Export/Import Active Directory

Status
Not open for further replies.

drkestrel

MIS
Sep 25, 2000
439
GB
I have a Windows 2000 Server domain controller, and I intend to rebuild it on a new server.

I obviously want to move the users and security group from the old server to the new server.

It appears that with LDIFDE, I can't import group membership. The following attributes appear to cause problems:
Code:
    memberOf, primaryGroupID, badPwdCount, lastLogoff, lastLogon, logonCount, pwdLastSet, badPasswordTime, sAMAccountType

When I try to import an LDF file that contains these attributes, the following error is returned:

Logging in as current user using SSPI
Importing directory from file "c:\test.ldf"
Loading entries.
Add error on line 1: Unwilling To Perform
The server side error is "Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)."
0 entries modified successfully.
An error has occurred in the program


Code:
    badPwdCount, lastLogoff, lastLogon, logonCount, pwdLastSet, badPasswordTime
are probably not too crucial, but it would be quite a pain if group memberships cannot be imported. Note the same error occurred even if I import the Security Group first before importing user objects with the memberOf and primaryGroupID properties set. In addition, the password is also not exported.

Questions:
1) Are there any ways to get LDIFDE to import group membership? If so, how?
2) Are there any ways to get LDIFDE to import passwords? If so, how? If not, and I were to use ADSI after an LDIFDE import:
Code:
    objADSIUser.ChangePassword
what parameter do I pass to the oldpassword argument?

Note, the source server is Windows 2000 Server with SP3, and the destination server is Windows 2000 Server with SP4.
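The "owned by the SAM" rejection above comes from attributes the directory maintains itself. memberOf in particular is a back-link: it is computed from the member attribute on each group and is never writable, so membership has to be imported by adding the user's DN to member on the group rather than by setting memberOf on the user. The script below, an added example that is not from the original thread, post-processes an LDIFDE export to do exactly that: it drops the SAM-owned attributes listed in the post (the DC assigns the default primary group on creation), and turns the collected memberOf values into changetype: modify operations against the groups. The SAMPLE_EXPORT entries and the example.test DNs are constructed for illustration.

```python
"""Clean an LDIFDE export for re-import and rebuild group membership.

Added example; assumes the export came from `ldifde -f users.ldf` on the
source DC. Sample data below is constructed, not a real export.
"""
import base64
from collections import OrderedDict

# Attributes the post reports as rejected on import ("owned by the SAM"),
# plus memberOf, whose values are derived from the groups' member attribute.
SAM_OWNED = {
    "memberof", "primarygroupid", "badpwdcount", "lastlogoff", "lastlogon",
    "logoncount", "pwdlastset", "badpasswordtime", "samaccounttype",
}


def parse_ldif(text):
    """Return a list of entries; each entry is a list of (attr, value, is_b64)."""
    raw_lines = []
    for line in text.splitlines():
        # A leading space is an LDIF continuation: fold into the previous line.
        if line.startswith(" ") and raw_lines:
            raw_lines[-1] += line[1:]
        else:
            raw_lines.append(line)
    entries, current = [], []
    for line in raw_lines:
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        is_b64 = value.startswith(":")  # "attr:: <base64>" form
        value = value[1:] if is_b64 else value
        current.append((attr, value.strip(), is_b64))
    if current:
        entries.append(current)
    return entries


def decode(value, is_b64):
    return base64.b64decode(value).decode("utf-8") if is_b64 else value


def entry_dn(entry):
    for attr, value, is_b64 in entry:
        if attr.lower() == "dn":
            return decode(value, is_b64)
    raise ValueError("entry without dn")


def split_export(text):
    """Return (cleaned_entries, memberships); memberships maps group DN -> [user DN]."""
    cleaned, memberships = [], OrderedDict()
    for entry in parse_ldif(text):
        dn = entry_dn(entry)
        kept = []
        for attr, value, is_b64 in entry:
            name = attr.lower()
            if name == "memberof":
                # Back-link: remember it so we can write the forward link (member).
                memberships.setdefault(decode(value, is_b64), []).append(dn)
            elif name in SAM_OWNED:
                continue              # would trigger "Unwilling To Perform"
            else:
                kept.append((attr, value, is_b64))
        cleaned.append(kept)
    return cleaned, memberships


def format_entry(entry):
    return "\n".join(f"{a}:{':' if b else ''} {v}" for a, v, b in entry) + "\n"


def render_users(cleaned):
    return "\n".join(format_entry(e) for e in cleaned)


def render_membership(memberships):
    """One modify operation per group adding the users' DNs to `member`."""
    blocks = []
    for group_dn, user_dns in memberships.items():
        lines = [f"dn: {group_dn}", "changetype: modify", "add: member"]
        lines += [f"member: {u}" for u in user_dns]
        lines.append("-")
        blocks.append("\n".join(lines) + "\n")
    return "\n".join(blocks)


# Constructed sample export (not real directory data).
SAMPLE_EXPORT = """dn: CN=Jane Doe,OU=Staff,DC=example,DC=test
changetype: add
objectClass: user
sAMAccountName: jdoe
memberOf: CN=Finance,OU=Groups,DC=example,DC=test
memberOf: CN=VPN Users,OU=Groups,DC=example,DC=test
primaryGroupID: 513
badPwdCount: 0
pwdLastSet: 126969321223581264
sAMAccountType: 805306368

dn: CN=Finance,OU=Groups,DC=example,DC=test
changetype: add
objectClass: group
sAMAccountName: Finance
"""

if __name__ == "__main__":
    users, groups = split_export(SAMPLE_EXPORT)
    print(render_users(users))        # import first: groups and users
    print(render_membership(groups))  # import last: membership modifies
```

Import the cleaned object file first and the membership file second, since the modify operations fail if either the group or the user DN does not exist yet. The same attributes can also be left out at export time with ldifde's -o switch (a comma-separated omit list), which avoids the post-processing step when the export is repeated.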
 
Are you creating a new forest (changing the domain name)? If so, I think you can use the Active Directory Migration Tool to move everything over.

If you are just building a new DC on newer hardware, but keeping the domain the same, then the easiest process is:
1) Make the new box a DC of the existing domain
2) Allow time for replication between the two to occur
3) Transfer all of the FSMO roles to the new server
4) Test to make sure everything is working correctly (servers, workstation logons, etc)
5) Demote the original DC to a member server
6) Test again :)
7) Do whatever you want with the old server
This way all of your user accounts and groups are preserved as is, with nothing to import. This does make a few assumptions, such as that you have DNS on a separate server, but DNS is fairly easy to transfer as well.

Does that make sense?
 