DS_XDOM_MOVE Error 0x212C: Fix Domain Move Block
Active Directory won't let you move an object between domains? Here's why and how to fix it fast.
Hold up—you ran into error 0x212C, and I know exactly how that feels. Let's get you unstuck.
You're trying to move a user or computer object from one Active Directory domain to another, and bam—"ERROR_DS_ILLEGAL_XDOM_MOVE_OPERATION" with hex code 0x0000212C. I've been there. This error usually means the source or target domain controller has an outdated schema, or the object you're moving has a protected attribute that AD won't let go of.
The immediate fix
Skip the fancy tools for now. The fastest way to beat this is by using ADMT v3.2 with the right flags. Here's what I've done in production for Windows Server 2012 R2 through 2022:
- Open PowerShell as admin on the source domain controller.
- Run this command to force schema sync:
- Run this command to force schema sync:

```powershell
repadmin /syncall /AdeP
```

- Wait 2-5 minutes, then check if the schema is up to date:

```powershell
repadmin /showattr . CN=Schema,CN=Configuration,DC=yourdomain,DC=com /filter:(&(objectClass=attributeSchema)(lDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity)) /attrs:revision
```

- If the revision number is below 4, update the schema by running `adprep /forestprep` followed by `adprep /domainprep` on the schema master.
- Retry the move using ADMT or PowerShell. For a cross-domain move, `-Server` must point at a DC in the source domain (the cross-domain move is performed on the source domain's RID master) and `-TargetServer` at a DC in the target domain; pointing `-Server` at the target DC makes the source DN unresolvable:

```powershell
Move-ADObject -Identity "CN=JaneDoe,OU=Users,DC=source,DC=com" -TargetPath "OU=Users,DC=target,DC=com" -Server "source-DC.source.com" -TargetServer "target-DC.target.com"
```
That worked for me when moving a user across two domains in a 2016 forest. The object had an `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute that was flagged as illegal for cross-domain moves—AD hates that attribute crossing boundaries because it involves delegated Kerberos rights.
Why this error happens
Under the hood, error 0x212C means the source domain controller detected that the object you're moving references something unique to its current domain—usually a security identifier (SID) or a well-known GUID that doesn't translate to the target. The most common triggers I've seen:
- Group membership references: the object is a member of a local domain group that can't be moved.
- Resource-based constrained delegation (RBCD) attributes like `msDS-AllowedToActOnBehalfOfOtherIdentity`.
- Exchange-related attributes like `msExchHomeServerName` that point to a specific server in the source domain.
- Computer objects that are domain controllers—you can't move those across domains at all.
The error is AD's way of saying, "Hey, if I let this object go, it'll break something in the target domain." It's annoying but honest.
Less common variations and gotchas
Sometimes the error shows up with a different message but the same code. I've seen it pop as "The operation cannot be performed because the object's domain is different from the target domain's domain." Here are three tricky scenarios:
| Scenario | Fix |
|---|---|
| Object has a sidHistory value | Strip it using Active Directory Users and Computers > Properties > Attribute Editor > clear sidHistory. Only do this if you're sure the old SID isn't needed. |
| Protected from accidental deletion flag | Uncheck that box in the object's Object tab before moving. |
| Target domain doesn't have the same schema class | Run adprep /domainprep /gpprep on the target to ensure the class exists. |
Another thing that tripped me up: Group Managed Service Accounts (gMSAs). These objects have an `msDS-GroupMSAMembership` attribute that AD refuses to move cross-domain. You'll need to delete and recreate them in the target domain.
Prevention—stop this from hitting you again
I know you don't want to deal with this twice. Here's what I recommend for anyone managing multi-domain forests:
- Run a pre-move audit script using PowerShell to check for problematic attributes. Something like (note that a property name containing a hyphen has to be quoted after `$_.`, otherwise PowerShell parses it as a subtraction):

```powershell
Get-ADUser -Identity $username -Properties * |
    Select-Object Name, @{N='ProblemAttrs'; E={ $_.'msDS-AllowedToActOnBehalfOfOtherIdentity', $_.sidHistory, $_.msExchHomeServerName }}
```

- Keep all domain controllers at the same schema version. Use `repadmin /showattr` to verify revision numbers match across DCs.
- Enable strict replication consistency with `repadmin /options +DISABLE_OUTBOUND_REPL` on problematic DCs (then re-enable after sync).
- If you're moving groups, never move a group that contains members from multiple domains—ADMT will choke. Break those up first.
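As an added example (not code from the original article), here is a fuller version of that pre-move audit. It folds the blockers listed across this page into one function: the RBCD attribute, sidHistory, the Exchange home-server attribute, the gMSA membership attribute, the protected-from-accidental-deletion flag, domain-controller computer objects and domain-local group memberships. It assumes the ActiveDirectory RSAT module is available and that the caller can read the object on a source-domain DC; the function name and the sample identity are assumptions.

```powershell
# Added example: pre-move readiness check for a cross-domain move.
# Assumes the ActiveDirectory module (RSAT) is installed.
function Test-CrossDomainMoveReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,  # DN, sAMAccountName or objectGUID
        [string] $Server                            # optional: a DC in the source domain
    )

    # Attributes this article names as cross-domain move blockers, plus the
    # group/class information needed for the DC and domain-local group checks.
    $props = @(
        'msDS-AllowedToActOnBehalfOfOtherIdentity', # RBCD: delegated Kerberos rights
        'sidHistory',
        'msExchHomeServerName',
        'msDS-GroupMSAMembership',                  # gMSA: recreate, do not move
        'ProtectedFromAccidentalDeletion',
        'memberOf',
        'objectClass',
        'primaryGroupID'
    )
    $getParams = @{ Identity = $Identity; Properties = $props }
    if ($Server) { $getParams.Server = $Server }
    $obj = Get-ADObject @getParams

    $findings = New-Object System.Collections.Generic.List[string]

    if ($obj.'msDS-AllowedToActOnBehalfOfOtherIdentity') {
        $findings.Add('msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD) is set; clear it before the move')
    }
    if ($obj.sidHistory) {
        $findings.Add("sidHistory has $($obj.sidHistory.Count) entries; strip only if the old SIDs are no longer needed")
    }
    if ($obj.msExchHomeServerName) {
        $findings.Add("msExchHomeServerName points at $($obj.msExchHomeServerName)")
    }
    if ($obj.'msDS-GroupMSAMembership' -or $obj.objectClass -eq 'msDS-GroupManagedServiceAccount') {
        $findings.Add('Object is a gMSA; delete and recreate it in the target domain instead of moving')
    }
    if ($obj.ProtectedFromAccidentalDeletion) {
        $findings.Add('ProtectedFromAccidentalDeletion is enabled; clear it before the move')
    }
    # Domain controllers have primary group Domain Controllers (RID 516) or
    # Read-only Domain Controllers (RID 521); they cannot be moved across domains.
    if ($obj.primaryGroupID -in 516, 521) {
        $findings.Add('Object is a domain controller; it cannot be moved across domains')
    }
    # Domain-local group memberships in the source domain do not follow the object.
    foreach ($dn in $obj.memberOf) {
        $grpParams = @{ Identity = $dn; Properties = 'GroupScope' }
        if ($Server) { $grpParams.Server = $Server }
        $grp = Get-ADGroup @grpParams
        if ($grp.GroupScope -eq 'DomainLocal') {
            $findings.Add("Member of domain-local group $($grp.Name); remove the membership before the move")
        }
    }

    [pscustomobject]@{
        DistinguishedName = $obj.DistinguishedName
        ReadyToMove       = ($findings.Count -eq 0)
        Findings          = $findings.ToArray()
    }
}

# Usage with a constructed identity and source DC name:
# Test-CrossDomainMoveReadiness -Identity 'CN=JaneDoe,OU=Users,DC=source,DC=com' -Server 'source-DC.source.com'
```

Run it against every object in the migration batch and move only those that come back with `ReadyToMove` set to `$true`; the `Findings` array tells you which of the fixes from the table above to apply to the rest.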
I've seen this error hit hardest during mergers or acquisitions when teams rush to consolidate domains. Take the extra 30 minutes to scrub objects before moving them. It'll save you hours of digging through event logs later.
One last thing: if you're still stuck, check the Microsoft-Windows-ActiveDirectory_DomainService event ID 1168 on the source DC. It often logs the exact attribute blocking the move. That's your golden ticket.
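To pull those event ID 1168 entries without clicking through Event Viewer, here is an added example (not from the original article) that queries the Directory Service log on the source DC for the provider named above and surfaces the message line that mentions an attribute. It assumes remote Event Log access to the DC; the function name and the `$SourceDC` parameter are assumptions.

```powershell
# Added example: list recent AD DS event 1168 entries from a source DC.
# Assumes the caller has remote Event Log read access on that DC.
function Get-XdomMoveBlockEvents {
    param(
        [Parameter(Mandatory)] [string] $SourceDC,
        [int] $Hours = 24
    )
    $filter = @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        Id           = 1168
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $SourceDC -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The article says the message often names the blocking attribute;
            # pick out the first message line that mentions one, keep the full text too.
            $hint = $_.Message -split "`r?`n" | Where-Object { $_ -match 'attribute' } | Select-Object -First 1
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                AttributeHint = $hint
                Message       = $_.Message
            }
        }
}

# Usage with a constructed DC name:
# Get-XdomMoveBlockEvents -SourceDC 'source-DC.source.com' -Hours 6 | Format-List
```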