Table of Contents

Systems - AD: Create LDIF backup

Introduction

In many cases, it is useful to be able to create a backup of MS AD (or LDAP). This backup isn't really meant to be used as a full backup, it doesn't contain enough relevant data. Before you make changes to the AD system properties (especially before starting to manage AD for the first time), make sure the customer creates a full AD backup which can be restored. Instead, this backup allows you to simply check the original values in AD and to keep them around for some time. If in the future you need to know the original membership values, you can always find it here.

Script

To create the backup LDIF, you can run this very simple script. It will create the file ad_backup.ldif in the directory you are currently in. Note that you need ldapsearch for this to work. If you don't have it installed, do so: yum install openldap-clients

ldapsearch -x -h domain.controller.address -LLL -o ldif-wrap=no -E pr=1000/noprompt -D samacountname.user@domain -b OU=org.unit,DC=to,DC=be,DC=exported -W > ad_backup.ldif

To use this script, change the following parts:

  1. "domain.controller.address" - the hostname or IP address of the DC (Server hostname in IdM's AD configuration)
  2. "samacountname.user@domain" - the sAMAccountname of the user and the domain name (Principal in IdM's AD configuration)
  3. "OU=org.unit,DC=to,DC=be,DC=exported" - specify which OU you want to backup

Simply run the script in the console (or you can create a .sh file if you want to run the script again). It will ask you for the password of the user whose sAMAccountname you put in.

See also

Our blog post with a more elaborate script