This is something that I almost never do so I’m documenting it here to avoid future mistakes.
We are migrating between domains and while we considered ADMT, there was too much clutter and our AD structure changed. So a piece meal approach was decided on. Hint to future self, don’t do this again, use ADMT!
I’m transferring groups but this has proved problematic. Two main reasons for this, the AD structure is different and the Domain is different.
Big lesson first up is that you need to exclude many SAM entry’s using the -o modifier. My command for groups striped out everything but member. However all the member mappings changed so I excluded them as well. I ended up with:
ldifde -f exportfile.ldf -s <serverName> -d “OU=Tomcat,OU=Security Groups,OU=IBM,DC=<domain>,DC=<domain>,DC=local” -r “(objectCategory=CN=group,CN=Schema,CN=Configuration,DC=<domain>,DC=<domain>,DC=local)” -o “badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType,member”
Now to bring that over. I can convert using the -c option. In my case the OU’s lined up on the other side so the command was:
ldifde -i -f exportfile.ldf -s <serverName> -k -v -c “DC=<domain>,DC=<domain>,DC=local” “DC=<domain>,DC=<domain>,DC=org”
I have all the groups but no membership. Use ADMT next time.
Errors that you can get with any of the SAM accounts is discussed here: https://support.microsoft.com/en-us/kb/276382
Recent Comments