Moving objects around in Active Directory may involve moving objects from one location to another within a domain, or you might have to move objects from one domain to another. You need to know the details associated with either operation for the MCSE Directory Services exam. Fortunately, you just need to remember some simple rules.
Moving objects within a domain
Moving objects within a domain is a simple process: Just right-click the object and choose Move. Windows 2000 displays a dialog box in which you simply choose the destination container object for the move. (Later versions of the Active Directory Users and Computers console, from Windows Server 2003 on, also let you drag and drop objects from one OU to another.)
A real-world example of moving an object within a domain involves moving a user account from one OU to another when the user transfers from one department to another in your organization. Moving the user's account enables the user to receive the benefits and restrictions you have defined for the new OU: the Group Policy objects linked there, and the permissions and delegated authority set on it, now apply to the account.
What is not as straightforward (and what you need to know for the exam) is the effect that moving objects has on permissions. Here are the rules you must know:
- Permissions you assign directly to an Active Directory object (explicit ACEs in its DACL) remain with the object after you move the object.
- Permissions the object received by inheritance are recomputed: the object loses the permissions it inherited from its old parent OU and inherits those assigned to the new OU.
You may have already figured this one out: An excellent strategy for administering Active Directory objects is to move objects that need similar permission settings into the same OU. By doing so, you can easily manage your network, assigning permissions and delegating authority effectively with just a few mouse clicks.
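The two permission rules above, demonstrated with an intra-domain move. This is an added example, not code from the original article: it assumes the ActiveDirectory PowerShell module (RSAT) with its AD: drive, and the user DN and destination OU under example.com are placeholders for objects in your own lab domain.

```powershell
# Added example: observe which ACEs survive an intra-domain move.
# Assumes the ActiveDirectory module (RSAT) and that the DNs below exist
# in your lab domain (example.com is a placeholder).
Import-Module ActiveDirectory

$user   = 'CN=Jane Doe,OU=Sales,DC=example,DC=com'   # object to move (assumed)
$target = 'OU=Marketing,DC=example,DC=com'            # destination OU (assumed)

function Get-AceSummary {
    param([string]$DistinguishedName)
    # Split the object's DACL into explicit ACEs (IsInherited = $false) and
    # ACEs inherited from the parent chain (IsInherited = $true).
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    [pscustomobject]@{
        Explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
        Inherited = @($acl.Access | Where-Object { $_.IsInherited })
    }
}

$before = Get-AceSummary -DistinguishedName $user

# Move the object; its RDN (CN=Jane Doe) is preserved under the new parent.
Move-ADObject -Identity $user -TargetPath $target
$newDn = 'CN=Jane Doe,' + $target
$after = Get-AceSummary -DistinguishedName $newDn

$props = 'IdentityReference', 'ActiveDirectoryRights', 'AccessControlType'

# Rule 1: explicit ACEs travel with the object, so the two sets should be identical.
$explicitDiff = Compare-Object $before.Explicit $after.Explicit -Property $props
$explicitKept = ($null -eq $explicitDiff)

# Rule 2: inherited ACEs are recomputed from the new parent. ACEs that were
# inherited only via OU=Sales disappear ('<=') and ACEs inherited via
# OU=Marketing appear ('=>'); ACEs inherited from the domain root stay.
$inheritedDiff   = @(Compare-Object $before.Inherited $after.Inherited -Property $props)
$lostInherited   = @($inheritedDiff | Where-Object SideIndicator -eq '<=')
$gainedInherited = @($inheritedDiff | Where-Object SideIndicator -eq '=>')

"Explicit ACEs unchanged by the move: $explicitKept"
"Inherited ACEs dropped (came from old OU): $($lostInherited.Count)"
"Inherited ACEs gained (come from new OU):  $($gainedInherited.Count)"
$lostInherited   | Format-Table IdentityReference, ActiveDirectoryRights
$gainedInherited | Format-Table IdentityReference, ActiveDirectoryRights
```

If the explicit set differs after the move, something other than the move touched the object (or inheritance was blocked on it); that is worth investigating before assuming the rules above held.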
Moving objects between domains
In a multiple-domain Windows 2000 forest, you may need to move objects (users, organizational units, groups) between these multiple domains. You use the MOVETREE command line utility, which ships with the Windows 2000 Support Tools, to perform many of these operations.
When you move users and groups to a new domain, they receive new security identifiers (SIDs), because a SID embeds the identifier of the domain that issued it; ACEs on resources that name the old SID would therefore no longer match the account. Fortunately, a Windows 2000 destination domain running in native mode supports an attribute called SIDHistory. As you move a user from domain to domain, Windows 2000 adds the old SID to SIDHistory, so the user's access token still carries it and you do not have to reset permissions on resources each time you perform the move operation. Because SIDHistory keeps granting access under the old SID, treat it as a temporary bridge: re-ACL the resources to the new SID, then clear the attribute.
MOVETREE assists you with most move operations between domains. And in those cases for which MOVETREE cannot do the job (notably computers, covered below), you can turn to another utility called NETDOM. MOVETREE can
- Move most Active Directory objects (including nonempty containers) from one domain to another in the same forest.
- Move domain local and global groups between domains in the same forest, but only if the groups have no members.
- Move universal groups, together with their members, between domains of the same forest.
MOVETREE can move most Active Directory objects. Objects in a moved tree that it cannot move (for example, a global group that still has members) become orphaned: Windows 2000 places them in a special container called LostAndFound. To see this container in Active Directory Users and Computers, enable View > Advanced Features.
You must have the appropriate administrative permissions to use MOVETREE from the command prompt. This command uses the following syntax:
MOVETREE {/start | /startnocheck | /continue | /check} /s SrcDSA /d DstDSA /sdn SrcDN /ddn DstDN [/u [Domain\]Username /p Password] [/verbose] [{/? | /help}]
The placeholders in this syntax (SrcDSA, DstDSA, SrcDN, DstDN, Domain, Username, Password) represent information you must provide. Table 1 describes the switches you can use with the MOVETREE command.
Table 1 MOVETREE Command Switches
| Switch | What It Does |
|---|---|
| /start | Initiates the move operation. |
| /startnocheck | Starts the move without first performing the /check test run. |
| /continue | Continues the execution of a previously paused or failed MOVETREE operation. |
| /check | Performs a test run of the MOVETREE operation; nothing is moved. |
| /s SrcDSA | Specifies the source server's fully qualified domain name (FQDN). |
| /d DstDSA | Specifies the destination server's FQDN. |
| /sdn SrcDN | Specifies the current distinguished name of the object you are moving. |
| /ddn DstDN | Specifies the distinguished name the object will have in the destination domain. |
| /u [Domain\]Username | Runs MOVETREE under the credentials of the specified user instead of the logged-on user. |
| /p Password | Specifies the password for the account given with /u. |
| /verbose | Causes MOVETREE to display more details as it runs. |
| /? or /help | Displays help about MOVETREE. |
MOVETREE creates log files when operations are performed. You can check these log files for information regarding the success or failure of MOVETREE events:
- MOVETREE.ERR: Lists any errors encountered.
- MOVETREE.LOG: Lists statistical results of the operation.
- MOVETREE.CHK: Lists any errors detected from MOVETREE being executed in check mode.
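A check-then-start MOVETREE run that reads the log files above, lists anything orphaned into LostAndFound, and confirms SIDHistory on the moved users. This is an added example, not code from the original article. It assumes movetree.exe from the Windows 2000 Support Tools is on the PATH, that the ActiveDirectory PowerShell module is available for the verification steps, that MOVETREE writes its logs to the current directory and leaves MOVETREE.CHK absent or empty when the check finds no problems, and that the server names and DNs under east/west.example.com are placeholders for your own forest.

```powershell
# Added example: check-then-start MOVETREE run with log inspection and a
# post-move SIDHistory check. Assumes movetree.exe (Windows 2000 Support
# Tools) on the PATH, the ActiveDirectory module for verification, logs in
# the current directory, and placeholder names for DCs and DNs.
Import-Module ActiveDirectory

$srcDsa = 'dc1.east.example.com'                  # source DC FQDN (assumed)
$dstDsa = 'dc1.west.example.com'                  # destination DC FQDN (assumed)
$srcDn  = 'OU=Projects,DC=east,DC=example,DC=com' # subtree to move (assumed)
$dstDn  = 'OU=Projects,DC=west,DC=example,DC=com' # its DN after the move (assumed)
$srcLostAndFound = 'CN=LostAndFound,DC=east,DC=example,DC=com'

function Invoke-MoveTree {
    param([ValidateSet('/check', '/start', '/startnocheck', '/continue')][string]$Mode)
    # Same /s /d /sdn /ddn for every mode; only the operation switch changes.
    & movetree.exe $Mode /s $srcDsa /d $dstDsa /sdn $srcDn /ddn $dstDn /verbose
    return $LASTEXITCODE
}

# 1. Test run: nothing is moved. Problems found in check mode land in MOVETREE.CHK,
#    so stop and read that file before touching anything.
$rc = Invoke-MoveTree -Mode '/check'
$chk = if (Test-Path MOVETREE.CHK) { @(Get-Content MOVETREE.CHK) } else { @() }
if ($rc -ne 0 -or $chk.Count -gt 0) {
    Write-Warning "Check mode reported problems (exit code $rc); not starting the move:"
    $chk | ForEach-Object { Write-Warning $_ }
    return
}

# 2. Real move, then read the result logs: errors in .ERR, statistics in .LOG.
$rc = Invoke-MoveTree -Mode '/start'
if (Test-Path MOVETREE.ERR) { Get-Content MOVETREE.ERR | ForEach-Object { Write-Warning $_ } }
if (Test-Path MOVETREE.LOG) { Get-Content MOVETREE.LOG }

# 3. Anything MOVETREE could not move (for example global groups with members) is
#    orphaned into LostAndFound; list it so nothing is silently left behind.
Get-ADObject -Server $srcDsa -SearchBase $srcLostAndFound -SearchScope OneLevel -Filter * |
    Select-Object Name, ObjectClass

# 4. Verify SIDHistory on the moved users: each should carry its old east SID, which
#    is what keeps existing ACLs working. Re-ACL resources to the new SID and clear
#    SIDHistory afterwards, since any ACE naming the old SID still grants access.
Get-ADUser -Server $dstDsa -SearchBase $dstDn -Filter * -Properties SIDHistory |
    Select-Object SamAccountName, SID, @{ n = 'SIDHistory'; e = { $_.SIDHistory -join ';' } }
```

Run it from a working directory you control, because step 1 and step 2 both read the log files MOVETREE writes there; a stale MOVETREE.CHK from an earlier run would otherwise block the move.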
MOVETREE moves computer objects from one domain to another for you, but it cannot disjoin the computer from the source domain and join it to the target domain. This limitation makes NETDOM a much better utility for moving computers between domains in a Windows 2000 Active Directory setting.
NETDOM uses the following syntax to move computer accounts:
NETDOM MOVE machine /D:domain [/OU:ou_path] [/Ud:User /Pd:{Password|*}] [/Uo:User /Po:{Password|*}] [/Reboot[:time_in_seconds]]
Table 2 describes the switches you use with the NETDOM command.
Table 2 NETDOM Command Switches
| Switch | What It Does |
|---|---|
| machine | Names the computer whose account you are moving. |
| /D:domain | Identifies the target domain. |
| /OU:ou_path | Specifies the target OU, as a distinguished name in the target domain. |
| /Ud:User | Indicates the user account used to make the connection with the target domain. |
| /Pd:{Password\|*} | Enters the password for the user account used to connect to the target domain; if you use *, NETDOM prompts for the password. |
| /Uo:User | Identifies the user account used to make the connection to the source (original) domain. |
| /Po:{Password\|*} | Enters the password for the user account used to connect to the original domain; if you use *, NETDOM prompts for the password. |
| /Reboot[:time_in_seconds] | Specifies that the computer being moved should shut down and reboot automatically after the move operation, optionally after the given number of seconds. |
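A NETDOM move of one workstation, followed by the two checks that distinguish it from a MOVETREE move: the account is in the target OU of the new domain, and the machine's secure channel now points at that domain. This is an added example, not code from the original article; it assumes netdom.exe (Windows 2000 Support Tools) and nltest.exe are on the PATH, the ActiveDirectory PowerShell module is available, and the computer name, domain names, OU and the two svc-migrate accounts are placeholders for your environment.

```powershell
# Added example: move a workstation into another domain's OU with NETDOM and
# confirm the result. Assumes netdom.exe, nltest.exe and the ActiveDirectory
# module are available; all names below are placeholders.
Import-Module ActiveDirectory

$computer  = 'WS042'                                     # machine to move (assumed)
$newDomain = 'west.example.com'                          # target domain (assumed)
$targetOu  = 'OU=Workstations,DC=west,DC=example,DC=com' # target OU (assumed)

# /Pd:* and /Po:* make NETDOM prompt for both passwords instead of taking them on the
# command line, where they would be visible in process listings and shell history.
& netdom.exe move $computer "/D:$newDomain" "/OU:$targetOu" `
    '/Ud:WEST\svc-migrate' '/Pd:*' '/Uo:EAST\svc-migrate' '/Po:*' '/Reboot:30'
if ($LASTEXITCODE -ne 0) {
    throw "netdom move failed for $computer (exit code $LASTEXITCODE)"
}

# NETDOM also re-joins the machine, so it reboots; wait for it to come back.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 15
    $up = Test-Connection -ComputerName $computer -Count 1 -Quiet
} while (-not $up -and (Get-Date) -lt $deadline)
if (-not $up) { throw "$computer did not respond within 5 minutes of the reboot" }

# Check 1: the account now lives in the target OU of the new domain.
Get-ADComputer -Identity $computer -Server $newDomain |
    Select-Object Name, DistinguishedName

# Check 2: the machine's secure channel is with a DC of the new domain, which is
# the part MOVETREE cannot do for a computer object.
& nltest.exe "/server:$computer" "/sc_query:$newDomain"
```

If check 1 succeeds but check 2 reports the old domain, the account moved but the join did not take; rerun the move rather than leaving a computer object whose machine still authenticates to the source domain.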