Migrate File server from domain A to Domain B

Posted on 2015-01-27
Last Modified: 2015-02-02
Our company just acquired another company.  We are in the process of connecting the sites together and creating a trust relationship (bi-directional).

Domain A Primary domain (Windows 2012) Forest and Domain functionality 2003
Domain B acquired company (Windows 2003) Forest and Domain functionality 2003

The goal is to migrate all servers from Domain B into Domain A and get rid of Domain B.  I have created a new user in Domain A for every user in Domain B.  We do not want to migrate the users as is.  The naming convention is different.

My question is more related to the file server.  Once the trust is in place, we are going to replicate the data from the Domain B file server to the Domain A file server using Robocopy.  I know robocopy well and how to use it.  Once the data is replicated, I would like to create permissions for the Domain A users based on the equivalent user of Domain B using a mapping file.  What is the best way to do this?

Thank you,
Question by:pharmascience
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40573228
You are going about this the hard way.  What you should do is use ADMT (Active Directory Migration Tools) and migrate users from the source domain (newly acquired company) to the target domain (your existing AD).  As this will allow migration of SIDs, you can then use Robocopy and it will allow you to copy the permissions (users in both domains will have the same SID and permissions).  This will facilitate your move.

Author Comment

ID: 40573390
If using ADMT, will the user moved from the source to the target domain keep the same name?
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40573409
ADMT is usually used in situations like this where you want to transfer resources/users and other Active Directory objects from one domain to another. However, since you have already created new domain accounts for everyone in Domain B, why copy the data using robocopy?

Personally, since you have to re-apply all of the permissions etc., why not just remove the file server from Domain B and add it to Domain A? Create the shares and add the appropriate permissions etc.

Don't copy all of the data over; it will take too long.


Author Comment

ID: 40573417
I will just use robocopy for the final replication.  Both servers are VMs running under VMware.  I will just copy the .vmdk from the source and attach it to the file server on the target side.  Then use robocopy to replicate the changes.  The file server is about 1TB in size and there are a lot of folders with different permissions.  I want this to be as transparent as possible and I don't feel like going into every folder/subfolder and recreating the permissions.
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40573428
You could also use File Server Migration Wizard as well to accomplish this.
File Server Migration Wizard (download)


Author Comment

ID: 40573461
I was thinking about using something similar to this:

    The task in this example is to create a new ACE with the SID of Domain2\User2 for each ACE on every file on the C: drive that has an SID from Domain1\User1. Use a mapping file:
        Create a mapping file containing only the line USER1=USER2 and save this file as Mapfile.txt.
        Type the following at the command line:
        subinacl /subdirectory C:\*.* /changedomain=domain1=domain2=mapfile.txt
        Press ENTER.

As the trust is not in place, I cannot test this yet.  But will this work?  As for the mapping file, I assume I will need a line for each user?
user1 domain 1 = user1 domain 2
user2 domain 1 = user1 domain 2

What about the security group?  Will this command replicate the NTFS permission for the group too?

Author Comment

ID: 40573463
I mean this.

user1 domain 1 = user1 domain 2
user2 domain 1 = user2 domain 2
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 250 total points
ID: 40573464
All permissions will be transferred.


Author Comment

ID: 40573470
Do I need to include the group in the mapping file?
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40573500
Yes that is correct. This is so that the permissions can be mapped to the directories/shares.

LVL 37

Accepted Solution

Mahesh earned 250 total points
ID: 40575835
The correct format of map file would be:
domain admins=domain admins
domain users=domain users


Also correct syntax:
Subinacl /noverbose /subdirectories <folder Path> /changedomain=sourcedomain=targetdomain=C:\mapfile.txt

Replace sourcedomain and targetdomain with the NetBIOS names of the respective domains
Also, I would suggest taking the shared folder's local path instead of the entire drive; it's not required, as your major concern is shared folders only, I believe

For example:
The below command will replace permissions on the D:\Userdata folder root only
Subinacl /noverbose /Subdirectories D:\Userdata /changedomain=sourcedomain=targetdomain=C:\mapfile.txt
If the folder name contains spaces, put the folder in double quotes

The below command will replace permissions on the D:\Userdata folder and all subfolders and files
Subinacl /noverbose /Subdirectories D:\Userdata\ /changedomain=sourcedomain=targetdomain=C:\mapfile.txt
If the folder name contains spaces, put the folder in double quotes, for example:
Subinacl /noverbose /Subdirectories "D:\User data\*" /changedomain=sourcedomain=targetdomain=C:\mapfile.txt


If you face any permissions issue, first take ownership of the entire folder and add administrators group full control with the below commands
Subinacl /noverbose /subdirectories D:\userdata /setowner=administrators
If it contains a space:
Subinacl /noverbose /subdirectories "D:\user data" /setowner=administrators
The above command will take ownership of the root folder
Subinacl /noverbose /subdirectories D:\userdata\ /setowner=administrators
If it contains a space:
Subinacl /noverbose /subdirectories "D:\user data\*" /setowner=administrators
The above command will take ownership of all sub folders

Then grant the administrators group full control permissions on the root folder
Subinacl /noverbose /subdirectories D:\userdata /grant=administrators=F
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data" /grant=administrators=F
Grant the administrators group full control permissions on all sub folders and files
Subinacl /noverbose /subdirectories D:\userdata\ /grant=administrators=F
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data\*" /grant=administrators=F


You can run Subinacl /help /Subdirectories
Subinacl /help /ChangeDomain for more information
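
Added example (not part of the original thread, and not code from any poster): a read-only PowerShell pre-flight check for a map file in the name=name format shown above, to run before Subinacl /changedomain. It flags two source accounts mapped to one target (which would merge their access), target names that do not resolve to a SID, and source-domain trustees found in ACLs under the folder but missing from the map file. SOURCEDOM, TARGETDOM, D:\Userdata and C:\mapfile.txt are placeholder assumptions.

```powershell
# Pre-flight check for a subinacl /changedomain map file (added example, read-only).
# All default values below are placeholders, not values from the thread.
param(
    [string]$Root         = 'D:\Userdata',
    [string]$SourceDomain = 'SOURCEDOM',   # NetBIOS name of the domain being retired
    [string]$TargetDomain = 'TARGETDOM',   # NetBIOS name of the surviving domain
    [string]$MapFile      = 'C:\mapfile.txt'
)

# Parse "source name=target name" lines; hashtable keys are case-insensitive.
$map = @{}
foreach ($line in Get-Content -LiteralPath $MapFile) {
    if ($line -match '^\s*([^=]+?)\s*=\s*(.+?)\s*$') { $map[$Matches[1]] = $Matches[2] }
}

# 1. Many-to-one mappings put several source accounts' ACEs onto one target account.
$map.GetEnumerator() | Group-Object Value | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $sources = ($_.Group | ForEach-Object { $_.Key }) -join ', '
    Write-Warning "Many-to-one mapping: $sources -> $($_.Name)"
}

# 2. Every target name must resolve to a SID in the target domain.
foreach ($target in ($map.Values | Sort-Object -Unique)) {
    try {
        $acct = New-Object System.Security.Principal.NTAccount($TargetDomain, $target)
        $null = $acct.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Target account does not resolve: $TargetDomain\$target"
    }
}

# 3. Explicit ACEs held by source-domain trustees that the map file does not cover.
#    Requires the trust to be up so SIDs display as DOMAIN\name.
$prefix = "$SourceDomain\"
$seen = @{}
& { Get-Item -LiteralPath $Root
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue } |
    ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Access } |
    Where-Object { -not $_.IsInherited -and
        $_.IdentityReference.Value.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase) } |
    ForEach-Object { $seen[$_.IdentityReference.Value.Substring($prefix.Length)] = $true }

$seen.Keys | Where-Object { -not $map.ContainsKey($_) } | Sort-Object | ForEach-Object {
    Write-Warning "In ACLs but not in map file: $prefix$_"
}
```

The script only reads ACLs and writes warnings; it checks the DACL entries, not file ownership.
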
LVL 37

Expert Comment

ID: 40576041
Another way to do this migration is the SetAcl command line tool v 3.0

download tool from below location

add your source domain and target domain users and groups in csv file as below
Contoso\domain admins,trey\domain admins
Contoso\domain users,trey\domain users


Then run command:
SetAcl -on <folder path> -ot file -actn trustee -trst csv:C:\mapping.csv;ta:repltrst -rec cont_obj

Replace folder path with yours
the command will replace source users and groups with target users on root folder and all sub folders and files
