We wrote a migration tool (C#) for a large domain migration project of a customer. The customer has one forest with one parent domain and several child domains. They want to move all user objects from the child domains to the parent domain.
Apart from a lot of customer-specific stuff, the migration tool moves user objects from the child to the parent domain using the following ADSI method:
According to the following article it is possible to move objects across domains if certain requirements are met:
For testing purposes I am using the following VBScript, which does basically the same as my C# application:
Set objOU = GetObject("LDAP://ou=Management,dc=NA,dc=fabrikam,dc=com")
Error: The server is unwilling to process the request.
Source: Active Directory
We tried a lot of different configurations, permissions, settings and so on. In the end we tried to run the script on a different domain controller (also in the child domain) and it just worked.
We haven't found out yet what the differences are between those two domain controllers but it works for now.
Update: The server on which the script runs has the PDC role. I haven't found any article that says you have to run the script on a PDC but it looks like you have to.
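As an added example (not the poster's migration tool and not the script from the referenced article), here is the same child-to-parent move written in C# against System.DirectoryServices, with the preconditions checked before the move is attempted. A cross-domain move has to be submitted to the domain controller holding the RID master FSMO role of the source domain, and in small deployments that is frequently the same DC that holds the PDC emulator role, so the example resolves the RID master explicitly instead of relying on whichever DC the client happens to bind to. It also checks the two object-level preconditions that most often produce "unwilling to perform": the primary group must be Domain Users and the user may not be a member of any global group. The domain names, server names and DNs are placeholders, and the example assumes that binding the source object with an explicit server name in the ADsPath is enough to direct the operation to that DC.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Runtime.InteropServices;

// Added example, not the poster's tool: moves one user from a child domain into a
// container of the parent domain via DirectoryEntry.MoveTo (IADsContainer::MoveHere).
public static class CrossDomainUserMove
{
    // groupType bit 0x2 (GROUP_TYPE_ACCOUNT_GROUP) marks a global group. Global groups
    // cannot hold members from another domain, so any such membership blocks the move.
    private const int GlobalGroupBit = 0x2;
    // Well-known RID of Domain Users, the only primary group allowed during the move.
    private const int DomainUsersRid = 513;

    // Resolve the DC holding the RID master role for the source domain; a cross-domain
    // move must be submitted to this DC.
    public static string FindRidMaster(string sourceDomainDnsName)
    {
        var ctx = new DirectoryContext(DirectoryContextType.Domain, sourceDomainDnsName);
        using (Domain domain = Domain.GetDomain(ctx))
        {
            return domain.RidRoleOwner.Name;
        }
    }

    // Return the DNs of global groups the user belongs to, reading each group through
    // the same server the user was bound on. memberOf never lists the primary group,
    // which is why primaryGroupID is checked separately in MoveUser.
    public static List<string> GlobalGroupMemberships(DirectoryEntry user, string server)
    {
        var blocking = new List<string>();
        foreach (string groupDn in user.Properties["memberOf"])
        {
            // Assumption: group DNs contain no '/' (which would need escaping in an ADsPath).
            using (var group = new DirectoryEntry("LDAP://" + server + "/" + groupDn))
            {
                int groupType = (int)group.Properties["groupType"].Value;
                if ((groupType & GlobalGroupBit) != 0)
                {
                    blocking.Add(groupDn);
                }
            }
        }
        return blocking;
    }

    // Move userDn (child domain) into targetContainerDn (parent domain).
    // targetDc is any writable DC of the target domain; the RID master is resolved here.
    public static void MoveUser(string sourceDomainDnsName, string userDn,
                                string targetDc, string targetContainerDn)
    {
        string ridMaster = FindRidMaster(sourceDomainDnsName);

        using (var user = new DirectoryEntry("LDAP://" + ridMaster + "/" + userDn))
        using (var target = new DirectoryEntry("LDAP://" + targetDc + "/" + targetContainerDn))
        {
            int primaryGroupId = (int)user.Properties["primaryGroupID"].Value;
            if (primaryGroupId != DomainUsersRid)
            {
                throw new InvalidOperationException(
                    "Primary group must be Domain Users (RID 513) before the move; found RID " + primaryGroupId);
            }

            List<string> blocking = GlobalGroupMemberships(user, ridMaster);
            if (blocking.Count > 0)
            {
                throw new InvalidOperationException(
                    "Remove the user from these global groups first: " + string.Join("; ", blocking));
            }

            try
            {
                // Same ADSI operation the VBScript test performs; MoveTo commits immediately.
                user.MoveTo(target);
                Console.WriteLine("Moved {0} to {1} via {2}", userDn, targetContainerDn, ridMaster);
            }
            catch (COMException ex)
            {
                // "The server is unwilling to process the request" arrives here as
                // HRESULT 0x80072035 (ERROR_DS_UNWILLING_TO_PERFORM); log the code and the
                // directory's extended message, which names the failed precondition.
                Console.Error.WriteLine("Move refused: 0x{0:X8} {1}", ex.ErrorCode, ex.Message);
                throw;
            }
        }
    }

    public static void Main()
    {
        // Placeholder values modelled on the child domain NA.fabrikam.com under fabrikam.com.
        MoveUser("na.fabrikam.com",
                 "CN=Jane Doe,OU=Management,DC=NA,DC=fabrikam,DC=com",
                 "dc1.fabrikam.com",
                 "OU=Management,DC=fabrikam,DC=com");
    }
}
```

Running this under an account that can delete the user in the child domain and create it in the target container gives the move a predictable home (the RID master) instead of depending on which DC the client is pointed at, and the two pre-checks turn the generic "unwilling to perform" into a message that names the actual blocker.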