Migrate IIS sites from one Hosting Provider to another Hosting Provider on different Active Directories.

Posted on 2016-11-04
Last Modified: 2016-11-30
Hi all,
I have a web hosting customer that is moving from their current Hosting Provider to another Provider. Their VMs are:
Windows 2012R2 = WEB2012, running IIS 8.5
Windows 2012R2 = SQL2012, running SQL 2012
Windows 2012R2 = DEV2012 (development server running IIS 8.5 and SQL 2012)
Windows 2012R2 = MAN2012 (management server running DNS and AD)

All servers are joined to the Domain (, running AD off the server called MAN.

The customer has had a new network built with a completely different Domain Name. Their VMs are:
Windows 2012R2 = WEB, running IIS 8.5
Windows 2012R2 = SQL, running SQL 2016
Windows 2012R2 = DEV (development server running IIS 8.5 and SQL 2016)
Windows 2012R2 = MAN (management server running DNS and AD)

All servers are joined to the different Domain (, running AD off the server called MAN.

My question is: can MS Web Deploy work in this configuration without having file permissions because the SIDs don't match up? There are almost 100 users so I would rather not make each individual one on the new Domain unless I have to.

Do I need to set up some sort of VPN between the existing Provider and the new Provider, then join the new servers into the existing domain? Transfer all the FSMO roles to the new servers and demote the existing DCs etc?

Thanks for your help!
Question by:Stace Hema
LVL 28

Expert Comment

by:Dan McFadden
ID: 41873604
I believe Web Deploy (version 3.5 is the latest) will work for you in this situation, but not in the way one would normally use the tool inside of an AD Domain.

In your case, you could use Web Deploy on the old servers to package the existing site up (exporting the app).  You would then move this deployment package to the new server and import the package.  You would then have to remediate the app on the new servers to check for credential issues and access permissions.

There is some decent documentation on Web Deploy on exporting and importing deploy packages.




Author Comment

by:Stace Hema
ID: 41874291
Thanks Dan for the feedback.  Web deploy is assuming the Source machine is on the same network as the Destination machine despite very clear documentation that you can easily package up from one location and drop into another.  This is certainly not the case for me.
LVL 28

Expert Comment

by:Dan McFadden
ID: 41874313
Web Deploy can create a ZIP package that can be moved to a destination server and then imported using Web Deploy installed on that device.

In the first article, last point:

16. The wizard will now complete the packaging process and save the package to disk. When it is complete, you will see a Summary page that gives you an overview of what actions were performed.

At this point you can FTP the package to wherever.

I've used Web Deploy in this capacity in the past.


Author Comment

by:Stace Hema
ID: 41874317
But what happens when it imports?  I mean when you say remediate, what exactly are the issues I'm likely to be faced with?
LVL 28

Expert Comment

by:Dan McFadden
ID: 41876697
When the import runs, it brings in all the IIS and application configuration that existed on the source server.  What the import does not do/know... is that the AD Domain is different.

When I say remediation, I mean that any domain specific accounts (service accounts) would need to be updated to function with the new AD Domain.

This could be domain-based service accounts for Application Pools in IIS to SQL Server credentials used for data access.
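
The remediation check described in this comment, sketched as an added example (not part of the original thread): after the import, list application pools still running as an old-domain account and find `web.config` files that still reference the old domain or SQL host. `OLDDOM` and `OLDSQLHOST` are placeholders, and the function names are hypothetical.

```powershell
# Added example. Run on the NEW web server after the Web Deploy import.
# 'OLDDOM' and 'OLDSQLHOST' are placeholders for the old domain's NetBIOS
# name and the old SQL Server host name.
Import-Module WebAdministration

# App pools configured with a specific account from the old domain.
# Only the down-level form (DOMAIN\user) is matched here.
function Get-StaleAppPoolIdentity {
    param([string]$OldDomain)
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        if ($pm.identityType -eq 'SpecificUser' -and
            $pm.userName -like "$OldDomain\*") {
            [pscustomobject]@{ AppPool = $_.Name; UserName = $pm.userName }
        }
    }
}

# web.config files under each site's root that still mention the old domain
# or old SQL host (connection strings, impersonation settings).
# Only path and line number are returned so that any credentials stored in
# connection strings are not echoed to the console or to a log.
function Find-StaleConfigReference {
    param([string[]]$Patterns)
    Get-Website | ForEach-Object {
        $root = [Environment]::ExpandEnvironmentVariables($_.physicalPath)
        Get-ChildItem -Path $root -Recurse -Filter web.config -ErrorAction SilentlyContinue |
            Select-String -Pattern $Patterns -SimpleMatch |
            Select-Object Path, LineNumber
    }
}

Get-StaleAppPoolIdentity -OldDomain 'OLDDOM'
Find-StaleConfigReference -Patterns 'OLDDOM\', 'OLDSQLHOST'
```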


Author Comment

by:Stace Hema
ID: 41876747
Hi Dan,
Roger that.
I think we have over 120 AD accounts that are linked to a folder on the IIS server called 'HostingClients', in which each client's info is stored.  I believe this was originally set up because this customer previously had ASP running.  They do not now so I wonder if I can just continue to use Web Deploy to export IIS and then import that to the new server while at the same time robocopy the 'HostingClients' folder to the new server as well.

Reset permissions to the default:

Then it should work?

LVL 28

Expert Comment

by:Dan McFadden
ID: 41876781
I see no reason to not use Web Deploy to move the sites.

One of the main things that I would look out for:  are AppPools set up to use custom domain accounts.  I would investigate why they are so configured.  Also, watch out for AppPools running with old-mode identities.  Under 8.5, unless necessary, AppPools should run with the "ApplicationPoolIdentity."

If file level (NTFS) permissions are required for an AppPool, then you can use the IIS_IUSRS group to manage access.  Custom groups also function in this case, especially where multiple sites require file access permissions.  Using a single group can be risky.

In the case of the HostClients directory... robocopy is useless in this situation because the new server will not know who/what the old SIDs are, you will wind up with 120 "Unknown Account" ACLs on the directory.

If you want to maintain the ACL (which is why you would use robocopy instead of a plain copy), you will need to do some work in PowerShell to export the account info that has access, then in the new domain, use PowerShell to create those new accounts, then use some PowerShell to recreate the NTFS permissions.
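
One way to do the export and re-creation of NTFS permissions described above, as an added example that is not part of the original thread. It assumes the accounts already exist in the new domain under the same account names; `D:\HostingClients`, `OLDDOM`, `NEWDOM` and the CSV path are placeholders, and the function names are hypothetical.

```powershell
# Added example. Placeholders: D:\HostingClients, OLDDOM, NEWDOM, C:\temp\acl-export.csv.

# Run on the OLD server: record the explicit (non-inherited) ACEs of each client
# folder by account NAME, since the old SIDs mean nothing in the new domain.
function Export-FolderAcl {
    param([string]$Root, [string]$OutCsv)
    Get-ChildItem -Path $Root -Directory | ForEach-Object {
        $folder = $_.Name
        (Get-Acl -Path $_.FullName).Access |
            Where-Object { -not $_.IsInherited } |
            Select-Object @{n='Folder';e={$folder}},
                          @{n='Identity';e={$_.IdentityReference.Value}},
                          FileSystemRights, InheritanceFlags,
                          PropagationFlags, AccessControlType
    } | Export-Csv -Path $OutCsv -NoTypeInformation
}

# Run on the NEW server after copying the data without ACLs
# (for example: robocopy <src> <dst> /E /COPY:DAT).
function Import-FolderAcl {
    param([string]$Root, [string]$InCsv, [string]$OldDomain, [string]$NewDomain)
    foreach ($row in Import-Csv -Path $InCsv) {
        # Only old-domain accounts are remapped; BUILTIN and NT AUTHORITY are skipped.
        if ($row.Identity -notlike "$OldDomain\*") { continue }
        $account = '{0}\{1}' -f $NewDomain, $row.Identity.Split('\')[1]
        $path    = Join-Path $Root $row.Folder
        try {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $account,
                [System.Security.AccessControl.FileSystemRights]$row.FileSystemRights,
                [System.Security.AccessControl.InheritanceFlags]$row.InheritanceFlags,
                [System.Security.AccessControl.PropagationFlags]$row.PropagationFlags,
                [System.Security.AccessControl.AccessControlType]$row.AccessControlType)
            $acl = Get-Acl -Path $path
            $acl.AddAccessRule($rule)   # throws if $account does not exist in the new domain
            Set-Acl -Path $path -AclObject $acl
        } catch {
            # Missing account, missing folder or raw generic rights: report, do not guess.
            Write-Warning "Skipped $account on ${path}: $($_.Exception.Message)"
        }
    }
}

# Export-FolderAcl -Root 'D:\HostingClients' -OutCsv 'C:\temp\acl-export.csv'
# Import-FolderAcl -Root 'D:\HostingClients' -InCsv 'C:\temp\acl-export.csv' -OldDomain 'OLDDOM' -NewDomain 'NEWDOM'
```

Reviewing the warnings after the import shows which of the exported accounts still have to be created before their folder permissions can be restored.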


Author Comment

by:Stace Hema
ID: 41881611
Ok thanks Dan.

I'll see how I go with your suggestions.

LVL 28

Expert Comment

by:Dan McFadden
ID: 41900158
Any additional info on this question?


Accepted Solution

Stace Hema earned 0 total points
ID: 41901907
Sorry for the delay!
So what I had to do was remove AD from the role of my new network, join my MAN2012 to the original network via VPN, promote MAN2012 to be the new PDC then join the other new servers to the network. I had to then have the original servers to MAN2012 to. Run Webdeploy from the original IIS to the new one, robocopy data, set permissions, powershell search/replace on a bunch of stuff. Then migrate SQL by exporting all the old db's to .bak and then on the new SQL2012 import the .bak files. Disjoin all the original servers from the new MAN2012 box. Dump the VPN and finish tweaking a few things.

From here we are looking good!

We have migrated a bunch of sites and apart from Objects and Plugins etc to install it's all looking fine.

Just need to find a way to get my head around all of these Microsoft IIS warnings and the odd errors in event log. I'm a Linux guy using cPanel and that's basically easy to move sites from isp to isp, click Transfer and go go go.

So Dan if I look at your method yes you can use Webdeploy from isp to isp but in my circumstances that's not the way forward because my db's and IIS users would not come over so it would have been a nightmare... lol

Cheers again.

Author Comment

by:Stace Hema
ID: 41901911
Really appreciate the help offered.

Author Closing Comment

by:Stace Hema
ID: 41906983
My original question outlined all of the current servers and old servers. That should re-flag the fact that the Microsoft program called Webdeploy wouldn't work in the case Dan suggested.

Question has a verified solution.