Solved

Transfer fie and folde permissions on iSCSI attached shared folders

Posted on 2011-03-22
20
1,488 Views
Last Modified: 2012-05-11
We are performing an upgrade of our file server hardware and OS, from Server 2003 to 2008 R2. This file server has an iSCSI connection to an Equallogic SAN, which is shared via Windows for use with roaming profiles, shared folders, etc and has NTFS permissions applied.

The new 2008 server will connect to the same iSCSI volumes with the same IP and hostname, and be used for the exact same purpose.

My question is - how do I transfer all of the file and folder permissions from the 2003 server to the new 2008 server?

Thanks!
0
Comment
Question by:LeeTech_Admin
  • 8
  • 4
  • 4
  • +2
20 Comments
 
LVL 11

Expert Comment

by:willettmeister
ID: 35193441
The permissions are stored in the filesystem not in the OS so you shoudln't need to transfer permissions.  Just mount the volume on the new server as.  

Now group access is a different beast.  Are these servers in a domain?
0
 
LVL 76

Expert Comment

by:arnold
ID: 35193544
Make sure you are using domain based permissions versus server based permissions
domain\administrator full access versus server\administrators of which domain\administrators are members when joined in AD.
You would have to go through each to check what the settings are to adjust them.
Default server\administrators etc. will be seen as newserver\administrators the only issue you may have is if you created individual local groups which will not match because of the GUID.
0
 

Author Comment

by:LeeTech_Admin
ID: 35193553
Yes these servers are on a domain and some Security Groups are being used. Is this the type of group access that you are refering to?
0
 
LVL 11

Expert Comment

by:willettmeister
ID: 35193583
Yes.  If you have any groups that local to the server as opposed domain groups they will not transfer.  One common example is the local administrators group.
0
 

Author Comment

by:LeeTech_Admin
ID: 35193599
The NTFS volume on the server is shared, with Exeryone having Full Control permissions.

Within this volume are all of the tsprofiles, mydocs, network shares, everything, all with granular share permissions.

Would Permcopy be the solution here, or will all these settings be retained on the SAN volumes?
0
 
LVL 5

Expert Comment

by:xylog
ID: 35193602
You can use robocopy to copy permissions.
0
 
LVL 76

Expert Comment

by:arnold
ID: 35193611
Yes.
Administrator, Remote Desktop User, etc. will transfer since their GUID Is common.
But if you added local group1 and added domain\group1 etc.
the local group1 will be unknown on the new server even if you created one because the GUID is "randomly" assigned.
with this in mind, local\group1 permissions will not be validated on the new server.
0
 

Author Comment

by:LeeTech_Admin
ID: 35193631
We are not using any Local Groups on the server, just Domain Security Groups and User accounts in AD.

with this being the case, are you saying that I do not need to transfer share permissions to the Server 2008 server, say with Permcopy or the FSMT?

It seems like you would need to setup these permissions in Windows again but Im not sure.
0
 

Author Comment

by:LeeTech_Admin
ID: 35193664
One problem I have here with using permcopy or robocopy is that the new server will be replacing the old, with both IP and Hostname. I have to bring one down to bring up the other, and I cannot have both connected to the SAN volume at the same time. I believe these CLI tools require a source and destination server and I dont see how I can do that.
0
 
LVL 76

Expert Comment

by:arnold
ID: 35193716
You would need to copy the current share settings since they are part of the OS, the security settings on the directories/files are stored within the filesystem and these you will not need to copy.
0
 

Author Comment

by:LeeTech_Admin
ID: 35193730
Any advice for how to accomplish this since I cannot have both the old and new servers connected to the SAN volume at the same time?
0
 
LVL 11

Expert Comment

by:willettmeister
ID: 35193762
The shares are stored in the registry you can export the registry entries for them and then import them into the new server.

Unfortunately I can't put my hands on teh exact location atm.  
0
 

Author Comment

by:LeeTech_Admin
ID: 35193872
Does this look right? Would this be all I need to do as far as permissions?


To save only the existing share names and their permissions on Windows follow these steps.

Note This procedure applies only to NetBIOS shares and not to Macintosh volumes.
On the existing Windows installation that contains the share names and permissions that you want to save, start Registry Editor (Regedt32.exe).
From the HKEY_LOCAL_MACHINE subtree, go to the following key:
SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
Save or export the registry key.
For Windows NT and Windows 2000, click Save Key on the Registry menu.
For Windows Server 2003, click Export on the File menu.
Type a new file name (a file extension is not necessary), and then save the file to a floppy disk.
Reinstall Windows.
Run Registry Editor (Regedt32.exe).
From the HKEY_LOCAL_MACHINE subtree, go to the following key:
SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
Restore or import the registry key.
For Windows NT and Windows 2000, click Restore on the Registry menu.
For Windows Server 2003, click Import on the File menu.
Type the path and file name of the file that you saved in steps 3 and 4.

Caution This step overrides the shares that already exist on the Windows computer with the share names and permissions that exist in the file you are restoring. You are warned about this before you restore the key.
Restart the server.
0
 
LVL 5

Expert Comment

by:xylog
ID: 35194407
You can use setacl or security explorer to make a backup file with file system permissions.
0
 
LVL 76

Expert Comment

by:arnold
ID: 35194720
net share will list all the shares.  There is a similar question EE's knowlegebase, but I do not recall which question it was. There is a script floating on the net as well that can copy share settings:
Presumably you've seen this
http://support.microsoft.com/kb/174273
Using support tools:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Network/RestoreorcopyShareDefinitionsToAnotherServer.html
http://msadmin.net/CInetpubmsadmin.net/archive/2007/07/09/13.aspx
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22414739.html
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35195210
The registry related steps posted by LeeTech_Admin are all you need to do. You don't need robocopy or any other tools. That, and make sure that when you mount the iSCSI volumes on the new server to use the same drive letters. Since you are keeping the same server name, this is a pretty straightforward operation. You don't need to backup or document NFTS or share settings. I have done it several times. using EqualLogic storage.

You can always take a snapshot of your volumes using the EqualLogic GUI when the servers are offline. Also, don't forget to remove the ACL on the volumes for the old server and add the new server.
0
 

Author Comment

by:LeeTech_Admin
ID: 35195691
@kevinhsieh

Thanks I pretty much have this completed. One thing though. What do you mean by "don't forget to remove the ACL on the volumes for the old server and add the new server. "

The registry import gave me my share permissions, by my mapped network drives are now giving errors "the local device name is already in use" from clients, and the server itself is being prompted to log into its won share.
0
 

Author Comment

by:LeeTech_Admin
ID: 35195698
When I try to browse to shares on this new server, I now get "You were not connected because a duplicate name exists on the network. Go to System in Control Pane; to change the computer name"
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35196060
Did you shut down the old server? You may need to give the new server a reboot.

In the EqualLogic GUI, go to the volume(s) attached to the server. Click onthe Access tab. There should only be entries for your active server and possibly your backup server for snapshots only.
0
 
LVL 11

Accepted Solution

by:
willettmeister earned 500 total points
ID: 35206136
Try disabling strict name checking in the registry of the server.  

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
> Add Value > Value name: DisableStrictNameChecking > Data type: REG_DWORD >
Radix: Decimal > Value: 1 then reboot.

0

Join & Write a Comment

Suggested Solutions

Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
Resolve DNS query failed errors for Exchange
This video teaches viewers how to encrypt an external drive that requires a password to read and edit the drive. All tasks are done in Disk Utility. Plug in the external drive you wish to encrypt: Make sure all previous data on the drive has been …
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now