Monday, August 30, 2010

LDIFDE - Export / Import data from Active Directory

http://support.microsoft.com/kb/555634

MORE INFORMATION

LDIFDE NOTE:

1. You can use LDIFDE to find any object: a printer, a server, a computer, a user, a person. All these objects are identified by objectClass=object_class_name (for example printer, user or organizationalUnit).

2. By default, an imported account is disabled and its password is set to NULL.

3. To modify an AD attribute you must put "-" on a line by itself, followed by a completely blank line. Please see the format below.

4. When a user is exported to an LDF file, the default changetype is add.

5. LDIFDE doesn't support changing group membership. You can use CSVDE, ADDUSERS.exe or the DS tools on Windows Server 2003 editions.

6. LDIFDE doesn't support exporting passwords.

7. By default the "User must change password at next logon" attribute is selected.

8. LDIFDE doesn't support importing plain-text passwords. To change a user's password you need to convert it from plain text to Base64; a utility can be used for that conversion.

9. If no credentials are specified, LDIFDE uses the credentials of the currently logged-on user.

10. If you do an LDIFDE or CSVDE export, many of the attributes of user and group objects are owned by the system and cannot be re-imported. Here's a trick: run the export with the -m switch. This enables SAM logic, which is another way of saying that the export skips the attributes owned by the system. This gives you a template to use when building your import files or spreadsheets.

11. You can also export all user accounts from a forest (including data from all domains). This requires that you run the LDIFDE command against a Global Catalog server, using the -t switch to specify the port number.

12. For modify operations to work, each change must end with a "-" on its own line, and a blank line must follow it before the next entry. Otherwise LDIFDE will fail.

13. The setting "userAccountControl: 66048" enables a newly created account. By default, an account is created disabled. Note that an account can't be enabled with a blank password if a complex password policy is defined on the domain, so your first step is to change the password and then enable the account.

userAccountControl: 514 disables the account.

14. There are more export-specific options than import options. While exporting user accounts, OUs or persons you can use -o together with -l, but you can't use either switch while importing a file into AD, because both switches are export-specific.

15. The default mode is export mode. You need to specify -i to turn import mode on.

16. To carry a value over to the next line, the continuation line must start with a space.

17. If you do not specify a server when you use LDIFDE to export objects that are in the domain-naming context, LDIFDE searches for a global catalog server. When LDIFDE searches for a global catalog server, it may not use the domain of the object name or the user account that you specify to determine what global catalog server to connect to. LDIFDE may connect to a global catalog server that is in the same site as the client, but that is a member of a different domain in the forest. This global catalog server may not have all the required Active Directory attributes for the objects that you want to export. To work around this issue, use the -s server_name command-line option to specify a server when you use LDIFDE.

18. LDIFDE sets the password to blank. If a complex password policy is defined in your domain, you therefore can't enable accounts while they have a blank password.

19. Note that the -o switch overrides the -l switch if you use both. Suppose you want to omit the badPwdCount attribute from an export and, in the same command, you list that attribute with -l: in that case the attribute won't be exported.

20. The contents of an object are on consecutive lines, starting with the dn property. An empty line is required before an operation on another object.

21. Each property and its value must be on a separate line, such as: givenname: dinesh. There must be a colon and a space between them.

22. The dn property and its value must be on the first line; any other property/value pair can be on any later line.

23. Multiple values of a property go on separate lines, one value per line, such as:

Otherhomephoneno: 512 513
Otherhomephoneno: 514 859

24. An empty value can be written by including only the property name followed by a colon, such as: sn:

25. A line that starts with a pound (#) sign is a comment line.

26. Base64 encoding works as follows:

a. The value to be encoded is divided into three-byte sections.
b. Each 24-bit section is divided into four 6-bit values.
c. Each 6-bit value is mapped to one of the following 64 characters: uppercase letters A through Z, lowercase letters a through z, digits 0 through 9, the plus sign (+) and the slash (/). This results in a string of letters, digits, and possibly some plus signs and slashes. If the number of bytes in the original value is not a multiple of three, the encoded value ends with one or two equals signs (=), so the number of characters is always a multiple of four.

27. LDIFDE exports only attributes that have values in AD; it doesn't export attributes without values. For example, if description is not defined for a user, the description attribute won't be exported.

28. When exporting only one user, make sure you don't have a dash (-) after the end of the file.

29. When a new user account is created, it is made a member of the Domain Users group by default.

30. LDIFDE doesn't accept blank values. Do not include blank values in LDF files, or you will see errors.

31. LDIFDE doesn't accept a space in a value while exporting. For example, if the samaccountname is Jacson Sam then you should enclose it in quotes.
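The notes above describe the file format ldifde reads; the Python below is an added example (not from the KB article, and not ldifde's own code) that writes such a file: the "-" separator and blank-line rules, line folding, base64 values produced with the note 26 algorithm, and a decoder for the userAccountControl values 514 and 66048 so that what a bulk change actually sets is visible before import. The function names, the UAC_FLAGS table (standard userAccountControl bit names) and the sample entries are constructed here.

```python
"""Write ldifde-ready LDIF from Python, following the notes above.
Added example; not from the KB article and not part of ldifde."""

B64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/")


def base64_by_hand(data: bytes) -> str:
    """Note 26 step by step: 3-byte sections -> four 6-bit values ->
    alphabet characters, with '=' padding when the last section is short."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        section = int.from_bytes(chunk.ljust(3, b"\0"), "big")  # 24 bits
        sextets = [(section >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        out.append("".join(B64_ALPHABET[s] for s in sextets[:n + 1]))
        out.append("=" * (3 - n))
    return "".join(out)


def needs_base64(value: str) -> bool:
    """LDIF (RFC 2849) safe-string rule: a value that is not printable ASCII,
    starts with space, ':' or '<', or ends with a space must be base64 encoded."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(not 32 <= ord(c) <= 126 for c in value)


def fold(line: str, width: int = 76) -> list:
    """Note 16: a long line continues on the next line, which starts
    with exactly one space."""
    if len(line) <= width:
        return [line]
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return parts


def attr_lines(name: str, value: str) -> list:
    """Note 21: 'name: value'; note 24: an empty value is written as 'name:';
    a value that is not LDIF-safe is written as 'name:: <base64>'."""
    if value == "":
        return [f"{name}:"]
    if needs_base64(value):
        return fold(f"{name}:: {base64_by_hand(value.encode('utf-8'))}")
    return fold(f"{name}: {value}")


def modify_entry(dn: str, changes: list) -> str:
    """One 'changetype: modify' entry. Each change is (op, attr, values) with
    op in replace/add/delete. Notes 3 and 12: every change block ends with
    a '-' on its own line."""
    lines = attr_lines("dn", dn) + ["changetype: modify"]
    for op, attr, values in changes:
        lines.append(f"{op}: {attr}")
        for value in values:            # note 23: one line per value
            lines.extend(attr_lines(attr, value))
        lines.append("-")
    return "\n".join(lines) + "\n"


def ldif_file(entries: list) -> str:
    """Note 20: operations on different objects are separated by a blank line."""
    return "\n".join(entries)


# userAccountControl bits relevant to the values quoted in note 13
# (standard bit names; table constructed for this example).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
}


def decode_uac(value: int) -> list:
    """Name the bits set in a userAccountControl value. 514 is a disabled
    normal account; 66048 clears the disable bit but also sets
    DONT_EXPIRE_PASSWD, which is worth knowing before using it in bulk."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


if __name__ == "__main__":
    # Constructed sample: the Marketing office move from the TechNet guide below.
    move = [("replace", "st", ["New York"]),
            ("replace", "streetAddress", ["825 Eighth Avenue"]),
            ("replace", "postalCode", ["10019"]),
            ("replace", "l", ["New York"])]
    print(ldif_file([
        modify_entry("CN=Jo Brown,OU=Marketing,DC=reskit,DC=com", move),
        modify_entry("CN=James Smith,OU=Marketing,DC=reskit,DC=com",
                     [("replace", "userAccountControl", ["512"])]),
    ]))
    print(decode_uac(514), decode_uac(66048))
```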


APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows 2000 Service Pack 1
  • Microsoft Windows 2000 Service Pack 2
  • Microsoft Windows 2000 Service Pack 3
  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows 2000 Standard Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

Step-by-Step Guide to Bulk Import and Export to Active Directory

http://technet.microsoft.com/en-us/library/bb727091%28printer%29.aspx

This guide introduces batch administration of the Active Directory service, using both the LDAP Data Interchange Format (LDIF) utility and a simple program you can write using the Visual Basic® Scripting Edition (VBScript) development system. Using these tools, you can export, import, and modify objects such as users, contacts, groups, servers, printers, and shared folders.

Introduction

In this guide, you will perform the following tasks:

  • Perform batch operations using the LDIFDE utility. Export users from the Marketing organizational unit (OU) in the Reskit domain into a file format compatible with the LDIF standard format. Perform a batch modification of all the users in the Marketing OU. Use LDIF to create a new user and delete a user.

  • Perform batch operations using ADSI and VBScript. Export users from the Marketing OU in the Reskit domain into a text file, using a script written with ADSI and VBScript. Use VBScript to perform a batch modification of all the users in the Marketing OU. Use VBScript to create a new user and delete a user.

Requirements and Prerequisites

You must install the Windows 2000 Server operating system, including Active Directory, on a server in your network. You can then run the Administration Tools from the server or from a workstation running the Windows 2000 Professional operating system.

This step-by-step guide assumes that you have run the procedures in A Common Infrastructure for Windows 2000 Server Deployment Step-by-Step Part 1 [ http://www.microsoft.com/windows2000/techinfo/planning/server/serversteps.asp ] .

The common infrastructure documents specify a particular hardware and software configuration. If you are not using the common infrastructure, you need to make the appropriate changes to this document. For the latest information about hardware requirements and compatibility for servers, clients, and peripherals, see the Windows 2000 Product Compatibility search page (http://www.microsoft.com/windows2000/server/howtobuy/upgrading/compat/default.asp [ http://www.microsoft.com/windows2000/server/howtobuy/upgrading/compat/default.asp ] ).

The Administration Tools are installed by default on all Windows 2000-based domain controllers. The LDIFDE utility described in this guide is installed by default on servers, and can be copied to any Windows 2000-based workstation. The VBScript programs that you create can be run from either servers or workstations.

For all procedures in this guide, you must be logged on as an administrator. If you log on using an account that does not have administrative privileges, you may not be able to perform export and import operations in Active Directory.

Using the LDIFDE Utility

The LDAP Data Interchange Format (LDIF) is an Internet draft standard for a file format that can be used for performing batch operations on directories that conform to the LDAP standards. LDIF can be used to export and import data, allowing batch operations such as Add, Modify, and Delete to be performed in Active Directory. A utility called LDIFDE is included in the Windows 2000 operating system to support batch operations based on the LDIF standard.

Using LDIF to Export All Objects in the Marketing OU

You can use LDIFDE to export all objects in the Marketing organizational unit (OU), created in " Step-by-Step Guide to Common Infrastructure Part 1 [ http://www.microsoft.com/windows2000/techinfo/planning/server/serversteps.asp ] ". This example searches the organizational unit for certain objects and creates a file containing the names of those objects.

To export all objects in the Marketing OU

  1. Click Start, point to Programs, then point to Accessories, and click Command Prompt.

  2. At the command prompt, type:

    ldifde -f marketing.ldf -s hq-res-dc-01 -d "ou=Marketing,dc=reskit,dc=com" -p subtree -r "(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=reskit,DC=com)"

This creates an LDIF file named Marketing.ldf by connecting to the server named HQ-RES-DC-01 and executing a subtree search of the Marketing OU for all objects of the category Person. (See Figure 1 below.)

Note that objectCategory is an indexed attribute designed to enhance search performance.

Figure 1: Creating an LDF file

You can use this LDIF file to perform a batch import of all the objects from the Marketing OU into any other LDAP-compatible directory. Some attributes may not be applicable to other implementations of LDAP. In particular, if you use this mechanism to import the objects into another Active Directory, some attributes must be omitted because they are automatically generated during object creation. (If they are not specifically omitted, the operation will fail.)

For example, the LDIFDE command that is used to omit these attributes is:

ldifde -f marketing.ldf -s hq-res-dc-01 -d "ou=Marketing,dc=reskit,dc=com" -r "(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=reskit,DC=com)" -m

Using LDIF to Modify All Objects in the Marketing OU

In this example, the entire Marketing organization has moved to a new office address. You use LDIF to perform a batch modification for all user objects in the Marketing organization by altering the state, street, locality, and postal code attributes.

To modify all objects in the Marketing OU

  1. Click Start, point to Programs, then point to Accessories, and click Command Prompt.

  2. At the command prompt, type the following command to extract the required entries:

    ldifde -f marketing.ldf -s hq-res-dc-01 -d "ou=Marketing,dc=reskit,dc=com" -p subtree -r "(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=reskit,DC=com)" -l "l,st,streetAddress,postalCode"

  3. Use a text editor such as Notepad to edit the LDIF file, Marketing.ldf. (Save the file as an .ldf file.) Modify each entry so that it is similar to that shown in Figure 2 below.

    Figure 2: Editing attributes for a move
  4. Run LDIFDE to import the modifications into Active Directory. At the command prompt, type the following command, and then press Enter. (See Figure 3 below.)

    ldifde –i -f marketing.ldf -s hq-res-dc-01

    Figure 3: Importing modifications into the Active Directory
  5. To confirm that the entries have been modified, check the Active Directory Users and Computers snap-in. (For help with using this snap-in, see the Step-by-Step Guide to Managing the Active Directory [ http://technet.microsoft.com/en-us/library/bb742437.aspx ] . )

For further information on using LDIFDE, type LDIFDE /? at the command prompt.

Note: Another utility called CSVDE performs the same export functions as LDIFDE, but uses a comma-separated file format. Import operations with CSVDE are "add" only, and CSVDE does not offer the ability to modify or delete objects. The CSV file format is supported by applications such as Microsoft Excel.

Using LDIF to Create a New User

In this example, you use LDIF to add a new user named James Smith to the Marketing organizational unit.

  1. Start a text editor, such as Notepad, and create a new text file named Newuser.ldf. (Save the file as an ldif file, not as a text file.)

  2. Edit the LDIF file Newuser.ldf, and add the following text (see Figure 4 below):

    dn: CN=JamesSmith,OU=Marketing,DC=reskit,DC=com
    changetype: add
    cn: James Smith
    objectClass: user
    samAccountName: James
    givenName: James
    sn: Smith

  3. Save and close the LDIF file.

  4. Run LDIFDE to import the new user into Active Directory. On the Start menu, point to Programs, then point to Accessories, and click Command Prompt. Type the following command, and then press Enter.

    ldifde –i -f newuser.ldf -s hq-res-dc-01

  5. To confirm that the new user has been created, check the Active Directory Users and Computers snap-in.

    Figure 4: Adding a new user to the Marketing OU

Using LDIF to Delete a User

In this example, you use LDIF to remove the user named James Smith from the Marketing OU.

  1. Start a text editor such as Notepad, and create a new file named Deluser.ldf.

  2. Edit the LDIF file Deluser.ldf, and add the following text.

    dn: CN=JamesSmith,OU=Marketing,DC=reskit,DC=com
    changetype: delete

    Figure 5: Remove James Smith from OU
  3. Run LDIFDE to delete the user from Active Directory. At the command prompt, type the following command, and then press Enter.

    ldifde –i -f deluser.ldf -s hq-res-dc-01

  4. To confirm that the user has been deleted, check the Active Directory Users and Computers snap-in.

Using VBScript and ADSI

Active Directory Services Interfaces (ADSI) makes it easy to develop directory-enabled applications. In conjunction with the Windows Script Host, batch directory operations can be scripted using VBScript or Jscript® development software. In this guide, the procedures that were described in the previous section (which used LDIF) are performed using simple applications written in VBScript.

Please note that these scripts do not include any error checking, nor are they meant to provide a programmer's reference to VBScript and ADSI. All of the examples included here assume you are logged on with the proper credentials on a machine that is a member of the target domain. It is possible in ADSI to explicitly specify credentials and a target domain. For more information on this, see the documentation on ADSI's OpenDSObject in the Platform SDK (http://msdn.microsoft.com/downloads/sdks/platform/platform.asp [ http://msdn.microsoft.com/downloads/sdks/platform/platform.asp ] ).

After each procedure, confirm that the entries have been modified by checking the Active Directory Users and Computers snap-in.

Using VBScript to Export All Objects in the Marketing OU

In this example, you use a text editor such as Notepad to create a VBScript program. The script searches the Marketing OU and creates a text file that lists all of the user objects and a subset of their attributes.

To create the export script

  1. Copy the following text into your text editor:

    'Global variables
    Dim oContainer
    Dim OutPutFile
    Dim FileSystem
    'Initialize global variables
    Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
    Set OutPutFile = FileSystem.CreateTextFile("marketing.txt", True)
    Set oContainer = GetObject("LDAP://OU=marketing,DC=reskit,DC=com")
    'Enumerate container
    EnumerateUsers oContainer
    'Clean up
    OutPutFile.Close
    Set FileSystem = Nothing
    Set oContainer = Nothing
    WScript.Echo "Finished"
    WScript.Quit(0)

    Sub EnumerateUsers(oCont)
        Dim oUser
        For Each oUser In oCont
            Select Case LCase(oUser.Class)
                Case "user"
                    If Not IsEmpty(oUser.distinguishedName) Then
                        OutPutFile.WriteLine "dn: " & oUser.distinguishedName
                    End If
                    'Use Get("name") because oUser.name returns the relative
                    'distinguished name (i.e. CN=Jo Brown)
                    If Not IsEmpty(oUser.name) Then
                        OutPutFile.WriteLine "name: " & oUser.Get("name")
                    End If
                    If Not IsEmpty(oUser.st) Then
                        OutPutFile.WriteLine "st: " & oUser.st
                    End If
                    If Not IsEmpty(oUser.streetAddress) Then
                        OutPutFile.WriteLine "streetAddress: " & oUser.streetAddress
                    End If
                Case "organizationalunit", "container"
                    'Recurse into child OUs and containers
                    EnumerateUsers oUser
            End Select
            OutPutFile.WriteLine
        Next
    End Sub
  2. Save the file as Export.vbs.

  3. At the command prompt type export.vbs and press Enter. This creates a file named Marketing.txt, which contains a list of users and some of their attributes, such as distinguished name, name, state, and street address.

With appropriate modification, this script can be used with any application that supports COM and Visual Basic technologies. Such applications include Microsoft Visual Basic, Microsoft Excel, and Microsoft Access. Scripting can also be hosted by Internet Explorer and Internet Information Services 5.0, which is part of Windows 2000 Server.

Using VBScript to Modify All Objects in the Marketing OU

In this example, the Marketing organization has moved to a new office address. A simple VBScript program is used to perform a batch modification for all user objects in the Marketing organization. The script alters the state, street, locality, and postal code attributes.

  1. Copy the following text into your text editor:

    Dim oContainer
    Set oContainer = GetObject("LDAP://OU=marketing,DC=reskit,DC=com")
    ModifyUsers oContainer
    'Clean up
    Set oContainer = Nothing
    WScript.Echo "Finished"

    Sub ModifyUsers(oObject)
        Dim oUser
        'Only enumerate user objects in the container
        oObject.Filter = Array("user")
        For Each oUser In oObject
            oUser.Put "st", "New York"
            oUser.Put "streetAddress", "825 Eighth Avenue"
            oUser.Put "postalCode", "10019"
            oUser.Put "l", "New York"
            'Write the cached changes back to the directory
            oUser.SetInfo
        Next
    End Sub
  2. Save the file as Modify.vbs.

  3. At the command prompt, type modify.vbs and press Enter. This processes all objects in the Marketing organizational unit and modifies all users, altering the state, street address, postal code, and locality attributes.

Using VBScript to Create a User Object in the Marketing OU

In this example, you use VBScript to add a new user to the Marketing organization. This example illustrates how easy it is to use ADSI and VBScript to programmatically access the directory. Note that in this example, only a limited set of attributes are configured during the user creation.

To create the script and add the user

  1. Copy the following text into your text editor:

    Dim oContainer 'Parent container of new user
    Dim oUser      'Created user
    'Get parent container
    Set oContainer = GetObject("LDAP://OU=marketing,DC=reskit,DC=com")
    'Create user
    Set oUser = oContainer.Create("User", "CN=Jo Brown")
    'Assign property values to the user
    oUser.Put "samAccountName", "Jo"
    oUser.Put "givenName", "Jo"
    oUser.Put "sn", "Brown"
    oUser.Put "userPrincipalName", "jo@reskit.com"
    'Commit the new object to the directory
    oUser.SetInfo
    'Clean up
    Set oUser = Nothing
    Set oContainer = Nothing
    WScript.Echo "Finished"
  2. Save the file as Adduser.vbs.

  3. At the command prompt, type adduser.vbs and press Enter. This creates a new user named Jo Brown in the Marketing OU.

Using VBScript to Delete a User

In this example, you use VBScript to delete a user from the Marketing organization.

  1. Copy the following text into your text editor:

    Dim oContainer 'Parent container of the object to be deleted
    'Get parent container
    Set oContainer = GetObject("LDAP://OU=marketing,DC=reskit,DC=com")
    'Delete user
    oContainer.Delete "user", "CN=Jo Brown"
    'Clean up
    Set oContainer = Nothing
    WScript.Echo "Finished"
  2. Save the file as Deluser.vbs.

  3. At the command prompt, type deluser.vbs and press Enter. This deletes the user Jo Brown from the Marketing OU.

Important Notes

The example company, organization, products, people, and events depicted in these step-by-step guides are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred.

This common infrastructure is designed for use on a private network. The fictitious company name and DNS name used in the common infrastructure are not registered for use on the Internet. Please do not use this name on a public network or Internet.

The Active Directory service structure for this common infrastructure is designed to show how Windows 2000 features work and function with the Active Directory. It was not designed as a model for configuring an Active Directory for any organization; for such information see the Active Directory documentation.

LDIFDE - Export / Import data from Active Directory

http://msmvps.com/blogs/systmprog/archive/2006/10/26/LDIFDE-_2D00_-Export-_2F00_-Import-data-from-Active-Directory.aspx

LDIFDE is a robust utility. This utility enables you to import/export information from/to Active Directory. LDIFDE queries any available domain controller to retrieve/update AD information.

LDIFDE COMMANDS:

1. Command to export the user with a given name of SAM Account

ldifde -f exportuser.ldf -s computer_name -r "(samaccountname=SAMLNAME)"

2. Command to export Organizational Units:

Running this command exports all OUs except domain controllers into a file named ExportOU.ldf.

ldifde -f exportOu.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(objectClass=organizationalUnit)" -l "cn,objectclass,ou"

3. Export the User Accounts from the Source Domain

ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"

Running this command exports all users in the Export domain into a file named Exportuser.ldf. If you do not have all the required attributes, the import operation does not work. The attributes objectclass and samAccountName are required, but more can be added as needed.

4. Command to Import users from a LDF file:

ldifde -i -f Exportuser.ldf -s Server2

5. Exporting user account attributes except those that can't be imported (using the -o switch):

This is another example filter that exports all user account data except the attributes that cannot be imported:

ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"

Another example, to export a single account by its sAMAccountName (SAMLNAME is a placeholder, as in command 1):

ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(sAMAccountName=SAMLNAME))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"

6. Exporting objects from an entire forest (the attributes to export are listed with the -l switch)

If you need to export everything from a forest you need to run the LDIFDE command against a Global Catalog server:

For example, to perform the export operation outlined against a GC, the LDIFDE command would be:

ldifde -f Exportuser.ldf -s Server1 -t 3268 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,sAMAccountName"

7. Simple Import of current domain: It will import only domain data NOT the Forest-Specific.

ldifde -i -f INPUT.LDF

8. Simple Export of current domain: It will export only domain related data NOT the Forest-Specific.

ldifde -f OUTPUT.LDF

9. Export of a domain with supplied credentials:

ldifde -m -f OUTPUT.LDF -b USERNAME DOMAINNAME PASSWORD -s SERVERNAME -d "cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com" -r "(objectClass=user)"

(The -b switch takes three values: user name, domain and password, as in command 12 below.)

10. Exporting User or Person or Organizational Unit:

ldifde -v -s w2ks -d "dc=slowe,dc=com" -p subtree -r "(objectClass=clss_name)" -f usersonly.txt

You'll notice a number of additional parameters here:

  • -v turns on verbose mode so that I could see the results
  • -d specifies the root of the search. While it was not required for this search, I included it to show you the format.
  • -p narrows the search to the subtree in question. The other options for the -p parameter are base and onelevel.
  • -r is used in the example with a parameter of "(objectClass=person)". This parameter specifies the LDAP filter to use for LDIFDE. In my case, I wanted only people, so I chose an objectClass of "person."

11. A simple VBScript to change a user’s password (the strUser and strOU values are prompted for and can also be set directly in the script):

' Prompt for the user's CN and for the OU that holds the account
strUser = InputBox("Enter full name of user")
strOU = InputBox("Enter OU where user's account resides")

' Bind to the user object through the ADSI LDAP provider; adjust the DC= components for your domain
Set objUser = GetObject("LDAP://CN=" & strUser & ",OU=" & strOU & ",DC=testdomain,DC=local")

' SetPassword performs an administrative reset; replace "password" with the new value
objUser.SetPassword "password"

MsgBox "Done!"

12. To change a user’s password using LDIFDE tool:

The following sample Ldif file (chPwd.ldif) changes a password to newPassword:

dn: CN=TestUser,DC=testdomain,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=
-

ldifde -i -f chPwd.ldif -t 636 -s dcname -b username domain password
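As an added example that is not part of the KB article, the following Python reproduces the unicodePwd encoding used in chPwd.ldif (quoted password, UTF-16LE, base64), writes the modify record, and checks the formatting rules noted above (the "-" terminator, the trailing blank line, and no plaintext password); the DN and password are the page's sample values.

```python
"""Build and audit the LDIFDE password-change record (chPwd.ldif).

Added example, not part of the KB article. It reproduces the unicodePwd
encoding (the new password in double quotes, as UTF-16LE, then base64),
emits the LDIF 'modify' record, and checks the formatting rules that make
ldifde reject a record: a missing '-' terminator or missing blank line,
and a plaintext (single-colon) unicodePwd value.
"""
import base64

# Sample values taken from the record shown on the page.
SAMPLE_DN = "CN=TestUser,DC=testdomain,DC=com"
SAMPLE_PASSWORD = "newPassword"


def unicode_pwd_value(password: str) -> str:
    """Return the base64 value ldifde expects for unicodePwd.

    Active Directory requires the password wrapped in double quotes and
    encoded as UTF-16LE without a BOM; LDIF carries the bytes as base64.
    """
    raw = f'"{password}"'.encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")


def decode_unicode_pwd(value: str) -> str:
    """Reverse the encoding, e.g. to review an LDIF file before importing it."""
    text = base64.b64decode(value).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


def build_password_change(dn: str, password: str) -> str:
    """Return a complete LDIF modify record that replaces unicodePwd.

    The change block closes with '-' on its own line and the record is
    followed by a blank line; ldifde fails on modify records without them.
    """
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {unicode_pwd_value(password)}",  # '::' marks a base64 value
        "-",
        "",
    ]
    return "\n".join(lines) + "\n"


def check_modify_record(record: str) -> list:
    """Return the problems found in one LDIF modify record (empty list = OK)."""
    problems = []
    lines = record.split("\n")
    if not lines[0].startswith("dn: "):
        problems.append("record must start with a 'dn:' line")
    if any(ln.startswith("unicodePwd: ") for ln in lines):
        problems.append("unicodePwd must be base64 ('::') of the quoted UTF-16LE password")
    if "changetype: modify" in lines:
        body = [ln for ln in lines if ln != ""]
        if body[-1] != "-":
            problems.append("modify record must end with '-' on its own line")
    if not record.endswith("\n\n"):
        problems.append("record must be followed by a blank line")
    return problems


if __name__ == "__main__":
    record = build_password_change(SAMPLE_DN, SAMPLE_PASSWORD)
    print(record, end="")
    print("problems:", check_modify_record(record) or "none")
    print("decoded:", decode_unicode_pwd(unicode_pwd_value(SAMPLE_PASSWORD)))
```

The record it prints is the chPwd.ldif shown above (RFC 2849 form with a space after the double colon), ready for the ldifde -i command over port 636.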

Published Thu, Oct 26 2006 1:49 by Nirmal Sharma

Running Adprep.exe

http://technet.microsoft.com/en-us/library/dd464018%28WS.10,printer%29.aspx

Updated: July 12, 2010

Applies To: Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2

This topic explains what Adprep.exe is. It also provides links to step-by-step instructions for running Adprep.exe.

What is Adprep.exe?

Adprep.exe is a command-line tool that is included on the installation disk of each version of Windows Server. Adprep.exe performs operations that must be completed in an existing Active Directory environment before you can add a domain controller that runs that version of Windows Server. You must run various Adprep.exe commands on your existing domain controllers to complete these operations in the following cases:

  • Before you add the first domain controller that runs a version of Windows Server that is later than the latest version that is running in your existing domain.

    When you run the Active Directory Domain Services Installation Wizard (Dcpromo.exe), an error message appears if you have not yet run Adprep.exe.

  • Before you upgrade an existing domain controller to a later version of Windows Server, if that domain controller will be the first domain controller in the domain or forest to run that version of Windows Server.

    During Setup for the operating system upgrade, an error message appears if you have not yet run Adprep.exe.

For example, if your organization has domain controllers that run Windows 2000 Server or Windows Server 2003, before you can add a new domain controller that runs Windows Server 2008 R2 or upgrade one of the existing domain controllers to Windows Server 2008 R2, you must run Adprep.exe from the \Support\Adprep folder of the Windows Server 2008 R2 installation DVD on your existing domain controllers.

Adprep.exe is a rollup of all previous versions of this tool. In other words, if you currently have domain controllers that run Windows Server 2003 and you want to add domain controllers that run Windows Server 2008 R2, you only have to run Adprep.exe from the Windows Server 2008 R2 operating system disk. It is not necessary to run the version from Windows Server 2008 because the version in Windows Server 2008 R2 includes all the changes from previous versions.

What does Adprep.exe do?

Adprep.exe has parameters that perform a variety of operations that help prepare an existing Active Directory environment for a domain controller that runs a later version of Windows Server. Not all versions of Adprep.exe perform the same operations, but generally the different types of operations that Adprep.exe can perform include the following:

  • Updating the Active Directory schema

  • Updating security descriptors

  • Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder

  • Creating new objects, as needed

  • Creating new containers, as needed

For more information about the changes that Adprep.exe performs for Windows Server 2003, see Prepare Your Infrastructure for Upgrade (http://go.microsoft.com/fwlink/?LinkId=138878).

For more information about the changes that Adprep.exe performs for Windows Server 2003 R2, see Extending Your Active Directory Schema in Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=138879).

For more information about the changes that Adprep.exe performs for Windows Server 2008, see Windows Server 2008: Appendix of Changes to Adprep.exe to Support AD DS (http://technet.microsoft.com/en-us/library/cc770703(WS.10).aspx).

For more information about the changes that Adprep.exe performs for Windows Server 2008 R2, see Windows Server 2008 R2: Appendix of Changes to Adprep.exe to Support AD DS (http://technet.microsoft.com/en-us/library/dd378876(WS.10).aspx).

Considerations for using Adprep.exe in Windows Server 2008 R2

In Windows Server 2008 R2, Adprep.exe is located in the \Support\Adprep folder of the operating system disk. In Windows Server 2008, Adprep.exe is located in the \Sources\Adprep folder.

Windows Server 2008 R2 includes a 32-bit version and a 64-bit version of Adprep.exe. The 64-bit version runs by default. If you want to run one of the Adprep.exe commands on a 32-bit computer, use the 32-bit version of Adprep.exe (Adprep32.exe).

Running Adprep.exe

To complete the required operations, you must run the Adprep.exe commands that are listed in the following table. You must run adprep /forestprep before you run other commands. Some commands must be run on specific domain controllers, as indicated in the table. The remaining sections in this topic contain more details about each command.

Command: adprep /forestprep
  • Domain controller: Must be run on the schema operations master for the forest.
  • Number of times to run the command: Once for the entire forest.

Command: adprep /domainprep
  • Domain controller: Must be run on the infrastructure operations master for the domain.
  • Number of times to run the command: Once in each domain where you plan to install an additional domain controller that runs a later version of Windows Server than the latest version that is running in the domain.

    Note: Domains where you will not add a new domain controller will be affected by adprep /forestprep, but they do not require you to run adprep /domainprep.

Command: adprep /domainprep /gpprep
  • Domain controller: Must be run on the infrastructure operations master for the domain. If you already ran the /gpprep parameter for Windows Server 2003, you do not have to run it again for Windows Server 2008 or Windows Server 2008 R2.
  • Number of times to run the command: Once in each domain within the forest.

Command: adprep /rodcprep

    Note: This command is optional. Run it only if you want to install a read-only domain controller (RODC).

  • Domain controller: Can be run from any computer. This command performs operations remotely. For the operations to complete successfully, the domain naming operations master for the forest and the infrastructure operations master for each application directory partition and each domain partition must be accessible. If you already ran this command for Windows Server 2008, you do not have to run it again for Windows Server 2008 R2.
  • Number of times to run the command: Once for the entire forest.

Note: If you plan to add an RODC to the forest, you can run adprep /rodcprep right after you run adprep /forestprep and then verify that both operations have replicated throughout the forest. Both commands require Enterprise Admin credentials; therefore, you might prefer to run them consecutively.

If you are not sure which computer holds the operations master (also known as flexible single master operations or FSMO) role that you need, type the following command at a command prompt on a computer on which you have Netdom.exe installed, and then press ENTER:

netdom query FSMO

Netdom.exe is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2. You can also install Netdom.exe on an administrative workstation. For more information, see Microsoft Remote Server Administration Tools for Windows Vista (KB941314) (http://go.microsoft.com/fwlink/?LinkID=89361) or Windows Server 2003 Service Pack 2 32-bit Support Tools (http://go.microsoft.com/fwlink/?LinkID=100114).

Running adprep /forestprep

Run the adprep /forestprep command to update the Active Directory schema and perform other forest-wide updates. The schema updates are required to support new object types. Other forest-wide updates are required to update permissions and default security descriptors. The following sections include more details about running adprep /forestprep:

Preparing to run adprep /forestprep

Organizations should review and understand the schema updates and other changes that Adprep.exe makes as part of the schema management process in Active Directory Domain Services (AD DS). For more information about how the Microsoft Information Technology (Microsoft IT) department handles AD DS schema updates, see Structured Active Directory Schema Management at Microsoft (http://go.microsoft.com/fwlink/?LinkId=137268).

Test the Adprep.exe schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment. There should not be any conflicts if your applications use Request for Comments (RFC)-compliant object and attribute definitions. For more information about the updates that Adprep.exe performs, see Windows Server 2008: Appendix of Changes to Adprep.exe to Support AD DS (http://technet.microsoft.com/en-us/library/cc770703(WS.10).aspx) and Windows Server 2008 R2: Appendix of Changes to Adprep.exe to Support AD DS (http://technet.microsoft.com/en-us/library/dd378876(WS.10).aspx).

We do not recommend that you disable replication on the schema master before you run Adprep.exe. Adprep.exe skips redundant updates. Conflicting updates, such as the introduction of duplicate object identifiers, cause Adprep.exe to stop until an administrator reconciles the conflicts. You can stop and restart Adprep.exe. It resumes at the point where it was stopped.

In addition, you might encounter the following issues if you disable replication:

  • If you boot the schema master on a private network, it will fail initial synchronization unless you also place a second domain controller on the same private network.

  • If you boot the schema master on a private network and it is not a DNS server, place a DNS server on the same private network and have the schema master point to it as the preferred DNS server.

  • If you boot the schema master on a private network and it is a DNS server and additional domain controllers are in the forest, you could wait several minutes for the operating system to start.

To help ensure that the adprep /forestprep command runs successfully, complete these additional steps before you run the command on the schema operations master role holder in the forest:

  1. Make a system state backup for your domain controllers, including the schema master and at least one other domain controller from each domain in the forest. After the changes that adprep /forestprep makes replicate throughout the forest, they can be reversed only by forest recovery. You can implement forest recovery more effectively if you have recent and trusted system state backups. For more information about backing up a domain controller, see Performing an Unscheduled Backup of a Domain Controller (http://go.microsoft.com/fwlink/?LinkID=132632). For more information about planning for forest recovery, see Planning for Active Directory Forest Recovery (http://go.microsoft.com/fwlink/?LinkId=140265).

  2. Make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.

    Note: The built-in Administrator account in the forest root domain is a member of the Schema Admins group by default.

  3. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4). To obtain Windows 2000 Server SP4, see Windows 2000 Service Pack 4 Network Install for IT Professionals (http://go.microsoft.com/fwlink/?LinkId=140267).

  4. If you are running Exchange 2000, see article 325379 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=140269) for more information about preventing potential schema conflicts.

  5. Run the following Repadmin.exe command to ensure that replication is working throughout the forest:

    repadmin /replsum /bysrc /bydest /sort:delta

    All domain controllers should show 0 in the Fails column, and the largest deltas (which indicate the time that has elapsed since the last successful replication) should be less than or roughly equal to the replication frequency of the site link that the domain controller uses for replication. The default replication frequency is 180 minutes.

  6. Antivirus software that is running on a schema master can interfere with running adprep /forestprep. The introduction of display specifiers during the adprep /forestprep operation calls an external function that can cause locks on files or folders that are used by antivirus software utilities.

    In this case, the following error can appear when you run adprep /forestprep:

    “Adprep was unable to complete because the call back function failed.”

    If you are running antivirus software on the schema master and receive this error when you run adprep /forestprep, temporarily disable the antivirus software until the command completes. For more information, see Adprep was unable to complete because the call back function failed.
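To automate the replication check in step 5, here is an added Python example (not Microsoft's tooling) that parses repadmin /replsum output and applies the criteria stated above: zero in the Fails column and a largest delta no greater than the site-link replication frequency (180 minutes by default). The sample output is constructed to follow the general shape of repadmin's summary; column spacing on a real system may differ.

```python
"""Check 'repadmin /replsum' output against the pre-adprep criteria.

Added example, not Microsoft's tooling. It parses the per-DC summary rows
and flags any domain controller with a non-zero Fails count or a largest
delta above the site-link replication frequency (180 minutes by default).
SAMPLE_REPLSUM is constructed to follow the general shape of
'repadmin /replsum /bysrc /bydest /sort:delta' output.
"""
import re

DEFAULT_FREQUENCY_MIN = 180  # default site-link replication interval

# Constructed sample: two healthy DCs and one that has not replicated for
# over a day and is failing two of its five links (error 8524 is a DNS
# lookup failure, a common cause of stale replication).
SAMPLE_REPLSUM = """\
Replication Summary Start Time: 2010-08-30 09:00:00

Beginning data collection for replication summary, this may take awhile:
  .....

Source DSA          largest delta    fails/total %%   error
 DC01                      42m:17s    0 /   5    0
 DC02                  02h:58m:03s    0 /   5    0
 DC03               1d.04h:12m:55s    2 /   5   40  (8524) The DSA operation is unable to proceed because of a DNS lookup failure.

Destination DSA     largest delta    fails/total %%   error
 DC01                      42m:17s    0 /   5    0
 DC02                  02h:58m:03s    0 /   5    0
 DC03               1d.04h:12m:55s    2 /   5   40  (8524) The DSA operation is unable to proceed because of a DNS lookup failure.
"""

# One summary row: DSA name, largest delta, fails / total, percent, optional error text.
ROW_RE = re.compile(
    r"^\s*(?P<dsa>\S+)\s+(?P<delta>>60 days|\S+)\s+(?P<fails>\d+)\s*/\s*(?P<total>\d+)\s+(?P<pct>\d+)"
)


def delta_to_minutes(delta: str) -> float:
    """Convert a repadmin delta such as '1d.04h:12m:55s' or '42m:17s' to minutes."""
    if delta.startswith(">"):  # repadmin prints '>60 days' for very stale links
        return float("inf")
    days = 0
    if "." in delta:  # day count precedes the clock part, e.g. '1d.04h:12m:55s'
        day_part, delta = delta.split(".", 1)
        days = int(day_part.rstrip("d"))
    minutes = days * 24 * 60
    for part in delta.split(":"):
        unit, value = part[-1], int(part[:-1])
        minutes += {"h": 60, "m": 1, "s": 1 / 60}[unit] * value
    return minutes


def parse_replsum(text: str, section: str = "Source DSA") -> list:
    """Return (dsa, delta_minutes, fails, total) tuples from one section of the summary."""
    rows, in_section = [], False
    for line in text.splitlines():
        if line.startswith(("Source DSA", "Destination DSA")):
            in_section = line.startswith(section)
            continue
        if not in_section or not line.strip():
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append((m["dsa"], delta_to_minutes(m["delta"]),
                         int(m["fails"]), int(m["total"])))
    return rows


def replication_problems(text: str, frequency_min: int = DEFAULT_FREQUENCY_MIN) -> list:
    """Return findings per DC; an empty list means replication meets the criteria."""
    findings = []
    for dsa, delta_min, fails, total in parse_replsum(text):
        if fails:
            findings.append(f"{dsa}: {fails} of {total} replication links failing")
        if delta_min > frequency_min:
            findings.append(f"{dsa}: largest delta {delta_min:.0f} min exceeds {frequency_min} min")
    return findings


if __name__ == "__main__":
    for finding in replication_problems(SAMPLE_REPLSUM) or ["replication OK"]:
        print(finding)
```

Feed it the saved output of the repadmin command (for example via redirection to a file) and review any finding before running adprep /forestprep; DC02 in the sample sits just under the 180-minute threshold and is therefore not flagged.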

For more information about completing these preparatory steps, see So You Want to Upgrade to Windows 2008 Domain Controllers (ADPREP) (http://go.microsoft.com/fwlink/?LinkId=138880).

Running adprep /forestprep

You can run the adprep /forestprep command from the Windows Server DVD, or you can copy the contents of the folder that includes Adprep.exe to your schema master and run Adprep.exe from that location. If you copy Adprep.exe to the schema master, be sure to copy the entire contents of the folder.

For more information about how to run the adprep /forestprep command, see Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://technet.microsoft.com/en-us/library/cc753437(WS.10).aspx).

Verifying that adprep /forestprep completed successfully

When the adprep /forestprep command completes, a message appears in the Command Prompt window to indicate that Adprep has successfully updated the forest-wide information. You can also use the following procedure to verify that adprep /forestprep completed successfully.

To verify that adprep /forestprep completed successfully

  1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2.

  2. Click Start, click Run, type ADSIEdit.msc, and then click OK.

  3. Click Action, and then click Connect to.

  4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.

  5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain

    where forest_root_domain is the distinguished name of your forest root domain.

  6. Double-click CN=ForestUpdates.

  7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.

  8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.

    If you ran adprep /forestprep for Windows Server 2008, confirm that the Revision attribute value is 2, and then click OK.

  9. Click ADSI Edit, click Action, and then click Connect to.

  10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.

  11. Double-click Schema.

  12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties

    where forest_root_domain is the distinguished name of your forest root domain.

  13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.

    If you ran adprep /forestprep for Windows Server 2008, confirm that the objectVersion attribute value is set to 44, and then click OK.

Running adprep /domainprep

After the adprep /forestprep operations are complete, you are ready to run the adprep /domainprep command to prepare your domains. The following sections include more details about running adprep /domainprep:

Preparing to run adprep /domainprep

To help ensure that the adprep /domainprep command runs successfully, complete these steps before you run the command on the infrastructure operations master role holder in each domain:

  1. Make sure that the schema updates that adprep /forestprep performs replicated throughout the forest or that they at least replicated to the infrastructure master for the domain where you plan to run adprep /domainprep. For more information, see Verifying that adprep /forestprep completed successfully.

  2. Make sure that you can log on to the infrastructure master with an account that is a member of the Domain Admins group.

  3. Verify that the domain functional level is at least Windows 2000 native.

Running adprep /domainprep

When you are ready to run adprep /domainprep, insert the Windows Server operating system DVD into the DVD drive of the infrastructure master. Then, change directories to the folder that contains Adprep.exe and run the command. For more information, see Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://technet.microsoft.com/en-us/library/cc754670(WS.10).aspx).

Verifying adprep /domainprep

When adprep /domainprep completes, a message appears in the Command Prompt window to indicate that Adprep successfully updated the domain-wide information. You can also use the following procedure to verify that adprep /domainprep completed successfully.

To verify that adprep /domainprep completed successfully

  1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2.

  2. Click Start, click Run, type ADSIEdit.msc, and then click OK.

  3. Click Action, and then click Connect to.

  4. Click Select a well known Naming Context, select Default naming context in the list of available naming contexts, and then click OK.

  5. Double-click Default naming context, double-click the container that is the distinguished name of the domain, and then double-click CN=System.

  6. Double-click CN=DomainUpdates, right-click CN=ActiveDirectoryUpdate, and then click Properties.

  7. If you ran adprep /domainprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.

    If you ran adprep /domainprep for Windows Server 2008, confirm that the Revision attribute value is 3, and then click OK.

Running adprep /domainprep /gpprep

If you ran the version of the adprep /domainprep command that is included in Windows Server 2008 or Windows Server 2008 R2, the adprep /domainprep /gpprep command adds only the inheritable access control entries (ACEs) on Group Policy objects (GPOs) in the SYSVOL shared folder. The additional ACEs give enterprise domain controllers read access permissions on GPOs. These permissions are required to support Resultant Set of Policy (RSOP) functionality for site-based policy.

Running adprep /domainprep /gpprep can create a lot of replication traffic because every GPO is updated. Therefore, you might want to run this command during off-peak hours to minimize the impact of the additional replication.

If you run adprep /domainprep /gpprep before you run adprep /domainprep, Adprep.exe runs both commands sequentially. First, it performs the /domainprep operations, and then it performs the /gpprep operations.

If you are running an earlier version of Adprep.exe, see article 324392 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=140283).

The following sections include more details about running adprep /domainprep /gpprep:

Preparing to run adprep /domainprep /gpprep

To help ensure that adprep /domainprep /gpprep runs successfully, complete these steps before you run the command on the infrastructure operations master role holder in each domain.

  1. Make sure that you have completed the preparatory steps for running adprep /domainprep. For more information, see Preparing to run Adprep /domainprep.

  2. Make sure that the Default Domain Policy and the Default Domain Controllers Policy are located on the infrastructure master. To do this, use Windows Explorer to navigate to the %windir%\SYSVOL\sysvol\domain_name\Policies folder. Confirm that the following globally unique identifiers (GUIDs) appear in the Policies folder:

    • {31B2F340-016D-11D2-945F-00C04FB984F9}

    • {6AC1786C-016F-11D2-945F-00C04fB984F9}

  3. Antivirus software that is running on an infrastructure master can interfere with running adprep /domainprep /gpprep. In this case, the following error message can appear when you run adprep /domainprep /gpprep:

    “Adprep was unable to complete because the call back function failed.”

    If you are running antivirus software on the infrastructure master and receive this error message when you run adprep /domainprep /gpprep, temporarily disable the antivirus software until the command completes. For more information, see Adprep was unable to complete because the call back function failed.

Running adprep /domainprep /gpprep

When you are ready to run the adprep /domainprep /gpprep command, insert the Windows Server operating system DVD into the DVD drive of the infrastructure master. Then, change directories to the folder that contains Adprep.exe and run the command. For more information, see Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://technet.microsoft.com/en-us/library/cc754670(WS.10).aspx).

Verifying adprep /domainprep /gpprep

If you have not yet run adprep /domainprep, when you run adprep /domainprep /gpprep you see a message that indicates that adprep /domainprep successfully updated the domain-wide information, followed by a message that indicates that Adprep successfully updated the GPO information. If you have already run adprep /domainprep, the message indicates that the domain-wide information has already been updated and that the operation will not be repeated, followed by the message that indicates that Adprep successfully updated the GPO information.

You can also verify that this command is complete by using the steps for verifying that adprep /domainprep completed successfully, or you can verify that the operation added the Read permission for the Enterprise Domain Controllers group on all GPOs. For more information, see Verifying adprep /domainprep.

Running adprep /rodcprep

Running the adprep /rodcprep command is optional. It is required only if you want to install an RODC in the forest. This command updates the security descriptors for application directory partitions to give RODCs permission to replicate updates to the partitions. Each application directory partition has an infrastructure master. The adprep /rodcprep command must update the security descriptor for each application directory partition on the infrastructure master for that partition.

There are two application directory partitions that are created by default for Domain Name System (DNS) data: DomainDNSZones and ForestDNSZones. If the infrastructure master for either of these partitions is offline or if it has been forcefully removed from the forest, adprep /rodcprep fails with an error. For more information, see article 949257 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=140285). In addition, this command must contact the domain naming operations master to obtain a list of the application and domain directory partitions that are in the forest. Therefore, the domain naming master must be accessible when you run this command.

The following sections include more details about running adprep /rodcprep:

Preparing to run adprep /rodcprep

To help ensure that the adprep /rodcprep command runs successfully, complete these steps before you run the command:

  1. Make sure you can log on to a computer with an account that is a member of the Enterprise Admins group.

  2. Make sure that the domain naming master and the infrastructure master for each application directory partition are accessible.

Running adprep /rodcprep

When you are ready to run the adprep /rodcprep command, insert the Windows Server operating system DVD into the DVD drive of the computer. Then, change directories to the folder that contains Adprep.exe and run the command. For more information, see Prepare a Forest for a Read-Only Domain Controller (http://technet.microsoft.com/en-us/library/cc771055(WS.10).aspx).

Verifying adprep /rodcprep

When the adprep /rodcprep command completes, a message appears in the Command Prompt window to indicate that all partitions are updated. You can also use the following procedure to verify that adprep /rodcprep completed successfully.

To verify that adprep /rodcprep completed successfully

  1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2.

  2. Click Start, click Run, type ADSIEdit.msc, and then click OK.

  3. Click Action, and then click Connect to.

  4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.

  5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain

    where forest_root_domain is the distinguished name of your forest root domain.

  6. Double-click CN=ForestUpdates.

  7. Right-click CN=ActivedirectoryRodcUpdate, and then click Properties.

  8. Confirm that the Revision attribute value is 2, and then click OK.

Troubleshooting errors with Adprep.exe

This section explains how to correct problems when Adprep.exe fails. Adprep.exe errors are logged in the %windir%\Debug\Adprep\Logs folder. There will be a separate file each time that you run ADPREP. At the bottom of the file, you can see what the problem is. Some common causes for Adprep.exe errors include the following:

For more information, see Troubleshooting ADPREP Errors (http://go.microsoft.com/fwlink/?LinkId=138881).

Insufficient credentials to run the command

Each Adprep.exe command requires a different set of credentials. The following table lists the credential requirements for each command.

Adprep.exe command and the credentials that are required to run it:

adprep /forestprep
  • Schema Admins
  • Enterprise Admins
  • Domain Admins of the domain that hosts the schema master

adprep /domainprep
  • Domain Admins

adprep /domainprep /gpprep
  • Domain Admins

adprep /rodcprep
  • Enterprise Admins

Operations master role holders are not accessible

If Adprep.exe cannot contact the operations master role holders that are required to complete the command, the command fails with an error. Because the adprep /forestprep and adprep /domainprep /gpprep commands must be run directly on the schema master and the infrastructure master, respectively, these commands are less likely to generate this type of error.

The adprep /rodcprep command, however, can be run from any computer. This command runs remotely, and it must contact the domain naming master for the forest to obtain a list of application directory partitions that are in the forest. It then must contact the infrastructure master for each of the application directory partitions. If an infrastructure master is offline or if it has been forcefully removed from the domain, the adprep /rodcprep command fails. For more information, see article 949257 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=140285).

Schema conflicts

Schema conflicts can cause the following Adprep errors:

  • “OID will not be changed resulting in probable failure to add a new class”

    This error occurs when custom schema changes have been made or when non-Microsoft software makes schema changes that conflict with a schema change from Microsoft.

    To resolve this issue, open the ADPREP log to see what the failed object is. If you know the non-Microsoft software that is using the attribute, contact the makers of that software and determine if there is a fix. Otherwise, contact Microsoft Customer Support Services.

  • “Schema update failed: An attribute with the same link identifier already exists”

    This error occurs when you are trying to update or add an object in the schema and the link identifier already exists for another attribute. Some non-Microsoft applications modify the schema with a link identifier set that is owned by the operating system. For more information about resolving this error, see Troubleshooting ADPREP Errors (http://go.microsoft.com/fwlink/?LinkId=138881).

Adprep was unable to complete because the call back function failed

This error message can appear when an external function called by adprep /forestprep or adprep /domainprep /gpprep causes locks on files or folders that are used by antivirus software utilities running on the schema master or the infrastructure master.

If you see this error message when you run adprep /forestprep, try disabling the antivirus software and running the command again. After the adprep /forestprep command completes, you can enable the antivirus software again.

If you see this error message when you run adprep /domainprep /gpprep, investigate and resolve the following possible causes:

  • The \SCRIPTS folder is absent from the SYSVOL shared folder.

  • The Default Domain Policy and the Default Domain Controller Policy are absent from SYSVOL.

  • The Default Domain Policy and the Default Domain Controller Policy do not have the default globally unique identifiers (GUIDs). The Default Domain Policy GUID is {31B2F340-016D-11D2-945F-00C04FB984F9}. The Default Domain Controller Policy GUID is {6AC1786C-016F-11D2-945F-00C04fB984F9}.

  • The registry entry HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SysVol does not exist or does not point to a valid SYSVOL path, such as %SystemRoot%\SYSVOL\sysvol.

  • There are problems with file system junction points between %SystemRoot%\SYSVOL\sysvol\domain and %SystemRoot%\SYSVOL\. Running a DIR command of the SYSVOL folder tree structure is not sufficient to validate the junction points. Instead, use LinkD to verify existence of junction points and validate linked folders. For more information about using LinkD, see Gather the SYSVOL path information (http://go.microsoft.com/fwlink/?LinkId=158003).

You receive an error when you run adprep /forestprep that says “Adprep is valid, but is for a machine type other than the current machine”

You can receive this error if you try to run Adprep.exe from the Windows Server 2008 R2 installation DVD on a schema master that runs a 32-bit version of Windows Server. By default, Windows Server 2008 R2 runs the 64-bit version of Adprep.exe. To resolve this error, open an elevated command prompt on the schema master and run the 32-bit version of the command:

Adprep32.exe /forestprep

The Adprep32.exe tool is in the support\adprep folder of the Windows Server 2008 R2 installation DVD.

Friday, August 27, 2010

Prepare Your Infrastructure for Upgrade

http://technet.microsoft.com/en-us/library/cc771461%28WS.10,printer%29.aspx

Updated: July 26, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

Preparing your Active Directory infrastructure for upgrade includes the following tasks. For more information about running Adprep.exe, see Run Adprep commands. If you are preparing for Windows Server 2008 R2 and your existing domain controllers run a 32-bit version of Windows Server, use Adprep32.exe from the support\adprep folder of the operating system installation disk; by default, Windows Server 2008 R2 ships a 64-bit Adprep.exe that will not run on those domain controllers. If you are preparing for Windows Server 2008, there is only one version of Adprep.exe, located in the sources\adprep folder.

  • Prepare the forest schema by running adprep /forestprep.

  • Prepare each domain where you want to install a domain controller that runs Windows Server 2008 or Windows Server 2008 R2 by running adprep /domainprep /gpprep.

  • Prepare the forest for read-only domain controllers (RODCs), if you plan to install them, by running adprep /rodcprep.
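Each of the three steps above has to be run on a specific domain controller (forestprep on the schema master, domainprep /gpprep on the infrastructure master of every domain), and adprep records what it has done in the directory. The script below is an added example, not from the TechNet article, that locates those role holders and then reads back the version markers so you can confirm a step actually completed before installing the first new domain controller. It uses .NET System.DirectoryServices rather than the ActiveDirectory module so that it runs from PowerShell 2.0 on the existing, pre-2008 R2 domain controllers. The expected marker values are the ones Microsoft documents for these releases: schema objectVersion 44 (Windows Server 2008) and 47 (Windows Server 2008 R2); domain revision 3 (2008) and 5 (2008 R2). Where adprep /rodcprep must be run is not stated on this page, so the script only lists it.

```powershell
# Added example (not from the TechNet article): find where each adprep step must run,
# then verify the markers adprep leaves behind. Needs only .NET DirectoryServices.
$null = [System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

function Get-AdprepTargets {
    # Returns one line per command with the DC it must be run on.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    "adprep /forestprep           -> schema master: $($forest.SchemaRoleOwner.Name)"
    foreach ($d in $forest.Domains) {
        "adprep /domainprep /gpprep   -> infrastructure master of $($d.Name): $($d.InfrastructureRoleOwner.Name)"
    }
    "adprep /rodcprep             -> only if you plan RODCs; see 'Run Adprep commands' for where to run it"
}

function Get-AdprepStatus {
    # Reads the version markers. Schema objectVersion: 44 = WS2008, 47 = WS2008 R2.
    # CN=ActiveDirectoryUpdate revision: 3 = WS2008, 5 = WS2008 R2. The domain object
    # does not exist at all until domainprep has run once, hence the try/catch.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://CN=Schema,$($rootDse.configurationNamingContext)"
    $schemaVersion = [int]($schema.objectVersion.Value)

    $domainRevision = $null
    try {
        $upd = [ADSI]"LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($rootDse.defaultNamingContext)"
        $domainRevision = [int]($upd.revision.Value)
    } catch {
        $domainRevision = 0   # object missing: domainprep has never run in this domain
    }

    New-Object PSObject -Property @{
        Domain               = "$($rootDse.defaultNamingContext)"
        SchemaObjectVersion  = $schemaVersion
        ForestPrep2008       = ($schemaVersion -ge 44)
        ForestPrep2008R2     = ($schemaVersion -ge 47)
        DomainPrepRevision   = $domainRevision
        DomainPrep2008       = ($domainRevision -ge 3)
        DomainPrep2008R2     = ($domainRevision -ge 5)
    }
}

Get-AdprepTargets
Get-AdprepStatus | Format-List
```

Run Get-AdprepStatus once before you start to record the baseline, and again after each step; if the schema number has not moved after /forestprep, check that the change has replicated to the DC you are querying (the markers are written on the schema master and the infrastructure master and reach other DCs only through normal replication).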

Important
Review the list of operations that Adprep.exe performs in Windows Server 2008, and test the schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment. There should not be any conflicts if your applications use RFC-compliant object and attribute definitions. For a list of specific operations that are performed when you update the Active Directory schema, see Windows Server 2008: Appendix of Changes to Adprep.exe to Support AD DS [ http://go.microsoft.com/fwlink/?LinkId=177829 ] and Windows Server 2008 R2: Appendix of Changes to Adprep.exe to Support AD DS [ http://go.microsoft.com/fwlink/?LinkId=177828 ] .
