Solved

Migrate File server from domain A to Domain B

Posted on 2015-01-27
Last Modified: 2015-02-02
Our company just acquired another company.  We are in the process of connecting the sites together and creating a trust relationship (bi-directional).

Domain A Primary domain (Windows 2012) Forest and Domain functionality 2003
Domain B acquired company (Windows 2003) Forest and Domain functionality 2003

The goal is to migrate all servers from Domain B into Domain A and get rid of Domain B.  I have created a new user in Domain A for every user in Domain B.  We do not want to migrate the users as is.  The naming convention is different.

My question is more related to the file server.  Once the trust is in place, we are going to replicate the data from the Domain B file server to the Domain A file server using Robocopy.  I know Robocopy well and how to use it.  Once the data is replicated, I would like to create permissions for the Domain A users based on the equivalent users of Domain B using a mapping file.  What is the best way to do this?


Thank you,
Question by:pharmascience
12 Comments
 
LVL 24

Expert Comment

by:Mohammed Khawaja
ID: 40573228
You are going about this the hard way.  What you should do is use ADMT (Active Directory Migration Tools) and migrate users from the source domain (newly acquired company) to the target domain (your existing AD).  As this will allow migration of SIDs, you can then use Robocopy and it will allow copying the permissions (users in both domains will have the same SID and permissions).  This will facilitate your move.
0
 

Author Comment

by:pharmascience
ID: 40573390
If using ADMT, will the users moved from the source to the target domain keep the same name?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40573409
ADMT is usually used in situations like this where you want to transfer resources/users and other Active Directory objects from one domain to another. However, since you have already created new domain accounts for everyone in Domain B, why copy the data using robocopy?

Personally, you have to re-apply all of the permissions etc., so why not just remove the file server from Domain B and add it to Domain A? Create the shares and add the appropriate permissions etc.

Don't copy all of the data over; it will take too long.

Will.
0
 

Author Comment

by:pharmascience
ID: 40573417
I will just use robocopy for the final replication.  Both servers are VMs running under VMware.  I will just copy the .vmdk from the source and attach it to the file server on the target side.  Then use robocopy to replicate the changes.  The file server is about 1TB in size and there are a lot of folders with different permissions.  I want this to be as transparent as possible and I don't feel like going into every folder/subfolder and recreating the permissions.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40573428
You could also use File Server Migration Wizard as well to accomplish this.
File Server Migration Wizard (download)

Will.
0
 

Author Comment

by:pharmascience
ID: 40573461
I was thinking about using something similar to this:


    The task in this example is to create a new ACE with the SID of Domain2\User2 for each ACE on every file on the C: drive that has an SID from Domain1\User1. Use a mapping file:
        Create a mapping file containing only the line USER1=USER2 and save this file as Mapfile.txt.
        Type the following at the command line:
        subinacl /subdirectory C:\*.* /changedomain=domain1=domain2=mapfile.txt
        Press ENTER.


As the trust is not in place, I cannot test this yet.  But will this work?  As for the mapping file, I assume I will need a line for each user?
user1 domain 1 = user1 domain 2
user2 domain 1 = user1 domain 2
...

What about the security group?  Will this command replicate the NTFS permission for the group too?
0
 

Author Comment

by:pharmascience
ID: 40573463
I mean this.

user1 domain 1 = user1 domain 2
user2 domain 1 = user2 domain 2
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 250 total points
ID: 40573464
All permissions will be transferred.

Will.
0
 

Author Comment

by:pharmascience
ID: 40573470
Do I need to include the group in the mapping file?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40573500
Yes that is correct. This is so that the permissions can be mapped to the directories/shares.

Will.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 250 total points
ID: 40575835
The correct format of map file would be:
sourceuser1=targetuser1
sourceuser2=targetuser2
domain admins=domain admins
domain users=domain users


Also correct syntax:
Subinacl /noverbose /subdirectories <folder Path> /changedomain=sourcedomain=targetdomain=C:\mapfile.txt

Replace sourcedomain and targetdomain with the NetBIOS names of the respective domains.
Also, I would suggest taking the shared folder's local path instead of the entire drive; it's not required, since your major concern is shared folders only, I believe.

For Ex:
The below command will replace permissions on D:\Userdata folder root only
Subinacl /noverbose /Subdirectories D:\Userdata /changedomain=sourcedomain=targetdomain=C:\mapfile.txt
If the folder name contains spaces, put the folder in double quotes

The below command will replace permissions on D:\Userdata folder and all subfolders and files
Subinacl /noverbose /Subdirectories D:\Userdata\* /changedomain=sourcedomain=targetdomain=C:\mapfile.txt
If the folder name contains spaces, put the folder in double quotes, for ex:
Subinacl /noverbose /Subdirectories "D:\User data\*" /changedomain=sourcedomain=targetdomain=C:\mapfile.txt


If you face any permissions issue, first take entire folder ownership and add administrators group full control with the below commands
Subinacl /noverbose /subdirectories D:\userdata /setowner=administrators
If it contains a space:
Subinacl /noverbose /subdirectories "D:\user data" /setowner=administrators
Above command will take ownership of root folder
AND
Subinacl /noverbose /subdirectories D:\userdata\* /setowner=administrators
If it contains a space:
Subinacl /noverbose /subdirectories "D:\user data\*" /setowner=administrators
Above command will take ownership of all sub folders

Then grant administrators group full control permissions on root folder
Subinacl /noverbose /subdirectories D:\userdata /grant=administrators=F
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data" /grant=administrators=F
AND
Grant administrators group full control permissions on all sub folders and files
Subinacl /noverbose /subdirectories D:\userdata\* /grant=administrators=F
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data\*" /grant=administrators=F


You can run Subinacl /help /Subdirectories
AND
Subinacl /help /ChangeDomain for more information
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40576041
Another way to do this migration is the SetAcl command line tool v 3.0

Download the tool from the below location
https://helgeklein.com/download/

Add your source domain and target domain users and groups in a csv file as below
Contoso\domain admins,trey\domain admins
Contoso\user1,trey\user1
Contoso\domain users,trey\domain users


Then run command:
SetAcl -on <folder path> -ot file -actn trustee -trst csv:C:\mapping.csv;ta:repltrst -rec cont_obj

Replace folder path with yours.
The command will replace source users and groups with target users on the root folder and all sub folders and files.


https://helgeklein.com/blog/2012/07/howto-reacling-a-file-server-in-a-domain-migration-with-setacl-3-0/
0
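
A pre-flight check for the map file described in the two answers above, as an added example that is not part of any poster's answer: it flags malformed, duplicate and many-to-one lines (a wrong line in the map file hands one user's access to another account), lists source-domain trustees on explicit ACEs that the map file does not cover, and writes the pairs in the CSV form shown for SetACL. The script, its parameter names and their default values are assumptions; it reads ACLs and changes none.

```powershell
# Added example: pre-flight check of a SubInACL /changedomain map file.
# Defaults are placeholders (assumptions), not values from the thread.
param(
    [string]$Root         = 'D:\Userdata',
    [string]$MapFile      = 'C:\mapfile.txt',
    [string]$SourceDomain = 'SOURCEDOMAIN',   # NetBIOS names
    [string]$TargetDomain = 'TARGETDOMAIN',
    [string]$CsvOut       = 'C:\mapping.csv'
)

# Parse "source=target" lines; @{} compares string keys case-insensitively.
$map = @{}
foreach ($line in Get-Content -LiteralPath $MapFile) {
    if (-not $line.Trim()) { continue }
    $src, $dst = $line -split '=', 2 | ForEach-Object { $_.Trim() }
    if (-not $src -or -not $dst) { Write-Warning "Malformed line: '$line'"; continue }
    if ($map.ContainsKey($src))  { Write-Warning "Duplicate source: '$src'"; continue }
    $map[$src] = $dst
}

# Two sources pointing at one target merge their access onto a single account.
$map.GetEnumerator() | Group-Object Value | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("Many-to-one: {0} -> {1}" -f ($_.Group.Key -join ', '), $_.Name)
}

# Collect trustees of explicit (non-inherited) ACEs on $Root and everything below it.
# Paths whose ACL cannot be read show up as errors and need a manual look.
$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$names = $items | ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Access } |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

# Source-domain names missing from the map file, and SIDs that did not resolve to a name.
$prefix   = "$SourceDomain\"
$unmapped = @($names | Where-Object { $_ -like "$prefix*" } |
    Where-Object { -not $map.ContainsKey($_.Substring($prefix.Length)) })
$rawSids  = @($names | Where-Object { $_ -like 'S-1-5-21-*' })
$unmapped | ForEach-Object { Write-Warning "On ACLs but not in map file: $_" }
$rawSids  | ForEach-Object { Write-Warning "Unresolved SID (check the trust or a deleted account): $_" }

# Write the same pairs in the DOMAIN\name,DOMAIN\name form used for SetACL above.
$map.GetEnumerator() | Sort-Object Key |
    ForEach-Object { "$SourceDomain\$($_.Key),$TargetDomain\$($_.Value)" } |
    Set-Content -LiteralPath $CsvOut
"{0} mappings, {1} unmapped trustees, {2} unresolved SIDs" -f $map.Count, $unmapped.Count, $rawSids.Count
```

Run it on the file server after the trust is in place, so that source-domain SIDs resolve to names, and before running either re-ACL command.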
