Moving and Renaming Computers with Active Directory - Moving a Computer to a New Domain

(Page 2 of 4 )

Problem

You want to move a computer object to a different domain. 

Solution

Using a graphical user interface

To migrate a computer object between domains in the same forest, use the following steps:

1. Open the ADMT MMC snap-in.
   
2. Right-click on the Active Directory Migration Tool folder and select the Computer Account Migration Wizard.
   
3. On the Domain Selection page, enter the DNS or NetBIOS name of the source and target domains. Click Next.
   
4. On the Translate Objects screen, specify which objects should have new ACLs applied in the new domain. Select any, none, or all of the following, and then click Next to continue:
   
   • Files and folders
     
   •  Local groups
     
   •  Printers
     
   •  Registry
     
   •  Shares
     
   •  User profiles
     
   •  User rights
     
5. On the Security Migration Options screen, select the following options to determine how local user accounts will be migrated into the new domain. Select one of the following and click Next to continue:
   
   Replace
      This option will replace any references to
      objects from the source domain with
      references to objects in the target domain.
   
   Add
      This option adds references to objects in the
      target domain while leaving the source domain
      objects intact.
   
   Remove
      This option removes all references to source
      domain objects.
   
6. On the Naming Conflicts page, configure how the wizard should handle naming conflicts during the migration process. Select one of the following and click Next to continue:
   
   
   • Ignore conflicting accounts and don’t migrate.
     
   • Replace conflicting accounts.
     
   • Rename conflicting accounts by adding a designated prefix or suffix.
     
7. On the Options screen, select the amount of time the wizard should wait before rebooting the target computer into the new domain.
   
8. Click Next to review your choices and begin the migration process.

Using a command-line interface

The following command will migrate a computer object from the rallencorp.com domain to the emea.rallencorp.com domain. It will place the migrated object in the Finance OU and will wait two minutes before rebooting the target computer:

  ADMT COMPUTER /N "FIN101-A" "FIN101-A" /SD:"emea.rallencorp.com" 
  /TD:"emea.rallencorp.com" /TO:"Finance" /RDL:2

Using VBScript

  set objObject = GetObject(LDAP://TargetDC/TargetParentDN)
  objObject.MoveHere "LDAP://SourceDC/SourceDN", vbNullString

Discussion

You can move objects between domains assuming you follow a few guidelines:

1. The user requesting the move must have permission to modify objects in the parent container of both domains.
   
2. You need to explicitly specify the target DC (serverless binds usually do not work). This is necessary because the Cross Domain Move LDAP control is being used behind the scenes. (For more information on controls, see Recipe 4.4.)
   
3. The move operation must be performed against the RID master for both domains. This is done to ensure that two objects that are being moved simultaneously don’t somehow get assigned the same RID.
   
4. Both domains must be in native mode.

See Also

Recipe 4.4 for more on LDAP controls, MSDN: IADsContainer::MoveHere, and MS KB 326480 (How to Use Active Directory Migration Tool version 2 to migrate from Windows 2000 to Windows Server 2003)

Next: Renaming a Computer >>
 

More Windows Scripting Articles
More By O'Reilly Media

Comments On: Moving and Renaming Computers with Active Directory

· This article is an excerpt from the book "Active Directory Cookbook, Second...   >>> Post your comment now!

Buy this book...

This article is excerpted from chapter eight of the Active Directory Cookbook, Second Edition, written by Robbie Allen and Laura E. Hunter (O'Reilly; ISBN: 059610202X). Check it out today at your favorite bookstore. Buy this book now.