Merging 4 Active Directories into one and avoiding data loss

Hello, I have the problem that I am merging four Active Directories into one. The structure is such that I have five Nextcloud instances, some of which have different login attributes. For example: (&(&(|(objectclass=person)))(samaccountname=%uid))
</grp_replace_placeholder_never_used>

I would now like to export the users from an old AD and put them into the new AD without causing data loss in the Nextcloud backend.

The new AD is a Windows Server 2022; the old AD servers are 2016. What I am currently trying is to export this using the ADMT tool. It says there that you should install the PES tool on the old (source) AD and then the ADMT tool on the new AD.
Does anyone have any experience with this or is there some kind of guideline?

I’ve already looked around the forum a bit and found the following from Mr. Vorderwaldler:

1. Create a backup of everything.
2. Have a local user available (e.g. the admin who is created during installation) who has admin rights.
3. Connect the new AD via the LDAP plugin.
4. Remove the old AD from the LDAP connection.
5. Shut down the Nextcloud briefly (stop web server + enter maintenance mode).
6. Get the SID of each Nextcloud user from the Active Directory.
7. Log into the database.
8. The oc_ldap_user_mapping table is your new friend.
9. Now send these commands per user:

Unfortunately, I can't figure this out because I don't really understand how to proceed here. If I delete the AD, for example, and enter the new one, I haven't yet exported the users from the old one to the new one. Do I retrieve the SIDs via PowerShell on the old AD? Please excuse all the questions in advance; I'm still new to Nextcloud.

Is my approach above with the ADMT tool correct?
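One way to carry out steps 6 to 9 of the procedure quoted above, as an added example that is not part of the original post and not Nextcloud's or ADMT's own tooling. It assumes hypothetical domain controllers dc01.old.example and dc01.new.example, that accounts are matched by sAMAccountName, that the Nextcloud LDAP config uses objectGUID as its UUID attribute (the usual default for AD; check the ldapExpertUUIDUserAttr value in `occ ldap:show-config`, and use the SID columns instead if it is objectSid), and the default table prefix oc_. The point of rewriting oc_ldap_user_mapping rather than re-creating users is that owncloud_name, the internal user id that oc_filecache, shares and app data reference, stays the same while only ldap_dn and directory_uuid move to the new directory; accounts migrated with ADMT receive a new objectGUID (and a new primary SID, with the old one at most kept in sIDHistory), so the old rows would otherwise no longer match.

```powershell
# Added example, not from the forum post. Builds an old-AD -> new-AD mapping for Nextcloud's
# oc_ldap_user_mapping table. Hostnames, search base and table prefix are assumptions.
Import-Module ActiveDirectory

$OldDc         = 'dc01.old.example'            # assumption: reachable source DC
$NewDc         = 'dc01.new.example'            # assumption: reachable target DC
$OldSearchBase = 'OU=Users,DC=old,DC=example'  # assumption: where the Nextcloud users live
$TablePrefix   = 'oc_'                         # assumption: Nextcloud default prefix

# Step 6: collect DN, SID and objectGUID for every user in the old AD.
# SID and ObjectGUID are part of Get-ADUser's default property set.
$oldUsers = Get-ADUser -Server $OldDc -SearchBase $OldSearchBase -Filter *

$mapping = foreach ($u in $oldUsers) {
    # Resolve the same account in the new forest. Get-ADUser throws when the
    # account does not exist there yet, so report it instead of emitting a broken UPDATE.
    try {
        $n = Get-ADUser -Server $NewDc -Identity $u.SamAccountName -ErrorAction Stop
    } catch {
        Write-Warning "no account '$($u.SamAccountName)' in new AD; migrate it first or map it by hand"
        continue
    }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldDN   = $u.DistinguishedName
        OldSID  = $u.SID.Value
        OldGUID = $u.ObjectGUID.ToString().ToUpper()
        NewDN   = $n.DistinguishedName
        NewSID  = $n.SID.Value
        NewGUID = $n.ObjectGUID.ToString().ToUpper()
    }
}

# Keep the mapping next to the backup from step 1 before touching the database.
$mapping | Export-Csv -Path .\nextcloud-ad-mapping.csv -NoTypeInformation

# Step 9: one UPDATE per user. The WHERE clause matches on the OLD uuid, so a row is only
# rewritten if it really belonged to that account; rows whose uuid is not found are left alone
# and show up as "0 rows affected" for review. Run the file inside a transaction, with
# Nextcloud in maintenance mode, and compare the column list with DESCRIBE first: newer
# releases add further columns (such as a hash of the DN) that may need updating too.
$sql = foreach ($m in $mapping) {
    $newDn = $m.NewDN -replace "'", "''"   # escape single quotes in the DN for SQL
    "UPDATE ${TablePrefix}ldap_user_mapping SET ldap_dn = '$newDn', directory_uuid = '$($m.NewGUID)' WHERE UPPER(directory_uuid) = '$($m.OldGUID)';"
}
$sql | Set-Content -Path .\nextcloud-ad-mapping.sql

# Sanity check before running the SQL: every exported user should have exactly one mapping row.
"{0} users mapped, {1} UPDATE statements written" -f $mapping.Count, $sql.Count
```

Nextcloud stores the GUID as a formatted string; the example upper-cases both sides so the comparison does not depend on case, but confirm the stored form against an existing row in your table before running the updates. Group mappings live in a separate table (oc_ldap_group_mapping) and need the same treatment if groups are migrated.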

Hello @twpping,

welcome to the Nextcloud community! :handshake:

I highly recommend you reach out to Nextcloud professional support as such requests are out of scope of this forum. The question is almost unrelated to Nextcloud as well.

In the end, the Nextcloud user is linked to the AD user using some attributes. As long as you manage to move the required attribute to the new directory it should work, but details might be challenging, e.g. it's not possible to copy/enforce some attributes like the SID for the new user.

From the Nextcloud POV you could try to fiddle with the DB (which is obviously not easy and unsupported), or you introduce some login middleware like Keycloak or Authentik and use them as the SSO instance. There you could customize login attributes (on both sides, the IdP and also the NC SSO app), so you could have a completely new AD user with the old login attribute stored in some extended property linked to an existing Nextcloud user.

Another approach could be to create a new Nextcloud user based on the new AD user and move the data using "transfer ownership" in the UI or via occ. This approach might be more work-intensive but could also result in a much cleaner system without many historical remnants.
