
Guide to Copy OU Structure from One Domain to Another

Published By Siddharth Sharma
Approved By Anuraag Singh
Published On June 28th, 2024
When companies go through significant transformations such as mergers or acquisitions, it's essential to replicate the structures of Organizational Units (OUs) across different areas. This manual delves into successful strategies, including addressing the challenges posed by PowerShell's restrictions, to guarantee a smooth transition and administration of OUs.

Whenever an organization undergoes structural changes due to mergers, acquisitions, etc., it must also copy the OU structure from one domain to another. This is an essential task that the admin in charge of the migration should prioritize. To assist them, we have prepared this write-up, which contains the complete guidance necessary for the task.

Furthermore, we also explain how the automated tool overcomes challenges posed by the PowerShell method. Before we can learn the OU cloning technique, let’s look at the design parameters of an Organizational Unit.

What Exactly Is an Organizational Unit in Active Directory & When to Copy It

An OU can be understood as a container that resides inside a Microsoft Windows Active Directory (AD) domain. It is a subdivision designed to hold users, groups, computers, and even other organizational units. It is the smallest unit that can be assigned its own unique policy settings and permissions. Within an OU, objects with similar properties are put together, which makes it easier to manage and access them. Now that we have a basic understanding of OUs, let’s look at real-life scenarios in which to replicate the structure.

During the testing of a new product, companies often assign a new OU. To save time and avoid mistakes during OU creation, it is better to copy an existing structure and start working on it directly.

When a merger or acquisition takes place, the new employee data can be directly moved to the parent company’s database. Admins can make a replica of the host’s OU, shift the employee data into it, and then sync the OU with the database.

When OU data becomes corrupted, admins can clone the structure and look for any issues present in it. After the issue is resolved, the data can be restored to the new OU from a backup.

Now we begin with a technical method for copying the OU structure.

Using PowerShell to Copy OU Structure From One Domain to Another

PowerShell does not directly give us the intended result; we have to manipulate the output to replicate the original OU structure in the target domain. To make sure everything matches the target, users first need to generate a CopyOfOUstructure.ldif file as an output. Our aim is to move the OUs and then tweak the output so that no trace of the original domain remains. In other words, delete the domain name itself.

Use the script below as a template and make changes according to your requirements:

$Domain = get-addomain
ldifde -f OUStructure.ldif -d $($domain.Distinguishedname) -c `"$($domain.Distinguishedname)`" `"DC=X`" --% -r "(objectclass=organizationalUnit)" -l "ou,description,objectclass,displayName,displayNamePrintable,msCOM-UserPartitionSetLink,x121Address,uPNSuffixes,co,telexNumber,teletexTerminalIdentifier,telephoneNumber,street,st,seeAlso,searchGuide,registeredAddress,preferredDeliveryMethod,postalCode,postalAddress,postOfficeBox,physicalDeliveryOfficeName,managedBy,thumbnailLogo,l,internationalISDNNumber,facsimileTelephoneNumber,destinationIndicator,desktopProfile,defaultGroup,countryCode,c,businessCategory"

Add or replace the variables according to your own organization’s constraints. Ensure that these match the original OU structure; otherwise, your OU structure may get corrupted.

get-content OUStructure.ldif | %{$_ -replace 'Source','Target'} | Out-file Oustructure-reOrg.ldif

Then copy the ldif file to the target server and execute the following commands to load the OU structure.

# On the target server: map the DC=X placeholder to the target domain's distinguished name
$Domain = get-addomain
ldifde -i -v -k -f OUStructure.ldif -c `"DC=X`" `"$($domain.DistinguishedName)`"
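
A check worth running on the exported file before the import, as an added example that is not part of the original article: it unfolds the LDIF, confirms each OU's parent is created earlier in the file, lists DN-valued link attributes, and flags any domain component other than the DC=X placeholder. The function name Test-OuLdif, its parameters, and the sample entries are assumptions made for illustration.

```powershell
# Added example, not the article's script. Test-OuLdif and its parameters are illustrative names;
# the DC=X placeholder and the attribute names come from the ldifde commands above.
function Test-OuLdif {
    param([Parameter(Mandatory)][string]$Path, [string]$Placeholder = 'DC=X')
    # Unfold wrapped lines: an LDIF continuation line starts with a single space.
    $lines = [System.Collections.Generic.List[string]]::new()
    foreach ($raw in Get-Content -LiteralPath $Path) {
        if ($raw.StartsWith(' ') -and $lines.Count -gt 0) {
            $lines[$lines.Count - 1] += $raw.Substring(1)
        } else { $lines.Add($raw) }
    }
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $linkAttrs = 'managedBy', 'seeAlso', 'defaultGroup'      # DN-valued links in the -l list
    $phRegex = [regex]::Escape($Placeholder) + '(?=,|$)'
    foreach ($line in $lines) {
        if ($line -notmatch '^([\w;-]+)(::?)\s*(.*)$') { continue }   # blank or comment line
        $attr = $Matches[1]; $value = $Matches[3]
        # "::" marks a base64-encoded value (used for non-ASCII text)
        if ($Matches[2] -eq '::') { $value = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($value)) }
        $issues = @()
        if ($attr -eq 'dn') {
            $dn = $value
            $parent = $dn -replace '^(?:\\.|[^,\\])+,', ''   # drop the first RDN
            if ($parent -ne $Placeholder -and -not $seen.Contains($parent)) {
                $issues += 'parent OU is not created earlier in the file'
            }
            [void]$seen.Add($dn)
        } elseif ($linkAttrs -contains $attr) {
            $issues += 'links to an object this file does not create; confirm it in the target'
        }
        if (($value -replace $phRegex, '') -match '\bDC=') {
            $issues += 'domain component other than the placeholder remains'
        }
        foreach ($i in $issues) { [pscustomobject]@{ Entry = $dn; Attribute = $attr; Issue = $i } }
    }
}
# Constructed sample: child before parent, plus a managedBy link into a child domain.
$sample = @'
dn: OU=Laptops,OU=Sales,DC=X
changetype: add
ou: Laptops

dn: OU=Sales,DC=X
changetype: add
ou: Sales
managedBy: CN=Jane Doe,OU=Staff,DC=emea,DC=X
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'OUStructure-sample.ldif'
Set-Content -LiteralPath $tmp -Value $sample
Test-OuLdif -Path $tmp | Format-Table -AutoSize
```

Point it at OUStructure.ldif (or the renamed copy) before copying the file to the target server; an empty result means none of the three conditions was found.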

Limitations of the PowerShell Mechanism

Confusing: PowerShell commands are broad in scope, so getting an organization-specific template can be tricky. As each business operates differently, this confusion over which command to use causes delays and reduces workplace efficiency.

Highly Technical: Requires in-depth knowledge of PowerShell commands and their functionalities. Lack of knowledge can result in data corruption and data loss.

Absence of Support: Admins only have their knowledge base to rely on. Moreover, if anything goes wrong, there is no support to guide and resolve the error.

Hit and Trial Process: The command line is not a direct way to get the result; users have to spend a lot of time trying and tweaking the results. Only when

No Tracking or Reporting Feature: When users want to copy OU structure from one domain to another, they often need to track the progress. However, no such feature is present to directly view the progress in real-time within PowerShell. Moreover, the absence of a report makes it difficult to track if the operation was successful or not.

Conclusion

In this write-up, we showed the way to copy the OU structure from one domain to another using a variety of methods. The PowerShell method, although available, is not recommended due to the complexity of the operation. On the other hand, the tool mentioned earlier simplified the entire process. So it’s better to save both time and effort by utilizing the tool.

FAQs

Q. I am not well versed in PowerShell commands; is there an alternative for the same?

Ans. Yes, the automated utility provided in the above section is more than enough to copy and replicate the OU structure between domains.

Q. What is the meaning of exporting and importing an OU structure using LDIFDE.exe?

Ans. ldifde.exe is an executable that admins need to run on their domain controller; it works with a text file and can then replicate the OU structure.

Q. Is the OU hierarchy maintained during the cloning?

Ans. Yes, the tool makes sure no unwanted changes take place within the OU itself. Only a clone of the structure gets generated at the destination domain.