cswaters1
Contributor

AD problem requires solution...


Not sure where to post this so I'll try here.

So, here is my problem:

We currently have 3 environments PROD, STAGE and DEV and we typically use a DEV-STAGE-PROD lifecycle for new applications being developed.

We use AD for security accounts / groups in PROD and have a separate install in DEV (I've been using LDAP imports to import new user accounts / groups etc from PROD to DEV but this is manual).

When we provision a system in DEV we typically rebuild in PROD, but any GUIDs from AD accounts etc are different.

What would be great is some way to sync / partition AD from Prod to DEV and allow any AD users/groups created in PROD to also be available in DEV.

Has anyone got any ideas on how I can keep these environments in Sync?

Any suggestions?

Thanks,

Craig.

Craig Waters | vExpert | Melbourne VMware User Group Leader | website: craigwaters.org | twitter: @cswaters1
Texiwill
Leadership

Hello,

This sounds more like an AD issue than a virtualization issue. How do you think virtualization could help with this? Did you want to clone DCs?


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2022,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
azn2kew
Champion

It doesn't sound related, but you can use P2V converter and clone the DC PROD and then place it in DEV/STAGE environment where you need to isolate your network. You can simulate and mimic 100% of production AD and settings but ISOLATE them though.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

VMware vExpert 2009

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

cswaters1
Contributor

My AD environment is already virtual... But that is not what this question is really about.

I want an automated way to create a one way replication of changes in Production AD into DEV AD so that when we Develop new applications, any changes we make in PROD are there in DEV.

We originally P2V'd our production AD servers and then V2V'd them to DEV (so they have the same hostname / IP etc), the problem is that as Prod changes we have to refresh DEV, which is growing separately to PROD.

Any suggestions? I know Lab manager enables you to snapshot VMs for different environments but wanted to know if there was something else out there...

Can I use Lab Manager to snap our production AD and use this as a pointer for DEV?

Thanks,

Craig.

Craig Waters | vExpert | Melbourne VMware User Group Leader | website: craigwaters.org | twitter: @cswaters1
Texiwill
Leadership

Hello,

I want an automated way to create a one way replication of changes in Production AD into DEV AD so that when we Develop new applications, any changes we make in PROD are there in DEV.

Replication within the Guest is an option using whatever AD would use for replication if there is anything. This is one option.

Replication at the VM Level... All you can really do is Clone the AD Server.

Or perhaps use the same AD server and just have a Dev tree?

We originally P2V'd our production AD servers and then V2V'd them to DEV (so they have the same hostname/ IP etc), the problem is that as Prod changes we have to refresh DEV, which is growing seperately to PROD.

Why not just Clone your current AD Server and place it into DEV (I hope DEV is protected)?

Can I use Lab Manager to snap our production AD and use this as a pointer for DEV?

Snapshots are not quite what you think. A snapshot is a file of changed blocks from the master VMDK. This is how linked clones work.

You may want to make a REAL clone and then use that within your protected DEV environment.

You could also make a 'DEV' Linked Clone as well. This would keep everything that was in the AD server but then your 'dev' changes would NOT show up in the main AD Server.


Best regards,

Edward L. Haletky
cswaters1
Contributor

Thanks for your reply Edward,

So would I need Lab Manager to use a 'Linked Clone'? Or is it possible to do this using VI35?

Regards,

Craig.

Craig Waters | vExpert | Melbourne VMware User Group Leader | website: craigwaters.org | twitter: @cswaters1
Texiwill
Leadership

Hello,

A linked Clone is possible on VI3.5 using ghetto-esx-linked-clones.sh found at http://communities.vmware.com/docs/DOC-9852


Best regards,

Edward L. Haletky
cswaters1
Contributor

Can you recommend some good reading on the linked clone technology?

I guess the original and the linked clone would have to exist on the same ESX host?

Thanks,

Craig.

Craig Waters | vExpert | Melbourne VMware User Group Leader | website: craigwaters.org | twitter: @cswaters1
Texiwill
Leadership

Hello,

Any documentation for VMware View is a good place to start as that is where Linked Clones... The linked clone I believe just has to have access to the virtual disk not the VM. Consider a Linked Clone a form of snapshot with a VM wrapped around it.

http://www.vmware.com/support/ws5/doc/ws_clone_overview.html

http://blogs.vmware.com/view


Best regards,

Edward L. Haletky
dtracey
Expert

Hi Guys,

I always thought it was bad practice to P2V or clone a DC...

If it's simply migrating user accounts and groups from one AD domain to another then you can use ADMT (Active Directory Migration Tool).

Cheers,

Dan

cswaters1
Contributor

As stated previously, the production AD is already a VM - granted, P2V is not recommended but there is no real issue in cloning an AD server, as long as the clone is isolated.

The purpose of this post is to provide a mechanism to keep the Dev Environment clone of AD in sync with the original Prod AD VM (keep in mind Dev is completely isolated and will typically have other cloned production servers in it using the same IP Addresses etc as Prod.)

Thanks for the links Edward, I'll start the research, my 'challenge' if you like is that our Prod and Dev VMs live on different ESX Clusters but in the same VirtualCenter...

Has anyone tried this out using a Linked Clone? Can anyone recommend an approach?

Thanks,

Craig.

Craig Waters | vExpert | Melbourne VMware User Group Leader | website: craigwaters.org | twitter: @cswaters1
Texiwill
Leadership

Hello,

Thanks for the links Edward, I'll start the research, my 'challenge' if you like is that our Prod and Dev VMs live on different ESX Clusters but in the same VirtualCenter...

In this case I doubt linked clones will help, but you can do a full clone of the VM and that may do what you want. For a linked Clone to work your linked clone must be able to access the same storage as your production. If they are accessible then it may just work.

Has anyone tried this out using a Linked Clone? Can anyone recommend an approach?

Never for a DC but for other items and they run quite fine. I have a dev environment where I have linked clones for a firewall, VC4, and OpenFiler. No real issues. But they are also on the same storage device. But a linked clone is nothing more than a snapshot and a snapshot CAN live on a different storage device than the master VMDK.


Best regards,

Edward L. Haletky
cswaters1
Contributor

The problem with a clone (for me) is that it's a point in time copy, any objects (computers, user accounts / groups etc) that are created after the clone are given a unique GUID (which will be different between DEV and PROD), which makes the VMs different and would require us to re-clone the VM again on a regular basis to keep them like for like.

What would be really useful is a 'read only' linked clone that would get changes from the PROD AD (source VM) as they occur and present these to DEV (but I guess that then you wouldn't be able to write changes from DEV, but this would be OK as long as the object (computer, group, user etc) already existed in PROD....

Thanks for all your feedback, I guess I'll have to manually keep recreating the clone on a regular basis to keep DEV in sync with PROD.

Craig.

Craig Waters | vExpert | Melbourne VMware User Group Leader | website: craigwaters.org | twitter: @cswaters1
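The two things Craig keeps coming back to, the manual LDAP imports from the opening post and the point-in-time drift described in the post above (objects created after the clone carry different GUIDs in PROD and DEV), can at least be measured and the import half automated. The following is an added example, not code from any poster in this thread: a Python script that parses two constructed LDIF exports standing in for ldifde-style dumps of PROD and DEV, reports objects missing from DEV, DEV-only objects, group membership drift and GUID mismatches, and emits an LDIF of additions to replay into the isolated DEV domain, minus the attributes the DEV DC assigns itself and which therefore can never be carried across. All container names, account names and GUIDs are made up.

```python
"""Drift check between PROD and DEV Active Directory LDIF exports (added example).

The two LDIF blobs are constructed; they stand in for an ldifde-style export
of the user and group containers of each forest.
"""
import base64

# Attributes the destination DC assigns itself. They cannot be imported, which is
# why anything created in PROD after the clone has a different objectGUID in DEV.
SYSTEM_OWNED = {"objectguid", "objectsid", "usncreated", "usnchanged", "whencreated", "whenchanged"}

PROD_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: alice
objectGUID: 11111111-1111-1111-1111-111111111111

dn: CN=Bob Example,OU=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: bob
objectGUID: 22222222-2222-2222-2222-222222222222

dn: CN=App-Admins,OU=Groups,DC=corp,DC=example
objectClass: group
sAMAccountName: App-Admins
objectGUID: 33333333-3333-3333-3333-333333333333
member: CN=Alice Example,OU=Users,DC=corp,DC=example
member: CN=Bob Example,OU=Users,DC=corp,DC=example
"""

# DEV was cloned before Bob existed; App-Admins was later re-created by hand in
# DEV, so it has its own objectGUID and is missing Bob as a member.
DEV_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: alice
objectGUID: 11111111-1111-1111-1111-111111111111

dn: CN=App-Admins,OU=Groups,DC=corp,DC=example
objectClass: group
sAMAccountName: App-Admins
objectGUID: 99999999-9999-9999-9999-999999999999
member: CN=Alice Example,OU=Users,DC=corp,DC=example
"""


def parse_ldif(text):
    """Parse LDIF into {dn: {attr (lower-case): [values]}}; joins folded
    continuation lines, decodes 'attr:: <base64>' values, skips comments."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries[current.pop("dn")[0]] = current
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def diff_directories(prod, dev):
    """Compare two exports by DN and report each kind of drift."""
    both = prod.keys() & dev.keys()
    return {
        # Created in PROD since the clone, unknown to DEV.
        "missing_in_dev": sorted(dn for dn in prod if dn not in dev),
        # Created only in DEV; lost the next time DEV is re-cloned.
        "extra_in_dev": sorted(dn for dn in dev if dn not in prod),
        # Same DN on both sides but re-created rather than cloned: an application
        # that stored the GUID now points at a different object.
        "guid_mismatch": sorted(dn for dn in both
                                if prod[dn].get("objectguid") != dev[dn].get("objectguid")),
        "member_drift": sorted(dn for dn in both
                               if set(prod[dn].get("member", [])) != set(dev[dn].get("member", []))),
    }


def build_add_ldif(prod, dns):
    """Emit 'changetype: add' records for PROD objects absent from DEV, minus the
    system-owned attributes, users before groups so 'member' DNs resolve on import.
    Attribute names come out lower-case; LDAP treats them case-insensitively."""
    def is_group(dn):
        return "group" in [v.lower() for v in prod[dn].get("objectclass", [])]

    out = []
    for dn in sorted(dns, key=lambda d: (is_group(d), d)):
        out += [f"dn: {dn}", "changetype: add"]
        out += [f"{a}: {v}" for a, vals in prod[dn].items()
                if a not in SYSTEM_OWNED for v in vals]
        out.append("")
    return "\n".join(out)


def drift_report():
    """Run the comparison over the constructed exports and return the findings."""
    return diff_directories(parse_ldif(PROD_LDIF), parse_ldif(DEV_LDIF))
```

Running `drift_report()` against the constructed data flags Bob as missing from DEV and App-Admins for both a GUID mismatch and a membership difference; `build_add_ldif` then produces the record for Bob that an LDIF import into DEV would accept. The GUID mismatch list is the part that matters for Craig's concern: those are the objects that no import can fix, because the DEV DC mints its own objectGUID, so any application that persisted GUIDs from PROD will not recognise the DEV copies regardless of how often the import runs.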
ajaipathak
Enthusiast

For replication of data you have to check with AD replication.

You can clone the dev machine & then dump the database from prod to dev machine.

I doubt if you can have the same replica for prod machine every time. You have to daily dump the database from prod to dev machine. This is what I did for my DRP (Disaster Recovery Plan) exercise.