
Re-install Active Directory (but keep the user list)?

Hello Experts!

My basic questions are as follows:

1. What is the best way to re-install Active Directory for my company?
2. Can I "export" the user list for "import" into the new Active Directory Schema?
3. What are the consequences of doing this?

In addition to that, I feel it best to provide background information...

1. The administrator that I replaced didn't do anything with Active Directory except the most basic (i.e. DNS & User List). So there are no Organizational Units; there are no weird permission issues.

2. The "first domain controller" is on Windows 2000, and there is an "additional domain controller" on Windows 2003 Enterprise Edition.

3. It appears that the previous admin installed Exchange 2003 Standard on the Windows 2003 machine, and then "re-installed" a completely new instance of Windows 2003 and Exchange 2003 on that same machine, without first removing it properly from Active Directory.

4. The Exchange Server is not in use. Yet. But I would like it to be.

5. I need to completely remove Active Directory, not just install over it.

6. If possible, I want to use ldifde.exe to export ONLY the users, so that after the 2000 machine is DEMOTED and all of AD is uninstalled, I can then import the user list back in and the whole thing will seem transparent to my users. (Side question: what happens to passwords if this happens?)


Thank you in advance to whoever is willing and able to answer!

-neomage

Asked by: neomage23
wtp_issc Commented:
Export the User Accounts from the Source Domain
At the command prompt, type:
ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"

Running this command exports all users in the Export domain into a file named Exportuser.ldf. If you do not have all the required attributes, the import operation does not work. The attributes objectclass and samAccountName are required, but more can be added as needed.

NOTE: Built-in accounts, such as Administrator, do not have a given name. By default, the LDAP filter used above does not export those accounts. LDIFDE does not support exporting passwords.


From the article:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q237/6/77.ASP&NoWebContent=1
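As an added illustration (not part of wtp_issc's answer or of the Microsoft article it quotes), the following Python script parses an LDIF file of the shape that ldifde command produces and checks every record for the attributes the answer calls required (objectclass and sAMAccountName) before you attempt the import. The LDIF embedded in it is constructed sample data, and the list of checks (missing required attributes, duplicate sAMAccountName values, records without a givenName, and any password attribute present, since LDIFDE does not export passwords) is my own assumption about what is worth verifying; it is not a Microsoft tool.

```python
"""Validate an LDIFDE user export before importing it into a rebuilt domain.

Added example, not code from the thread or from Microsoft. Assumes the file
was produced by an ldifde export: records are blocks of "attr: value" lines
separated by a blank line, folded lines start with a space, and "attr:: v"
carries a base64-encoded value. The sample below is constructed for this example.
"""
import base64
import sys
from collections import Counter

# Attributes the answer above names as required for the import to work.
REQUIRED = {"objectclass", "samaccountname"}
# Attributes that should never appear: ldifde does not export passwords.
PASSWORD_ATTRS = {"unicodepwd", "userpassword"}

SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=Export,DC=com
changetype: add
objectClass: user
cn: Alice Example
givenName: Alice
sAMAccountName: alice

dn: CN=Bob Example,CN=Users,DC=Export,DC=com
changetype: add
objectClass: user
cn: Bob Example
givenName: Bob

dn: CN=Administrator,CN=Users,DC=Export,DC=com
changetype: add
objectClass: user
cn: Administrator
sAMAccountName: Administrator
"""


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of records; each is {lowercased attribute: [values]}."""
    records, current = [], {}
    for line in unfold(text):
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        if not line.strip():  # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        records.append(current)
    return records


def check_records(records):
    """Return [(dn, [problem, ...])] for records that would not import cleanly."""
    sam_counts = Counter(v.lower() for r in records for v in r.get("samaccountname", []))
    report = []
    for rec in records:
        dn = rec.get("dn", ["<no dn>"])[0]
        problems = [f"missing required attribute {a}" for a in sorted(REQUIRED - set(rec))]
        for sam in rec.get("samaccountname", []):
            if sam_counts[sam.lower()] > 1:
                problems.append(f"duplicate sAMAccountName {sam}")
        if "givenname" not in rec:
            problems.append("no givenName (built-in account? the filter in the answer skips these)")
        if PASSWORD_ATTRS & set(rec):
            problems.append("password attribute present; ldifde does not export passwords, check the source file")
        if problems:
            report.append((dn, problems))
    return report


def importable_accounts(records):
    """sAMAccountNames of records that passed every check, sorted."""
    bad = {dn for dn, _ in check_records(records)}
    return sorted(r["samaccountname"][0] for r in records
                  if r.get("dn", [""])[0] not in bad)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    recs = parse_ldif(text)
    for dn, probs in check_records(recs):
        print(dn)
        for p in probs:
            print("   -", p)
    print(f"{len(importable_accounts(recs))} of {len(recs)} records look importable")
```

Run it as `python check_export.py Exportuser.ldf` against a real export, or with no argument to see the constructed sample flagged. Accounts that pass will still arrive without passwords, so each one needs a password set after the import before the user can log on.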
kelo501 Commented:
Check out csvde.exe. If you do not have email settings to migrate and are only looking to automate user export and import, it is simple and fast. LDIFDE has a lot of advantages over csvde.exe, but it does not sound like you need them.

Read this and see if it helps...

http://support.microsoft.com/default.aspx?scid=kb;en-us;327620
ralonso Commented:
When you export users, you won't be exporting two important things:
- Passwords
- SIDs

There's a tool called "active directory migration tool" admt.exe
http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp

That tool can keep the old SID for user and group accounts. That way, the old security applied to resources can still be used.

The common problem when migrating accounts is that you have to redefine permissions for all files (users' home directories, profiles, etc.).

To use this tool, both domains will need to have different names.

If you have a relatively large number of users (say above 50), it can be a pain in the back going for a migration. Therefore I'd try to delete all traces of the Exchange server in AD.
(see: http://www.brienposey.com/kb/removing_exchange_2000_from_ad.asp)

If you have less... I'd wipe the machines clean (not only AD) and reinstall from scratch. If you just uninstall AD, a lot of things will remain there (dns files for the zones, etc.). Deleting all those files and troubleshooting things that don't work 100% (group policies not replicating, ...) will take you much longer.

cheers
ruben
neomage23 (Author) Commented:
Hey everyone! Thanks to all of you for responding and posting answers.

I ended up talking about this with someone from Microsoft and he suggested I try to de-evolve the network back to just the single GC by demoting the 2003 DC (using DCPROMO /FORCEREMOVAL) if necessary.

Then he referred me to: http://support.microsoft.com/?id=216498 to remove stubborn AD objects.

Between that and the Exchange removal article mentioned by "ruben", I think that I'll just try to wipe Exchange and the 2003 DC from AD and start fresh with a new installation of the 2003 DC with Exchange 2003.

Thanks again!