Migrate File server from domain A to Domain B

Our company just acquired another company.  We are in the process of connecting the sites together and creating a trust relationship (bi-directional).

Domain A Primary domain (Windows 2012) Forest and Domain functionality 2003
Domain B acquired company (Windows 2003) Forest and Domain functionality 2003

The goal is to migrate all servers from Domain B into Domain A and get rid of Domain B.  I have created a new user in Domain A for every user in Domain B.  We do not want to migrate the users as is.  The naming convention is different.

My question is more related to the file server.  Once the trust is in place, we are going to replicate the data from the Domain B file server to the Domain A file server using Robocopy.  I know Robocopy well and how to use it.  Once the data is replicated, I would like to create permissions for the Domain A users based on the equivalent users of Domain B using a mapping file.  What is the best way to do this?

Thank you,

Mohammed Khawaja (Manager - Infrastructure: Information Technology) Commented:
You are going about this the hard way.  What you should do is use ADMT (Active Directory Migration Tool) and migrate users from the source domain (newly acquired company) to the target domain (your existing AD).  As this will allow migration of SIDs, you can then use Robocopy and it will copy the permissions (users in both domains will have the same SID and permissions).  This will facilitate your move.
pharmascience (Author) Commented:
If using ADMT, will the user moved from the source to the target domain keep the same name?
Will Szymkowski (Senior Solution Architect) Commented:
ADMT is usually used in situations like this where you want to transfer resources/users and other Active Directory objects from one domain to another. However, since you have already created new domain accounts for everyone in Domain B, why copy the data using Robocopy?

Personally, since you have to re-apply all of the permissions etc., why not just remove the file server from Domain B and add it to Domain A? Create the shares and add the appropriate permissions etc.

Don't copy all of the data over; it will take too long.


pharmascience (Author) Commented:
I will just use Robocopy for the final replication.  Both servers are VMs running under VMware.  I will just copy the .vmdk from the source and attach it to the file server on the target side.  Then use Robocopy to replicate the changes.  The file server is about 1TB in size and there are a lot of folders with different permissions.  I want this to be as transparent as possible and I don't feel like going into every folder/subfolder and recreating the permissions.
Will Szymkowski (Senior Solution Architect) Commented:
You could also use File Server Migration Wizard as well to accomplish this.
File Server Migration Wizard (download)

pharmascience (Author) Commented:
I was thinking about using something similar to this:

    The task in this example is to create a new ACE with the SID of Domain2\User2 for each ACE on every file on the C: drive that has an SID from Domain1\User1. Use a mapping file:
        Create a mapping file containing only the line USER1=USER2 and save this file as Mapfile.txt.
        Type the following at the command line:
        subinacl /subdirectory C:\*.* /changedomain=domain1=domain2=mapfile.txt
        Press ENTER.

As the trust is not in place, I cannot test this yet.  But will this work?  As for the mapping file, I assume I will need a line for each user?
user1 domain 1 = user1 domain 2
user2 domain 1 = user1 domain 2

What about the security group?  Will this command replicate the NTFS permission for the group too?
pharmascience (Author) Commented:
I mean this.

user1 domain 1 = user1 domain 2
user2 domain 1 = user2 domain 2
Will Szymkowski (Senior Solution Architect) Commented:
All permissions will be transferred.

pharmascience (Author) Commented:
Do I need to include the group in the mapping file?
Will Szymkowski (Senior Solution Architect) Commented:
Yes that is correct. This is so that the permissions can be mapped to the directories/shares.

The correct format of map file would be:
domain admins=domain admins
domain users=domain users


Also correct syntax:
Subinacl /noverbose /subdirectories <folder Path> /changedomain=sourcedomain=targetdomain=C:\mapfile.txt

Replace sourcedomain and targetdomain with the NetBIOS names of the respective domains.
Also, I would suggest using the shared folder's local path instead of the entire drive; it's not required, as I believe your major concern is the shared folders only.

For example:
The command below will replace permissions on the D:\Userdata folder root only
Subinacl /noverbose /Subdirectories D:\Userdata /changedomain=sourcedomain=targetdomain=C:\mapfile.txt
If the folder name contains spaces, put the folder in double quotes

The command below will replace permissions on the D:\Userdata folder and all subfolders and files
Subinacl /noverbose /Subdirectories D:\Userdata\ /changedomain=sourcedomain=targetdomain=C:\mapfile.txt
If the folder name contains spaces, put the folder in double quotes, for example:
Subinacl /noverbose /Subdirectories "D:\User data\*" /changedomain=sourcedomain=targetdomain=C:\mapfile.txt


If you face any permissions issue, first take ownership of the entire folder and grant the administrators group full control with the commands below
Subinacl /noverbose /subdirectories D:\userdata /setowner=administrators
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data" /setowner=administrators
The above command will take ownership of the root folder
Subinacl /noverbose /subdirectories D:\userdata\ /setowner=administrators
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data\*" /setowner=administrators
The above command will take ownership of all subfolders

Then grant the administrators group full control permissions on the root folder
Subinacl /noverbose /subdirectories D:\userdata /grant=administrators=F
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data" /grant=administrators=F
Grant the administrators group full control permissions on all subfolders and files
Subinacl /noverbose /subdirectories D:\userdata\ /grant=administrators=F
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data\*" /grant=administrators=F


You can run Subinacl /help /Subdirectories
Subinacl /help /ChangeDomain for more information
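
A pre-flight check for the map file described above, as an added example that is not part of the original answers: it flags malformed lines, two source names mapped onto one target (as in the user2=user1 slip earlier in the thread), targets that do not resolve in the target domain, and source-domain trustees on the folder tree that have no map entry. The default paths and the SOURCEDOMAIN/TARGETDOMAIN names are placeholders, and the script only reads ACLs.

```powershell
# Added example: read-only pre-flight check of a subinacl /changedomain map file.
# Assumed values, not from the thread: the paths and both NetBIOS names below.
param(
    [string]$MapFile      = 'C:\mapfile.txt',
    [string]$Root         = 'D:\Userdata',
    [string]$SourceDomain = 'SOURCEDOMAIN',
    [string]$TargetDomain = 'TARGETDOMAIN'
)
$map = @{}; $seen = @{}; $problems = @()   # hashtable keys are case-insensitive

# 1. Parse "source=target" lines and reject malformed or repeated sources.
foreach ($line in Get-Content -LiteralPath $MapFile) {
    if (-not $line.Trim()) { continue }
    $parts = $line.Split('=')
    if ($parts.Count -ne 2 -or -not $parts[0].Trim() -or -not $parts[1].Trim()) {
        $problems += "Malformed line: '$line'"; continue
    }
    $src = $parts[0].Trim(); $dst = $parts[1].Trim()
    if ($map.ContainsKey($src)) { $problems += "Source listed twice: $src" }
    $map[$src] = $dst
}

# 2. Two sources mapped to one target merge their access onto a single account.
foreach ($g in ($map.GetEnumerator() | Group-Object Value | Where-Object { $_.Count -gt 1 })) {
    $names = ($g.Group | ForEach-Object { $_.Key }) -join ', '
    $problems += "Review: '$($g.Name)' would receive the permissions of $names"
}

# 3. Every target must resolve to a SID in the target domain.
foreach ($dst in ($map.Values | Sort-Object -Unique)) {
    try {
        $acct = New-Object System.Security.Principal.NTAccount($TargetDomain, $dst)
        $null = $acct.Translate([System.Security.Principal.SecurityIdentifier])
    } catch { $problems += "Target does not resolve: ${TargetDomain}\$dst" }
}

# 4. Explicit ACEs held by source-domain trustees that the map file misses.
#    Names only resolve once the trust is in place; bare SIDs are not matched.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.IsInherited -or $id -notlike "${SourceDomain}\*") { continue }
        $name = $id.Split('\')[1]
        if ($map.ContainsKey($name) -or $seen.ContainsKey($name)) { continue }
        $seen[$name] = $true; $problems += "No map entry for trustee: $id"
    }
}
if ($problems) { $problems; exit 1 } else { "Map file covers all ACEs under $Root" }
```

A many-to-one mapping can be intentional for groups, so the "Review" lines are prompts to confirm rather than hard errors.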

Another way to do this migration is the SetAcl command-line tool v3.0

Download the tool from the location below

Add your source domain and target domain users and groups to a CSV file as below
Contoso\domain admins,trey\domain admins
Contoso\domain users,trey\domain users


Then run command:
SetAcl -on <folder path> -ot file -actn trustee -trst csv:C:\mapping.csv;ta:repltrst -rec cont_obj

Replace the folder path with yours.
The command will replace source users and groups with target users on the root folder and all subfolders and files

