Migrate File server from domain A to Domain B

Posted on 2015-01-27
Medium Priority
Last Modified: 2015-02-02
Our company just acquired another company.  We are in the process of connecting the sites together and creating a trust relationship (bi-directional).

Domain A Primary domain (Windows 2012) Forest and Domain functionality 2003
Domain B acquired company (Windows 2003) Forest and Domain functionality 2003

The goal is to migrate all servers from Domain B into Domain A and get rid of Domain B.  I have created a new user in Domain A for every user in Domain B.  We do not want to migrate the users as is.  The naming convention is different.

My question is more related to the file server.  Once the trust is in place, we are going to replicate the data from the Domain B file server to the Domain A file server using Robocopy.  I know Robocopy well and how to use it.  Once the data is replicated, I would like to create permissions for the Domain A users based on the equivalent user in Domain B using a mapping file.  What is the best way to do this?

Thank you,
Question by:pharmascience
Expert Comment

by:Mohammed Khawaja
ID: 40573228
You are going about this the hard way.  What you should do is use ADMT (Active Directory Migration Tool) and migrate users from the source domain (newly acquired company) to the target domain (your existing AD).  As this will allow migration of SIDs, you can then use Robocopy and it will copy the permissions (users in both domains will have the same SID and permissions).  This will facilitate your move.

Author Comment

ID: 40573390
If using ADMT, will the user moved from the source to the target domain keep the same name?
Expert Comment

by:Will Szymkowski
ID: 40573409
ADMT is usually used in situations like this where you want to transfer resources/users and other Active Directory objects from one domain to another. However, since you have already created new domain accounts for everyone in Domain B, why copy the data using Robocopy?

Personally, if you have to re-apply all of the permissions etc. anyway, why not just remove the file server from Domain B and add it to Domain A? Create the shares and add the appropriate permissions etc.

Don't copy all of the data over; it will take too long.


Author Comment

ID: 40573417
I will just use Robocopy for the final replication.  Both servers are VMs running under VMware.  I will just copy the .vmdk from the source and attach it to the file server on the target side.  Then use Robocopy to replicate the changes.  The file server is about 1TB in size and there are a lot of folders with different permissions.  I want this to be as transparent as possible and I don't feel like going into every folder/subfolder and recreating the permissions.
Expert Comment

by:Will Szymkowski
ID: 40573428
You could also use the File Server Migration Wizard to accomplish this.


Author Comment

ID: 40573461
I was thinking about using something similar to this:

    The task in this example is to create a new ACE with the SID of Domain2\User2 for each ACE on every file on the C: drive that has an SID from Domain1\User1. Use a mapping file:
        Create a mapping file containing only the line USER1=USER2 and save this file as Mapfile.txt.
        Type the following at the command line:
        subinacl /subdirectory C:\*.* /changedomain=domain1=domain2=mapfile.txt
        Press ENTER.

As the trust is not in place, I cannot test this yet.  But will this work?  As for the mapping file, I assume I will need a line for each user?
user1 domain 1 = user1 domain 2
user2 domain 1 = user1 domain 2

What about the security group?  Will this command replicate the NTFS permission for the group too?

Author Comment

ID: 40573463
I mean this.

user1 domain 1 = user1 domain 2
user2 domain 1 = user2 domain 2
Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 1000 total points
ID: 40573464
All permissions will be transferred.


Author Comment

ID: 40573470
Do I need to include the group in the mapping file?
Expert Comment

by:Will Szymkowski
ID: 40573500
Yes that is correct. This is so that the permissions can be mapped to the directories/shares.

Accepted Solution

Mahesh earned 1000 total points
ID: 40575835
The correct format of map file would be:
domain admins=domain admins
domain users=domain users


Also, the correct syntax:
Subinacl /noverbose /subdirectories <folder Path> /changedomain=sourcedomain=targetdomain=C:\mapfile.txt

Replace sourcedomain and targetdomain with the NetBIOS names of the respective domains.
Also, I would suggest using the shared folder's local path instead of the entire drive; it's not required, as your major concern is the shared folders only, I believe.

For Ex:
The below command will replace permissions on D:\Userdata folder root only 
Subinacl /noverbose /Subdirectories D:\Userdata /changedomain=sourcedomain=targetdomain=C:\mapfile.txt
If the folder name contains spaces, put the folder in double quotes.

The below command will replace permissions on D:\Userdata folder and all subfolders and files
Subinacl /noverbose /Subdirectories D:\Userdata\ /changedomain=sourcedomain=targetdomain=C:\mapfile.txt
If the folder name contains spaces, put the folder in double quotes, for example:
Subinacl /noverbose /Subdirectories "D:\User data\*" /changedomain=sourcedomain=targetdomain=C:\mapfile.txt


If you face any permissions issue, first take ownership of the entire folder and grant the administrators group full control with the commands below.
Subinacl /noverbose /subdirectories D:\user data /setowner=administrators
If it contains a space:
Subinacl /noverbose /subdirectories "D:\user data" /setowner=administrators
The above command will take ownership of the root folder.
Subinacl /noverbose /subdirectories D:\userdata\ /setowner=administrators
If it contains a space:
Subinacl /noverbose /subdirectories "D:\user data\*" /setowner=administrators
The above command will take ownership of all subfolders.

Then grant the administrators group full control permissions on the root folder:
Subinacl /noverbose /subdirectories D:\userdata /grant=administrators=F
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data" /grant=administrators=F
Grant the administrators group full control permissions on all subfolders and files:
Subinacl /noverbose /subdirectories D:\userdata\ /grant=administrators=F
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data\*" /grant=administrators=F


You can run Subinacl /help /Subdirectories and Subinacl /help /ChangeDomain for more information.
Expert Comment

ID: 40576041
Another way to do this migration is the SetACL command line tool v3.0.

Download the tool from the location below.

Add your source domain and target domain users and groups to a CSV file as below:
Contoso\domain admins,trey\domain admins
Contoso\domain users,trey\domain users


Then run command:
SetAcl -on <folder path> -ot file -actn trustee -trst csv:C:\mapping.csv;ta:repltrst -rec cont_obj

Replace the folder path with yours.
The command will replace source users and groups with target users on the root folder and all subfolders and files.
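The two answers above depend on the same thing: every source-domain user and group that actually appears in an ACL on the share must have a row in the mapping file, in the name=name form that subinacl /changedomain reads or the old,new form that SetACL -trst csv: reads, or that trustee is silently left pointing at the old domain. The PowerShell below is an added example written for this page, not code from the thread or from either tool; it builds both mapping files from one master table so the two cannot drift apart, lists source-domain trustees found on disk that the table does not cover, and after the run reports anything still bound to the old domain or left as an orphaned SID. The domain names DOMB and DOMA, the share path D:\Userdata and the account rows are constructed assumptions.

```powershell
# Added example (not part of the thread). Generates the subinacl and SetACL mapping
# files from one master table and audits a share's ACLs before and after /changedomain.
# DOMB, DOMA, D:\Userdata and the account rows below are constructed assumptions.

$SourceDomain = 'DOMB'        # NetBIOS name of the acquired company's domain
$TargetDomain = 'DOMA'        # NetBIOS name of the surviving domain
$ShareRoot    = 'D:\Userdata' # local path of the shared folder on the file server

# Master table: source account -> account created in the target domain. Groups and
# users both belong here; both tools map by name, so any trustee without a row is
# left untouched. Constructed sample data.
$Mapping = @(
    [pscustomobject]@{ Source = 'jsmith';       Target = 'smithj' }
    [pscustomobject]@{ Source = 'mdoe';         Target = 'doem' }
    [pscustomobject]@{ Source = 'Finance-RW';   Target = 'GRP-Finance-Modify' }
    [pscustomobject]@{ Source = 'Domain Users'; Target = 'Domain Users' }
)

function Get-AclTrustees {
    # Distinct owners and explicit (non-inherited) ACE identities under $Path,
    # including the root folder itself.
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    $found = foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName } catch { continue }
        $acl.Owner
        foreach ($ace in $acl.Access) {
            if (-not $ace.IsInherited) { $ace.IdentityReference.Value }
        }
    }
    $found | Where-Object { $_ } | Sort-Object -Unique
}

function Write-MappingFiles {
    # Same table, two formats: "old=new" per line for subinacl /changedomain,
    # "DOMAIN\old,DOMAIN\new" per line for SetACL -trst csv:.
    param([string]$SubinaclPath = 'C:\mapfile.txt', [string]$SetAclPath = 'C:\mapping.csv')
    $Mapping | ForEach-Object { "$($_.Source)=$($_.Target)" } |
        Set-Content -LiteralPath $SubinaclPath -Encoding Ascii
    $Mapping | ForEach-Object { "$SourceDomain\$($_.Source),$TargetDomain\$($_.Target)" } |
        Set-Content -LiteralPath $SetAclPath -Encoding Ascii
}

function Test-MappingCoverage {
    # Before the run: source-domain trustees present on disk with no row in the table.
    $mapped = $Mapping.Source
    Get-AclTrustees -Path $ShareRoot |
        Where-Object { $_ -like "$SourceDomain\*" } |
        ForEach-Object { $_.Split('\')[1] } |
        Where-Object { $mapped -notcontains $_ }
}

function Test-PostMigration {
    # After the run: trustees still in the old domain, or orphaned SIDs (an identity
    # that no longer resolves is returned as a raw S-1-5-21-... string).
    Get-AclTrustees -Path $ShareRoot |
        Where-Object { $_ -like "$SourceDomain\*" -or $_ -match '^S-1-5-21-' }
}

# Usage, run on the target file server once the trust is up:
#   Test-MappingCoverage        # extend $Mapping until this returns nothing
#   Write-MappingFiles
#   subinacl /noverbose /subdirectories "$ShareRoot\*" "/changedomain=$SourceDomain=$TargetDomain=C:\mapfile.txt"
#   Test-PostMigration          # should return nothing; anything listed was missed
```

Run the coverage check against the data copied over by Robocopy, not the live source, so the audit sees exactly the ACLs that subinacl or SetACL will rewrite; the trust is needed for the name lookups in both tools, but the audit itself only needs to read the local ACLs.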
