Export Users, Groups and OU’s from one AD to another AD

Export Users, Groups and OUs from one Windows 2003/2008 Active Directory Domain to another Windows 2003/2008 Active Directory Domain
During one client engagement, the client wanted to upgrade a Windows 2003 Domain Controller to Windows 2008 R2 and needed assurance that the applications integrated with Active Directory would not be affected by the upgrade, so we set out to test them against a Windows 2008 R2 Active Directory Domain. We deployed a fresh Windows 2008 R2 domain from scratch. The next task was to create users, groups and an OU structure similar to the production environment, and we chose to do this with LDIF export and import (ldifde). The order matters: OUs must be imported first, then users, and groups last, because each later object type references the ones imported before it (users live in OUs, and group member attributes point at user DNs). Here are the steps we followed.

1. Export the OU structure from the Windows 2003 DC and import it on the Windows 2008 R2 Domain Controller
a. To export the OUs, log in to the Windows 2003 DC with Domain Admin credentials and run the command below:
ldifde -f ExportOu.ldf -s DCservername -d "dc=domain,dc=com" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou" -c fromDN ToDN
Where ExportOu.ldf: output file name
DCservername: Domain Controller name
fromDN: source domain distinguished name (e.g. dc=domain,dc=com)
ToDN: destination domain distinguished name (e.g. dc=destination,dc=com)
b. Copy the file ExportOu.ldf to the Windows 2008 R2 Domain Controller
c. Log in to the Windows 2008 R2 DC with Domain Admin credentials
d. To import the OU structure, run the command below:
ldifde -i -f ExportOu.ldf -k -s DCservername
Where ExportOu.ldf: input file name
DCservername: Domain Controller name
e. Confirm that the OU structure matches the Windows 2003 Active Directory Domain
2. Export users from the Windows 2003 DC and import them on the Windows 2008 R2 Domain Controller
a. To export users, log in to the Windows 2003 DC and run the command below:
ldifde -f ExportUser.ldf -s DCservername -d "dc=domain,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName" -c fromDN ToDN
Where ExportUser.ldf: output file name
DCservername: Domain Controller name
fromDN: source domain distinguished name
ToDN: destination domain distinguished name
Note: the -c switch is given only once (the same switch twice makes ldifde fail with "A parameter has been defined more than once"), and memberOf is deliberately not in the attribute list: it is a read-only back-link that ldifde cannot import. Group membership is restored in step 3, when the groups are imported with their member attribute.
b. Copy the file ExportUser.ldf to the Windows 2008 R2 Domain Controller
c. Log in to the Windows 2008 R2 DC with Domain Admin credentials
d. To import the users, run the command below:
ldifde -i -f ExportUser.ldf -k -s DCservername
Where ExportUser.ldf: input file name
DCservername: Domain Controller name
e. Confirm that the users were imported successfully
3. Export groups from the Windows 2003 DC and import them on the Windows 2008 R2 Domain Controller
a. To export groups, log in to the Windows 2003 DC and run the command below:
ldifde -f ExportGroup.ldf -s DCservername -d "dc=domain,dc=com" -p subtree -r "(&(objectCategory=group)(objectClass=group))" -l "cn,objectclass,member,managedby" -c fromDN ToDN
Where ExportGroup.ldf: output file name
DCservername: Domain Controller name
fromDN: source domain distinguished name
ToDN: destination domain distinguished name
The member and managedBy values are DNs, so -c rewrites them to the destination domain; the users they point at must already exist from step 2, otherwise the import of that group fails.
b. Copy the file ExportGroup.ldf to the Windows 2008 R2 Domain Controller
c. Log in to the Windows 2008 R2 DC with Domain Admin credentials
d. To import the groups, run the command below:
ldifde -i -f ExportGroup.ldf -k -s DCservername
Where ExportGroup.ldf: input file name
DCservername: Domain Controller name
e. Confirm that the groups and their memberships were imported successfully
4. Enable all users and reset their passwords
a. Imported users are created in a disabled state, because no password is imported with them. To find them in Active Directory Users and Computers, right-click Saved Queries and define a new query: give the query a name, click Define Query, choose Users, select 'Disabled Accounts' and click OK.
b. Select all the users and click Enable Account
c. Select all the users, click Properties, open the Account tab, tick the check box "User must change password at next logon" and click OK
d. To reset a user's password, use the command below (replace <UserName> and <NewPassword>; -mustchpwd yes applies the same setting as step c):
dsquery user -samid <UserName> | dsmod user -pwd <NewPassword> -mustchpwd yes
Now you can ask the users to log in and test the application.
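As an added example (not the post's commands or any code from the post), the script below performs offline the checks that steps 1 to 3 rely on: the DN rewrite that -c fromDN ToDN does, removal of the memberOf back-link that ldifde cannot import, and a check that every group member DN has a matching user in the export before the groups are imported. The LDIF sample and the names parse_ldif, prepare and dangling_members are constructed for this example.

```python
# Added example, not the post's code: pre-import checks on an ldifde export.
# It mirrors the -c fromDN ToDN DN rewrite, drops the read-only memberOf
# back-link, and lists group member DNs missing from the user export.
# SAMPLE is constructed; the parser handles plain "attr: value" lines only
# (no base64 "::" values, no folded continuation lines).
import re

BACKLINKS = {"memberof"}                   # system-maintained; rejected on import
DN_VALUED = {"dn", "member", "managedby"}  # attributes whose values -c rewrites

SAMPLE = """\
dn: CN=Alice,OU=Staff,DC=domain,DC=com
objectClass: user
cn: Alice
memberOf: CN=Finance,OU=Groups,DC=domain,DC=com

dn: CN=Finance,OU=Groups,DC=domain,DC=com
objectClass: group
cn: Finance
member: CN=Alice,OU=Staff,DC=domain,DC=com
member: CN=Bob,OU=Staff,DC=domain,DC=com
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry; attribute names lower-cased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for attr, _, value in (ln.partition(":") for ln in block.splitlines()):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def rewrite_dn(value, from_dn, to_dn):
    """Case-insensitive suffix swap, the substitution ldifde -c performs."""
    if value.lower().endswith(from_dn.lower()):
        return value[: len(value) - len(from_dn)] + to_dn
    return value

def prepare(entries, from_dn, to_dn):
    """Drop back-links and re-home DN-valued attributes in the target domain."""
    return [{a: ([rewrite_dn(v, from_dn, to_dn) for v in vals] if a in DN_VALUED else vals)
             for a, vals in e.items() if a not in BACKLINKS} for e in entries]

def dangling_members(groups, users):
    """Group member DNs with no matching user entry: import users before groups."""
    known = {u["dn"][0].lower() for u in users}
    return [m for g in groups for m in g.get("member", []) if m.lower() not in known]

def check_sample():
    entries = prepare(parse_ldif(SAMPLE), "DC=domain,DC=com", "DC=destination,DC=com")
    users = [e for e in entries if "user" in e["objectclass"]]
    groups = [e for e in entries if "group" in e["objectclass"]]
    return users, groups, dangling_members(groups, users)
```

Running check_sample() on the constructed sample reports Bob as a dangling member, which is exactly the case that makes a group import fail when users are not imported first.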

9 thoughts on "Export Users, Groups and OU's from one AD to another AD"

  1. ldifde -f ExportUser.ldf -s lhr_srv1 -d "dc=tfmpk,dc=com" -c "dc=tfmpk,dc=com" "DC=tfmpk,DC=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName,memberof" –c fromDN ToDN
     I am unable to run the above command; your assistance is requested.


  2. It is possible that the commenter above got the error: "A parameter has been defined more than once". In the commenter's command, and in the article, the "-c" parameter is listed twice, e.g., -c "dc=domain,dc=com" "DC=destination,DC=com" … –c fromDN ToDN . To fix this, just remove the trailing "–c fromDN ToDN" from the command. This was probably a cut and paste error.


  3. There is one issue with the how-to: you export the memberof attribute, which can't be imported. Thanks for the great instructions.
