How do I solve LDIFDE errors on "last token starts with 'C'" and "change-modify entry is missing the terminator '-'" when..?


Here is what your file should look like. I've just tested this against LDS on Windows 8 to be certain.

dn: CN=PrinterAdmins,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
changetype: modify
add: member
member: CN=John Doe,OU=Track-It!,OU=Admins,OU=CMPNY,DC=company,DC=local
-

If you have no special characters in the values, then an ANSI file should do just fine.

Chances are you have, but in case you haven't, http://support.microsoft.com/kb/237677 might help.

Author: BlueToast

Updated on September 18, 2022

Comments

  • BlueToast (almost 2 years ago)

    How do I solve LDIFDE errors on "last token starts with 'C'" and "change-modify entry is missing the terminator '-'" when trying to pair existing users to existing security groups (domain migration)?

    I execute this:

    C:\Users\Administrator\Downloads\ldif_files>ldifde -i -k -f test.ldf -v -j "C:\Users\Administrator\Downloads\ldif_files"
    Connecting to "dc1.company.local"
    Logging in as current user using SSPI
    Importing directory from file "test.ldf"
    Loading entries
    
    There is a syntax error in the input file
    Failed on line 6.  The last token starts with 'C'.
    The change-modify entry is missing the terminator '-'.
    0 entries modified successfully.
    An error has occurred in the program
    
    C:\Users\Administrator\Downloads\ldif_files>
    

    test.ldf is this:

    dn: CN=PrinterAdmins,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
    changetype: modify
    add: member
    objectClass: top
    objectClass: group
    member: CN=John Doe,OU=Track-It!,OU=Admins,OU=CMPNY,DC=company,DC=local
    

    I have painstakingly troubleshot this for a couple or few hours now without success. I have tried...

    • Adding a single line '-' at the end
    • Adding a line '-' followed by a blank line (two lines total) at the end
    • several other things; have spent lots of time Googling for solutions and trying everything without having success

    The OUs, security group, and user exist. For the life of me, I can't figure it out. I have successfully imported an OU structure from the 'oldcompany.com' domain, used Notepad++ to remove a particular space/enter character and also to replace 'dc=oldcompany,dc=com' with 'dc=company,dc=local', imported the users, imported the security groups -- everything successfully. All that is left is to import the memberships of every group (tying users to their groups).

    Please help. :(

    What am I doing / trying to do / have done already? I have roughly around 700 groups that I need to pair several hundred users to. Importing of OU structure, followed by users, followed by [empty] groups was successful. All that is left is pairing users to their groups. Moving from an old "company.com" domain (from 2003 DC) to "company.local" on brand new 2012 DC. Want to avoid having to go through all 700 groups manually adding users (because I do have an Excel report that tells me the member of every group / what group every user is a member of).

    EDIT: SOLUTION!

    This is what I had to do to get it to work:

    • Remove all objectClass lines; next time I need to leave this out of the command parameters for exporting
    • The first line of the file should be a blank line, followed by the "dn:" line of the first group
    • The second to last line of the file should be a -, followed by a blank line (the last line of the file)

    So to import users, security groups, and group memberships from company.com to company.local, this is what I had to do:

    1. Exporting the OU structure from company.com; on company.com, we had an OU "CMPNY" in the root of the domain when you use Active Directory Users and Computers that contained everything (security groups, users, OUs, GPOs, etc)
      • Execute ldifde -f exportOUs.ldf -s srvADdc1 -t 3268 -d "OU=CMPNY,DC=company,DC=com" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou" on any machine connected to the old company.com AD domain; it will connect to srvADdc1 (a domain controller) to search and export from
    2. Exporting the Users from company.com
      • Execute ldifde -f exportUsers.ldf -s srvADdc1 -t 3268 -d "OU=CMPNY,DC=company,DC=com" -p subtree -r "(&(objectCategory=Person)(objectClass=user))" -l "cn,displayName,distinguishedName,name,objectCategory,objectClass,sAMAccountName"
    3. Export Groups from company.com WITHOUT members (so as just empty security groups)
      • Execute ldifde -f exportGroupsEmpty.ldf -s srvADdc1 -t 3268 -d "OU=CMPNY,DC=company,DC=com" -p subtree -r "(&(objectCategory=group)(objectClass=group))" -l "cn,name,sAMAccountName,grouptype,objectclass"
    4. Export Groups from company.com WITH members (contains bare minimum information to identify what User objects are a Member of what Group)
      • Execute ldifde -f exportGroupsMembers.ldf -s srvADdc1 -t 3268 -d "OU=CMPNY,DC=company,DC=com" -p subtree -r "(&(ObjectCategory=group)(objectClass=group)(name=)(member=))" -l "member"
    5. Importing the OU skeleton of the old company.com into the new company.local domain; we're using a different OU skeleton structure in company.local (no "CMPNY" OU at root), so this OU skeleton we're importing is merely just for the sake of importing old data, and after we import everything, we can rename/cleanup/delete whatever, and then move and arrange the imported objects over to our new/different OU skeleton structure standard that we've decided to use on our new company.local domain
      • Modify exportOUs.ldf via Notepad++ (my personal preference), find DC=com and replace all with DC=local, and save the file
      • Execute ldifde -i -k -f exportOUs.ldf -v -j "C:\"; you can change the path for the value of -j parameter, or remove -j "C:\" entirely -- all it does is log any errors to file
    6. Import Users from company.com into company.local
      • Modify exportUsers.ldf via Notepad++, find DC=com and replace all with DC=local, and save the file
      • Execute ldifde -i -k -f exportUsers.ldf -v -j "C:\"
    7. Import empty [Security] Group shells from company.com into company.local
      • Modify exportGroupsEmpty.ldf via Notepad++, find DC=com and replace all with DC=local, and save the file
      • Execute ldifde -i -k -f exportGroupsEmpty.ldf -v -j "C:\"
    8. Import the Membership pairing between Users and Groups from company.com to company.local
      • Open exportGroupsMembers.ldf via Notepad++
        • Examine the contents of this file very carefully; notice how a single item is split out over multiple lines (like if someone decided to hit the ENTER key 1/3 the way through a line) -- they should normally be on one line instead of overflowing into multiple lines
        • The first thing is to fix the multiple line overflowing issue. To do this, select all the character data in between two lines that would need to be deleted to fix it (for just that one instance), and 'replace all' it with literally nothing
        • Find dc=com and replace all with dc=local
        • Replace all empty lines with two lines: the first one should be a single - character, and the second should be a blank line; you can accomplish this by selecting that space and doing a replace all with \r\n-\r\n\r\n with Extended search mode in Notepad++
        • Make sure that the first line of the file is a blank empty line (no spaces, just empty line) before the first "dn:" line (for the first group)
        • Make sure the second to last line of the file is a - line, followed by a blank line (as the last line)
      • Find "changetype: add" and replace all with changetype: modify\r\nadd: member (basically, this changes 'add' to 'modify', and creates new line below this "add: member")
      • Execute ldifde -i -k -f exportGroupsMembers.ldf -v -j "C:\"

    Example exportGroupsMembers.ldf (first line has a space in it -- it is not supposed to have a space in it, just supposed to be a blank line; last line after the - line is supposed to be a blank line too):

    dn: CN=ERP_User_Test,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
    changetype: modify
    add: member
    member: CN=Ralph Doe,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
    member: CN=Grace McPhillip,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
    member: CN=Logan Rowley,OU=Track-It!,OU=Admins,OU=CMPNY,DC=company,DC=local
    -
    
    dn: CN=FolderSecurity_StockReportsDatabase_C,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
    changetype: modify
    add: member
    member: CN=David Collins,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
    member: CN=Kelly Paris,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
    member: CN=genericSalesUser,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
    -
    
    dn: CN=FolderSecurity_StockReportsDatabase_R,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
    changetype: modify
    add: member
    member: CN=Ron Burgandy,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
    member: CN=Jane Doe,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
    member: CN=Bill Gates,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
    -
    

    What this primarily accomplishes is that when we migrate shared network drives over to the new network, individual folder security permissions are retained. We don't have to go and recreate all the groups, add members back into the groups, and then go weed through over 1000 folders of unique security permissions (stupid, I know).

    After all this, we can..

    • Go in and DELETE all the user objects that are permanently obsolete (such as genericITAdmin and genericITModerator and genericITTech administrator, test accounts, random one-off accounts, etc) but keep real human person accounts that have been deactivated
    • Rename security groups to standardize on naming conventions, then later begin cleaning up security groups to consolidate, find patterns, remove unique security permissions, etc
    • Move objects over to our new OU skeleton structure and delete the CMPNY OU from root after we're done weeding through it, manipulating, removing, renaming old stuff

    I thank the responders at the following threads:

    • [H]ardForum
    • ServerFault
    • TechNet

    Primary resource from which I followed the overall export and import workflow

    Additional helpful information I utilized or influenced me in my journey
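    The file layout in the accepted answer (a modify record closed with '-') and the Notepad++ steps in the solution above can be automated. The script below is an added example and not code from this thread or from ldifde; it uses only the Python standard library. It unfolds LDIF continuation lines (the "split over multiple lines" problem), drops the objectClass lines, rewrites the DC=com suffix to DC=local, turns each "changetype: add" export record into a "changetype: modify" / "add: member" record terminated by '-', and lints a modify file for the two mistakes in the original test.ldf (objectClass lines inside the member block and the missing terminator). The sample export is constructed; the group and user names are copied from the post, except the base64 member, which is invented to show how ldifde writes non-ASCII values.

```python
"""Convert an ldifde group/member export into a 'changetype: modify' import
file and lint it for the errors quoted in the question.

Added example, not code from the thread. Standard library only; all sample
LDIF is constructed.
"""
import base64
import re


def _b64(value):
    # ldifde writes values that are not safe as plain text as 'attr:: <base64 of UTF-8>'
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


# Constructed export imitating 'ldifde ... -l member': objectClass lines, a
# 'changetype: add' record, one value folded onto a continuation line (leading
# space, as in RFC 2849), one base64 value and one group with no members.
SAMPLE_EXPORT = (
    "dn: CN=ERP_User_Test,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=com\n"
    "changetype: add\n"
    "objectClass: top\n"
    "objectClass: group\n"
    "member: CN=Ralph Doe,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=com\n"
    "member: CN=Grace McPhillip,OU=Uncategorized,OU=Users,OU=CMPNY,DC=comp\n"
    " any,DC=com\n"
    "member:: " + _b64("CN=Jürgen Müller,OU=Users,OU=CMPNY,DC=company,DC=com") + "\n"
    "\n"
    "dn: CN=EmptyGroup,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=com\n"
    "changetype: add\n"
    "objectClass: group\n"
)

# The questioner's failing test.ldf: objectClass lines inside the
# 'add: member' block and no '-' terminator.
BROKEN_MODIFY = (
    "dn: CN=PrinterAdmins,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local\n"
    "changetype: modify\n"
    "add: member\n"
    "objectClass: top\n"
    "objectClass: group\n"
    "member: CN=John Doe,OU=Track-It!,OU=Admins,OU=CMPNY,DC=company,DC=local\n"
)


def unfold(text):
    """Join continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_records(lines):
    """Split unfolded lines into records at blank lines, dropping empty records."""
    records, current = [], []
    for line in lines:
        if line.strip():
            current.append(line)
        elif current:
            records.append(current)
            current = []
    if current:
        records.append(current)
    return records


def parse_record(lines):
    """Return (dn, [(attr_lowercase, value), ...]); '-' lines become ('-', '')."""
    dn, attrs = None, []
    for line in lines:
        if line == "-":
            attrs.append(("-", ""))
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        if value.startswith(":"):            # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.append((name, value))
    if dn is None:
        raise ValueError("record without dn")
    return dn, attrs


def format_attr(name, value):
    """Write a plain line, or the '::' base64 form when the value is unsafe."""
    unsafe = (not value.isascii()) or value[:1] in (" ", ":", "<") or value != value.rstrip()
    return "%s:: %s" % (name, _b64(value)) if unsafe else "%s: %s" % (name, value)


def rewrite_suffix(dn, old_suffix, new_suffix):
    """Replace the domain suffix at the end of a DN, case-insensitively."""
    return re.sub(re.escape(old_suffix) + r"$", new_suffix, dn, flags=re.IGNORECASE)


def to_modify_records(text, old_suffix, new_suffix):
    """Emit one 'changetype: modify / add: member ... -' record per non-empty group."""
    out = []
    for lines in split_records(unfold(text)):
        dn, attrs = parse_record(lines)
        members = [rewrite_suffix(v, old_suffix, new_suffix) for n, v in attrs if n == "member"]
        if not members:
            continue                          # nothing to add for an empty group
        rec = [format_attr("dn", rewrite_suffix(dn, old_suffix, new_suffix)),
               "changetype: modify", "add: member"]
        rec += [format_attr("member", m) for m in members]
        rec.append("-")
        out.append("\n".join(rec))
    return "".join(r + "\n\n" for r in out)  # '-' then a blank line closes each record


def check_modify_records(text):
    """Lint modify records: each add/replace/delete block holds only its own
    attribute and is closed with '-'. Returns [(dn, problem), ...]."""
    problems = []
    for lines in split_records(unfold(text)):
        dn, attrs = parse_record(lines)
        if not any(n == "changetype" and v.lower() == "modify" for n, v in attrs):
            continue
        target = None
        for name, value in attrs:
            if name == "changetype":
                continue
            if name in ("add", "replace", "delete"):
                if target is not None:
                    problems.append((dn, "block for '%s' not closed with '-'" % target))
                target = value
            elif name == "-":
                target = None
            elif target is None:
                problems.append((dn, "attribute '%s' outside any change block" % name))
            elif name != target.lower():
                problems.append((dn, "attribute '%s' inside the block for '%s'" % (name, target)))
        if target is not None:
            problems.append((dn, "record missing the terminator '-'"))
    return problems


if __name__ == "__main__":
    for dn, why in check_modify_records(BROKEN_MODIFY):
        print("problem in %s: %s" % (dn, why))
    print(to_modify_records(SAMPLE_EXPORT, "DC=company,DC=com", "DC=company,DC=local"))
```

    Run against the questioner's test.ldf the linter reports the two objectClass lines inside the member block and the missing '-', which is exactly what ldifde complains about; run over the constructed export it produces a file in the shape shown in the accepted answer, with the non-ASCII member re-emitted in the "member::" base64 form so the result stays a valid ANSI-safe file.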

  • user460272 (over 11 years ago)

    You my friend are a hero! Thanks so much for your guide. I had to do some googling around this bit: "Replace all empty lines with two lines: the first one should be a single - character, and the second should be a blank line; you can accomplish this by selecting that space and doing a replace all with \r\n-\r\n\r\n with Extended search mode in Notepad++". You need to replace \r\n\r\n with \r\n-\r\n\r\n. Excellent, thanks!