Restructure your Active Directory domains

I sometimes feel that I never design anything correctly the first time, which is why I like the Movetree tool. Movetree is a command-line utility that lets you move user accounts, computer accounts, groups, and organizational units (OUs) from one domain in an Active Directory (AD) forest to another domain in the same forest.

You use the following syntax with Movetree: movetree operation /s source domain controller /d destination domain controller /sdn source distinguished name /ddn destination distinguished name. The operation field contains the command /check, /start, or /continue. The /check command runs a test to see whether your Movetree command syntax makes sense and to ensure that you have permission to perform the action you're trying to complete. To move an object from one domain to another, you need to log on with an account that both domains recognize as an administrator account. The /check option doesn't catch every problem; I've run /check and found no problems but had the Movetree command fail when I tried to run it. The /start option runs the Movetree command. The /continue option restarts the Movetree command if the command stops before it completes (e.g., if it encounters a problem partway through the operation). This switch lets Movetree restart from a partially completed move rather than starting from scratch.

The source domain controller and destination domain controller options designate the DNS names of a domain controller from the source and destination domains. Suppose you're running the pepsi.com and tacobell.com domains, and the tacobell.com domain has an OU named gorditas that markets some of your company's products. Then, suppose Pepsi wants to centralize the marketing folks in all the company's divisions, including Taco Bell, into the pepsi.com domain. To write a Movetree command to accomplish this task, you need to know the names of one of the pepsi.com domain controllers and one of the tacobell.com domain controllers. For illustrative purposes, let's call the domain controllers pepsigen.pepsi.com and bigbell.tacobell.com.

The source distinguished name option is the name (e.g., gorditas) and location (e.g., tacobell.com) of the object you want to move. The destination distinguished name is the name of the object (e.g., gorditas) and the location you want to move the object to (e.g., pepsi.com). To complete the Movetree command in my example, you specify that the command is moving an OU named gorditas from tacobell.com to pepsi.com.

The tricky part about writing the source distinguished name is that you need to use a distinguished name (DN) format to specify an OU named gorditas in tacobell.com. In DN format, you'd write ou=gorditas, dc=tacobell,dc=com. The ou parameter is the name of the organizational unit, and the dc parameter is the device context. You use as many dc parameters in the DN as necessary to express the parts of the DNS name. For example, the DN for the domain downtown.acme.com is dc=downtown,dc=acme,dc=com. You use the parameter cn (common name) to designate objects that aren't OUs and aren't part of the DNS name (e.g., user accounts, groups, non-OU folders such as Users or Computers). Thus, the source distinguished name for an account named Sue in the Users folder of tacobell.com is cn=sue,cn=Users,dc=tacobell,dc=com.

The Movetree command to move the OU gorditas from the domain tacobell.com to the domain pepsi.com is movetree /start /s bigbell.tacobell.com /d pepsigen.pepsi.com /sdn ou=gorditas,dc=tacobell,dc=com /ddn ou=gorditas,dc=pepsi,dc=com. Suppose you have a user named Larry, whose account you want to move from an OU named burritos in tacobell.com to the Users folder in pepsi.com. The Movetree command to accomplish this task is movetree /start /s bigbell.tacobell.com /d pepsigen.pepsi.com /sdn cn=larry,ou=burritos,dc=tacobell,dc=com /ddn cn=larry,cn=Users,dc=pepsi,dc=com.
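As an added example (not code from the original article), the following Python builds the DN strings and Movetree command lines described above from DNS-style names, and before handing the command to Movetree it verifies that each domain controller actually belongs to the domain named in its DN, so that a mistyped hostname is caught before anything moves. The function names and the consistency check are my own.

```python
"""Build Movetree DNs and command lines from DNS-style names (added example)."""
import re


def domain_dn(dns_name):
    """'downtown.acme.com' -> 'dc=downtown,dc=acme,dc=com' (one dc= per label)."""
    labels = [p for p in dns_name.lower().strip(".").split(".") if p]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"dc={p}" for p in labels)


def object_dn(path, dns_name):
    """Compose an object DN from its RDN path (leaf first) and its domain, e.g.
    ['cn=larry', 'ou=burritos'] in tacobell.com -> 'cn=larry,ou=burritos,dc=tacobell,dc=com'."""
    for rdn in path:
        # Only OU and CN components are used outside the dc= suffix on this page.
        if not re.fullmatch(r"(cn|ou)=[^,=]+", rdn, re.IGNORECASE):
            raise ValueError(f"bad RDN: {rdn!r}")
    return ",".join(list(path) + [domain_dn(dns_name)])


def dn_domain(dn):
    """Recover the DNS name from the dc= components of a DN."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.lower().startswith("dc=")).lower()


def movetree_command(op, src_dc, dst_dc, sdn, ddn):
    """Assemble 'movetree <op> /s ... /d ... /sdn ... /ddn ...' after sanity checks."""
    if op not in ("/check", "/start", "/continue"):
        raise ValueError("operation must be /check, /start or /continue")
    # Each DC hostname must end with the domain spelled out by its DN's dc= parts;
    # this rejects a DC typed for the wrong domain (or a misspelled hostname).
    for dc, dn, role in ((src_dc, sdn, "source"), (dst_dc, ddn, "destination")):
        domain = dn_domain(dn)
        if not domain or not dc.lower().endswith("." + domain):
            raise ValueError(f"{role} DC {dc} is not a member of domain {domain!r}")
    return " ".join(["movetree", op, "/s", src_dc, "/d", dst_dc, "/sdn", sdn, "/ddn", ddn])


if __name__ == "__main__":
    sdn = object_dn(["ou=gorditas"], "tacobell.com")
    ddn = object_dn(["ou=gorditas"], "pepsi.com")
    print(movetree_command("/check", "bigbell.tacobell.com", "pepsigen.pepsi.com", sdn, ddn))
```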

Movetree has several limitations. You can't use the command to consolidate users, computers, or OUs from one forest to another. In addition, you can't move part of a group—you must move all the group's members. For example, if you want to move a group from domain A to domain B, but the group has members in domain A whose user accounts aren't moving to domain B, you can't use Movetree to move the group. Finally, Movetree works only on AD domains running in native mode (i.e., with no Windows NT 4.0 domain controllers). The command's documentation neglects to mention this important point.