Lesson 7: Using MoveTree in a Restructure
The MoveTree utility is a core tool for use in intra-forest restructures. In this lesson, you'll learn how to obtain and use it.
After this lesson, you will be able to
- Identify when to use the MoveTree tool.
- Identify the strengths and weaknesses of the tool.
Estimated lesson time: 30 minutes
MoveTree is used from the command line to move a tree of objects within an Active Directory forest. The MoveTree tools can be found in the Support Tools folder on the Programs menu of the Start menu, because you installed the Support Tools from the Windows 2000 Server CD-ROM earlier in this chapter.
MoveTree can be scripted to allow administrators to move objects such as users and OUs between domains in a single forest. It is best used in conjunction with other migration utilities to support a domain consolidation or restructure of an existing forest. It updates the SIDhistory property of migrated objects so that you don't need to reapply permissions on objects that are accessed by the migrated users. The source domain for a MoveTree operation must be a native or mixed mode Windows 2000 domain, and the destination domain must be a native-mode Windows 2000 domain in the same forest.
The MoveTree command has the following syntax, which is explained in Table 9.10.
MoveTree [/start | /continue | /startnocheck] [/s SrcDSA] [/d DstDSA] [/sdn SrcDN] [/ddn DstDN] [/u Dom\User] [/p password] [/quiet | /verbose]
Table 9.10 MoveTree Command Options
| [/start /continue /startnocheck] | /start starts MoveTree with the /check option so that the move is checked before it starts; /continue continues a previously failed operation; /startnocheck starts MoveTree without a check. |
| [/s srcDSA] | srcDSA is the fully qualified DNS name of the source server; for example, /s migrate1.migrate.microsoft.com |
| [/d dstDSA] | dstDSA is the fully qualified DNS name of the destination server; for example, /d trainkit.microsoft.com |
| /sdn SrcDN | SrcDN is the distinguished name of the source. Note that the distinguished name can include OUs; for example, /sdn OU=migrate,DC=trainkit,DC=microsoft,DC=com This denotes the Migrate OU in the trainkit.microsoft.com domain. |
| /ddn DstDN | DstDN is the distinguished name of the destination. Note that the distinguished name can include OUs; for example, /ddn OU=marketing, DC=microsoft,DC=com denotes the Marketing OU in the microsoft.com domain. |
| /u Dom\User | Dom\User is the optional domain name and user account name to be used for the operation; for example, /u trainkit\administrator denotes the administrator account in the trainkit domain. |
| /p password | If the /u option is given, the password is also required. |
| [/quiet | /verbose] | Verbose is the option that produces additional diagnostic output; the /quiet option does not. |
MoveTree produces a file called MoveTree.err that contains any error messages it produces.
When to Use MoveTree
MoveTree is most applicable at the end of a migration, to tidy up moving users from one domain to another in the same forest or when a decision is made to migrate all the domains in the same forest into a single large domain. If there are a lot of domains to consolidate and move into OUs, MoveTree can be scripted to perform this operation.
Limitations of MoveTree
Because of the limitations of the MoveTree command, it is best used in conjunction with some of the scripts or management tools, such as the Remote Administration Scripts (included in the Microsoft Windows 2000 Server Resource Kit). For example, these are some of the objects that can't be moved using MoveTree:
- Objects in the special containers: Builtin, ForeignSecurityPrincipal, System, LostAndFound
- Computer objects such as domain controllers or any object whose parent is a domain controller
- Any object in the source that has the same name as an existing object in the target domain
- Any object containing associated data that exists externally to Active Directory such as policies, profiles, logon scripts, and users' personal data
- Local group objects
- System objects (identified by the objectClass being marked as systemOnly)
- Objects in the configuration or schema naming contexts
MoveTree might also fail because of some of the following error conditions:
- The source object is locked because of another operation in progress. (For example, if another user is currently creating child objects under the source object that is selected for the move operation.)
- Either the source or destination domain have invalid administrator credentials.
- The destination knows the source object is deleted but the source does not. (For example, the source object had been deleted on a different domain controller, but because of replication latency, the source domain controller has not yet received the deletion event.)
- There is a failure at the destination domain controller (for example, Disk Full).
- A SAM constraint is met, such as a duplicate user account name or OU, or the source object password length doesn't meet the password restrictions in the target domain.
- The source and destination have a schema mismatch.
IMPORTANT
ADMT and MoveTree allow you to move a user without any closed set restrictions; however, if you don't move the object in a closed set, you'll lose access to resources in the source domain.
Lesson Summary
In this lesson, you learned that MoveTree is a tool used for intra-forest restructures and can be obtained from your Windows NT Server CD.
EAN: 2147483647
Pages: 126