Solved

Folder Permissions - Domain Migration without Trust being setup

Posted on 2008-10-30
9
4,959 Views
Last Modified: 2013-12-05
We are currently switching our entire infrastructure to a new domain, logically & Physically. There is no trusts between these domains. All users and groups have been recreated on the new domain. OLDDOM is AD 2003 / server is 2000 Adv. NEWDOM is 2008 / servers 2008 / 2003 (for legacy apps)

On the OLDDOM we have multiple levels of security and permissions set, some as deep as 25 levels from the directory root. We don't want to have recreate this entire structure, we want to replicate it. We cannot loose this permissioning schema.

I have used ROBOCOPY to transfer the folder and file structure of 1 of the folder branches, using the /COPY:DATS to ensure that the security descriptors remain complete. It is transferred to an external drive from OLDDOM and then attached to NEWDOM.

Prior to transferring up to the server from the external drive, I want to change all permissions for OLDDOM to NEWDOM. All accounts have been re-created new on the NEWDOM.

So far I have tried (after losing a week with powershell get-acl and set-acl):

SetACL.exe - My Input & Output.

SetACL.exe -on MYFOLDER -ot file -actn domain -rec cont_obj -dom "n1:OLDDOM;n2:NEWDOM;da:repldom;w:dacl"

ERROR: AddDomain: Domain name <OLDDOM> is probably incorrect.
ERROR while processing command line: Domain: n1:OLDOM;n2:NEWDOM;da:repldom;w:dacl could not be set!

SubinACL.exe - My Input & Output
subinacl /subdirectory T:\MYFOLDER\*.* /migratetodomain=OLDDOM=NEWDOM
WARNING : Error parsing line +subdirectory t:\myfolder\*.*
Use :
SubInacl /help to get the usage information
or
SubInAcl /help syntax to understand SubInAcl syntax.

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        1
Last Syntax Error:WARNING : Error parsing line +subdirectory t:\myfolder\*.*

Can anyone help in this situation. I am pulling my hair out in Despair...
Regards.
Robert



0
Comment
Question by:Gr8-Ideas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
9 Comments
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22849507
You nead to configure trust to be able to transfer permissions between domains.
0
 

Author Comment

by:Gr8-Ideas
ID: 22879659
Thanks henjoh09

This unfortunatley does not help as no trust can be established.

from the subinacl.exe help

/offlinesam=FileName
Specifies a text file that matches user names to their SIDs, and directs SubInACL to look up SIDs in this file instead of on the server on which the object is located. This is useful if the domain is unaccessible or no longer exists.

/offlinesam

The task in this example is to migrate the security settings of the files on a server from one domain to another. This example assumes that you have access to the source domain and know you will not have access to it during the migration.
Store a record of user names and their corresponding SIDs from the source domain in a text file named C:\Samfile.txt. Use the following format:
_cachefileonly_=s-1-9-cacheonly
[Domain\UserName | Server\UserName]=SID
Type the following at the command line:
subinacl /offlinesam=C:\SAMFILE.TXT /subdirect \\SERVER\SHARE\*.* /migratetodomain=SOURCEDOMAIN=DESTDOMAIN
Press ENTER.


When I run this however, I get -

 Could not find domain name in SAM cache file: NEWDOM
Error finding domain name : 87 The parameter is incorrect.

Any clues, anyone??
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22880270
Sorry, I missed that subinacl has /offlinesam
/offlinesam is for source domain. With the error posted, it sounds like you've swapped the parameters.
/migratetodomain will add NEWDOM-ACE into ACLs. As the old domain is offline and not usable, I guess it would be better to use /changedomain to replace ACE with NEWDOM
Optional argument is to add a mapping file in the changedomain and migratedomain parameters.

subinacl /offlinesam=C:\SAMFILE.TXT /subdirect c:\folder\*.* /changedomain=OLDDOM=NEWDOM=C:\mapping.txt

C:\SAMFILE.txt:
OLDDOM\jdoe=S-1-5-12-...

C:\mapping.txt
jdoe=johndoe
administrator=administrator
0
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

 

Author Comment

by:Gr8-Ideas
ID: 22887711
Hi,

I have created the mapping file as suggested:

subinacl /offlinesam=C:\cached_sids.txt /subdirect C:\folder\*.* /changedomain=OLDDOM=NEWDOM=C:\mapping.txt

Sample of cached sid:
__cachefileonly__
olddom\clusteradmin=S-1-5-21-3............
system=S-1-5-18
builtin\administrators=S-1-5-32...........

Sample of mapping.txt
clusteradmin=clusteradmin
administrators=administrators
domain admins=domain admins
domain users=domain users

Here is the error:

 Could not find domain name in SAM cache file: NEWDOM
Error finding domain name : 87 The parameter is incorrect.

Current object C:\folder\*.* will not be processed

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        1
Last Syntax Error:WARNING : /changedomain=OLDDOM=NEWDOM=C:\mapping.txt : Error when checking arguments - C:\folder\*.*

This is now becoming critical. As some educated manager has suggested that this can be done manually quicker than a scritped solution!!!

Any help appreciated.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22899191
Remove __cachefileonly__ from cached_sids.txt

From subinacl help:
"With the __cachefileonly__ line in the file, SubInAcl.exe will not query SAM Server(s) anymore. All needed SIDs should be found in the SAM cache file"
0
 

Author Comment

by:Gr8-Ideas
ID: 22917502
Hi henjoh09

I removed the __cachefileonly__ line in the file.

Now It reverts to looking for the OLDDOM SAM server. Error is:

1355 Could not find domain name : OLDDOM
Error finding domain name : 1355 The specified domain either does not exist or could not be contacted.

Aggggggggggggggghhhhhhhhhhhhhhhh !!!!!!!!!!!

There is a solution to this, I know there is...............
0
 
LVL 1

Expert Comment

by:dsesko
ID: 23260184
All,
Here is my fix
Create the /offlinesam=C:\source.txt
copy file to destination server
add the following lines to the end of the file
domaina=the SID for the domain
domainb=the SID for the domain
I used psgetSID to get the sid of one  domain controller in each domain
http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

Then I created a temp folder on my destination server with all the users and groups on it
I then created another /offlinesam=Destination.txt of the temp file
I then appended the contents of the destination file to the end of the source file and ran the command as follows
Subinacl /offlinesam=C:\source.txt /subdirect C:\data\*.* /changedomain=domaina=domain

Sample file
__cachefileonly__
domaina\domain users=MYSIDA
domaina\dsesko=MYSIDA
domaina=MYSIDA
domainb=MYSIDB
domainb\dsesko=MYSIDB
domainb\domain users=MYSIDB
0
 
LVL 1

Accepted Solution

by:
dsesko earned 500 total points
ID: 23260202
Upon further testing
i also found that if you remove the  __cachefileonly__  from the top of the source file and just add the
the sid from the source domain it works as well

Hope this helps

sample
domaina\domain users=MYSIDA
domaina\dsesko=MYSIDA
domaina=MYSIDA
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Come and listen to Percona CEO Peter Zaitsev discuss what’s new in Percona open source software, including Percona Server for MySQL (https://www.percona.com/software/mysql-database/percona-server) and MongoDB (https://www.percona.com/software/mongo-…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question