Active Directory
HOW TO USE LDIFDE to export and to import directory objects
by admin on Sep.11, 2009, under Active Directory
This is a step-by-step guide to exporting Organizational Units (OUs) and user accounts from one Active Directory domain and importing them into another. In this example, "SourceDomain" is the name of the domain from which objects are exported and "TargetDomain" is the name of the domain into which objects are imported. LDIFDE can also be used to import data from most third-party directories into Active Directory.
Log on as Administrator in the Source Domain. If you log on using an account that does not have administrative privileges, you may not be able to perform export and import operations against the Active Directory.
At the command prompt, type:
ldifde -f ExportOU.ldf -s DC01 -d "dc=SourceDomain,dc=se" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou"
DC01 is the Server name of the Source Domain Controller
This command exports all OUs except domain controllers into a file named ExportOU.ldf.
At the command prompt, type:
ldifde -f Exportuser.ldf -s DC01 -d "dc=SourceDomain,dc=se" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"
DC01 is the Server name of the Source Domain Controller
INFO: Built-in accounts, such as Administrator, do not have a given name. By default, the LDAP filter used above does not export those accounts. LDIFDE does not support exporting passwords.
INFO: When you omit the -s parameter, LDIFDE chooses a global catalog for exports. Depending on the domain controller placement, this server might be a domain controller for a different domain, and exports might fail. You see this when you examine the output of LDIFDE. In this case, specify a local domain controller of the domain in which the objects are hosted.
Log on as an Administrator in the TargetDomain domain. If you log on using an account that does not have administrative privileges, you may not be able to perform export and import operations against the Active Directory.
Open the file Exportou.ldf using Notepad.
In Notepad, on the Edit menu, click Replace.
In the Find what box type, SourceDomain. In the Replace with box type, TargetDomain.
Click Replace All.
After you verify that the domain names are replaced, save, and then close the file.
At the command prompt, type:
ldifde -i -f ExportOU.ldf -s DC02
DC02 is the Server name of the Target Domain Controller
INFO: Import the OU file (ExportOU.ldf) before the user file (Exportuser.ldf), so that the OUs already exist to contain the users.
Open the file Exportuser.ldf using Notepad.
INFO: Remember that in this example, "SourceDomain" is the name of the domain from which objects are exported and "TargetDomain" is the name of the domain to which objects are imported. Replace "SourceDomain" with the name of the domain you exported from, and "TargetDomain" with the name of the domain you are importing to.
In the Find what box type, SourceDomain. In the Replace with box, type TargetDomain.
Click Replace All.
After you verify that the domain names are replaced, save, and then close the file.
At the command prompt, type:
ldifde -i -f Exportuser.ldf -s DC02
NOTE: DC02 is the Server name of the Target Domain Controller
View the newly created user accounts using either the Active Directory Users and Computers snap-in or the Windows Address Book.
NOTE: Because LDIFDE does not export passwords, when the users are imported into the directory each account is disabled and its password is set to null. This is done for security reasons. Also, the account option "User must change password at next logon" is selected.
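The Notepad "Replace All" step above rewrites every occurrence of the domain name in the file, including attribute values such as cn or description that happen to contain it. The following Python is an added example (not from the original post, and LDIFDE's own -c FromDN ToDN switch can do the same substitution for you): it rewrites only the DN suffix on "dn:" lines, and shows how many more lines a blind Replace All would touch. The sample records and their values are constructed; the attribute names follow the -l list used in this post.

```python
# Added example (not from the original post): rewrite only the DN suffix of
# an exported LDIF file, instead of a blind "Replace All" in Notepad.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=UserAccounts,DC=SourceDomain,DC=se
changetype: add
cn: Jane Doe
givenName: Jane
objectClass: user
sAMAccountName: jane.doe
description: moved from the SourceDomain file server

dn: CN=SourceDomain Helpdesk,OU=UserAccounts,DC=SourceDomain,DC=se
changetype: add
cn: SourceDomain Helpdesk
objectClass: user
sAMAccountName: helpdesk
"""  # constructed sample records in the shape "ldifde -f" writes them

SRC_DN = "DC=SourceDomain,DC=se"
DST_DN = "DC=TargetDomain,DC=se"


def rewrite_dn_suffix(ldif_text, from_dn=SRC_DN, to_dn=DST_DN):
    """Replace from_dn with to_dn only where it ends a 'dn:' line.

    Attribute values such as cn or description are left untouched.
    Returns (rewritten_text, number_of_dn_lines_changed).
    """
    out, changed = [], 0
    for line in ldif_text.splitlines():
        key = line.lower()
        if key.startswith("dn::"):
            # base64-encoded DN: a text replace would silently miss it
            raise ValueError("base64-encoded dn found, decode before rewriting")
        if key.startswith("dn:") and key.endswith(from_dn.lower()):
            line = line[: -len(from_dn)] + to_dn
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


def naive_replace_all(ldif_text, old="SourceDomain", new="TargetDomain"):
    """What Notepad's Replace All does: every occurrence, in every attribute."""
    return ldif_text.replace(old, new)


def lines_changed(before, after):
    """Count the lines that differ between two same-length LDIF texts."""
    return sum(1 for a, b in zip(before.splitlines(), after.splitlines()) if a != b)
```

Run the rewrite over the real Exportuser.ldf and compare the change count with the number of records before importing; a count larger than the record count means a value other than a DN was altered.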
For example, to perform the export operation outlined above against a global catalog (GC) on port 3268, the LDIFDE command would be:
ldifde -f Exportuser.ldf -s DC01 -t 3268 -d "dc=SourceDomain,dc=se" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,sAMAccountName"
DC01 is the Server name of the Source Domain Controller
Sample Import/Modify File Format:
changetype: modify
replace: extensionAttribute1
extensionAttribute1: Staff
-

dn: CN=John Doe,OU=UserAccounts,DC=harun,DC=se
changetype: modify
replace: extensionAttribute1
extensionAttribute1: Staff
-
Import files with multivalued attributes have the form of:
dn: distinguishedName
changetype: modify
replace: attribute [this is the attribute to be changed]
attribute: value1
attribute: value2
attribute: valueN [where N is the next value]
- [hyphen, required to terminate the record]
Example:
dn: CN=Connector for Lotus Notes (EX1),CN=Connections,CN=First Routing Group,CN=Routing Groups,CN=First Administrative Group,CN=Administrative Groups,CN=HARUN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=harun,DC=se
changetype: modify
replace: msExchExportContainersLinked
msExchExportContainersLinked: OU=GroupWise Users,DC=harun,DC=se
msExchExportContainersLinked: OU=AD Users,DC=harun,DC=se
msExchExportContainersLinked: CN=Users,DC=harun,DC=se
-
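The modify record format above, as an added example that is not part of the original post: a small Python generator for "changetype: modify" records with a multivalued replace, and a checker that parses them back and rejects a record missing its "-" terminator. The DNs and values reused below come from the post's own samples; records are assumed to be separated by a blank line, as LDIFDE expects.

```python
# Added example (not from the original post): build and check LDIF
# "changetype: modify" records that replace a (possibly multivalued) attribute.

def modify_replace_record(dn, attribute, values):
    """Return one LDIF modify record replacing all values of `attribute`.

    An empty `values` list is allowed (it clears the attribute). The trailing
    '-' line is the terminator LDIFDE requires for every modify record.
    """
    lines = [f"dn: {dn}", "changetype: modify", f"replace: {attribute}"]
    lines += [f"{attribute}: {v}" for v in values]
    lines.append("-")
    return "\n".join(lines) + "\n"


def parse_modify_records(ldif_text):
    """Parse blank-line-separated modify records into (dn, attribute, values)."""
    records, block = [], []
    for line in ldif_text.splitlines() + [""]:
        if line == "":
            if block:
                records.append(_parse_block(block))
                block = []
        else:
            block.append(line)
    return records


def _parse_block(block):
    """Check one record's shape and split it into its parts."""
    if block[-1] != "-":
        raise ValueError("record %r lacks the '-' terminator" % block[0])
    if len(block) < 4 or block[1] != "changetype: modify":
        raise ValueError("record %r is not a modify record" % block[0])
    dn = block[0].split(": ", 1)[1]
    attribute = block[2].split(": ", 1)[1]
    # every value line must carry the attribute named on the replace: line
    values = []
    for line in block[3:-1]:
        name, value = line.split(": ", 1)
        if name.lower() != attribute.lower():
            raise ValueError("value line %r does not match %r" % (line, attribute))
        values.append(value)
    return dn, attribute, values
```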
LDIFDE Parameters
-i Turn on Import Mode (The default is Export)
-f filename Input or Output filename
-s servername The server to bind to
-c FromDN ToDN Replace occurrences of FromDN to ToDN
-v Turn on Verbose Mode
-j Log File Location
-t Port Number (default = 389)
-? Help
Export Parameters
-d RootDN The root of the LDAP search (Default to Naming Context)
-r Filter LDAP search filter (Default to "(objectClass=*)")
-p SearchScope Search Scope (Base/OneLevel/Subtree)
-l list List of attributes (comma separated) to look for in an LDAP search.
-o list List of attributes (comma separated) to omit from input
-g Disable Paged Search
-m Enable the SAM logic on export
-n Do not export binary values
Import Parameter
-k The import will go on ignoring 'Constraint Violation' and 'Object Already Exists' errors
Credentials Parameters
-a UserDN Password Sets the command to run using the supplied user distinguished name and password. For example: "cn=yourname,dc=yourcompany,dc=com password"
-b UserName Domain Password Sets the command to run as username domain password. The default is to run using the credentials of the currently logged on user.