importing AD objects

  • Thread starter Thread starter charlie
  • Start date Start date
C

charlie

We are having problems restoring our DC to dissimilar
hardware. I wondered if I could export/import AD
objects? I'm assuming the imported objects would have
different SID's? Could someone please confirm? Thanks,

- Charlie
 
You can't export/import objects that's correct, the objects will be created
during import and will receive a new Sid. only data in attributes will be
replaced during import.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
If there is more than 1 dc in your domain than AD will replicate all the
objects once you promote the server to a dc. If it is the only dc in your
domain then you are in for a challenge.
 
Charlie,

In addition to what Chris and Paul have stated, I might throw in my two
cents worth!

Let's look at two scenarios: one in which you can still access the 'old'
Domain Controller and one in which you can not.

Scenario 1: You could run ldifde using a bunch of the switches ( -m -r -l
et al ) to create a .ldf file that contains the user information that you
will need. You could do the same for the groups. Then, if necessary, use
the replace function in Notepad ( and it must be Notepad.... ) to change the
dc=olddomain,dc=com to dc=newdomain,dc=com as all of your user accounts will
have 'dc=olddomain,dc=com' in the .ldf file. Then, put that .ldf file on a
floppy or whatever and take it to the new DC. Simply import ( you need to
use ldifde -i -f users.ldf ) that and you have all of your user account
objects. As well as groups. I like to make them two separate .ldf files
but you can gladly make it all one file. Please look through this newsgroup
for my many posts on an example command syntax!

The SIDs would naturally be different as you are simply creating user
account objects in a new domain. Two separate things here. So, any
permissions that your users had via group membership to shared resources are
all gone in the new domain. You would have to redo this.

There is another possible solution here. Simply install the new domain.
Make sure that it has a different NetBIOS and different Domain name. Create
a trust between the two - you might want to consider using netdom for this.
Then use ADMT v2. Just make sure that the destination domain ( aka - the
new domain ) is in Native Mode.

Scenario 2: have fun!

But, what is the actual situation? Do you have a domain running now is did
the sole DC crash and burn and your backup is not working ( due to different
hardware )? If you have an additional Domain Controller ( this is why it so
often pays for itself to have a second DC for each and every domain ) then
you should be fine as that will have everything that you need ( well,
possibly minus any changed that were made directly before the crash and burn
but after the last successful AD Replication ).

HTH,

Cary


HTH,

Cary
 
Back
Top