| Author | Messages | |
dloder
Posts:40
 | | 07/21/2008 1:36 PM |
| We just forest prepped for E2K7 this past weekend.
One of the last cleanup steps we wanted to perform was moving the six Universal Groups out of the default Microsoft Exchange Security Groups OU in the root domain and into one of our child account domains before we allow them to be used for anything. So their membership is exactly as the forest prep steps define them to be. (So preemptive answer - no issues with the groups being members of domain local groups in the root)
Quick google and whip up a short vbscript for the MoveHere operation targeting the destination RID master. Tests fine in dev, QA and in an air-gapped production replica we spin up for schema changes. However, doing it in prod under EA credentials results in error -2147016651. The server is unwilling to process the request.
We try transferring the RID owner, but the new owner still throws the same error.
Packet trace doesn't show anything useful that's different from when it succeeds in Dev. In Dev you see the Modify RDN request, a referral response from the destination RID master, RPC traffic of the domain move, LDAP bind for the new object, success response and unbind. In prod, after the same RID master referral response, it goes straight to an unbind.
Any help??
| | | |
| michael1
Posts:178
 | | 07/21/2008 7:17 PM |
| So...is this what you did? If not, let us see some code, sanitized as necessary.
$sourceDC = "dc1.region1.example.com"   # for a cross-domain move this DC must be the source domain's RID master (see the resolution later in the thread)
$targetDC = "dcX.region2.example.com"
$sourceDomain = "dc=region1,dc=example,dc=com"
$targetDomain = "dc=region2,dc=example,dc=com"
$sourceOU = "ou=Microsoft Exchange Security Groups," + $sourceDomain
$targetOU = "ou=Microsoft Exchange Security Groups," + $targetDomain
function moveExchangeGroup ([string]$whichGroup)
{
$targetString = "LDAP://" + $targetDC + "/" + $targetOU
$sourceString = "LDAP://" + $sourceDC + "/" + "cn=" + $whichGroup + "," + $sourceOU
##$targetstring
##$sourcestring
# bind both ends explicitly; DirectoryEntry.MoveTo expects a bound DirectoryEntry for the new parent, not a path string
$targetObject = [adsi]$targetString
$sourceObject = [adsi]$sourceString
$sourceObject.psbase.MoveTo($targetObject)
}
moveExchangeGroup "Exchange Organization Administrators"
moveExchangeGroup "Exchange Public Folder Administrators"
moveExchangeGroup "Exchange Recipient Administrators"
moveExchangeGroup "Exchange Servers"
moveExchangeGroup "Exchange View-Only Administrators"
moveExchangeGroup "ExchangeLegacyInterop"
Regards,
Michael B. Smith
MCITP:SA,EMA/MCSE/Exchange MVP
http://TheEssentialExchange.com
| | | |
| dloder
Posts:40
 | | 07/22/2008 10:56 AM |
| strTargetRID = WScript.Arguments.Unnamed.Item(0)
strTargetOU = WScript.Arguments.Unnamed.Item(1)
strSourceDN = WScript.Arguments.Unnamed.Item(2)
' Bind to the destination container through the named DC, then pull the source object
' into it; vbNullString keeps the object's existing RDN (no rename)
Set objObject = GetObject("LDAP://" & strTargetRID & "/" & strTargetOU)
objObject.MoveHere "LDAP://" & strSourceDN, vbNullString
Then called as
cscript Move.vbs RID_Target_in_child_domain "OU=Groups,OU=Exchange,OU=Apps,dc=child" "CN=Exchange Organization Administrators,OU=Microsoft Exchange Security Groups,DC=parent"
for each group.
| | | |
| michael1
Posts:178
 | | 07/22/2008 4:07 PM |
| That looks right. Try the PowerShell. :)
I got no other suggestions, sorry. What you are trying to do is supported.
Regards,
Michael B. Smith
MCITP:SA,EMA/MCSE/Exchange MVP
http://TheEssentialExchange.com
| | | |
| dloder
Posts:40
 | | 07/23/2008 10:25 AM |
| We were able to figure it out.
The move has to originate from the source RID master. The target doesn't matter.
https://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbl_fsm_uvhg.mspx?mfr=true
We were not sourcing from the RID master in the parent domain.
| | | |
| michael1
Posts:178
 | | 07/23/2008 2:44 PM |
| I had no clue of that. Thanks for feeding back.
Regards,
Michael B. Smith
MCITP:SA,EMA/MCSE/Exchange MVP
http://TheEssentialExchange.com
| | | |
| listmail
Posts:428
 | | 07/23/2008 2:48 PM |
| Dave, you should have looked at AdMod to do this move...
In the usage notes
-xdom x Cross domain move, move to DC x. Use with -move. Must specify FQDN of destination DC as parameter of -xdom. The cross domain move has specified requirements which are the same for all mechanisms used. To see the requirements please look up IADsContainer::MoveHere in MSDN Library.
Then if you look up IADsContainer::MoveHere you see
Remarks
In Active Directory, you can move an object within the same domain or from different domains in the same directory forest. For the cross domain move, the following restrictions apply:
* The destination domain must be in the native mode.
* Objects to be moved must be a leaf object or an empty container.
* NT LAN Manager (NTLM) cannot perform authentication; use Kerberos authentication or delegation. Be aware that if Kerberos authentication is not used, the password transmits in plaintext over the network. To avoid this, use delegation with secure authentication.
* You cannot move security principals (for example, user, group, computer, and so on) belonging to a global group. When a security principal is moved, a new SID is created for the object at the destination. However, its old SID from the source, stored in the sIDHistory attribute, is preserved, as well as the password of the object.
Note Use the Movetree.exe utility to move a subtree among different domains. To move objects from a source domain to a destination domain using the Movetree command-line tool, you must connect to the domain controller holding the source domain's RID master role. If the RID master is unavailable then objects cannot be moved to other domains. If you attempt to move an object from one domain to another using the Movetree tool and you specify a source domain controller that is not the RID master, a nonspecific "Movetree failed" error message results.
Note When using the <http://msdn.microsoft.com/en-us/library/aa772238(VS.85).aspx> ADsOpenObject function to bind to an ADSI object, you must use the ADS_USE_DELEGATION flag of the <http://msdn.microsoft.com/en-us/library/aa772247(VS.85).aspx> ADS_AUTHENTICATION_ENUM in the dwReserved parameter of this function in order to create cross-domain moves with IADsContainer::MoveHere. The ADsOpenObject function is equivalent to the <http://msdn.microsoft.com/en-us/library/aa706065(VS.85).aspx> IADsOpenDSObject::OpenDsObject method. Likewise, using the OpenDsObject method to bind to an ADSI object, the lnReserved parameter of this method must contain the ADS_USE_DELEGATION flag of the ADS_AUTHENTICATION_ENUM in order to make cross-domain moves with IADsContainer::MoveHere.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
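Pulling the thread together, an added example that is not code from any of the posts above: a PowerShell function that issues the move through the source domain's RID master, as dloder found, and checks the MoveHere restrictions listmail quoted before it tries. The forest names (parent.example.com, child.parent.example.com), the target OU DN and the function names are assumptions; the six group names and the OU path are the thread's.

```powershell
# Added example (not code from the thread or from any of its posters): one cross-domain move of an
# Exchange Universal Group via ADSI that applies the thread's two lessons: issue the move against the
# SOURCE domain's RID master, and check the IADsContainer::MoveHere restrictions before attempting it.
# Domain names, the target OU and the function names are assumptions; the group names are the six from the thread.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainInfo {
    param([Parameter(Mandatory = $true)][string]$DomainFqdn)
    # Domain.GetDomain exposes the FSMO role owners and the domain mode for a named domain.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $DomainFqdn)
    return [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
}

function Move-GroupCrossDomain {
    param(
        [Parameter(Mandatory = $true)][string]$SourceDomainFqdn,  # domain the group lives in now
        [Parameter(Mandatory = $true)][string]$GroupDn,           # full DN of the group in that domain
        [Parameter(Mandatory = $true)][string]$TargetDomainFqdn,
        [Parameter(Mandatory = $true)][string]$TargetOuDn
    )

    # Restriction: the destination domain must not be in Windows 2000 mixed mode.
    $targetDomain = Get-DomainInfo $TargetDomainFqdn
    if ($targetDomain.DomainMode -eq [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2000MixedDomain) {
        throw "Destination domain $TargetDomainFqdn is in mixed mode; cross-domain moves are refused."
    }

    # The thread's finding: the move must be issued through the SOURCE domain's RID master;
    # which DC in the target domain ends up handling it does not matter.
    $ridMaster = (Get-DomainInfo $SourceDomainFqdn).RidRoleOwner.Name

    # Restriction: NTLM cannot authenticate a cross-domain move. Secure = Kerberos via Negotiate,
    # Delegation = ADS_USE_DELEGATION (required by MoveHere across domains), Sealing = encrypt the session.
    # $null user and password means the caller's own logon (Enterprise Admin) credentials are used.
    $auth  = [System.DirectoryServices.AuthenticationTypes]'Secure, Delegation, Sealing'
    $group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ridMaster/$GroupDn", $null, $null, $auth)
    $dest  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$TargetDomainFqdn/$TargetOuDn", $null, $null, $auth)

    # Restriction: only a leaf object or an empty container can be moved.
    $children = @($group.Children)
    if ($children.Count -gt 0) {
        throw "$GroupDn has $($children.Count) child objects; only leaf objects or empty containers can be moved."
    }

    # Restriction: a security principal that belongs to a GLOBAL group cannot be moved.
    # groupType bit 0x2 is ADS_GROUP_TYPE_GLOBAL_GROUP (the attribute is a signed 32-bit flags value).
    foreach ($parentDn in @($group.Properties['memberOf'])) {
        $parent = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ridMaster/$parentDn", $null, $null, $auth)
        if (([int]$parent.Properties['groupType'].Value) -band 0x2) {
            throw "$GroupDn is a member of global group $parentDn; remove that membership first."
        }
    }

    # Record the SID before the move: the object receives a new SID in the target domain and the old
    # one should land in sIDHistory, which is what existing ACL entries will keep resolving through.
    $oldSid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$group.Properties['objectSid'].Value, 0)

    try {
        # DirectoryEntry.MoveTo wraps IADsContainer::MoveHere and rebinds $group to its new location.
        $group.MoveTo($dest)
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap PowerShell's MethodInvocationException
        # -2147016651 (0x80072035, "The server is unwilling to process the request") is the error the
        # thread hit when the source DC was not the RID master.
        if ($ex -is [System.Runtime.InteropServices.COMException] -and $ex.ErrorCode -eq -2147016651) {
            throw "Move refused (unwilling to perform): confirm $ridMaster currently holds the RID master role for $SourceDomainFqdn."
        }
        throw
    }

    $newSid  = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$group.Properties['objectSid'].Value, 0)
    $history = @($group.Properties['sIDHistory']) | ForEach-Object {
        New-Object System.Security.Principal.SecurityIdentifier([byte[]]$_, 0)
    }

    [pscustomobject]@{
        NewPath            = $group.Path
        IssuedAgainst      = $ridMaster
        OldSid             = $oldSid.Value
        NewSid             = $newSid.Value
        OldSidInSidHistory = [bool]($history | Where-Object { $_.Value -eq $oldSid.Value })
    }
}

# Assumed layout: the root domain parent.example.com holds the groups; the child account domain
# child.parent.example.com receives them in the OU path used in the thread.
$groups = 'Exchange Organization Administrators', 'Exchange Public Folder Administrators',
          'Exchange Recipient Administrators', 'Exchange Servers',
          'Exchange View-Only Administrators', 'ExchangeLegacyInterop'
foreach ($g in $groups) {
    Move-GroupCrossDomain -SourceDomainFqdn 'parent.example.com' `
        -GroupDn "CN=$g,OU=Microsoft Exchange Security Groups,DC=parent,DC=example,DC=com" `
        -TargetDomainFqdn 'child.parent.example.com' `
        -TargetOuDn 'OU=Groups,OU=Exchange,OU=Apps,DC=child,DC=parent,DC=example,DC=com'
}
```

Each call returns the new path, the DC the move was issued against, and whether the old SID is now present in sIDHistory, which is the post-move check worth recording before the groups are put to use.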
| | | |
| dloder
Posts:40
 | | 07/23/2008 4:26 PM |
| If only we didn't have that pesky policy about freeware....[1]
And your sample's really helpful. I'm assuming that's only in your super secret version of AdMod since that text is not in your current released version. I bet it probably takes out the garbage too.
But even in the current AdMod, why does xdom have a requirement for destination DC? Your help appears to me to perpetuate the same problem - that it's somehow the destination RID master that's important. I can *now* do a MoveHere to a hostless destination LDAP URL with my script.
Once you know what to look for, it's easy to find. But too much of the stuff out there that I've seen either doesn't reference the RID requirement at all, or does it backwards.
[1] Oh, to long for the days when it wasn't even freeware for a few special people.[2]
[2] Or to be the proper owner of the source code.
From: listmail@joeware.net To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Unable to move E2K7 Universal Groups Cross-Domain Date: Wed, 23 Jul 2008 14:47:09 -0400
Dave, you should have looked at AdMod to do this move...
In the usage notes
-xdom x Cross domain move, move to DC x. Use with -move. Must specify FQDN of destination DC as parameter of -xdom. The cross domain move has specified requirements which are the same for all mechanisms used. To see the requirements please look up IADsContainer::MoveHere in MSDN Library.
Then if you look up IADsContainer::MoveHere you see
Remarks In Active Directory, you can move an object within the same domain or from different domains in the same directory forest. For the cross domain move, the following restrictions apply:
The destination domain must be in the native mode. Objects to be moved must be a leaf object or an empty container. NT LAN Manager (NTLM) cannot perform authentication; use Kerberos authentication or delegation. Be aware that if Kerberos authentication is not used, the password transmits in plaintext over the network. To avoid this, use delegation with secure authentication. You cannot move security principals (for example, user, group, computer, and so on) belonging to a global group. When a security principal is moved, a new SID is created for the object at the destination. However, its old SID from the source, stored in the sIDHistory attribute, is preserved, as well as the password of the object. Note Use the Movetree.exe utility to move a subtree among different domains. To move objects from a source domain to a destination domain using the Movetree command-line tool, you must connect to the domain controller holding the source domain's RID master role. If the RID master is unavailable then objects cannot be moved to other domains. If you attempt to move an object from one domain to another using the Movetree tool and you specify a source domain controller that is not the RID master, a nonspecific "Movetree failed" error message results. Note When using the ADsOpenObject function to bind to an ADSI object, you must use the ADS_USE_DELEGATION flag of the ADS_AUTHENTICATION_ENUM in the dwReserved parameter of this function in order to create cross-domain moves with IADsContainer::MoveHere. The ADsOpenObject function is equivalent to the IADsOpenDSObject: penDsObject method. Likewise, using the OpenDsObject method to bind to an ADSI object, the InReserved parameter of this method must contain the ADS_USE_DELEGATION flag of the ADS_AUTHENTICATION_ENUM in order to make cross-domain moves with IADsContainer::MoveHere.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Loder Sent: Wednesday, July 23, 2008 10:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Unable to move E2K7 Universal Groups Cross-Domain
We were able to figure it out.
The move has to originate from the source RID master. The target doesn't matter.
https://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbl_fsm_uvhg.mspx?mfr=true
We were not sourcing from the RID master in the parent domain.
From: michael@TheEssentialExchange.com To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Unable to move E2K7 Universal Groups Cross-Domain Date: Tue, 22 Jul 2008 16:05:45 -0400
@page Section1 {size:8.5in 11.0in;} .ExternalClass P.EC_MsoNormal {font-size:12pt;margin-bottom:0pt;font-family:'Times New Roman','serif';} .ExternalClass LI.EC_MsoNormal {font-size:12pt;margin-bottom:0pt;font-family:'Times New Roman','serif';} .ExternalClass DIV.EC_MsoNormal {font-size:12pt;margin-bottom:0pt;font-family:'Times New Roman','serif';} .ExternalClass P {font-size:12pt;margin-left:0in;margin-right:0in;font-family:'Times New Roman','serif';} .ExternalClass SPAN.EC_emailstyle18 {;} .ExternalClass SPAN.EC_emailstyle181 {color:#1f497d;font-family:'Calibri','sans-serif';} .ExternalClass SPAN.EC_EmailStyle20 {color:#1f497d;font-family:'Calibri','sans-serif';} .ExternalClass .EC_MsoChpDefault {;} .ExternalClass DIV.EC_Section1 {page:Section1;}
That looks right. Try the PowerShell. J
I got no other suggestions, sorry. What you are trying to do is supported.
Regards,
Michael B. Smith MCITP:SA,EMA/MCSE/Exchange MVP http://TheEssentialExchange.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Loder Sent: Tuesday, July 22, 2008 10:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Unable to move E2K7 Universal Groups Cross-Domain
strTargetRID = WScript.Arguments.Unnamed.Item(0) strTargetOU = WScript.Arguments.Unnamed.Item(1) strSourceDN = WScript.Arguments.Unnamed.Item(2) set objObject = GetObject("LDAP://" & strTargetRID & "/" & strTargetOU) objObject.MoveHere "LDAP://" & strSourceDN, vbNullString Then called as
cscript Move.vbs RID_Target_in_child_domain "OU=Groups,OU=Exchange,OU=Apps,dc=child" "CN=Exchange Organization Administrators,OU=Microsoft Exchange Security Groups,DC=parent" for each group.
--- On Mon, 7/21/08, Michael B. Smith <michael@TheEssentialExchange.com> wrote:
From: Michael B. Smith <michael@TheEssentialExchange.com> Subject: RE: [ActiveDir] Unable to move E2K7 Universal Groups Cross-Domain To: ActiveDir@mail.activedir.org Date: Monday, July 21, 2008, 7:13 PM
So...is this what you did? If not, let us see some code, sanitized as necessary.
$sourceDC = "dc1.region1.example.com"
$targetDC = "dcX.region2.example.com"
$sourceDomain = "dc=region1,dc=example,dc=com"
$targetDomain = "dc=region2,dc=example,dc=com"
$sourceOU = "ou=Microsoft Exchange Security Groups," + $sourceDomain
$targetOU = "ou=Microsoft Exchange Security Groups," + $targetDomain
function moveExchangeGroup ([string]$whichGroup)
{
$targetString = "LDAP://" + $targetDC + "/" + $targetOU
$sourceString = "LDAP://" + $sourceDC + "/" + "cn=" + $whichGroup + "," + $sourceOU
##$targetstring
##$sourcestring
##$targetObject = [adsi]$targetString
$sourceObject = [adsi]$sourceString
$sourceObject.psbase.MoveTo($targetString)
}
moveExchangeGroup "Exchange Organization Administrators"
moveExchangeGroup "Exchange Public Folder Administrators"
moveExchangeGroup "Exchange Recipient Administrators"
moveExchangeGroup "Exchange Servers"
moveExchangeGroup "Exchange View-Only Administrators"
moveExchangeGroup "ExchangeLegacyInterop"
Regards,
Michael B. Smith MCITP:SA,EMA/MCSE/Exchange MVP http://TheEssentialExchange.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Loder Sent: Monday, July 21, 2008 1:35 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Unable to move E2K7 Universal Groups Cross-Domain
We just forest prepped for E2K7 this past weekend.
One of the last cleanup steps we wanted to perform was moving the six Universal Groups out of the default Microsoft Exchange Security Groups OU in the root domain and into one of our child account domains before we allow them to be used for anything. So their membership is exactly as the forest prep steps define them to be. (So preemptive answer - no issues with the groups being members of domain local groups in the root)
Quick google and whip up a short vbscript for the MoveHere operation targeting the destination RID master. Tests fine in dev, QA and in an air-gapped production replica we spin up for schema changes. However, doing it in prod under EA credentials results in error -2147016651. The server is unwilling to process the request.
We try transferring the RID owner, but the new owner still throws the same error.
Packet trace doesn't show anything useful that's different from when it succeeds in Dev. In Dev you see the Modify RDN request, as referral response from the destination RID master, RPC traffic of the domain move, LDAP bind for the new object, success response and unbind. In prod, after the same RID master referral response, it goes straight to an unbind.
Any help??
| | | |
| listmail
Posts:428
 | | 07/24/2008 12:37 AM |
| LOL, busted. You are right, V01.10.00 has the short help for that switch... My bad, sorry, it is in the still buggy unreleased V01.11.00 - trust me you don't want this version yet.
-xdom x Cross domain move, move to DC x. Use with -move. Must specify FQDN of destination DC as parameter of -xdom.
I added the rest of that info as a DCR in a way that could reflect the current requirements anytime you looked. 
As for why you have to specify the destination host... I believe (I wrote that code over 2 years ago) the CROSSDOM Server control requires a DC in FQDN format to be specified in the control. I could probably crutch it by doing some extra work and picking a DC through the locator process if not specified but honestly, something like this should be pretty well defined in what you are doing and I wanted people to understand what they are doing. Also, if I wanted someone to specify a RID master I would have specified it in the usage, at least I expect I would. <eg>
Without being able to use joeware there anymore... you guys must be rewriting a ton of processes and tools. There was a lot that was dependent on various joeware utilities. You guys should just pay me to come back, it would probably be cheaper. 
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Loder Sent: Wednesday, July 23, 2008 4:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Unable to move E2K7 Universal Groups Cross-Domain
If only we didn't have that pesky policy about freeware....[1]
And your sample's really helpful. I'm assuming that's only in your super secret version of AdMod since that text is not in your current released version. I bet it probably takes out the garbage too.
But even in the current AdMod, why does xdom have a requirement for destination DC? Your help appears to me to perpetuate the same problem - that it's somehow the destination RID master that's important. I can *now* do a MoveHere to a hostless destination LDAP URL with my script.
Once you know what to look for, it's easy to find. But too much of the stuff out there that I've seen either doesn't reference the RID requirement at all, or does it backwards.
[1] Oh to long for the days when it wasn't even freeware for a few special people[2].
[2] Or to be the proper owner of the source code.
_____
From: listmail@joeware.net To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Unable to move E2K7 Universal Groups Cross-Domain Date: Wed, 23 Jul 2008 14:47:09 -0400
Dave, you should have looked at AdMod to do this move...
In the usage notes
-xdom x Cross domain move, move to DC x. Use with -move. Must specify FQDN of destination DC as parameter of -xdom. The cross domain move has specified requirements which are the same for all mechanisms used. To see the requirements please look up IADsContainer::MoveHere in MSDN Library.
Then if you look up IADsContainer::MoveHere you see
Remarks
In Active Directory, you can move an object within the same domain or from different domains in the same directory forest. For the cross domain move, the following restrictions apply:
* The destination domain must be in the native mode.
* Objects to be moved must be a leaf object or an empty container.
* NT LAN Manager (NTLM) cannot perform authentication; use Kerberos authentication or delegation. Be aware that if Kerberos authentication is not used, the password transmits in plaintext over the network. To avoid this, use delegation with secure authentication.
* You cannot move security principals (for example, user, group, computer, and so on) belonging to a global group. When a security principal is moved, a new SID is created for the object at the destination. However, its old SID from the source, stored in the sIDHistory attribute, is preserved, as well as the password of the object.
Note: Use the Movetree.exe utility to move a subtree among different domains. To move objects from a source domain to a destination domain using the Movetree command-line tool, you must connect to the domain controller holding the source domain's RID master role. If the RID master is unavailable then objects cannot be moved to other domains. If you attempt to move an object from one domain to another using the Movetree tool and you specify a source domain controller that is not the RID master, a nonspecific "Movetree failed" error message results.
Note: When using the ADsOpenObject function (http://msdn.microsoft.com/en-us/library/aa772238(VS.85).aspx) to bind to an ADSI object, you must use the ADS_USE_DELEGATION flag of the ADS_AUTHENTICATION_ENUM (http://msdn.microsoft.com/en-us/library/aa772247(VS.85).aspx) in the dwReserved parameter of this function in order to create cross-domain moves with IADsContainer::MoveHere. The ADsOpenObject function is equivalent to the IADsOpenDSObject::OpenDsObject method (http://msdn.microsoft.com/en-us/library/aa706065(VS.85).aspx). Likewise, using the OpenDsObject method to bind to an ADSI object, the InReserved parameter of this method must contain the ADS_USE_DELEGATION flag of the ADS_AUTHENTICATION_ENUM in order to make cross-domain moves with IADsContainer::MoveHere.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Loder Sent: Wednesday, July 23, 2008 10:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Unable to move E2K7 Universal Groups Cross-Domain
We were able to figure it out.
The move has to originate from the source RID master. The target doesn't matter.
https://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbl_fsm_uvhg.mspx?mfr=true
We were not sourcing from the RID master in the parent domain.
| | | |
| rkaramchand
Posts:12
 | | 07/24/2008 6:34 AM |
| David
You could have simply used movetree from resource kit running from root RID
| | | |
| dloder
Posts:40
 | | 07/25/2008 2:01 AM |
| Except I didn't want to move a whole OU, so we never looked at MoveTree.
MoveTree also suffers from the same documentation problem. The help for MoveTree has no reference to the source needing to be the RID master. It doesn't even mention RID masters at all. The only thing that's nice about MoveTree is that it actually returns the useful error message.
ReturnCode: 0x2012 The requested operation could not be performed because the directory service is not the master for that type of operation.
ADSI only returns unwilling to perform. We had to bump up Directory Access diags to get that useful error logged in the event viewer, which led us to our solution.
Why even offer source server as a required input parameter when there's only one possible value that can result in anything other than failure?
Subject: RE: [ActiveDir] Unable to move E2K7 Universal Groups Cross-Domain Date: Thu, 24 Jul 2008 06:31:09 -0400 From: Rajeev.Chauhan@hud.gov To: ActiveDir@mail.activedir.org
David
You could have simply used movetree from resource kit running from root RID
| | | |
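The thread's conclusion (the move has to originate from the source domain's RID master, the target host does not matter) and David's closing complaint (the scripts ask for a source server although only one value can ever succeed) are put into one script below. This is an added example, not a script from the thread, from joeware or from Microsoft. It uses the same System.DirectoryServices layer as the [adsi] scripts above, resolves the source RID master itself, checks the MoveHere preconditions joe quoted from MSDN before touching anything, and maps the unhelpful ADSI "unwilling to perform" back to the role-owner problem. The DNs in the usage comment are placeholders; the Delegation flag is set on the strength of the quoted MSDN note, while the thread's own scripts bound with default flags.

```powershell
<#
  Added example (not code from the thread): cross-domain MoveTo that binds through the
  source domain's RID master automatically. The DNs below are placeholders.
  Usage:
    .\Move-CrossDomain.ps1 -SourceDN "CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=parent,DC=example,DC=com" `
                           -TargetOU "OU=Groups,OU=Exchange,OU=Apps,DC=child,DC=parent,DC=example,DC=com" -DryRun
#>
param(
    [Parameter(Mandatory = $true)][string]$SourceDN,   # object to move (leaf or empty container)
    [Parameter(Mandatory = $true)][string]$TargetOU,   # destination container in the other domain
    [switch]$DryRun                                    # report the plan, move nothing
)

function Get-DomainFromDN([string]$dn) {
    # "CN=x,OU=y,DC=parent,DC=example,DC=com" -> "parent.example.com"
    $parts = $dn -split ',' | Where-Object { $_ -match '^\s*DC=' } | ForEach-Object { $_ -replace '^\s*DC=', '' }
    return ($parts -join '.')
}

function Get-DomainObject([string]$dnsName) {
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $dnsName)
    return [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
}

$sourceDomain = Get-DomainObject (Get-DomainFromDN $SourceDN)
$targetDomain = Get-DomainObject (Get-DomainFromDN $TargetOU)
if ($sourceDomain.Name -eq $targetDomain.Name) {
    throw "Source and target are both in $($sourceDomain.Name); that is an intra-domain move and any DC will take it."
}

# MSDN precondition quoted in the thread: the destination domain must be in native mode.
if ($targetDomain.DomainMode -eq [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2000MixedDomain) {
    throw "Destination domain $($targetDomain.Name) is in Windows 2000 mixed mode; cross-domain moves need native mode."
}

# The thread's finding: the move must originate from the *source* domain's RID master.
$ridMaster = $sourceDomain.RidRoleOwner.Name
Write-Host "Source RID master for $($sourceDomain.Name): $ridMaster"

# ADS_USE_DELEGATION per the MSDN note joe quoted; the thread's own scripts used the default flags.
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor `
        [System.DirectoryServices.AuthenticationTypes]::Delegation

# Bind to the source object through the RID master (the part the original VBScript got backwards).
$source = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ridMaster/$SourceDN", $null, $null, $auth)

# MSDN precondition: leaf object or empty container. Enumerating children also forces the bind,
# so a bad source DN fails here rather than inside MoveTo.
$childCount = 0
foreach ($child in $source.psbase.Children) { $childCount++ }
if ($childCount -gt 0) {
    throw "$SourceDN has $childCount child objects; only a leaf or an empty container can be moved cross-domain."
}

# The destination needs no particular host; the thread confirmed a hostless target URL works.
$target = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$TargetOU", $null, $null, $auth)
$null = $target.psbase.Name   # forces the bind so a bad target DN fails before the move

if ($DryRun) {
    Write-Host "Would move $SourceDN to $TargetOU via $ridMaster (no change made)."
    return
}

try {
    $source.psbase.MoveTo($target)
    Write-Host "Moved $SourceDN to $TargetOU"
} catch {
    # ADSI hides the real reason behind ERROR_DS_UNWILLING_TO_PERFORM (8245, HRESULT 0x80072035,
    # which is the -2147016651 from the first post). MoveTree's 0x2012 is ERROR_DS_INCORRECT_ROLE_OWNER (8210).
    $inner = $_.Exception
    while ($inner -and -not ($inner -is [System.Runtime.InteropServices.COMException])) {
        $inner = $inner.InnerException
    }
    if ($inner -and $inner.ErrorCode -eq -2147016651) {
        throw ("Unwilling to perform (0x80072035) from $ridMaster. Verify with 'netdom query fsmo' that it " +
               "still holds the RID master role for $($sourceDomain.Name). Detail: $($inner.Message)")
    }
    throw
}
```

Run it with -DryRun first: it resolves the RID master, binds both ends and runs the precondition checks without moving anything, which is the test David's packet traces could not give him. The script still needs an account allowed to move the object in both domains, as in the thread.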