Active Directory - Need to export 7000 users and 200 groups from one domain (2003) and import them into another domain (2003) retaining group membership.

  • Question

  • 1) Export domain is e.g. mycompany.ad.org and import domain is test.local

    2) Both domains run on 2003 R2

    3) Have full admin rights on both

    4) I tried with CSVDE and LDIFDE and I can import users and groups, but can't import the memberOf attribute since (attribute belongs to SAM account and does not allow action)

    Thank you in advance for help and suggestions.

    Friday, October 1, 2010 9:37 AM

Answers

  • I think the problem with csvde and ldifde is that the memberOf attribute is a backlink. The corresponding forward link attribute is the member attribute of the group. If you use the -m switch with csvde (or ldifde), you find that memberOf is not included with users, but the member attribute is included with groups. See this link:

    http://support.microsoft.com/kb/555634

    I haven't tried, but perhaps the proper course would be to export all users and groups with the -m switch. Then import users first, then groups. When the member attribute of the groups is imported, this should update the corresponding memberOf attributes.

    Otherwise, there is probably a scripting solution. When I script adding users (or contacts, computers, groups) to a group, I use the Add method of the group object. I never modify memberships by updating the memberOf attribute.

    Is the purpose to rename the domain?

    Richard Mueller


    MVP ADSI
    • Marked as answer by fkekic Wednesday, October 13, 2010 6:25 AM
    Monday, October 4, 2010 5:09 PM
    Moderator

All replies

  • Friday, October 1, 2010 10:47 PM
    Moderator
  • Hi,

    Thank you for the reply. The two domains in question (old and new) are child domains of one forest. According to the ADMT doc. this would be an "intraforest" migration and objects will not be preserved in the old location. Our situation requires us to build a copy of the existing domain under the same root domain (retaining as much as possible from the old domain, group membership being the most important) and "migrate" users and computers once we ensure that security permissions on all servers are properly established. We have numerous locations (30+) and each of them has a DC, file server, proxy etc., and quite limited IT support in those remote locations.

    Thank you in advance for your further advice

    Regards

    Faruk Kekic

    Monday, October 4, 2010 7:13 AM
  • Hi, sorry for the late answer. You are right, memberOf is a backlink. I did the following in this order and it worked pretty well:

    1. csvde - export/import ous
    2. csvde - export/import users
    3. ldifde - export/import groups (I used ldifde in the end, it just did not work with csvde)

    The only thing to be noted is that nested groups can't be imported interforest. However, our production env. is intraforest, so it really is not a problem.

    Yes, we are renaming the domain. The ent. admins (due to large geo. distribution and net. complexity) did not want to go ahead with renaming. I was also considering ADMT, but it does not have an option to preserve objects in the exporting domain in an intraforest migration and is surely not an option for us.

    Thank you for your support

    Faruk

    Wednesday, October 13, 2010 6:24 AM
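
The import order discussed in this thread (users first, then groups, with membership written through the group's member attribute so that memberOf follows from it), shown as an added Python example that is not part of the original thread. It goes one step beyond the thread by splitting the group import into a create pass and a link pass, so a group nested in another group always exists before it is referenced. The function names, the sample LDIF and the list of imported user DNs are constructed for illustration, and values are assumed to be plain ASCII (no base64 `::` lines).

```python
SRC, DST = "DC=mycompany,DC=ad,DC=org", "DC=test,DC=local"  # domains named in the thread
# Constructed sample data: a group export (Staff nests Helpdesk, one folded line) and imported user DNs.
SAMPLE = """dn: CN=Staff,OU=Groups,DC=mycompany,DC=ad,DC=org
changetype: add
objectClass: group
sAMAccountName: Staff
member: CN=Helpdesk,OU=Groups,DC=mycompany,DC=ad,DC=org
member: CN=Ann Lee,OU=Users,DC=mycompany,DC=ad,DC=org

dn: CN=Helpdesk,OU=Groups,DC=mycompany,DC=ad,DC=org
changetype: add
objectClass: group
sAMAccountName: Helpdesk
member: CN=Bob Ray,OU=Users,DC=mycompany,
 DC=ad,DC=org
member: CN=Gone User,OU=Users,DC=mycompany,DC=ad,DC=org
"""
IMPORTED = ["CN=Ann Lee,OU=Users,DC=test,DC=local", "CN=Bob Ray,OU=Users,DC=test,DC=local"]

def parse_ldif(text):
    """Yield each entry as a list of (attr, value) pairs, unfolding continuation lines."""
    entry = []
    for line in text.replace("\n ", "").splitlines() + [""]:
        if line.strip() and not line.startswith("#"):
            attr, _, val = line.partition(":")
            entry.append((attr, val.strip()))
        elif not line.strip() and entry:
            yield entry
            entry = []

def retarget(dn):  # swap the source domain suffix for the target one
    return dn[:-len(SRC)] + DST if dn.lower().endswith(SRC.lower()) else dn

def two_pass(group_ldif, imported_dns):
    """Return (create_ldif, link_ldif, skipped): groups without members first, then the links."""
    groups = [(retarget(dict(e)["dn"]), e) for e in parse_ldif(group_ldif)]
    known = {d.lower() for d in imported_dns} | {dn.lower() for dn, _ in groups}
    create, link, skipped = [], [], []
    for dn, e in groups:
        keep = [f"{a}: {v}" for a, v in e if a.lower() not in ("dn", "changetype", "member")]
        create += [f"dn: {dn}", "changetype: add", *keep, ""]
        members = [retarget(v) for a, v in e if a.lower() == "member"]
        skipped += [(dn, m) for m in members if m.lower() not in known]
        adds = [f"member: {m}" for m in members if m.lower() in known]
        if adds:  # only the forward link (member) is written; memberOf is never touched
            link += [f"dn: {dn}", "changetype: modify", "add: member", *adds, "-", ""]
    return "\n".join(create), "\n".join(link), skipped

if __name__ == "__main__":
    print(*two_pass(SAMPLE, IMPORTED), sep="\n# ----\n")
```

The `skipped` list names every membership that was left out because the member DN was not among the imported objects, which gives a review list before the old domain is retired.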