Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

LDIFDE isn't importing AD info.

Status
Not open for further replies.
GVN

GVN

MIS
Dec 2, 2005
238
US
I am trying to clone my w2k server in a lab network so that I can test an upgrade. Once the upgrade works correctly, then I will perform the upgrade on the production server.

To get all the Active Directory accounts cloned as well, I was trying to use LDIFDE. I was successful on running "LDIFDE -f FILENAME.ldf" to export the AD accounts and groups from the production server.

I am having the issue on IMPORTING them onto the lab server. I have tried "LDIFDE -i FILENAME.ldf" and other variations of that syntax, such as "LDIFDE -i FILENAME.ldf -s SERVERNAME" but nothing seems to work.

The error message I get says:

Connecting to "servername.domain_name.com"
Logging in as current user using SSPI
Importing directory from file FILENAME.LDF
Error occured during initialization
File operation failure
0 entries modified successfully

I am logged on with the same username as the one I do on the production server. The only diffrence is that I had to manually create the lab user Active Directory account that I am logged on as during this process, as the lab server didn't have that account already created yet.

Any ideas?

GVN
 
Sort by date Sort by votes
This doesn't really help me out unfortunately.

Hey, the first 2 lines of the LDF file of mine looks like this:

dn: DC=mydomain,DC=com
changetype: add

As opposed to looking like this:

dn: CN=Amie Baldwin,OU=Test OU,DC=dpetri,DC=net
changetype: add

Does that make a difference, because before I was getting some kind of error message saying it didn't like the 'add' keyword that it had in it...

GVN
 
Upvote 0 Downvote
When I did this procedure I had to create the OU structure before I imported the users. By running ldifde it does not create the OU structure, so if the structure is not in place the import will not work.

For example, taking the exmple above.
dn: CN=Amie Baldwin,OU=Test,DC=dpetri,DC=net
Make sure the OU test is already built in the domain before you try to import the user.

So two steps: 1. Import Export OU Structure 2. Import Export User objects.
Export the organizational units from the source domain
1. Log on as Administrator in the Export domain. If you log on using an account that does not have administrative privileges, you may not be able to perform export and import operations against the Active Directory.
2. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
3. At the command prompt, type:
ldifde -f exportOu.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou"
Running this command exports all OUs except domain controllers into a file named ExportOU.ldf.

Export the user accounts from the source domain
At the command prompt, type:
ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"
Running this command exports all users in the Export domain into a file named Exportuser.ldf. If you do not have all the required attributes, the import operation does not work. The attributes objectclass and samAccountName are required, but more can be added as needed.

NOTE: Built-in accounts, such as Administrator, do not have a given name. By default, the LDAP filter used above does not export those accounts. LDIFDE does not support exporting passwords.
Import the organizational units from Export to Import
1. Log on as an Administrator in the Import domain. If you log on using an account that does not have administrative privileges, you may not be able to perform export and import operations against the Active Directory.
2. Open the file Exportou.ldf using Notepad.
3. In Notepad, on the Edit menu, click Replace.
4. In the Find what box type, Export. In the Replace with box type, Import.
5. Click Replace All.
6. After you verify that the domain names are replaced, save, and then close the file.
7. At the command prompt, type:
ldifde -i -f ExportOU.ldf -s Server2
You should see a message stating the number of entries that have been modified and that the command completed successfully.

Note In this situation, you must complete the first step prior to completing the second step so that the OUs are available to contain the users.
Import the users from Export to Import
1. Open the file Exportuser.ldf using Notepad.
2. In notepad, open the Edit menu and click Replace.

Note Remember that in this example, "Export" is the name of the domain from which objects are exported and "Import" is the name of the domain to which objects are imported. You will replace "Export" with the name of the domain you exported from and you will have to replace "Import" with the domain you are importing to.
3. In the Find what box type, Export. In the Replace with box, type Import.
4. Click Replace All.
5. After you verify that the domain names are replaced, save, and then close the file.
6. At the command prompt, type:
ldifde -i -f Exportuser.ldf -s Server2
7. View the newly created contacts using either the Active Directory Users and Computers snap-in tool or using the Windows Address Book.
NOTE: Because LDIFDE does not export passwords, when the users are imported into the directory, the account is disabled and the password is set to null. This is done for security reasons. Also, the account option "User must change password at next logon" is selected.

Here is the link for the info above.
 
Upvote 0 Downvote
That worked, thanks!!!!, however I thought I would let you know what it did to the accounts that I've noticed so far:

1. It disabled all the accounts. (no big deal)
2. It only gave them 'Domain Users' membership. All other Groups have been stripped out. (not a problem in my lab environment, but could pose an issue to others, CACLS may be an easy fix with scripting...)

Also, the ExportOu.ldf still had the Domain Controllers OU in it as the first entry, so it had to be manually removed, then re-ran again because it errored out on line 1 and the import process failed. After figuring it out and removing it, it ran fine then.

GVN
 
Upvote 0 Downvote
This is why your accounts are disabled - "LDIFDE does not support exporting passwords."
There is a way to do this but I don't remeber the solution off the top of my head.

The reason your group membership is not there is because you pobably did not export that attribute from the domain. If you ran the sample above:
(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"

You only exported:
cn
givenName
ojectclass
SamAccount

You can play around with this to pull more attributes out of active directory.

Glad it is now working for you.
 
Upvote 0 Downvote
Is there a book or web site that explains all the "language" that is used to do scripting like this for AD?
 
Upvote 0 Downvote
Who-rah!!! as the soldiers say...

LOL

Have a great weekend!

GVN
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

rzammit82
  • Locked
  • Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
345
suncit
suncit
DrB0b
  • Locked
  • Question
Hybrid on prem AD with Azure AD
Replies
2
Views
151
DrB0b
DrB0b
DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
0
Views
223
DTGMI
DTGMI
mangentle
  • Locked
  • Question
What are the key advantages of using Microsoft Windows Servers for businesses?
Replies
1
Views
439
gbaughma
gbaughma
on3mansh0w
  • Locked
  • Question
[HELP] AD GPO not applied unexpectedly
Replies
0
Views
117
on3mansh0w
on3mansh0w

Part and Inventory Search

Sponsor

Back
Top