January 02, 2001 12:00 AM

MoveTree: The Active Directory Object Manager

Windows IT Pro
InstantDoc ID #16492

Last week I talked to our network and infrastructure people, who were lamenting how Windows 2000 ships with almost no tools to help with Active Directory (AD) maintenance and administration. We pondered how strange it is to ship such a wonderful technology without the proper tools to maintain and administer it. Since Win2K shipped, we've written tools that help manage AD and other directory services. "What you really need to write," said my head network engineer, Chris George, "is an AD pruning and grafting tool." "You mean a Win32 the user could use to drag an organizational unit (OU) from one domain and drop it into another?" I asked. "Exactly, but Web-based," he replied.

Before diving into such a project, I set off to do a little research. During my research, I stumbled upon the Active Directory Object Manager (Movetree.exe), which ships in the Win2K Support Tools. You might remember from my previous columns that the Win2K Support Tools are installed from the Win2K Server, Advanced Server, or Datacenter Server CD-ROMs but aren't installed with the OS. You can find the installation packages in the CD-ROMs' Support folders.

MoveTree is a command-line tool that lets IIS administrators move AD objects, such as OUs and users, between domains in a single forest. IIS administrators use this type of tool to consolidate domains or for organizational restructuring.

MoveTree syntax is fairly straightforward:

movetree {/start | /startnocheck | /continue | /check}
 /s SrcDSA /d DstDSA /sdn SrcDN /ddn DstDN [/u [Domain\]Username /p Password] 
 [/verbose] [{/? | /help}]

Here's a brief description of the parameters (for more information, see the Win2K Support Tools help file):

  • /start—Initiates a MoveTree operation. This command includes a /check operation by default. MoveTree tries to continue the operation until it completes; MoveTree pauses the operation if there's a network fault or if the destination domain controller becomes unavailable.
  • /startnocheck—Starts a MoveTree operation with no /check.
  • /continue—Continues the execution of a previously paused or failed MoveTree operation.
  • /check—Performs a test run of the MoveTree operation, checking the entire tree without moving any objects. This parameter lets you determine whether the destination drive has sufficient disk space, whether there are any conflicts with object names, or whether there are any objects that couldn't be moved (such as Domain Local or Global groups). You then can take remedial action before performing the actual move.
  • /s SrcDSA—Specifies the fully qualified primary DNS name of the source server in the domain from which the objects are being moved (e.g., Server1.Marketing.Microsoft.com). Required for all MoveTree commands.
  • /d DstDSA—Specifies the fully qualified primary DNS name of the destination server in the domain to which the objects are being moved (e.g., Server2.Sales.Microsoft.com). Required for all MoveTree commands.
  • /sdn SrcDN—Specifies the distinguished name of the source subtree or the object being moved (e.g., OU=Promotions,DC=Marketing,DC=Microsoft,DC=com). Required for the /start, /startnocheck, and /check commands; optional for /continue.
  • /ddn DstDN—Specifies the distinguished name of the destination subtree to which the object is being moved (e.g., OU=Promotions,DC=Sales,DC=Microsoft,DC=com). Required for all MoveTree commands.
  • /u [Domain\]Username /p Password—Runs MoveTree under the credentials of a valid username and password.
  • /verbose—Runs MoveTree in verbose mode.
  • /? or /help—Displays the help file text on a command-line syntax screen.

MoveTree returns ErrorLevel 0 for success and ErrorLevels 1 to 5 for different kinds of failure. This is a powerful function because these values can be used as a criterion for branching when the tool is used in a batch file. Below are the error level meanings:

	1--command line syntax
	2--directory conflict (duplicate names, insufficient privilege, name conflict, immovable object)
	3--network error (domain controller (DC) unavailable)
	4--system resource (low virtual memory (VM), disk space)
	5--internal processing error

In the following example, the MoveTree command performs a test run and, if no errors are encountered, moves the Engineers OU from the Engineers domain to the NetworkGuys domain and renames the Engineers OU to NetOps:

movetree /start /s Server1.Engineers.InterKnowlogy.Com /d Server2.NetworkGuys.InterKnowlogy.com /sdn OU=Engineers,DC=Engineers,DC=InterKnowlogy,DC=Com /ddn OU=NetOps,DC=NetworkGuys,DC=InterKnowlogy,DC=Com
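The ErrorLevel branching described above, written out as a batch file. This is an added example, not code from the article or from Microsoft; the server names and DNs are sample values based on the article's example, with each DN assumed to sit in its own server's domain.

```batch
@echo off
rem Added example: branch on MoveTree's ErrorLevel (0 = success, 1-5 = failure).
rem Servers and DNs are sample values based on the article's example.
rem No /u or /p here: run from a logon session that already has rights in
rem both domains, so no password sits in this file or on the command line.
setlocal
set SRC=Server1.Engineers.InterKnowlogy.Com
set DST=Server2.NetworkGuys.InterKnowlogy.com
set SDN=OU=Engineers,DC=Engineers,DC=InterKnowlogy,DC=Com
set DDN=OU=NetOps,DC=NetworkGuys,DC=InterKnowlogy,DC=Com

rem Step 1: test run only. Nothing moves; conflicts surface as ErrorLevel 2.
movetree /check /s %SRC% /d %DST% /sdn %SDN% /ddn %DDN%
set RC=%ERRORLEVEL%
if not "%RC%"=="0" goto report

rem Step 2: the real move. /start repeats the check before moving anything.
movetree /start /s %SRC% /d %DST% /sdn %SDN% /ddn %DDN%
set RC=%ERRORLEVEL%
if "%RC%"=="0" goto done
if not "%RC%"=="3" goto report

rem Step 3: ErrorLevel 3 is a network error, which leaves the operation
rem paused. Resume it once with /continue (/sdn is optional here).
echo Network error during the move; resuming with /continue.
movetree /continue /s %SRC% /d %DST% /ddn %DDN%
set RC=%ERRORLEVEL%
if "%RC%"=="0" goto done

:report
if "%RC%"=="1" echo ErrorLevel 1: command-line syntax error.
if "%RC%"=="2" echo ErrorLevel 2: directory conflict, insufficient privilege, or immovable object.
if "%RC%"=="3" echo ErrorLevel 3: network error, domain controller unavailable.
if "%RC%"=="4" echo ErrorLevel 4: system resource shortage.
if "%RC%"=="5" echo ErrorLevel 5: internal processing error.
echo Move not completed; exiting with ErrorLevel %RC%.
endlocal & exit /b %RC%

:done
echo Move completed. Review the GPO links on %DDN% next.
endlocal & exit /b 0
```

The script's own exit code mirrors MoveTree's, so a scheduler or calling script can branch on it the same way.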

MoveTree lets you move an OU from one domain to another, but the Group Policy Objects (GPOs) linked to that OU stay in the original domain. The GPO links move with the OU and continue to function properly, but clients receive their Group Policy settings from the GPOs located in the moved-from domain, which is inefficient. To avoid this, before executing the MoveTree command, review all GPOs that apply to a particular OU and note the Group Policy settings they contain. Then, using the desired settings, recreate those GPOs that are linked to the moved OU in the moved-to domain. When you're done, make sure you remove the GPOs that are linked from the old domain.

MoveTree has certain limitations, some obvious and some not so obvious, that are well documented in the Windows Support Tools help file. Nonetheless, MoveTree is a viable and powerful tool for your maintenance arsenal.
