Solved

Folder Permissions - Domain Migration without Trust being setup

Posted on 2008-10-30
9
4,908 Views
Last Modified: 2013-12-05
We are currently switching our entire infrastructure to a new domain, logically & Physically. There is no trusts between these domains. All users and groups have been recreated on the new domain. OLDDOM is AD 2003 / server is 2000 Adv. NEWDOM is 2008 / servers 2008 / 2003 (for legacy apps)

On the OLDDOM we have multiple levels of security and permissions set, some as deep as 25 levels from the directory root. We don't want to have recreate this entire structure, we want to replicate it. We cannot loose this permissioning schema.

I have used ROBOCOPY to transfer the folder and file structure of 1 of the folder branches, using the /COPY:DATS to ensure that the security descriptors remain complete. It is transferred to an external drive from OLDDOM and then attached to NEWDOM.

Prior to transferring up to the server from the external drive, I want to change all permissions for OLDDOM to NEWDOM. All accounts have been re-created new on the NEWDOM.

So far I have tried (after losing a week with powershell get-acl and set-acl):

SetACL.exe - My Input & Output.

SetACL.exe -on MYFOLDER -ot file -actn domain -rec cont_obj -dom "n1:OLDDOM;n2:NEWDOM;da:repldom;w:dacl"

ERROR: AddDomain: Domain name <OLDDOM> is probably incorrect.
ERROR while processing command line: Domain: n1:OLDOM;n2:NEWDOM;da:repldom;w:dacl could not be set!

SubinACL.exe - My Input & Output
subinacl /subdirectory T:\MYFOLDER\*.* /migratetodomain=OLDDOM=NEWDOM
WARNING : Error parsing line +subdirectory t:\myfolder\*.*
Use :
SubInacl /help to get the usage information
or
SubInAcl /help syntax to understand SubInAcl syntax.

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        1
Last Syntax Error:WARNING : Error parsing line +subdirectory t:\myfolder\*.*

Can anyone help in this situation. I am pulling my hair out in Despair...
Regards.
Robert



0
Comment
Question by:Gr8-Ideas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
9 Comments
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22849507
You nead to configure trust to be able to transfer permissions between domains.
0
 

Author Comment

by:Gr8-Ideas
ID: 22879659
Thanks henjoh09

This unfortunatley does not help as no trust can be established.

from the subinacl.exe help

/offlinesam=FileName
Specifies a text file that matches user names to their SIDs, and directs SubInACL to look up SIDs in this file instead of on the server on which the object is located. This is useful if the domain is unaccessible or no longer exists.

/offlinesam

The task in this example is to migrate the security settings of the files on a server from one domain to another. This example assumes that you have access to the source domain and know you will not have access to it during the migration.
Store a record of user names and their corresponding SIDs from the source domain in a text file named C:\Samfile.txt. Use the following format:
_cachefileonly_=s-1-9-cacheonly
[Domain\UserName | Server\UserName]=SID
Type the following at the command line:
subinacl /offlinesam=C:\SAMFILE.TXT /subdirect \\SERVER\SHARE\*.* /migratetodomain=SOURCEDOMAIN=DESTDOMAIN
Press ENTER.


When I run this however, I get -

 Could not find domain name in SAM cache file: NEWDOM
Error finding domain name : 87 The parameter is incorrect.

Any clues, anyone??
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22880270
Sorry, I missed that subinacl has /offlinesam
/offlinesam is for source domain. With the error posted, it sounds like you've swapped the parameters.
/migratetodomain will add NEWDOM-ACE into ACLs. As the old domain is offline and not usable, I guess it would be better to use /changedomain to replace ACE with NEWDOM
Optional argument is to add a mapping file in the changedomain and migratedomain parameters.

subinacl /offlinesam=C:\SAMFILE.TXT /subdirect c:\folder\*.* /changedomain=OLDDOM=NEWDOM=C:\mapping.txt

C:\SAMFILE.txt:
OLDDOM\jdoe=S-1-5-12-...

C:\mapping.txt
jdoe=johndoe
administrator=administrator
0
Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

 

Author Comment

by:Gr8-Ideas
ID: 22887711
Hi,

I have created the mapping file as suggested:

subinacl /offlinesam=C:\cached_sids.txt /subdirect C:\folder\*.* /changedomain=OLDDOM=NEWDOM=C:\mapping.txt

Sample of cached sid:
__cachefileonly__
olddom\clusteradmin=S-1-5-21-3............
system=S-1-5-18
builtin\administrators=S-1-5-32...........

Sample of mapping.txt
clusteradmin=clusteradmin
administrators=administrators
domain admins=domain admins
domain users=domain users

Here is the error:

 Could not find domain name in SAM cache file: NEWDOM
Error finding domain name : 87 The parameter is incorrect.

Current object C:\folder\*.* will not be processed

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        1
Last Syntax Error:WARNING : /changedomain=OLDDOM=NEWDOM=C:\mapping.txt : Error when checking arguments - C:\folder\*.*

This is now becoming critical. As some educated manager has suggested that this can be done manually quicker than a scritped solution!!!

Any help appreciated.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22899191
Remove __cachefileonly__ from cached_sids.txt

From subinacl help:
"With the __cachefileonly__ line in the file, SubInAcl.exe will not query SAM Server(s) anymore. All needed SIDs should be found in the SAM cache file"
0
 

Author Comment

by:Gr8-Ideas
ID: 22917502
Hi henjoh09

I removed the __cachefileonly__ line in the file.

Now It reverts to looking for the OLDDOM SAM server. Error is:

1355 Could not find domain name : OLDDOM
Error finding domain name : 1355 The specified domain either does not exist or could not be contacted.

Aggggggggggggggghhhhhhhhhhhhhhhh !!!!!!!!!!!

There is a solution to this, I know there is...............
0
 
LVL 1

Expert Comment

by:dsesko
ID: 23260184
All,
Here is my fix
Create the /offlinesam=C:\source.txt
copy file to destination server
add the following lines to the end of the file
domaina=the SID for the domain
domainb=the SID for the domain
I used psgetSID to get the sid of one  domain controller in each domain
http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

Then I created a temp folder on my destination server with all the users and groups on it
I then created another /offlinesam=Destination.txt of the temp file
I then appended the contents of the destination file to the end of the source file and ran the command as follows
Subinacl /offlinesam=C:\source.txt /subdirect C:\data\*.* /changedomain=domaina=domain

Sample file
__cachefileonly__
domaina\domain users=MYSIDA
domaina\dsesko=MYSIDA
domaina=MYSIDA
domainb=MYSIDB
domainb\dsesko=MYSIDB
domainb\domain users=MYSIDB
0
 
LVL 1

Accepted Solution

by:
dsesko earned 500 total points
ID: 23260202
Upon further testing
i also found that if you remove the  __cachefileonly__  from the top of the source file and just add the
the sid from the source domain it works as well

Hope this helps

sample
domaina\domain users=MYSIDA
domaina\dsesko=MYSIDA
domaina=MYSIDA
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question