What if I told you that Windows 2000 includes a utility that can easily import and export Active Directory (AD) records for reporting and migration purposes? What if this tool could also automatically add, modify, or delete AD objects? The Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) Directory Exchange tool, better known as Ldifde, lets you export data from AD, object by object (e.g., user, group), attribute by attribute (e.g., name, company, department) to a file in LDIF format. LDIF is an Internet standard file format based on Internet Engineering Task Force (IETF) Request for Comments (RFC) 2849 for importing and exporting data from LDAP directories such as AD. After you export the data, you can use the LDIF file to import the same objects into a different LDAP directory. Or, you can use Ldifde's output as raw data for a report or as a starting point for creating an LDIF file of changes to reimport into AD.
Let's look at some sample LDIF files so that you can learn how to use Ldifde and its sister utility, Csvde, to get the most out of your AD data. Csvde is the comma-separated value (CSV) version of Ldifde that lets you import data into database applications such as Microsoft Access or spreadsheet applications such as Microsoft Excel that support CSV-formatted files. Ldifde and Csvde come with Win2K Server, but you can copy these utilities from the Win2K Server installation CD-ROM and execute them on Windows XP and Win2K workstations.
Exporting Data from AD
Before you begin using Ldifde, you need to understand the LDIF file structure. Figure 1 displays an organizational unit (OU) called Monterey that contains four users and a group. To export this AD information, I need to execute the command
ldifde -f monterey.ldif -d "ou=Monterey,DC=ad,dc=local"
to create the Monterey.ldif file, as Web Figure 1 shows. (You can either invoke Ldifde from within a script or run the executable from the command prompt.) The -f parameter lets you specify the name of the LDIF file (e.g., monterey.ldif). The -d parameter lets you specify the root distinguished name (DN) of the domain or OU to export from (e.g., the Monterey OU of the ad.local domain), then outputs all attributes for all objects from that point down, including the OU. Be aware that some attributes might be missing (e.g., phone numbers for some users) if these attributes are optional and don't exist until they're explicitly set on each object.
As Web Figure 1 shows, each record in an LDIF file begins with a DN line denoted by dn:. In an LDAP directory, an object's DN uniquely identifies the object for the entire directory. The second line in Web Figure 1 begins with changetype:, which specifies the type of change that Ldifde should execute on the object that the DN identified. All the records in Monterey.ldif have a changetype of add. Whenever you export records, Ldifde formats the file in such a way that you can use the file to import those records into another LDAP directory. After specifying the changetype, Ldifde lists each object attribute in the following format:
:
You can determine the class of each object by noting the objectClass attribute. Monterey.ldif lists the OU followed by three users, a group, and the final user.
If you need to export AD data (e.g., a list of usernames) for reporting purposes, you must limit Ldifde's output by selection criteria (e.g., class) and specify what object attributes you want to export: You can use the -r and -l parameters to accomplish both objectives. The -r parameter lets you specify a search filter in LDAP syntax in which you specify one or more attributes and their desired values. For example, type
ldifde -r "(objectClass=User)"
to export just the user records. Alternatively, type
ldifde -r "(&(objectClass=user)(sn=Smith))"
to export all users whose surname is Smith.