Moving an Object to a Different Domain

You can move objects between domains assuming you follow a few guidelines:

  • The user requesting the move must have permissions to modify objects in the parent container of both domains.
  • You need to explicitly specify the target DC (serverless binds usually do not work). This is necessary because the “Cross Domain Move” LDAP control is being used behind the scenes.
  • The move operation must be performed against the RID master for both domains. This makes the move a single-master operation, which prevents conflicts (for example, the same object being moved to two different domains from different DCs).
  • Both domains must be in native mode.
  • When you move a user object to a different domain, its objectSID is replaced with a new SID (based on the new domain), and the old SID is added to the sIDHistory attribute.
  • For group objects, you can move only universal groups. To move global or domain local groups, you must first convert them to universal.

Using a command-line interface

> movetree /start /s SourceDC /d TargetDC /sdn SourceDN /ddn TargetDN

In the following example, the cn=jsmith object in the amer.rallencorp.com domain will be moved to the emea.rallencorp.com domain:

> movetree /start /s dc-amer1 /d dc-emea1
   /sdn cn=jsmith,cn=users,dc=amer,dc=rallencorp,dc=com
   /ddn cn=jsmith,cn=users,dc=emea,dc=rallencorp,dc=com

Using VBScript

set objObject = GetObject("LDAP://TargetDC/TargetParentDN")
objObject.MoveHere "LDAP://SourceDC/SourceDN", vbNullString

In the following example, the cn=jsmith object in the amer.rallencorp.com domain will be moved to the emea.rallencorp.com domain:

' Bind to the destination container on a DC in the target (emea) domain
set objObject = GetObject( _
    "LDAP://dc-emea1/cn=users,dc=emea,dc=rallencorp,dc=com")
' Pull the object across from a DC in the source (amer) domain;
' vbNullString keeps the object's existing RDN
objObject.MoveHere _
    "LDAP://dc-amer1/cn=jsmith,cn=users,dc=amer,dc=rallencorp,dc=com", _
    vbNullString
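As an added example that is not part of the original recipe, the same move done with the Active Directory PowerShell module (Move-ADObject, a different tool from MoveTree and ADSI) with the guidelines above turned into explicit checks. It assumes the AD module is installed and the caller holds the rights described above; the DC, domain and object names are the recipe's sample values.

```powershell
# Added example, not the recipe's own code. Assumes the ActiveDirectory module
# and the permissions described in the guidelines above.
Import-Module ActiveDirectory

$sourceDomain = 'amer.rallencorp.com'
$targetDomain = 'emea.rallencorp.com'
$sourceDn     = 'cn=jsmith,cn=users,dc=amer,dc=rallencorp,dc=com'
$targetParent = 'cn=users,dc=emea,dc=rallencorp,dc=com'

# Guideline: run the move against the RID master of both domains. Look them up
# instead of hard-coding DC names, since the role can move.
$sourceRid = (Get-ADDomain -Identity $sourceDomain).RIDMaster
$targetRid = (Get-ADDomain -Identity $targetDomain).RIDMaster

# Guideline: both domains must be in native (not mixed) mode.
foreach ($d in $sourceDomain, $targetDomain) {
    $mode = (Get-ADDomain -Identity $d).DomainMode
    if ("$mode" -match 'Mixed') { throw "$d is in mixed mode; cross-domain moves need native mode" }
}

# Guideline: only universal groups can be moved. Record the old SID first so
# the sIDHistory result can be verified afterwards.
$obj = Get-ADObject -Identity $sourceDn -Server $sourceRid -Properties objectSid
if ($obj.ObjectClass -eq 'group') {
    $scope = (Get-ADGroup -Identity $sourceDn -Server $sourceRid).GroupScope
    if ($scope -ne 'Universal') { throw "Convert $sourceDn to a universal group before moving it" }
}
$oldSid = $obj.objectSid.Value

# The move: -Server binds to the source RID master and -TargetServer names the
# target DC explicitly, since a serverless bind does not carry the
# cross-domain move control to the right place.
Move-ADObject -Identity $sourceDn -Server $sourceRid `
              -TargetPath $targetParent -TargetServer $targetRid

# Verify: the object now has a SID from the target domain and the old SID is in
# sIDHistory. sIDHistory still grants access to the old domain's resources, so
# it is worth reviewing after every move rather than assuming it.
$newDn   = "cn=jsmith,$targetParent"
$moved   = Get-ADObject -Identity $newDn -Server $targetRid -Properties objectSid, sIDHistory
$history = @($moved.sIDHistory | ForEach-Object { $_.Value })
if ($moved.objectSid.Value -eq $oldSid -or $history -notcontains $oldSid) {
    throw "Move completed but objectSid/sIDHistory did not change as expected"
}
"Moved $sourceDn to $newDn; old SID $oldSid is now in sIDHistory"
```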