
AD Migration

Hello All,
We are going to be breaking off a complete OU to a new domain, including all the sub-OUs, users and groups.  I have done some research and LDIF seems to be the way to go.  Will need to change the domain from abc.com to xyz.com.  ADMT is not an option.

The question I have is what attributes need to be exported and then changed in the ldif file before I import into the new domain.
0
92corrado
Asked:
1 Solution
 
Neil Russell, Technical Development Lead, Commented:
Can I ask WHY you can not use ADMT?
0
 
Neil Russell, Technical Development Lead, Commented:
Also can I politely ask WHY a new Domain? Is this a new domain in the same forest or a new child domain or.....?
0
 
92corrado (Author) Commented:
Can't use ADMT, period.  Why doesn't really matter.

This is a completely new domain.  We are branching off from the parent company.  But need to move the OUs, users, groups, group memberships.

Essentially it is starting new and fresh, except we need to move over one OU and all its users, groups, sub-OUs etc.
0
 
jwilleke Commented:
No reason why LDIF will not work.

There are some limitations: (AFAIK)
  • You will not be able to get passwords
  • ACLs assigned to any of the entries
  • Access to any File Systems will not transfer


I would recommend you obtain Apache Studio or LDAP Administrator and do a few tests to make sure you get what you want.

Exporting all "User" Attributes (not operational) should work for what it appears you want.

You will, of course, need to have the "new" AD instance installed and running before you can do this.

Good Luck and let us know how it goes.
-jim
0
 
92corrado (Author) Commented:
The new AD instance is built and ready to go.  I have an LDAP Admin to do the export/import.  I also already know about the password issue and File System issue.  But you also mention the ACLs.  Does this mean the ACLs (Permissions) will not transfer?

From what you are saying I can import ALL the user attributes after changing/updating the domain in the ldif file?
0
 
jwilleke Commented:
You should be able to.

You will need to check the exported LDIF and do a search and replace for any "non-conforming" data.

Like for Groups, you will see something like:
CN=MediaAdmins,CN=Users,DC=mad,DC=willeke,DC=com

If your new tree and OU is different, you will need to replace the "CN=Users,DC=mad,DC=willeke,DC=com" with something like "OU=NewPlace,DC=mad,DC=willeke,DC=com"

Be prepared to import ONE "test" user a couple of times until you get it right.

When I look at my AD, (which is pretty simple):
Looks like you may need to pull a couple of attributes.
You would not want to bring in these:
uSNChanged: 434239
uSNCreated: 20752
whenChanged: 20110219205054.0Z
whenCreated: 20090111114242.0Z
objectGUID:: NBsCZBfLX0Orm/JCsaqgnQ==
objectSid:: AQUAAAAAAAUVAAAAJY7P3hHw1rfWR5hfVQQAAA==
distinguishedName: CN=jim,CN=Users,DC=mad,DC=willeke,DC=com


You may not want these:
accountExpires: 0
adminCount: 1
badPasswordTime: 129161469496434072
badPwdCount: 0
lastLogoff: 0
lastLogon: 129170286789973419
lastLogonTimestamp: 129426222542305700
logonCount: 2

-jim
0
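The search-and-replace and attribute pruning described in the answer above, as an added Python example that is not part of the original thread. The function name `rewrite_ldif`, the `OU=Staff` container and the sample entry are constructed for illustration; the suffixes come from the question's abc.com and xyz.com.

```python
import base64
import re

# Attributes the answer lists under "You would not want to bring in these"
DROP_ALWAYS = {"usnchanged", "usncreated", "whenchanged", "whencreated",
               "objectguid", "objectsid", "distinguishedname"}
# Attributes the answer lists under "You may not want these"
DROP_STATE = {"accountexpires", "admincount", "badpasswordtime", "badpwdcount",
              "lastlogoff", "lastlogon", "lastlogontimestamp", "logoncount"}

def rewrite_ldif(text, old_suffix, new_suffix, drop_state=True):
    """Drop the listed attributes and re-home DN values under new_suffix."""
    drop = DROP_ALWAYS | (DROP_STATE if drop_state else set())
    tail = re.compile(re.escape(old_suffix) + r"$", re.IGNORECASE)
    out = []
    # Exporters fold long lines; a continuation line starts with one space.
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        m = re.match(r"([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if not m:                       # blank entry separators and comments
            out.append(line)
            continue
        attr, sep, value = m.groups()
        if attr.lower() in drop:
            continue
        if sep == "::":                 # base64: may hide a non-ASCII DN
            try:
                plain = base64.b64decode(value).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                plain = ""              # binary value, leave untouched
            if tail.search(plain):
                plain = tail.sub(lambda _: new_suffix, plain)
                value = base64.b64encode(plain.encode("utf-8")).decode("ascii")
        else:
            value = tail.sub(lambda _: new_suffix, value)
        out.append(f"{attr}{sep} {value}")
    return "\n".join(out) + "\n"

# Constructed sample export (not real data); the second member DN is base64.
B64_DN = base64.b64encode("CN=Jos\u00e9,OU=Staff,DC=abc,DC=com".encode()).decode()
SAMPLE = f"""dn: CN=MediaAdmins,OU=Staff,DC=abc,DC=com
objectClass: group
member: CN=jim,OU=Staff,DC=a
 bc,DC=com
member:: {B64_DN}
uSNChanged: 434239
objectGUID:: NBsCZBfLX0Orm/JCsaqgnQ==
lastLogon: 129170286789973419
"""
if __name__ == "__main__":
    print(rewrite_ldif(SAMPLE, "DC=abc,DC=com", "DC=xyz,DC=com"), end="")
```

Only values that end in the old DN suffix are rewritten, so DNS-form values such as a user principal name still need their own replacement pass.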
