Mergers and Acquisitions (M&A) are big businesses. Depending on the source, M&A undertakings now total over USD 5 trillion. Based on the real motive and type, an IT integration plan may be implemented post-signing. <\/p>\n\n\n\nSince Microsoft Active Directory Domain Services (AD DS) underpins the IT infrastructure of many enterprise systems, one common unification often executed post-merger is the consolidation of disparate AD DS. A critical procedure to perform in preparation for an AD DS consolidation is a directory remediation exercise, whereby discovery activities are conducted across both source and destination directories to:\n
\n\n\n\n
AD DS supports Lightweight Directory Access Protocol (LDAP), an application protocol for working with various directory services. Since searching is a fundamental service provided by LDAP, we can take advantage of some built-in, LDAP-query capable, command-line tools Microsoft provides to help us inventory, analyze and compare AD DS objects and their attribute values in preparation for consolidation. These command-line tools are: <\/p>\n\n\n\n
Both\u00a0are available in Windows Server in the\u00a0%windir%system32 folder\u00a0when the\u00a0Remote Server Administration Tools are installed.\u00a0The syntax of these two tools is\u00a0similar, the\u00a0main\u00a0difference being one works with CSV\u00a0(comma-separated value)\u00a0files and one with LDIF\u00a0(LDAP Data Interchange Format)\u00a0files.\u00a0Each\u00a0also has both import and export capabilities.\u00a0<\/p>\n\n\n\n
For this article, I will demonstrate only export commands, since this is all we need for object analysis and comparison. Also, all commands will be demonstrated with CSVDE since CSV format files can be read or imported more easily with comparison-capable software, like Microsoft Excel.<\/p>\n\n\n\n
Although the tools have several useful parameters, I find myself using very few when executing exports, these are:<\/p>\n\n\n\n Note:<\/strong> <\/strong> All commands should be run from an elevated command prompt on a Windows machine joined to the AD DS being queried. There are ways to execute local commands against external AD DS, however this is beyond the scope of this article<\/p>\n\n\n\n csvde -f AllUsers.csv -s DC01.lab.local -d “dc=lab,dc=local” -r “(&(objectClass=user)(objectCategory=person))” -p Subtree -n<\/p>\n\n\n\n csvde -f AllGroups.csv -s DC01.lab.local -d “dc=lab,dc=local” -r “(&(objectClass=group)(objectCategory=group))” -p Subtree -n<\/p>\n\n\n\n csvde -f AllComputers.csv -s DC01.lab.local -d “dc=lab,dc=local” -r “(&(objectClass=computer)(objectCategory=computer))” -p Subtree -n<\/p>\n\n\n\n Once you have run the above commands across each AD DS, you can analyze the data to gain valuable insights into a single AD DS or use your favorite comparison tool to compare the output files between multiple AD DS. Useful reports to be generated include:<\/p>\n\n\n\n AD DS integrations are complex projects which require careful planning. Directory remediation is just one component of the due diligence needed to be conducted for a successful consolidation program.<\/p>\n\n\n\nParameter<\/td> Description<\/td><\/tr><\/thead> -f <FileName><\/td> Identifies the import or export file name<\/td><\/tr> -s <ServerName><\/td> Specifies the domain controller to perform the import or export operation<\/td><\/tr> -d <BaseDN><\/td> Sets the distinguished name of the search base for data export<\/td><\/tr> -r <LDAPFilter><\/td> Creates an LDAP search filter for data export<\/td><\/tr> -p <Scope><\/td> Sets the search scope. Search scope options are Base, OneLevel, or SubTree<\/td><\/tr> -l <LDAPAttributeList><\/td> Sets the list of attributes to return in the results of an export query. LDAP can return attributes in any order, and csvde does not attempt to impose any order on the columns. If you omit this parameter, AD DS returns all attributes<\/td><\/tr> -n<\/td> Omits the export of binary values<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n EXECUTION<\/span><\/h3>\n\n\n\n