Using LDIFDE to Import/Export Directory Objects to the Active Directory

ID: Q237677


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server


SUMMARY

The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format that may be used for performing batch operations against directories that conform to the LDAP standards. LDIF can be used to export and import data, allowing batch operations such as add, create, and modify to be performed against the Active Directory. A utility program called LDIFDE is included in Windows 2000 to support batch operations based on the LDIF file format standard. This article is designed to help you better understand how the LDIFDE utility can be used to migrate directories.


MORE INFORMATION

Viewing LDIFDE General Parameters

  1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.


  2. At the command prompt, type ldifde ?. The built-in Help is then displayed as shown below.


General Parameters


-i              Turn on Import Mode (The default is Export)
-f filename     Input or Output filename
-s servername   The server to bind to
-c FromDN ToDN  Replace occurrences of FromDN to ToDN
-v              Turn on Verbose Mode
-j              Log File Location
-t              Port Number (default = 389)
-?              Help 

Export Specific Parameters



-d RootDN       The root of the LDAP search (Default to Naming Context)
-r Filter       LDAP search filter (Default to "(objectClass=*)")
-p SearchScope  Search Scope (Base/OneLevel/Subtree)
-l list         List of attributes (comma separated) to look for in an LDAP search.
-o list         List of attributes (comma separated) to omit from input
-g              Disable Paged Search
-m              Enable the SAM logic on export
-n              Do not export binary values 

Import Specific Parameter


-k       The import will go on ignoring 'Constraint Violation' and 'Object Already Exists' errors

Credentials Parameters


-a       Sets the command to run using the supplied user distinguished name
         and password. For example: "cn=yourname,dc=yourcompany,dc=com
         password"
-b       Sets the command to run as username domain password. The default is
         to run using the credentials of the currently logged on user.

Note: This tool is very flexible and offers a number of command-line switches and arguments. The utility is included in Windows 2000 Server, but not with Windows 2000 Professional. The LDIFDE program can be copied to a computer running Windows 2000 Professional and run remotely against the Windows 2000 Server Active Directory.

Using LDIFDE to Export and Import Directory Objects

The following is a step-by-step process to import and export Organizational Units (OUs) and user accounts from one Windows 2000 Active Directory to another. For this example, "Export" is the name of the domain from which objects are exported and "Import" is the name of the domain into which objects are imported. LDIFDE can also be used to import most third-party folders to the Active Directory.

Export the Organizational Units from the Source Domain
  1. Log on as Administrator in the Export domain. If you log on using an account that does not have administrative privileges, you may not be able to perform export and import operations against the Active Directory.


  2. Click Start, point to Programs, point to Accessories, and then click Command Prompt.


  3. At the command prompt, type the following command:

     ldifde -f ExportOU.ldf -s Server1 -d "dc=Export,dc=com" -p subtree

  4. Running this command exports all OUs except domain controllers into a file named ExportOU.ldf.


Export the User Accounts from the Source Domain
  1. At the command prompt, type the following command:

     ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"

  2. Running this command exports all users in the Export domain into a file named Exportuser.ldf. If you do not have all the required attributes, the import operation does not work. The attributes objectclass and samAccountName are required, but more can be added as needed.


NOTE: Built-in accounts, such as Administrator, do not have a given name. By default, the LDAP filter used above does not export those accounts. LDIFDE does not support exporting passwords.

Import the Organizational Units from Export to Import
  1. Log on as an Administrator in the Import domain. If you log on using an account that does not have administrative privileges, you may not be able to perform export and import operations against the Active Directory.


  2. Open the file ExportOU.ldf using Notepad.


  3. In Notepad, on the Edit menu, click Replace.


  4. In the Find what box, type Export. In the Replace with box, type Import.


  5. Click Replace All.


  6. After you verify that the domain names are replaced, save, and then close the file.


  7. At the command prompt, type the following command:

     ldifde -i -f ExportOU.ldf -s Server2

  8. You should see a message stating the number of entries that have been modified and that the command completed successfully.


NOTE: You must import the OUs (the procedure above) before importing the users (the procedure below) so that the OUs exist to contain the users.

Import the Users from Export to Import
  1. Open the file Exportuser.ldf using Notepad.


  2. In Notepad, on the Edit menu, click Replace.


  3. In the Find what box, type Export. In the Replace with box, type Import.


  4. Click Replace All.


  5. After you verify that the domain names are replaced, save, and then close the file.


  6. At the command prompt, type the following command:

     ldifde -i -f Exportuser.ldf -s Server2

  7. View the newly created user accounts using either the Active Directory Users and Computers snap-in tool or the Windows Address Book.


NOTE: Because LDIFDE does not export passwords, when the users are imported into the directory each account is disabled and its password is set to null. This is done for security reasons. Also, the account option "User must change password at next logon" is selected.
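As an added example that is not part of this article, the following Python script performs the Notepad Replace step of the OU and user import procedures the way the -c FromDN ToDN switch does, rewriting only values that end in the source domain's DN suffix rather than every occurrence of the word "Export", and then checks each user entry for the objectClass and sAMAccountName attributes the export step says the import requires. The sample LDIF, the "Export Sales" OU and the user names are constructed for illustration.

```python
import base64
import re

# Constructed sample shaped like the article's Exportuser.ldf (not real data).
SAMPLE_LDIF = """\
dn: OU=Export Sales,DC=Export,DC=com
objectClass: organizationalUnit
ou: Export Sales

dn: CN=Jane Doe,OU=Export Sales,DC=Export,DC=com
objectClass: user
cn: Jane Doe
givenName: Jane
sAMAccountName:: amRvZQ==

dn: CN=No SAM,OU=Export Sales,DC=Export,DC=com
objectClass: user
cn: No SAM
"""

def parse_ldif(text):
    # Unfold continuation lines (newline + space), split into blank-line
    # separated entries and decode '::' base64 values; LDIFDE emits all three.
    text = re.sub(r"\r?\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = []
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            if val.startswith(":"):
                val = base64.b64decode(val[1:].strip()).decode("utf-8")
            entry.append((attr, val.strip()))
        entries.append(entry)
    return entries

def rewrite_dns(entries, from_dn, to_dn):
    # Rewrite only values ending in from_dn (the -c FromDN ToDN behaviour),
    # so a name like "Export Sales" survives, unlike Notepad's Replace All.
    pat = re.compile(re.escape(from_dn) + "$", re.IGNORECASE)
    return [[(a, pat.sub(lambda m: to_dn, v)) for a, v in e] for e in entries]

def missing_required(entry):
    # The article notes a user import fails without objectClass and sAMAccountName.
    attrs = {a.lower() for a, _ in entry}
    classes = {v.lower() for a, v in entry if a.lower() == "objectclass"}
    if "user" not in classes:
        return []
    return [r for r in ("objectClass", "sAMAccountName") if r.lower() not in attrs]
```

Running missing_required over the rewritten entries before the ldifde -i step points out which user entries the import would reject, instead of discovering it from the error output.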

Exporting Objects from an Entire Forest

If you need to export OUs, users, and groups from an entire forest, you may either run the above LDIFDE export commands against each domain in the forest, or alternatively, run the query once against the global catalog (GC). To do this, ensure that the domain controller that is specified by the -s switch is a GC, and additionally, specify the GC port using the -t switch. The GC port number is 3268.

For example, to perform the export operation outlined above against a GC, the LDIFDE command would be:

     ldifde -f Exportuser.ldf -s Server1 -t 3268 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,sAMAccountName"

Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbhowto


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.