MoveTree is the main tool (and the only standard one, if you exclude the Active Directory Migration Tool) that allows administrators to reconstruct AD-based domains which belong to the same forest. This tool can move both single Active Directory objects and entire containers (OU) from one domain to another. The following objects are supported:
Users (the passwords are preserved)
Empty domain local and global groups
Universal groups (all members are preserved)
Organizational units (with or without contents)
You cannot use MoveTree to move computer accounts, system objects, or domain controllers.
If you prefer GUI tools, try the Active Directory Migration Tool (ADMT), which has many additional options when compared to MoveTree. ADMT version 2.0 can be controlled from scripts.
The documentation on MoveTree in the Support Tools Help fails to mention the most important restriction of the tool: the target domain must be in native mode. Only native-mode domains support the slDHistory attribute (updateable by the tool) for the security principals. You may not consider this fact to be a limitation, but do not forget about it while working with mixed mode domains!
Revise data (such as user profiles, logon scripts, etc.) associated with user objects being moved. These data are not moved, although the user objects preserve all settings. You might need to re-create shared volumes or copy user data, such as logon scripts, before users will be able to successfully log on to the new domain.
The syntax of MoveTree is quite simple: you must specify the source and destination of an operation, as well as the operation's type. Practically all parameters are mandatory. MoveTree has two "modes":
The test mode that checks many conditions without really moving any object
The working mode that initiates or continues a move operation
Moving OUs with all their child objects is arguably the most attractive feature of MoveTree. You must take into consideration the fact that when an OU is moved, it retains all links with Group Policy Objects (GPOs) assigned to this OU. It is necessary to re-create these GPOs in the new domain, and break the links with GPOs from the old domain.
Suppoce, for example, we would like to move the Personnel OU from the net.dom domain to the subdom.net.dom domain and rename it Staff. You must have appropriate privileges in both source and target domains. The following "test mode" command checks whether this operation is carried out correctly (you might also need to provide administrative credentials for the destination domain):
C:\>movetree /check /s netdc1.net.dom /d netdc2.subdom.net.dom /sdn OU=Personnel, DC=net, DC=dom /ddn OU=Staff, DC=subdom, D=net, DC=dom
Notice that the destination OU name differs from the source OU name. Suppose you got the following messages:
MOVETREE PRE-CHECK FINISHED. MOVETREE DETECTED THERE ARE SOME OBJECTS CAN NOT BE MOVED. PLEASE CLEAN THEM UP FIRST BEFORE TRYING TO START THE MOVE TREE OPERATION. READ movetree.chk FOR DETAILS.
The movetree.chk file (in the same folder where the command has been executed) always contains diagnostics messages for each step of the command execution (successful operations have the "0x0" code). This file is generated for each check or successful move operation. (You may also specify the /verbose parameter with the command, and all detailed diagnostics will be displayed on the console.) You can easily locate the problem and source of an error (marked here in bold), for example:
ReturnCode: 0x0 The operation completed successfully.MoveTree check destination RDN conflict for object: OU=Personnel,DC=net,DC=dom ReturnCode: 0x0 The operation completed successfully.MoveTree cross domain move check for object: OU=Personnel,DC=net,DC=dom ... ReturnCode: 0x212d Can't move objects with memberships across domain boundaries as once moved, this would violate the membership conditions of the account group. Remove the object from any account group memberships and retry.MoveTree cross domain move check for object: CN=Dan,OU=Personnel, DC=net, DC=dom ...
With the Windows 2000 version of MoveTree, you will get the 0x212d error if you try to move a computer account (a single account or an account included in an OU). The Windows .NET version of MoveTree reports the 0x2081 error just when a move operation is really performed. Use NetDom or ADMT for moving computers.
If you delete the reported user object (cn=Dan) from any domain local or global security group (excluding universal groups and the primary group — Domain Users) and repeat the command, you will get the following result:
MOVETREE PRE-CHECK FINISHED. MOVETREE IS READY TO START THE MOVE OPERATION.
The movetree.err file will be empty in this case.
This means that the command has found no errors, and the move operation has a chance to succeed. Now you can complete the move operation by replacing the /check parameter with either the /startnocheck or /start parameter. All diagnostic messages are always written to the movetree.log file located in the current folder.
The "test mode" (with the /check parameter) does not guarantee that the operation will not fail. For example, the following error ("Insufficient access rights to perform the operation") may appear only in the "working mode":
MOVETREE FAILED. 0x2098 READ movetree.err FOR DETAILS.
After directory objects have been moved, force replication or wait until replication is completed. The Infrastructure operations master and Global Catalog must be updated. Otherwise, some changes in the domains may not be "understood" in the forest.
If for some reason a move operation fails to complete, any remaining objects are placed to the LostAndFound container in the source domain. For example, in the Windows .NET environment, such a situation can occur if you try to move an OU containing computer accounts. To solve this problem, view the operation log, delete or move conflicting objects from the LostAndFound container, and restart the operation using the /continue parameter. When the move operation is successfully completed, this container will be empty (if there are no failed operations that move other directory objects).
The destination container must already exist before a user or group account is moved. The object can be renamed when moving; you only need to specify the appropriate distinguished names along with the /sdn and /ddn parameters.
Local and global groups must be empty when moved. (Only universal groups retain all their members when moved.) Otherwise, a message similar to the following will appear in the movetree.chk file:
ERROR: 0x2132 Cross-domain move of non-empty account groups is not allowed. MoveTree object CN=GlobalGroup,OU=Staff,DC=net,DC=dom failed the Cross Domain Move Check
ERROR: 0x2133 Cross-domain move of non-empty resource groups is not allowed. MoveTree object CN=LocalGroup,OU=Staff,DC=net,DC=dom failed the Cross Domain Move Check