Exporting users, groups and their members from a currently installed Active Directory and importing them to a new Active Directory (Server 2003)

  • Question

  • Hi,

    I have a problematic Active Directory currently installed and I need to establish a new DC and reconstruct the objects of the current Active Directory in it. Since the current AD has lots of problems I absolutely cannot rely on ADMT and use it and its procedures to move objects to the new Active Directory. Is there another alternative to do the job?

    Thanks in advance

    Bijan

    Wednesday, June 22, 2011 8:15 AM

Answers

  • Great examples Gunner999.  Additionally, you can use LDIFDE to export and import them using the same process.  I have done this many, many times when building test domains that are replicas of a source domain.  After a bit of practice and familiarity with the data set being produced by the LDIFDE export process you can create a near exact replica of any LDAP directory structure.  You only need READ access to the source directory to perform these exports.

    Export Process:

    1.    Export OUs from Source Domain
    a.    Syntax:

    ldifde -f c:\LDIFDE_export\exportOU.ldf -s <DC NAME> -d "<DOMAIN DN>" -p subtree -r "(ObjectCategory=organizationalUnit)" -l "cn,objectclass,ou" -j C:\

    2.    Export Users from Source Domain
    a.    Syntax:

    ldifde -f c:\LDIFDE_export\exportUsers.ldf -s <DC NAME> -d "<DOMAIN DN>" -p subtree -r "(&(ObjectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName" -j C:\

    3.    Export Groups (without members) from Source Domain
    a.    Syntax:

    ldifde -f c:\LDIFDE_export\export_Groups_NO_Members.ldf -s <DC NAME> -d "<DOMAIN DN>" -p subtree -r "(&(ObjectCategory=group)(objectclass=group)(name=*))" -l "cn,name,sAMAccountName,grouptype,objectclass" -j c:\


    4.    Export Groups (only groups with members) from Source Domain
    a.    Syntax:

    ldifde -f c:\LDIFDE_export\export_Groups_WITH_Members.ldf -s <DC NAME> -d "<DOMAIN DN>" -p subtree -r "(&(ObjectCategory=group)(objectClass=group)(name=*)(member=*))" -l "member" -j c:\

    Modify Process:

    Search / Replace all exported data sets.  Search for old domain name DN and replace with new domain DN.  You will have to "massage" the exported data sets to properly format them so they can be used as the import source data sets.  The LDIFDE export process adds extraneous carriage return line feeds (0d0a) to the data sets.  You will have to remove those with your favorite hex editor.

    Import process:

    1.    Import OUs to destination domain
    a.      Syntax:

    ldifde -i -k -f c:\import\exportOU.ldf -s <domaincontroller> -v -j c:\<destinationdir>

    2.    Import Users to destination domain
    a.      Syntax:

    ldifde -i -k -f c:\import\exportUsers.ldf -s <domaincontroller> -v -j c:\<destinationdir>

    3.    Import Groups to destination domain
    a.      Syntax:

    ldifde -i -k -f c:\import\export_Groups_NO_Members.ldf -s <domaincontroller> -v -j c:\<destinationdir>

    4.    Import Groups members to destination domain
    a.      Syntax:

    ldifde -i -k -f c:\import\export_Groups_WITH_Members.ldf -s <domaincontroller> -v -j c:\<destinationdir>

    Note: All imported users will be disabled.  This process does not import user passwords.  You will want to run a script that will set the flag to force all users to change their passwords upon initial authentication.

    Done.

    • Proposed as answer by JasenL Wednesday, June 22, 2011 7:08 PM
    • Marked as answer by Bijan Kianifard Thursday, June 23, 2011 8:26 AM
    Wednesday, June 22, 2011 4:38 PM

All replies

  • AD contains a distributed database which contains similar objects & resources, so I don't think it's possible to segregate between healthy & faulty data. BTW, what's the actual problem in your domain & can you share more information about the environment?


    Regards


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, June 22, 2011 8:55 AM
    Moderator
  • Thank you for the response,

    To be frank, the technical problems of the infrastructure are not the main issue, although they are pretty complicated. The main issue is the organizational structure and, you know, the management.

    Anyway, I am working in a company which is a complex of 5 plants. Some 5 years ago, each of these plants had its own independent domain and infrastructure. Then the company decided to implement a parent-child structure and of course a Microsoft Exchange organization with one Exchange server per plant. This implementation was problematic from the beginning and these days the whole domain in all plants is generating serious problems. For example, the Exchange server completely fails to provide service and users are getting logon problems on and off....

    The circumstances have made the management return to the previous structure and I am the first administrator who has to do the job. Hope this short history helps you to understand the problem.

    Thank you


    Wednesday, June 22, 2011 9:50 AM
  • A single forest/domain is the best model from an administration & maintenance cost perspective. You can deploy one or two DCs in each location.

    Since you don't want to migrate, you can document your current infra using the ADTD tool mentioned in the post.

    You can refer to the Infrastructure Planning & Design guide below.

    Infrastructure Planning and Design Guide

    http://www.microsoft.com/downloads/en/details.aspx?familyid=ad3921fb-8224-4681-9064-075fdf042b0c&displaylang=en

    Determining Domain Controller Placement

    http://technet.microsoft.com/en-us/library/cc754920%28WS.10%29.aspx

    Microsoft Active Directory Design Guide

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=88F0184C-8F03-4F0F-B3F9-5109255FB461

    Planning Domain Controller Capacity

    http://technet.microsoft.com/en-us/library/cc738079%28WS.10%29.aspx

    You can document the current infrastructure using ADTD tool.

    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=13380

    http://blogs.technet.com/b/askds/archive/2007/10/12/documenting-active-directory-infrastructure-the-easy-way.aspx

    Restructuring Active Directory Domains Between Forests

    http://awinish.wordpress.com/2011/02/09/restructuring-active-directory-domains-between-forests/

    Regards


    Awinish Vishwakarma| CHECK MY BLOG 

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, June 22, 2011 10:31 AM
    Moderator
  • Awinish,

    Migration could be an option if the current (actually child) domain controller were healthy. ADTD gives me a Visio schematic of the child domain controllers and parent DC and their interconnection, which has no use for me. I am looking for - let's say - a set of scripts, for example, to extract users, groups and the group membership of the users from the old AD and export them to the new AD.

    Thank you

    Wednesday, June 22, 2011 12:02 PM
  • Hello,

    in short, you can't do it completely. Ldifde has a small option, therefore please see:

    http://support.microsoft.com/kb/237677


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Wednesday, June 22, 2011 12:23 PM
  • As far as I know, there is no such tool which can meet your requirements, but you can try with a custom written script. You can import the schema using LDIFDE, but when there is corruption or a custom attribute, it will not import & it requires manual work & this is just an example.

    As you only said there are so many issues, it's difficult to even take out that data.

    Regards


    Awinish Vishwakarma| CHECK MY BLOG 

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, June 22, 2011 1:10 PM
    Moderator
  • >> let's say - a set of scripts for example; to extract users, groups and the group membership of the users from the old AD and export them to new AD.

    You can’t really export and import objects like this from one domain to another.  You should be able to export/import “some” information using LDIFDE or CSVDE but you really need to perform a “migration”.

    If your DC is not healthy, you won’t be able to export anything from that DC.  So better to use ADMT to migrate everything.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    Wednesday, June 22, 2011 2:27 PM
    Moderator
  • In general do the following in order.  I do this to build a TEST AD environment that matches my production, on a regular basis.  I know this works.  It just takes a little practice to get it to work smoothly.

    Use CSVDE to export the current OU Structure and import them into the NEW AD system.

    Use CSVDE to export the current User Objects and import them into the NEW AD system.

    Use CSVDE to export the current Group Objects and import them into the NEW AD system.

    Alternatively you can use http://networkadminkb.com/Utilities/Descriptions/AddMembers2Group.aspx to export group membership from the old domain into the new domain.  Edit/search and replace the exported text file as needed to allow for the import.

    Example of how to export the OU structure and translate it for import into the new domain

    csvde -s %1 -c "DC=old,DC=domain,DC=net" "DC=new,DC=domain,DC=local" -r "(objectClass=organizationalunit)" -f "%1-ous.txt" -l "DN,objectClass,ou,description,distinguishedName,name"

    Import translated export

    csvde -i -k -s %1 -f "%1-ous.txt" -j .

    Repeat for Users using

    -l "cn,objectClass,samAccountName,givenName,initials,sn,displayname,mail" -r "(objectclass=user)"

    Repeat for group using

    -l "DN,objectClass,cn,description,groupType,member,memberOf,samAccountName" -r "(objectclass=group)"

    Done.

    Wednesday, June 22, 2011 2:46 PM
  • JasenL,

    >>>The LDIFDE export process adds extraneous carriage return line feeds (0d0a) to the data sets.  You will have to remove those with your favorite hex editor.

    I'm having issues in getting the ldifde import working.   I have exported all the OUs from a domain.  In the ldf export file, the first OU it exported (and all subsequent ones) I see 0d 0a at the start and 0d 0a 0d 0a at the end.   I have tried deleting one set of 0d 0a at the end to no avail.

    Can you please let me know which ones to delete?

    Thanks..


    Pramod

    Wednesday, October 31, 2012 2:08 PM
  • Hi,

    I know this is an old post.

    I am using JasenL's solution to perform a cross-forest migration where a trust is impossible (so cannot use ADMT).

    I can import the OU's, Users and Groups without problems.

    I only have problems with exporting / importing the members:

    Whenever a group contains a user that has special characters, like ' or `, the group does not get any members.

    Groups that do not contain users with special characters work OK; members get added properly.

    Commands that i am using:

    export:

    ldifde -u -s <DCNAME> -d "dc=xxx,dc=xxx" -f d:\export\members.ldf -p subtree -r "(objectclass=group)" -l "member" -c "DC=xxx,DC=xxx" "dc=yyy,dc=yyy" -m

    import:

    ldifde -i -k -f c:\import\Members.ldf -v -j c:\grplog -c "DC=xxx,dc=xxx" "DC=yyy,dc=yyy"

    Any ideas?


    • Edited by Marzzie Friday, May 3, 2013 3:11 PM
    Friday, May 3, 2013 3:10 PM
  • How do I correct this error when I try to import groups WITH members?

    Add error on line 1: Unwilling To Perform
    The server side error is "Access to the attribute is not permitted
    because the attribute is owned by the Security Accounts Manager (SAM)."


    Here is a sample of the export.

    dn: CN=Domain Admins,CN=Users,DC=DOMAIN,DC=local
    changetype: add
    objectClass: top
    objectClass: group
    cn: Domain Admins
    description: Designated administrators of the domain
    member: CN=SpaceAdmin,OU=Bedford Users,DC=DOMAIN,DC=local
    member: CN=Curt Admin,OU=Bedford Users,DC=DOMAIN,DC=local
    member: CN=Jeff Strehl,OU=Jeffs Test,DC=DOMAIN,DC=local
    member: CN=Naan Hughes,OU=Flex Corp,DC=DOMAIN,DC=local
    member: CN=Exch2K3,CN=Users,DC=DOMAIN,DC=local
    member: CN=Dera Davids,CN=Users,DC=DOMAIN,DC=local
    member: CN=EXCHANGE_SERVICE,CN=Users,DC=DOMAIN,DC=local
    member: CN=SQL_SERVICE,CN=Users,DC=DOMAIN,DC=local
    member: CN=repuser,CN=Users,DC=DOMAIN,DC=local
    member: CN=adminnolock,OU=No CTPAT lockout,DC=DOMAIN,DC=local
    member: CN=PamMail,CN=Users,DC=DOMAIN,DC=local
    member: CN=Kerry Archambault,OU=Bedford Users,DC=DOMAIN,DC=local
    member: CN=Administrator,CN=Users,DC=DOMAIN,DC=local
    distinguishedName: CN=Domain Admins,CN=Users,DC=DOMAIN,DC=local
    instanceType: 4
    whenCreated: 20070715140153.0Z
    whenChanged: 20150810114929.0Z
    uSNCreated: 12508
    memberOf:
     CN=Denied RODC Password Replication Group,CN=Users,DC=DOMAIN,DC=local
    memberOf: CN=Administrators,CN=Builtin,DC=DOMAIN,DC=local
    uSNChanged: 14737151
    name: Domain Admins
    objectGUID:: EhtMHckiXUSe88og+p0Giw==
    objectSid:: AQUAAAAAAAUVAAAA5QnuenArmSgRYRtFAAIAAA==
    adminCount: 1
    sAMAccountName: Domain Admins
    sAMAccountType: 268435456
    groupType: -2147483646
    objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
    isCriticalSystemObject: TRUE
    dSCorePropagationData: 20140311195416.0Z
    dSCorePropagationData: 20130924223018.0Z
    dSCorePropagationData: 20130924222642.0Z
    dSCorePropagationData: 20130924222425.0Z
    dSCorePropagationData: 16010101000000.0Z

    • Edited by kdla Tuesday, October 6, 2015 10:23 AM Fixed data & typ-o's
    Tuesday, October 6, 2015 10:17 AM
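The "massage" step in the marked answer (rewrite the old domain DN, clean up the record separators), the "Unwilling To Perform ... owned by the Security Accounts Manager" error on the Domain Admins export above, and the members-only import of step 4 can all be handled in one pass over the LDF file. The Python script below is an added example and not code from any poster in this thread or from Microsoft. It parses the export per RFC 2849 (folded continuation lines such as the memberOf value above, `::` base64 values, blank lines as record separators, so whatever CR/LF padding ldifde leaves between records is normalized instead of hex-edited); replaces the domain suffix in dn, member and managedBy values, including values ldifde wrote base64-encoded because the DN contains non-ASCII characters or leading/trailing spaces, which a text search/replace in the file never sees (one thing worth checking when the members of particular groups do not come across); drops attributes the destination DC owns or computes (objectSid, sAMAccountType, objectGUID, uSNCreated/uSNChanged, whenCreated/whenChanged, memberOf and so on; a SID is allocated by the new domain and cannot be carried over, which is what the SAM error is about); and emits a `changetype: modify` that appends members instead of an `add` for anything that cannot be created, i.e. built-in groups flagged isCriticalSystemObject: TRUE, which already exist in the new domain, and records carrying no objectClass, as a members-only export produces. The old and new domain DNs (DC=old,DC=local and DC=new,DC=corp), the attribute list and the sample LDF are constructed for the example.

```python
# Added example, not code from this thread: rewrite an LDIFDE export for import into another domain.
import base64
import re

# Attributes the destination DC sets itself or refuses on 'add' (objectSid and
# sAMAccountType are SAM-owned; memberOf is a back-link, never written directly).
SYSTEM_ATTRS = {"objectguid", "objectsid", "samaccounttype", "usncreated",
                "usnchanged", "whencreated", "whenchanged", "distinguishedname",
                "instancetype", "memberof", "dscorepropagationdata",
                "objectcategory", "iscriticalsystemobject"}


def parse_ldif(text: str) -> list:
    """Split LDIF into records; each record is a list of (name, value bytes)."""
    records, current = [], []
    # RFC 2849: a line that starts with one space continues the previous line
    for line in re.sub(r"\r?\n ", "", text).splitlines() + [""]:
        if not line.strip():            # blank line (any 0d0a padding) ends a record
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):   # 'attr:: <base64>'
                current.append((name, base64.b64decode(value[1:].strip())))
            else:
                current.append((name, value.strip().encode("utf-8")))
    return records


def rewrite_dn(dn: str, old_suffix: str, new_suffix: str) -> str:
    """Replace the trailing domain DN case-insensitively; RDNs are untouched."""
    if dn.lower().endswith(old_suffix.lower()):
        return dn[: len(dn) - len(old_suffix)] + new_suffix
    return dn


def ldif_line(name: str, value: bytes) -> str:
    """Emit 'name: value', or 'name:: base64' where RFC 2849 requires it."""
    unsafe = (not value.isascii() or value[:1] in (b" ", b":", b"<")
              or value.endswith(b" ") or any(c in value for c in b"\x00\r\n"))
    if unsafe:
        return f"{name}:: {base64.b64encode(value).decode('ascii')}"
    return f"{name}: {value.decode('ascii')}"


def transform(ldif_text: str, old_suffix: str, new_suffix: str) -> str:
    """Return import-ready LDIF for the new domain."""
    def dn_value(v: bytes) -> bytes:
        return rewrite_dn(v.decode("utf-8"), old_suffix, new_suffix).encode("utf-8")
    out = []
    for rec in parse_ldif(ldif_text):
        attrs = {n.lower(): v for n, v in rec}      # for single-valued lookups
        lines = [ldif_line("dn", dn_value(attrs["dn"]))]
        builtin = attrs.get("iscriticalsystemobject", b"").upper() == b"TRUE"
        if builtin or "objectclass" not in attrs:
            # built-in groups already exist in the target, and a members-only
            # export cannot be an 'add': append the members instead
            members = [v for n, v in rec if n.lower() == "member"]
            if not members:
                continue
            lines += ["changetype: modify", "add: member"]
            lines += [ldif_line("member", dn_value(m)) for m in members]
            lines.append("-")
        else:
            lines.append("changetype: add")
            for name, value in rec:
                key = name.lower()
                if key in ("dn", "changetype") or key in SYSTEM_ATTRS:
                    continue
                if key in ("member", "managedby"):   # DN-valued attributes
                    value = dn_value(value)
                lines.append(ldif_line(name, value))
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"


OLD, NEW = "DC=old,DC=local", "DC=new,DC=corp"
# Constructed input in the shape of an ldifde export (not real directory data).
# One member DN holds a non-ASCII character; ldifde writes such values base64-
# encoded, so a plain text search/replace of the domain DN never sees them.
SAMPLE = """dn: CN=Domain Admins,CN=Users,DC=old,DC=local
changetype: add
objectClass: group
member: CN=Curt Admin,OU=Bedford Users,DC=old,DC=local
memberOf:
 CN=Denied RODC Password Replication Group,CN=Users,DC=old,DC=local
objectSid:: AQUAAAAAAAUVAAAA5QnuenArmSgRYRtFAAIAAA==
isCriticalSystemObject: TRUE

dn: CN=Plant Ops,OU=Groups,DC=old,DC=local
objectClass: group
member: CN=Curt Admin,OU=Bedford Users,DC=old,DC=local
member:: %s
objectGUID:: EhtMHckiXUSe88og+p0Giw==
""" % base64.b64encode("CN=St\u00e5le Test,OU=Users,DC=old,DC=local".encode()).decode()

if __name__ == "__main__":
    print(transform(SAMPLE, OLD, NEW))
```

Read an ldifde -u export with open(path, encoding="utf-16") (the -u switch writes Unicode), write the result to a new .ldf and import it with the ldifde -i -k -f ... -s ... -j ... form from the marked answer: OUs first, then users and groups, then the membership file, so every member DN resolves. An LDAP add of an object that already exists is rejected as a whole (with -k ldifde merely continues past it), so membership of pre-existing groups only lands when it arrives as a modify operation, which is what the script produces for them.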
  • Thanks for detailed information. 

    Perfectly explained and working smoothly.  


    Regards, Amol Patil

    Thursday, May 31, 2018 10:10 PM