How We Can Import Data From Active Directory Domain Services?

Last Updated : 14 Apr, 2023

The Active Directory Domain Services can be a great source of information that we would like to import into our new Windows Server 2016. There are two ways that we can go about this, either exporting data from Active Directory Domain Services and then importing the data into the new domain, or migrating the domain out of Active Directory Domain Services and then importing it in using our newest server.

To import data from Active Directory Domain Services (AD DS), you can use PowerShell or a graphical user interface tool such as Microsoft’s Active Directory Users and Computers. Here are the general steps to follow:

Using PowerShell:

  1. Open PowerShell as an administrator.
  2. Import the Active Directory module by running the command: Import-Module ActiveDirectory
  3. Connect to the Active Directory domain by running the command: Connect-ADDirectoryService
  4. Use the Get-ADUser, Get-ADComputer, or other related cmdlets to retrieve the desired data. For example, to get all users in a specific organizational unit (OU), run the command: Get-ADUser -Filter * -SearchBase "OU=MyOU,DC=mydomain,DC=com"
  5. Save the retrieved data to a file or export it to a different system.
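
The retrieve-and-save steps above as one script. This is an added example, not code from the original article. The output folder C:\ADExport and the attribute list are assumptions, and the OU path is the placeholder used in the step above.

```powershell
# Added example: export selected user attributes from one OU to CSV.
# Assumed values: output folder and attribute list. The OU path is the
# placeholder from the steps above. Adjust all three for your domain.
Import-Module ActiveDirectory

$searchBase = 'OU=MyOU,DC=mydomain,DC=com'
$outDir     = 'C:\ADExport'                    # assumed folder
$outFile    = Join-Path $outDir 'users.csv'

# Request only the attributes the import needs. -Properties * would also
# pull fields that have no business sitting in a flat file.
$props = 'DisplayName', 'mail', 'Department', 'whenCreated'

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Restrict the folder before writing: drop inherited ACEs and allow only
# the current user and the local Administrators group.
$acl = Get-Acl -Path $outDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in @("$env:USERDOMAIN\$env:USERNAME", 'BUILTIN\Administrators')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $outDir -AclObject $acl

# Same query as in the step above, with an explicit column list so the
# CSV layout does not depend on the module's default property set.
$users = Get-ADUser -Filter * -SearchBase $searchBase -Properties $props |
    Select-Object SamAccountName, UserPrincipalName, DistinguishedName,
                  DisplayName, mail, Department, Enabled, whenCreated

$users | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Record the row count and a hash so the file can be verified after it
# is copied to the system that will import it.
$hash = Get-FileHash -Path $outFile -Algorithm SHA256
'{0} users exported, SHA256 {1}' -f @($users).Count, $hash.Hash
```

Compare the printed SHA256 value against Get-FileHash on the destination system before importing the file.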

Using Active Directory Users and Computers:

  1. Open the Active Directory Users and Computers console on a domain-joined computer.
  2. Navigate to the desired OU or container that contains the data you want to import.
  3. Right-click on the OU or container and select “Export List”.
  4. Choose the format and location for the exported file.
  5. Open the exported file in a spreadsheet or other tool to manipulate the data as needed.

Note: Importing data from AD DS requires appropriate permissions and authentication to the domain.

Through this article, we will explore how to back up AD DS, back up AD DS using dcpromo.exe, migrate from one server to another using dcpromo.exe, and finally how to import data back into AD after the migration process is complete.

This article assumes that the Domain Admins group is available on Windows Server 2016.

Backing up Active Directory Domain Services

The first step in backing up Active Directory Domain Services is to open a PowerShell window and run the command below:

Backup-ADDomain -Directory <Source> -LogPath <Destination> 

To back up our Test-ADDS01 domain, we will run the command below:

Backup-ADDomain -Directory "Test-ADDS01" -LogPath "C:\Test-Backup\Test-Backup.log" 

The above command will create a log file called Test-Backup.log in the C:\Test-Backup folder.

The log will contain all the objects that are being backed up and other information about the backup process. As shown below, I have selected to back up a specific OU called “Clients”. If we do not specify an OU to back up, AD DS will back up all the OUs in that domain. We can back up only the System Drive by using the “-SystemDrive <drive>” parameter.

Next, we will learn how we can back up AD DS using dcpromo.exe. We can use dcpromo as a last-resort measure if all else fails and we have to migrate the domain out of Active Directory Domain Services but still have access to the data that was stored in our domain before the migration.

Backing up Active Directory Domain Services using dcpromo.exe:

To back up the Active Directory Domain Services using dcpromo, we will run the command “dcpromo /export /f <destination>”. The syntax above stands for:

-d:
-c: Installs or configures a server. Prerequisites include at least one of these options (InstallDNS OR FixUpAD OR FullServer).
-f: Performs an offline migration. This option is not available on DCs that have been promoted from member servers (not possible on DCs with an existing installation of Active Directory).
-h: Displays the help for the command.

It will create a file called ntuser.dat in our destination folder. The file is located in “C:\Users\<username>\NTUSER.DAT”

Importing into a different directory service

Next, we will learn how to export and import data from Active Directory Domain Services using PowerShell. To do this, we will use the Move-ADDirectoryObject cmdlet to export an object from Active Directory Domain Services and then move it into another server running a different directory service such as Novell eDirectory or OpenLDAP. We can also use this method to migrate an object from one domain in Active Directory to another domain.

Import data from Active Directory Domain Services:

Active Directory Domain Services (AD DS) enables secure authentication in Windows 2000 Server and later operating systems and networks by converting names into claims that are presented to the Windows Kerberos V5 authentication service for verification.

It’s the backend to all of this stuff and is managed by a couple of roles: Domain Administrators (da) and Global Catalog (GC). Let’s format that for readability:

Active Directory Domain Services:

(AD DS) makes secure authentication possible in Windows 2000 Server and later operating systems. It manages the following two roles: Domain Admins (da) and Global Catalog Servers (gc).

The rest of the AD DS system components are made up of servers, databases, scripts, and tools that you’ll need to know how to use in order to accomplish your desired goals. There are two areas where you’ll find knowledge here: Server Roles & Features and Schema Designers.

Server Roles & Features:

Server Roles & Features is a set of roles, service packs, and features that are required to manage domains within Active Directory. It also contains the default schemas for AD DS and any optional AD DS enhancements. 

This list is categorized by OS, server type, and version so you can find the best fit for your organization. These roles are crucial in the early phases of any project, as they determine what are called “Service Principal Names” (SPNs). SPNs are basically accounting names that you’ll use to connect to your domain from other network locations. They’re also the glue that keeps everything together.

Step-by-Step Procedure for Importing data from Active Directory Domain Services:

Here are all the steps:

  1. Open up “Mozilla Thunderbird”. 
  2. Right-click on “Tools” in your sidebar and then click on “Account Settings”. 
  3. Click on “Add Account” under “Account Type:” Choose a name for your mail account that is different than your company email address (e.g., “import@example.com”).
  4. In the “Email Address:” field, type in the company’s email address. In the “Name:” field, type in your name. The name should remain as “Account Name.”
  5. Next, it will ask you to have a password. DO NOT PUT ANYTHING HERE!
  6. Click on “Next”. It should ask if you want to use a particular server or an IMAP server. Select IMAP and click on next. 
  7. On the next page, again select IMAP and click on next (this is mostly for corporate clients).
  8. Click on “Finish”. The program may ask for your LDAP server, click on “use LDAP server” and provide it with the info if needed.
  9. It will now ask you for your password for Remote Directory. Choose a strong password here.
  10. Type in the name of your company (or whatever you want to call it).
  11. Next, it asks to select where all of the users from their company in Active Directory are located. Again, choose “Use Active Directory” and click next (if you can’t access Active Directory because you are an administrator then select “Use Another Server” instead).
  12. Click on “Next”. It should now ask you to provide the appropriate information for your company. Here are the settings:
  13. Click on “Next”. It will now ask you to select your company and then click on OK. 
  14. Click on “Import All Users…”
  15. It will ask if you want to import users as they are added. Choose “Yes” and click on “Save”. The program may tell you that it did not find a user, but if you go back into Active Directory, all of the users should be imported.
  16. Click on the “Close” button of the program.
