3.1.1.5.4.2.2 Constraints

The following constraints MUST be satisfied for the Modify DN operation.

  • DeleteOldRDN = TRUE. Otherwise, the server returns error unwillingToPerform / ERROR_INVALID_PARAMETER.

  • OldDN ≠ NULL and NewParentDN ≠ NULL. Otherwise, the server returns error unwillingToPerform / ERROR_DS_ILLEGAL_XDOM_MOVE_OPERATION.

  • NewRDN ≠ NULL. Otherwise, the server returns error protocolError / ERROR_INVALID_PARAMETER.

  • (O!systemFlags & FLAG_DISALLOW_DELETE = 0). Otherwise, the server returns error unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION if the DC functional level is DS_BEHAVIOR_WIN2000, and unwillingToPerform / ERROR_DS_CANT_DELETE if the DC functional level is DS_BEHAVIOR_WIN2003 or greater.

  • IsEffectiveRoleOwner(RoleObject(default NC, RidAllocationMaster)) = TRUE. Otherwise, the server returns error unwillingToPerform / ERROR_DS_INCORRECT_ROLE_OWNER. This constraint is enforced to avoid conflicting cross-domain move operations.

  • Let C be the classSchema object of the most-specific structural class of O. C!systemOnly = FALSE. Otherwise, the server returns error unwillingToPerform / ERROR_DS_CANT_MOD_SYSTEM_ONLY.

  • C!lDAPDisplayName MUST not be any of the following. Otherwise, the server returns error unwillingToPerform / ERROR_DS_ILLEGAL_XDOM_MOVE_OPERATION.

  • (O!systemFlags & FLAG_DOMAIN_DISALLOW_MOVE = 0). Otherwise, the server returns error unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION.

  • (O!isCriticalSystemObject ≠ TRUE). Otherwise, the server returns error unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION.

  • (O!userAccountControl & ADS_UF_SERVER_TRUST_ACCOUNT = 0) and (O!userAccountControl & ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0). Otherwise, the server returns error unwillingToPerform / ERROR_DS_ILLEGAL_XDOM_MOVE_OPERATION.

  • Let K be the RID of SID O!objectSid. (K > 1000). Otherwise, the server returns error unwillingToPerform / ERROR_DS_ILLEGAL_XDOM_MOVE_OPERATION.

  • (O!instanceType & IT_WRITE ≠ 0). Otherwise, the server returns error unwillingToPerform / ERROR_DS_ILLEGAL_XDOM_MOVE_OPERATION.

  • (O!instanceType & IT_NC_HEAD = 0). Otherwise, the server returns error unwillingToPerform / ERROR_DS_ILLEGAL_XDOM_MOVE_OPERATION.

  • (O!isDeleted ≠ TRUE). Otherwise, the server returns error unwillingToPerform / ERROR_DS_CANT_MOVE_DELETED_OBJECT.

  • If (O is a group object), then (O!groupType & GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0). Otherwise, the server returns error unwillingToPerform / ERROR_DS_ILLEGAL_XDOM_MOVE_OPERATION.

  • If (O is a group object) and ((attribute O!member is present) or (attribute O!msDS-NonMembers is present)), then (O!groupType & GROUP_TYPE_ACCOUNT_GROUP = 0). Otherwise, the server returns error unwillingToPerform / ERROR_DS_CANT_MOVE_ACCOUNT_GROUP.

  • If (O is a group object) and ((attribute O!member is present) or (attribute O!msDS-NonMembers is present)), then (O!groupType & GROUP_TYPE_RESOURCE_GROUP = 0). Otherwise, the server returns error unwillingToPerform / ERROR_DS_CANT_MOVE_RESOURCE_GROUP.

  • If (O is a group object) and ((attribute O!member is present) or (attribute O!msDS-NonMembers is present)), then (O!groupType & GROUP_TYPE_APP_BASIC_GROUP = 0). Otherwise, the server returns error unwillingToPerform / ERROR_DS_CANT_MOVE_APP_BASIC_GROUP. This constraint is enforced only if the DC functional level is DS_BEHAVIOR_WIN2003 or greater.

  • If (O is a group object) and ((attribute O!member is present) or (attribute O!msDS-NonMembers is present)), then (O!groupType = 0). Otherwise, the server returns error unwillingToPerform / ERROR_DS_CANT_MOVE_APP_QUERY_GROUP. This constraint is enforced only if the DC functional level is DS_BEHAVIOR_WIN2003 or greater.

  • If ((O is a user object) or (O is a group object)) and (O is a member of any global group), then (O is a member of only one global group and that group is its primary group). Otherwise, the server returns error unwillingToPerform / ERROR_DS_CANT_WITH_ACCT_GROUP_MEMBERSHPS.

  • Let N be the root of NC replica where OldDN exists. Let R be a crossRef object such that R!nCName = N. R MUST exist and (R!systemFlags & FLAG_CR_NTDS_NC ≠ 0) and (R!systemFlags & FLAG_CR_NTDS_DOMAIN ≠ 0). Otherwise, the server returns error noSuchObject / ERROR_DS_CANT_FIND_EXPECTED_NC.

  • Let NN be the root of NC replica where NP exists. Let NR be a crossRef object such that NR!nCName = NN!distinguishedName. NR MUST exist and (NR!systemFlags & FLAG_CR_NTDS_NC ≠ 0) and (NR!systemFlags & FLAG_CR_NTDS_DOMAIN ≠ 0). Otherwise, the server returns error noSuchObject / ERROR_DS_CANT_FIND_EXPECTED_NC.

  • R ≠ NR. Otherwise, the server returns error invalidDNSyntax / ERROR_DS_SRC_AND_DST_NC_IDENTICAL.

  • Let WKS be a set of all attribute values for N!wellKnownObjects. There is no attribute value V in WKS such that V.object_DN = O!distinguishedName. Otherwise, the server returns error unwillingToPerform / ERROR_DS_ILLEGAL_XDOM_MOVE_OPERATION.

  • O has no child objects. Otherwise, the server returns error notAllowedOnNonLeaf / ERROR_DS_CHILDREN_EXIST.
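
The following is an added example, not part of the specification: a pre-flight check that evaluates the constraints above that depend only on attributes of O (flags, RID, instance type, deletion state, group type, children) and reports the error pair of the first one that fails. The function name, the dictionary layout, the is_group and child_count keys, the evaluation order (list order), and skipping the RID check when objectSid is absent are assumptions of the example; the bit values are those defined for these flags elsewhere in the specification.

```python
# Added example, not from the specification. Bit values are the ones defined
# for these flags elsewhere in the specification, not in this section.
FLAG_DISALLOW_DELETE, FLAG_DOMAIN_DISALLOW_MOVE = 0x80000000, 0x04000000
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT, ADS_UF_SERVER_TRUST_ACCOUNT = 0x0800, 0x2000
TRUST_BITS = ADS_UF_INTERDOMAIN_TRUST_ACCOUNT | ADS_UF_SERVER_TRUST_ACCOUNT
IT_NC_HEAD, IT_WRITE = 0x1, 0x4
GT_BUILTIN_LOCAL, GT_ACCOUNT, GT_RESOURCE, GT_APP_BASIC = 0x1, 0x2, 0x4, 0x10
U, XDOM = "unwillingToPerform", "ERROR_DS_ILLEGAL_XDOM_MOVE_OPERATION"
MOD = "ERROR_DS_ILLEGAL_MOD_OPERATION"

def check_move(o, win2003_or_greater=True):
    """Return (LDAP error, Win32 error) for the first failed constraint, or None.

    `o` is a hypothetical dict of attribute values read from object O; the keys
    is_group and child_count are assumptions of this sketch, not attributes."""
    sf = o.get("systemFlags", 0)      # signed LDAP integers still mask correctly
    uac = o.get("userAccountControl", 0)
    it = o.get("instanceType", 0)
    gt = o.get("groupType", 0)
    sid = o.get("objectSid")          # string form, last sub-authority is the RID
    rid = int(sid.rsplit("-", 1)[1]) if sid else None  # assumption: skip if no SID
    is_group = o.get("is_group", False)
    populated = is_group and bool(o.get("member") or o.get("msDS-NonMembers"))
    checks = [
        ((sf & FLAG_DISALLOW_DELETE) == 0, U,
         "ERROR_DS_CANT_DELETE" if win2003_or_greater else MOD),
        ((sf & FLAG_DOMAIN_DISALLOW_MOVE) == 0, U, MOD),
        (o.get("isCriticalSystemObject") is not True, U, MOD),
        ((uac & TRUST_BITS) == 0, U, XDOM),
        (rid is None or rid > 1000, U, XDOM),
        ((it & IT_WRITE) != 0, U, XDOM),
        ((it & IT_NC_HEAD) == 0, U, XDOM),
        (o.get("isDeleted") is not True, U, "ERROR_DS_CANT_MOVE_DELETED_OBJECT"),
        (not (is_group and gt & GT_BUILTIN_LOCAL), U, XDOM),
        (not (populated and gt & GT_ACCOUNT), U, "ERROR_DS_CANT_MOVE_ACCOUNT_GROUP"),
        (not (populated and gt & GT_RESOURCE), U, "ERROR_DS_CANT_MOVE_RESOURCE_GROUP"),
        (not (populated and gt & GT_APP_BASIC and win2003_or_greater), U,
         "ERROR_DS_CANT_MOVE_APP_BASIC_GROUP"),
        (o.get("child_count", 0) == 0, "notAllowedOnNonLeaf", "ERROR_DS_CHILDREN_EXIST"),
    ]
    return next(((ldap, win32) for ok, ldap, win32 in checks if not ok), None)

# Constructed sample objects (not real directory data).
USER = {"objectSid": "S-1-5-21-1-2-3-1105", "instanceType": IT_WRITE,
        "userAccountControl": 0x200}
DC_ACCOUNT = dict(USER, userAccountControl=0x2000 | 0x80000)
```

The constraints on the request parameters, the RID Master role, the schema class, the crossRef objects, wellKnownObjects and global group membership need directory state beyond O and are not modeled here.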