Capabilities of the MOVETREE Command

In a Windows 2000 network, you can use the MOVETREE command to move universal groups within a domain or between domains in the same forest. But beware the limitations of this tricky but powerful command.

 By Brien M. Posey

In part 1 (Reorganizing Active Directory), I explained how to move objects within a domain and noted that a command called MOVETREE can move some types of objects between domains. In this article, I'll continue the discussion by looking at MOVETREE in more detail.

As I mentioned in part 1, MOVETREE is a tricky command: it is powerful, but many of its operations are tightly restricted. Before I get into the procedures for using MOVETREE, I'll cover what it is and isn't capable of.

Supported MOVETREE Functions

Because MOVETREE's whole purpose is moving objects between domains, it should come as no surprise that moving an object, or a non-empty container such as an organizational unit, to a different domain within the same forest is a supported operation. As open-ended as that sounds, however, it carries some significant restrictions. One involves groups: you can move domain local groups and global groups between domains (within the same forest) only if the groups have no members. If a group has members, you can move it only within its present domain. The reason is that both scopes are tied to their domain: a global group can contain only accounts from its own domain, and a domain local group can be granted permissions only within its own domain, so neither group's membership would survive a change of domain intact.

These restrictions don't apply to universal groups. As you may recall from my series of articles on Windows 2000 groups, universal security groups are available only in domains running in native mode. Because a universal group's membership isn't tied to any one domain, moving one is a snap: you can use MOVETREE to move a universal group, with or without members, within a domain or between domains in the same forest.

Unsupported MOVETREE Functions

Some types of objects can't be moved at all, and others carry serious limitations. In this section, I'll discuss those objects and limitations.

One such limitation involves computer objects. As you may know, a Windows 2000 Professional machine must be joined to the domain, using the credentials of an account that is permitted to create computer accounts in that domain (typically an administrator), before anyone can log on to it with a domain account. The MOVETREE command is capable of moving a computer object from one Active Directory location to another, even into another domain. Unfortunately, doing so doesn't disjoin the computer from its previous domain and join it to the new one: after the move, the machine itself still belongs to its original domain, and its account in the new domain is of no use to it. To move a workstation or member server to a new domain, I recommend the NETDOM utility, whose MOVE operation moves the computer account and rejoins the machine in one step.

Another limitation is that although MOVETREE can move user accounts, it can't move the data associated with a user. This includes logon scripts, user profiles, certificates, smart card information, and the user's personal data. When moving a user, you can write custom scripts to move everything except the smart card data and certificates; those must be reissued by the certification authority in the new domain.

Along with the limitations I've mentioned, there are certain types of objects you can't move at all. These include system objects, that is, objects whose object class is flagged System-Only. Likewise, you can't move objects that live in the schema or configuration naming contexts of Active Directory. Furthermore, MOVETREE won't move domain controllers, objects whose parent object is a domain controller, or objects located in the special Active Directory containers Builtin, ForeignSecurityPrincipals, LostAndFound and System.
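As an added example (this is not code from the original article or from the MOVETREE tool), here is a Python pre-flight check that applies the rules above, together with the group rules from the previous section, to a constructed subtree. It classifies each object as movable to another domain, movable only within its present domain, or not movable at all, and attaches the caveats a practitioner would want to read before running the real command. The ADObject record, its field names, the sample DNs and the notes are assumptions of the example; the groupType bit values are the ones Active Directory actually stores.

```python
"""Pre-flight check of a subtree against the MOVETREE rules in this article (added example)."""
import re
from dataclasses import dataclass, field
from enum import Enum

# groupType bits as Active Directory stores them (real AD values).
GROUP_GLOBAL, GROUP_DOMAIN_LOCAL, GROUP_UNIVERSAL, GROUP_SECURITY = 0x2, 0x4, 0x8, 0x80000000

# Well-known containers whose contents MOVETREE will not move.
SPECIAL_CONTAINERS = {"builtin", "foreignsecurityprincipals", "lostandfound", "system"}


class Scope(Enum):
    NONE = "cannot be moved"
    INTRA_DOMAIN = "movable only within its present domain"
    CROSS_DOMAIN = "movable within the domain or to another domain in the forest"


@dataclass
class ADObject:
    """Constructed stand-in for a directory object; the fields are the example's own."""
    dn: str
    object_class: str                 # user, group, computer, organizationalUnit, ...
    system_only: bool = False         # object class flagged System-Only
    group_type: int = 0               # groupType bits (groups only)
    members: list = field(default_factory=list)
    is_domain_controller: bool = False
    parent_is_domain_controller: bool = False


def rdns(dn):
    """Split a DN on commas that are not backslash-escaped (CN=Smith\\, John stays whole)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def cn_values(rdn_list):
    """Lower-cased values of the CN= components in a list of RDNs."""
    return {r.split("=", 1)[1].strip().lower() for r in rdn_list if r.lower().startswith("cn=")}

def in_special_container(dn):
    """True if an ancestor (never the object itself) is one of the special containers."""
    return bool(cn_values(rdns(dn)[1:]) & SPECIAL_CONTAINERS)

def in_configuration_context(dn):
    """True for objects in the Configuration naming context, which holds the Schema too."""
    return "configuration" in cn_values(rdns(dn))


def classify(obj):
    """Apply the article's rules in order and return (Scope, explanatory notes)."""
    if obj.system_only:
        return Scope.NONE, ["object class is System-Only"]
    if in_configuration_context(obj.dn):
        return Scope.NONE, ["lives in the configuration or schema naming context"]
    if in_special_container(obj.dn):
        return Scope.NONE, ["lives in Builtin, ForeignSecurityPrincipals, LostAndFound or System"]
    if obj.is_domain_controller or obj.parent_is_domain_controller:
        return Scope.NONE, ["domain controllers and their child objects cannot be moved"]
    cls = obj.object_class.lower()
    if cls == "group":
        if obj.group_type & GROUP_UNIVERSAL:
            return Scope.CROSS_DOMAIN, ["universal group: no membership restriction"]
        if obj.members:
            return Scope.INTRA_DOMAIN, [f"global/domain local group with {len(obj.members)} "
                                        "member(s); empty it before moving it to another domain"]
        return Scope.CROSS_DOMAIN, ["empty global/domain local group"]
    notes = []
    if cls == "computer":
        notes.append("account moves, but the machine stays joined to the old domain; rejoin with NETDOM")
    elif cls == "user":
        notes.append("profile, logon script and personal data need separate scripting; "
                     "certificates and smart card data must be reissued in the new domain")
    return Scope.CROSS_DOMAIN, notes


def plan_cross_domain_move(objects):
    """Split a subtree into what a cross-domain MOVETREE would move and what it
    would leave behind in the source domain's LostAndFound container."""
    moved, stranded = [], []
    for obj in objects:
        scope, notes = classify(obj)
        (moved if scope is Scope.CROSS_DOMAIN else stranded).append((obj.dn, scope, notes))
    return moved, stranded


# Constructed sample subtree: a Sales OU plus two objects that can never move.
SRC = "DC=src,DC=example,DC=com"
SAMPLE_SUBTREE = [
    ADObject(f"OU=Sales,{SRC}", "organizationalUnit"),
    ADObject(f"CN=Ann,OU=Sales,{SRC}", "user"),
    ADObject(f"CN=WS01,OU=Sales,{SRC}", "computer"),
    ADObject(f"CN=SalesStaff,OU=Sales,{SRC}", "group",
             group_type=GROUP_SECURITY | GROUP_GLOBAL, members=[f"CN=Ann,OU=Sales,{SRC}"]),
    ADObject(f"CN=SalesArchive,OU=Sales,{SRC}", "group", group_type=GROUP_SECURITY | GROUP_GLOBAL),
    ADObject(f"CN=AllSales,OU=Sales,{SRC}", "group",
             group_type=GROUP_SECURITY | GROUP_UNIVERSAL, members=[f"CN=Ann,OU=Sales,{SRC}"]),
    ADObject(f"CN=Administrators,CN=Builtin,{SRC}", "group",
             group_type=GROUP_SECURITY | GROUP_DOMAIN_LOCAL, members=[f"CN=Ann,OU=Sales,{SRC}"]),
    ADObject(f"CN=DC1,OU=Domain Controllers,{SRC}", "computer", is_domain_controller=True),
]
```

Calling plan_cross_domain_move(SAMPLE_SUBTREE) puts the OU, the user, the workstation, the empty global group and the universal group in the "moved" list, and strands the populated global group (movable only within its domain) along with the Builtin group and the domain controller (not movable at all). The ancestor-only check in in_special_container matters: an ordinary user object named CN=System inside an OU is not in the System container and must not be flagged.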

The LostAndFound Container

In case you're unfamiliar with the LostAndFound container, its purpose is to hold Active Directory objects that have been orphaned. You can view it in the Active Directory Users and Computers snap-in for Microsoft Management Console; it appears only when Advanced Features is turned on in the View menu. Whenever the MOVETREE command moves an object into the LostAndFound container, it tags the object with the GUID of its original parent object, so you can tell where it came from.

With so many limitations, you may wonder what happens if you accidentally try to move one of these objects. Suppose, for example, that you move a big chunk of Active Directory, and some of the objects I've mentioned happen to fall within that section. In that situation, the objects that can be moved are moved; the remaining objects are placed in the LostAndFound container of the original domain. Rather than discover this after the fact, run MOVETREE with the /check switch first: it performs a test run against the source and destination without moving anything and reports the objects that would fail, so you can empty groups or relocate objects before the real move.

This article was originally published on Nov 9, 2000