MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000

You move objects from one location to another when organizational or administrative functions change—for example, when an employee moves from one department to another. This lesson shows you how to move Active Directory objects within and between domains.

After this lesson, you will be able to

• Move objects within a domain
• Move objects between domains
• Move workstations or member servers between domains
• Move domain controllers between sites

Estimated lesson time: 20 minutes

Moving Objects

In the logical environment, you can move objects within and between domains in Active Directory. In the physical environment, you can move domain controllers between sites.

Moving Objects Within a Domain

To reduce administrative overhead, you can move objects with identical security requirements into an OU or container within a domain. You can then assign access permissions to the OU or container and all objects in it.

Follow these steps to move objects within a domain:

1. In Active Directory Users And Computers, select the object to move, and then from the Action menu, click Move.
2. In the Move dialog box (see Figure 19.6), select the OU or container to which you want the object to move, and then click OK.

The following conditions apply when you move objects between OUs or containers:

• Permissions that are assigned directly to objects remain the same.
• The objects inherit permissions from the new OU or container. Any permissions that were previously inherited from the old OU or container no longer affect the objects.
• You can move multiple objects at the same time.

Figure 19.6 The Move dialog box

NOTE

Moving Objects Between Domains

To support domain consolidation or organizational restructuring operations, Windows 2000 allows you to move objects between domains. The MOVETREE command-line utility is used to move Active Directory objects such as OUs, users, and groups between domains in a single forest, with some exceptions. This tool is available in Windows 2000 Support Tools. The Windows 2000 Support Tools are included on the Windows 2000 CD-ROM in the \SUPPORT\TOOLS folder.

The procedure for moving an object (whether it be a leaf object or the root object) involves taking an existing object and moving it below an existing parent. The distinguished name of the moved object reflects its new position in the hierarchy. The object's globally unique identifier (GUID) is unchanged by a move or rename.

As users and groups are migrated from one domain to another, they are given a new security identifier (SID). To preserve the security credentials of an account when it is moved from one domain to another, Windows 2000 supports SIDHistory, a security attribute available only in Windows 2000 Native mode. As users and groups are moved from one domain to another, to reduce the administrative overhead of resetting ACLs and ownership of resources, the old SID is added to the SIDHistory attribute for the new object. Whenever users log on, any SIDs present in their SIDHistory, or any SIDs present in the SIDHistory of a group of which the users are members, are added to their access token, and they are given permissions and ownership to any resources that they previously had.

MOVETREE allows an OU to be moved to another domain, keeping all of the linked group policy objects (GPOs) in the old domain intact. The GPO link is moved and continues to work, although clients receive their group policy settings from the GPOs located in the old domain.

Supported MOVETREE Operations

The following operations are supported with the MOVETREE utility:

• Move an object or a nonempty container to a different domain. Valid only within the same forest.
• Move Domain Local and Global groups between domains without members and within domains with members. Valid only within the same forest.
• Move Universal groups with members within and between domains. Valid only within the same forest.

Unsupported MOVETREE Operations

Some objects and information are not moved. Objects that are not moved are classified as orphaned objects and are placed in an "orphan" container in the LostAndFound container in the source domain. The LostAndFound container is visible in the Active Directory Users And Computers console in Advanced View. The orphan container is named using the GUID of the parent container being moved and it contains the objects that were selected for the MOVETREE operation. Specifically, objects and information that cannot be moved by using the MOVETREE utility are:

• Local and Domain Global groups that contain members. Universal group memberships remain intact so that security is not compromised.
• The domain join information for computer objects. The MOVETREE utility can move a computer object from one domain to another, along with its subordinate objects. However, the MOVETREE utility does not disjoin a computer from its source domain and rejoin it to the target domain. For this reason, the NETDOM utility is recommended to move computer objects.
• Associated object data. This includes group policies, user profiles, logon scripts, users' personal data, encrypted files, smart cards, and public key certificates. Group policies would need to be applied to the users, groups, or computers. New smart cards and certificates would need to be issued from the Certificate Authority (CA) in the new domain. Use additional scripts or management tools, such as the Remote Administration Scripts, in conjunction with MOVETREE, to perform these additional steps.
• System objects. Those objects identified by the objectClass being marked as systemOnly.
• Objects in the configuration or schema naming contexts.
• Objects in the special containers in the domain. Objects in the Builtin, ForeignSecurityPrincipals, System, and LostAndFound containers.
• Domain controllers or any object whose parent is a domain controller.
• Any object with the same name as an object that already exists in the target domain.

MOVETREE may fail due to some of the following error conditions:

• The source domain controller cannot transfer the relative ID master role owner.
• The source object is locked due to another operation in progress. For example, if another user is currently creating child objects under the source object that is selected for the move operation.
• Either the source or destination domain has invalid credentials.
• The destination knows the source object is deleted but the source does not. For example, the source object has been deleted on a different domain controller, but due to replication latency the source domain controller has not yet received the deletion event.
• There is a failure at the destination domain controller. For example, if the destination domain controller's disk is full.
• The source and destination have a schema mismatch.

Moving Users

Moving users between domains is supported with the following restrictions:

• If the user object contains any objects, the move operation fails. The user object must be a leaf object.
• If a security accounts manager (SAM) constraint is met, the move operation fails. SAM constraints include when the user's samAccountName already exists in the destination domain, or if the user's password length does not meet the password restrictions in the target domain.
• If the user object belongs to a Global group from the source domain, its membership is voided and the move operation fails. This is because a Global group can only have a member in the same domain, thereby preventing movement of any member of a Global group.

However, there is one exception: If the user object belongs to the Domain Users group (without belonging to any other Global groups) and the Domain Users group is this user object's Primary group, the move operation succeeds. It succeeds because when a user object is created, the system automatically places it into the Domain Users group and assigns the Domain Users group as its Primary group.

Moving Groups

Like users, groups can be moved between domains, with similar restrictions:

• If the group object contains any object, the move operation fails.
• If its membership and its reverse memberships do not fulfill the requirements of its type, the operation fails.
• If the group's samAccountName exists on the destination domain, the move operation fails.

Moving Objects Between Domains Using MOVETREE

Before using the MOVETREE utility, verify that you have the necessary privileges to perform this operation. For example, make sure that you are authorized to move and create objects in both the source and destination domains. The MOVETREE utility can be used from the command line and can be called from a batch file to script user and group creation.

Follow these steps to move objects between domains using MOVETREE:

1. Open a command prompt and type movetree {/start | /startnocheck | /continue | /check} /s SrcDSA /d DstDSA /sdn SrcDN /ddn DstDN [/u [Domain\]Username /p Password] [/verbose] [{/? | /help}]

   where:

   • /start initiates a MOVETREE operation. This command includes a /check operation by default. To start a MOVETREE operation with no check, use /startnocheck.
   • /continue continues the execution of a previously paused or failed MOVETREE operation.
   • /check performs a test run of the MOVETREE operation, checking the whole tree without moving any objects.
   • /s SrcDSA is the source server's fully qualified primary DNS name.
   • /d DstDSA is the destination server's fully qualified primary DNS name.
   • /sdn SrcDN is the distinguished name of the leaf, container, or subtree you are moving from the source domain.
   • /ddn DstDN is the distinguished name of the leaf, container, or subtree you are moving to the destination domain.
   • /u [Domain\]Username /p Password runs MOVETREE under the credentials of a valid Username and Password. Optionally, a Domain can be specified as well. If these optional arguments are not provided, MOVETREE uses the credentials of the currently logged-on user.
   • /verbose runs MOVETREE in Verbose mode, which displays more details about the operation as it runs (optional).
   • /? or /help displays syntax information.

MOVETREE Command Example

In the Marketing domain, there is a server called Server1 and an OU called Promotions. In the Sales domain, there is a server called Server2. The desired operation is to move the Promotions OU from Marketing to Sales and rename the new OU Sales Promotions. The MOVETREE command performs a test run, and then, if no errors are encountered, performs the move operation.

movetree /start /s Server1.Marketing.Reskit.Com /d Server2.Sales.Reskit.com /sdn OU=Promotions,DC=Marketing,DC=Reskit,DC=Com /ddn OU=Sales Promotions,DC=Sales,DC=Reskit,DC=Com

MOVETREE Log Files

The following log files are created after the MOVETREE operation. They are located in the directory where you performed the MOVETREE operation.

• MOVETREE.ERR lists any errors encountered during the MOVETREE operation.
• MOVETREE.LOG lists statistical results of the MOVETREE operation.
• MOVETREE.CHK lists any potential errors or conflicts detected during the move operation's precheck phase (or test phase).

Moving Workstations or Member Servers Between Domains

You can use NETDOM Windows 2000 Domain Manager support tool to move a workstation or member server from one domain to another. This tool is available in the Windows 2000 Support Tools. The Windows 2000 Support Tools are included on the Windows 2000 CD-ROM in the \Support\Tools folder.

Follow these steps to move a workstation or member server from one domain to another:

1. Open a command prompt and type netdom move /D:domain [/OU:ou_path] [/Ud:User /Pd:{password|*}] [/Uo:User /Po:{password|*}] [/Reboot:[time_in_seconds]]

   where:

   • /domain is the domain that the workstation or member server should belong to after the operation is completed.
   • /OU:ou_path is the name of a destination OU in /D:domain.
   • /Ud:User is the user account used to make the connection with the domain specified by the /D argument. If this option is not specified, the current user account is used.
   • /Pd:{password|*} is the password of the user account specified with /Ud. If *, then the password is prompted for.
   • /Uo:User is the user account used to make the connection with the object on which the action is to be performed. If this option is not specified, the current user account is used.
   • /Po:{password|*} is the password of the user account specified with /Uo. If the value used is *, the password is prompted for.
   • /Reboot:[time_in_seconds] specifies that the computer being moved should be shut down and automatically rebooted after the operation has completed. If the number of seconds is not specified, a default value of 20 seconds is used.

NETDOM Command Example

To move a workstation named mywksta from its current domain into the mydomain domain, you would type the following command:

netdom move /d:mydomain mywksta /ud:mydomain\admin /pd:password

If the destination is a Windows 2000 domain, the SIDHistory for the workstation is updated, retaining the security permissions that the computer account had previously.

Moving Domain Controllers Between Sites

In general, you can install a domain controller into a site that has existing domain controllers. The exception to this rule is the first domain controller installed, which automatically creates the Default-First-Site-Name site. You cannot create a first domain controller in any site but Default-First-Site-Name, but you can create a domain controller in a site that has a previously existing domain controller and then move it to another site. Therefore, after the first domain controller has been installed, creating Default-First-Site-Name, you can create other domain controllers in this site and then move them to alternative sites.

The following procedure may also be used to move member servers between sites.

Follow these steps to move a domain controller between sites:

1. In Active Directory Sites And Services, select the domain controller that you want to move to a different site, and then click Move on the Action menu.
2. In the Move Server dialog box (see Figure 19.7), select the site to which you want to move the domain controller, and then click OK.

Figure 19.7 The Move Server dialog box

Practice: Moving Objects Within a Domain

In this practice you move three user accounts from one OU to another. You also attempt to log on using a different account.

Exercise 1: Move Objects Within the Domain

In this exercise, you will move user accounts from one OU to another.

1. Log on to your domain as Administrator, and then open Active Directory Users And Computers.
2. In the console tree, click Users.
3. Select all three user accounts (User20, User21, and User22) that you created in Lesson 1 of this chapter by clicking one of the user accounts, press Ctrl, and then click the remaining two user accounts.
4. On the Action menu, click Move.
5. In the Move dialog box, to select the new location for the user accounts, expand your domain, click Security1 (the OU you set up in Lesson 2), and then click OK.

   Notice that the user accounts that you moved no longer appear in the Users container.

6. To verify that the user accounts were moved to the correct location, in the console tree, click Security1.

   Notice that the user accounts that you moved are now located in the Security1 OU.

7. Close the Active Directory Users And Computers console.

Exercise 2: Log On as a User in a Nonstandard OU

In this exercise, you will attempt to log on to one of the accounts you just moved to a new OU.

1. Log on to your domain by using the User21 account.

   Did Windows 2000 require you to specify the OU in which your user account is located as part of the logon process? Why or why not?

   Answer

2. Log off Windows 2000.

Lesson Summary

In this lesson, you learned how to move objects within domains in Active Directory using the Move dialog box. You learned how to move objects between domains using the MOVETREE command-line utility. You learned how to move workstations or member servers between domains using the NETDOM command-line utility. You also learned how to move domain controllers between sites using the Move Server dialog box.

In the practice portion of this lesson, you used Active Directory Users and Computers to select the object to move within a domain, and you used the Move dialog box to select the location to which you want to move the object.