We wrote a migration tool (C#) for a large domain migration project of a customer. The customer has one forest with one parent domain and several child domains. They want to move all user objects from the child domains to the parent domain.
Apart from a lot of customer-specific stuff, the migration tool moves user objects from the child to the parent domain using the following ADSI method:
IADsContainer::MoveHere https://msdn.microsoft.com/en-us/library/aa705991%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
According to the following article it is possible to move objects across domains if certain requirements are met: https://technet.microsoft.com/en-us/library/ee198798.aspx?f=255&MSPPError=-2147217396
For test purposes I am using the following VBScript, which does basically the same as my C# application:
' Bind to the destination container, then pull the object in by its LDAP path (same RDN kept)
Set objOU = GetObject("LDAP://ou=Management,dc=NA,dc=fabrikam,dc=com")
objOU.MoveHere "LDAP://cn=AckermanPilar,ou=Management,dc=fabrikam,dc=com", vbNullString
The VBScript above works in my test environment. If we try the same script in production it fails with the following useless error message:
Error: The server is unwilling to process the request.
Code: 80072035
Source: Active Directory
However, if we run the same script to move a user object from the parent domain to the child domain, it works.
The user object we are trying to move doesn't have any group memberships apart from the primary group, which is a universal group. We run the script from the source domain (the child), and the user account we use to run it has Enterprise Admin privileges. We also double-checked all the requirements from the links above.
Does anyone have an idea what the problem might be and/or how I can solve it?
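As an added example (not part of the question above, not the asker's C# tool, and not a confirmed fix for the error reported), here is the same cross-domain move done from PowerShell through System.DirectoryServices, the .NET wrapper over the ADSI interface the question uses. It makes explicit two documented preconditions for moving an object across domains that a serverless bind like the VBScript above leaves to the DC locator: the move request has to be issued against the RID master of the source domain, and the connection has to be signed and sealed (cross-domain moves are refused over an unencrypted LDAP session). It also goes beyond the single-user case in the question by checking for global group memberships, which block a cross-domain move, before attempting it. The domain names, DNs and the target OU are placeholders taken from the VBScript and are assumptions about the environment; DirectoryEntry.MoveTo is the .NET entry point that calls IADsContainer::MoveHere on the target container.

```powershell
# Added example; not the code from the question. Placeholder names below are
# taken from the question's VBScript and are assumptions about the environment.
Add-Type -AssemblyName System.DirectoryServices

$sourceDomain   = 'NA.fabrikam.com'                                  # child domain the user lives in
$targetDomain   = 'fabrikam.com'                                     # parent domain to move into
$userDn         = 'CN=AckermanPilar,OU=Management,DC=NA,DC=fabrikam,DC=com'
$targetOuDn     = 'OU=Management,DC=fabrikam,DC=com'
$sourceDomainDn = 'DC=' + ($sourceDomain -replace '\.', ',DC=')      # DC=NA,DC=fabrikam,DC=com

# 1. A cross-domain move must be sent to the RID master of the *source* domain.
#    Look it up explicitly instead of letting a serverless bind pick any DC.
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $sourceDomain)
$ridMaster = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).RidRoleOwner.Name

# 2. Bind with Kerberos plus LDAP signing and sealing, the .NET equivalent of
#    ADS_SECURE_AUTHENTICATION | ADS_USE_SIGNING | ADS_USE_SEALING in native ADSI.
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
        [System.DirectoryServices.AuthenticationTypes]::Signing -bor
        [System.DirectoryServices.AuthenticationTypes]::Sealing
$source = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ridMaster/$userDn", $null, $null, $auth)
$target = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$targetDomain/$targetOuDn", $null, $null, $auth)

# 3. Preflight: membership in any global group blocks a cross-domain move, because a
#    global group cannot hold members from another domain. Global groups containing
#    this user can therefore only live in the source domain, so only those DNs are read.
#    The primary group is recorded in primaryGroupID and does not appear in memberOf.
$blocking = foreach ($groupDn in @($source.psbase.Properties['memberOf'])) {
    if ($groupDn -notlike "*,$sourceDomainDn") { continue }
    $group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ridMaster/$groupDn", $null, $null, $auth)
    $groupType = [int]$group.psbase.Properties['groupType'].Value
    if ($groupType -band 0x2) { $groupDn }                           # 0x2 = GROUP_TYPE_GLOBAL
}
if ($blocking) {
    throw "Cannot move $userDn across domains while it is a member of global groups:`n$($blocking -join "`n")"
}

# 4. Perform the move. DirectoryEntry.MoveTo() calls IADsContainer::MoveHere on the
#    target container, exactly what the VBScript in the question does.
try {
    $source.psbase.MoveTo($target)
    Write-Host "Moved object, new path: $($source.psbase.Path)"
}
catch [System.DirectoryServices.DirectoryServicesCOMException] {
    # ExtendedError carries the LDAP result code and ExtendedErrorMessage the server's
    # own text, which is far more specific than "unwilling to process the request".
    Write-Error ("Move failed: {0} (extended error 0x{1:X}: {2})" -f `
        $_.Exception.Message, $_.Exception.ExtendedError, $_.Exception.ExtendedErrorMessage)
}
```

Run it from a host joined to the forest as an account with the delete right on the source object and create-child on the target OU. The value of step 4's catch block is the ExtendedErrorMessage: for an unwilling-to-perform result the DC usually states which precondition was violated (for example the request not arriving at the RID master, or an unencrypted connection), which is the detail the bare 0x80072035 code hides.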