> movetree /start /s <SourceDC> /d <TargetDC> /sdn <SourceDN> /ddn <TargetDN>
In the following example, the cn=jsmith object in the amer.rallencorp.com domain will be moved to the emea.rallencorp.com domain.
> movetree /start /s dc-amer1 /d dc-emea1[RETURN]
/sdn cn=jsmith,cn=users,dc=amer,dc=rallencorp,dc=com[RETURN]
/ddn cn=jsmith,cn=users,dc=emea,dc=rallencorp,dc=com[RETURN]
set objObject = GetObject("LDAP://<TargetDC>/<TargetParentDN>")
objObject.MoveHere "LDAP://<SourceDC>/<SourceDN>", vbNullString
In the following example, the cn=jsmith object in the amer.rallencorp.com domain will be moved to the emea.rallencorp.com domain.
' Bind to the target parent container on the target DC, then pull the object
' across from the source DC (source and target must be explicit DCs).
set objObject = GetObject( _
    "LDAP://dc-emea1/cn=users,dc=emea,dc=rallencorp,dc=com")
objObject.MoveHere _
    "LDAP://dc-amer1/cn=jsmith,cn=users,dc=amer,dc=rallencorp,dc=com", _
    vbNullString
You can move objects between domains assuming you follow a few guidelines:
The user requesting the move must have permission to modify objects in the parent container of both domains.
You need to explicitly specify the target DC (serverless binds usually do not work). This is necessary because the “Cross Domain Move” LDAP control is being used behind the scenes. For more information on controls, see Recipe 4.3.
The move operation must be performed against the RID master for both domains.
Both domains must be in native mode.
When you move a user object to a different domain, its objectSID is replaced with a new SID (based on the new domain), and the old SID is added to the sIDHistory attribute. For group objects, you can only move universal groups. To move global or domain local groups, you must first convert them to universal.
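As an added example (not the book's code), the same amer-to-emea move of cn=jsmith done with the ActiveDirectory PowerShell module instead of MoveTree or ADSI, with the guidelines above turned into explicit checks; the domain names, DCs and DNs are assumptions carried over from the examples.

```powershell
# Added example (not from the book): cross-domain move with the ActiveDirectory
# module, enforcing the Discussion's guidelines. Domain/DN values are assumptions.
Import-Module ActiveDirectory

$SourceDomain = 'amer.rallencorp.com'
$TargetDomain = 'emea.rallencorp.com'
$SourceDN     = 'CN=jsmith,CN=Users,DC=amer,DC=rallencorp,DC=com'
$TargetParent = 'CN=Users,DC=emea,DC=rallencorp,DC=com'

# Guidelines: no serverless bind, and the move runs against the RID master of
# each domain, so resolve both and pass them as -Server / -TargetServer.
$src = Get-ADDomain -Identity $SourceDomain
$dst = Get-ADDomain -Identity $TargetDomain
$sourceRid = $src.RIDMaster
$targetRid = $dst.RIDMaster

# Guideline: both domains must be in native mode (nTMixedDomain = 0 on the NC head).
foreach ($dom in $src, $dst) {
    $nc = Get-ADObject -Identity $dom.DistinguishedName -Server $dom.RIDMaster -Properties nTMixedDomain
    if ($nc.nTMixedDomain -ne 0) { throw "$($dom.DNSRoot) is still in mixed mode" }
}

# Record the current SID so the result can be verified after the move.
$before = Get-ADObject -Identity $SourceDN -Server $sourceRid -Properties objectSid

# Guideline: only universal groups can cross domains; convert global/domain local first.
if ($before.ObjectClass -eq 'group') {
    $grp = Get-ADGroup -Identity $SourceDN -Server $sourceRid
    if ($grp.GroupScope -ne 'Universal') {
        Set-ADGroup -Identity $grp -GroupScope Universal -Server $sourceRid
    }
}

# The cross-domain move itself (same LDAP cross-domain move MoveTree performs).
$moved = Move-ADObject -Identity $SourceDN -TargetPath $TargetParent `
                       -Server $sourceRid -TargetServer $targetRid -PassThru

# Confirm the object got a SID from emea and kept the amer SID in sIDHistory.
$after = Get-ADObject -Identity $moved.DistinguishedName -Server $targetRid -Properties objectSid, sIDHistory
if ($after.objectSid.Value -eq $before.objectSid.Value) {
    throw 'objectSid was not reissued by the target domain'
}
$history = @($after.sIDHistory | ForEach-Object { $_.Value })
if ($history -notcontains $before.objectSid.Value) {
    throw 'old SID is missing from sIDHistory'
}
"Moved to $($after.DistinguishedName); new SID $($after.objectSid.Value); sIDHistory: $($history -join ', ')"
```

The account running the script needs modify rights on the parent containers in both domains, as the first guideline states; the checks here only cover the conditions a script can test for itself.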
See also Recipe 4.3 for more on LDAP controls, MS KB 238394 (How to Use the MoveTree Utility to Move Objects Between Domains in a Single Forest), and MSDN: IADsContainer::MoveHere.