Recipe 15.12. Moving an Object to a Different Domain

Problem

You want to move an object to a different domain within the same forest.

Solution

Using a command-line interface
> movetree /start /s SourceDC /d TargetDC /sdn SourceDN /ddn TargetDN

In the following example, the cn=jsmith object in the amer.rallencorp.com domain will be moved to the emea.rallencorp.com domain:

> movetree /start /s dc-amer1 /d dc-emea1 /sdn cn=jsmith,cn=users,dc=amer,dc=rallencorp,dc=com /ddn cn=jsmith,cn=users,dc=emea,dc=rallencorp,dc=com

Using VBScript
set objObject = GetObject("LDAP://TargetDC/TargetParentDN")
objObject.MoveHere "LDAP://SourceDC/SourceDN", vbNullString

In the following example, the cn=jsmith object in the amer.rallencorp.com domain will be moved to the emea.rallencorp.com domain:

' Bind to the parent container in the target domain (emea) on the target DC,
' then pull the object over from the source domain (amer) via its source DC.
set objObject = GetObject( _
   "LDAP://dc-emea1/cn=users,dc=emea,dc=rallencorp,dc=com")
objObject.MoveHere _
   "LDAP://dc-amer1/cn=jsmith,cn=users,dc=amer,dc=rallencorp,dc=com", _
   vbNullString

Discussion

You can move objects between domains assuming you follow a few guidelines:

  • The user requesting the move must have permissions to modify objects in the parent container of both domains.

  • You need to explicitly specify the target DC (serverless binds usually do not work). This is necessary because the "Cross Domain Move" LDAP control is being used behind the scenes.

  • The move operation must be performed against the RID master for both domains. This makes the move a single-master operation, which prevents conflicts (i.e., the same object being moved to two different domains from different DCs).

  • Both domains must be in native mode.

  • When you move a user object to a different domain, its objectSID is replaced with a new SID (based on the new domain), and the old SID is added to the sIDHistory attribute.

  • For group objects, you can move only universal groups. To move global or domain local groups, you must first convert them to universal.
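The guidelines above, checked in script before the move is attempted and verified afterwards, as an added example that is not from the book. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, so not the Windows Server 2003 systems the recipe targets) and reuses the recipe's sample names.

```powershell
# Added example (not from the book): checks the recipe's guidelines before a
# cross-domain move, then performs the move with Move-ADObject from the
# ActiveDirectory module (Windows Server 2008 R2 or later; that module did not
# exist on the Windows Server 2003 / 2000 systems the recipe targets).
# Names are the recipe's sample values: cn=jsmith moving from amer to emea.
Import-Module ActiveDirectory

$SourceDomain = 'amer.rallencorp.com'
$TargetDomain = 'emea.rallencorp.com'
$SourceDn     = 'CN=jsmith,CN=Users,DC=amer,DC=rallencorp,DC=com'
$TargetParent = 'CN=Users,DC=emea,DC=rallencorp,DC=com'
$NewDn        = "CN=jsmith,$TargetParent"

# Guideline: perform the move against the RID master of each domain, so look
# them up rather than hard-coding DC names such as dc-amer1 / dc-emea1.
$src = Get-ADDomain -Identity $SourceDomain
$dst = Get-ADDomain -Identity $TargetDomain

# Guideline: both domains must be in native mode (modes that still admit
# NT 4.0 BDCs are rejected).
foreach ($d in $src, $dst) {
    $mode = $d.DomainMode.ToString()
    if (@('Windows2000MixedDomain', 'Windows2003InterimDomain') -contains $mode) {
        throw "$($d.DNSRoot) is in $mode; native mode is required"
    }
}

# Guideline: a group can only be moved if it is universal (groupType bit 0x8).
$obj = Get-ADObject -Identity $SourceDn -Server $src.RIDMaster -Properties groupType, objectSid
if ($obj.ObjectClass -eq 'group' -and -not ($obj.groupType -band 0x8)) {
    throw "$SourceDn is a global or domain local group; convert it to universal first"
}
$oldSid = $obj.objectSid.Value

# Guideline: name the DCs explicitly (serverless binds do not work because the
# Cross Domain Move LDAP control is used): -Server is the source RID master,
# -TargetServer the target domain's RID master.
Move-ADObject -Identity $SourceDn -TargetPath $TargetParent `
              -Server $src.RIDMaster -TargetServer $dst.RIDMaster

# Verify the SID rewrite described in the discussion: a new objectSid issued by
# the target domain, with the old SID preserved in sIDHistory.
$moved = Get-ADObject -Identity $NewDn -Server $dst.RIDMaster -Properties objectSid, sIDHistory
if ($moved.objectSid.Value -eq $oldSid) { throw 'objectSid was not replaced' }
$history = @($moved.sIDHistory | ForEach-Object { $_.Value })
if ($history -notcontains $oldSid) { throw 'old SID is missing from sIDHistory' }
"Moved $SourceDn to $NewDn; old SID $oldSid is now in sIDHistory"
```

The permissions guideline is not checked here, since the move itself fails with an access-denied error if the account lacks rights on either parent container.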

There is currently no direct method to move user accounts between domains in different forests. This requires a restructuring tool such as ADMT 2.0, which creates new objects rather than moving the original ones. You can download ADMT from http://download.microsoft.com.

See Also

Chapter 4 of Active Directory Cookbook (O'Reilly) for more on LDAP controls, MS KB 238394 (How to Use the MoveTree Utility to Move Objects Between Domains in a Single Forest), and MSDN: IADsContainer::MoveHere



Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen