Migrate File Server to new domain and export NTFS permission

  • Question

  • Hi,

    I am migrating a file server from an old domain to a new domain.  Note that these two domains do not have a trust relationship, and each of them has isolated AD users. Both domains have the same user list and group names; however, the SIDs are different.   Is there a way that I to new AD user, and import it back to apply new NTFS settings?

    For example, before migration - NTFS permission for a folder is (OLDDOMAIN\users1 - write & write) 

                after migration    - NTFS permission for a folder is (NEWDOMAIN\users1 - write & write) 

    Please help as we do not wish to apply back the NTFS permission one by one.

    Thanks & Regards,
    Lih Ping

    Thursday, March 15, 2012 10:37 AM

Answers

  • You don't need a trust relationship to accomplish this, however you will need a mapping of your users. Since they're all the same name, this shouldn't be difficult. Look at using the free SubInACL tool, combined with a mapping file, to append the necessary permissions to the source file server. Migrate the server to the new domain. Once you verify the users in the target can still access the shares/folders, use SubInACL again to remove the entries for the source users. 

    It's a pretty simple process. Help on SubInACL can be found here:

    download: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23510

    syntax: http://www.ponx.org/download/CD/Outils-Win/subinacl.htm

    example of SubInACL's /migratetodomain switch:

    /migratetodomain

    • The task in this example is to leave intact each ACE on every file on the C: drive that has an SID from Domain1, and create a new ACE with the same user from Domain2. Type the following at the command line:

      subinacl /subdirectory C:\*.* /migratetodomain=domain1=domain2

      Press ENTER.

    • The task in this example is to create a new ACE with the SID of Domain2\User2 for each ACE on every file on the C: drive that has an SID from Domain1\User1. Use a mapping file:
      1. Create a mapping file containing only the line USER1=USER2 and save this file as Mapfile.txt.
      2. Type the following at the command line:
        subinacl /subdirectory C:\*.* /migratetodomain=domain1=domain2=mapfile.txt
      3. Press ENTER.

    • Marked as answer by Aiden_Cao Friday, March 23, 2012 1:36 AM
    Monday, March 19, 2012 8:50 PM
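The verify and clean-up steps in the answer above can be checked by matching ACE SIDs against the source domain's SID, which needs no name resolution between the two domains. This is an added example, not part of the original answer; the function name, the share root and the domain SID are placeholders.

```powershell
# Added example (not from the thread): inventory owners and explicit ACEs
# whose SID belongs to one domain. Works on raw SIDs, so no trust is needed.
function Get-DomainAce {                      # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$DomainSid   # S-1-5-21-x-y-z of the domain
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        # The owner is not an ACE, but a source-domain owner also survives the move.
        $owner = $acl.GetOwner($sidType)
        if ($owner.AccountDomainSid -and $owner.AccountDomainSid.Value -eq $DomainSid) {
            [pscustomobject]@{ Path = $item.FullName; Kind = 'Owner'; Sid = $owner.Value; Rights = $null }
        }

        # Explicit ACEs only: inherited ones are corrected at the parent folder.
        foreach ($rule in $acl.GetAccessRules($true, $false, $sidType)) {
            $sid = $rule.IdentityReference
            if ($sid.AccountDomainSid -and $sid.AccountDomainSid.Value -eq $DomainSid) {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Kind   = "$($rule.AccessControlType)"
                    Sid    = $sid.Value
                    Rights = "$($rule.FileSystemRights)"
                }
            }
        }
    }
}

# Placeholder values: substitute the real share root and source-domain SID.
# Before clean-up this lists the entries to remove; afterwards, expect no rows.
Get-DomainAce -Root 'D:\Shares' -DomainSid 'S-1-5-21-1111111111-2222222222-3333333333' |
    Export-Csv -Path .\source-domain-aces.csv -NoTypeInformation
```

Running it a second time with the target domain's SID gives the matching inventory of newly added entries to compare against.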
  • Hi,

    Thanks for your post.

    Firstly, we need to establish a trust relationship between the two domains if they have different domain names. After that, we use ADMT to perform the security translation, which can translate user account SIDs from domain1 to domain2.

    For more information about how to use ADMT, please refer to the following articles:

    ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=19188

    Active Directory Migration Tool version 3.1
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17918

    Active Directory Migration Using ADMT 3.1
    http://www.sivarajan.com/admt.html
     

    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    • Proposed as answer by John D. Manley Monday, March 19, 2012 8:50 PM
    • Marked as answer by Aiden_Cao Friday, March 23, 2012 1:36 AM
    Monday, March 19, 2012 2:28 AM

All replies

  • Hi John,

    I have the same case as Lih above, and I have some questions about your solution.

    When you say "Migrate the server to the new domain", do you mean with ADMT, or just copying the file share with robocopy to a new file server on the target domain?

    In my case I have different domain accounts on the target domain. Is it possible to use the same method with a mapping file to apply the permissions?

    What kind of format must the mapfile.txt have?

    Lih, what solution did you apply for the migration?

    I am working on a similar case on that topic:

    http://social.technet.microsoft.com/Forums/en-us/winserverMigration/thread/84742901-099a-4530-ad37-afddf89c1720

    thank you all

    Thursday, May 31, 2012 8:13 AM
  • Hi, 

    I have the same problem: migrating from one domain to another with no trust between them. 

    The problem is that I also have different SamAccountNames. 

    What should I do in this case? Write the mapping for all the users in the mapfile.txt? 

    EX:   rfarcas=CG34567

            ccovaciu=CG57739

    Thank you very much ! 

     

    Tuesday, August 20, 2019 11:48 AM
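For the mapping-file questions in the replies above, one way to generate Mapfile.txt from a reviewed list of account pairs and catch mistakes before SubInACL touches any ACL. This is an added example, not part of the thread: it assumes the USER1=USER2 form shown in the SubInACL answer extends to one pair per line, and the function name and CSV column names are hypothetical.

```powershell
# Added example (not from the thread): turn a reviewed list of account pairs
# into Mapfile.txt lines of the form OLD=NEW, one pair per line (assumed format).
function ConvertTo-MapLine {                  # hypothetical helper name
    param([Parameter(Mandatory)][object[]]$Rows)    # objects with OldSam, NewSam

    $pairs = @($Rows | ForEach-Object {
        [pscustomobject]@{ OldSam = "$($_.OldSam)".Trim(); NewSam = "$($_.NewSam)".Trim() }
    })

    # Blank names, or names containing the '=' separator, cannot be expressed.
    $bad = @($pairs | Where-Object { $_.OldSam -notmatch '^[^=]+$' -or $_.NewSam -notmatch '^[^=]+$' })
    if ($bad.Count) { throw "Malformed entries: $($bad.Count)" }

    # The same source account listed twice is ambiguous, so stop.
    $dup = @($pairs | Group-Object OldSam | Where-Object { $_.Count -gt 1 })
    if ($dup.Count) { throw "Duplicate source accounts: $($dup.Name -join ', ')" }

    # Several sources mapped to one target merge their access on that target.
    # This can be intended (account consolidation), so warn instead of failing.
    $pairs | Group-Object NewSam | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning "$($_.Name) would receive the ACEs of: $($_.Group.OldSam -join ', ')"
    }

    $pairs | ForEach-Object { "$($_.OldSam)=$($_.NewSam)" }
}

# Sample input: the two pairs quoted in the post above, written as CSV.
$sample = @'
OldSam,NewSam
rfarcas,CG34567
ccovaciu,CG57739
'@ | ConvertFrom-Csv

# ASCII encoding is an assumption; the thread does not say what SubInACL expects.
ConvertTo-MapLine -Rows $sample | Set-Content -Path .\Mapfile.txt -Encoding ASCII
```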