MoveTree Notes

Before using MoveTree you should do the following to maintain peak performance:

1. Review all Group Policy objects that apply to a particular organizational unit, and make a note of the Group Policy settings they contain.
2. Recreate the Group Policy objects, linked to the moved organizational unit in the new domain, with the desired settings.
3. Make sure to remove the Group Policy objects linked from the old domain.

While MoveTree can move some Active Directory objects between domains, certain objects cannot be moved. MoveTree is also unable to move certain associated data that may exist externally to Active Directory.

Detailed Limitations

Local and Domain Global Groups

Universal Groups

Computer Objects

Associated Data

MoveTree cannot move the following objects:

• system objects (identified by the objectClass being marked as systemOnly)
• objects in the configuration or schema naming contexts
• objects in the special containers in the domain: Builtin, ForeignSecurityPrincipal, System, LostAndFound
• domain controllers or any object whose parent is a domain controller
• any object with the same name as an object that already exists in the target domain

MoveTree may fail due to some of the following error conditions:

• The source domain controller cannot transfer the RID role owner.
• The source object is locked due to another operation in progress (for example, if another user is currently creating child objects under the source object that is selected for the move operation).
• Either the source or destination domain have invalid credentials.
• The destination knows the source object is deleted but the source does not (for example, the source object had been deleted on a different domain controller, but due to replication latency, the source domain controller has not yet received the deletion event).
• There is a failure at the destination domain controller (for example, Disk Full).
• A Security Accounts Manager (SAM) constraint is met (for example, Duplicate SAM Account Name or source object password length does not meet the password restrictions in the target domain).
• The source and destination have a schema mismatch.

During a MoveTree operation, if the process is paused or halted, then any objects that have yet to be moved remain in an orphan container in the Lost And Found container in the source domain. The Lost And Found container can be viewed in the Active Directory Users and Computers snap-in (a Windows XP Professional administrative tool) when the Advanced View menu option is selected. The orphan container is named using the globally unique identifier (GUID) of the parent container being moved and can be readily identified; it will contain the objects that were selected for the MoveTree operation.

For example, if an organizational unit called "Sales" was being moved, and it has an object GUID of {123-abc}, and the MoveTree operation were halted, then the tree structure would look like this:

Lost + Found
		 {123-abc}
			 Sales

MoveTree returns ErrorLevel 0 for success and ErrorLevels 1 through 5 for different kinds of failure. These values can be used as criteria for branching, when the tool is used in a batch file; see Example 5: Use MoveTree in a Batch File in MoveTree Examples.

Error Level	Meaning
0	Success
1	Error – command line syntax
2	Error – directory conflict (duplicate names, insufficient privilege, name conflict, immovable object)
3	Error - network error (DC unavailable)
4	Error – system resource (Low VM, disk space)
5	Error – internal processing error