
2/2/2017 How to Migrate Your Microsoft Active Directory Users to Simple AD | AWS Security Blog

How to Migrate Your Microsoft Active Directory Users to Simple AD
by Chen Wong | on 17 AUG 2015 | in How-To Guides

AWS Directory Service allows you to create a standalone, highly available AWS-managed directory called Simple AD in a
matter of minutes. With Simple AD, you can centrally manage user accounts and group memberships for Amazon EC2
instances joined to a domain. It also allows you to use a single set of credentials to log in across all EC2 instances as well
as provide authentication to your applications. For more information about Simple AD, see What is AWS Directory Service
Simple AD?

In this blog post, I will talk about the commands to use when migrating identities from a directory such as Microsoft Active
Directory to Simple AD.

Important note: Before making changes to your Simple AD directory, it is important to keep snapshots as a backup. If you
need to create a snapshot of your directory now, follow these instructions.

Migrating to Simple AD


You can easily migrate existing identities from your Active Directory to Simple AD. Additionally, if you have been testing out
Simple AD with our free trial, you can also migrate those identities to your production Simple AD by following the steps in
this post. You can perform this migration by using csvde, which is a command-line tool that imports and exports data from
Active Directory by using comma-separated value (CSV) files.

Note: As a security measure, passwords are not migrated using csvde. You will have to set new passwords for the
accounts that are created on the new domain.

Step 1: Install AD DS tools in order to use csvde

Ensure that you have an EC2 Windows instance that is joined to the Simple AD (follow these instructions, if you need to
perform a join first). Log in as a user, such as the Administrator account, that can install roles or features on the
Windows instance and create objects in the domain. You'll need to run the command in this step on the EC2
Windows instance that you've set up. Your existing Active Directory should have the tools installed already, but you can
run the same command if the tools do not appear.

Open Windows PowerShell and run one of the following two commands to get the Active Directory tools that include
csvde.

Use the following command for Windows Server 2008 R2.

> Add-WindowsFeature RSAT-ADDS-Tools

Use the following command for Windows Server 2012 and later.

> Install-WindowsFeature RSAT-ADDS-Tools

Step 2: Export identities from your existing Active Directory (or Simple AD)

Run the following command from your Domain Controller running Active Directory to export your user identities to a file.

> csvde -f users.csv -l "DN, objectclass, objectcategory, givenName, sn, name, samAccountName, displayname" -r "(&(objectClass=user)(objectCategory=person))"


Using the -l flag allows you to choose specific attributes to export. You can add additional options if you would like to
include other information about your objects. You can review the entire list of attributes available for user objects.

Step 3: Import identities into Simple AD

Copy the users.csv file to the EC2 instance that is joined to the Simple AD. Before importing the identities, open the
users.csv file and review the content. You can remove the lines for users such as Administrator, Guest, and krbtgt,
because they already exist by default in all directories. Keep only the lines for the users that you want to exist in the new
directory. If you are importing the identities into a domain with a different domain name, you will also need to update
values such as dn and objectCategory, because they contain references to the old domain name.

The following sample shows a .csv file with one user account.

DN,objectClass,name,sAMAccountName,objectCategory,displayName,givenName,sn,userPrincipalName
"CN=John Doe,CN=Users,DC=example,DC=com",user,John Doe,johndoe,"CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com",John Doe,John,Doe,johndoe@example.com
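
The review described above (dropping the default accounts and updating dn and objectCategory for a new domain name) can be scripted. The following PowerShell is an added example, not part of the original post; the target domain corp.example.net, the helper ConvertTo-DcSuffix, and the sample rows are constructed for illustration.

```powershell
# Added example: clean a csvde export before import (not from the original post).
$oldDomain = 'example.com'        # domain used in the sample above
$newDomain = 'corp.example.net'   # hypothetical new Simple AD domain name
$builtIn   = 'Administrator', 'Guest', 'krbtgt'   # exist by default in all directories

function ConvertTo-DcSuffix([string]$DnsName) {
    # example.com -> DC=example,DC=com
    ($DnsName.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

# Constructed sample data; for a real run use: $rows = Import-Csv .\users.csv
$sample = @'
DN,objectClass,name,sAMAccountName,objectCategory,displayName,givenName,sn,userPrincipalName
"CN=Administrator,CN=Users,DC=example,DC=com",user,Administrator,Administrator,"CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com",,,,
"CN=John Doe,CN=Users,DC=example,DC=com",user,John Doe,johndoe,"CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com",John Doe,John,Doe,johndoe@example.com
'@
$rows = $sample -split '\r?\n' | ConvertFrom-Csv

# Anchor both patterns at the end of the value so only the domain part changes
$dnPattern  = [regex]::Escape((ConvertTo-DcSuffix $oldDomain)) + '$'
$upnPattern = '@' + [regex]::Escape($oldDomain) + '$'
$newSuffix  = ConvertTo-DcSuffix $newDomain

$clean = @(foreach ($row in $rows) {
    if ($builtIn -contains $row.sAMAccountName) { continue }   # drop default accounts
    $row.DN                = $row.DN -replace $dnPattern, $newSuffix
    $row.objectCategory    = $row.objectCategory -replace $dnPattern, $newSuffix
    $row.userPrincipalName = $row.userPrincipalName -replace $upnPattern, "@$newDomain"
    $row
})

# Stop before writing anything if a DN was not moved to the new domain
$bad = @($clean | Where-Object { -not $_.DN.EndsWith($newSuffix, [StringComparison]::OrdinalIgnoreCase) })
if ($bad.Count -gt 0) { throw "DN not under ${newDomain}: $($bad[0].DN)" }

# Print the result; to write a file instead, pipe $clean to Export-Csv -NoTypeInformation
$clean | ConvertTo-Csv -NoTypeInformation
```

Review the rewritten rows before importing them, in the same way as the manual review in this step.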

Enter the following command on the EC2 instance that is joined to the Simple AD to import users from the .csv file.

> csvde -i -f .\users.csv

After the users have been imported, they will be disabled and require a password. You can install the Active Directory
Administration Tools and run the Active Directory Users and Computers tool on the EC2 instance that you launched to
enable the account and create a new password. You should always use long and complex values for your passwords.

Conclusion
This post has shown you how to easily migrate existing identities in your Active Directory to a Simple AD by using the
csvde tool. Using this tool also allows you to perform a bulk import of your identities. With the ability to quickly create
Simple AD directories in a matter of minutes and create a copy of all your identities, you can start to establish an
environment that is similar to your current setup.

You can post comments below, or visit the AWS Directory Service forum to post comments and questions.

– Chen

TAGS: Amazon EC2, csvde, Directory Service, Simple AD, Windows PowerShell
© 2016, Amazon Web Services, Inc. or its affiliates. All rights reserved.

https://aws.amazon.com/blogs/security/how-to-migrate-your-microsoft-active-directory-users-to-simple-ad/ 3/3
