Monday 27 November 2017

How to Copy/Mirror an OU structure from one domain to another domain.

This is one of the regular tasks we have to perform during domain migration activities, so today we will learn how to copy/mirror an OU structure from one domain to another.

For my case, I used the "LDIFDE" command to export the OUs from the source domain and import them into the target domain.

1. Log in to the source domain's domain controller with sufficient privileges (Domain Admin).
2. Run the command below from an elevated command prompt:

ldifde -f c:\Temp\OUs.ldf -r "(objectClass=organizationalUnit)" -l objectClass,description

3. This command exports all OUs from the source domain and creates an LDF file named "OUs.ldf" in the directory C:\Temp.


4. Copy this file to the destination domain's domain controller and edit it with Notepad, as the distinguished names must be changed to match the target domain name.
5. Replace the distinguished name suffix of all OUs with the new domain's distinguished name.
   a. Example: replace the dc=testenv,dc=local entries with the new domain's DN dc=testcorp,dc=local
6. Remove the Domain Controllers OU entry from the LDF file, as it exists by default in every domain and does not need to be imported again into the target domain.
7. The file is now ready; run the command below from an elevated command prompt on the target domain's domain controller:
   a. ldifde -i -f c:\Temp\OUs.ldf
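The manual Notepad edit of the exported file described above can be scripted. The following PowerShell is an added example, not code from the original post: it rewrites the DN suffix in every record, drops the built-in Domain Controllers OU, and additionally orders records parent-before-child so that ldifde -i never tries to create a child OU before its parent. The file paths, DN suffixes and output file name are placeholders.

```powershell
# Added example (not from the original post): convert an ldifde OU export from the
# source domain into an import file for the target domain. Placeholders below.
$InFile   = 'C:\Temp\OUs.ldf'          # file produced by ldifde -f on the source DC
$OutFile  = 'C:\Temp\OUs-target.ldf'   # file to feed to ldifde -i on the target DC
$SourceDn = 'DC=testenv,DC=local'      # DN suffix of the source domain
$TargetDn = 'DC=testcorp,DC=local'     # DN suffix of the target domain

# LDIF records are separated by blank lines. OU names are assumed ASCII here;
# for other characters export with "ldifde -u" and use -Encoding Unicode instead.
$raw     = Get-Content -Path $InFile -Raw -Encoding ASCII
$records = $raw -split '(?:\r?\n){2,}' | Where-Object { $_.Trim() -ne '' }

$suffixPattern = [regex]::Escape($SourceDn) + '\s*$'

$converted = foreach ($rec in $records) {
    $dn = $rec -split '\r?\n' | Where-Object { $_ -match '^dn:' } | Select-Object -First 1
    if (-not $dn) { continue }                                   # no dn: line, nothing to import
    if ($dn -match '^dn:\s*OU=Domain Controllers,') { continue } # built-in OU, target already has it
    if ($dn -notmatch $suffixPattern) {                          # guard against the wrong export file
        throw "Record does not end with $SourceDn : $dn"
    }
    # Rewrite the domain suffix on every line of the record (-replace is case-insensitive).
    $newRec = $rec -replace [regex]::Escape($SourceDn), $TargetDn
    # Depth = number of OU= components in the DN; parents must be created before children.
    [pscustomobject]@{ Depth = ([regex]::Matches($dn, '(?i)OU=')).Count; Text = $newRec }
}

# ldifde -i creates objects in file order, so emit shallow OUs first (Sort-Object is stable).
$ordered = $converted | Sort-Object Depth | ForEach-Object { $_.Text }
($ordered -join "`r`n`r`n") + "`r`n" | Set-Content -Path $OutFile -Encoding ASCII

Write-Host "Wrote $($ordered.Count) OU records to $OutFile; import with: ldifde -i -f $OutFile"
```

Review the generated file before importing it; a record that still carries the source DN suffix means the export came from a different domain than the one named in $SourceDn.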

Thanks,
Baji Nannam

Thursday 26 October 2017

Service Principal Name (SPN)

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

For Win32 services, a service installer specifies the logon account when an instance of the service is installed. The installer then composes the SPNs and writes them as a property of the account object in Active Directory Domain Services. If the logon account of a service instance changes, the SPNs must be re-registered under the new account.

Example: take SQL Server as an example. The SQL services on the server run under a service account, and we register the SPN with that service account. (Sometimes SPNs are registered automatically, if the service account has been delegated the Write servicePrincipalName permission on its own account attributes.) This SPN is then used for Kerberos authentication.

Syntax to register SPNs for SQL Server

setspn -s MSSQLSvc/ServerFQDNName Domainname\ServiceAccount
setspn -s MSSQLSvc/ServerFQDNName:ServicePortNumber Domainname\ServiceAccount


Get the list of SPNs registered to one service account

setspn -L Domainname\ServiceAccount

Steps to delegate the Write servicePrincipalName permission to a service account
1. Open the service account's properties using ADSIEDIT.MSC and go to the Security tab.
2. Click Advanced --> click Add. Click "Select a principal", type in SELF and click OK. Leave the Type set to "Allow" and change "Applies to:" to "Descendant User objects". Scroll down and check the box that says "Write servicePrincipalName".