How to Create a Test Lab from a Production Environment Using Hyper-V and GPMC Scripts
Overview:
The steps that follow involve creating a backup of the production group policies and permissions, OU structures, and user accounts. After that backup is created, it is then copied over to the lab environment and imported into the lab Active Directory environment.
These procedures are recommended as a safer alternative to creating a lab using actual system state, P2V, or other backups of production domain controllers. They are also a “cleaner” option: large environments can contain hundreds of domain controllers, and the cleanup required after a restore operation in the lab (e.g. metadata cleanup) can be quite extensive. Further, to ensure that the lab is properly differentiated from production, the restore method would normally mandate forest/domain renames and complete re-addressing of the IP addressing scheme.
In most cases for lab scenarios, a lab with a similar namespace and imported configurations is more appropriate, and sufficient, as it contains the key AD infrastructure information typically needed for testing.
Detailed Procedures for Creating the Lab AD Environment
Preparations:
1. On a production Windows XP or Windows Server 2003 machine, install the Group Policy Management Console, SP1. This utility can be downloaded here:
This machine will be used to pull the Active Directory infrastructure information from the production environment. No changes are made to the production environment.
2. Next, also install the GPMC SP1 package on one of the domain controllers in the lab environment.
3. There are two main scripts needed to create the OU and GPO structure in the lab, one for export and the other to import. These scripts are located in the C:\Program Files\GPMC\Scripts directory after installing GPMC.
NOTE: Regarding the steps that follow, GPMC only needs to be installed if you are using Windows 2003 servers. It is available within the OS (Add Features) if you are running 2008 and later. However, the scripts are only included with the version for 2003 as referenced in the link above. If you are using 2008 and later, you’ll need at least one 2003 or XP machine on which to install GPMC. For the source (production), you need to INSTALL the GPMC package - don't just copy the scripts over to an existing machine. Otherwise you will get an "Automation server can't create object" error. For the target (lab), you can just copy the scripts over.
4. Create a folder to accept the files, such as c:\temp\labinfo on the source machine (production side) and also in the lab (target side).
5. From the C:\Program Files\GPMC\Scripts directory on the production side (source), open a command prompt and run the following command, which creates an XML file and backs up all GPOs:
cscript createxmlfromenvironment.wsf c:\temp\labinfo\production.xml /TemplatePath:C:\temp\labinfo /IncludeAllGroups /IncludeUsers >c:\temp\labinfo\labinfo.log
Note: the above command should be all on one line
(This will store the xml file and the GPO backups in the labinfo folder)
7. Next, copy the contents of the labinfo folder over to the domain controller in the lab (target), in the same location c:\temp\labinfo.
8. From within the labinfo folder on the lab domain controller (target machine), copy all of the GPO backup folders (all of them have GUIDs for names) to the c:\program files\gpmc\scripts directory on the same lab domain controller.
9. Optional, but highly recommended: take a snapshot of the DCs in the lab (using Hyper-V) in case something goes wrong and you want to roll back. Note that you should never use snapshots to back up production DCs that are virtualized, due to risks such as USN rollback. For labs, though, a snapshot is a convenient way to test changes while retaining the ability to roll back. If you do need to roll back the state of a lab that contains domain controllers, you must roll the whole lab back to the same point in time; otherwise you risk USN rollback, broken secure channels, and other problems. In short, select all the virtual machines, create a snapshot of them at the same time, and if you need to roll back, apply that snapshot to all of them before starting them back up.
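The "snapshot everything at once, roll everything back at once" rule from step 9, as an added PowerShell example that is not part of the original post. It assumes the Hyper-V PowerShell module on the lab host (Windows Server 2012 / Windows 8 or later) and a constructed naming convention in which the lab VMs are the only VMs whose names start with `LAB-`; the function names `New-LabCheckpoint` and `Restore-LabCheckpoint` are the example's own.

```powershell
# Added example (not from the original post): checkpoint every lab VM under one
# common name at the same moment, and refuse to restore unless that checkpoint
# exists on every VM, so the lab's domain controllers never diverge from each other.
Import-Module Hyper-V

# Constructed assumption: lab VMs are the only VMs named 'LAB-*'.
$labVms = Get-VM | Where-Object { $_.Name -like 'LAB-*' }

function New-LabCheckpoint {
    param([string]$Label = 'pre-import')
    # One name, stamped once, shared by all VMs so the set is identifiable later.
    $name = '{0}-{1:yyyyMMdd-HHmm}' -f $Label, (Get-Date)
    foreach ($vm in $labVms) { Checkpoint-VM -VM $vm -SnapshotName $name }
    return $name
}

function Restore-LabCheckpoint {
    param([Parameter(Mandatory = $true)][string]$Name)
    # Rolling back only some DCs is exactly what causes USN rollback and broken
    # secure channels, so a partial set is an error, not a warning.
    $missing = $labVms | Where-Object {
        -not (Get-VMSnapshot -VM $_ -Name $Name -ErrorAction SilentlyContinue)
    }
    if ($missing) {
        $names = ($missing | ForEach-Object { $_.Name }) -join ', '
        throw ('Checkpoint {0} is missing on: {1}' -f $Name, $names)
    }
    # The running state is being discarded anyway, so a hard power-off is fine here.
    $labVms | Stop-VM -TurnOff -Force
    foreach ($vm in $labVms) { Restore-VMSnapshot -VM $vm -Name $Name -Confirm:$false }
    $labVms | Start-VM
}

# Usage, just before step 10:   $cp = New-LabCheckpoint -Label 'pre-import'
# Roll the whole lab back:      Restore-LabCheckpoint -Name $cp
```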
10. Open a command prompt and run the following command from within the c:\program files\gpmc\scripts directory on the lab domain controller (target side) to import and create the environment in the lab:
cscript createenvironmentfromxml.wsf /xml:c:\temp\labinfo\production.xml /CreateUsersEnabled /PasswordForUsers:P@ssw0rd /ImportDefaultGpos
Note: the above command should be all on one line
11. After the script is finished, check the verbose output for errors. Verify that all OUs, user accounts, group policies and GPO permissions have been imported.
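Checking the output by eye does not scale to a large domain, so here is an added PowerShell example (not part of the original post) that turns the redirected export log from step 5 (`c:\temp\labinfo\labinfo.log`) into a checklist of what the lab will be missing. The three message patterns it recognises are the warnings quoted in the comments at the end of this page; the function name `Get-GpmcExportWarnings` and the sample log lines are constructed for the example.

```powershell
# Added example (not from the original post): summarise the warnings emitted by
# createxmlfromenvironment.wsf into the items that need manual follow-up in the lab.

function Get-GpmcExportWarnings {
    param([string[]]$Lines)

    $truncatedGroups = @()   # groups whose membership was cut at the first N members
    $unresolvedSids  = @()   # SIDs the export could not map to an account name
    $droppedPerms    = @()   # principals whose custom GPO permissions were dropped

    foreach ($line in $Lines) {
        if ($line -match '^Group (?<name>.+) contains more than (?<limit>\d+) members\.') {
            $truncatedGroups += $matches['name']
        }
        elseif ($line -match 'security principal \[(?<sid>S-1-5-[0-9-]+)\] referenced in extension \[(?<ext>[^\]]+)\]') {
            # Usually a deleted (or unreachable foreign-domain) principal still
            # referenced by a GPO; worth cleaning up in production, not just the lab.
            $unresolvedSids += ('{0} ({1})' -f $matches['sid'], $matches['ext'])
        }
        elseif ($line -match '^\*\* (?<who>.+) has custom permissions\. These will be dropped\. \*\*$') {
            $droppedPerms += $matches['who']
        }
    }

    New-Object PSObject -Property @{
        TruncatedGroups    = $truncatedGroups
        UnresolvedSids     = @($unresolvedSids | Sort-Object -Unique)
        DroppedPermissions = $droppedPerms
    }
}

# Constructed sample lines in the format of the warnings quoted in the comments
# (the SID is made up). Against a real run use: Get-Content C:\temp\labinfo\labinfo.log
$sampleLog = @(
    'Group Citrix contains more than 100 members.',
    'Any users or groups contained as members after the first 100 will not be added to the XML file.',
    'The security principal [S-1-5-21-1111111111-2222222222-3333333333-1105] referenced in extension [Core Extension] cannot be resolved, but the task will continue. In the future, you can use a migration table to map or remove this security principal.',
    'Details: No mapping between account names and security IDs was done.',
    '** domain admins has custom permissions. These will be dropped. **'
)

$summary = Get-GpmcExportWarnings -Lines $sampleLog

'Groups to re-populate by hand in the lab : {0}' -f ($summary.TruncatedGroups -join ', ')
'Unresolved SIDs referenced by GPOs       : {0}' -f ($summary.UnresolvedSids -join ', ')
'GPO permissions to re-apply in the lab   : {0}' -f ($summary.DroppedPermissions -join ', ')
```

Each list maps to a manual step after the import: finish the membership of the truncated groups, re-grant the dropped GPO permissions, and decide whether the unresolved SIDs should be removed from the source GPOs rather than carried over.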
Additional Screen Shots
Production ADUC:
Production GPMC:
Lab ADUC Before Import:
Lab ADUC after Running Script:
Lab GPMC after Running Script:
OU with explicit ACLs in Production:
OU with Explicit ACLs in Lab after Running Script:
Limitations
1. Customized ACLs on OUs will not import completely, due to an API limitation in GPMC. If numerous OUs in the production environment use customized permissions, those permissions must be reassigned manually or through the use of additional scripts.
2. User accounts must be located in OUs on the production side in order to be brought over by the script. The script will not export/import user accounts from the default Users container in the production environment. If user accounts exist in the default Users container, you may want to move them to an OU before the export, so that the script is able to pick them up.
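Both limitations, plus the 100-member group cut-off reported in the warning quoted in the comments below, can be measured before the export rather than discovered afterwards. The following added PowerShell example (not part of the original post) is a read-only audit of the production domain that lists exactly those objects. It assumes the RSAT ActiveDirectory module (Windows 7 / Server 2008 R2 or later) and a domain account with read access; nothing in it writes to AD. The "baseline ACE" heuristic for step 3 is the example's own, not something GPMC provides.

```powershell
# Added example (not from the original post): run on the source side before step 5.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. Groups with more than 100 members: only the first 100 land in the XML.
#    (Reads every group's member attribute; slow but harmless on a large domain.)
$bigGroups = Get-ADGroup -Filter * -Properties member |
    Where-Object { $_.member.Count -gt 100 } |
    Select-Object Name, @{ n = 'Members'; e = { $_.member.Count } }

# 2. Users directly in the default Users container: not exported unless moved to an OU.
$containerUsers = Get-ADUser -Filter * -SearchBase "CN=Users,$domainDn" -SearchScope OneLevel |
    Select-Object SamAccountName, DistinguishedName

# 3. OUs with explicit (non-inherited) ACEs. Every OU carries the explicit ACEs from
#    the schema's default security descriptor, so (heuristic) an ACE present on every
#    OU is treated as baseline and only the extras are reported; those are the
#    permissions to re-apply in the lab by hand.
$explicitByOu = @{}
foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -LiteralPath ("AD:\" + $ou.DistinguishedName)
    $explicitByOu[$ou.DistinguishedName] = @(
        $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
            '{0} | {1} | {2} | {3}' -f $_.IdentityReference, $_.AccessControlType,
                                       $_.ActiveDirectoryRights, $_.ObjectType
        }
    )
}
$allOus   = @($explicitByOu.Keys)
$baseline = @()
if ($allOus.Count -gt 1) {
    foreach ($ace in $explicitByOu[$allOus[0]]) {
        $onEveryOu = $true
        foreach ($ouDn in $allOus) {
            if ($explicitByOu[$ouDn] -notcontains $ace) { $onEveryOu = $false; break }
        }
        if ($onEveryOu) { $baseline += $ace }
    }
}
$customOus = foreach ($ouDn in $allOus) {
    $extra = @($explicitByOu[$ouDn] | Where-Object { $baseline -notcontains $_ })
    if ($extra.Count -gt 0) {
        New-Object PSObject -Property @{ OU = $ouDn; CustomAces = $extra }
    }
}

'=== Groups with more than 100 members (membership truncated in the XML) ==='
$bigGroups | Format-Table -AutoSize | Out-String
'=== Users in CN=Users (skipped by the export; move to an OU first) ==='
$containerUsers | Format-Table -AutoSize | Out-String
'=== OUs with explicit ACEs beyond the common baseline (re-apply manually in the lab) ==='
foreach ($entry in $customOus) {
    $entry.OU
    $entry.CustomAces | ForEach-Object { "    $_" }
}
```

With a single OU in the domain the baseline is empty and every explicit ACE is reported, which is the conservative outcome. Keep the printed list with the lab's change record, since it is the only complete statement of what the imported environment does not reproduce.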
Comments
Anonymous
January 01, 2003
Nice Post Jim. FYI, you can still use the policy sample scripts with the console provided in Win 7/Server 2008 R2. www.microsoft.com/.../details.aspx
Anonymous
January 01, 2003
Thank you for posting this article! Using this procedure, I've cloned production AD to test AD. I will be using this for a few days before I switch to the next script, which does not have any limitation. I am getting the following warning messages:
Warning-1
============
Group Citrix contains more than 100 members.
Any users or groups contained as members after the first 100 will not be added to the XML file.
Warning-2
===========
The security principal [S-1-5-21-2106337540-1191053186-196506527-44005] referenced in extension [Core Extension] cannot be resolved, but the task will continue. In the future, you can use a migration table to map or remove this security principal.
Details: No mapping between account names and security IDs was done.
Warning-3
===========
** domain admins has custom permissions. These will be dropped. **
Any guess if this can be achieved using a PowerShell script "without" any limitation?
Thank you once again!
Anonymous
August 27, 2013
Thanks for your post. I am also trying to create a test lab, but with a different domain name. Is it possible for me to only back up OU/Users/Groups/GPO to the lab environment? Thanks.