The sequence is of course to export the users and import them first. Then export the groups then import them. If you're doing a big directory, you have to watch out for adds/modifies/deletes that occur for users while you are dumping the groups. Generally not a problem if you export during a lull in AD writing, usually late at night on the weekend.
Even if the structures are not identical, as long as they are parallel (different forest/domain root, but same OU structure) then you can always use the -c switch in ldifde either at the export or import steps to rewrite the DNs. You have to be careful though since with any find-and-replace operation, you may not be doing what you think you're doing. Doing this is ok for one offs, but for on going sync, you'll of course want to use something like MIIS or LDSU (which is an HP Services product) or whatever your fave meta-directory product happens to be. Or if you'd rather, you can always custom script it. Wook -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Friday, March 24, 2006 10:17 AM To: [email protected] Subject: RE: [ActiveDir] ldifde question Cool, thanks guys. I was afraid I was going to run into issues because it's multi-valued. Seems to work fine. Thanks again <mc> -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, March 24, 2006 12:57 PM To: [email protected] Subject: RE: [ActiveDir] ldifde question Assuming that the structures are now the same, then if you modify your query as follows: -l "cn,objectclass,ou,member", you should get an output that includes the DN of the members of each group. Then you should be able to import the output into your target AD. If the structures are not the same, then the DN will bite you during import, unless you manually adjust the output file before import. Sincerely, _____ (, / | /) /) /) /---| (/_ ______ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.readymaids.com <http://www.readymaids.com> - we know IT www.akomolafe.com <http://www.akomolafe.com> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of Creamer, Mark Sent: Fri 3/24/2006 8:28 AM To: [email protected] Subject: [ActiveDir] ldifde question Hi, Using LDIFDE, I've been able to export/import users, groups and OUs from and into our test AD, but I'm trying to figure out whether with the group export, can I export their memberships as well? Is there a better way to do that? This command seems to give me the group names at least... ldifde -f c:\temp\exportOu.ldf -s myDC -d "dc=my,dc=domain,dc=com" -p subtre e -r "(&(objectCategory=group)(name=*))" -l "cn,objectclass,ou" Mark Creamer Systems Engineer Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040 Email: [EMAIL PROTECTED] | http://www.cintas.com This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
