAIN1 and we'd like the exactly same in DOMAIN2.

So for example, my user account is domain1\rob.nicholson in the "IT Support" OU and I'm a member of domain1\group1 and domain1\group2. So OU "domain2\IT Support" needs creating (with same metadata), domain2\rob.nicholson needs creating (copying metadata again), domain2\group2 created, me added to it etc etc.

I'm looking for a tool that will, in effect, duplicate the AD structure in domain1 in domain2 for some objects, but not all (e.g. don't bother with computers).

Do such tools exist or am I barking up completely the wrong tree? No problem with considering commercial tools.

Suggestions for a good search term for this process appreciated as well.

Best Answer

You can try AD Migration Tool, which allows to migrate users, groups, and computers between AD DS domains in different forests (inter-forest migration) or between AD DS domains in the same forest (intra-forest migration)

Active Directory Migration Tool version 3.1

ADMT actually doesn't allow to migrate OU structure, for that purpose you can use LDIFDE tool. Below is a link to the article which describes the process in details

How to migrate OU structure from one domain to another

Related Solutions

Can’t add client machine to windows server 2008 domain controller

You are correct-- Active Directory has strong dependencies on DNS.

To make this easy, you should install the Microsoft DNS server onto the domain controller computer and configure it to use itself for DNS. Your ISP's DNS servers probably don't support the dynamic updates that would make life w/ Active Directory easy (and they probably won't configure a zone for your AD domain's name anyway).

You can optionally configure your ISP's DNS server as a "Forwarder" in the DNS server you run to allow queries your DNS server can't answer to be sent on to your ISP, but the Microsoft DNS server will resolve queries to the root DNS servers in its "stock" configuration. Not using your ISP's DNS server really isn't a big deal, though.

Configure the machines that you'd like to join your domain to use your domain controller's DNS server as their only DNS server. Don't specify any other DNS servers on any of the machines. They should be using your Microsoft DNS server's IP address as their exclusive DNS server.

That'll get you over the problem of not being able to join your other machines to the domain. Be sure, when you try to join the domain from these machines, that you specify the fully-qualified domain name (and, if necessary, check with "nslookup" to see that they can resolve the domain's name to an "A" record that refers to the domain controller computer). If you've tried several times and it's still not working you may want to flush the DNS cache on the machine you're trying to join by running an "ipconfig /flushdns" from an elevated command-prompt.

You can use whatever name you want for your Active Directory domain's DNS name. Only your servers will be using a DNS server that "knows about" your domain, so you can choose any name you want. Bear in mind that your DNS server is going to be "authoritative" for that domain. If you choose "microsoft.com" as your Active Directory domain name, for example, your domain-member computers won't be able to resolve "real" names in the "microsoft.com" namespace (since your DNS server will think that it "owns" the "microsoft.com" domain).

I recommend that you either use a subdomain of a domain name you already own, like "ad.company.com", or that you use a domain with the ".local" suffix (some people say that using ".local" isn't "proper" since no RFC calls it out as being reserved). I prefer the "ad.company.com" style names. It looks like you've already installed AD, though, so your name choice is somewhat "set". (It's possible to rename a domain, and not really too difficult, but in this case it might be better to uninstall and reinstall AD.)

How to find out what AD groups I’m a member of

Try running gpresult /R for RSoP summary or gpresult /V for verbose output from the command line as an administrator on the computer. It should output something like this:

C:\Windows\system32>gpresult /V

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 2/10/2010 at 10:27:41 AM


RSOP data for OQMSupport01\- on OQMSUPPORT01 : Logging Mode
------------------------------------------------------------

OS Configuration:            Standalone Workstation
OS Version:                  6.1.7600
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\-
Connected over a slow link?: No


COMPUTER SETTINGS
------------------

    Last time Group Policy was applied: 2/10/2010 at 10:16:09 AM
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        OQMSUPPORT01
    Domain Type:                        <Local Computer>

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        System Mandatory Level
        Everyone
        Debugger Users
        IIS_WPG
        SQLServer2005MSSQLUser$OQMSUPPORT01$ACT7
        SQLServerMSSQLServerADHelperUser$OQMSUPPORT01
        BUILTIN\Users
        NT AUTHORITY\SERVICE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        BDESVC
        BITS
        CertPropSvc
        EapHost
        hkmsvc
        IKEEXT
        iphlpsvc
        LanmanServer
        MMCSS
        MSiSCSI
        RasAuto
        RasMan
        RemoteAccess
        Schedule
        SCPolicySvc
        SENS
        SessionEnv
        SharedAccess
        ShellHWDetection
        wercplsupport
        Winmgmt
        wuauserv
        LOCAL
        BUILTIN\Administrators

USER SETTINGS
--------------

    Last time Group Policy was applied: 2/10/2010 at 10:00:51 AM
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        OQMSupport01
    Domain Type:                        <Local Computer>

    The user is a part of the following security groups
    ---------------------------------------------------
        None
        Everyone
        Debugger Users
        HomeUsers
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        NTLM Authentication
        High Mandatory Level

    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Change the time zone
        Create symbolic links
        Increase a process working set

Or if you are logged in to a Windows Server OS with the ActiveDirectory PowerShell Module (or Client OS with the Remote Server Administration Tools) try the Get-ADPrincipalGroupMembership cmdlet:

C:\Users\username\Documents> Get-ADPrincipalGroupMembership username | Select name

name
----
Domain Users
All
Announcements
employees_US
remotes
ceo-report
all-engineering
not-sales
Global-NotSales

Best Answer

Related Solutions

Can’t add client machine to windows server 2008 domain controller

How to find out what AD groups I’m a member of

Related Topic