This post is a note to self, as well as a note to any geek out there who has the misfortune of dealing with moving Active Directory accounts across domains.
So, as you may know, I use User Management Resource Administrator (UMRA) to manage my 34,000 students. Some of the challenges I have were more or less self-inflicted, pre-Windows 2008, and the ability to do granular control of password complexity rules. That is for another topic though. I have to allow my script to move accounts from one domain (DOMAIN1), for elementary students, to the second domain (DOMAIN2) for the secondary students.
If you know about Active Directory, and Security Groups, you will quickly realize that the scope of the security groups in which the AD object resides, and/or any attributes that don’t comply with the second domain will stop the process from migrating that object from one domain to the other.
As of last year, I had 2 main domain controllers holding the FSMO roles without any particular distribution of roles, so my process would work fine. This year, as I’m running the scripts to import the students, every single account that needed a cross-domain migration failed, with the ugly error:
Error 0×80072035 (8245) moving AD object. Error moving-renaming object. The server is unwilling to process the request. (-2147016651)
Yup, that’s ugly, but fortunately, as I explained above is caused by incompatible attributes between the two domains, and therefore fairly easy to fix.
Of course, since my scripts haven’t changed at their core from last year to this year, I didn’t know what was going on.
After additional research, here’s what I found out:
Moving an Active Directory object from one domain controller to another requires that the server to which the object is bound for the move operation hold the RID Master role. Well of course, this summer, when I added additional domain controllers to the child domain, I didn’t think of that one line in the 3000 line script. Well, it broke stuff!
Sure enough, after changing the object binding from a non RID Master domain controller, to the RID Master domain controller, everything was peachy again.
What we take out of this: When moving Active Directory objects from one domain to the other, within the same forest, the operation needs to be bound to the domain controller holding the RID Master role.