Configuring and Reconfiguring Domains and Organizational Units


Although it might seem that domains and OUs are fairly permanent objects, the truth of the matter is that objects can be moved quite freely within a forest. This freedom is valuable, but it should not be used as a crutch for a poor initial design. Moving objects can drastically change which Group Policy Objects apply to them, and it makes it harder for other administrators to find objects that have been relocated. Moving objects to another domain can also leave them without a local domain controller, with a corresponding increase in WAN traffic for authentication and directory lookups.

Moving Objects Between Domains

In an environment with multiple domains there will invariably be situations in which you need or want to move objects from one domain to another, whether because of domain consolidation or a reorganization within the company. Windows Server 2003 provides a tool for this function, MoveTree, which ships with the Support Tools. MoveTree.exe is a command-line utility that moves Active Directory objects such as organizational units, users, or groups between domains in a single forest. Not every object can be moved this way, however. Data that lives outside the directory, such as roaming profiles or logon scripts, is not moved. Computer objects are not moved during a MoveTree operation; they require the Active Directory Migration Tool (ADMT). Like ADMT, MoveTree requires that the target domain be in native mode: the moved object receives a new SID in the target domain and its old SID is recorded in the sIDHistory attribute, which only native-mode domains support. Until that history is cleaned up, ACLs in the old domain that name the old SID continue to grant access to the moved account.

When objects are moved via MoveTree, they are first placed in an orphan container under the Lost and Found container of the source domain and then moved to the destination domain. A file named MoveTree.log records every object that is moved, together with any error messages raised during the move. Objects that cannot be moved to the target domain are left behind in that orphan container. Domain local groups cannot be moved, and global groups can be moved only while they are empty. Memberships of the moved objects in universal and domain local groups are preserved, because those group types can contain principals from other domains; a global group in the source domain cannot hold accounts that now belong to the target domain, so any authorization that relied on such memberships must be checked after the move.

Usage of the MoveTree utility is as follows (/s and /d name the source and destination domain controllers, /sdn and /ddn the source and destination distinguished names, and /u and /p the credentials used for the move; running the same command with /check instead of /start validates the move without changing anything):

 MoveTree /start /s Server1 /d Server2 /sdn OU=SourceOU,DC=Dom1 /ddn OU=DestOU,DC=Dom2 /u Dom1\administrator /p *

The source and destination servers must be the RID masters for their respective domains. Otherwise an error is logged stating "ERROR: 0x2012 The requested operation could not be performed because the directory service is not the master for that type of operation."
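The following PowerShell script is an added example, not code from the book: it resolves the RID master of each domain from the directory instead of guessing, runs MoveTree in /check mode first, and only proceeds to /start after the operator has reviewed MoveTree.log. The domain names, distinguished names and the DOM1\administrator account are assumptions for illustration; movetree.exe must be on the PATH.

```powershell
# Added example: pre-flight checks for a MoveTree cross-domain move.
# Assumed names: dom1.example.com (source), dom2.example.com (target),
# OU=SourceOU and OU=DestOU, credentials DOM1\administrator.
Add-Type -AssemblyName System.DirectoryServices

function Get-RidMaster([string]$DomainName) {
    # Ask the directory which DC currently holds the RID master role for this domain.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    return $dom.RidRoleOwner.Name      # FQDN of the RID master, e.g. dc1.dom1.example.com
}

$srcDomain = 'dom1.example.com'
$dstDomain = 'dom2.example.com'
$srcServer = Get-RidMaster $srcDomain   # MoveTree logs 0x2012 if /s or /d is not the RID master
$dstServer = Get-RidMaster $dstDomain
$srcDn     = 'OU=SourceOU,DC=dom1,DC=example,DC=com'
$dstDn     = 'OU=DestOU,DC=dom2,DC=example,DC=com'
$account   = 'DOM1\administrator'

Write-Host "Source RID master: $srcServer"
Write-Host "Target RID master: $dstServer"

# 1. Dry run: /check validates the operation without moving anything.
& movetree /check /s $srcServer /d $dstServer /sdn $srcDn /ddn $dstDn /u $account /p *

# 2. Let the operator inspect MoveTree.log (objects that would be left in the orphan
#    container, unmovable groups, errors) before anything changes in the directory.
$answer = Read-Host 'Review MoveTree.log in the current directory. Type START to perform the move'
if ($answer -ne 'START') {
    Write-Warning 'Move aborted; nothing was changed.'
    return
}

# 3. Real move, using exactly the same servers and DNs that passed the check.
& movetree /start /s $srcServer /d $dstServer /sdn $srcDn /ddn $dstDn /u $account /p *
Write-Host 'Move submitted. Check MoveTree.log for errors and verify group memberships of the moved accounts.'
```

Running the check and the move with the same resolved server names avoids the common failure where the check is done against one DC and the move against another that does not hold the RID master role.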

When an organizational unit is moved to another domain, the GPO links on the OU move with it and continue to function, but the GPOs themselves still live in the source domain. Clients in the target domain must therefore contact a domain controller in the source domain to process those policies, which degrades logon and refresh performance and makes policy application depend on the trust and on the availability of the source domain. It is strongly recommended that each such GPO either be re-created in the target domain or exported via the Group Policy Management Console and imported into the target domain, and that the OU then be relinked to the local copy.
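As an added example (not from the book), the script below uses the GroupPolicy module to find links on a moved OU whose GPO still lives in the source domain, re-creates each such GPO in the target domain with Backup-GPO and Import-GPO (the GPMC export/import the text recommends), links the local copy at the same position, and then removes the cross-domain link. Domain names, the OU distinguished name and the backup path are assumptions.

```powershell
# Added example: re-home GPOs that a moved OU still links to in the source domain.
# Assumed: GroupPolicy module (GPMC) available, dom1.example.com is the source domain,
# dom2.example.com the target, and OU=DestOU is the OU that was moved.
Import-Module GroupPolicy

$targetDomain = 'dom2.example.com'
$movedOu      = 'OU=DestOU,DC=dom2,DC=example,DC=com'
$backupPath   = 'C:\GpoBackup'
New-Item -ItemType Directory -Force -Path $backupPath | Out-Null

# Each link on the OU records the domain in which the linked GPO is stored.
$links       = (Get-GPInheritance -Target $movedOu -Domain $targetDomain).GpoLinks
$crossDomain = $links | Where-Object { $_.GpoDomainName -ne $targetDomain }

if (-not $crossDomain) {
    Write-Host "No cross-domain GPO links on $movedOu"
    return
}

foreach ($link in $crossDomain) {
    Write-Host "Cross-domain link: '$($link.DisplayName)' stored in $($link.GpoDomainName) (order $($link.Order))"

    # Export from the source domain, import into the target (creating the GPO if needed).
    Backup-GPO -Name $link.DisplayName -Domain $link.GpoDomainName -Path $backupPath | Out-Null
    Import-GPO -BackupGpoName $link.DisplayName -Path $backupPath `
               -TargetName $link.DisplayName -Domain $targetDomain -CreateIfNeeded | Out-Null

    # Link the local copy at the same precedence with the same enforcement/enabled state.
    $enforced = if ($link.Enforced) { 'Yes' } else { 'No' }
    $enabled  = if ($link.Enabled)  { 'Yes' } else { 'No' }
    New-GPLink -Name $link.DisplayName -Domain $targetDomain -Target $movedOu `
               -Order $link.Order -Enforced $enforced -LinkEnabled $enabled | Out-Null

    # Drop the link to the foreign GPO so clients no longer need a DC in the source domain.
    Remove-GPLink -Name $link.DisplayName -Domain $link.GpoDomainName -Target $movedOu
    Write-Host "  re-homed '$($link.DisplayName)' into $targetDomain"
}
```

Security filtering, Restricted Groups and user-rights assignments inside the GPO still name principals and UNC paths from the source domain after the import; supply a migration table (the -MigrationTable parameter of Import-GPO) to translate them, or review the imported GPO before enabling the link.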

Moving Objects Between Organizational Units

Moving objects between organizational units is a simple way to keep a domain organized. End users do not normally see the OU structure, because it is not exposed in Explorer or the logon experience, so administrators can build and modify OUs without concern for how they will look to users. (Any authenticated user can still read the OU tree over LDAP, so OU names should not carry information you would not want disclosed.) Moving an object from one OU to another is as simple as right-clicking the object in Active Directory Users and Computers and choosing Move, which prompts for the destination OU or container. Multiple objects can be moved at the same time.

Because OUs are often used to delegate control of objects and to scope GPOs, you should understand what a move changes. Permissions assigned explicitly to an object are retained after the move. Permissions the object inherited from its previous container or OU no longer apply; instead, the object inherits the permissions set on its new OU or container, and it receives the GPOs linked at the new location. A move is therefore an authorization change: verify the object's effective permissions and resultant policy afterwards rather than assuming they are unchanged.
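The script below is an added example, not code from the book. It snapshots the ACEs on a user before an OU-to-OU move, performs the move with Move-ADObject, and then reports which ACEs survived, separating explicit entries (which should all be retained) from inherited ones (which are replaced by the new parent's). The user jdoe, the domain and the OU names are assumptions.

```powershell
# Added example: show what an OU move does to an object's ACL.
# Assumed: ActiveDirectory module (RSAT) loaded, user jdoe exists in dom2.example.com,
# and OU=Marketing is the destination.
Import-Module ActiveDirectory

function Get-AceSet([string]$Dn) {
    # Key each ACE by trustee, rights, allow/deny and object type so two snapshots compare cleanly.
    (Get-Acl -Path "AD:\$Dn").Access | ForEach-Object {
        [pscustomobject]@{
            Key       = "$($_.IdentityReference)|$($_.ActiveDirectoryRights)|$($_.AccessControlType)|$($_.ObjectType)"
            Inherited = $_.IsInherited
        }
    }
}

$destOu = 'OU=Marketing,DC=dom2,DC=example,DC=com'
$user   = Get-ADUser jdoe

$before = Get-AceSet $user.DistinguishedName
Move-ADObject -Identity $user.DistinguishedName -TargetPath $destOu
$after  = Get-AceSet (Get-ADUser jdoe).DistinguishedName   # DN changed, so re-read it

$beforeKeys = @($before.Key)
$afterKeys  = @($after.Key)

# Explicit ACEs travel with the object; losing one means something other than inheritance changed.
$lostExplicit    = @($before | Where-Object { -not $_.Inherited -and $afterKeys -notcontains $_.Key })
# Inherited ACEs are recomputed from the new parent: some from the old OU vanish, new ones appear.
$lostInherited   = @($before | Where-Object { $_.Inherited -and $afterKeys -notcontains $_.Key })
$gainedInherited = @($after  | Where-Object { $_.Inherited -and $beforeKeys -notcontains $_.Key })

"Explicit ACEs lost (expect 0): $($lostExplicit.Count)"
"Inherited ACEs dropped from the old OU: $($lostInherited.Count)"
$lostInherited   | ForEach-Object { "  - $($_.Key)" }
"Inherited ACEs gained from the new OU: $($gainedInherited.Count)"
$gainedInherited | ForEach-Object { "  + $($_.Key)" }
```

The "gained" list is the delegation the object is now subject to and is what a reviewer should read after any bulk move; the resultant set of policy changes in the same way and can be checked with gpresult on the affected machine or Get-GPResultantSetOfPolicy from the GroupPolicy module.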



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325