15.12. Moving an Object to a Different Domain

Problem

You want to move an object to a different domain within the same forest.

Solution

Using a command-line interface

> movetree /start /s SourceDC /d TargetDC /sdn SourceDN /ddn TargetDN

In the following example, the cn=jsmith object in the amer.rallencorp.com domain will be moved to the emea.rallencorp.com domain:

> movetree /start /s dc-amer1 /d dc-emea1 
  /sdn cn=jsmith,cn=users,dc=amer,dc=rallencorp,dc=com 
  /ddn cn=jsmith,cn=users,dc=emea,dc=rallencorp,dc=com

Using VBScript

set objObject = GetObject("LDAP://TargetDC/TargetParentDN")
objObject.MoveHere "LDAP://SourceDC/SourceDN", vbNullString

In the following example, the cn=jsmith object in the amer.rallencorp.com domain will be moved to the emea.rallencorp.com domain:

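' Bind to the target parent container on the target DC
set objObject = GetObject( _
   "LDAP://dc-emea1/cn=users,dc=emea,dc=rallencorp,dc=com")
' Move the source object from the source DC, keeping its current RDN
objObject.MoveHere _
   "LDAP://dc-amer1/cn=jsmith,cn=users,dc=amer,dc=rallencorp,dc=com", _
   vbNullString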

Discussion

You can move objects between domains assuming you follow a few guidelines:

  • The user requesting the move must have permissions to modify objects in the parent container of both domains.

  • You need to explicitly specify the target DC (serverless binds usually do not work). This is necessary because the "Cross Domain Move" LDAP control is being used behind the scenes.

  • The move operation must be performed against the RID master for both domains. This is so that the move is a single master operation, which prevents conflicts (i.e., moving ...
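
The following script is an added example, not code from the book. It applies the guidelines above by looking up the RID master of each domain, binding to both by explicit server name, and reporting any error from the move. It assumes the recipe's sample names, with dc-amer1 and dc-emea1 used only as reachable DCs for the lookup; the constant and function names are hypothetical.

```vbscript
Option Explicit

' Sample values from the recipe; the two DC names are only starting points
' used to look up each domain's RID master (assumed reachable).
Const SRC_DC = "dc-amer1"
Const DST_DC = "dc-emea1"
Const SRC_DOMAIN = "dc=amer,dc=rallencorp,dc=com"
Const DST_DOMAIN = "dc=emea,dc=rallencorp,dc=com"
Const SRC_DN = "cn=jsmith,cn=users,dc=amer,dc=rallencorp,dc=com"
Const DST_PARENT = "cn=users,dc=emea,dc=rallencorp,dc=com"

' Return the DNS host name of the RID master of strDomainDN, asking strDC.
Function GetRidMaster(strDC, strDomainDN)
    Dim objRidMgr, objNtds, objServer
    Set objRidMgr = GetObject("LDAP://" & strDC & _
        "/cn=RID Manager$,cn=System," & strDomainDN)
    ' fSMORoleOwner is the DN of the role holder's NTDS Settings object;
    ' its parent is the server object, which carries dNSHostName.
    Set objNtds = GetObject("LDAP://" & strDC & "/" & _
        objRidMgr.Get("fSMORoleOwner"))
    Set objServer = GetObject(objNtds.Parent)
    GetRidMaster = objServer.Get("dNSHostName")
End Function

Dim strSrcRid, strDstRid, objParent
strSrcRid = GetRidMaster(SRC_DC, SRC_DOMAIN)
strDstRid = GetRidMaster(DST_DC, DST_DOMAIN)
WScript.Echo "Source RID master: " & strSrcRid
WScript.Echo "Target RID master: " & strDstRid

' Bind to the target parent container on an explicitly named DC,
' then pull the object across from the source RID master.
Set objParent = GetObject("LDAP://" & strDstRid & "/" & DST_PARENT)
On Error Resume Next
objParent.MoveHere "LDAP://" & strSrcRid & "/" & SRC_DN, vbNullString
If Err.Number <> 0 Then
    WScript.Echo "Move failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0
WScript.Echo "Moved " & SRC_DN & " under " & DST_PARENT
```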
