How to Retain User Permissions When Adding a File Server to a New Domain

Posted on 2010-03-26
Last Modified: 2013-11-25
I currently have a file server on my network that is also a domain controller.  It is running Server 2003 but Active Directory is in 2000 Native Mode.  I also have Security Groups in Active Directory that specify what users are allowed to access on that server.  It is the only Windows domain controller.  

Old Domain Controller:  server.olddomainname.com & File Server
New Domain Controllers:  server1.newdomainname.com & server2.newdomainname.com

I have built a new Active Directory domain with primary and secondary DCs and am adding an Exchange 2007 server.  Both DCs are Windows Server 2003 in 2003 Native Mode.  I need to know how I can retain permissions for those security groups on the old domain after demoting the file server/old domain server and then joining it to the new domain.  I have already created the same Security Groups in the new domain in hopes that I will be able to use them.  Another kink in this rope is that our old account naming structure was <firstname>_<lastname>.  I am changing this to <firstinitial><lastname>.  My intention is to ease the amount of typing to log in and allow easier email capability.

Please let me know if you need any further information.  I am grateful for any assistance...
Question by:devryguy81

Expert Comment

by:Jason Watkins
ID: 28767297

I think your best bet is to create a DFS (distributed file system) and add the new server to it.

Expert Comment

ID: 28893250
Since the permissions on your existing file server (the old domain controller) were probably granted to the domain security groups of the existing domain, when you demote this domain controller you will not be able to make any sense out of the permissions currently granted on the file system. Here's what I would do. While you have an old domain and a new domain, create a trust between those domains.
There will be some manual steps you need to take since your file server is the sole domain controller. After the trust is established, you can use the ADMT tools to migrate those groups over from the old domain to the new domain. Here you have the option to leave the existing groups in the old domain as is or disable them. You also have the option to migrate and automatically create those group and user objects in the new domain while retaining the SID. You can then later rename the group or user accounts to whatever you need, but the SID would be the same. Then you would go to the file system. Since you have already created the groups and probably the new user objects as well, you probably don't need the ADMT tools, as they are not really going to save you any time when you have already created those groups and user accounts. So the SID would not need to be retained if that's the case. But regardless, you would still need to manually grant the file system permissions to the new domain groups and remove the old domain groups, simply because you are going to remove the old domain and that is the file server. When that is done, users are accessing your old domain controller's file system with the new user accounts, and other accessibility is validated, you are ready to demote your old domain controller. You simply remove the trust, demote the old domain controller, and join the file server to the new domain. File permissions granted to the new groups in the new domain will remain the same once it is joined to the new domain.
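
The manual re-grant step described in the answer above, as an added example that is not part of the original thread: while the trust is in place and old-domain names still resolve, it lists every explicit folder ACE held by an old-domain principal and, once the report has been reviewed, adds a matching ACE for the mapped new-domain group. `D:\Shares`, `OLDDOMAIN`, `NEWDOMAIN` and the group names are placeholders, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. All names below are placeholders.
$Root     = 'D:\Shares'                  # hypothetical share root on the file server
$GroupMap = @{                           # old-domain group -> new-domain group
    'OLDDOMAIN\Accounting' = 'NEWDOMAIN\Accounting'
    'OLDDOMAIN\Staff'      = 'NEWDOMAIN\Staff'
}
$Apply = $false                          # $false = report only; review before setting $true

# Root folder plus every subfolder (PSIsContainer filters out files).
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse | Where-Object { $_.PSIsContainer })

$report = foreach ($folder in $folders) {
    $acl     = Get-Acl -LiteralPath $folder.FullName
    $changed = $false
    foreach ($ace in $acl.Access) {
        # Inherited entries follow the parent; only explicit ones need re-granting.
        if ($ace.IsInherited) { continue }
        $old = $ace.IdentityReference.Value
        if ($old -notlike 'OLDDOMAIN\*') { continue }
        $new    = $GroupMap[$old]
        $status = 'NoMapping'            # principal missing from $GroupMap
        if ($new) {
            $status = 'Planned'
            if ($Apply) {
                try {
                    # Same rights, inheritance and allow/deny type as the old entry.
                    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                        $new, $ace.FileSystemRights, $ace.InheritanceFlags,
                        $ace.PropagationFlags, $ace.AccessControlType)
                    $acl.AddAccessRule($rule)
                    $changed = $true
                    $status  = 'Added'
                } catch {
                    $status = "Failed: $($_.Exception.Message)"
                }
            }
        }
        New-Object PSObject -Property @{
            Path = $folder.FullName; OldIdentity = $old; NewIdentity = $new
            Rights = $ace.FileSystemRights; Type = $ace.AccessControlType; Status = $status
        }
    }
    if ($changed) { Set-Acl -LiteralPath $folder.FullName -AclObject $acl }
}
$report | Export-Csv -Path .\old-domain-aces.csv -NoTypeInformation
```

The old-domain entries are left in place so access keeps working until the new accounts have been validated; rows reported as `NoMapping` are principals that still need a decision before the old domain is removed.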

Author Comment

ID: 29023075

Thank you for your detailed response.  However I am afraid I may need a bit more detail.  I have never established a trust between domains before and there is another issue that I forgot to put into my original post...name resolution and DHCP are currently being handled by 2 Debian Linux boxes.  The file server is running Active Directory and that's it.  Here is a more visual look:

File Server --> Active Directory (olddomain.com)
Linux Box 1 --> DNS Server
Linux Box 2 --> DHCP Server

Can I still establish a trust between old and new domain controllers and just forget about the Linux boxes?  They have nothing to do with permissions so it seems as though that would be all right.

Also, do I need to involve my secondary (new) domain controller in this or leave it alone?

I apologize for throwing that in at the last minute but I realized that issue when I was researching how to establish a trust between domains...

Thanks again for your help!


Expert Comment

ID: 29116273
To make your life a lot easier...  What you have to remember is that when the users log on to the new domain, they're going to get totally new profiles.  If you can keep the old domain name without any issues, I would demote both new domain controllers, join them to the existing domain, then promote them, transfer roles, and remove the DC role from the file server, which would be a lot easier.  If you need to use the new domain name then check out the links below.  Make sure you run all services from the domain controllers, all Microsoft (DNS, DHCP, etc.).  ADMT will migrate all users, groups, and workstations from the old domain to the new one.  As far as the rights on the file server, you have to redo those but the groups will all be there with all the users intact.


Expert Comment

ID: 29120672
If all servers are basically on the same network, without having to worry about firewall rules in place, you can use the existing Linux boxes for your DNS and DHCP; it really doesn't matter what DNS or DHCP you use technically. All you need to be sure of is that on your old domain controller you are able to ping and nslookup the new domain controller and the domain name (i.e., server1 and newdomainname.com), and are able to do the same from your new domain controller to ping and nslookup the new domain controller and domain name. It will also be very clean if you can do the same on both sides to resolve IP to name as well before you create the trust.
Now, if you want the DNS as a part of the Active Directory, you can also migrate your Linux DNS to Microsoft DNS. Otherwise, either DNS should work if configured properly.

Expert Comment

ID: 29121013
Yes, it definitely would be easier if you can keep the old domain name and just promote the new server as a domain controller and demote the old domain controller to simply a member server as is, if your intention is basically to have the file server as a member server and the domain controller as a controller. If you plan to migrate your DNS and DHCP to Microsoft then they can all be on the domain controller.

Expert Comment

ID: 29125855
What you could do, since you already have the new domain set up, is:
Set up a new domain controller on the old domain; this can be a virtual or physical desktop PC.
Transfer all the roles to this server.
Demote the file server. Note: all the security settings would still be intact since you have another DC.
Use ADMT to migrate all users, groups, and domain computer accounts, which will include the file server, which is no longer a domain controller.
Since the file server is technically now a regular computer account and all the users and groups would have been migrated, you'll have preserved the state of the file server's security settings on the files and folders.
Now this might be a little more than you may want to do but it's an option.

If you decide to use ADMT, it might be wise to move the DNS to the existing domain controller on the old domain and make sure to use DNS and DHCP on the new domain.  I don't know what results you would have using ADMT with Linux DNS.

Author Comment

ID: 29368884
Thanks to everyone so far for their suggestions.  I know this whole setup is a mess to deal with, that is why I have been taking my time to really think about each of the paths that have been suggested.  It is also difficult sometimes when you are the only IT person and do not have anyone else to bounce ideas off of...

The old network was pieced together using whatever means were available at the time (a consequence of a previous IT person and being a non-profit organization).  I have been able to use some newer resources, such as Tech Soup, and others, to obtain the materials I need to standardize this network.  The scope of this project has quickly ballooned from a simple active directory migration to creating a brand-new active directory (with DNS and DHCP and Group Policy), adding an Exchange 2007 environment and integrating SharePoint 3.0 as an all-inclusive upgrade to our current state.  I am also wanting to let go of all of our Linux boxes.  (I am not a Linux guy and I would rather learn it first in a testing environment than not be able to fully support it in a production environment.)

I need to change the domain name as it is currently not accurate in my view.  I also want to change our AD and email accounts from "firstname_lastname" to "firstinitiallastname".  On top of that, I need to migrate all the local users' profiles to the new domain and maintain the access to the file server.  I wanted to do a phased project but it is looking more and more like I am going to have to do the old band-aid removal and switch everything all at once.  I would like to not have to undo and redo all of my prep work on the new domain environment (if possible).  In everyone's opinion, what would be the most pain-free way of making this work while retaining the changes that I want to make?  Would I be ahead to use pedronrivera's last suggestion and then later rename all the users' AD accounts, or would another method be more beneficial?

Thanks so much to everyone for your thoughts on this issue.  I do sincerely appreciate your input.

Accepted Solution

Americom earned 1000 total points
ID: 29371683

If you can retain the old domain name then adding additional domain controllers to it would be the least work for you.
This involves the following steps as far as the domain is concerned:
1) Stop doing anything on the new domain controllers
2) Demote and remove them as domain controllers
3) Promote them into the existing old domain as additional domain controllers
4) Transfer all the FSMO roles to one of the newly promoted domain controllers.
 Now you have three domain controllers. You can demote and remove the domain role from the original domain controller and leave it as a file server only.

If you plan to move away from the Linux DNS, then you should probably do this even before the above steps, although technically you can do it before or after.
Here are the steps to migrate the DNS over:
1) Take one domain controller and install the DNS service
2) Create a secondary zone with the same name as your domain (you should have such a zone in your Linux DNS)
3) Be sure to configure your Linux DNS to allow zone transfer to the above domain controller
4) On the created secondary zone, make sure it gets its data from the master DNS on your Linux box
5) Then, you can replicate the zone over from Linux to your DC
6) Once that is done, verify your systems can resolve from your AD DNS
7) Convert your DNS to Active Directory-integrated DNS instead of secondary.
8) Install the DNS service on the other DC and restart the DNS and Netlogon services, and you should have the DNS on all your DCs as Microsoft DNS

Note, remember to point your DC's DNS to its own IP. But preferably point to the other DC as preferred and the local IP as alternate, and do the same for the other DC.

Assisted Solution

pedronrivera earned 1000 total points
ID: 29387382
I need to change the domain name as it is currently not accurate in my view. -
"More work only if you don't plan right.  ADMT"

I also want to change our AD and email accounts from "firstname_lastname" to "firstinitiallastname". "This step is not crucial right now, do this later"

I need to migrate all the local users' profiles to the new domain and maintain the access to the file server.  
"Are your users logging into the domain right now? If so, if  you decide to migrate using ADMT, all the user profiles will be preserved when you migrate the workstations, read the ADMT docs."

I wanted to do a phased project but it is looking more and more like I am going to have to do the old band-aid removal and switch everything all at once.  
"You don't need to switch all at once. Do what Americom said and remove the Linux boxes first. Install DHCP, DNS and WINS on the old domain controller and move those services first.  That should be phase one of your whole project."

In everyone's opinion, what would be the most pain-free way of making this work while retaining the changes that I want to make?  Pain-free means reading a lot of the documentation: RTM my friend!  And even then things can go wrong.  Don't avoid pain, it's good for you.

This is really not as complicated.  I would migrate only because it will allow you to learn a little more.  ADMT is really easy to use.  The documentation takes you through all the steps but I would get rid of the Linux boxes first no matter what route you decide to take.

Good Luck man!!!!

Author Comment

ID: 29461733
OK, I think the picture is starting to come together.  Between Americom's and pedronrivera's last comments I may have myself a plan.

I will need to do a few things to get the Linux boxes out of the way.  They are also handling some web services and Samba file access.  I have been meaning to move the sites they are hosting over to GoDaddy anyway, and the files shared on the other server really ought to be on the file server...novel idea, right?

After that, I will need to raise the domain level to 2003 (as it is currently 2000 native) and then I can rename it to a name that corresponds to the organization.  I will then get DNS and DHCP up and running on the old DC.  At this point though, I want to double-check something with the both of you.

Scenario:  All of my user workstations are in peer to peer mode (workgroups) and their local accounts each have a corresponding domain account on the old DC allowing them access to the file server.  If I use ADMT to get a new DC up and running and demote the old DC, that will break those users off from file server access, correct?  Then I will need to join them to the domain and move their local profile over to their domain profile (to retain settings and such).  Later down the road I can then rename their AD accounts and get Exchange going.  Does that seem as though I am on the right track?

I truly appreciate the assistance!

Expert Comment

ID: 29811577
I'm a bit confused when you said "All of my user workstations are in peer to peer mode (workgroups)...".
If your workstations are not a member of any domain, that means your users are logging on to them with a local account and not a domain account. Then how are you letting the users access your file server? The only way I can think of is that the local account has the same account name and password as the domain account created in your old DC. But what I don't understand is why even use a local account if you have a domain account? And why not put those workstations in the domain as members?
So, do your users log on to the workstations with a domain account at all? If not, there is no profile you can migrate over with ADMT as it is not in the domain. If you need to retain the local user profile regardless of whether the computer is in the domain or the user is a domain user, you can use a 3rd party tool to do the migration, a tool such as Profile Transfer Wizard (www.forensit.com), or if you are going to use Win7, there is also an Easy profile transfer tool as well.

Author Closing Comment

ID: 31707754
Ahh, now you are starting to see what I have been dealing with!  When I came into this position that is the same question I asked myself.  "Why are the users set up using local accounts when there is a nice Active Directory to use?"  I have not been able to answer that question.  The local accounts do match the domain accounts.  Computers are in workgroup mode.

I really just needed the input Americom and pedronrivera have provided to help me sort out my "order of operations".  At this point I think we have pretty much exhausted the question.  Because my series of steps is more customized than just a standard migration I am not sure if it would do much good for others to put my steps down, but I may anyway.  I would like to award both of you 500pts each but I am afraid you will have to split the bounty!

Thank you BOTH for your help with this.  
