Tuesday, August 7, 2012

Export Users, Groups and OUs from one AD to another AD


Export Users, Groups and OUs from one Windows 2003/2008 Active Directory Domain to another Windows 2003/2008 Active Directory Domain

On one of our client engagements, the client wanted to upgrade its Windows 2003 Domain Controllers to Windows 2008 R2. To make sure that applications integrated with Active Directory would not be affected once the upgrade was done, we wanted to test them against a Windows 2008 R2 Active Directory domain first. We deployed a fresh Windows 2008 R2 domain from scratch; the next task was to create users, groups and an OU structure matching the production environment, so we decided to use LDAP export and import (ldifde). The import order matters: OUs first, then users, and groups last, because group membership (the member attribute) references user DNs that must already exist in the destination. Here are the steps we followed.



1.       Export the OU structure from the Windows 2003 DC and import it into the Windows 2008 R2 Domain Controller
a.    To export the OU structure, log in to the Windows 2003 DC with Domain Admin credentials and run the command below

ldifde -f ExportOu.ldf -s DCservername -d "dc=domain,dc=com" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou" -c fromDN ToDN

Where ExportOu.ldf: file name
DCservername: Domain Controller Name
fromDN: Source Domain Name (e.g. "dc=domain,dc=com")
ToDN: Destination Domain Name (e.g. "dc=destination,dc=com")

b.    Copy the file ExportOu.ldf to the Windows 2008 R2 Domain Controller
c.     Log in to the Windows 2008 R2 DC with Domain Admin credentials
d.    To import the OU structure, run the command below

ldifde -i -f ExportOu.ldf -k -s DCservername

Where ExportOu.ldf: file name
DCservername: Domain Controller Name
-k: continue past "Object Already Exists" and "Constraint Violation" errors instead of stopping at the first one (for example when an OU such as the default Domain Controllers OU already exists in the new domain)

e.    Confirm OU structure is similar to Windows 2003 Active Directory Domain

2.       Export Users from the Windows 2003 DC and import them into the Windows 2008 R2 Domain Controller
a.       To export users, log in to the Windows 2003 DC and run the command below

ldifde -f ExportUser.ldf -s DCservername -d "dc=domain,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName" -c "dc=domain,dc=com" "dc=destination,dc=com"


Where ExportUser.ldf: file name
DCservername: Domain Controller Name
"dc=domain,dc=com": Source Domain DN (fromDN)
"dc=destination,dc=com": Destination Domain DN (ToDN)

Note: -c may appear only once; ldifde rejects a parameter that is given twice. memberOf is deliberately left out of the attribute list: it is a back-link that the directory computes from each group's member attribute, it cannot be written on import, and group membership is carried by the groups exported in step 3.

b.    Copy the file ExportUser.ldf to the Windows 2008 R2 Domain Controller
c.     Log in to the Windows 2008 R2 DC with Domain Admin credentials
d.    To import the users, run the command below

ldifde -i -f ExportUser.ldf -k -s DCservername

Where ExportUser.ldf: file name
DCservername: Domain Controller Name

e.    Confirm users are imported successfully
3.       Export Groups from the Windows 2003 DC and import them into the Windows 2008 R2 Domain Controller
a.    To export groups, log in to the Windows 2003 DC and run the command below

ldifde -f ExportGroup.ldf -s DCservername -d "dc=domain,dc=com" -p subtree -r "(&(objectCategory=group)(objectClass=group))" -l "cn,objectclass,samAccountName,member,managedby" -c "dc=domain,dc=com" "dc=destination,dc=com"

Where ExportGroup.ldf: file name
DCservername: Domain Controller Name
"dc=domain,dc=com": Source Domain DN (fromDN)
"dc=destination,dc=com": Destination Domain DN (ToDN)

Note: -c rewrites the domain suffix of every DN in the file, including the user DNs listed in member and managedBy, which is why the users have to be imported before the groups. memberOf is not exported (it is a back-link and cannot be imported), givenName does not apply to groups, and sAMAccountName is included so the imported groups keep their existing pre-Windows 2000 names.

b.    Copy the file ExportGroup.ldf to the Windows 2008 R2 Domain Controller
c.     Log in to the Windows 2008 R2 DC with Domain Admin credentials
d.    To import the groups, run the command below

ldifde -i -f ExportGroup.ldf -k -s DCservername

Where ExportGroup.ldf: file name
DCservername: Domain Controller Name

e.    Confirm the groups and their membership are imported successfully
4.    Enable all users and reset their passwords
a.    Imported users are created in a disabled state. To find them, right-click Saved Queries in Active Directory Users and Computers and define a new query: give the query a name, click Define Query, select Users, choose 'Disabled Accounts' and click OK.
b.    Select all users returned by the query and click Enable Account
c.    Select all users, click Properties, select Account, tick the check box for "User must change password at next logon", and click OK
d.    To reset a user's password, use the command below

dsquery user -samid <usersam> | dsmod user -pwd <password>

Now you can ask the users to log in and test the application.
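The post relies on ldifde's -c switch to rewrite distinguished names and on the -l attribute list to keep non-importable attributes out of the file. As an added example (not code from the original post), the Python script below does the equivalent post-processing on an exported .ldf file offline, so a file produced with a wrong attribute list or the wrong domain can be repaired before the import step instead of re-exported: it parses LDIF as defined in RFC 2849 (folded continuation lines, base64 "::" values), rewrites the domain suffix on dn, member and managedBy the way -c does, and strips memberOf, the back-link the destination directory computes itself and refuses to accept on import. The sample entries, the names dc=domain,dc=com and dc=destination,dc=com, and all function names are constructed for this illustration; the script goes beyond the post's single user export in that it handles group files too.

```python
"""Offline post-processing of an ldifde export before importing it into another domain.
Added example, not part of the original post; all sample data is constructed."""
import base64
import re

# memberOf is a back-link: the directory derives it from each group's "member" values,
# so an import that tries to write it fails. Membership travels with the groups' export.
NON_WRITABLE = {"memberof"}
# DN-valued attributes that must get the same suffix rewrite as the entry's own dn.
DN_VALUED = {"member", "managedby"}

_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample resembling a user export that still carries memberOf.
# Non-ASCII values are base64-encoded ("::") and long lines are folded, as in real LDIF.
SAMPLE_LDIF = (
    "dn: CN=Jane Doe,OU=Sales,DC=domain,DC=com\n"
    "changetype: add\n"
    "cn: Jane Doe\n"
    "objectClass: user\n"
    "sAMAccountName: jdoe\n"
    "memberOf: CN=Sales Staff,OU=Groups,DC=domain,DC=com\n"
    "\n"
    "dn:: " + _b64("CN=Müller,OU=Sales,DC=domain,DC=com") + "\n"
    "changetype: add\n"
    "cn:: " + _b64("Müller") + "\n"
    "objectClass: user\n"
    "sAMAccountName: mueller\n"
    "memberOf: CN=Sales Staff,\n"
    " OU=Groups,DC=domain,DC=com\n"
)


def _unfold(text):
    """Yield logical LDIF lines; a line starting with a space continues the previous one."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
        else:
            if buf is not None:
                yield buf
            buf = raw
    if buf is not None:
        yield buf


def parse_ldif(text):
    """Parse LDIF into entries, each an ordered list of (attribute, value) pairs."""
    entries, current = [], []
    for line in _unfold(text):
        if line == "":  # blank line separates entries
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = match.groups()
        if sep == "::":  # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        current.append((attr, value))
    if current:
        entries.append(current)
    return entries


def rewrite_dn(dn, from_dn, to_dn):
    """Replace a trailing from_dn with to_dn, case-insensitively, as DNs compare that way.
    Only the suffix is touched; ldifde -c replaces every occurrence in the file."""
    if dn.lower().endswith(from_dn.lower()):
        return dn[: len(dn) - len(from_dn)] + to_dn
    return dn


def sanitize(entries, from_dn, to_dn, drop=NON_WRITABLE):
    """Drop non-writable attributes and rewrite DN suffixes; returns new entries."""
    cleaned = []
    for entry in entries:
        kept = []
        for attr, value in entry:
            key = attr.lower()
            if key in drop:
                continue
            if key == "dn" or key in DN_VALUED:
                value = rewrite_dn(value, from_dn, to_dn)
            kept.append((attr, value))
        cleaned.append(kept)
    return cleaned


def _needs_b64(value):
    # RFC 2849 SAFE-STRING: ASCII only, no leading space/colon/'<', no NUL/CR/LF.
    return (not value.isascii() or value[:1] in (" ", ":", "<")
            or any(c in value for c in "\0\r\n"))


def serialize(entries, width=76):
    """Write entries back out as LDIF, base64-encoding and folding where required."""
    lines = []
    for entry in entries:
        for attr, value in entry:
            line = f"{attr}:: {_b64(value)}" if _needs_b64(value) else f"{attr}: {value}"
            lines.append(line[:width])
            for i in range(width, len(line), width - 1):
                lines.append(" " + line[i:i + width - 1])
        lines.append("")
    return "\n".join(lines)


def convert_ldif(text, from_dn, to_dn):
    """Full pipeline: parse, sanitize, re-serialize."""
    return serialize(sanitize(parse_ldif(text), from_dn, to_dn))


if __name__ == "__main__":
    print(convert_ldif(SAMPLE_LDIF, "DC=domain,DC=com", "DC=destination,DC=com"))
```

Run it against a real export with `convert_ldif(open("ExportUser.ldf", encoding="utf-8").read(), ...)` and write the result to a new file for `ldifde -i`. Rewriting only the DN suffix, rather than every occurrence of the source domain string as -c does, avoids altering unrelated attribute values that happen to contain the same text; if the destination forest has a different RDN layout under the domain root, the OU part of the DNs must be adjusted separately.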


7 comments:

  1. ldifde -f ExportUser.ldf -s lhr_srv1 -d "dc=tfmpk,dc=com" -c "dc=tfmpk,dc=com" "DC=tfmpk,DC=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName,memberof" –c fromDN ToDN

     I am unable to run the command in question; your assistance is requested.

     Reply: Can you please post the exact error message...

  2. It is possible that the commenter above got the error: "A parameter has been defined more than once". In the commenter's command, and in the article, the "-c" parameter is listed twice, e.g., -c "dc=domain,dc=com" "DC=destination,DC=com" ... –c fromDN ToDN. To fix this, just remove the trailing "–c fromDN ToDN" from the command. This was probably a cut and paste error.

  3. The export command works great, but I am unable to import users. Please explain simply how to import users.

  4. You can use gpmc for this: http://technet.microsoft.com/en-us/library/cc782251%28v=ws.10%29.aspx

  5. There is one issue with the how-to. You export the memberof attribute, which can't be imported.

     Thanks for the great instructions.

  6. Thanks for this...

     I needed exactly the same domain with all settings but on a new server. This helped.
