Advanced LDIFDE

Guest

I want to import all the objects in a DC to another DC. Does it give the same output as that of system state restore? Can I do it with LDIFDE?

In fact I tried it, am successful in exporting all the objects in the AD. But when trying to import getting strange errors and no hint from Microsoft sites.

Any advice will be highly appreciated. I want to import all the computers, Lost and found, groups, email address associated with the user accounts, groups

Thanks so much
 
Cary Shultz [A.D. MVP]

TTS,

I was under the impression that we took care of this already. I may be
mistaken.

If you want to import all of the user account objects from one DC ( of one
domain ) to another DC ( of a different domain ) then you can follow the
example that I gave you in our last exchange. You need to first export all
of the user information from the first domain to a .ldf file and then import
that information ( after making the necessary changes ) to the second
domain.

Here is an example:

C:\>ldifde -f users.ldf -s yourserver.yourfirstdomain.com -t 389 -d "DC=yourfirstdomain,DC=com" -p subtree -r "(&(objectCategory=person)(objectClass=user))" -l "DN,objectClass,userAccountControl,sAMAccountName,displayName,givenName,sn,streetAddress,l,st,postalCode,c,co,countryCode,department,company,physicalDeliveryOfficeName,telephoneNumber"

This will give you the majority of the common fields/attributes in the user
account objects from 'yourfirstdomain.com' in a nice .ldf file called
users.ldf. Please note that there could be more attributes that you might
need to add ( such as homePath, etc. ). You can then change the appropriate
information to reflect 'yourseconddomain.com' via the find and replace tool
in Notepad. Then simply import that file on your second DC (
C:\>ldifde -i -f users.ldf ) and there you have it.....

For the groups you can use the syntax that I gave you in our first exchange
as well. Just in case you do not have it here it is ( probably the same ):

C:\>ldifde -f groups.ldf -s yourserver.yourfirstdomain.com -t 389 -d "DC=yourfirstdomain,DC=com" -p subtree -r "(objectClass=group)" -l "DN,member,info,description,groupType,instanceType,objectClass,name,sAMAccountName"

This gives you the nice file called groups.ldf which will contain all of
your groups. Please note that there will be some domain specific groups
that you might not want to include. I might suggest that you use the -m
switch. All you would then need to do is to import the groups.ldf file in
your new domain ( C:\>ldifde -i -f groups.ldf ).

Not sure that I would do this for the computer account objects or for the
lost and found. Do not believe that it works this way. For the system
state you need to simply install WIN2000 Server and then run dcpromo to
create yourseconddomain.com. You can not - to my knowledge - use ldifde to
do this. Another alternative is to do a restore from backup....but that is
a whole other situation.

As to the e-mail addresses I think that I would first install Exchange 2000
in 'yourseconddomain.com', import the users.ldf file and then the groups.ldf
file and finally manually create the 'mailbox' for each user. You can do
this en masse via the ADUC. This might be easier for you.

I do not know what else to tell you. I gave you the three links to the RFC
and the MSKB link on how to use ldifde. I know that this can be a bit
frustrating for people when they are first beginning with ldifde as it has a
rather unforgiving syntax.

My suggestion would be to play with it in a test lab and become more
familiar with it. This is how I became familiar with it.

BTW - I would be remiss if I did not mention that you could use the -m
switch when exporting all of the user information. The -m switch removes
some of the domain specific information. However, with using the -l switch
with the attributes that I have suggested and then doing the one time (
hopefully ) find and replace from within Notepad you should have a clean
slate.

HTH,

Cary


PS. Please note that there are also other tools to do this. One of the
limitations of ldifde is that you can not really do anything about the
passwords. You would simply have a blank password for each user account
object initially. This may or may not be acceptable. You could look at
addusers.exe ( which allows you to include passwords ) and then use ADModify
to add the majority of other fields. However, the drawback there is that
you have to pretty much create the original file from scratch. ldifde is
much easier in this regard.




 
Herb Martin

I want to import all the objects in a DC to another DC. Does it give the
same output as that of system state restore? Can I do it with LDIFDE?

Cary gave you a definitive answer but the wording of your
question implies that you might be trying to do this within
a SINGLE domain.

i.e., "DC to another DC", "Lost and Found"

LDIFDE is inappropriate for that and might account for your
"strange errors."

If you are trying to synchronize or build another DC for the SAME
domain, then you must either do a DCPromo OR restore system state
from one DC to another server.

--
Herb Martin
 
Cary Shultz [A.D. MVP]

Herb,

You are correct. However, I know from a previous post that this is not the
case.

Thank you for clarifying this though!

Cary
 
Herb Martin

Cary Shultz said:
Herb,

You are correct. However, I know from a previous post that this is not the
case.

Thank you for clarifying this though!


Actually, without that information from the other thread, the fact
(from your post) that you had previously answered was another
indication that he was not really using two domains.

Given that he didn't use the information you gave, it might even
be that the other thread had erroneous information from the poster.

But, in any case, he really needs to give a clearer explanation of the
error message he is receiving and exactly what he is doing.

You gave him an excellent answer -- apparently twice.
 
Guest

Thanks guys. I really appreciate Cary's response.

 
Cary Shultz [A.D. MVP]

Always glad to help.

TTS, if you need more attributes that I might not have included you can
always create a test OU and in that create a test user account and populate
every field that you might need. Then you would simply run ldifde to get
that particular OU information ( where you would enter -d
"OU=Test,DC=yourfirstdomain,DC=com" -p subtree in place of what I have
previously given you ) and NOT use the -l switch. This way you will have
everything.

Then, take a look at that .ldf file and you will see what the attributes
names are. Then, you can include them in the -l switch when you run it for
real!

Anyway, if you have more questions please feel free to ask. I will do what
I can to help.

Cary
 
Guest

Oh man, the import just simply doesn't work. Am I missing something here? I used the same commands, replaced with my domain name, and did an import with ldifde -i -f filename. It throws out the error "parameter is incorrect". How can I troubleshoot this?

 
Cary Shultz [A.D. MVP]

Did you change the domain name like I suggested? In your old domain (
yourolddomain.com ) where you originally ran ldifde to create the users.ldf
file you have the entry "DC=yourolddomain,DC=com". You will need to change
this to "DC=yournewdomain,DC=com". This is what I was suggesting with the
Find and Replace tools in Notepad.

HTH,

Cary
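
The domain-name change described above and the blank-password caveat from the earlier PS, as an added example that is not from any poster in the thread: it rewrites the DN suffix across folded and base64-encoded (`attr::`) LDIF lines, which a plain find and replace does not reach, and sets the ACCOUNTDISABLE bit (0x2) in userAccountControl so accounts imported without a password start disabled. The function names and the sample entries are assumptions constructed for illustration.

```python
import base64
import re

ACCOUNTDISABLE = 0x2  # userAccountControl bit: account is disabled

def unfold(text):
    """Join RFC 2849 continuation lines (newline + one space continues a line)."""
    return re.sub(r"\r?\n ", "", text).splitlines()

def retarget(value, old, new):
    """Swap the domain suffix only where it ends a DN, ignoring case."""
    pat = re.compile(r"(^|,)\s*" + re.escape(old) + r"$", re.IGNORECASE)
    return pat.sub(lambda m: m.group(1) + new, value)

def rewrite_ldif(text, old, new, disable_users=True):
    out = []
    for line in unfold(text):
        m = re.match(r"([A-Za-z0-9;.-]+)(::|:<|:)\s*(.*)$", line)
        if not m:                      # blank entry separators and comments
            out.append(line)
            continue
        attr, sep, value = m.groups()
        if sep == "::":                # base64, e.g. a DN with non-ASCII characters
            try:
                plain = base64.b64decode(value).decode("utf-8")
                value = base64.b64encode(retarget(plain, old, new).encode()).decode()
            except (ValueError, UnicodeDecodeError):
                pass                   # binary attribute: leave untouched
        else:
            value = retarget(value, old, new)
            if disable_users and attr.lower() == "useraccountcontrol":
                value = str(int(value) | ACCOUNTDISABLE)
        out.append(f"{attr}{sep} {value}")
    return "\n".join(out) + "\n"       # written unfolded; folding is optional in LDIF

# Constructed sample in the shape of an LDIF export (not taken from the thread).
SAMPLE = (
    "dn: CN=Test User,OU=Sales,DC=yourfirst\n domain,DC=com\n"
    "changetype: add\nobjectClass: user\nuserAccountControl: 512\n\n"
    "dn:: " + base64.b64encode("CN=J\u00f6rg,OU=Sales,DC=yourfirstdomain,DC=com".encode()).decode()
    + "\nchangetype: add\nobjectClass: group\n"
    "member: CN=Test User,OU=Sales,DC=yourfirstdomain,DC=com\n"
)

if __name__ == "__main__":
    print(rewrite_ldif(SAMPLE, "DC=yourfirstdomain,DC=com", "DC=yourseconddomain,DC=com"))
```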

 
Guest

To get familiarized, I set up an AD box in my test lab with the same domain, let me say xx.com. I exported from production xx.com and imported to the test lab AD box called xx.com. The lab is totally isolated and will not talk anywhere else. Any suggestions?

Thanks

 
