Solved

Backing up and restoring just ACL

Posted on 2011-03-01
12
1,129 Views
Last Modified: 2012-05-11
I have all my schools shared folders/home directories/files on a Dell MD3000i san with a Windows 2008 server host machine attached.  I really need to wipe and rebuild the host server.  I'm told by Dell that once the host server is disconnected, the ACLs on all the folders/files will be stripped.

Is there a way to backup just the ACLs of these items, then restore them later?

Thanks!
0
Comment
Question by:ejcrist
  • 5
  • 3
  • 3
  • +1
12 Comments
 
LVL 8

Expert Comment

by:devinnoel
ID: 35008577
How is the SAN configured? Are you mounting iSCSI volumes or is the SAN itself serving up file shares?

If you have a NTFS formatted volume, the permissions won't just vanish if you rebuild the server mounting the volume. However the accounts themselves & their associated SID's may vanish. Do you have a domain controller providing centralized user accounts? If not when you rebuild the server, all the user accounts & SID's will be deleted. Even if you re-create a new account with the same exact name after you rebuild the server, it will have a different SID and it won't matter if you backed up the ACL's or not, the SID the ACL is based on will be gone forever.
0
 

Author Comment

by:ejcrist
ID: 35008703
The host server is using iSCSI to mount the volumes from the SAN.  I have a Windows 2008 R2 domain with 3 controllers (the host is not a DC)
0
 
LVL 8

Expert Comment

by:devinnoel
ID: 35008845
If the file system will stay intact & the user accounts will be staying intact via the DC's you should have no problems. I've never seen ACL's disappear on a NTFS filesystem. Unless Dell does something VERY non-standard and unusual your iSCSI LUN should not be tampered with in any way.

Even if your user accounts disappeared, the ACL's would still be there, they would just have a 20ish digit alpha-numeric number instead of the username & no really be useful anymore.

The other answer is don't you perform regular backups of the SAN anyway? A SAN is usually pretty robust, but not immune to crashing & loosing data (users deleting files doesn't even need the SAN to have problems). I'd perform a full backup with your existing backup software prior to the maintenance so you can restore files & ACL's in the unlikely event of a problem. If you don't have an existing backup system, I would get one ASAP.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:ejcrist
ID: 35008983
I use a Baracuda backup appliance.  Backups every night with off site so I'm good there.

I asked my Dell SAN tech rep "When I disconnect my host server from the MD3000i, will the folders/files on the unit retain their ACL’s?"

His response...."No I do not believe so, the permissions will be stripped.  There are some applications that can attempt to preserve the ACL like robocopy.  If you do a search for something like “backup ACL” you may be able to save a copy of your ACL, but by default it will not preserve it. "
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 83 total points
ID: 35009058
You were misled by Dell or misunderstood what they said. The files and NTFS permissions will remain. You export the lanmanserver section of the registry under services. It contains all of the shares and share permissions, so you can restore that section of the registry and get all of your shares back without recreating them manually.

If you have the spare hardware (or VM) you can build a new server and then attach the iSCSI volumes to the new server, which has less downtime and has less risk than wiping your server and hoping you get everything back up in time.

If you are mapping users directly to the server, now is a fantastic time to consider mapping everything to a domain DFS namespace. The advantage is that the names of the servers with the files can change but the network paths will remain the same, so no more trying to change drive mappings, shortcuts, and profiles when you change file servers.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 35009097
> You export the lanmanserver section of the registry under services. It contains all of the shares and share permissions, so you can restore that section of the registry and get all of your shares back without recreating them manually.

HI Kevinhsieh, just to be doubly sure that the situation is understood to avoid any loss. As far as i can tell the 'OP'  has a non domain connected device. Even by doing as you suggest to maintain the ACL's he will be rebuilding the server and thus the users will be re-created with new iD's - the maintained ACL's in that cause will be useless no ?

If its a domain connected system its a lot easier as the ID is stored in AD and you can migrate the ACL's but from what i understand at least the system is isolated ?

@ejcrist - can you confirm if your server is in a domain or not ?
0
 

Author Comment

by:ejcrist
ID: 35009161
The host server is a member of the domain, yes.
0
 
LVL 20

Assisted Solution

by:woolnoir
woolnoir earned 83 total points
ID: 35009201
Ahh then that makes it MUCH easier. You can rebuild the server without fear of your actual users being removed.

http://support.microsoft.com/kb/125996 this article confirms what @kevinhsieh said above in that you can export your shares and ACL settings on the shares.

Where are your permissions set btw ? on the NTFS share permissions or on the share ?
0
 

Author Comment

by:ejcrist
ID: 35009347
NTFS
0
 
LVL 8

Accepted Solution

by:
devinnoel earned 84 total points
ID: 35009778
woolnoir is right on the share permissions stuff. I was only thinking about NTFS. Personally I always set all shares to Administrators: Full Control, Authenticated Users: Change. Then I control everything through NTFS permissions.

You can't really export the NTFS permissions though, they are tied to the filesystem. Leaving the file system intact & untouched while rebuilding the server, then re-attaching to the filesystem after the server is rebuild should be fine. I always perform backups in situations like that, just to be safe.
0
 

Author Closing Comment

by:ejcrist
ID: 35009809
Thanks, folks....great info as usual!!
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 35009814
So to summarise what should work ok.

1) backup the shares and permissions on those as @kevinhsieh suggested.
2) seperate the filesystem from the host (consider a full system backup at this point).
3) rebuild the host box and re-attach it to the domain
4) re-attach the file system
5) import the SHARE and share ACL configuration.
6) also consider migrating your users to DFS as @kevinhsieh also suggested.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Delta outage: 650 cancelled flights, more than 1200 delayed flights, thousands of frustrated customers, tens of millions of dollars in damages – plus untold reputational damage to one of the world’s most trusted airlines. All due to a catastroph…
A procedure for exporting installed hotfix details of remote computers using powershell
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question