Introduction to LDIFDE 2003/8 Example
People are always asking me for more ‘real world’ examples of scripts. Well a reader has kindly sent in his practical example of a set of LDIFDE scripts for us to amend. The purpose of these LDIFDE scripts is to export all OUs, Users and Groups from not one but two domains.
Source Forest – Two domains: DNS Namespaces: (root.guy and guy.com). Once you understand the examples within this zip file you can be change it to any two namespaces, ie: root.local and corp.local. But the zip referrers to root.guy and guy.com.
Target Forest – One domain: (guy.local).
(Click to enlarge)
So what we are doing is exporting all OUs, Users, and Groups out of source domain: (guy.com) from the two domain forest where guy.com is the user domain and root.guy is just the security holder of Enterprise/Schema Admins.
Now I needed a Test Forest (different namespace, you can imagine why!) out in the production network with the same OUs, Users, and Groups from the user domain guy.com, but I did not want the complexity of a two domain forest. Hence why I am doing this.
Extract the zip. You will see: The example LDIFDE Zip File
\ldifde\ou
\ldifde\user
\ldiefde\group
In the root of ldifde\ you will see an exportall. Self explanatory when you look at the bat file. Then inside the OU\, User\ and Group\ are the import bat files. They are separated to house a log file at the -j . (the logs).
Pay close attention to the: -c dc=guy,dc=com DC=guy,DC=local in the exportall.bat and -c dc=root,dc=guy DC=guy,DC=local in the import.bat files. This is the trick to reduce from two domain namespaces down to one domain name space. Do not ask me how to do this with 3 or more domains!
So if you want to pull this off build a two domain forest as your source. Add a bunch of OUs, Users, and Groups. Run the Exportall. This builds the ldf files for the import process. Go build a test forest with one domain to house these imports. Then go to your target one domain forest and run the individual imports.
The TOUGH work in this process was identifying the -o omit attributes. You could have done this another way by just doing the list, but I chose to figure -o to eliminate the system attributes. More flexible in my mind.
NOTE: Now it is important to match your schema extensions in both forests, meaning you must extend the schema in the new target forest so attributes will map. For example, I had to do an Exchange schema extend and an LCS 2010 schema extend.
I realize I garbled this together rather quickly. You just let me know if you can make sense out of this babbling. You are most welcome to call me for more details.
Note: we have many segregated labs that were built off a virtual dc in production for both domains in our production forest, which most of our testing can get by on this. The downfall of this process is that the namespace is identical and by know means can you have two forest with the same namespaces out in production. Hence he need for this process.
I needed to build a copy of this forest with different names for my Identity Management project. I eventually will end up with three forests:
Development – guydev.com
Q/A – guyqa.com
Production – guyprod.com
In the NT days we collect domains for political realms, now we will be collecting forests for the multitude of test scenarios we will soon embark on. This new test forest methodology in the production is the first for our company. Microsoft brained washed our System Administrators that this was taboo and would destroy the universe as we know it today. Microsoft scare tactic! After working with it now we all realize that is bogus and we now realize the value of many test forests in the production network.
Guy Recommends: SolarWinds’ Free Bulk Import Tool
Import users from a spreadsheet. Just provide a list of the users with their fields in the top row, and save as .csv file. Then launch this FREE utility and match your fields with AD’s attributes, click and import the users.
Optionally, you can provide the name of the OU where the new accounts will be born. Download your FREE bulk import tool.
If you need more comprehensive software, download a free trial of SAM (Server & Application Monitor)
See also
If you like this page then please share it with your friends
Download your eBook: How to use LDIFDE commands – only $5.25
Save hours of frustration and buy Guy’s eBook. The extra features include: detailed instructions on how to add and modify user accounts. Worked LDIFDE examples on changetype: and unicodePwd.
You get a printer friendly version with copy enabled, and no expiry date.
