AWS Directory Service allows you to create a standalone, highly available AWS-managed directory called Simple AD in a matter of minutes. With Simple AD, you can centrally manage user accounts and group memberships for Amazon EC2 instances joined to a domain. It also allows you to use a single set of credentials to log in across all EC2 instances as well as provide authentication to your applications. For more information about Simple AD, see What is AWS Directory Service Simple AD?
In this blog post, I will talk about the commands to use when migrating identities from a directory such as Microsoft Active Directory to Simple AD.
Important note: Before making changes to your Simple AD directory, it is important to keep snapshots as a backup. If you need to create a snapshot of your directory now, follow these instructions.
Migrating to Simple AD
You can easily migrate existing identities from your Active Directory to Simple AD. Additionally, if you have been testing out Simple AD with our free trial, you can also migrate those identities to your production Simple AD by following the steps in this post. You can perform this migration by using csvde, which is a command-line tool that imports and exports data from Active Directory by using comma-separated value (CSV) files.
Note: As a security measure, passwords are not migrated using csvde. You will have to set new passwords for the accounts that are created on the new domain.
Step 1: Install AD DS tools in order to use csvde
Ensure that you have an EC2 Windows instance that is joined to the Simple AD (follow these instructions, if you need to perform a join first). Log in with a user that has the ability to install roles or features on the Windows instance, and create objects in the domain such as the Administrator account. You’ll need to run the command in this step on the EC2 Windows instance that you’ve set up. Your existing Active Directory should have the tools installed already, but you can run the same command if the tools do not appear.
Open Windows PowerShell and run one of the following two commands to get the Active Directory tools that include csvde.
Use the following command for Windows Server 2008 R2.
> Add-WindowsFeature RSAT-ADDS-Tools
Use the following command for Windows Server 2012 and later.
> Install-WindowsFeature RSAT-ADDS-Tools
Step 2: Export identities from your existing Active Directory (or Simple AD)
Run the following command from your Domain Controller running Active Directory to export your user identities to a file.
> csvde -f users.csv -l "DN, objectclass, objectcategory, givenName, sn, name, samAccountName, displayname" -r "(&(objectClass=user)(objectCategory=person))"
Using the -l flag allows you to choose specific attributes to export. You can add additional options if you would like to include other information about your objects. You can review the entire list of attributes available for user objects.
Step 3: Import identities into Simple AD
Copy the users.csv file to the EC2 instance that is joined to the Simple AD. Before importing the identities, open the users.csv file and review the content. You can remove lines for the users such as Administrator, Guest, and krbtgt, because they already exist by default in all directories. Only keep the lines for the users that you wish to exist in the new directory. If you are also importing the identities into a domain with a different domain name, you will need to update values such as dn and objectCategory for the new domain name, because they have references to them.
The following sample shows a .csv file with one user account.
DN,objectClass,name,sAMAccountName,objectCategory,displayName,givenName, sn,userPrincipalName "CN=John Doe,CN=Users,DC=example,DC=com",user,John Doe,johndoe,"CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com",John Doe,John,Doe,firstname.lastname@example.org
Enter the following command on the EC2 instance that is joined to the Simple AD to import users from the .csv file.
> csvde –i –f .\users.csv
After the users have been imported, they will be disabled and require a password. You can install the Active Directory Administration Tools and run the Active Directory Users and Computers tool on the EC2 instance that you launched to enable the account and create a new password. You should always use long and complex values for your passwords.
This post has shown you how to easily migrate existing identities in your Active Directory to a Simple AD by using the csvde tool. Using this tool also allows you to perform a bulk import of your identities. With the ability to quickly create Simple AD directories in a matter of minutes and create a copy of all your identities, you can start to establish an environment that is similar to your current setup.
You can post comments below, or visit the AWS Directory Service forum to post comments and questions.