Tag Archives: LDAP

How to create Active Directory Snapshots?

In one of my previous posts I explained what the system state is and how it can be used to back up Active Directory data. With Windows Server 2008, Microsoft introduced a new feature called Active Directory snapshots, which can also be used to back up Active Directory data. Basically, this tool uses the Volume Shadow Copy Service (VSS) running on the server to create a shadow copy of the volumes that hold the Active Directory data (the database and its log files). Keep in mind that a snapshot is a complete copy of the directory database, password hashes included, so the snapshot and any mounted copy of it need the same protection as the live ntds.dit file.

In order to create, view or restore AD snapshots, you need to be a member of the Domain Admins group or the Enterprise Admins group.

Let’s see how we can create Active Directory snapshots.

1)    Log in to the domain controller as a domain administrator or enterprise administrator.
2)    Right-click the Start button and select "Command Prompt (Admin)". This opens an elevated command prompt.
3)    In the command prompt, type ntdsutil and press Enter to open the ntdsutil tool.
4)    Type snapshot and press Enter.
5)    Type activate instance ntds and press Enter.
6)    Type create and press Enter. It starts creating the snapshot and, when it finishes, reports the GUID of the new snapshot set ("Snapshot set {GUID} generated successfully").
7)    Type quit and press Enter to exit the utility. You have to do it twice, once for the snapshot context and once for ntdsutil itself.

Before we can use a snapshot created by this process, we need to mount it with ntdsutil and then expose it with the Active Directory database mounting tool (dsamain). Let’s see how we can do it.

1)    Log in to the domain controller as a domain administrator or enterprise administrator.
2)    Right-click the Start button and select "Command Prompt (Admin)". This opens an elevated command prompt.
3)    In the command prompt, type ntdsutil and press Enter to open the ntdsutil tool.
4)    Type activate instance ntds and press Enter.
5)    Type snapshot and press Enter.
6)    Type list all and press Enter.
7)    It lists all the snapshots that have been created, each with an index number and a GUID.
8)    Run the command mount 2 (2 is the index number shown in the snapshot list; in my case the one I needed was listed as number 2).
9)    As the output says, it was successfully mounted on the C: drive in the folder $SNAP_201502260503_VOLUMEE$. That folder is a read-only copy of the whole volume, ntds.dit included.
10)    Enter the quit command twice to exit the utility.

Now, to connect to the mounted snapshot, we need to execute the following:

dsamain -dbpath C:\$SNAP_201502260503_VOLUMEE$\ADDB\ntds.dit -ldapport 10000

Here the dbpath changes according to the mount folder reported in the previous step and the location of ntds.dit on that volume (in this demo it is under \ADDB). The ldapport can be any free TCP port on the server; the snapshot instance listens on it. The instance is read-only, and by default only members of Domain Admins and Enterprise Admins can bind to it.

Now we can access the snapshot using port 10000.

dsamain runs in the foreground, so keep this command window open until we have finished with the next steps.

Let’s see how we can view the content of the snapshot using the Active Directory Users and Computers console.

1)    Go to Server Manager > Tools > Active Directory Users and Computers.
2)    In the MMC, right-click the "Active Directory Users and Computers" node and select the "Change Domain Controller" option.
3)    Type the domain controller name and the port in the form name:port, then click OK. In my demo the port is 10000 (the one we used with dsamain for the snapshot).
4)    It connects to the snapshot instance, and the console now shows the directory as it was when the snapshot was taken.

Disconnect and unmount the snapshot

In order to stop the running dsamain instance, go back to the command line window we left open and press CTRL+C.

1)    Type ntdsutil to go into the ntdsutil tool.
2)    Type activate instance ntds and press Enter.
3)    Type snapshot and press Enter.
4)    Type list all and press Enter.
5)    It lists all the snapshots that have been created.
6)    Type unmount 2 (2 is the number of the snapshot I mounted before). It unmounts the snapshot; the snapshot set itself is kept on disk until you remove it with delete followed by its number or GUID.
7)    Enter the quit command twice to exit the utility.
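The whole procedure above (create, mount, dsamain, query, unmount) as an added PowerShell example; this is not code from the original post. It runs the same ntdsutil sub-commands non-interactively by passing them as quoted arguments, which is equivalent to typing them one by one at the ntdsutil prompt. The domain controller name DC01, TCP port 10000 being free, a snapshot set that covers a single volume, and the RSAT ActiveDirectory module being installed are assumptions, not from the post.

```powershell
# Added example, not code from the original post. Run in an elevated
# PowerShell session on the domain controller as a member of Domain Admins.
# Assumptions (not from the post): the DC is DC01, TCP port 10000 is free,
# the snapshot set covers one volume, and the ActiveDirectory module exists.
Import-Module ActiveDirectory
$Dc       = 'DC01'
$LdapPort = 10000

# 1. Create the snapshot. ntdsutil prints "Snapshot set {GUID} generated
#    successfully."; that GUID identifies the set in every later command.
$createOut = ntdsutil 'activate instance ntds' snapshot create quit quit
$guid = ($createOut | Select-String -Pattern '\{[0-9a-fA-F-]+\}' | Select-Object -First 1).Matches[0].Value
if (-not $guid) { throw "No snapshot set GUID in ntdsutil output:`n$createOut" }
Write-Host "Created snapshot set $guid"

# 2. Mount it. 'mount' accepts the GUID (or the index shown by 'list all');
#    the output reports the C:\$SNAP_<timestamp>_VOLUME<x>$ folder.
$mountOut  = ntdsutil 'activate instance ntds' snapshot 'list all' "mount $guid" quit quit
$mountPath = ($mountOut | Select-String -Pattern '[A-Za-z]:\\\$SNAP_\d+_VOLUME[A-Za-z]\$' | Select-Object -First 1).Matches[0].Value
if (-not $mountPath) { throw "No mount path in ntdsutil output:`n$mountOut" }

# 3. Locate ntds.dit inside the mounted volume: it sits at the same relative
#    path as the live database, whose location the NTDS service stores in
#    the registry (E:\ADDB\ntds.dit in the post, C:\Windows\NTDS by default).
$liveDb = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
$snapDb = Join-Path $mountPath $liveDb.Substring(3)

# 4. Serve the copy as a read-only LDAP instance. dsamain blocks in the
#    foreground (the post stops it with CTRL+C), so start it as a separate
#    process. Only Domain/Enterprise Admins can bind to it unless
#    -allowNonAdminAccess is given, which is deliberately not done here.
$dsamain = Start-Process -FilePath 'dsamain.exe' -ArgumentList "-dbpath `"$snapDb`" -ldapport $LdapPort" -PassThru
Start-Sleep -Seconds 15

# 5. Query the snapshot instead of the live directory. -Server host:port is
#    what the "Change Domain Controller" dialog does with DC01:10000.
Get-ADUser -Filter * -Server "${Dc}:${LdapPort}" -Properties whenChanged |
    Select-Object Name, SamAccountName, Enabled, whenChanged |
    Format-Table -AutoSize

# 6. Tear down: stop dsamain, then unmount. The snapshot set stays on disk
#    (still holding every password hash) until removed with "delete <GUID>",
#    so do not leave old sets lying around.
Stop-Process -Id $dsamain.Id
ntdsutil 'activate instance ntds' snapshot 'list all' "unmount $guid" quit quit | Out-Null
```

When typing the dsamain path by hand in PowerShell, put it in single quotes: in a double-quoted string `$SNAP_...` would be expanded as a variable. The same ntdsutil snapshot commands are also what an attacker with Domain Admin rights uses to obtain a copy of ntds.dit, so ntdsutil executions and new $SNAP_ folders on a domain controller are worth alerting on when they do not line up with a scheduled backup.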

In this article I explained what an Active Directory snapshot is and how we can use it for recovery. If you have any questions, feel free to contact me at rebeladm@live.com

Automate User Creation on AD, Part 4

This is part 4 of the article series explaining the automation tools we can use to import/export data into/from Active Directory. If you have not yet read the other three parts, you can access them here:

Part 1 – http://www.rebeladmin.com/2014/07/automate-user-creation-on-ad-part-1/

Part 2 – http://www.rebeladmin.com/2014/07/automate-user-creation-on-ad-part-2/

Part 3 – http://www.rebeladmin.com/2014/07/automate-user-creation-on-ad-part-3/

In this part 4 I will explain the practical use of the LDIFDE tool. As explained in the previous post, LDIFDE supports more batch operations than the CSVDE tool. Some of the tasks it can be used for are:

  1. Import/Export Active Directory objects
  2. Edit/Delete already existing AD objects
  3. Export objects from entire AD forest
  4. Import/Export objects data between different active directory domains

I will not be able to demonstrate all of these here, but I will explain how to import and export objects.

Export objects data using LDIFDE

In the demo I am going to export the details of all users in the contoso.com domain into an ldf file. The command I will be using is

ldifde -f C:\Sales\Exportuser.ldf -s DCPR1 -d "dc=Contoso,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"

-f C:\Sales\Exportuser.ldf defines the file that will contain the data. -s DCPR1 is the domain controller to query, -d "dc=Contoso,dc=com" is the search base, and -p subtree searches everything below it. -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" is the LDAP filter; it exports only the user accounts in the contoso.com domain that have a given name set. -l "cn,givenName,objectclass,samAccountName" defines the attributes that will be exported into the file.

To run this, log in as an administrator on the DC and run it from the command line.

According to the output it successfully exported 6 entries to the LDF file. Let’s open the .ldf file and see the entries. This file can be opened with any text editor; I am using Notepad for the task.

The file contains exactly the information we asked for with the export parameters.

Import objects using LDIFDE

Let’s see how we can import/create objects using a batch file. For the demo I have created a file called NewUsers.ldf containing the following:

dn: CN=LDIFDE User 1,OU=Sales Department,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: LDIFDE User 1
sn: User 1
title: Sales Rep
givenName: LDIFDE User 1
displayName: LDIFDE User 1
company: Contoso, Ltd.
instanceType: 4
sAMAccountName: user1
userPrincipalName: ldifde.user1@contoso.com
mail: ldifde.user1@contoso.com

According to these values it will create a user account called LDIFDE User 1 in the Sales Department OU. Its logon name (sAMAccountName) will be user1, its user principal name and e-mail address will be ldifde.user1@contoso.com, its title will be Sales Rep and its company will be listed as Contoso, Ltd.

Let’s run this file using the command

ldifde -i -f C:\Sales\NewUsers.ldf -k

Here -i selects import mode and -f defines the file path. -k tells ldifde to ignore errors about already existing objects (and similar non-fatal errors) and keep processing the rest of the file.

It ran the batch file successfully. Let’s check in AD whether it created the user.

It created the user successfully, and the account is initially disabled. That is because LDIFDE cannot import a password over a plain LDAP connection (the unicodePwd attribute can only be written over an encrypted connection such as LDAPS), so we have to reset the password and enable the account manually, as we did with CSVDE.

Let’s look at the account properties (the General, Account and Organization tabs) to verify that all the info was imported.

So it created the user according to the data passed in via the ldf file.
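As an added PowerShell example (not code from the original post), here is how the import above scales to a batch: the script generates an LDF file with the same add record layout as NewUsers.ldf for several users, appends a modify and a delete record (the batch operations the post lists but does not demonstrate), and imports the file with ldifde. The domain controller name DC01, the user names and the title values are assumptions; the domain and the "Sales Department" OU are the post's own.

```powershell
# Added example, not code from the original post. Assumptions (not from the
# post): DC01 is the domain controller and the users below are invented.
Import-Module ActiveDirectory
$Dc     = 'DC01'
$BaseOu = 'OU=Sales Department,DC=contoso,DC=com'
$Domain = 'contoso.com'

# Constructed sample input; a real run would Import-Csv an HR export.
$newUsers = @(
    @{ First = 'Alice'; Last = 'Example'; Sam = 'alice.example'; Title = 'Sales Rep'  },
    @{ First = 'Bob';   Last = 'Sample';  Sam = 'bob.sample';    Title = 'Sales Lead' }
)

# Escape the characters that are special inside a DN component (RFC 4514) so
# that a name such as "Smith, John" stays one RDN instead of splitting the DN.
function ConvertTo-RdnValue([string]$v) {
    $v -replace '([\\,+"<>;=#])', '\$1'
}

# One "add" record per user, same layout as NewUsers.ldf above. Values here
# are plain ASCII; anything with non-ASCII characters or leading/trailing
# spaces would need the base64 form ("attribute:: <base64>") instead.
function New-UserAddRecord([hashtable]$p) {
    $cn = "$($p.First) $($p.Last)"
    @"
dn: CN=$(ConvertTo-RdnValue $cn),$BaseOu
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: $cn
sn: $($p.Last)
givenName: $($p.First)
displayName: $cn
title: $($p.Title)
sAMAccountName: $($p.Sam)
userPrincipalName: $($p.Sam)@$Domain
mail: $($p.Sam)@$Domain
"@
}

# "modify" replaces one attribute; every change block ends with a "-" line.
function New-TitleModifyRecord([string]$cn, [string]$title) {
    @"
dn: CN=$(ConvertTo-RdnValue $cn),$BaseOu
changetype: modify
replace: title
title: $title
-
"@
}

# "delete" needs only the DN and the changetype.
function New-DeleteRecord([string]$cn) {
    @"
dn: CN=$(ConvertTo-RdnValue $cn),$BaseOu
changetype: delete
"@
}

# Records are processed in file order, so the modify and delete below act on
# accounts created by the add records just before them.
$records  = @()
$records += $newUsers | ForEach-Object { New-UserAddRecord $_ }
$records += New-TitleModifyRecord 'Alice Example' 'Senior Sales Rep'
$records += New-DeleteRecord 'Bob Sample'

$ldf = Join-Path $env:TEMP 'Batch.ldf'
($records -join "`r`n`r`n") | Set-Content -Path $ldf -Encoding ASCII

# -i import, -f file, -s server, -k keep going past "already exists"-type
# errors, -j folder for ldif.log / ldif.err, which list any rejected record.
ldifde -i -f $ldf -s $Dc -k -j $env:TEMP
if ($LASTEXITCODE -ne 0) { throw "ldifde returned $LASTEXITCODE; see $env:TEMP\ldif.err" }

# Newly added accounts have no password and are therefore disabled; part 2
# shows setting a password and enabling them.
Get-ADUser -Identity 'alice.example' -Server $Dc -Properties title |
    Select-Object Name, SamAccountName, title, Enabled
```

Without -k, ldifde stops at the first failing record, which is often what you want for a first dry run against a test OU; with -k you must read ldif.err afterwards, because a silently skipped add means the later modify on that DN fails too.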

This is the end of the series of articles explaining the automation tools that can be used to import/export AD objects.

Automate User Creation on AD, Part 2

This is part 2 of the post discussing the user account import/export automation tools. If you have not read the first part, you can find it here: http://www.rebeladmin.com/2014/07/automate-user-creation-on-ad-part-1/

In the previous post I explained how to use the CSVDE tool to export Active Directory user details into a .csv file. I also explained how to pass parameters and filter the output according to the requirement.

The CSVDE tool can also be used to import data into Active Directory, which helps to automate the user creation process. Please note that CSVDE can only import and export AD data; it cannot be used to modify or delete data that is already in AD.

The basic syntax for the import process is

csvde -i -f filename -k

Here -i specifies import mode (the default mode of CSVDE is export). -f specifies the file. -k tells csvde to ignore "object already exists" errors during the import and continue with the next line.

Using this we can pass values from a comma-delimited text file (csv or txt) and automate the user account creation. For the demo I will use the following values in a CSV file.

DN,objectClass,givenName,userPrincipalName,sn
"CN=John Smith,OU=Sales Department,DC=contoso,DC=com",user,John Smith,john.smith@contoso.com,

DN,objectClass,givenName,userPrincipalName,sn – the header line names the columns by their LDAP attribute names.

"CN=John Smith,OU=Sales Department,DC=contoso,DC=com",user,John Smith,john.smith@contoso.com, – this line creates a user called John Smith in the Sales Department OU of the contoso domain. The DN is quoted because it contains commas, and the remaining fields hold the values for the attributes listed in the first line (sn is left empty here).

One disadvantage of CSVDE is that you cannot import user passwords. Therefore, when the user is created in AD, the account is initially disabled, and an administrator needs to set a password and enable it manually.

Let’s test the user import.

The command to use for this is

csvde -i -f C:\Sales\NewUsers.csv -k

C:\Sales\NewUsers.csv is the path to the csv file.

This command needs to be run from an elevated command prompt on the AD server.

According to the message, one entry was added successfully. Let’s go to AD and confirm the account creation.

As we can see, the user account was created successfully. Let’s check whether it passed on the info defined in the CSV file.

Looking at the General and Account properties of the new user, it has all the info that was defined in the csv file.

As I explained before, the account is disabled because we cannot import passwords. To enable it we first need to set a password.

To do that, right-click the user account and select the "Reset Password" option.

In the next window we can define the password and click OK.

To enable the account, right-click the user account again and select "Enable Account" from the options.
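The import and the manual steps above (reset password, enable account) as an added PowerShell example that is not code from the original post: the script builds the CSV from a list, imports it with csvde, and then sets a random initial password and enables every imported account in one loop with the ActiveDirectory module. The domain controller name DC01 and the user names are assumptions; the domain and the "Sales Department" OU are the post's own.

```powershell
# Added example, not code from the original post. Assumptions (not from the
# post): DC01 is the domain controller, the RSAT ActiveDirectory module is
# installed, and the users below are invented.
Import-Module ActiveDirectory
$Dc     = 'DC01'
$BaseOu = 'OU=Sales Department,DC=contoso,DC=com'
$Domain = 'contoso.com'

# Constructed sample input; a real run would Import-Csv an HR export.
$people = @(
    [pscustomobject]@{ First = 'John'; Last = 'Smith'; Sam = 'john.smith' },
    [pscustomobject]@{ First = 'Jane'; Last = 'Doe';   Sam = 'jane.doe'   }
)

# Column names are LDAP attribute names, as in the post's CSV. Export-Csv
# quotes every field, so the commas inside the DN are not read as column
# separators. sAMAccountName is set explicitly so the logon name does not
# depend on what the DC generates from the CN.
$csv = Join-Path $env:TEMP 'NewUsers.csv'
$people | ForEach-Object {
    [pscustomobject]@{
        DN                = "CN=$($_.First) $($_.Last),$BaseOu"
        objectClass       = 'user'
        givenName         = $_.First
        sn                = $_.Last
        sAMAccountName    = $_.Sam
        userPrincipalName = "$($_.Sam)@$Domain"
    }
} | Export-Csv -Path $csv -NoTypeInformation -Encoding ASCII

# -i import mode, -f file, -s server, -k continue past "object already exists".
csvde -i -f $csv -s $Dc -k
if ($LASTEXITCODE -ne 0) { throw "csvde import failed with exit code $LASTEXITCODE" }

# csvde cannot carry a password, so each account arrives disabled. The
# alphabet has exactly 64 symbols, so a random byte modulo 64 is unbiased,
# and the bytes come from the platform CSPRNG rather than Get-Random.
function New-InitialPassword([int]$Length = 20) {
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*?#'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# Set the password first, require a change at first logon, and only then
# enable the account, so no account is ever enabled without a password.
foreach ($p in $people) {
    $pw     = New-InitialPassword
    $secure = ConvertTo-SecureString -String $pw -AsPlainText -Force
    Set-ADAccountPassword -Identity $p.Sam -Server $Dc -Reset -NewPassword $secure
    Set-ADUser            -Identity $p.Sam -Server $Dc -ChangePasswordAtLogon $true
    Enable-ADAccount      -Identity $p.Sam -Server $Dc
    # Hand the initial password to the user out of band; do not log it.
    [pscustomobject]@{ User = $p.Sam; InitialPassword = $pw }
}
```

The order in the loop matters: enabling before a password is set leaves a window in which the account can be used with an empty password if the domain policy allows it, and an import script that shares one well-known initial password across all new users is a common finding in pentest reports, which is why each account gets its own random one.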

This is the end of part 2 of the article; in the next post I will explain another automation tool.

Automate User Creation on AD, Part 1

In Active Directory, when it comes to user creation, if the number of user accounts is small we can either add them with the usual new-user wizard or create them from user account templates, which I explained in a previous post. But if it is a large number of accounts, that is not practical. If there is a way to automate this process, it will save a lot of time and resources.

Not only that, on some occasions we will need to grab information stored in AD. With a small number of users we can query this information manually by viewing properties, doing an AD search, and so on. But in a large, complex setup it is not easy to get the info you need. For example, say we need the list of users whose names start with "James". With 10 to 50 users you can still go and search for the users and list their properties, but in a setup with 500+ users and many OUs it is not practical to do it manually.

So it is definitely an advantage if there are automation tools we can use to import, export and create user accounts and other resource details. The good news is that AD has this feature built in, and we can use these tools to automate these processes. In the next few posts I will explain what these tools are and how we can use them.

CSVDE (Comma Separated Value Directory Exchange)

CSVDE is a command-line utility which allows us to import/export Active Directory objects to/from CSV (Comma-Separated Value) files. These files can simply be opened and edited with Microsoft Office Excel or any text editor. We cannot use this tool to modify or delete entries in Active Directory.

To use this tool, open a "Command Prompt" on the Active Directory server with administrator privileges.

We can open the "help" for this utility by typing csvde /?

Export user attributes using CSVDE

The basic syntax for the export is

csvde -f filename

This exports all the objects in the Active Directory domain. Most of the time we do not need to export everything, and filtered output is more useful.

There are a few parameters we can use to narrow down what is exported:

-d – Specifies the distinguished name of the container to search. The default is the domain.

-p – Specifies the scope of the search (Base, OneLevel or SubTree).

-r – An LDAP search filter applied to the objects found with -d and -p.

-l – Specifies the attributes that will be exported.

Let’s test this with a practical example.

In the AD test environment, under the domain contoso.com, I have 3 sales department users called Sales A, Sales B and Sales C.

With csvde I am going to export the list of users whose names start with the text "Sales".

The syntax I will use is

csvde -f C:\Sales\UsersNamedSales.csv -r "(name=Sales*)" -l DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName

Here C:\Sales\UsersNamedSales.csv is the path where the CSV file will be saved.

-r "(name=Sales*)" filters for objects whose name attribute starts with "Sales".

-l DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName lists the attributes that will be exported to the file.

Once the command is executed it gives the following output:

According to it, 8 entries were exported successfully to the file. Let’s open the file from C:\Sales\UsersNamedSales.csv and check. I will use Notepad to open the csv file.

As shown above, it lists the users I needed, but it also lists other objects, because (name=Sales*) matches every object whose name starts with "Sales" (for example the Sales Department OU or a Sales group), not just user accounts. To export only users, combine the name filter with (objectCategory=person)(objectClass=user).
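The export above as an added PowerShell example, not code from the original post: the search filter is narrowed to user accounts, and the name prefix is escaped before it is placed in the filter, so a prefix that contains filter metacharacters cannot widen or alter the search. The domain controller name DC01 and the use of the ActiveDirectory module for the cross-check at the end are assumptions; the domain, the output path and the prefix "Sales" are the post's own.

```powershell
# Added example, not code from the original post. Assumptions (not from the
# post): DC01 is the domain controller and the ActiveDirectory module exists.
Import-Module ActiveDirectory
$Dc     = 'DC01'
$Base   = 'DC=contoso,DC=com'
$Prefix = 'Sales'                        # in a real script this is often user input
$Out    = 'C:\Sales\UsersNamedSales.csv'

# RFC 4515 escaping for a value placed inside an LDAP search filter. Without
# it a prefix containing ")" or "*" could change the structure of the filter
# or turn the prefix match into a match-everything (LDAP filter injection);
# with it those characters are matched literally. Backslash is replaced
# first so the escapes added afterwards are not escaped again.
function ConvertTo-LdapFilterValue([string]$v) {
    $v = $v -replace '\\', '\5c'
    $v = $v -replace '\*', '\2a'
    $v = $v -replace '\(', '\28'
    $v = $v -replace '\)', '\29'
    $v -replace "`0", '\00'
}

# (name=Sales*) on its own also matches OUs, groups and contacts whose name
# starts with Sales, which is how 3 users become 8 entries. Anchoring on
# objectCategory=person and objectClass=user keeps only user accounts; the
# trailing * is the one wildcard we do want.
$filter = "(&(objectCategory=person)(objectClass=user)(name=$(ConvertTo-LdapFilterValue $Prefix)*))"
$attrs  = 'DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName'

# -s server, -d search base, -p scope, -r filter, -l attributes to export.
csvde -f $Out -s $Dc -d $Base -p subtree -r $filter -l $attrs
if ($LASTEXITCODE -ne 0) { throw "csvde export failed with exit code $LASTEXITCODE" }

# Read the result back; every row should now be a user account.
$rows = @(Import-Csv -Path $Out)
$rows | Select-Object DN, sAMAccountName, userPrincipalName | Format-Table -AutoSize

# Cross-check against the same filter run through the AD module.
$live = @(Get-ADUser -LDAPFilter $filter -SearchBase $Base -Server $Dc)
if ($rows.Count -ne $live.Count) {
    Write-Warning "csvde exported $($rows.Count) rows but Get-ADUser found $($live.Count)"
}
```

The escaping function is the piece to keep even when you drop the rest: any script that builds an -r filter, an -LDAPFilter or a DirectorySearcher filter from a name typed by a helpdesk operator or taken from a ticket needs it, for the same reason a SQL query needs parameters.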

In the next posts let’s look further into the use of the CSVDE tool.