
Migrating a domain controller from SAMBA to ActiveDirectory

It's time to describe the method that, through trial and error, with the help of a few smart people and a few hours of free time, let me migrate a domain that the previous admin had built on SAMBA to ActiveDirectory.


Many people know about and use SAMBA as a domain controller, but in my opinion it is only suitable as a lab setup, and in real life it is better not to use it. Everyone decides for himself; I was not happy with the absence of group policies, the constant authorization failures, frequent freezes and incredible memory leaks (after 30 days of continuous operation it sometimes devours all 16 GiB of RAM and the entire swap partition). So my patience ran out. I gathered my thoughts and tried several times to emulate the transition in a virtual environment, but there was never enough time, until disaster struck and took down the whole setup together with the bind9 that depended on it, which completely paralyzed the work of a 70-person office. That was when the time came for an urgent migration. 2 days of reading various manuals and 2 days of attempts to get ActiveDirectory off the ground led nowhere, until I came across this article, which is also on TechNet.
We also tried changing domain roles, i.e. joining a Windows Server to the Linux domain as a backup controller and then promoting it to PDC, but, as 1 test in a virtual environment showed, this was a bad idea, because all the GPO glitches were carried over (the GPOs simply did not exist), and perhaps some other oddities as well.

I still didn't manage to reduce everything to a single button click, so you will need ActivePerl (x86), Microsoft Office Excel (I did this for 2003 and 2007), Batch, VBS, as well as the newsid utility (which has since been removed from the site) and the optional acctinfo module.
All actions take place in a Windows environment, first on a workstation and then on Windows Server. (For certain reasons my Windows Server was 2003 R2 SP2, so none of this was tested on more modern systems.) One more caveat: while the migration is in progress it is better to use the English version of Windows Server, without MUI; afterwards nothing prevents you from installing it.
So, enough preamble, let's proceed to the process itself.

Before going further you can start installing the system, but without configuring or creating anything in it (I didn't even install drivers until the users were created).

To begin, we need to pull out a list of all users and the groups they belong to (I had a problem: not all users were exported with the groups they belong to, so this needs checking). For this we use a VBS script that I found here, but which I had to modify to get more readable output and the parameters I needed. It is also worth mentioning that this should be done on a PC that is joined to the domain and under a domain account; I did it under the global domain administrator account.

export AD User Accounts.vbs
On Error Resume Next

strFileName = "Users-Groups-SIDs.xlsx"

Set objShell = CreateObject("Wscript.Shell")

strPath = Wscript.ScriptFullName
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.GetFile(strPath)
strFolder = objFSO.GetParentFolderName(objFile)

SET objExcelApp = CREATEOBJECT("Excel.Application")
SET objWB = objExcelApp.Workbooks.Add
SET objExcel = objWB.Worksheets(1)
objWB.SaveAs(strFolder & "\" & strFileName)

Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

'Set the path of the file to the same folder of the script
'Open the file and make the workbook visible
Set objExcel = CreateObject("Excel.Application")
Set objWorkbook = objExcel.Workbooks.Open(strFolder & "\" & strFileName)
objExcel.Visible = True

'objExcel.Cells(1, 1).Value = "Name"
'objExcel.Cells(1, 1).Font.Bold = TRUE
'objExcel.Columns(1).ColumnWidth = 40
'objExcel.Cells(1, 2).Value = "Security ID"
'objExcel.Cells(1, 2).Font.Bold = TRUE
'objExcel.Columns(2).ColumnWidth = 60

'Starting row of the Excel is 2, since first row are column headings
y = 2

objCommand.CommandText = _
    "SELECT * FROM 'LDAP://DC=mvi,DC=srv' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strADsPathUser = objRecordSet.Fields("ADsPath").Value
    'wScript.echo strADsPathUser
    Set objUser = GetObject(strADsPathUser)
    z = 1
    objExcel.Cells(y,z) = objUser.sn
    objExcel.Cells(1, z).Value = "sn"
    'Wscript.Echo objUser.sn
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.givenName
    objExcel.Cells(1, z).Value = "givenName"
    'Wscript.Echo objUser.givenName
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.initials
    objExcel.Cells(1, z).Value = "initials"
    'Wscript.Echo objUser.initials
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.description
    objExcel.Cells(1, z).Value = "description"
    objExcel.Cells(1, z).Font.Bold = TRUE
    'Wscript.Echo objUser.description
    z = z + 1
    objExcel.Cells(y,z) = objUser.codePage
    objExcel.Cells(1, z).Value = "codePage"
    objExcel.Cells(1, z).Font.Bold = TRUE
    'Wscript.Echo objUser.codePage
    z = z + 1
    objExcel.Cells(y,z) = objUser.sAMAccountName
    objExcel.Cells(1, z).Value = "sAMAccountName"
    'Wscript.Echo objUser.sAMAccountName
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.codePage
    objExcel.Cells(1, z).Value = "codePage"
    objExcel.Cells(1, z).Font.Bold = TRUE
    'Wscript.Echo objUser.codePage
    z = z + 1
    objExcel.Cells(y,z) = objUser.mail
    objExcel.Cells(1, z).Value = "mail"
    'Wscript.Echo objUser.mail
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    intUserSID = fnGet_HexString(objUser.ObjectSID)
    objExcel.Cells(y,z) = intUserSID
    objExcel.Cells(1, z).Value = "ObjectSID"
    'Wscript.Echo objUser.ObjectSID
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.userPrincipalName
    objExcel.Cells(1, z).Value = "userPrincipalName"
    'Wscript.Echo objUser.userPrincipalName
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.displayName
    objExcel.Cells(1, z).Value = "displayName"
    'Wscript.Echo objUser.displayName
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.distinguishedName
    objExcel.Cells(1, z).Value = "distinguishedName"
    'Wscript.Echo objUser.distinguishedName
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    intUserSID = stringlist(objUser.memberOf)
    objExcel.Cells(y,z) = intUserSID
    objExcel.Cells(1, z).Value = "memberOf"
    'Wscript.Echo objUser.memberOf
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.physicalDeliveryOfficeName
    objExcel.Cells(1, z).Value = "physicalDeliveryOfficeName"
    'Wscript.Echo objUser.physicalDeliveryOfficeName
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.telephoneNumber
    objExcel.Cells(1, z).Value = "telephoneNumber"
    'Wscript.Echo objUser.telephoneNumber
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.profilePath
    objExcel.Cells(1, z).Value = "profilePath"
    'Wscript.Echo objUser.profilePath
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.scriptPath
    objExcel.Cells(1, z).Value = "scriptPath"
    'Wscript.Echo objUser.scriptPath
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.homeDirectory
    objExcel.Cells(1, z).Value = "homeDirectory"
    'Wscript.Echo objUser.homeDirectory
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.homeDrive
    objExcel.Cells(1, z).Value = "homeDrive"
    'Wscript.Echo objUser.homeDrive
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.title
    objExcel.Cells(1, z).Value = "title"
    'Wscript.Echo objUser.title
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.department
    objExcel.Cells(1, z).Value = "department"
    'Wscript.Echo objUser.department
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.company
    objExcel.Cells(1, z).Value = "company"
    'Wscript.Echo objUser.company
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.manager
    objExcel.Cells(1, z).Value = "manager"
    'Wscript.Echo objUser.manager
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.homePhone
    objExcel.Cells(1, z).Value = "homePhone"
    'Wscript.Echo objUser.homePhone
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.pager
    objExcel.Cells(1, z).Value = "pager"
    'Wscript.Echo objUser.pager
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.mobile
    objExcel.Cells(1, z).Value = "mobile"
    'Wscript.Echo objUser.mobile
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.facsimileTelephoneNumber
    objExcel.Cells(1, z).Value = "facsimileTelephoneNumber"
    'Wscript.Echo objUser.facsimileTelephoneNumber
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.ipphone
    objExcel.Cells(1, z).Value = "ipphone"
    'Wscript.Echo objUser.ipphone
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.info
    objExcel.Cells(1, z).Value = "info"
    'Wscript.Echo objUser.info
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.streetAddress
    objExcel.Cells(1, z).Value = "streetAddress"
    'Wscript.Echo objUser.streetAddress
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.postOfficeBox
    objExcel.Cells(1, z).Value = "postOfficeBox"
    'Wscript.Echo objUser.postOfficeBox
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.l
    objExcel.Cells(1, z).Value = "l"
    'Wscript.Echo objUser.l
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.st
    objExcel.Cells(1, z).Value = "st"
    'Wscript.Echo objUser.st
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.c
    objExcel.Cells(1, z).Value = "c"
    'Wscript.Echo objUser.c
    objExcel.Cells(1, z).Font.Bold = TRUE
    z = z + 1
    objExcel.Cells(y,z) = objUser.wWWHomePage
    objExcel.Cells(1, z).Value = "wWWHomePage"
    'Wscript.Echo objUser.wWWHomePage
    objExcel.Cells(1, z).Font.Bold = TRUE
    '''''''''''''''''''''''''''
    y = y + 1
    objRecordSet.MoveNext
Loop

objCommand.CommandText = _
    "SELECT * FROM 'LDAP://DC=mvi,DC=srv' WHERE objectCategory='group'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strADsPathGroup = objRecordSet.Fields("ADsPath").Value
    'wScript.echo strADsPathGroup
    Set objGroup = GetObject(strADsPathGroup)
    'if objGroup.groupType = "-2147483646" then
    objExcel.Cells(y,1) = objGroup.sAMAccountName
    'Wscript.Echo objUser.sAMAccountName
    intGroupSID = fnGet_HexString(objGroup.ObjectSID)
    objExcel.Cells(y,2) = intGroupSID
    'Wscript.Echo intUserSID
    'End if
    y = y + 1
    objRecordSet.MoveNext
Loop

objRecordSet.Close
objConnection.Close
SET objSheet = NOTHING
SET objWB = NOTHING
objExcelApp.Quit()
SET objExcelApp = NOTHING
Wscript.echo "Script Finished..."

'''
Function stringlist(memberOf)
    Dim objmemberOf
    ' Heart of the script, extract a list of Groups from memberOf
    objmemberOf = objUser.GetEx("memberOf")
    For Each objGroup in objmemberOf
        strList = strList & """" & objGroup & """" & " "
    Next
    stringlist = strUser & strList
    'WScript.Echo "Groups for " & strUser & strList
End Function

'''
Function fnGet_HexString(intSID)
    Dim strRet, i, b
    strRet = ""
    For i = 0 to Ubound(intSID)
        b = hex(ascb(midb(intSID,i+1,1)))
        If( len(b) = 1 ) then b = "0" & b
        strRet = strRet & b
    Next
    fnGet_HexString = fnHexStrToDecStr(strRet)
End Function

Function fnHexStrToDecStr(strSid)
    Dim arrbytSid, lngTemp, j
    ReDim arrbytSid(Len(strSid)/2 - 1)
    For j = 0 To UBound(arrbytSid)
        arrbytSid(j) = CInt("&H" & Mid(strSid, 2*j + 1, 2))
    Next
    fnHexStrToDecStr = "S-" & arrbytSid(0) & "-" & arrbytSid(1) & "-" & arrbytSid(8)
    lngTemp = arrbytSid(15)
    lngTemp = lngTemp * 256 + arrbytSid(14)
    lngTemp = lngTemp * 256 + arrbytSid(13)
    lngTemp = lngTemp * 256 + arrbytSid(12)
    fnHexStrToDecStr = fnHexStrToDecStr & "-" & CStr(lngTemp)
    lngTemp = arrbytSid(19)
    lngTemp = lngTemp * 256 + arrbytSid(18)
    lngTemp = lngTemp * 256 + arrbytSid(17)
    lngTemp = lngTemp * 256 + arrbytSid(16)
    fnHexStrToDecStr = fnHexStrToDecStr & "-" & CStr(lngTemp)
    lngTemp = arrbytSid(23)
    lngTemp = lngTemp * 256 + arrbytSid(22)
    lngTemp = lngTemp * 256 + arrbytSid(21)
    lngTemp = lngTemp * 256 + arrbytSid(20)
    fnHexStrToDecStr = fnHexStrToDecStr & "-" & CStr(lngTemp)
    lngTemp = arrbytSid(25)
    lngTemp = lngTemp * 256 + arrbytSid(24)
    fnHexStrToDecStr = fnHexStrToDecStr & "-" & CStr(lngTemp)
End Function


When the script starts, an Office Excel window opens with the file Users-Groups-SIDs.xlsx, and data is written to it line by line (do not touch the mouse or click anywhere until the work is completed, otherwise there may be errors in the retrieved data). When the script finishes we get the notification "Script Finished...". Now wait a few seconds for the script to release the table; Office will notify you that the table is available for writing. Agree and click the "Save" button. As output we get a table (screenshot of the table) with the following columns: sn; givenName; initials; description; codePage; sAMAccountName; codePage; mail; ObjectSID; userPrincipalName; displayName; distinguishedName; memberOf; physicalDeliveryOfficeName; telephoneNumber; profilePath; scriptPath; homeDirectory; homeDrive; title; department; company; manager; homePhone; pager; mobile; facsimileTelephoneNumber; ipphone; info; streetAddress; postOfficeBox; l; st; c; wWWHomePage
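The ObjectSID column depends on how the binary SID is decoded. As an added example (not part of the original article or its scripts), the Python below decodes the binary SID layout (revision, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities) next to a transcription of the fixed byte offsets used by fnHexStrToDecStr, to show where the two disagree. The function names and the test SIDs with RID 70000 and S-1-5-32-544 are constructed for illustration.

```python
import struct

def string_to_sid(text: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary objectSid layout (used to build samples)."""
    fields = text.split("-")
    if len(fields) < 3 or fields[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(fields[1]), int(fields[2])
    subs = [int(f) for f in fields[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID using the sub-authority count stored in byte 1."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"length {len(raw)} does not match {count} sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def fixed_offset_decode(raw: bytes) -> str:
    """Transcription of fnHexStrToDecStr: bytes 0, 1, 8, three 4-byte fields, 2-byte RID."""
    def le(offset, size):
        # Little-endian integer; indexing raises IndexError on a short SID
        return sum(raw[offset + i] << (8 * i) for i in range(size))
    parts = [raw[0], raw[1], raw[8], le(12, 4), le(16, 4), le(20, 4), le(24, 2)]
    return "S-" + "-".join(str(p) for p in parts)

# Constructed samples: the article's domain SID with a small RID, the same
# domain with a RID above 65535, and a two-sub-authority builtin group SID.
DOMAIN = "S-1-5-21-833212901-2941102506-3986841923"
SAMPLES = [DOMAIN + "-1101", DOMAIN + "-70000", "S-1-5-32-544"]

def compare(sid_text: str):
    """Return (structure-aware result, fixed-offset result or the error name)."""
    raw = string_to_sid(sid_text)
    try:
        fixed = fixed_offset_decode(raw)
    except IndexError:
        fixed = "IndexError"
    return sid_to_string(raw), fixed

if __name__ == "__main__":
    for sample in SAMPLES:
        good, fixed = compare(sample)
        flag = "ok" if good == fixed else "MISMATCH"
        print(f"{flag:8} {good}  fixed-offset: {fixed}")
```

The fixed offsets agree with the structure-aware decoder only for SIDs with five sub-authorities and a RID below 65536, so exported SIDs outside that shape should be re-checked before they are used as the migration's reference.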

We don't need most of them (you can fix this in the script itself by removing the unnecessary parameters, but for the first run let it export everything).
From the obtained values we now need the sAMAccountName and ObjectSID columns. Sort by ObjectSID in ascending order (from A to Z), then copy and save them to the text file users.txt, slightly changing their appearance so that it looks like this: sAMAccountName, ObjectSID
That is, like this:

dns-gw-sult,S-1-5-21-833212901-2941102506-3986841923-1101
DnsAdmins,S-1-5-21-833212901-2941102506-3986841923-1102
IIS_IUSRS,S-1-5-21-833212901-2941102506-3986841923-1102
DnsUpdateProxy,S-1-5-21-833212901-2941102506-3986841923-1103
ivanov,S-1-5-21-833212901-2941102506-3986841923-1105
ozonov,S-1-5-21-833212901-2941102506-3986841923-1108
elina,S-1-5-21-833212901-2941102506-3986841923-1111
anna,S-1-5-21-833212901-2941102506-3986841923-1113
dash,S-1-5-21-833212901-2941102506-3986841923-1115
denis,S-1-5-21-833212901-2941102506-3986841923-1116
danuev,S-1-5-21-833212901-2941102506-3986841923-1119


As you can see, each entry is on a separate line. The last numbers go in order, but there are gaps: samba wrote users to LDAP with varying RIDs (i.e. the sequence numbers), whereas AD will create users consecutively, starting from some specific RID, so you need to create all the missing users and give them more or less understandable names. We fill them in using the perl script script-add user.pl:

script-add user.pl
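use strict;
use warnings;
use Data::Dumper;

my (%input, %output);
my $max = 0;    # highest RID seen so far
my $input_file  = "users.txt";
my $output_file = "output.txt";
my $sambaSID    = "S-1-5-21-833212901-2941102506-3986841923-";

# Read "name,SID" lines and index the names by RID
open(my $fin, '<', $input_file) or die "Cannot open $input_file: $!";
while (<$fin>) {
    chomp;
    if (/^\s*(.+?),\Q$sambaSID\E(\d+)\s*$/) {
        $input{$2} = $1;
        $max = $2 if $2 > $max;
    }
}
close $fin;
print Dumper(\%input);
print Dumper($max);

# Write one name per RID from 1001 up to the highest RID,
# filling the gaps with placeholder names userNNNN
open(my $fout, '>', $output_file) or die "Cannot open $output_file: $!";
for (my $i = 1001; $i <= $max; $i++) {
    if (exists $input{$i}) {
        print "input: $input{$i} i: $i\n";
        print $fout "$input{$i}\n";
    } else {
        print $fout "user$i\n";
    }
}
close $fout;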


The original article has some parts that do not quite work, so I asked a friend to correct the errors, so that at least the script worked as planned.
As output we get the file output.txt (in which users start from RID 1001 onwards and have the names user1001, etc.) with the content:

output.txt
user1001
user1002
user1003
user1004
user1005
user1006
user1007
user1008
user1009
user1010
user1011
user1012
user1013
user1014
user1015
user1016
user1017
user1018
user1019
user1020
user1021
user1022
user1023
user1024
user1025
user1026
user1027
user1028
user1029
user1030
user1031
user1032
user1033
user1034
user1035
user1036
user1037
user1038
user1039
user1040
user1041
user1042
user1043
user1044
user1045
user1046
user1047
user1048
user1049
user1050
user1051
user1052
user1053
user1054
user1055
user1056
user1057
user1058
user1059
user1060
user1061
user1062
user1063
user1064
user1065
user1066
user1067
user1068
user1069
user1070
user1071
user1072
user1073
user1074
user1075
user1076
user1077
user1078
user1079
user1080
user1081
user1082
user1083
user1084
user1085
user1086
user1087
user1088
user1089
user1090
user1091
user1092
user1093
user1094
user1095
user1096
user1097
user1098
user1099
user1100
dns-gw-sult
IIS_IUSRS
DnsUpdateProxy
user1104
ivanov
user1106
user1107
ozonov
user1109
user1110
elina
user1112
anna
user1114
dash
denis
user1117
user1118
danuev
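In the sample users.txt above, DnsAdmins and IIS_IUSRS share RID 1102, and because the Perl script keeps one name per RID, DnsAdmins is absent from output.txt. As an added example (not from the original article), this Python version of the gap-filling step also derives the domain SID, rejects lines from another domain, and reports such collisions; the function names are hypothetical and the sample text is the users.txt listing shown above.

```python
import re
from collections import defaultdict

# Domain account SID: domain part (three sub-authorities after 21) plus RID
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Sample input: the users.txt lines shown in the article
USERS_TXT = """\
dns-gw-sult,S-1-5-21-833212901-2941102506-3986841923-1101
DnsAdmins,S-1-5-21-833212901-2941102506-3986841923-1102
IIS_IUSRS,S-1-5-21-833212901-2941102506-3986841923-1102
DnsUpdateProxy,S-1-5-21-833212901-2941102506-3986841923-1103
ivanov,S-1-5-21-833212901-2941102506-3986841923-1105
ozonov,S-1-5-21-833212901-2941102506-3986841923-1108
elina,S-1-5-21-833212901-2941102506-3986841923-1111
anna,S-1-5-21-833212901-2941102506-3986841923-1113
dash,S-1-5-21-833212901-2941102506-3986841923-1115
denis,S-1-5-21-833212901-2941102506-3986841923-1116
danuev,S-1-5-21-833212901-2941102506-3986841923-1119
"""

def parse_users(text):
    """Return (domain_sid, {rid: [names in file order]}) from 'name,SID' lines."""
    by_rid = defaultdict(list)
    domain = None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        name, _, sid = line.rpartition(",")
        match = SID_RE.match(sid.strip())
        if not name or not match:
            raise ValueError(f"line {lineno}: expected 'name,SID', got {line!r}")
        if domain is None:
            domain = match.group(1)
        elif match.group(1) != domain:
            raise ValueError(f"line {lineno}: SID belongs to another domain")
        by_rid[int(match.group(2))].append(name.strip())
    if domain is None:
        raise ValueError("no entries found")
    return domain, dict(by_rid)

def plan(by_rid, first_rid=1001):
    """Return ([(rid, name)] in creation order, {rid: names} for shared RIDs).

    Gaps get the placeholder name userNNNN. For a shared RID the last name in
    the file is used, which is what the Perl script's hash assignment does.
    """
    collisions = {rid: names for rid, names in by_rid.items() if len(names) > 1}
    rows = []
    for rid in range(first_rid, max(by_rid) + 1):
        rows.append((rid, by_rid[rid][-1] if rid in by_rid else f"user{rid}"))
    return rows, collisions

if __name__ == "__main__":
    domain_sid, accounts = parse_users(USERS_TXT)
    rows, collisions = plan(accounts)
    print("domain SID:", domain_sid)
    for rid, names in sorted(collisions.items()):
        print(f"RID {rid} is shared by {names}; only {names[-1]} is kept")
    print("\n".join(name for _, name in rows[-19:]))
```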


The resulting list is placed in the dsadd-new.xls table, which had to be slightly modified to fit our needs. In the modified table, put it in the Login column, put the original user SIDs in the SID column, and check that user user-1101 has S-1-5-21-833212901-2941102506-3986841923-1101, user user-1102 has S-1-5-21-833212901-2941102506-3986841923-1102, and so on (I think the logic is clear: the SID of known users must remain the same as it was, and we have it in the Users-Groups-SIDs.xlsx file). To put a user into the groups he was in before, take the memberOf column from the Users-Groups-SIDs.xlsx file and put it for each user into the GROUP column of the dsadd-new.xls file. Fill in the other fields as needed, but the Last Name and First Name columns must be filled in; if this is not done, the generated creation commands will be incorrect. The Login column automatically generates the user name for logging in to the domain; if you are not happy with the generated login, change the template or enter the required login yourself (for some of my users the login did not match, so I replaced it with the required one).
Please also note that:
- if the Patronymic column is not filled in, users are created with an extra space at the end of their name, which may cause problems for some programs;
- I didn't manage to create groups automatically, so we create them with a script that puts them in OU-Users, but this may break some authorizations in various services (Apache, OpenVPN, etc.), because I also had OU-Builtin and OU-Groups, but decided to put everything together for the time being.


add_group.cmd
rem (CN) CN Users
rem dsadd group "cn=,cn=users,dc=mvi,dc=srv"
for %%A in (
jira-users,
jira-administrators,
Developers,
jira-developers,
mvi-users,
berry-dev,
online-developers,
marketing-users,
Marketing,
ne-users,
ne-developers,
ne-admin,
marketing-administrators,
online-users,
bills,QA,
) do dsadd group "cn=%%A,cn=users,dc=mvi,dc=srv"

rem (OU)
rem dsadd group "cn=,cn=groups,dc=mvi,dc=srv"
dsadd ou "ou=Groups,dc=mvi,dc=srv"
for %%B in (
vpn-users,
svn-users,
jenkins-adm,
jenkins,
PHP_Developers,
amazon-users,
) do dsadd group "cn=%%B,ou=groups,dc=mvi,dc=srv"


After the routine copy-paste and verification work, you can prepare the bat files that create users and the commands that add them to groups. The columns TOTAL and TOTAL group contain the commands for creating users and for adding them to groups, respectively; save their contents in the bat files add_user.cmd, add_group.cmd.
The preparation of users and groups is done.

Now let's deal with Windows Server. By this point the system must be installed. We will need the newsid utility. Take the SID from the list of users, here S-1-5-21-833212901-2941102506-3986841923 (from a user SID, delete the last characters up to the "-" to get the domain SID), and replace the current SID of the system with ours. The system applies the changes and reboots (after the reboot you can run the utility again and see that the SID has changed). That's it; now you can install the ActiveDirectory service (I don't know the proper way, but I first installed DNS, skipping its configuration, and then set up the domain service itself with dcpromo). Before that, however, you need to either turn off the SAMBA and bind server or stop these services (I had to stop the services, because the machine is also the Internet gateway, and an admin who shut it down would have had his hands torn off). I don't know whether you can specify a different domain name (nothing prevents it), but I had to keep the current one. Make the necessary settings and reboot the system (as usual). Next, install the acctinfo module, which extends the displayed object properties (the download link above explains how to install it), and launch the Active Directory Users and Computers snap-in. Then try to create one user with the first line of the add_user.cmd script:
 dsadd User "cn=user-1101 user-1101 ,cn=users,dc=mvi,dc=srv" -UPN dns-gw-sult@mvi.srv -samid dns-gw-sult -display "user-1101 user-1101 " -fn user-1101 -ln user-1101 -pwd "p6Jx3Xre" -mustchpwd yes -disabled no -pwdneverexpires yes 

In "Active Directory Users and Computers" we look at its SID in the properties, on the Additional Account Info tab. If the user name matches the ending of its SID, everything is correct and needs no correction (if the SID does not match, we start with the user that has the next SID number, i.e. add 1 to the current one). At this point I had an epic fail with one user: his SID contained 1105, while my users started being created from 1106, so I had to suffer for a long time and transfer all of that user's data, because his id was incorrect.
After clarifying the number from which users are created, correct the user-creation script by removing or commenting out the commands that no longer apply, i.e. remove everything up to user-1107, and then you can safely run the script add_user.cmd. After it finishes, you need to create the groups, otherwise nothing will work. Run add_group.cmd and check that all groups have been created (note that global security groups are created; if other types are needed, add -scope {l | g | u} to the script, see the manual for dsadd group).

dsadd group /?
dsadd group <GroupDN> [-secgrp {yes | no}] [-scope {l | g | u}] [-samid <SAMName>]
    [-desc <Description>] [-memberof <Group ...>] [-members <Member ...>]
    [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q]
    [{-uc | -uco | -uci}]


After verification, we run the script add_user_group.cmd, which adds users to groups (note that there may be discrepancies; check where the groups were created and which ones are specified for the user).

So the migration is finished: we now have ActiveDirectory instead of SAMBA, and users have the same identifiers. All that remains is to join the computers themselves to the domain and the task is complete, apart from finishing a few details that are individual to each setup.

The text I wrote is, as usual, muddled and chaotic, and contains errors, possibly inaccuracies, etc.

All scripts in one place (with examples).

PS
I hope everyone remembers that cmd files, in this case, should be saved using OEM encoding?
Please report errors so they can be corrected.

Source: https://habr.com/ru/post/173985/

