Windows .NET Server 2003 Domains & Active Directory

Overview

Moving Active Directory objects within a domain is a rather simple operation. You only need to open the Active Directory Users and Computers snap-in, point to the object, and select a target container for the Move operation. Moving objects between domains is a more complicated task, requiring specific tools. When the domains belong to different forests, then you should talk about migrating rather than moving objects.

This chapter describes utilities that allow an administrator to reconfigure domains as well as to migrate (copy) the user, group, and other directory objects from one AD-based forest (or a Windows NT 4.0-based domain) to another forest:

• MoveTree.exe moves the user, group, and OU objects within an AD-based forest (intra-forest migration); the user accounts retain their passwords after moving.

• ClonePrincipal duplicates (clones) the user and group objects between different AD-based forests or from an Windows NT 4.0 domain to an AD-based domain (inter-forest migration); does not maintain users' passwords.

• Active Directory Migration Tool version 2.0 (ADMT) can work as both MoveTree (within AD-based forests) and ClonePrincipal (between forests or Windows NT 4.0 domains and AD-based forest); creates new passwords or migrates existing passwords.

The first two utilities have been included in the Support Tools pack, whereas ADMT can be downloaded freely from the Microsoft website (see Appendix A).

The main difference between these utilities is that MoveTree operates only in intra-forest scenarios, and ClonePrincipal only provides inter-forest operations. Besides, MoveTree destroys the source object (assigning its GUID to the new object), and ClonePrincipal creates a copy of the object, leaving the source intact. ADMT 2.0 can provide both migration scenarios. All of the utilities add the original objects' SIDs to the sIDHistory attribute of target objects.