United States | Directory Remediation for Active Directory Consolidations

Joseph Cirillo - 13.12.2021

Directory Remediation for Active Directory Consolidations


Mergers and Acquisitions (M&A) are big business. Depending on the source, M&A undertakings now total over USD 5 trillion. Based on the underlying motive and type of deal, an IT integration plan may be implemented post-signing.

Since Microsoft Active Directory Domain Services (AD DS) underpins the IT infrastructure of many enterprise systems, one common unification often executed post-merger is the consolidation of disparate AD DS. A critical procedure to perform in preparation for an AD DS consolidation is a directory remediation exercise, whereby discovery activities are conducted across both source and destination directories to:

  • Ensure you have a complete picture of every directory 
  • Find conflicts or collisions which exist between directories 
  • Complete a gap analysis between directories 
  • Find anomalies within a given directory 
  • Identify items to remediate

AD DS supports Lightweight Directory Access Protocol (LDAP), an application protocol for working with various directory services. Since searching is a fundamental service provided by LDAP, we can take advantage of some built-in, LDAP-query capable, command-line tools Microsoft provides to help us inventory, analyze and compare AD DS objects and their attribute values in preparation for consolidation. These command-line tools are: 

  • CSVDE.exe
  • LDIFDE.exe 

Both are available in Windows Server in the %windir%\system32 folder when the Remote Server Administration Tools are installed. The syntax of the two tools is similar; the main difference is that one works with CSV (comma-separated value) files and the other with LDIF (LDAP Data Interchange Format) files. Each has both import and export capabilities.

For this article, I will demonstrate only export commands, since this is all we need for object analysis and comparison. Also, all commands will be demonstrated with CSVDE since CSV format files can be read or imported more easily with comparison-capable software, like Microsoft Excel.

OFTEN USED PARAMETERS

Although the tools have several useful parameters, I find myself using very few when executing exports. These are:

| Parameter | Description |
| --- | --- |
| -f <FileName> | Identifies the import or export file name |
| -s <ServerName> | Specifies the domain controller to perform the import or export operation |
| -d <BaseDN> | Sets the distinguished name of the search base for data export |
| -r <LDAPFilter> | Creates an LDAP search filter for data export |
| -p <Scope> | Sets the search scope. Search scope options are Base, OneLevel, or SubTree |
| -l <LDAPAttributeList> | Sets the list of attributes to return in the results of an export query. LDAP can return attributes in any order, and csvde does not attempt to impose any order on the columns. If you omit this parameter, AD DS returns all attributes |
| -n | Omits the export of binary values |

EXECUTION

Note: All commands should be run from an elevated command prompt on a Windows machine joined to the AD DS being queried. There are ways to execute local commands against external AD DS; however, this is beyond the scope of this article.

  • The following command will export all user objects and any associated attributes which have values. I always like to omit the binary values using the ‘-n’ parameter since they do not provide any real value and simply bloat the output file.

csvde -f AllUsers.csv -s DC01.lab.local -d "dc=lab,dc=local" -r "(&(objectClass=user)(objectCategory=person))" -p Subtree -n

  • The following command will export all group objects and any associated attributes which have values.

csvde -f AllGroups.csv -s DC01.lab.local -d "dc=lab,dc=local" -r "(&(objectClass=group)(objectCategory=group))" -p Subtree -n

  • The following command will export all computer objects and any associated attributes which have values.

csvde -f AllComputers.csv -s DC01.lab.local -d "dc=lab,dc=local" -r "(&(objectClass=computer)(objectCategory=computer))" -p Subtree -n

Once you have run the above commands across each AD DS, you can analyze the data to gain valuable insights into a single AD DS or use your favorite comparison tool to compare the output files between multiple AD DS. Useful reports to be generated include:

  • How many user, group, or computer objects are in each domain
  • How many user, group, or computer objects share a common account name between each AD DS
  • What attributes have invalid or unused values or unsupported characters
  • Number of disabled user accounts
  • Number of groups with no members
  • Computer inventory by operating system version

AD DS integrations are complex projects which require careful planning. Directory remediation is just one component of the due diligence needed to be conducted for a successful consolidation program.

For more on the complexities of mergers, acquisitions and divestitures, read How to Prepare for Microsoft 365 Tenant to Tenant Migration and Consolidation Projects.
