Re: Export/import AD
- From: "Cary Shultz [A.D. MVP]" <cwshultz@xxxxxxxx>
- Date: Fri, 19 Aug 2005 06:37:11 -0400
Peter,
I would do a search in this NG for postings from me about five to eight
months ago. If you are using Outlook Express for your NG reader then this
should be easy to do.
Anyway, for the user account objects try something like this:
c:\>ldifde -i -f c:\users.ldf -s dc01.yourdomain.com -t 389 -d
"DC=yourdomain,DC=com" -r "(sAMAccountType=805306369)" -p subtree -l
"cn,sAMAccountName,objectClass,userAccountControl,displayName,givenName,sn"
For the group objects try something like this:
c:\>ldifde -i -f c:\groups.ldf -s dc01.yourdomain.com -t 389 -d
"DC=yourdomain,DC=com" -r objectClass=group)" -l "cn,groupType,member"
Now, this is a very generic solution. Let's say, for example, that you keep
all of your user account objects in an OU structure that looks like this:
OU=Offices
OU=Roanoke
OU=Richmond
OU=Blacksburg
OU=Raleigh
You search parameter for the user account objects could look like this: -d
"OU=Offices,DC=yourdomain,DC=com" -p subtree. This might be a little bit
better.
NOTE: if you use the -m switch, then you can not use -r
"(sAMAccountType=805306369)". You would have to go with the standard filter
of -r "(&(objectCategory=person)(objectClass=user))".
What does the -m switch do? It removed 'domain-specific information'. Now,
what does that mean? Let's say that you have a mailbox size restriction.
One that you have created with a policy on the Exchange Server. I forget
the exact attributes but they are something like mbdefaultlimit,
mboverdefaultlimit and mbhardoverdefaultlimit ( going from memory
here.....something like this ). Each user account object that was subject
to this policy would have those attributes and the corresponding value.
Were you to use the -m switch then you would not see these attributes /
values since they are specific to that domain!
So, this is what you would run on your production environment. Then,
recreate the environment on the test / lab server ( run dcpromo, et al ).
Then, simply run c:\>ldifde -f c:\users.ldf ( assuming that this is where
you have placed the .ldf file ). Next, run the c:\>ldifde -f c:\group.ldf
file.
Just make sure that your OU structure is the same in your test environment
as in your producation environment. If it is not there will be a problem.
Does that clear things up?
Now, for a good into to ldifde and how to use it take a look at the
following:
http://support.microsoft.com/?id=237677
--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
"Peter K" <pmkdatabase_at_yahoo_dot_ca> wrote in message
news:n1a8g1t9r2n1u47boopgtmsulkf2ar6ff5@xxxxxxxxxx
> Hi Cary,
>
> I am trying that now. The system is W2K SP4+rollup and you do
> understand the situation correctly.
>
> My problem at the moment is figuring out what attributes to export in
> order to get just users and groups. I've tried using the -m switch as
> well as various filters on ldifde but can't get it.
>
> Even something as simple as this, run on dc1.local.pmci.net gives an
> error "A referral was returned from the server"
>
> <text file starts here>
> dn: DC=local,DC=pmci,DC=net
> changetype: add
> name: local
>
> dn: OU=No screen lock,DC=local,DC=pmci,DC=net
> changetype: add
> name: No screen lock
>
> dn: CN=(Ying) Chanram Sornsilp,OU=No screen
> lock,DC=local,DC=pmci,DC=net
> changetype: add
> name: (Ying) Chanram Sornsilp
>
> dn: OU=Staff,DC=local,DC=pmci,DC=net
> changetype: add
> name: Staff
> <text file ends here>
>
> Thanks a lot,
>
> Peter
>
> On Tue, 16 Aug 2005 14:14:53 -0400, "Cary Shultz [A.D. MVP]"
> <cwshultz@xxxxxxxx> wrote:
>
>>Peter,
>>
>>I will take a different approach from the one that Paul is suggesting.
>>And
>>here is why ---- just to make sure that I am reading your post correctly.
>>
>>It sounds to me like you want to take all of the user account objects and
>>group objects from an existing domain and somehow 'import' them into
>>another
>>domain. Most likely for testing purposes. In other words, you want to
>>recreate your existing production environment into a testing environment
>>without having to manually create each group object and user account
>>objects
>>et al.
>>
>>I would very much look at ldifde for this. It will do a very nice job.
>>Have used it several times in production environments.
>>
>>All you would do would make sure that you specify the attributes that you
>>want included in the .ldf file ( by using the -l switch ....and that is a
>>lower case letter 'L' and not the number "1" ). Then, in your test domain
>>simply recreate the OU structure ( assuming that you have created such a
>>structure ) and then import that .ldf file. That would be your user
>>account
>>objects. I would then do the same for the groups objects.
>>
>>Now, the one caveat that you might need to consider ( well, there are
>>several ) is if you are using different domain names. Say that your
>>production environment is abc.com and your test environment is abc.local.
>>Clearly there will be a problem when you try to import that .ldf file.
>>So,
>>to create this simply use the 'replace' function in Notepad and replace
>>dc=abc, dc=com with dc=abc,dc=local. Then there should be no problems.
>>
>>Please notice that ldifde does not allow you to create a
>>password.....well,
>>not without a lot of trouble. So, you will be creating a bunch of user
>>account objects in the test domain that do not have a password. Since you
>>did not mention if this is in a WIN2000 or a WIN2003 environment you might
>>have a problem with the creation of the user account objects. Simply
>>disable the requirement for complex passwords - if that is indeed the
>>problem - and you should be fine.
>>
>>HTH,
>>
>>--
>>Cary W. Shultz
>>Roanoke, VA 24012
>>Microsoft Active Directory MVP
>>
>>http://www.activedirectory-win2000.com
>>http://www.grouppolicy-win2000.com
>>
>>
>>
>>"Peter Kaufman" <pmkdatabase_at_yahoo_dot_ca> wrote in message
>>news:5lj3g1tupl4ucibud1fr33ht7hqhnartq3@xxxxxxxxxx
>>> For various reasons, I want to recreate, not rebuild, a domain Put
>>> another way, replace the domain with another one of the same name,
>>> which will contain the same users, groups, and eventually mailboxes
>>> and mail.
>>>
>>> Right now my concern is not with the workstations but AD and Exchange.
>>> Will tools like csvde or ldifde allow me to import *just* users and
>>> groups into the new domain - are they designed for different forests
>>> like that?
>>>
>>> Playing around with this on virtual machines I am not getting very
>>> far, but would like to know if I am working in the right direction.
>>>
>>> Thanks,
>>>
>>> Peter
>>>
>>
>
.
- Follow-Ups:
- Re: Export/import AD
- From: Peter Kaufman
- Re: Export/import AD
- From: Peter Kaufman
- Re: Export/import AD
- References:
- Export/import AD
- From: Peter Kaufman
- Re: Export/import AD
- From: Cary Shultz [A.D. MVP]
- Re: Export/import AD
- From: Peter K
- Export/import AD
- Prev by Date: adm template to outlook 6
- Next by Date: anonymous lookups
- Previous by thread: Re: Export/import AD
- Next by thread: Re: Export/import AD
- Index(es):
Relevant Pages
|
Loading
