Skuami (4 years ago)
C# Question

Move user object across domain

We wrote a migration tool (C#) for a large domain migration project of a customer. The customer has one forest with one parent domain and several child domains. They want to move all user objects from the child domains to the parent domain.

Apart from a lot of customer specific stuff, the migration tool moves user objects from the child to the parent domain using the following ADSI method:

IADsContainer::MoveHere
https://msdn.microsoft.com/en-us/library/aa705991(v=vs.85).aspx

According to the following article it is possible to move objects across domains if certain requirements are met:
https://technet.microsoft.com/en-us/library/ee198798.aspx

For test purposes I am using the following VBScript, which does basically the same as my C# application:

' Bind to the destination container the object is to be moved into
Set objOU = GetObject("LDAP://ou=Management,dc=NA,dc=fabrikam,dc=com")
' Move the object identified by its ADsPath into that container;
' vbNullString keeps the object's existing RDN (cn=AckermanPilar)
objOU.MoveHere "LDAP://cn=AckermanPilar,ou=Management,dc=fabrikam,dc=com", vbNullString


The VBScript from above works in my test environment. If we try the same script in production it fails with the following useless error message:

Error: The server is unwilling to process the request.
Code: 80072035
Source: Active Directory


However, if we run the same script to move a user object from the parent domain to the child domain, it works.

The user object we try to move doesn't have any group memberships apart from the primary group which is a universal group. We run the script from the source domain (child) and the user account we use to run the script has enterprise administrator privileges. We also double checked all the requirements from the links above.

Does anyone have an idea what the problem might be and/or how I can solve it?

Answer

We tried a lot of different configurations, permissions, settings and so on. In the end we tried to run the script on a different domain controller (also in the child domain) and it just worked.

We haven't found out yet what the differences are between those two domain controllers but it works for now.

Update: The server on which the script runs has the PDC role. I haven't found any article that says you have to run the script on a PDC but it looks like you have to.
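The following PowerShell script is an added example and is not code from the question or the answer above. It performs the same cross-domain move (IADsContainer::MoveHere, reached through DirectoryEntry.MoveTo) but, following the answer's observation, binds the source object explicitly through the PDC emulator of the source child domain instead of letting the DC locator choose a domain controller. Before moving, it checks the two preconditions the question states (no group memberships other than the primary group, and a universal primary group) and, on failure, reports the HRESULT together with the DC that was used. The domain names, DNs and user name are hypothetical test values; 0x80072035 is ERROR_DS_UNWILLING_TO_PERFORM, the error quoted in the question.

```powershell
<#
  Added example, not code from the original question or answer.
  Cross-domain user move with ADSI, bound to the source domain's PDC emulator.
  Domain names, DNs and the user name are hypothetical test values.
#>
param(
    [string]$SourceDomain = 'na.fabrikam.com',
    [string]$SourceUserDn = 'CN=AckermanPilar,OU=Management,DC=NA,DC=fabrikam,DC=com',
    [string]$TargetOuDn   = 'OU=Management,DC=fabrikam,DC=com'
)

$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.DirectoryServices

# 1. Locate the PDC emulator of the source (child) domain through the locator API.
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $SourceDomain)
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).PdcRoleOwner.Name
Write-Output "Source DC (PDC emulator of ${SourceDomain}): $pdc"

# 2. Bind to the user through that specific DC. A server-less path such as
#    "LDAP://CN=..." lets the locator pick any DC, which is exactly what differed
#    between the failing and the working run described in the answer.
$user = [ADSI]"LDAP://$pdc/$SourceUserDn"

# 3. Precondition from the question: no group memberships apart from the primary
#    group. memberOf never lists the primary group, so any entry is a blocker.
$memberOf = $user.psbase.Properties['memberOf']
if ($memberOf.Count -gt 0) {
    throw "Refusing to move: user is still a member of: $(@($memberOf) -join '; ')"
}

# 4. Resolve the primary group (domain SID + primaryGroupID RID) and confirm it is
#    a universal group (GROUP_TYPE_UNIVERSAL_GROUP = 0x8 in groupType).
$userSid         = New-Object System.Security.Principal.SecurityIdentifier($user.psbase.Properties['objectSid'].Value, 0)
$primaryGroupSid = '{0}-{1}' -f $userSid.AccountDomainSid.Value, [int]$user.psbase.Properties['primaryGroupID'].Value
$primaryGroup    = [ADSI]"LDAP://$pdc/<SID=$primaryGroupSid>"
$groupType       = [int]$primaryGroup.psbase.Properties['groupType'].Value
if (($groupType -band 0x8) -eq 0) {
    $dn = $primaryGroup.psbase.Properties['distinguishedName'].Value
    throw "Refusing to move: primary group $dn is not universal (groupType=0x$('{0:X8}' -f $groupType))"
}

# 5. Perform the move. DirectoryEntry.MoveTo calls IADsContainer::MoveHere on the
#    destination container with the source object's ADsPath, i.e. the same
#    operation as the VBScript in the question, but with a server-qualified source.
$targetOu = [ADSI]"LDAP://$TargetOuDn"
try {
    $user.psbase.MoveTo($targetOu)
    Write-Output "Moved $SourceUserDn to $TargetOuDn via $pdc"
}
catch [System.Runtime.InteropServices.COMException] {
    # 0x80072035 = ERROR_DS_UNWILLING_TO_PERFORM ("The server is unwilling to
    # process the request"). Logging the DC makes the DC-dependent behaviour
    # reported in the answer visible when comparing runs.
    $hresult = '0x{0:X8}' -f $_.Exception.ErrorCode
    throw "MoveHere failed on source DC ${pdc}: $hresult $($_.Exception.Message)"
}
```

Run it in the source (child) domain under an account with the rights described in the question; to reproduce the answer's comparison, replace the `$pdc` lookup with the name of another child-domain DC and compare the logged HRESULT.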
