The MoveTree utility is a core tool for use in intra-forest restructures. In this lesson, you'll learn how to obtain and use it.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
MoveTree is used from the command line to move a tree of objects within an Active Directory forest. Because you installed the Support Tools from the Windows 2000 Server CD-ROM earlier in this chapter, the MoveTree tools can be found in the Support Tools folder on the Programs menu of the Start menu.
MoveTree can be scripted to allow administrators to move objects such as users and OUs between domains in a single forest. It is best used in conjunction with other migration utilities to support a domain consolidation or restructure of an existing forest. It updates the SIDHistory property of migrated objects so that you don't need to reapply permissions on objects that are accessed by the migrated users. The source domain for a MoveTree operation must be a native-mode or mixed-mode Windows 2000 domain, and the destination domain must be a native-mode Windows 2000 domain in the same forest.
The MoveTree command has the following syntax, which is explained in Table 9.10.
MoveTree [/start | /continue | /startnocheck] [/s SrcDSA] [/d DstDSA] [/sdn SrcDN] [/ddn DstDN] [/u Dom\User] [/p password] [/quiet | /verbose]
Table 9.10 MoveTree Command Options
[/start | /continue | /startnocheck] | /start starts MoveTree with the /check option so that the move is checked before it starts; /continue continues a previously failed operation; /startnocheck starts MoveTree without a check. |
[/s SrcDSA] | SrcDSA is the fully qualified DNS name of the source server; for example, /s migrate1.migrate.microsoft.com |
[/d DstDSA] | DstDSA is the fully qualified DNS name of the destination server; for example, /d trainkit.microsoft.com |
/sdn SrcDN | SrcDN is the distinguished name of the source. Note that the distinguished name can include OUs; for example, /sdn OU=migrate,DC=trainkit,DC=microsoft,DC=com denotes the Migrate OU in the trainkit.microsoft.com domain. |
/ddn DstDN | DstDN is the distinguished name of the destination. Note that the distinguished name can include OUs; for example, /ddn OU=marketing,DC=microsoft,DC=com denotes the Marketing OU in the microsoft.com domain. |
/u Dom\User | Dom\User is the optional domain name and user account name to be used for the operation; for example, /u trainkit\administrator denotes the administrator account in the trainkit domain. |
/p password | If the /u option is given, the password is also required. |
[/quiet | /verbose] | The /verbose option produces additional diagnostic output; the /quiet option does not. |
MoveTree produces a file called MoveTree.err that contains any error messages it produces.
MoveTree is most applicable at the end of a migration, to tidy up by moving users from one domain to another in the same forest, or when a decision is made to migrate all the domains in the same forest into a single large domain. If there are a lot of domains to consolidate and move into OUs, MoveTree can be scripted to perform this operation.
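The following PowerShell sketch shows one way to script such a consolidation with the options from Table 9.10. It is an added example, not part of the original lesson or of the Support Tools. The server names and DNs are constructed placeholders. It assumes that MoveTree.err is written to the current directory, and it leaves out /u and /p so that no password is stored in the script or shown on the command line, which assumes the logged-on account already has the rights to perform the move.

```powershell
# Added example: scripted MoveTree run driven by a source-to-destination map.
# All server and DN values below are constructed placeholders.
param([switch]$Execute)   # without -Execute the script only prints the commands

$SrcDsa = 'dc1.child.example.com'   # constructed source server FQDN
$DstDsa = 'dc1.example.com'         # constructed destination server FQDN
$Moves  = @(                        # constructed OU mapping
    @{ Src = 'OU=Sales,DC=child,DC=example,DC=com';   Dst = 'OU=Sales,DC=example,DC=com' },
    @{ Src = 'OU=Support,DC=child,DC=example,DC=com'; Dst = 'OU=Support,DC=example,DC=com' }
)

function Get-MoveTreeArgs {
    param([string]$SrcDN, [string]$DstDN)
    # Accept only a plain list of OU=/CN=/DC= components, so a malformed map
    # entry cannot be mistaken for a switch such as /p (conservative check:
    # DNs containing escaped commas, quotes or slashes are rejected too).
    $dn = '^(?:(?:OU|CN|DC)=[^,/"]+)(?:,(?:OU|CN|DC)=[^,/"]+)*$'
    foreach ($v in $SrcDN, $DstDN) {
        if ($v -notmatch $dn) { throw "Not a valid DN: $v" }
    }
    # /start runs the check pass first; /u and /p are deliberately omitted.
    return @('/start', '/s', $SrcDsa, '/d', $DstDsa,
             '/sdn', $SrcDN, '/ddn', $DstDN, '/verbose')
}

foreach ($m in $Moves) {
    $mtArgs = Get-MoveTreeArgs -SrcDN $m.Src -DstDN $m.Dst
    if (-not $Execute) { Write-Output ('movetree ' + ($mtArgs -join ' ')); continue }

    # Clear the previous error file so stale errors are not misread.
    # Assumption: MoveTree.err is created in the current directory.
    Remove-Item -Path .\MoveTree.err -ErrorAction SilentlyContinue
    & movetree.exe @mtArgs

    $err = Get-Item -Path .\MoveTree.err -ErrorAction SilentlyContinue
    if ($err -and $err.Length -gt 0) {
        Get-Content -Path $err.FullName
        throw "MoveTree reported errors for $($m.Src); fix the cause, then resume with /continue."
    }
}
```

Run it once without -Execute to review the generated command lines, then again with -Execute to perform the moves; the loop stops at the first move that leaves a non-empty MoveTree.err.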
Because of the limitations of the MoveTree command, it is best used in conjunction with some of the scripts or management tools, such as the Remote Administration Scripts (included in the Microsoft Windows 2000 Server Resource Kit). For example, these are some of the objects that can't be moved using MoveTree:
MoveTree might also fail because of some of the following error conditions:
IMPORTANT
ADMT and MoveTree allow you to move a user without any closed set restrictions; however, if you don't move the object in a closed set, you'll lose access to resources in the source domain.
In this lesson, you learned that MoveTree is a tool used for intra-forest restructures and can be obtained from your Windows NT Server CD.