
JSI Tip 3368. LDIFDE does NOT import users from trusted domains?

When you use the LDIFDE utility to export and then import users or groups for Windows 2000 domains, users from trusted domains are NOT added back to the Windows 2000 domain groups.

If you run the import in Verbose mode, you receive the message "The object does not exist." LDIFDE then ignores the object.

Users from trusted domains are automatically added to the FSP (Foreign Security Principals) container, which stores the SID and logon name. When you export users from trusted domains, they are exported like:

member: CN=S-1-5-21-1656841636-584466940-1124750213-1006,CN=ForeignSecurityPrincipals,DC=sales,DC=jsiinc,DC=com

A domain user is exported like:

member: CN=JohnDoe,CN=Users,DC=sales,DC=jsiinc,DC=com

If you rebuild the domain, the FSP container does NOT contain the required objects, and the import fails.

To work around this behavior, export all the objects in the FSP container. Import these objects before you import users or groups.
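A pre-import check for the workaround above, as an added example that is not part of the original tip: it parses a group export and an FSP container export and reports group members under CN=ForeignSecurityPrincipals that the FSP export does not contain. The sample LDIF text, the SalesAdmins group and the SID ending in -1007 are constructed, and the function names are hypothetical.

```python
import base64
import re

# Constructed sample exports; DNs follow the tip's example domain.
GROUPS_LDIF = """\
dn: CN=SalesAdmins,CN=Users,DC=sales,DC=jsiinc,DC=com
changetype: add
objectClass: group
member: CN=JohnDoe,CN=Users,DC=sales,DC=jsiinc,DC=com
member: CN=S-1-5-21-1656841636-584466940-1124750213-1006,CN=ForeignSecurityPr
 incipals,DC=sales,DC=jsiinc,DC=com
member: CN=S-1-5-21-1656841636-584466940-1124750213-1007,CN=ForeignSecurityPrincipals,DC=sales,DC=jsiinc,DC=com
"""
FSP_LDIF = """\
dn: CN=S-1-5-21-1656841636-584466940-1124750213-1006,CN=ForeignSecurityPrincipals,DC=sales,DC=jsiinc,DC=com
changetype: add
objectClass: foreignSecurityPrincipal
"""

def parse_ldif(text):
    """Return a list of entries, each a list of (attribute, value) pairs."""
    # LDIF folding: a line that starts with one space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", text)
    entries, current = [], []
    for line in unfolded.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):           # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.append((attr.lower(), value.strip()))
    return entries

def is_fsp(dn):
    return ",cn=foreignsecurityprincipals," in dn.lower()

def missing_fsp_members(groups_ldif, fsp_ldif):
    """Map group DN -> FSP member DNs that are absent from the FSP export."""
    have = {v.lower() for e in parse_ldif(fsp_ldif) for a, v in e if a == "dn"}
    missing = {}
    for entry in parse_ldif(groups_ldif):
        dn = next((v for a, v in entry if a == "dn"), None)
        gaps = [v for a, v in entry
                if a == "member" and is_fsp(v) and v.lower() not in have]
        if dn and gaps:
            missing[dn] = gaps
    return missing

if __name__ == "__main__":
    for group, members in missing_fsp_members(GROUPS_LDIF, FSP_LDIF).items():
        print(group, "->", members)
```

Any member it reports would hit the "The object does not exist" case on import and be dropped from the group.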

NOTE: You might want to try Ideal Migration and Advanced Ideal Administration for your import/export and administration chores.
