One way to reduce remediation effort during use-case testing on service projects is to create a replica of the client's Active Directory domain for selected use-cases.
For Identity Suite/Identity Management/Identity Governance/SSO solutions, the replica only requires the user objects, group objects, and DIT (OU) structure. The replica does NOT have to contain 100% of all Active Directory objects.
This TDM (test-data-management) process may be shared with the client's ADS or IAM teams to push replica data from Production to the designated Development and QA AD domains/servers that will be used as managed endpoints.
The process below describes how:
1) the DIT structure is queried (all the OU containers in the directory)
2) all group objects are pulled with a limited set of attributes
3) all user objects are pulled with a limited set of attributes (non-PII)
The three (3) assumptions are:
- An existing MS AD lab, dev, or QA environment has been created, and a service ID/password exists to populate this lab environment.
Example: IMAG: Active Directory Lab Env. with SSL/TLS Certs
- A workstation/desktop that is joined to the current Production AD domain is available.
Example: open a command prompt, run set, and look for the variables USERDOMAIN= and LOGONSERVER=
- The MS tools ldifde/csvde (from MS RSAT) are available on the workstation/desktop
1) Check for ldifde/csvde tools installed or copied
- a) copy from a MS Windows server ( binaries are typically under C:\Windows\System32 folder ) or install MS RSAT tools
2) Pull selective fields for AD DIT (OU structure), AD users, and AD Groups
Note: No explicit credentials are required if these commands are executed on a server/workstation that is joined to the domain; the tools use the current logon session. If they are to be run under the MS Windows Task Scheduler, a service ID (a domain account that is a member of "Domain Users", which is sufficient for reading these attributes) will need to be used.
Note 2: Set the variable %DCHOSTNAME% to the value of LOGONSERVER (without the leading \\ characters), and %ADSDOMAIN% to the domain DN, e.g. dc=company,dc=com.
::LDIF extract to pull the ADS domain OU/DIT structure
ldifde -f ADS_Domain_DIT_Export.ldif -s %DCHOSTNAME% -d %ADSDOMAIN% -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectClass,ou"

::LDIF extract to pull ADS domain user objects with select attributes
ldifde -f ADS_Users_Select_Fields.ldif -s %DCHOSTNAME% -d %ADSDOMAIN% -p subtree -r "(&(objectCategory=person)(objectClass=user)(displayName=*))" -l "objectClass,cn,givenName,description,memberOf,sAMAccountName,sn,homeDirectory,homeDrive,primaryGroupID,uid,employeeID,userAccountControl,homeMTA,homeMDB"

::LDIF extract to pull ADS domain group objects with select attributes
ldifde -f ADS_Export_Groups.ldif -s %DCHOSTNAME% -d %ADSDOMAIN% -p subtree -r "(&(objectCategory=group)(objectClass=group)(displayName=*))" -l "objectClass,cn,displayName,description,info,whenCreated,whenChanged,memberOf,member"

Note 3: objectClass must be in the -l attribute list, otherwise the resulting LDIF cannot be imported (the DC needs it to create the object). memberOf is a back-link that the DC computes from the member attribute of the groups, and whenCreated/whenChanged are system-maintained; all three are rejected if they appear in an import file, so keep them for reference only and strip them (or drop them from -l) before importing. Group membership is carried by the member attribute on the group object.
3) Use the same ldifde tool with -i (import) to load this data into your lab, dev, or QA AD domain. Import in dependency order: the DIT/OU file first (a child OU can only be created once its parent exists), then the groups, then the users, then the group member values. ldifde does not guarantee that a parent OU precedes its children in an export; an add whose parent container is missing is skipped, so either reorder the file or re-run the same import with -k (which continues past "object already exists" errors). If the lab domain has a different DN suffix than Production, add -c "dc=company,dc=com" "dc=lab,dc=local" so the DNs are rewritten during import, and use -j <dir> to write the import log.
Note: If the number of users/accounts is > 100K, parallel scripts/processes are recommended.
Populate your lab AD with 100,000+ test accounts using a for-loop with dsadd user, dsmod user, or net user.
Active Directory on VMware may start at a rate of 2-4 updates/second; this can be increased to 60+ updates/second.
See Step 11 from IMAG: Active Directory Lab Env. with SSL/TLS Certs
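The import in step 3 is where this procedure usually stalls: the exported DNs still carry the Production suffix, the files contain attributes the DC will not accept on an add, and parent OUs are not guaranteed to come before their children. The following PowerShell script is an added example (not part of the original post or the IMAG lab guide) that turns the three export files into one lab-importable LDIF: it rewrites the DN suffix (on dn and member values, the same effect as ldifde -c), drops memberOf/whenCreated/whenChanged/primaryGroupID/homeMTA/homeMDB, forces userAccountControl to 514 so the users are created disabled (an enabled account cannot be created without a password), orders OUs parent-first followed by groups and users, and emits the member values last as modify entries. The suffixes DC=company,DC=com and DC=lab,DC=local, the file names, and the function names are assumptions for the example; the sample LDIF at the bottom is constructed, so the script runs without a domain.

```powershell
# Added example, not from the original post. Assumed: Production suffix
# DC=company,DC=com, lab suffix DC=lab,DC=local, export file names as above.
$FromDn = 'DC=company,DC=com'   # assumed production suffix
$ToDn   = 'DC=lab,DC=local'     # assumed lab suffix
# memberOf/whenCreated/whenChanged are server-owned, primaryGroupID is set by the
# DC itself, homeMTA/homeMDB are DN links into an Exchange org the lab lacks.
$DropAttrs = 'memberof','primarygroupid','whencreated','whenchanged','homemta','homemdb'

function Read-LdifEntries {
    param([string[]]$Lines)
    $entries = [System.Collections.Generic.List[object]]::new(); $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.TrimEnd()
        if ($line -eq '') { if ($current) { $entries.Add($current); $current = $null }; continue }
        if ($line.StartsWith(' ') -and $current -and $current.Attrs.Count -gt 0) {   # folded line
            $current.Attrs[$current.Attrs.Count - 1].Value += $line.Substring(1); continue
        }
        $colon = $line.IndexOf(':'); if ($colon -lt 0) { continue }
        $name = $line.Substring(0, $colon).ToLowerInvariant(); $rest = $line.Substring($colon + 1)
        $value = if ($rest.StartsWith(':')) {   # 'attr:: <base64>' form
            [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($rest.Substring(1).Trim()))
        } else { $rest.Trim() }
        if ($name -eq 'dn') {
            $current = [pscustomobject]@{ DN = $value; Attrs = [System.Collections.Generic.List[object]]::new() }
        } elseif ($current -and $name -ne 'changetype') {
            $current.Attrs.Add([pscustomobject]@{ Name = $name; Value = $value })
        }
    }
    if ($current) { $entries.Add($current) }
    return ,$entries
}

function Format-LdifLine {
    param([string]$Name, [string]$Value)
    # RFC 2849 SAFE-STRING: plain form only for 7-bit text not starting with space, ':' or '<'
    if ($Value -eq '' -or $Value -match '^[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*$') { return "${Name}: $Value" }
    return "${Name}:: " + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
}

function Convert-DnSuffix {
    param([string]$Dn)
    return $Dn -replace ([regex]::Escape($FromDn) + '$'), $ToDn   # -replace is case-insensitive
}

function Get-EntryKind {
    param($Entry)
    $classes = @($Entry.Attrs | Where-Object Name -eq 'objectclass' | ForEach-Object { $_.Value.ToLowerInvariant() })
    foreach ($k in 'organizationalunit', 'group', 'user') { if ($classes -contains $k) { return $k } }
    return $null
}

function Convert-LdifForLab {
    param([string[]]$Lines)
    $byKind = @{ organizationalunit = @(); group = @(); user = @() }
    foreach ($e in (Read-LdifEntries $Lines)) {
        $k = Get-EntryKind $e
        if (-not $k) { Write-Warning "skipping $($e.DN): no objectClass (add objectClass to the ldifde -l list)"; continue }
        $byKind[$k] += $e
    }
    # OUs parent-first (fewer RDNs first), then groups, then users; membership last
    $ordered = @($byKind.organizationalunit | Sort-Object { @($_.DN -split '(?<!\\),').Count }) + $byKind.group + $byKind.user
    $out = [System.Collections.Generic.List[string]]::new()
    $members = [System.Collections.Generic.List[object]]::new()
    foreach ($e in $ordered) {
        $dn = Convert-DnSuffix $e.DN
        $out.Add((Format-LdifLine 'dn' $dn)); $out.Add('changetype: add')
        foreach ($a in $e.Attrs) {
            if ($DropAttrs -contains $a.Name) { continue }
            if ($a.Name -eq 'member') { $members.Add([pscustomobject]@{ Group = $dn; Member = (Convert-DnSuffix $a.Value) }); continue }
            $v = if ($a.Name -eq 'useraccountcontrol') { '514' } else { $a.Value }   # create users disabled
            $out.Add((Format-LdifLine $a.Name $v))
        }
        $out.Add('')
    }
    foreach ($g in ($members | Group-Object Group)) {   # add members once users exist
        $out.Add((Format-LdifLine 'dn' $g.Name)); $out.Add('changetype: modify'); $out.Add('add: member')
        foreach ($m in $g.Group) { $out.Add((Format-LdifLine 'member' $m.Member)) }
        $out.Add('-'); $out.Add('')
    }
    return ,$out.ToArray()
}

# Constructed sample standing in for the three export files (child OU deliberately
# listed before its parent, as an export may do):
$Sample = @'
dn: OU=Staff,OU=Corp,DC=company,DC=com
changetype: add
objectClass: organizationalUnit
ou: Staff

dn: OU=Corp,DC=company,DC=com
changetype: add
objectClass: organizationalUnit
ou: Corp

dn: CN=App-Admins,OU=Corp,DC=company,DC=com
changetype: add
objectClass: group
cn: App-Admins
whenCreated: 20200101000000.0Z
member: CN=tuser01,OU=Staff,OU=Corp,DC=company,DC=com

dn: CN=tuser01,OU=Staff,OU=Corp,DC=company,DC=com
changetype: add
objectClass: user
cn: tuser01
sAMAccountName: tuser01
memberOf: CN=App-Admins,OU=Corp,DC=company,DC=com
userAccountControl: 512
primaryGroupID: 513
'@ -split "`r?`n"
Convert-LdifForLab $Sample | Write-Output   # preview: Corp, Staff, App-Admins, tuser01, then the member modify

# Real run against the three exports, then: ldifde -i -u -k -f Lab_Import.ldif -s %DCHOSTNAME% -j .
$files = 'ADS_Domain_DIT_Export.ldif', 'ADS_Export_Groups.ldif', 'ADS_Users_Select_Fields.ldif'
if (@($files | Where-Object { Test-Path $_ }).Count -eq $files.Count) {
    Convert-LdifForLab ($files | ForEach-Object { Get-Content $_; '' }) | Set-Content -Encoding Unicode Lab_Import.ldif
}
```

Attribute names are written in lower case, which LDAP treats as equivalent to the schema casing. The output file is written as UTF-16 so that it can be imported with ldifde -u; non-ASCII values are base64-encoded per the LDIF rules either way. Users land disabled with no password; set a test password and userAccountControl 512 afterwards (for example in the dsmod loop from step 11 of the lab guide) rather than importing Production password hashes.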
Hey, first off thank you for taking the time to write this article! I am currently in the process of trying to follow through on this and import these LDIF files into my sandbox environment. I am receiving the following error on import: "Object does not exist, entry skipped". The only thing I have done previously is the import of a schema and configuration, also done with ldifde. Any thoughts on why this would be occurring? (I would assume, since it's an import, that everything would not exist and would need to be created.) Anyway, thank you again.
ldifde -i -v -f .\ADS_Domain_DIT_Export.ldif -s %DCHOSTNAME% -j .\