newexhsh
Move user account between 2 child DCs in the same forest
Dear All,
I have a situation like this:
AD root - test.com
child DC - hk.test.com (this DC stores example.com's mailboxes)
AD root - example.com
(When I create an account in example.com for user login, at the same time I also create the same mail-enabled account in hk.test.com using Exchange 2003.
That means:
create user1 in example.com for login
then
create user1 in hk.test.com for the email account)
And I have 2 choices:
Choice 1
I would like to demote example.com and then dcpromo this server to become cn.test.com. Then I cannot manage the accounts easily. But the duplicate accounts will be a problem when I join this computer as cn.test.com. Is there any solution to solve the problem easily?
Choice 2
I have a new server installed with Windows 2003, and I join this server as a child DC called cn.test.com. But can I move the accounts from hk.test.com to cn.test.com, whose mailbox accounts were for example.com before?
Which choice is better, or is there any other good solution?
Thanks in advance to everyone who replies
ASKER
Hi Chris,
I have created the OU "idaccount" in hk.test.com; now I want to move this OU, including the OU's users, to cn.test.com
movetree /check /s hk.test.com /d cn.test.com /sdn OU=idaccount,DC=hk,DC=test,DC=com /dnn OU=idaccount,DC=cn,DC=test,DC=com
then it shows
"MOVETREE PRE-CHECK FINISHED.
MOVETREE IS READY TO START THE MOVE OPERATIION"
However, when I type
movetree /start /s hk.test.com /d cn.test.com /sdn OU=idaccount,DC=hk,DC=test,DC=com /dnn OU=idaccount,DC=cn,DC=test,DC=com
movetree.err shows
"ERROR: 0x80090303 The specified target is unknown or unreachable
MoveTree cross domain move failed. The extended error is 80090303: SecErr: DSID-031B0677, problem 4001 (INAPPROPRIATE_AUTH), data 0
ERROR: 0x80090303 The specified target is unknown or unreachable
MoveTree cross domain move failed to move object OU=idaccount,cn=a946fb0f-4751-4619-b108-73e471f5792a,CN=LostAndFound,DC=hk,DC=test,DC=com to container DC=cn,DC=test,DC=com"
I have raised the operational level, so it is in Windows 2003 native mode
Am I missing something?
Thanks
/s and /d are (at least when we tested it) the server names. So /s Server1.hk.test.com and /d Server1.cn.test.com.
It could also be that I remember the syntax incorrectly. Could you try creating an OU called idaccount on CN to see if it just works from that point down?
Chris
ASKER
I have tried creating the idaccount OU in cn.test.com
then I ran the movetree command again
it shows
"MOVETREE PRE-CHECK FINISHED.
MOVETREE DETECTED THERE ARE SOME OBJECTS CAN NOT BE MOVED.
PLEASE CLEAN THEM UP FIRST BEFORE TRYING TO START THE MOVE TREE OPERATION."
"ReturnCode: 0x210a The replication operation failed due to a collision of object names.
MoveTree check destination RDN conflict for object: OU=idaccount,DC=hk,DC=test,DC=com
ReturnCode: 0x0 The operation completed successfully.
MoveTree cross domain move check for object: OU=idaccount,DC=hk,DC=test,DC=com
ReturnCode: 0x0 The operation completed successfully.
MoveTree cross domain move check for object: CN=idaccount1,OU=idaccount,DC=hk,DC=test,DC=com
ReturnCode: 0x0 The operation completed successfully.
MoveTree check Duplicate SAM Account Name for object: CN=idaccount1,OU=idaccount,DC=hk,DC=test,DC=com
ReturnCode: 0x0 The operation completed successfully.
MoveTree cross domain move check for object: CN=idaccount2,OU=idaccount,DC=hk,DC=test,DC=com
ReturnCode: 0x0 The operation completed successfully.
MoveTree check Duplicate SAM Account Name for object: CN=idaccount2,OU=idaccount,DC=hk,DC=test,DC=com"
THANKS
A little odd that it wouldn't do that the first time, but as long as it has the user accounts across.
Chris
ASKER
When I specify the user account, it still fails
I run
movetree /start /s hk.test.com /d cn.test.com /sdn CN=idaccount1,OU=idaccount,DC=hk,DC=test,DC=com /dnn CN=idaccount1,OU=idaccount,DC=cn,DC=test,DC=com
"ERROR: 0x80090303 The specified target is unknown or unreachable
MoveTree cross domain move failed. The extended error is 80090303: SecErr: DSID-031B0677, problem 4001 (INAPPROPRIATE_AUTH), data 0
ERROR: 0x80090303 The specified target is unknown or unreachable
MoveTree cross domain move failed to move object CN=idaccount1,OU=idaccount,DC=hk,DC=teama,DC=com to container OU=idaccount,DC=id,DC=teama,DC=com"
Thanks
Could you try:
movetree /start /s hk.test.com /d cn.test.com /sdn CN=idaccount1,OU=idaccount
Basically just remove the user account from the destination.
Chris
Hmmm, no, I don't think that'll do it. It should work, and normally works with the full DN of the target specified as you've written above.
The only difference between the command you're using and the examples and the tests I've done is the exclusion of the server names - it should really be done from the RID Master on each domain. Or are you filling those in?
Chris
The MS examples of it are here. They're a bit better explained than mine:
http://technet2.microsoft.com/WindowsServer/en/Library/ee76d911-1fd4-4a04-be49-03ba407d6dde1033.mspx
Chris
ASKER
I have followed the instructions, but it still fails. Now I wonder whether it is not a command problem; do I need to configure something in order to move users between different domains and sites in an AD forest?
thanks
Not that I'm aware of, I just set it up to work between the two RID Masters on our network and didn't bump into any problems after that.
Chris
ASKER
Can I know how I can set the 2 DCs to be RID masters?
thanks
Run "netdom query fsmo" at the command line to find it, then use the respective server for each domain with the /s and /d switches.
Chris
ASKER
Hi Chris
I have run "netdom query fsmo" on both servers
however, I still get this error from "movetree.chk" when I type this command
"ReturnCode: 0x210a The replication operation failed due to a collision of object names.
MoveTree check destination RDN conflict for object: OU=idaccount,DC=hk,DC=teama,DC=com
ReturnCode: 0x0 The operation completed successfully.
MoveTree cross domain move check for object: OU=idaccount,DC=hk,DC=test,DC=com
ReturnCode: 0x0 The operation completed successfully.
MoveTree cross domain move check for object: CN=idaccount1,OU=idaccount,DC=hk,DC=test,DC=com
ReturnCode: 0x0 The operation completed successfully.
MoveTree check Duplicate SAM Account Name for object: CN=idaccount1,OU=idaccount,DC=hk,DC=test,DC=com
ReturnCode: 0x0 The operation completed successfully.
MoveTree cross domain move check for object: CN=idaccount2,OU=idaccount,DC=hk,DC=teama,DC=com
ReturnCode: 0x0 The operation completed successfully.
MoveTree check Duplicate SAM Account Name for object: CN=idaccount2,OU=idaccount,DC=hk,DC=test,DC=com"
why does it show
"ReturnCode: 0x210a The replication operation failed due to a collision of object names. MoveTree check destination RDN conflict for object"
I don't have this account on my destination server
also,
"ReturnCode: 0x0 The operation completed successfully. MoveTree check Duplicate SAM Account Name for object: CN=idaccount1,OU=idaccount,DC=hk,DC=test,DC=com"
duplicate SAM? I don't know why there are duplicate SAMs
and what is the difference between movetree.err and movetree.chk ?
thanks
ASKER CERTIFIED SOLUTION
ASKER
I can use ADMT to do that, finally
Thanks
Hi, I am trying to use MoveTree Utility to move users between two domains in a single forest.
I am using the following syntax:
MoveTree /start /s source domain controller /d destination domain controller /sdn "cn=username,ou=london,dc=domain," /ddn "cn=trichmondwatson,ou=Users,dc=domain" /u domain\username /p ***** /verbose
but I get the following error thrown up: ERROR: 0x208f The object name has bad syntax
Any help would be appreciated,
K
If you're using the default Users container then it's CN=Users, not OU=Users.
Chris
Hi,
It's not too tricky to move an account between Domains in the same forest. You need to use the Support Tools utility called MoveTree.
It's a command line tool but works very well (or at least did when we tested it).
First of all you need to boot the user out of any groups they're in. Then you can use MoveTree (it's a bit of a long command) to first check:
MoveTree /check /s <SourceDC> /d <DestinationDC> /sdn CN=User Name,OU=SomeOU,OU=SomeOthe
Then the same again with /start to move it:
MoveTree /start /s <SourceDC> /d <DestinationDC> /sdn CN=User Name,OU=SomeOU,OU=SomeOthe
The mailbox will still be attached to the original mail server at this point and if you need to move it you can do so with the Move Mailbox function from Exchange Tasks.
Full documentation on the command is here:
http://support.microsoft.com/?kbid=238394
All our testing was with Windows 2003 Domains and we didn't bump into any problems using it.
Chris
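The procedure Chris describes in this answer and in the "netdom query fsmo" reply above (/s and /d pointing at each domain's RID master, the account taken out of its groups first, /check before /start), as an added PowerShell example. This is not code from the thread, from Microsoft or from the Support Tools. It assumes movetree.exe from the Windows Support Tools is on the PATH of an admin workstation that has PowerShell, uses the thread's anonymised names (hk.test.com, cn.test.com, OU idaccount, user idaccount1) as placeholders, and uses /ddn for the destination DN, which is the switch the MoveTree documentation and K's command use (the asker's commands have /dnn). The two guards reflect the failures seen in the thread: a non-zero ReturnCode line in movetree.chk, and 0x210a when the destination DN already exists, because MoveTree gives the /sdn object the name in /ddn rather than placing it inside an existing container of that name.

```powershell
# Added example, not code from the thread, Microsoft or the Support Tools.
# Wraps MoveTree so that /s and /d are the RID masters, group memberships are
# stripped first, and /start only runs after a clean /check.
# Assumptions: movetree.exe is on the PATH; domain names, DNs and the account
# below are placeholders taken from the thread's anonymised example.
param(
    [string]$SourceDomain      = 'hk.test.com',
    [string]$DestinationDomain = 'cn.test.com',
    [string]$SourceDn          = 'CN=idaccount1,OU=idaccount,DC=hk,DC=test,DC=com',
    [string]$DestinationDn     = 'CN=idaccount1,OU=idaccount,DC=cn,DC=test,DC=com',
    [switch]$Start                      # without -Start nothing is changed: only /check runs
)

Add-Type -AssemblyName System.DirectoryServices

function Get-RidMaster {
    # The RID master of a domain, i.e. the server "netdom query fsmo" lists
    # for the RID role; Chris runs MoveTree between these two DCs.
    param([string]$DomainName)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    return $dom.RidRoleOwner.Name
}

function Test-DnExists {
    # Bind through a named DC so the lookup lands in the right domain.
    param([string]$Dc, [string]$Dn)
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Dc/$Dn")
}

function Remove-GroupMemberships {
    # Chris's first step: take the account out of its groups (a global group
    # cannot hold a member from another domain). Returns the group DNs so they
    # can be recorded and re-granted on the destination side. The primary group
    # is not in memberOf and is left alone; groups in the source domain only,
    # bound through the source DC.
    param([string]$Dc, [string]$Dn)
    $user = [ADSI]"LDAP://$Dc/$Dn"
    $removed = @()
    foreach ($groupDn in @($user.memberOf)) {
        $group = [ADSI]"LDAP://$Dc/$groupDn"
        $group.Remove($user.Path)
        $removed += $groupDn
    }
    return $removed
}

function Get-MoveTreeFailures {
    # movetree writes movetree.chk (and .err/.log) into the current directory.
    # A pre-check is clean only when every "ReturnCode: 0x..." line is zero.
    param([string]$Path = '.\movetree.chk')
    $bad = @()
    if (Test-Path $Path) {
        foreach ($line in Get-Content $Path) {
            if ($line -match 'ReturnCode:\s*0x([0-9A-Fa-f]+)' -and
                [Convert]::ToInt64($Matches[1], 16) -ne 0) {
                $bad += $line
            }
        }
    }
    return $bad
}

$srcDc = Get-RidMaster $SourceDomain
$dstDc = Get-RidMaster $DestinationDomain
Write-Host "source RID master: $srcDc; destination RID master: $dstDc"

# MoveTree gives the moved object the name in /ddn; if that DN already exists
# the pre-check fails with 0x210a (the collision seen after pre-creating the OU).
if (Test-DnExists $dstDc $DestinationDn) {
    throw "$DestinationDn already exists on $dstDc; MoveTree would report 0x210a. Use a new DN or remove the existing object."
}

if ($Start) {
    $groups = @(Remove-GroupMemberships $srcDc $SourceDn)
    Write-Host "removed $SourceDn from $($groups.Count) group(s): $($groups -join '; ')"
}

Remove-Item .\movetree.chk, .\movetree.err -ErrorAction SilentlyContinue   # no stale results
& movetree.exe /check /s $srcDc /d $dstDc /sdn $SourceDn /ddn $DestinationDn | Out-Null
$failures = Get-MoveTreeFailures
if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    throw 'MoveTree pre-check reported problems; clean them up before /start'
}
Write-Host 'MoveTree pre-check clean'

if ($Start) {
    & movetree.exe /start /s $srcDc /d $dstDc /sdn $SourceDn /ddn $DestinationDn | Out-Null
    $err = Get-Content .\movetree.err -ErrorAction SilentlyContinue
    if ($err) {
        $err | ForEach-Object { Write-Warning $_ }
        throw 'MoveTree /start failed; see movetree.err and movetree.log'
    }
    Write-Host "moved $SourceDn to $DestinationDn; the mailbox is still on the original Exchange server (use Move Mailbox next)"
}
```

Run it once without -Start to confirm which RID masters it resolved and that movetree.chk comes back clean; only -Start strips the group memberships and performs the move, and the list of groups it prints is what you need in order to re-grant access on the destination side, since the account holds none of those rights from the moment they are removed. MoveTree's /u and /p switches were left off here; add them if the account you are logged on with is not an administrator in both domains.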