Solved

Migrate IIS sites from one Hosting Provider to another Hosting Provider on different Active Directories.

Posted on 2016-11-04
12
16 Views
Last Modified: 2016-11-30
Hi all,
I have a web hosting customer that is moving from their current Hosting Provider to another Provider.  Their VMs are:
Windows 2012R2 = WEB2012, running IIS 8.5
Windows 2012R2 = SQL2012, running SQL 2012
Windows 2012R2 = DEV2012 (development server running IIS 8.5 and SQL 2012)
Windows 2012R2 = MAN2012 (management server running DNS and AD)

All servers are joined to the Domain (hosted.wobblyboot.com), running AD off the server called MAN.

The customer has had a new network built with a completely different Domain Name.  Their VMs are:
Windows 2012R2 = WEB, running IIS 8.5
Windows 2012R2 = SQL, running SQL 2016
Windows 2012R2 = DEV (development server running IIS 8.5 and SQL 2016)
Windows 2012R2 = MAN (management server running DNS and AD)

All servers are joined to the different Domain (hosting.wobblyboot.com), running AD off the server called MAN.

My question is: can MS Web Deploy work in this configuration without file permission problems, given that the SIDs don't match up?  There are almost 100 users, so I would rather not create each individual one on the new Domain unless I have to.

Do I need to set up some sort of VPN between the existing Provider and the new Provider, then join the new servers into the existing domain, transfer all the FSMO roles to the new servers and demote the existing DCs, etc.?

Thanks for your help!
Staceman
0
Question by:Stace Hema
12 Comments
 
LVL 26

Expert Comment

by:Dan McFadden
I believe Web Deploy (version 3.5 is the latest) will work for you in this situation, but not in the way one would normally use the tool inside of an AD Domain.

In your case, you could use Web Deploy on the old servers to package the existing site up (exporting the app).  You would then move this deployment package to the new server and import the package.  You would then have to remediate the app on the new servers to check for credential issues and access permissions.

There is some decent documentation on Web Deploy on exporting and importing deploy packages.

Links:

1. https://www.iis.net/learn/publish/using-web-deploy/export-a-package-through-iis-manager
2. http://www.sherweb.com/blog/how-to-migrate-all-your-sites-using-web-deploy/
3. https://blogs.msdn.microsoft.com/ericparvin/2014/09/12/migration-from-iis-6-to-iis-7-x-8-x/

Dan
0
 

Author Comment

by:Stace Hema
Thanks Dan for the feedback.  Web deploy is assuming the Source machine is on the same network as the Destination machine despite very clear documentation that you can easily package up from one location and drop into another.  This is certainly not the case for me.
0
 
LVL 26

Expert Comment

by:Dan McFadden
Web Deploy can create a ZIP package that can be moved to a destination server and then imported using Web Deploy installed on that device.

In the first article, last point:

16. The wizard will now complete the packaging process and save the package to disk. When it is complete, you will see a Summary page that gives you an overview of what actions were performed.

At this point you can FTP the package to wherever.

I've used Web Deploy in this capacity in the past.

Dan
0
 

Author Comment

by:Stace Hema
But what happens when it imports?  I mean when you say remediate, what exactly are the issues I'm likely to be faced with?
0
 
LVL 26

Expert Comment

by:Dan McFadden
When the import runs, it brings in all the IIS and application configuration that existed on the source server.  What the import does not do/know... is that the AD Domain is different.

When I say remediation, I mean that any domain specific accounts (service accounts) would need to be updated to function with the new AD Domain.

This could be domain-based service accounts for Application Pools in IIS to SQL Server credentials used for data access.

Dan
0
 

Author Comment

by:Stace Hema
Hi Dan,
Roger that.
I think we have over 120 AD accounts that are linked to a folder on the IIS server called 'HostingClients', in which each client's info is stored.  I believe this was originally set up because this customer previously had ASP running.  They do not now, so I wonder if I can just continue to use Web Deploy to export IIS and then import that to the new server, while at the same time robocopying the 'HostingClients' folder to the new server as well.

Reset permissions to the default: https://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis

Then it should work?

Staceman
0
 
LVL 26

Expert Comment

by:Dan McFadden
I see no reason to not use Web Deploy to move the sites.

One of the main things that I would look out for: are AppPools set up to use custom domain accounts?  I would investigate why they are so configured.  Also, watch out for AppPools running with old-mode identities.  Under 8.5, unless necessary, AppPools should run with the "ApplicationPoolIdentity."

If file level (NTFS) permissions are requested for an AppPool, then you can use the IIS_IUSRS group to manage access.  Custom groups also function in this case, especially where multiple sites require file access permissions.  Using a single group can be risky.

In the case of the HostClients directory... robocopy is useless in this situation because the new server will not know who/what the old SIDs are, you will wind up with 120 "Unknown Account" ACLs on the directory.

If you want to maintain the ACL (which is why you would use robocopy instead of a plain copy), you will need to do some work in PowerShell to export the account info that has access, then in the new domain, use PowerShell to create those new accounts, then use some PowerShell to recreate the NTFS permissions.

Dan
0
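An added example of the three PowerShell steps described in the comment above (audit AppPool identities, export the per-client ACEs by account name, re-apply them under the new domain). This is not code from the thread; it assumes the old domain's NetBIOS name is HOSTED, the new one is HOSTING, the client data lives under D:\HostingClients on both servers, and the new-domain accounts already exist before the import runs.

```powershell
Import-Module WebAdministration

# Step 1 (old server): list AppPools running as a specific (usually domain) account rather
# than ApplicationPoolIdentity. Each of these needs a new-domain credential after migration.
function Get-CustomIdentityAppPools {
    Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
        Select-Object Name, @{ n = 'UserName'; e = { $_.processModel.userName } }
}

# Step 2 (old server): export the explicit, non-inherited ACEs on each client folder keyed by
# account NAME. Names can be mapped to the new domain; raw SIDs cannot, which is why a
# robocopy /COPYALL of the tree shows "Unknown Account" entries on the destination.
function Export-ClientAcl {
    param([string]$Root = 'D:\HostingClients', [string]$CsvPath = 'D:\hostingclients-acl.csv')
    Get-ChildItem -Path $Root -Directory | ForEach-Object {
        $dir = $_.FullName
        (Get-Acl -Path $dir).Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
            [pscustomobject]@{
                Folder      = Split-Path $dir -Leaf
                Identity    = $_.IdentityReference.Value        # e.g. HOSTED\client042
                Rights      = $_.FileSystemRights.ToString()    # generic rights may appear numeric
                Inheritance = $_.InheritanceFlags.ToString()
                Propagation = $_.PropagationFlags.ToString()
                Type        = $_.AccessControlType.ToString()
            }
        }
    } | Export-Csv -Path $CsvPath -NoTypeInformation
}

# Step 3 (new server): rewrite the domain prefix, verify the account resolves in the new
# domain, then add the same ACE to the copied folder. Unresolvable accounts are reported
# rather than silently dropped, so nothing ends up with less (or wrong) access unnoticed.
function Import-ClientAcl {
    param([string]$CsvPath = 'D:\hostingclients-acl.csv', [string]$NewRoot = 'D:\HostingClients',
          [string]$OldDomain = 'HOSTED', [string]$NewDomain = 'HOSTING')
    Import-Csv -Path $CsvPath | ForEach-Object {
        $identity = $_.Identity -replace "^$([regex]::Escape($OldDomain))\\", "$NewDomain\"
        try {
            ([System.Security.Principal.NTAccount]$identity).Translate(
                [System.Security.Principal.SecurityIdentifier]) | Out-Null
        } catch {
            Write-Warning "Account '$identity' not found in $NewDomain; create it, then re-run."
            return   # skips only this ACE
        }
        $path = Join-Path $NewRoot $_.Folder
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, $_.Rights, $_.Inheritance, $_.Propagation, $_.Type)
        $acl = Get-Acl -Path $path
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run Export-ClientAcl while the old domain controller is still reachable, since that is where the SID-to-name lookups succeed; on the new side, run the import only after the accounts (or replacement groups) exist.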
 

Author Comment

by:Stace Hema
Ok thanks Dan.

I'll see how I go with your suggestions.

Thanks,
Staceman
0
 
LVL 26

Expert Comment

by:Dan McFadden
Any additional info on this question?

Dan
0
 

Accepted Solution

by:
Stace Hema earned 0 total points
Sorry for the delay!
So what I had to do was remove AD from the role of my new network, join my MAN2012 to the original network via VPN, promote MAN2012 to be the new PDC, then join the other new servers to the network. I had to then have the original servers to MAN2012 too. Run Web Deploy from the original IIS to the new one, robocopy data, set permissions, PowerShell search/replace on a bunch of stuff. Then migrate SQL by exporting all the old DBs to .bak and then on the new SQL2012 import the .bak files. Disjoin all the original servers from the new MAN2012 box. Dump the VPN and finish tweaking a few things.

From here we are looking good!

We have migrated a bunch of sites and, apart from Objects and Plugins etc. to install, it's all looking fine.

Just need to find a way to get my head around all of these Microsoft IIS warnings and the odd errors in the event log. I'm a Linux guy using cPanel, and that's basically easy to move sites from ISP to ISP: click Transfer and go go go.

So Dan, if I look at your method, yes you can use Web Deploy from ISP to ISP, but in my circumstances that's not the way forward because my DBs and IIS users would not come over, so it would have been a nightmare... lol

Cheers again.
Stace
0
 

Author Comment

by:Stace Hema
Really appreciate the help offered.
0
 

Author Closing Comment

by:Stace Hema
My original question outlined all of the current servers and old servers. That should re-flag the fact that the Microsoft program called Web Deploy wouldn't work in the case Dan suggested.
0
