Active Directory

Active Directory data export - how to do it right?

Necessary :
​​Transfer accounts of computers, users, groups, divisions from domain controller1 to domain controller2 .
The forests are identical. Controller1 (physical server - the actual server of the company) and controller2 (virtual server - mockup for testing) have the same names, but they are in different networks and do not know about each other's existence. Controller2 has its own duplicate brother (also virtual). A network without subdomains must be organized (as it is now).
A simple AD migration is discarded under the pretext that the current server in AD has "a lot of jambs and it is very dirty".
At the moment, it was possible to copy the departments and users of these departments. User records are all disabled and passwordless. You need to enable them en masse. there are about 500 user records + about 500 computer records, and how a huge pile of all sorts of groups should be.
The export of divisions looked like this:

ldifde -f exportOu.ldf -s kontora -d "dc=kontora,dc=ru" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou"

The account export looks like this:

ldifde -f Exportuser.ldf -s kontora -d "dc=kontora,dc=ru" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"

Confused about LDAP filtering. Plus, with other filters, it gives an error in the presence of a log. I can not figure out how to work with the magazine.