Backing up and restoring just ACL

How is the SAN configured? Are you mounting iSCSI volumes or is the SAN itself serving up file shares?

If you have a NTFS formatted volume, the permissions won't just vanish if you rebuild the server mounting the volume. However the accounts themselves & their associated SID's may vanish. Do you have a domain controller providing centralized user accounts? If not when you rebuild the server, all the user accounts & SID's will be deleted. Even if you re-create a new account with the same exact name after you rebuild the server, it will have a different SID and it won't matter if you backed up the ACL's or not, the SID the ACL is based on will be gone forever.

The host server is using iSCSI to mount the volumes from the SAN.  I have a Windows 2008 R2 domain with 3 controllers (the host is not a DC)

If the file system will stay intact & the user accounts will be staying intact via the DC's you should have no problems. I've never seen ACL's disappear on a NTFS filesystem. Unless Dell does something VERY non-standard and unusual your iSCSI LUN should not be tampered with in any way.

Even if your user accounts disappeared, the ACL's would still be there, they would just have a 20ish digit alpha-numeric number instead of the username & no really be useful anymore.

The other answer is don't you perform regular backups of the SAN anyway? A SAN is usually pretty robust, but not immune to crashing & loosing data (users deleting files doesn't even need the SAN to have problems). I'd perform a full backup with your existing backup software prior to the maintenance so you can restore files & ACL's in the unlikely event of a problem. If you don't have an existing backup system, I would get one ASAP.

I use a Baracuda backup appliance.  Backups every night with off site so I'm good there.

I asked my Dell SAN tech rep "When I disconnect my host server from the MD3000i, will the folders/files on the unit retain their ACL’s?"

His response...."No I do not believe so, the permissions will be stripped.  There are some applications that can attempt to preserve the ACL like robocopy.  If you do a search for something like “backup ACL” you may be able to save a copy of your ACL, but by default it will not preserve it. "

> You export the lanmanserver section of the registry under services. It contains all of the shares and share permissions, so you can restore that section of the registry and get all of your shares back without recreating them manually.

HI Kevinhsieh, just to be doubly sure that the situation is understood to avoid any loss. As far as i can tell the 'OP'  has a non domain connected device. Even by doing as you suggest to maintain the ACL's he will be rebuilding the server and thus the users will be re-created with new iD's - the maintained ACL's in that cause will be useless no ?

If its a domain connected system its a lot easier as the ID is stored in AD and you can migrate the ACL's but from what i understand at least the system is isolated ?

@ejcrist - can you confirm if your server is in a domain or not ?

The host server is a member of the domain, yes.

NTFS

Thanks, folks....great info as usual!!

So to summarise what should work ok.

1) backup the shares and permissions on those as @kevinhsieh suggested.
2) seperate the filesystem from the host (consider a full system backup at this point).
3) rebuild the host box and re-attach it to the domain
4) re-attach the file system
5) import the SHARE and share ACL configuration.
6) also consider migrating your users to DFS as @kevinhsieh also suggested.