Philip, below is a doc I wrote to set up or refresh our lab (using the LDIFDE method), with the names changed to protect the guilty. A couple of batch scripts are included that you can modify. Hope it helps.

*******************

1. Ldifde is loaded by default on servers but not workstations. If running this command on a workstation, you must first copy the ldifde.exe file from the WINNT\System32 folder on a server to a location on your system.
2. Since the command with all of the required attributes is quite long, batch files have been created. The contents of these files are listed in the appendix.
3. The batch files specifically reference the my.domain.com domain, export server SERVER1 (production) and import server SERVER99 (lab). If any of these components change, or if the goal is to export/import a different domain, the appropriate changes will have to be made to the batch files.
4. Including many attributes creates a very large export file. Verify that enough disk space is available before beginning (about 70 MB currently).
5. Other command options are available; see KB237677 at this link: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q237/6/77.ASP&NoWebContent=1
6. Passwords are not included in the export. Therefore, when the import is performed, passwords for each user are blank.
7. Administrator is not included in the export, to avoid overwriting the existing Administrator.


Section 1: Export OUs and Users from the Production Directory
1. Log on to the exporting domain as an administrator.
2. Batch files are located on \\SERVER1\C$\SCRIPTS.
3. Run the batch file export_OUs.bat (see appendix for command). Note: folder c:\temp must already exist. File created will be exportou.ldf.
4. Run the batch file export_users.bat (see appendix for command). Note: File created will be exportusers.ldf.
5. Save the two ldf files to a CD, since the production and test environments are not networked together.
6. Also copy the following scripts from server \\SERVER1\C$\SCRIPTS to the same CD:
   a. Import_ous.bat
   b. Import_users.bat

Section 2: Import OUs and Users into the Test Lab Active Directory
1. Copy the files from the CD to C:\Temp on the import domain controller SERVER99.
2. Remove the read-only attribute from the files.
3. Open a command prompt and launch c:\temp\import_ous.bat. If any OUs are missing in the test lab that are present in the production environment, they will be created. Others are ignored.
4. From the command prompt, launch c:\temp\import_users.bat. If any users are missing in the test lab that are present in the production environment, they will be created with their associated attributes. Accounts are created disabled, and the password set to null. This is because LDIFDE does not support exporting/importing passwords.
5. When the batch files have completed, verify that no errors were reported, and check for the existence of the new users in ADUC.
6. Close the command prompt window and delete the contents of c:\temp.


Appendix

Script Contents

Export_OUs.bat
REM Export every OU below the domain root (subtree search) with just the attributes needed to recreate it
ldifde -f c:\temp\exportou.ldf -s server1 -d "dc=my,dc=domain,dc=com" -p subtree -r "(objectClass=organizationalUnit)" -l "cn,objectclass,ou"

Export_Users.bat
REM Export user objects that have a givenName. unicodePwd is in the list but is never returned by a search, so passwords stay out of the file
ldifde -f c:\temp\exportusers.ldf -s server1 -d "dc=my,dc=domain,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=user)(givenname=*))" -l "cn,givenName,objectClass,sAMAccountName,sn,employeeType,title,employeeID,middleName,company,physicalDeliveryOfficeName,scriptPath,userAccountControl,unicodePwd,pwdLastSet,displayName,distinguishedName"

Import_OUs.bat
REM -i = import mode; -k = keep going past "Constraint Violation" and "Object Already Exists" errors, so objects that already exist in the lab are skipped
ldifde -i -k -f c:\temp\exportou.ldf -s server99

Import_Users.bat
ldifde -i -k -f c:\temp\exportusers.ldf -s server99


*********************************

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
McDougal, Philip H
Sent: Wednesday, April 27, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Importing AD into a test lab ... 

Hello,

I have a question concerning getting my existing AD into a test lab. I saw some help in the archives but I'd like a fresh look on the topic. I am considering two options that I know of:

1. Use LDIFDE to export and import the Schema, OUs, Users and GPs into the test lab. I built a box with W2003 Standard and DCPROMO'd it up with a different machine name but the same Domain name. This avenue sounded pretty good but I keep getting failure errors when I try to import the ldf files saying that "An attempt was made to add an object to the directory with a name that is already in use" or "Directory Object not found".

My other choice was

2. http://support.microsoft.com/default.aspx?scid=kb;en-us;263532 But since this is a test lab, my library is not available and neither is my backup server. Plus, it's a DC and I don't want to introduce it to my existing domain. I guess I could DCPROMO it back out and then bring it into the existing domain as a standalone and then do a directed recover to it, but this seems like a huge amount of time and effort for something that should be pretty easy. Especially for DR purposes. How many of us will recover AD to a system that has identical hardware? But I digress ;-)

Any advice or ideas would be greatly appreciated.

Thanks in advance.
Phil.



--------------------------------------------------------

 


Philip H. McDougal
Application Support Engineer
Jenner & Block LLP
One IBM Plaza
Chicago, IL 60611-7603
Tel (312) 222-9350
Fax (312) 840-8879
[EMAIL PROTECTED]
www.jenner.com

 

CONFIDENTIALITY WARNING: This email may contain privileged or confidential information and is for the sole use of the intended recipient(s). Any unauthorized use or disclosure of this communication is prohibited. If you believe that you have received this email in error, please notify the sender immediately and delete it from your system.
--------------------------------------------------------
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


This e-mail transmission contains information that is intended to be 
confidential and privileged.  If you receive this e-mail and you are not a 
named addressee you are hereby notified that you are not authorized to read, 
print, retain, copy or disseminate this communication without the consent of 
the sender and that doing so is prohibited and may be unlawful.  Please reply 
to the message immediately by informing the sender that the message was 
misdirected.  After replying, please delete and otherwise erase it and any 
attachments from your computer system.  Your assistance in correcting this 
error is appreciated.
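The procedure above depends on three things the batch files cannot enforce by themselves: no account arrives in the lab enabled, Administrator stays out, and every container is created before the objects inside it (the "Directory Object not found" import error in Philip's message is what an add returns when its parent container does not exist yet; "a name that is already in use" is the error that -k skips). The script below is an added example, not code from either message, that cleans an LDIFDE export before import_ous.bat / import_users.bat run it: it parses the LDIF the export batch files produce (folded continuation lines, "::" base64 values), drops the built-in accounts, strips the attributes the import cannot set, forces the disabled bit on every user object whatever production had, optionally moves the DNs under a different lab domain suffix, and orders records parent-first. The embedded sample export is constructed, and the PROTECTED_ACCOUNTS list, the DROP_ATTRIBUTES list and the function names are this example's own assumptions.

```python
"""Sanitise an LDIFDE export before importing it into a lab domain (added example).
Assumes: input in the format of the export batch files above (one "dn:" record per
object, "changetype: add", folded lines, "::" base64); the lab must never receive an
enabled account; built-ins are recognised by sAMAccountName; lab DN suffix may differ."""
import base64
import re

ACCOUNTDISABLE, NORMAL_ACCOUNT = 0x0002, 0x0200   # userAccountControl bits (AD schema)
# Unimportable: the DN comes from "dn:", pwdLastSet is system-maintained, unicodePwd is
# never returned by a search.  Built-ins already exist in the lab (assumed list; the doc
# itself only leaves out Administrator).
DROP_ATTRIBUTES = {"distinguishedname", "pwdlastset", "unicodepwd"}
PROTECTED_ACCOUNTS = {"administrator", "guest", "krbtgt"}

# Constructed sample (not real data): child OU before its parent, Administrator present,
# a user arriving enabled (512) with unimportable attributes, one folded base64 value.
SAMPLE_EXPORT = """\
dn: OU=Litigation,OU=Staff,DC=my,DC=domain,DC=com
changetype: add
objectClass: organizationalUnit
ou: Litigation

dn: OU=Staff,DC=my,DC=domain,DC=com
changetype: add
objectClass: organizationalUnit
ou: Staff

dn: CN=Administrator,CN=Users,DC=my,DC=domain,DC=com
sAMAccountName: Administrator

dn: CN=Smith\\, Jane,OU=Litigation,OU=Staff,DC=my,DC=domain,DC=com
changetype: add
objectClass: user
sAMAccountName: jsmith
physicalDeliveryOfficeName:: TcO8bm
 NoZW4=
distinguishedName: CN=Smith\\, Jane,OU=Litigation,OU=Staff,DC=my,DC=domain,DC=com
userAccountControl: 512
pwdLastSet: 127583232000000000
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds lines and decodes base64 values."""
    records, current = [], None
    text = re.sub(r"\r?\n ", "", text)            # join folded continuation lines
    for line in text.splitlines() + [""]:         # trailing "" flushes the last record
        if not line.strip():
            if current is not None:
                records.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = (value, {})
        elif current is not None and name.lower() != "changetype":
            current[1].setdefault(name, []).append(value)
    return records

def _key(attrs, name):   # case-insensitive lookup; returns the key as exported, or None
    return next((k for k in attrs if k.lower() == name.lower()), None)

def _depth(dn):   # RDN count; split on unescaped commas only ("CN=Smith\, Jane" is one RDN)
    return len(re.split(r"(?<!\\),", dn))

def prepare_for_lab(records, prod_suffix=None, lab_suffix=None):
    """Drop built-ins, strip unimportable attributes, force every user to disabled,
    optionally re-home DNs under the lab suffix, and order parents before children."""
    out = []
    for dn, attrs in records:
        sam = _key(attrs, "sAMAccountName")
        if sam and attrs[sam][0].lower() in PROTECTED_ACCOUNTS:
            continue
        attrs = {k: v for k, v in attrs.items() if k.lower() not in DROP_ATTRIBUTES}
        oc = _key(attrs, "objectClass")
        if oc and any(v.lower() == "user" for v in attrs[oc]):
            uac = _key(attrs, "userAccountControl") or "userAccountControl"
            flags = int(attrs.get(uac, [NORMAL_ACCOUNT])[0])
            attrs[uac] = [str(flags | ACCOUNTDISABLE)]   # disabled, whatever production said
        if prod_suffix and lab_suffix and dn.lower().endswith(prod_suffix.lower()):
            dn = dn[: len(dn) - len(prod_suffix)] + lab_suffix
        out.append((dn, attrs))
    # Parents have fewer RDNs; depth order means no child is added before its container.
    return sorted(out, key=lambda rec: _depth(rec[0]))   # stable: siblings keep order

def _ldif_line(name, value):
    # Plain form only for ASCII values with no leading ':'/'<' and no surrounding space.
    if value.isascii() and value == value.strip() and not value.startswith((":", "<")):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def to_ldif(records):
    """Serialise records as 'changetype: add' entries that ldifde -i accepts."""
    return "\n\n".join(
        "\n".join([_ldif_line("dn", dn), "changetype: add"]
                  + [_ldif_line(n, v) for n, vals in attrs.items() for v in vals])
        for dn, attrs in records) + "\n"
```

Run it as to_ldif(prepare_for_lab(parse_ldif(text))) over the contents of exportusers.ldf (and exportou.ldf) and hand the result to the same ldifde -i -k commands; ldifde writes the export in ANSI unless -u is given, so open the file with the matching codec before parsing. Forcing the disabled bit is the important part for a lab: the export carries production's userAccountControl, so without it a user could come in with whatever enabled state production had and a blank password.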
