JP42

Transfer File Permission to new domain

I am looking to move equipment to a new domain. I have the new server set up (DC) and I have already been migrating workstations.
I have three file and print servers to migrate though, which means, once I migrate to the new domain all of the NTFS and share permissions will be lost.
I cannot create a trust between the two DCs.
Is there a way I can change the permissions from one domain to the new domain and automate it?

All the users in both domains are the same.

I.e.  change domain1\user1  >>  domain2\user1

Thanks in advance.
Rant32

This appears to be a job for ADMT.

The "Security Translation Wizard" is able to amend the ACL on existing objects in the old domain, so BOTH entries from the old domain and target domain exist in the ACL.

After you move the resources to a new domain (or move the file server to a new domain), use ADMT again in Remove mode to remove the SIDs from the old domain.

Q: Is the file server a member server?
Q: Are you using local security groups to assign permissions?
Q: Are you completely re-installing a new fileserver and moving the files, or are you removing/adding the existing server to a new domain?
oBdA

Why can't you create a trust? Is SBS involved?
Anyway, to start with, make sure the LOCAL(!) Administrators group on the current file server has Full Access to the complete structure.
Then you can use robocopy to copy the files including their current NTFS permissions to the new domain.
Some hints:
- robocopy will *by* *default* only copy files that aren't in the target already.
- If you want to do several sync runs, you can use /mir to delete files in the target that aren't in the source anymore.
- You might want to set /r (retry) and /w (wait) to something more useful in a LAN, like /r:2 /w:1.
- use /copyall to copy NTFS permissions as well.
- Check robocopy.doc in the ResKit installation folder (to run it, you actually only need robocopy.exe); it's very useful documentation.
- You can safely use /nfl (no file list) and /ndl (no directory list) to reduce the log file size; errors will still be logged.
- Use /np if you're logging to a text file, otherwise the log will be filled with control characters.
- If you're migrating to W2k8, robocopy's already included.

Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

GUI wrappers are available, too:
RoboCopy GUI 1.0.0.24
http://www.softpedia.com/get/System/OS-Enhancements/RoboCopy-GUI.shtml

Utility Spotlight Robocopy GUI
http://technet.microsoft.com/en-us/magazine/2006.11.utilityspotlight.aspx

Once you have the files on the new machine, you can use subinacl.exe (use the download linked below, NOT the v4 that's included in the ResKit) to change the permissions. You can use the ResKit help for subinacl examples.
/alternatesamserver could perhaps work (with an existing \\olddc\ipc$ connection with an administrative user); otherwise check whether /offlinesam helps you any.
For starters, I'd copy only a single folder tree without files over (use /XF *.* in the command line). Then start testing with subinacl on that structure.
Once you have the necessary subinacl commands at hand, I'd do the following (assuming you don't have to care about file permissions, only folder):
1. Copy the complete folder tree with permissions (/COPY:DATS), but without files (/XF *.*)
2. Make it known that from this moment on, and until the file server migration is complete, there will be no more changes to the permissions.
3. Change the permissions in the folder structure (which should be comparatively fast)
4. Copy the files into the folder structure WITHOUT permissions.
5. Repeat step 4 daily with /MIR until you're ready to go online with the new server.

SubInACL (SubInACL.exe)
http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en

Helpful tool to analyze permissions: DumpSec
http://www.systemtools.com/somarsoft/index.html


Rant32,
the ADMT requires a trust between the domains.
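
The staged copy in steps 1, 4 and 5 above, with a check between them that lists folder ACEs still pointing at old-domain SIDs, as an added example that is not part of the original post. The paths, log folder, the old-domain SID value and the function name `Get-OldDomainAce` are placeholders and assumptions; the robocopy switches are the ones named in the post plus `/E` and `/LOG`. The audit function can also be run on its own against a server that was moved to the new domain in place.

```powershell
# Added example: all default values below are constructed placeholders.
param(
    [string]$Source       = '\\oldfs\d$\Data',   # hypothetical source on the old server
    [string]$Target       = 'D:\Data',           # hypothetical target on the new server
    [string]$OldDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333',  # placeholder
    [string]$LogDir       = 'C:\MigrationLogs'
)
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Step 1: folder tree only, with NTFS security (/COPY:DATS) and no files (/XF *.*).
robocopy $Source $Target /E /COPY:DATS /XF *.* /R:2 /W:1 /NP /NFL /NDL "/LOG:$LogDir\step1-tree.log"
if ($LASTEXITCODE -ge 8) { throw "Tree copy failed, robocopy exit code $LASTEXITCODE" }

# Check for step 3: explicit (non-inherited) folder ACEs whose SID belongs to the old domain.
function Get-OldDomainAce {
    param([string]$Root, [string]$SidPrefix)
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)
    foreach ($dir in $folders) {
        $acl   = Get-Acl -LiteralPath $dir.FullName
        # Ask for raw SIDs so entries are matched even when the name cannot be resolved.
        $rules = $acl.GetAccessRules($true, $false,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.IdentityReference.Value.StartsWith("$SidPrefix-")) {
                [pscustomobject]@{
                    Path   = $dir.FullName
                    Sid    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                    Type   = $ace.AccessControlType
                }
            }
        }
    }
}

# Run this after the permissions have been changed (step 3). Any hit means an ACE
# was not translated, so stop before files are copied into the structure.
$stale = @(Get-OldDomainAce -Root $Target -SidPrefix $OldDomainSid)
if ($stale.Count -gt 0) {
    $stale | Export-Csv "$LogDir\old-domain-aces.csv" -NoTypeInformation
    Write-Warning "$($stale.Count) folder ACEs still reference the old domain."
    return
}

# Steps 4 and 5: files WITHOUT security (/COPY:DAT), so they inherit from the
# translated folders. /MIR deletes target files that no longer exist in the source.
robocopy $Source $Target /MIR /COPY:DAT /R:2 /W:1 /NP /NFL /NDL "/LOG:$LogDir\step4-files.log"
if ($LASTEXITCODE -ge 8) { throw "File sync failed, robocopy exit code $LASTEXITCODE" }
```
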
JP42

ASKER

Ok so let me clarify a bit...

I cannot create a trust because of political reasons between the company we are splitting off of.
The file server is just moving to the new domain, so I will not need to copy files to another file server.

I like your idea about using SUBINACL, just not sure how the procedure would go.
NOTE: Both domains are on the same subnet and I have established local admin accounts to all devices.
Do I migrate the file server to the new domain first and then use SUBINACL with the /offlinesam option?
How do I acquire the offlinesam file? What format?

I would hate to migrate the server first, lose my permissions and then find that I can't get SUBINACL to work. Suggestions?

Thanks for dumpsec, I like that.
ASKER CERTIFIED SOLUTION
oBdA

JP42

ASKER

Could you provide an example of subinacl to convert the permissions from one domain to another?

I am converting a file and print server so permissions will need to be changed for shares, file security, printers, and services.

Thanks.