AWS Security Blog
How to Migrate Your Microsoft Active Directory Users to Simple AD or AWS Managed Microsoft AD
July 21, 2020: We’ve updated this post to include AWS Managed Microsoft AD, as well as Simple AD.
AWS Directory Service allows you to create a standalone, highly available AWS-managed directory called Simple AD in a matter of minutes. With Simple AD, you can centrally manage user accounts and group memberships for Amazon EC2 instances joined to a domain. It also allows you to use a single set of credentials to log in across all EC2 instances as well as provide authentication to your applications. For more information about Simple AD, see Simple Active Directory in the documentation.
In this blog post, I will talk about the commands to use when migrating identities from a directory such as Microsoft Active Directory to Simple AD.
Important note: Before making changes to your Simple AD directory, it is important to keep snapshots as a backup. If you need to create a snapshot of your directory now, follow these instructions.
Migrating to Simple AD or AWS Managed Microsoft AD
You can easily migrate existing identities from your Active Directory to Simple AD or AWS Managed Microsoft AD. Additionally, if you have been testing out Simple AD with our free trial, you can also migrate those identities to your production Simple AD or AWS Managed Microsoft AD by following the steps in this post. You can perform this migration by using csvde, which is a command-line tool that imports and exports data from Active Directory by using comma-separated value (CSV) files.
Note: As a security measure, passwords are not migrated using csvde. You will have to set new passwords for the accounts that are created on the new domain.
Step 1: Install AD DS tools in order to use csvde
Ensure that you have an EC2 Windows Server 2012 or newer instance that is joined to your Simple AD or to your AWS Managed Microsoft AD. Log in with a user that can install roles or features on the Windows instance and can create objects in the domain, such as the Administrator account (Simple AD) or the Admin account (AWS Managed Microsoft AD). You’ll need to run the command in this step on the EC2 Windows instance that you’ve set up. Your existing Active Directory should have the tools installed already, but you can run the same command if the tools do not appear.
Open Windows PowerShell and run the following command to get the Active Directory tools that include csvde.
> Install-WindowsFeature RSAT-ADDS-Tools
Step 2: Export identities from your existing Active Directory (or Simple AD / AWS Managed Microsoft AD)
Run the following command from your Domain Controller running Active Directory to export your user identities to a file.
> csvde -f users.csv -l "DN, objectclass, objectcategory, givenName, sn, name, samAccountName, displayname" -r "(&(objectClass=user)(objectCategory=person))"
Using the -l flag allows you to choose specific attributes to export. You can add additional options if you would like to include other information about your objects. You can review the entire list of attributes available for user objects.
Step 3: Import identities into Simple AD or AWS Managed Microsoft AD
Copy the users.csv file to the EC2 instance that is joined to the Simple AD or AWS Managed Microsoft AD. Before importing the identities, open the users.csv file and review the content. Remove the lines for users such as Administrator, Guest, and krbtgt, because they already exist by default in all directories, and keep only the lines for the users that you want to exist in the new directory. If you are importing the identities into a domain with a different domain name, you will also need to update values such as DN and objectCategory, because they reference the old domain name.
The following sample shows a .csv file with one user account.
DN,objectClass,name,sAMAccountName,objectCategory,displayName,givenName,sn,userPrincipalName
"CN=John Doe,CN=Users,DC=example,DC=com",user,John Doe,johndoe,"CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com",John Doe,John,Doe,johndoe@example.com
Before importing the users into your AWS Managed Microsoft AD, modify the users.csv file to ensure the users are imported into the correct Organizational Unit (OU). This step is required because the “Admin” account in your AWS Managed Microsoft AD has permissions only in the pre-provisioned OU for your directory.
Note: This modification to the .csv is only required when importing users into AWS Managed Microsoft AD.
The following sample shows a .csv from Simple AD [Domain name: sad.com]
DN,objectClass,name,sAMAccountName,objectCategory,givenName,displayName
"CN=User01,CN=Users,DC=sad,DC=com",user,User01,User01,"CN=Person,CN=Schema,CN=Configuration,DC=sad,DC=com",User01,User01
"CN=User02,CN=Users,DC=sad,DC=com",user,User02,user02,"CN=Person,CN=Schema,CN=Configuration,DC=sad,DC=com",User02,User02
The following sample shows a modified .csv before importing it into AWS Managed Microsoft AD [Domain name: mad.com]
DN,objectClass,name,sAMAccountName,objectCategory,givenName,displayName
"CN=User01,OU=Users,OU=MAD,DC=mad,DC=com",user,User01,User01,"CN=Person,CN=Schema,CN=Configuration,DC=mad,DC=com",User01,User01
"CN=User02,OU=Users,OU=MAD,DC=mad,DC=com",user,User02,User02,"CN=Person,CN=Schema,CN=Configuration,DC=mad,DC=com",User02,User02
Note the difference in the Distinguished Names (DN) and in the objectCategory values between the two files.
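As an added example that is not part of the original post, the following PowerShell performs the edit described above instead of doing it by hand: it drops the Administrator, Guest and krbtgt rows and re-homes each DN and objectCategory from the Users container of sad.com to the pre-provisioned OU in mad.com. The file names and the assumption that every exported user sits directly under CN=Users are mine; the domain names and OU path are the post's sample values.

```powershell
# Added example (not from the original post): re-home exported users for a
# different domain/OU and drop the built-in accounts the post says to remove.
# Domain names and the OU path are the post's sample values; file names are assumed.
param(
    [string]$InPath       = '.\users.csv',
    [string]$OutPath      = '.\users-mad.csv',
    [string]$OldDomainDn  = 'DC=sad,DC=com',     # source directory (sad.com)
    [string]$NewDomainDn  = 'DC=mad,DC=com',     # target directory (mad.com)
    [string]$OldContainer = 'CN=Users',          # default Users container in the source
    [string]$NewContainer = 'OU=Users,OU=MAD'    # pre-provisioned OU the Admin account can write to
)

# These principals exist in every directory already; importing them would fail.
$builtIn = @('Administrator', 'Guest', 'krbtgt')

$rows   = @(Import-Csv -Path $InPath)
$parent = "$OldContainer,$OldDomainDn"

$rewritten = foreach ($row in $rows) {
    if ($builtIn -contains $row.sAMAccountName) { continue }

    # Only rewrite DNs that actually sit under the expected container; anything
    # else (custom OUs, typos) is reported rather than silently imported elsewhere.
    if (-not $row.DN.EndsWith($parent, [System.StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "Skipping $($row.sAMAccountName): DN '$($row.DN)' is not under $parent"
        continue
    }

    # "CN=User01,CN=Users,DC=sad,DC=com" -> "CN=User01,OU=Users,OU=MAD,DC=mad,DC=com"
    $rdn    = $row.DN.Substring(0, $row.DN.Length - $parent.Length)   # "CN=User01,"
    $row.DN = "$rdn$NewContainer,$NewDomainDn"

    # objectCategory points at the schema of the old forest; move it to the new one.
    $row.objectCategory = $row.objectCategory -replace ([regex]::Escape($OldDomainDn) + '$'), $NewDomainDn
    $row
}

# csvde reads ANSI by default; pass -u on the csvde command line if you export Unicode instead.
$rewritten | Export-Csv -Path $OutPath -NoTypeInformation
"Kept $(@($rewritten).Count) of $($rows.Count) rows; wrote $OutPath"
```

Open the resulting file and compare it with the samples above before running the import; any row the script warned about still needs a manual decision.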
Enter the following command on the EC2 instance that is joined to the Simple AD or AWS Managed Microsoft AD to import users from the .csv file.
> csvde -i -f .\users.csv
After the users have been imported, they will be disabled and require a password. You can install the Active Directory Administration Tools and run the Active Directory Users and Computers tool on the EC2 instance that you launched to enable the account and create a new password. You should always use long and complex values for your passwords.
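As an added example that is not part of the original post, the following PowerShell scripts the enable-and-set-password step for every account in the imported file, using a randomly generated temporary password that the user must change at first logon. It assumes the ActiveDirectory module is installed (Install-WindowsFeature RSAT-AD-PowerShell) and that the CSV file name matches the one you imported.

```powershell
# Added example (not from the original post): enable each imported account with a
# freshly generated temporary password that must be changed at first logon.
# Assumes the ActiveDirectory module (RSAT-AD-PowerShell) and the CSV you imported.
Import-Module ActiveDirectory

$imported = @(Import-Csv -Path '.\users-mad.csv')   # file name is assumed

foreach ($row in $imported) {
    # 24 random bytes, base64-encoded: 32 characters of letters, digits, '+' and '/',
    # well beyond any domain complexity policy and never derived from the user name.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPassword = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString -String $tempPassword -AsPlainText -Force

    Set-ADAccountPassword -Identity $row.sAMAccountName -Reset -NewPassword $secure
    Set-ADUser -Identity $row.sAMAccountName -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $row.sAMAccountName

    # Deliver the temporary value to the user out of band; do not write it back to a file.
    [pscustomobject]@{ User = $row.sAMAccountName; TempPassword = $tempPassword }
}
```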
Conclusion
This post has shown you how to easily migrate existing identities in your Active Directory to a Simple AD by using the csvde tool. Using this tool also allows you to perform a bulk import of your identities. With the ability to quickly create Simple AD directories in a matter of minutes and create a copy of all your identities, you can start to establish an environment that is similar to your current setup.
– Chen