MoveTree.exe is a command-line utility that enables administrators to move Active Directory objects such as organizational units, users, and so on, between domains in a single forest. These types of operations support domain reconsolidation or organizational restructuring.
Although MoveTree moves Active Directory objects between domains, some Active Directory objects cannot be moved between domains. Associated data outside Active Directory might also not be moved. Computer objects are not moved during a MoveTree operation.
When objects are moved, they are initially copied to the Lost and Found container in the source domain, and then they are moved to the destination domain. All objects that are moved are recorded in the MoveTree.log file, and all error messages are recorded in the MoveTree.err file. Objects that cannot be moved remain in an orphan container in the Lost and Found container in the source domain. Local and domain global groups are not moved during a MoveTree operation. However, group memberships remain intact; therefore, security is not compromised.
Associated data that is not moved during MoveTree operations includes profiles, logon scripts, and users' personal data. Additional scripts or management tools need to be used in conjunction with MoveTree to perform these additional steps. MoveTree enables an organizational unit to be moved with all of the linked Group Policy objects in the source domain intact. Although the Group Policy object link moves and continues to work, clients receive their Group Policy settings from the source domain. Because of this potential performance degradation, it is strongly recommended that you re-create the Group Policy objects for the moved organizational unit in the destination domain, and then delete the old Group Policy objects in the source domain.
MoveTree [/start | /continue | /check] [/s SrcDSA] [/d DstDSA]
[/sdn SrcDN] [/ddn DstDN] [/u Domain\Username] [/p Password] [/quiet]
/start : Start a MoveTree operation with /check option by default.
: Alternatively, you can use /startnocheck to start a
: MoveTree operation without a check.
/continue : Continue a failed MoveTree operation.
/check : Check the whole tree before actually moving any object.
/s <SrcDSA> : Source domain DSA name. Required.
/d <DstDSA> : Destination domain DSA name. Required.
/sdn <SrcDN> : Source subtree's root domain name.
: Required in Start and Check case.
: Optional in Continue case.
/ddn <DstDN> : Destination subtree's root domain name. Required.
/u <Domain\UserName> : Domain name and user account name. Optional.
/p <Password> : Password. Optional.
/quiet : Quiet mode. Without any display. Optional.
- MoveTree /check /s Server1 /d Server2 /sdn OU=SourceOU,DC=Dom1 /ddn OU=DestOU,DC=Dom2 /u Dom1\administrator /p *
- MoveTree /start /s Server1 /d Server2 /sdn OU=SourceOU,DC=Dom1 /ddn OU=DestOU,DC=Dom2 /u Dom1\administrator /p MySecretPwd
- MoveTree /startnocheck /s Server1 /d Server2 /sdn OU=SourceOU,DC=Dom1 /ddn OU=DestOU,DC=Dom2 /u Dom1\administrator /p MySecretPwd
- MoveTree /continue /s Server1 /d Server2 /ddn OU=DestOU,DC=Dom1 /u Dom1\administrator /p * /quiet
Key Guidelines for Using MoveTree
- Ensure Domain Name Server (DNS) name resolution is working correctly.
- Ensure that you have permissions on the source and destination domains to complete the move. The following error message is logged in the MoveTree.err file if you have insufficient permissions:
Error: 0x2098 Insufficient Access Rights to perform the operation.
MoveTree cross domain move failed. The extended error is 00002098: SrcErr:DSID-0031B02E2, problem 5003 (WILL_NOT_PERFORM), data 0
- Use quotation marks for parameters with spaces.
- Use all lowercase letters when designating the source and destination subtree root domain names. If you use uppercase letters, the following error message is logged in the MoveTree.err file:
Error: 0x20e4 The Naming Context could not be found.
MoveTree cross domain move failed.
The extended error is 0000020e4: SvcErr: DSID-031B02E2, problem 5003
(WILL_NOT_PERFORM), data 0
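A pre-flight check for the syntax and guidelines above, as an added example that is not part of the original page or of MoveTree itself: it lints a MoveTree command line before the command is run. The name lint_movetree and the sample command line are assumptions, as is treating `/p *` as the non-literal password form (the page's examples use it but do not explain it).

```python
import shlex

# Switch tables transcribed from the syntax section of this page.
MODES = {"/start", "/startnocheck", "/continue", "/check"}
VALUE_SWITCHES = {"/s", "/d", "/sdn", "/ddn", "/u", "/p"}
FLAGS = {"/quiet"}

def lint_movetree(cmdline):
    """Return a list of findings for one MoveTree command line (empty = clean)."""
    findings = []
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX keeps the \ in Dom1\user
    if tokens and tokens[0].lower() in ("movetree", "movetree.exe"):
        tokens = tokens[1:]
    modes, values, i = [], {}, 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in MODES:
            modes.append(tok)
        elif tok in VALUE_SWITCHES:
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("/"):
                findings.append(f"{tok} has no value")
            else:
                i += 1
                values[tok] = tokens[i].strip('"')
        elif tok not in FLAGS:
            # An unquoted value with a space splits into an extra token.
            findings.append(f"stray token {tokens[i]!r}: quote values that contain spaces")
        i += 1
    if len(modes) != 1:
        findings.append("exactly one of /start, /startnocheck, /continue, /check is required")
    required = ["/s", "/d", "/ddn"]
    if modes and modes[0] != "/continue":
        required.append("/sdn")  # optional only in the Continue case
    findings += [f"missing required {sw}" for sw in required if sw not in values]
    for sw in ("/sdn", "/ddn"):
        dn = values.get(sw, "")
        if dn != dn.lower():  # guideline applied to the whole value (an interpretation)
            findings.append(f"{sw} contains uppercase letters (guideline: use all lowercase)")
    if values.get("/p", "*") != "*":
        findings.append("/p carries a literal password, visible in scripts, history and process listings")
    return findings

# Constructed sample command line, not taken from a real environment.
SAMPLE = r'MoveTree /start /s server1 /d server2 /sdn OU=Source OU,dc=dom1 /ddn ou=destou,dc=dom2 /u dom1\administrator /p MySecretPwd'

if __name__ == "__main__":
    for finding in lint_movetree(SAMPLE):
        print(finding)
```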
MoveTree moves the computer accounts, but the accounts are not valid in the new domain. Active Directory Users and Computers in the new domain shows all the computer accounts that MoveTree moved, but the individual computers are not able to log on to the new domain. Netdom must be used to move the computer accounts.
NOTE: MoveTree requires that the destination domain be in Native mode.
NOTE: The command has to be run on the RID master of the source domain against the RID master of the destination domain; otherwise you will see the following error:
ERROR: 0x2012 The requested operation could not be performed because the directory service is not the master for that type of operation.