Export Users, Groups and OUs from One Windows 2003/2008 Active Directory Domain to Another Windows 2003/2008 Active Directory Domain
In one of our client engagements, the client wanted to upgrade a Windows 2003 Domain Controller to a Windows 2008 R2 Domain Controller. To make sure that the applications integrated with Active Directory would not be affected by the upgrade, we wanted to test them against a Windows 2008 R2 Active Directory Domain. We deployed a fresh Windows 2008 R2 Domain from scratch. The next step was to create users, groups and an OU structure similar to the production environment, so we decided to use LDAP export and import. OUs have to be imported first, then Users, and Groups last. Here are the steps we followed.
1. Export OU structure from Windows 2003 DC and import it in Windows 2008 R2 Domain Controller
a. To export the OU structure, log in to the Windows 2003 DC with Domain Admin credentials and run the command below
ldifde -f ExportOu.ldf -s DCservername -d "dc=domain,dc=com" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou" -c fromDN ToDN
Where ExportOu.ldf: file name
DCservername: Domain Controller Name
fromDN: Source Domain Name
ToDN: Destination Domain Name
b. Copy File ExportOu.ldf to Windows 2008 R2 Domain Controller
c. Login to Windows 2008 R2 DC with Domain Admin credential
d. To import OU structure, run below command
ldifde -i -f ExportOu.ldf -k -s DCservername
Where ExportOU.ldf: file name
DCservername: Domain Controller Name
e. Confirm OU structure is similar to Windows 2003 Active Directory Domain
2. Export Users from Windows 2003 DC and import it in Windows 2008 R2 Domain Controller
a. To export users, log in to the Windows 2003 DC and run the command below
ldifde -f ExportUser.ldf -s DCservername -d "dc=domain,dc=com" -c "dc=domain,dc=com" "DC=destination,DC=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName,memberof"
Where ExportUser.ldf: file name
DCservername: Domain Controller Name
dc=domain,dc=com (fromDN): Source Domain Name
DC=destination,DC=com (ToDN): Destination Domain Name
b. Copy File ExportUser.ldf to Windows 2008 R2 Domain Controller
c. Login to Windows 2008 R2 DC with Domain Admin credential
d. To import Users, run below command
ldifde -i -f ExportUser.ldf -k -s DCservername
Where ExportUser.ldf: file name
DCservername: Domain Controller Name
e. Confirm users are imported successfully
3. Export Groups from Windows 2003 DC and import it in Windows 2008 R2 Domain Controller
a. To export Groups, log in to the Windows 2003 DC and run the command below
ldifde -f ExportGroup.ldf -s DCservername -d "dc=domain,dc=com" -c "dc=domain,dc=com" "DC=destination,DC=com" -p subtree -r "(&(objectCategory=group)(objectClass=group))" -l "cn,givenName,objectclass,member,memberof,managedby"
Where ExportGroup.ldf: file name
DCservername: Domain Controller Name
dc=domain,dc=com (fromDN): Source Domain Name
DC=destination,DC=com (ToDN): Destination Domain Name
b. Copy ExportGroup.ldf File to Windows 2008 R2 Domain Controller
c. Login to Windows 2008 R2 DC with Domain Admin credential
d. To import groups, run below command
ldifde -i -f ExportGroup.ldf -k -s DCservername
Where ExportGroup.ldf: file name
DCservername: Domain Controller Name
e. Confirm groups are imported successfully
4. Enable all users and reset the password
a. Imported users are in a disabled state. To enable them, right-click Saved Queries and define a new query. Give the query a name and click Define Query. Click Users and select ‘Disabled Accounts’. Click OK
b. Select all users and click on Enable Account
c. Select all users and click on Properties, Select Account and select check box for Users must change password at next logon, and click OK
d. To reset password for users, use below command
dsquery user -samid | dsmod user -pwd
Now you can ask users to log in and test the application :)
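A pre-import check for the .ldf files produced in steps 1 to 3, added here as an example and not part of the original post: it unfolds wrapped lines, drops memberOf (which a reader comment on this post reports cannot be imported), and lists entries whose DN still ends in the source domain, meaning the -c rewrite was not applied to them. The sample records and the function names are constructed for illustration.

```python
import base64

# Constructed sample of an ldifde user export; record 2 was not rewritten by -c.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Sales,DC=destination,DC=com
changetype: add
objectClass: user
cn: Jane Doe
memberOf: CN=Sales Team,OU=Groups,DC=destination,DC=com

dn: CN=Bob Ray,OU=IT,DC=domain,DC=com
changetype: add
cn: Bob Ray
memberOf: CN=Very Long Group Name,OU=Groups,
 DC=domain,DC=com
"""

def parse_records(text):
    """Unfold continuation lines, then split into one line list per entry."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    return [b.strip("\n").split("\n") for b in unfolded.split("\n\n") if b.strip()]

def attr_value(line):
    """Return (name, value); 'attr:: v' means the value is base64-encoded."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return name, rest.strip()

def prepare_import(text, source_dn, drop=("memberof",)):
    """Return (cleaned LDIF, entry DNs still under source_dn)."""
    suffix = "," + source_dn.lower()
    kept, stale = [], []
    for record in parse_records(text):
        out = []
        for line in record:
            name, value = attr_value(line)
            if name.lower() in drop:
                continue  # assumption from the reader comment: not importable
            if name.lower() == "dn" and ("," + value.lower()).endswith(suffix):
                stale.append(value)  # the -c DN rewrite did not touch this entry
            out.append(line)
        kept.append("\n".join(out))
    return "\n\n".join(kept) + "\n", stale

if __name__ == "__main__":
    cleaned, stale = prepare_import(SAMPLE_LDIF, "DC=domain,DC=com")
    print(cleaned, "Entries still under the source domain:", stale)
```

Write the cleaned text to a new file and import that file with ldifde -i only when the list of stale DNs is empty.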
ldifde -f ExportUser.ldf -s lhr_srv1 -d "dc=tfmpk,dc=com" -c "dc=tfmpk,dc=com" "DC=tfmpk,DC=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName,memberof" -c fromDN ToDN
I am unable to run the subject command. Your assistance is requested.
Can you please post the exact error message…
It is possible that the commenter above got the error: "A parameter has been defined more than once". In the commenter's command, and in the article, the "-c" parameter is listed twice, e.g., -c "dc=domain,dc=com" "DC=destination,DC=com" … -c fromDN ToDN. To fix this, just remove the trailing "-c fromDN ToDN" from the command. This was probably a cut and paste error.
The export command works great, but I am unable to import users. Please explain in simple terms how to import users.
You can use gpmc for this http://technet.microsoft.com/en-us/library/cc782251%28v=ws.10%29.aspx
There is one issue with the how-to. You export the memberof attribute, which can't be imported. Thanks for the great instruction.
Thanks for this… I needed exactly the same domain with all settings, but on a new server. This helped.