Migrate File server from domain A to Domain B

Posted on 2015-01-27
Last Modified: 2015-02-02
Our company just acquired another company.  We are in the process of connecting the sites together and creating a trust relationship (bi-directional).

Domain A Primary domain (Windows 2012) Forest and Domain functionality 2003
Domain B acquired company (Windows 2003) Forest and Domain functionality 2003

The goal is to migrate all servers from Domain B into Domain A and get rid of Domain B.  I have created a new user in Domain A for every user in Domain B.  We do not want to migrate the users as is.  The naming convention is different.

My question is more related to the file server.  Once the trust is in place, we are going to replicate the data from the Domain B file server to the Domain A file server using Robocopy.  I know Robocopy well and how to use it.  Once the data is replicated, I would like to create permissions for the Domain A users based on the equivalent users of Domain B using a mapping file.  What is the best way to do this?

Thank you,
Question by:pharmascience
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40573228
You are going about this the hard way.  What you should do is use ADMT (Active Directory Migration Tool) and migrate users from the source domain (newly acquired company) to the target domain (your existing AD).  As this will allow migration of SIDs, you can then use Robocopy and it will allow copying the permissions (users in both domains will have the same SID and permissions).  This will facilitate your move.

Author Comment

ID: 40573390
If using ADMT, will the users moved from the source to the target domain keep the same name?
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40573409
ADMT is usually used in situations like this where you want to transfer resources/users and other Active Directory objects from one domain to another. However, since you have already created new domain accounts for everyone in Domain B, why copy the data using robocopy?

Personally, you have to re-apply all of the permissions etc., so why not just remove the file server from Domain B and add it to Domain A. Create the shares and add the appropriate permissions etc.

Don't copy all of the data over; it will take too long.



Author Comment

ID: 40573417
I will just use robocopy for the final replication.  Both servers are VMs running under VMware.  I will just copy the .vmdk from the source and attach it to the file server on the target side.  Then use robocopy to replicate the changes.  The file server is about 1TB in size and there are a lot of folders with different permissions.  I want this to be as transparent as possible and I don't feel like going into every folder/subfolder and recreating the permissions.
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40573428
You could also use File Server Migration Wizard as well to accomplish this.
File Server Migration Wizard (download)


Author Comment

ID: 40573461
I was thinking about using something similar to this:

    The task in this example is to create a new ACE with the SID of Domain2\User2 for each ACE on every file on the C: drive that has an SID from Domain1\User1. Use a mapping file:
        Create a mapping file containing only the line USER1=USER2 and save this file as Mapfile.txt.
        Type the following at the command line:
        subinacl /subdirectory C:\*.* /changedomain=domain1=domain2=mapfile.txt
        Press ENTER.

As the trust is not in place, I cannot test this yet.  But will this work?  As for the mapping file, I assume I will need a line for each user?
user1 domain 1 = user1 domain 2
user2 domain 1 = user1 domain 2

What about the security group?  Will this command replicate the NTFS permission for the group too?

Author Comment

ID: 40573463
I mean this.

user1 domain 1 = user1 domain 2
user2 domain 1 = user2 domain 2
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 250 total points
ID: 40573464
All permissions will be transferred.


Author Comment

ID: 40573470
Do I need to include the group in the mapping file?
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40573500
Yes that is correct. This is so that the permissions can be mapped to the directories/shares.

LVL 37

Accepted Solution

Mahesh earned 250 total points
ID: 40575835
The correct format of the map file would be:
domain admins=domain admins
domain users=domain users

Also, the correct syntax:
Subinacl /noverbose /subdirectories <folder Path> /changedomain=sourcedomain=targetdomain=C:\mapfile.txt

Replace sourcedomain and targetdomain with the NetBIOS names of the respective domains.
Also, I would suggest taking the shared folder's local path instead of the entire drive; that is not required, as your major concern is shared folders only, I believe.

For example:
The below command will replace permissions on the D:\Userdata folder root only:
Subinacl /noverbose /Subdirectories D:\Userdata /changedomain=sourcedomain=targetdomain=C:\mapfile.txt
If the folder name contains spaces, put the folder in double quotes.

The below command will replace permissions on the D:\Userdata folder and all subfolders and files:
Subinacl /noverbose /Subdirectories D:\Userdata\* /changedomain=sourcedomain=targetdomain=C:\mapfile.txt
If the folder name contains spaces, put the folder in double quotes, for example:
Subinacl /noverbose /Subdirectories "D:\User data\*" /changedomain=sourcedomain=targetdomain=C:\mapfile.txt

If you face any permissions issues, first take ownership of the entire folder and grant the administrators group full control with the commands below:
Subinacl /noverbose /subdirectories D:\userdata /setowner=administrators
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data" /setowner=administrators
The above command will take ownership of the root folder.
Subinacl /noverbose /subdirectories D:\userdata\* /setowner=administrators
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data\*" /setowner=administrators
The above command will take ownership of all subfolders.

Then grant the administrators group full control permissions on the root folder:
Subinacl /noverbose /subdirectories D:\userdata /grant=administrators=F
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data" /grant=administrators=F
Grant the administrators group full control permissions on all subfolders and files:
Subinacl /noverbose /subdirectories D:\userdata\* /grant=administrators=F
If it contains spaces:
Subinacl /noverbose /subdirectories "D:\user data\*" /grant=administrators=F

You can run Subinacl /help /Subdirectories and Subinacl /help /ChangeDomain for more information.
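
A check to run after the Subinacl commands above and before Domain B is retired, as an added example that is not part of the original answer: it lists owners and explicit ACEs under a folder that still name the source domain or appear as unresolved SIDs. `Get-SourceDomainAce` is a hypothetical helper name and `SOURCEDOMAIN` is a placeholder for the old domain's NetBIOS name.

```powershell
# Added example: report ACL entries that still point at the old domain.
function Get-SourceDomainAce {          # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$SourceDomain   # NetBIOS name of the old domain
    )
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on $($item.FullName)"; continue }

        # The owner is not an ACE, so it is checked alongside the ACEs.
        $entries = @([pscustomobject]@{ Id = [string]$acl.Owner; Rights = 'Owner' })
        foreach ($ace in $acl.Access) {
            # Inherited entries are fixed at the folder that defines them.
            if (-not $ace.IsInherited) {
                $entries += [pscustomobject]@{
                    Id     = $ace.IdentityReference.Value
                    Rights = "$($ace.AccessControlType) $($ace.FileSystemRights)"
                }
            }
        }
        foreach ($e in $entries) {
            $kind = $null
            if ($e.Id -like "$SourceDomain\*")  { $kind = 'SourceDomain' }
            elseif ($e.Id -match '^S-1-5-21-')  { $kind = 'UnresolvedSid' }
            if ($kind) {
                [pscustomobject]@{ Path = $item.FullName; Identity = $e.Id
                                   Rights = $e.Rights; Kind = $kind }
            }
        }
    }
}

# D:\Userdata is the folder used in the answer above; SOURCEDOMAIN is a placeholder.
$left = @(Get-SourceDomainAce -Path 'D:\Userdata' -SourceDomain 'SOURCEDOMAIN')
$left | Group-Object Identity | Sort-Object Count -Descending | Format-Table Count, Name
"{0} entries still reference the source domain or an unresolved SID" -f $left.Count
```

While the trust is up, leftover entries resolve to `SOURCEDOMAIN\name`; once the old domain is unreachable the same entries show as raw `S-1-5-21-...` SIDs, which is why both patterns are reported.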
LVL 37

Expert Comment

ID: 40576041
Another way to do this migration is the SetACL command line tool v3.0.

Download the tool from the below location.

Add your source domain and target domain users and groups in a CSV file as below:
Contoso\domain admins,trey\domain admins
Contoso\domain users,trey\domain users

Then run the command:
SetAcl -on <folder path> -ot file -actn trustee -trst csv:C:\mapping.csv;ta:repltrst -rec cont_obj

Replace the folder path with yours.
The command will replace source users and groups with target users on the root folder and all subfolders and files.
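
A pre-flight check for the mapping file, as an added example that is not part of the original thread: it rejects malformed lines, duplicate sources and many-to-one targets (the slip the asker corrected earlier, which would give one target account both source accounts' access), then emits the pairs in the Subinacl map format from the accepted solution and the SetACL CSV format above. `Test-AccountMap`, the sample account names and the `SOURCEDOMAIN`/`TARGETDOMAIN` placeholders are hypothetical.

```powershell
# Constructed sample map (source name = target name). Line 3 repeats the
# slip from the thread: two source accounts pointed at one target account.
$sample = @(
    'domain admins=domain admins'
    'user1=new.user1'
    'user2=new.user1'
    'user3 = new.user3'
    'DOMAINB\user4=new.user4'
    'user5'
)

function Test-AccountMap {              # hypothetical helper name
    param([string[]]$Lines, [string]$SourceDomain, [string]$TargetDomain)
    $bySource = @{}; $byTarget = @{}    # hashtable keys are case-insensitive
    $issues = @(); $map = @(); $csv = @(); $n = 0
    foreach ($line in $Lines) {
        $n++
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $parts = @($line.Split('=') | ForEach-Object { $_.Trim() })
        if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
            $issues += "line ${n}: expected 'source=target': $line"; continue
        }
        $src, $dst = $parts
        if ($line.Contains('\')) {
            # Map format in the accepted solution uses bare names only.
            $issues += "line ${n}: remove the domain prefix: $line"; continue
        }
        if ($bySource.ContainsKey($src)) {
            $issues += "line ${n}: '$src' already mapped on line $($bySource[$src])"; continue
        }
        if ($byTarget.ContainsKey($dst)) {
            # Many-to-one: the target would receive both source accounts' access.
            $issues += "line ${n}: '$dst' is also the target of '$($byTarget[$dst])'"; continue
        }
        $bySource[$src] = $n; $byTarget[$dst] = $src
        $map += "$src=$dst"                               # Subinacl map file line
        $csv += "$SourceDomain\$src,$TargetDomain\$dst"   # SetACL CSV line
    }
    [pscustomobject]@{ MapFile = $map; SetAclCsv = $csv; Issues = $issues }
}

$r = Test-AccountMap -Lines $sample -SourceDomain 'SOURCEDOMAIN' -TargetDomain 'TARGETDOMAIN'
$r.Issues | ForEach-Object { Write-Warning $_ }
if ($r.Issues.Count -eq 0) {            # write the files only from a clean map
    $r.MapFile   | Set-Content -Path .\mapfile.txt
    $r.SetAclCsv | Set-Content -Path .\mapping.csv
}
```

With the constructed sample, lines 3, 5 and 6 are reported and no files are written; a deliberate consolidation of two groups into one has to be confirmed and added back by hand.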


Question has a verified solution.
