RE: [ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread Al Mulnick
Should it be easy?  

Option 3: Create a Virtual environment (VMware or VirtualServer would
work) and introduce a DC into your environment that's only a VM and not
used by clients (sites?)

What you can do then is shut down the VM in the prod environment, copy
the file to the lab virtual server (could be same server with a separate
segment into lab environment depending on how you decide to do this and
what you have to work with).  Restart the original on the production and
restart the lab on the isolated lab segment. 

Variation: You could just restore the production to a Virtual machine
and copy it into the lab (don't restart after restoration).  

Using LDIFDE has not been my favorite method in the past.
Al
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McDougal,
Philip H
Sent: Wednesday, April 27, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Importing AD into a test lab ... 

Hello,
 
I have a question concerning getting my existing AD into a test lab.  I
saw some help in the archives but I'd like a fresh look on the topic.  I
am considering 2 options, that I know of:
 
1.  Use LDIFDE to export and import the Schema, OUs, Users and GPs into
the test lab.  I built a box with W2003 Standard and DCPROMO'd it up
with different machine name but same Domain name.  This avenue sounded
pretty good but I keep getting failure errors when I try to import the
ldf files saying that "An attempt was made to add an object to the
directory with a name that is already in use" or "Directory Object not
found".

My other choice was

2.  http://support.microsoft.com/default.aspx?scid=kb;en-us;263532  But
since this is a test lab, my library is not available and neither is my
backup server.  Plus, it's a DC and I don't want to introduce it to my
existing domain.  I guess I could DCPROMO it back out and then bring it
into the existing domain as a standalone and then do a directed recover
to it, but this seems like a huge amount of time and effort for
something that should be pretty easy.  Especially for DR purposes.  How
many of us will recover AD to a system that has identical hardware?  But
I digress ;-)

Any advice or ideas would be greatly appreciated.

Thanks in advance.
Phil. 





 


Philip H. McDougal
Application Support Engineer
Jenner & Block LLP
One IBM Plaza
Chicago, IL 60611-7603
Tel (312) 222-9350
Fax (312) 840-8879
[EMAIL PROTECTED]
www.jenner.com

 

CONFIDENTIALITY WARNING: This email may contain privileged or
confidential information and is for the sole use of the intended
recipient(s). Any unauthorized use or disclosure of this communication
is prohibited. If you believe that you have received this email in
error, please notify the sender immediately and delete it from your
system.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread Creamer, Mark
Philip, below is a doc I wrote to set up or refresh our lab (using the LDIFDE
method), with the names changed to protect the guilty. A couple of batch
scripts are included that you can modify. Hope it helps.

***

1. Ldifde is loaded by default on servers but not workstations. If running this
command on a workstation, you must first copy the ldifde.exe file from the
WINNT\System32 folder on a server to a location on your system.
2. Since the command with all of the required attributes is quite long, batch
files have been created. The contents of these files are listed in the appendix.
3. The batch files reference specifically the my.domain.com domain, export
server SERVER1 (production) and import server SERVER99 (lab). If any of these
components change or if the goal is to export/import a different domain, the
appropriate changes will have to be made to the batch files.
4. Including many attributes creates a very large export file. Verify that
enough disk space is available before beginning (about 70 MB currently).
5. Other command options are available, see KB237677 at this link:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q237/6/77.ASPNoWebContent=1
6. Passwords are not included in the export. Therefore, when the import is
performed, passwords for each user are blank.
7. Administrator is not included in the export, to avoid overwriting the
existing Administrator.


Section 1: Export OUs and Users from the Production Directory
1. Log on to the exporting domain as an administrator
2. Batch files are located on \\SERVER1\C$\SCRIPTS
3. Run the batch file export_OUs.bat (see appendix for command). Note: folder
c:\temp must already exist. File created will be exportOU.ldf
4. Run the batch file export_users.bat (see appendix for command). Note: File
created will be exportUser.ldf
5. Save the two ldf files to a CD since the production and test environments
are not networked together
6. Also copy the following scripts from server \\SERVER1\C$\SCRIPTS to the
same CD:
   a. Import_ous.bat
   b. Import_users.bat

Section 2: Import OUs and Users into the Test Lab Active Directory
1. Copy the files from the CD to C:\Temp on the import domain controller
SERVER99
2. Remove the read-only attribute from the files
3. Open a command prompt and launch c:\temp\import_ous.bat. If any OUs are
missing in the test lab that are present in the production environment, they
will be created. Others are ignored
4. From the command prompt, launch c:\temp\import_users.bat. If any users are
missing in the test lab that are present in the production environment, they
will be created with their associated attributes. Accounts are created
disabled, and the password set to null. This is because LDIFDE does not
support exporting/importing passwords
5. When the batch files have completed, verify that no errors were reported, and
check for the existence of the new users in ADUC.
6. Close the command prompt window and delete the contents of c:\temp


Appendix

Script Contents

Export_OUs.bat
ldifde -f c:\temp\exportOu.ldf -s server1 -d dc=my,dc=domain,dc=com -p subtree -r "(objectClass=organizationalUnit)" -l cn,objectclass,ou

Export_Users.bat
ldifde -f c:\temp\exportusers.ldf -s server1 -d dc=my,dc=domain,dc=com -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l cn,givenName,objectClass,sAMAccountName,sn,employeeType,title,employeeID,middleName,company,physicalDeliveryOfficeName,scriptPath,userAccountControl,unicodePWD,pwdLastSet,displayName,distinguishedName

Import_OUs.bat
ldifde -i -k -f c:\temp\exportou.ldf -s server99

Import_Users.bat
ldifde -i -k -f c:\temp\exportusers.ldf -s server99


*


RE: [ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread McDougal, Philip H
Thanks for the reply Al.
 
I was also thinking of checking VMware to do this but, of course, my
resources are very limited at the moment.

I know what you mean about the LDIFDE option.  But of course, right after I
sent out my email, I had an epiphany about those errors I was getting.  I had
noticed that when it exported the AD data, it didn't export it logically, so
the problem I was having was trying to import a child OU to an OU that
doesn't exist yet.  So I got my OUs and then Users back, but I'm still having
Schema issues.

Doing the restore to another system can be done as I've done it a long time
ago.  It just takes too much time if you're under the gun.  A simple
Export/Import of your AD or certain aspects of your AD would be a nice option
to get running smoothly.  Hopefully, I can get my schema back and running
before the developers get too worked up ;-)
 
Thanks for the insight, I appreciate it.
 
Phil.
 





RE: [ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread Lou Vega
One way I had done it in the past was using the LDIFDE to export users,
ou's, etc. and then editing the output files to work with the new domain,
(i.e., replace domain1 with domain2) and also manually removing default
entries (such as Administrator accounts, etc.)

Also - take care when exporting in the first place...not all fields are
going to import nicely. For my purposes I just needed essentially a
boatload of users migrated to the test domain and all groups, and OU's. So
I only exported the following attributes on users:
(Command used =
ldifde -f exportUsers.ldf -d dc=MyDomain,dc=COM -r (objectClass=user) -l cn,objectclass,ou,samAccountName )


Groups and OU's had similar limitations. If I can dig up the original BAT
files I used to create those LDIFDE dumps, I'll send them to you if you're
interested.

Hope that helps!

Lou
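
Added example (not part of any post in this thread): a Python version of the clean-up Phil and Lou describe doing by hand on an LDIFDE export before import, ordering entries so a parent OU precedes its children, swapping the domain suffix, and dropping built-in accounts. The lab base DN, the SKIP_ACCOUNTS list, the function names and the sample LDIF are assumptions constructed for illustration.

```python
import base64
import re

SKIP_ACCOUNTS = {"administrator", "guest", "krbtgt"}  # assumed built-in names

# Constructed sample (not real data): children appear before the parent OU.
SAMPLE_LDIF = """\
dn: OU=Sales,OU=Chicago,DC=my,DC=domain,DC=com
changetype: add
objectClass: organizationalUnit

dn: CN=Jane Doe,OU=Sales,OU=Chicago,DC=my,DC=domain,DC=com
changetype: add
objectClass: user
sAMAccountName: jdoe
distinguishedName: CN=Jane Doe,OU=Sales,OU=Chicago,DC=my,DC=domain,DC=com

dn: OU=Chicago,DC=my,DC=domain,DC=com
changetype: add
objectClass: organizationalUnit

dn: CN=Administrator,CN=Users,DC=my,DC=domain,DC=com
changetype: add
sAMAccountName: Administrator
"""

def parse_entries(text):
    """Return [(dn, [attribute lines])]; unfolds lines and decodes 'dn::'."""
    text = re.sub(r"\r?\n ", "", text)  # RFC 2849 continuation lines
    entries = []
    for block in re.split(r"(?:\r?\n){2,}", text.strip()):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        if not lines or not lines[0].lower().startswith("dn:"):
            continue  # skip headers such as "version: 1"
        raw = lines[0][3:]
        dn = (base64.b64decode(raw[1:].strip()).decode("utf-8")
              if raw.startswith(":") else raw.strip())
        entries.append((dn, lines[1:]))
    return entries

def rdn_count(dn):
    """Depth of a DN, splitting only on commas that are not escaped."""
    return len(re.split(r"(?<!\\),", dn))

def swap_suffix(value, old_base, new_base):
    """Replace a trailing old_base (case-insensitive) with new_base."""
    if ("," + value).lower().endswith("," + old_base.lower()):
        return value[:len(value) - len(old_base)] + new_base
    return value

def prepare_for_lab(text, old_base, new_base):
    """Drop built-ins, retarget DNs, and order parents before children."""
    kept = []
    for dn, lines in parse_entries(text):
        sam = next((l.split(":", 1)[1].strip().lower() for l in lines
                    if l.lower().startswith("samaccountname:")), "")
        if sam in SKIP_ACCOUNTS:
            continue
        out = []
        for line in lines:
            attr, _, val = line.partition(":")
            if val[:1] in (":", "<"):  # base64 or URL value: left unchanged
                out.append(line)
            else:
                out.append(f"{attr}: {swap_suffix(val.strip(), old_base, new_base)}")
        kept.append((swap_suffix(dn, old_base, new_base), out))
    return sorted(kept, key=lambda e: rdn_count(e[0]))  # stable sort

def to_ldif(entries):
    """Serialise entries; a non-ASCII DN goes back out as base64 'dn::'."""
    def head(dn):
        b64 = base64.b64encode(dn.encode("utf-8")).decode("ascii")
        return "dn: " + dn if dn.isascii() else "dn:: " + b64
    return "\n\n".join("\n".join([head(dn)] + ls) for dn, ls in entries) + "\n"
```

Write the string returned by to_ldif() to a new .ldf file and import that file rather than the raw export.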



RE: [ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread McDougal, Philip H
Thanks Mark! 
 
This looks great.  I will start playing with this immediately.
 
Thank you for the script and doc, very much appreciated!!!
 
Phil.
 




RE: [ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread McDougal, Philip H
Thank you Lou!

Sounds like I'm on the right track as I've tried to do what you're
explaining here.  The only part I didn't realize was the chaotic order
in which the fields get exported. And I'd love to see those BAT files
if you still have them.  Any and all help is appreciated!

Thank you!!
Phil.

