jershauge (Beginner)
7 June 2002 - 02:47. There is 1 comment and
1 solution

Installing LDAP on Windows 2000 Server

Is it possible to access AD/Exchange 2000 via the LDAP protocol on a 2000 server, and does anything special need to be installed for this?

I cannot find anything about it on Microsoft's site, nor on TechNet. I would very much like help with this, as I am working on a project where I need to be able to create and remove users in AD/Exchange via this protocol.

Best regards
Chris Jershauge
Chris@skibhusnet.dk
flagz (Beginner)
7 June 2002 - 09:29 #1
Hi Jershauge

Yes, it is possible, and you do not need to install anything special for this.

There are two "tools" for this, both of which use the LDAP protocol.

CSVDE.EXE and LDIFDE, both of which are command-line utilities.

CSVDE can only be used to create users in AD/Exchange, but LDIFDE can be used to create, modify and delete users.

The syntax for both utilities is the same, but the file format is different.

Example of the LDIFDE format:

dn: CN=sampleUser,CN=Users,DC=myDomain,DC=microsoft,DC=com
changetype: add
cn: sampleUser
description: Example of an Imported User using LDIFDE
objectClass: user
sAMAccountName: sampleUser

Example of the CSVDE format:

dn,cn,firstName,surname,description,objectClass,sAMAccountname
"cn=John Smith,cn=Users,dc=myDomain,dc=microsoft,dc=com",John Smith,John,Smith,Manager,user,jsmith
"cn=Jane Smith,cn=Users,dc=myDomain,dc=microsoft,dc=com",Jane Smith,Jane,Smith,President,user,janes

When you then, for example, need to load some users into AD/Exchange, you use the following command: LDIFDE -i -f x:\filnavn or CSVDE -i -f x:\filnavn.

Otherwise you can read about LDIFDE in the Knowledge Base article below.

---------------------------------------------------------------------
PSS ID Number: Q237677
Article last modified on 01-08-2002

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server
-------------------------------------------------------------------------------

SUMMARY
=======

The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file
format that may be used for performing batch operations against directories that
conform to the LDAP standards. LDIF can be used to export and import data,
allowing batch operations such as add, create, and modify to be performed
against the Active Directory. A utility program called LDIFDE is included in
Windows 2000 to support batch operations based on the LDIF file format standard.
This article is designed to help you better understand how the LDIFDE utility
can be used to migrate directories.

MORE INFORMATION
================

Viewing LDIFDE General Parameters
---------------------------------

1. Click Start, point to Programs, point to Accessories, and then click "Command
  Prompt".

2. At the command prompt, type: ldifde ? . The built-in Help file is then
  displayed as below.

General Parameters:

-i              Turn on Import Mode (The default is Export)
-f filename    Input or Output filename
-s servername  The server to bind to
-c FromDN ToDN  Replace occurrences of FromDN to ToDN
-v              Turn on Verbose Mode
-j              Log File Location
-t              Port Number (default = 389)
-?              Help

Export Specific Parameters:

-d RootDN      The root of the LDAP search (Default to Naming Context)
-r Filter      LDAP search filter (Default to "(objectClass=*)")
-p SearchScope  Search Scope (Base/OneLevel/Subtree)
-l list        List of attributes (comma separated) to look for in an LDAP search.
-o list        List of attributes (comma separated) to omit from input
-g              Disable Paged Search
-m              Enable the SAM logic on export
-n              Do not export binary values

Import Specific Parameter:

-k              The import will go on ignoring 'Constraint Violation' and 'Object Already Exists' errors

Credentials Parameters:

-a              Sets the command to run using the supplied user distinguished name
                and password. For example: "cn=yourname,dc=yourcompany,dc=com
                password"
-b              Sets the command to run as username domain password. The default is
                to run using the credentials of the currently logged on user.

NOTE: This tool is very flexible and offers a number of command-line switches and
arguments. The utility is included in Windows 2000 Server, but not with Windows
2000 Professional. The LDIFDE program can be copied to a computer running
Windows 2000 Professional and be run remotely against the Windows 2000 Server
Active Directory.

Using LDIFDE to Export and Import Directory Objects:

The following is a step-by-step process to import and export Organizational Units
(OUs) and user accounts from one Windows 2000 Active Directory to another. For
this example, "Export" is the name of the domain from which objects are exported
and "Import" is the name of the domain in which objects are imported. LDIFDE can
also be used to import most third-party folders to the Active Directory.

Export the Organizational Units from the Source Domain

1. Log on as Administrator in the Export domain. If you log on using an account
  that does not have administrative privileges, you may not be able to perform
  export and import operations against the Active Directory.

2. Click Start, point to Programs, point to Accessories, and then click "Command
  Prompt".

3. At the command prompt, type:

  ldifde -f exportOu.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree -r "(objectClass=organizationalUnit)" -l "cn,objectclass,ou"

Running this command exports all OUs except domain controllers into a file named
ExportOU.ldf.

Export the User Accounts from the Source Domain

At the command prompt, type:

  ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"

Running this command exports all users in the Export domain into a file named
Exportuser.ldf. If you do not have all the required attributes, the import
operation does not work. The attributes objectclass and samAccountName are
required, but more can be added as needed.

NOTE: Built-in accounts, such as Administrator, do not have a given name. By
default, the LDAP filter used above does not export those accounts. LDIFDE does
not support exporting passwords.

Import the Organizational Units from Export to Import

1. Log on as an Administrator in the Import domain. If you log on using an
  account that does not have administrative privileges, you may not be able to
  perform export and import operations against the Active Directory.

2. Open the file Exportou.ldf using Notepad.

3. In Notepad, on the Edit menu, click Replace.

4. In the "Find what" box type, "Export" (without the quotation marks). In the
  "Replace with" box type, "Import" (without the quotation marks).

5. Click "Replace All".

6. After you verify that the domain names are replaced, save, and then close the
  file.

7. At the command prompt, type:

  ldifde -i -f ExportOU.ldf -s <Server2>

You should see a message stating the number of entries that have been modified
and that the command completed successfully.

NOTE: In this situation, you must complete the first step prior to completing the
second step so that the OUs are available to contain the users.

Import the Users from Export to Import

1. Open the file Exportuser.ldf using Notepad.

2. In Notepad, open the Edit menu and click Replace.

NOTE: Remember that in this example, "Export" is the name of the domain from
which objects are exported and "Import" is the name of the domain to which
objects are imported. You will replace "Export" with the name of the domain you
exported from and you will have to replace "Import" with the domain you are
importing to.

3. In the "Find what" box type, "Export" (without the quotation marks). In the
  "Replace with" box, type "Import" (without the quotation marks).

4. Click "Replace All".

5. After you verify that the domain names are replaced, save, and then close the
  file.

6. At the command prompt, type:

  ldifde -i -f Exportuser.ldf -s <Server2>

7. View the newly created contacts using either the Active Directory Users and
  Computers snap-in tool or using the Windows Address Book.

NOTE: Because LDIFDE does not export passwords, when the users are imported into
the directory, the account is disabled and the password is set to null. This is
done for security reasons. Also, the account option "User must change password
at next logon" is selected.

Exporting Objects from an Entire Forest

If you need to export OUs, users, and groups from an entire forest, you may
either run the above LDIFDE export commands against each domain in the forest,
or alternatively, run the query once against the global catalog (GC). To do this,
ensure that the domain controller that is specified by the -s switch is a GC,
and additionally, specify the GC port using the -t switch. The GC port number is
3268.

For example, to perform the export operation outlined against a GC, the LDIFDE
command would be:

  ldifde -f Exportuser.ldf -s <Server1> -t 3268 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,sAMAccountName"

NOTE: To modify attributes in AD, it is very important that the following format
be followed for the import file, especially the "-" on a single line followed by
a completely blank line on the next line. To import this file all you need to do
is run: ldifde -i -f Import.ldf -s <Server>.

Sample Import/Modify File Format:

dn: CN=Jane Doe,OU=Staff,DC=microsoft,DC=com
changetype: modify
replace: extensionAttribute1
extensionAttribute1: Staff
-

dn: CN=John Doe,OU=Staff,DC=microsoft,DC=com
changetype: modify
replace: extensionAttribute1
extensionAttribute1: Staff
-

Copyright Microsoft Corporation 2002.
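
A pre-import check for the file rules stated in the quoted article (objectClass and sAMAccountName are required for user imports, and each modify change must be closed by a "-" line), added here as an example that is not part of the original thread or of Microsoft's article. The function names and the sample records are constructed for illustration.

```python
import re

# Constructed sample (not from the page): a valid add, a user add without
# sAMAccountName, and a modify whose change block lacks the closing "-".
SAMPLE = """\
dn: CN=sampleUser,CN=Users,DC=Import,DC=com
changetype: add
objectClass: user
sAMAccountName: sampleUser

dn: CN=Broken User,CN=Users,DC=Import,DC=com
changetype: add
objectClass: user

dn: CN=Jane Doe,OU=Staff,DC=Import,DC=com
changetype: modify
replace: extensionAttribute1
extensionAttribute1: Staff
"""

MOD_OPS = {"add", "replace", "delete"}  # operation lines inside a modify record

def parse_records(text):
    """Split LDIF into records, each a list of (key, value); a "-" line becomes ("-", "")."""
    text = re.sub(r"\r?\n ", "", text)  # unfold lines continued with a leading space
    records = []
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        lines = [l for l in block.splitlines() if not l.startswith("#")]  # drop comments
        records.append([(k.strip().lower(), v.strip())
                        for k, _, v in (l.partition(":") for l in lines)])
    return records

def lint(text):
    """Return (dn, problem) tuples; an empty list means every record passed."""
    problems = []
    for rec in parse_records(text):
        if not rec or rec[0][0] != "dn":
            problems.append(("<no dn>", "record does not start with dn:"))
            continue
        dn, keys = rec[0][1], [k for k, _ in rec]
        classes = {v.lower() for k, v in rec if k == "objectclass"}
        change = dict(rec).get("changetype", "add").lower()
        if change == "add" and not classes:
            problems.append((dn, "add record lacks objectClass"))
        if change == "add" and "user" in classes and "samaccountname" not in keys:
            problems.append((dn, "user add record lacks sAMAccountName"))
        if change == "modify" and sum(k in MOD_OPS for k in keys) != keys.count("-"):
            problems.append((dn, 'modify change not closed by a "-" line'))
    return problems
```

Calling `lint(SAMPLE)` reports the second and third records; running it on an edited export before `ldifde -i` catches these problems without touching the directory.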
jershauge (Beginner)
7 June 2002 - 16:17 #2
Hi Flagz, many thanks for the help, that was a really great answer.

Regards
Chris Jershauge