File Migration to new Domain

drumdogg · 19 Nov 2014 at 09:46

Hi Guys,

I am preparing for a migration of some files onto a new server on a new domain.

Basically i was wanting to copy these folders and files with the same security groups as on the current domain they are on. So was planning on using Robocopy to copy files across as is. I was planning on recreating the same security groups on the new domain so that the same access would be the same on the new server and domain.

Then it clicked with me that the folder i copy across to the new domain will have Domain1\SecurityGroup1 added to a folder when it should be Domain2\SecurityGroup1. So therefore it will be looking for a security group on the old domain instead on the new domain.. If you know what i mean.

First time im doing a migration so not sure what the best practice is.

Any thoughts would be great thanks.

anything I don't mind · 19 Nov 2014 at 11:36

Why are you creating a new domain?

What you are doing does not sound correct to be honest.

tribz · 19 Nov 2014 at 11:50

If you recreate the users and security groups, they still wont have the same SID as the original domain.

CleverBalls · 19 Nov 2014 at 11:53

Stop what you are doing.

Don't mess around with a domain migration until you are SURE you know what you are doing.

You need to use the ADMT Tool provided by microsoft for this specific purpose.

Here is a link to a guide: http://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx

And here is a link to the download: http://www.microsoft.com/en-us/download/details.aspx?id=19188

Read, read, read and then execute.

Good luck.

drumdogg · 19 Nov 2014 at 13:28

Thanks for the Info CleverBalls, will have a look into this.

Ok Basically we are moving certain users onto a new server and new Domain.
As far as the file transer goes, i thought i could copy permissons as is on folders and create the same security groups on the new domain and would work ok.

But now i have realised that the SID will be different between the domains.

On the upside there are only a handful of users and folders that are to be moved so re-creating security groups and applying permissons to folders wont to a huge task.

anything I don't mind · 19 Nov 2014 at 13:39

Why are you moving users on to a new domain?

If you have a security group on acl list that no longer exists, it will just show up as the uid of the group and you can remove it then add the group from the new domain.

However i highly doubt that you would need to make a new domain.

CleverBalls · 19 Nov 2014 at 13:41

drumdogg said:
Thanks for the Info CleverBalls, will have a look into this.

Ok Basically we are moving certain users onto a new server and new Domain.
As far as the file transer goes, i thought i could copy permissons as is on folders and create the same security groups on the new domain and would work ok.

But now i have realised that the SID will be different between the domains.

On the upside there are only a handful of users and folders that are to be moved so re-creating security groups and applying permissons to folders wont to a huge task.

No worries bud, sorry if I sounded a bit heavy handed - send us a message if you need any assistance.

Caged · 19 Nov 2014 at 13:49

anything I don't mind said:
Why are you moving users on to a new domain?

drumdogg · 19 Nov 2014 at 15:18

Why are you moving users on to a new domain?

Its a subsidiary part of the company that are moving off onto their own domain.

No worries bud, sorry if I sounded a bit heavy handed - send us a message if you need any assistance

Cheers, there could be a few questions in the near future.

Caged · 19 Nov 2014 at 15:37

Just create a two-way trust and be done with it.

Battery! · 20 Nov 2014 at 00:08

tribz said:
If you recreate the users and security groups, they still wont have the same SID as the original domain.

This.

You need to use a migration tool so the SID history is carried over.

drumdogg · 20 Nov 2014 at 10:07

Just create a two-way trust and be done with it.

Think i will have to do this as well as users may need to use printers on the old domain from the new one. We have some users that will be onsite on the new domain which will have to use printers on the old domain.

drumdogg · 20 Nov 2014 at 10:41

Also guys i could you clarify if Robocopy will work to copy files to a remote server??

Have tested it between server on the same LAN and it works.

As long as i can ping to remote server robocopy should work??

So using something like:

robocopy "\\OldServerName\SourceDirectory" "\\NewServerName\DestinationDirectory"

and of course adding the appropriate switches in.

Swarfega · 20 Nov 2014 at 10:47

Yes robocopy will work. Just be sure files are not in use during the copy or changed once the copy has completed. Consider making the share read only.

ASE001 · 20 Nov 2014 at 11:34

Swarfega said:
Yes robocopy will work. Just be sure files are not in use during the copy or changed once the copy has completed. Consider making the share read only.

If the folder/files are being move to a new domain then you can use ICACLS to re-permission to the new/migrated domain accounts. You may have to put a script around it if you have large number of users, reading the users from a text file? I'm sure if you Google you will find plenty of examples out there?

see http://technet.microsoft.com/en-us/library/cc753525.aspx

drumdogg · 20 Nov 2014 at 11:42

Yes robocopy will work. Just be sure files are not in use during the copy or changed once the copy has completed. Consider making the share read only.

Thanks Swarfega, just wanted to double check

If the folder/files are being move to a new domain then you can use ICACLS to re-permission to the new/migrated domain accounts. You may have to put a script around it if you have large number of users, reading the users from a text file? I'm sure if you Google you will find plenty of examples out there?

see http://technet.microsoft.com/en-us/l.../cc753525.aspx

Cheers, will have a look at this

Little_Crow · 20 Nov 2014 at 14:01

ASE001 said:
you can use ICACLS to re-permission to the new/migrated domain accounts. You may have to put a script around it if you have large number of users, reading the users from a text file?

I'm sure it's best practice regardless of the number of users, but don't give folder permissions to users directly, give it to groups, and then assign the users to the group.

If it's feasible then you may be able to setup an empty structure of the folders in the new location and have them already permissioned.
That way you can copy the folder contents in and have them inherit the permissions immediately, rather than having to run a script after the copy to set the rights.

As evidenced by this thread, there is no right answer anyone can give you. How you approach it very much depends on downtime availablity, number/size of files, number of users, and a whole host of other factors.

Hellsmk2 · 20 Nov 2014 at 23:17

Use the File Server Migration Tool instead of robocopy. It's far better and works with domains where a trust has been established. Why script it with robocopy when Ms have tools designed for stuff like this - disaster waiting to happen.

If there is no trust, then ADMT is the way to go as previously mentioned.

CleverBalls · 1 Dec 2014 at 18:36

Hey bud, like caged has suggested the best solution is to create a two way trust, it'll mean the smallest foot print and has less chance of ****ing everything up.

drumdogg · 8 Dec 2014 at 16:41

If i am to use robocopy to move file to a new server on a new domain what permissons do i need in place??

Domain1 will have its credentials and domain 2 will have its credentials. Will this cause an issue when i go to start my script??

Read somewhere about using "net use" to map drive and allow permissons first. Would this be correct??