Active Directory (AD) should be structured to mirror your company's organizational layout. But what happens when your company reorganizes or merges with another? If all the objects you need to move stay within their present domain, it's no big deal. But when you must move objects from one domain to another, things can get messy. Here are some tips for moving workstation, member server, and domain controller objects among domains.
Your command is my wish
Before I explain how to move objects between domains, there are a few things you should know. First, moving objects between domains is tedious: rather than a simple point-and-click operation, you'll have to use a command-line utility.
Second, the command-line utilities for these operations are very sensitive. Even if you follow the rules for a particular object type, any number of other things can cause a move to fail partway through. I know it's no fun to try reorganizing an AD and end up with half the objects moved and the other half generating errors and staying where they were.
Moving workstations and member servers
Although Movetree is the tool for moving objects such as users and groups, I don't recommend using it to move computers. I've seen Web articles describing a method of moving computer accounts with Movetree, but these attempts often end in big problems, such as corrupted AD databases or lost or confused object properties. So how do you move computer accounts if Movetree isn't reliable?
There are at least two methods for moving a computer from one domain to another. The first doesn't move the account at all; it recreates it. Open the Active Directory Users And Computers console and navigate to Active Directory Users And Computers | your domain | Computers, where your domain stands for the name of your actual domain. When you select the Computers container, the computers registered in the domain appear in the right-hand pane. Right-click the computer account and select Delete from the context menu to remove it from the old domain, then go to the computer itself and join it to the new domain, which creates a fresh account there. Because that new account is a new object with a new SID, anything tied to the old account, such as group memberships or permissions granted to the computer, is not carried over and has to be set up again.
This process works well if you have only one or two computers to move and those computers happen to be in the same building you’re located in. But what if those computers are located in a remote office a thousand miles away? Or, what if you need to move ten thousand computer accounts? In either situation, you wouldn’t want to go through the process of manually moving each machine in the manner that I just described.
Instead, move them with the Netdom utility, which is part of the Windows 2000 Support Tools. To install the Support Tools, insert your Windows 2000 Server CD, select the option to browse the CD's contents from the splash screen, navigate to the \Support\Tools directory, and run Setup.exe.
Then you're ready to use Netdom. Although Netdom isn't quite as sensitive as Movetree, you still need to take care when using it.
Having said that, let's take a look at the command syntax. If you enter NETDOM MOVE /HELP at a command prompt, you'll see a syntax explanation that looks something like this:
The syntax of this command is:
NETDOM MOVE machine /Domain:domain [/OU:ou path] [/UserD:user]
    [/PasswordD:[password | *]]
    [/UserO:user] [/PasswordO:[password | *]]
    [/REBoot[:Time in seconds]]
This command is a little complicated, but the help output also summarizes each parameter and its function. machine is the computer to move and /Domain is the destination domain. /OU places the new computer object in a specific organizational unit rather than the default Computers container. /UserD and /PasswordD are credentials for the destination domain, which must be allowed to create computer objects there; /UserO and /PasswordO are credentials for the domain the computer currently belongs to, used to remove the old account (if you omit them, Netdom uses the credentials you're logged on with). /REBoot restarts the machine after the move, optionally after the given number of seconds. Entering * for either password makes Netdom prompt for it instead of leaving it on the command line.
Okay, the summary is more helpful, but what about a real-world move? The actual process isn't that bad. Suppose you want to move a computer named PC1 from its current domain to the domain Posey. You could use the following command:
NETDOM MOVE PC1 /Domain:POSEY /UserD:POSEY\Administrator /PasswordD:MY_PASSWORD
Because no /UserO and /PasswordO are given, Netdom uses the credentials you're logged on with to remove PC1 from its current domain. A password typed on the command line stays in the console's history, so on a machine you don't fully control use /PasswordD:* and let Netdom prompt for it instead. Add /REBoot to restart PC1 afterward; the change of domain membership doesn't take effect until the machine restarts.
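That single command covers one machine. For the remote-office or ten-thousand-computer case, here is an added example of how I'd drive Netdom for a whole batch; it is not part of the original article. It reads machine names from a list, runs NETDOM MOVE for each one with both sets of credentials, logs every result, and writes the failures to their own list so a run that dies halfway can be resumed from the failures instead of started over. It assumes netdom.exe is on the PATH (the Support Tools version and the copy built into later Windows Server releases take the same switches), a destination domain named POSEY, and a constructed list file computers.txt with one machine name per line; the OU path and the reboot delay are placeholders to adjust.

```powershell
# Added example, not from the original article. Moves every computer listed in
# a text file into the POSEY domain with NETDOM MOVE and records the outcome.
# Assumes netdom.exe is on the PATH and that computers.txt is a constructed
# list, one machine name per line.
param(
    [string]$ListFile     = '.\computers.txt',
    [string]$TargetDomain = 'POSEY',
    [string]$TargetOU     = '',     # e.g. 'OU=Workstations,DC=posey,DC=com'; empty = default Computers container
    [string]$LogFile      = '.\netdom-move.log',
    [int]$RebootDelay     = 60      # seconds the user gets before Netdom restarts the machine
)

# Ask for both sets of credentials once. Netdom needs an account that can
# create computer objects in the destination domain (/UserD) and one that can
# remove the old account from the current domain (/UserO).
$destCred = Get-Credential -Message "Account in $TargetDomain allowed to create computer objects"
$origCred = Get-Credential -Message "Account in the current domain allowed to delete computer objects"

function Move-ComputerWithNetdom {
    param([string]$Computer)

    # Netdom takes passwords only as arguments (or interactively with '*', which
    # defeats a batch run), so they are visible in the process list while
    # netdom.exe runs. Run this from an administrative workstation, not a shared host.
    $netdomArgs = @(
        'move', $Computer,
        "/Domain:$TargetDomain",
        "/UserD:$($destCred.UserName)",
        "/PasswordD:$($destCred.GetNetworkCredential().Password)",
        "/UserO:$($origCred.UserName)",
        "/PasswordO:$($origCred.GetNetworkCredential().Password)",
        "/REBoot:$RebootDelay"
    )
    if ($TargetOU) { $netdomArgs += "/OU:$TargetOU" }

    $output = & netdom.exe @netdomArgs 2>&1
    [pscustomobject]@{
        Computer = $Computer
        ExitCode = $LASTEXITCODE
        Output   = (($output | ForEach-Object { "$_" }) -join ' ')
    }
}

$names   = Get-Content $ListFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$results = foreach ($name in $names) {
    $r = Move-ComputerWithNetdom -Computer $name
    "$(Get-Date -Format s) $($r.Computer) exit=$($r.ExitCode) $($r.Output)" | Add-Content -Path $LogFile
    $r
}

# Failures go to a separate list so the next run can retry only those machines.
$failed = @($results | Where-Object { $_.ExitCode -ne 0 })
$failed | ForEach-Object { $_.Computer } | Set-Content -Path '.\failed.txt'
"Moved $(@($results).Count - $failed.Count) of $(@($results).Count) computers; " +
    "$($failed.Count) failure(s) listed in failed.txt, details in $LogFile"
```

Rerunning the script with failed.txt as the list file retries only the machines that didn't move. Keep the log: when a move fails on one of the "other things" mentioned earlier (a stale secure channel, a machine that is switched off, a name that already exists in the destination), Netdom's own output line is usually the quickest way to tell which.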
Moving domain controllers
Perhaps the trickiest move of all is moving a domain controller. There are a couple of ways to move domain controllers within your organization, but neither involves pointing Movetree or Netdom at a domain controller object.
Where you're moving it dictates the method. This may sound strange at first: you can't move objects between forests, so where else could you move a domain controller except to a different domain within the same forest?
Although moving a domain controller to a different domain may be the most obvious type of move given the context of this article, it isn't the only one. You can also move a domain controller within its present domain. Yes, you read that correctly. Remember that unlike Windows NT, Windows 2000 lets you create sites. A site represents a well-connected part of your network, and a single domain can span several sites that are separated from each other by slow WAN links. Because of those links, you want at least one domain controller in each site so that network clients don't have to send authentication and AD query traffic across the WAN.
As your organization evolves, you may need to move a domain controller out of a shrinking site and into a growing one. All of these sites are part of the same domain, so the move is simple. Open the Active Directory Sites And Services console, select the domain controller you want to move, and choose Move from the console's Action menu. The Move Server dialog box appears and lets you pick the site into which the domain controller should be moved. Remember to leave at least one domain controller in the site you're moving it out of. Moving a server between sites changes only which site it belongs to; nothing is replicated or reinstalled.
So moving a domain controller between sites sounds easy. But what about moving a domain controller between domains? First make sure you have plenty of time on your hands before trying it. You also need to plan for the move's impact. Remember that most of the time, domain controllers aren't just domain controllers: they may run DNS or act as file, print, or backup servers. If your domain controller does anything beyond being a domain controller in the purest sense, offload those services onto another server first. Likewise, transfer any operations master (FSMO) roles it holds to another domain controller, and make sure its site isn't left without a global catalog server.
Once you've minimized the domain controller's responsibilities, convert it into a member server by running Dcpromo and choosing to demote it. Remember that this can take a long time and place a considerable strain on your network, so it's best done at night or on a weekend.
Once the domain controller becomes a member server, moving it is identical to moving any other member server or workstation: use Netdom as explained in the section above.
When the server is in the new domain, make it a domain controller again by running Dcpromo once more. Again, this is a long process that will bog down your network: promotion replicates the new domain's directory data to the server, so the time it takes and the strain it places on the network depend on the size of the domain. A domain with many objects will take quite some time; one with only a few user and computer accounts may go fairly quickly.
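Most of the pain in this three-step move comes from demoting a domain controller that still has responsibilities. Here is an added example, not part of the original article, of the pre-flight check I'd run on the domain controller before touching Dcpromo: it looks for operations master roles it still holds, confirms another domain controller remains in its site, and lists the DNS service and file or print shares that the article says to offload first. It assumes netdom.exe and nltest.exe from the Support Tools are on the PATH, that it runs on the domain controller being moved, and a constructed current domain name OLDCORP; the FSMO and site checks parse the text that netdom query and nltest print.

```powershell
# Added example, not from the original article. Run on the domain controller
# you intend to move; it checks the points the article says to settle before
# demoting it. Assumes netdom.exe and nltest.exe are on the PATH and that the
# current domain is named OLDCORP (a constructed name).
param(
    [string]$Domain = 'OLDCORP',
    [string]$Server = $env:COMPUTERNAME
)

$problems = @()

# 1. Operations master (FSMO) roles. Transfer any this server holds to another
#    domain controller before demoting it.
$fsmo = & netdom.exe query /D:$Domain FSMO 2>&1 | ForEach-Object { "$_" }
$held = $fsmo | Where-Object { $_ -match [regex]::Escape($Server) }
if ($held) { $problems += "holds operations master role(s): $($held -join '; ')" }

# 2. Leave at least one other domain controller in this site.
$site      = (& nltest.exe /dsgetsite 2>&1 | ForEach-Object { "$_" })[0].Trim()
$dcsInSite = & nltest.exe /dclist:$Domain 2>&1 | ForEach-Object { "$_" } |
             Where-Object { $_ -match "Site:\s*$([regex]::Escape($site))\s*$" }
if (@($dcsInSite).Count -le 1) { $problems += "is the only domain controller in site '$site'" }

# 3. Other roles the article says to offload first: DNS and file/print shares.
#    Win32_Share Type 0 = disk share, 1 = print share; administrative shares
#    (C$, ADMIN$) have other type values and are ignored.
if (Get-Service -Name DNS -ErrorAction SilentlyContinue) {
    $problems += 'is running the DNS Server service'
}
$shares = Get-WmiObject -Class Win32_Share |
          Where-Object { ($_.Type -eq 0 -or $_.Type -eq 1) -and
                         @('NETLOGON', 'SYSVOL') -notcontains $_.Name }
if ($shares) { $problems += "still serves shares: $(($shares | ForEach-Object { $_.Name }) -join ', ')" }

if ($problems) {
    Write-Warning "$Server is not ready to be demoted. It still:"
    $problems | ForEach-Object { Write-Warning "  - $_" }
    exit 1
}
"$Server passed the checks. Order of operations: dcpromo (demote to member server),"
"netdom move $Server /Domain:<new domain> /UserD:<user> /PasswordD:* /REBoot, then dcpromo again."
```

The script deliberately stops at reporting rather than transferring roles or removing shares for you; each of those is a change you want to make knowingly, during the same off-hours window you've reserved for the two Dcpromo runs.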
Although you can use Movetree to move many types of AD objects between domains, it's usually a pain to do so: you have to follow a specific set of rules that differ depending on the type of object you're moving. For workstation, member server, and domain controller objects, the options described here are better and safer ways of moving objects around your AD tree.