Wednesday 17 October 2012

Migration of File Server and local group


 
I would like to share some recent work of mine: migrating a file server to new hardware. It should have been a straightforward migration; however, the folder permissions were configured with local groups (not domain groups), which makes the permissions invalid once migrated to the new server because of the local group SID (Security Identifier). You can find more information on SIDs at http://en.wikipedia.org/wiki/Security_Identifier

OK, now let's get into the topic. Several handy tools are required for this migration:

1. Addusers.exe (from the Windows 2000 Resource Kit; also attached to this blog)

2. SubinACL (http://www.microsoft.com/en-us/download/details.aspx?id=23510)

3. Getsid.exe (from the Windows 2000 Resource Kit; also attached to this blog)

4. Robocopy (should come with the current OS, e.g. Windows 2008)

5. Beyond Compare 3 (optional; used for folder comparison only)

Let's run through an overview of those tools:

1. Addusers.exe
a. This is used to export the local group info and then import it into the new server.

2. SubinACL
a. We need this primarily to replace the existing group SID with the new SID on the new server.
b. It also comes in handy for fixing access-denied issues when copying files/folders to the new server.

3. Getsid.exe
a. This dumps the local group SID on the existing server and on the new server. We then use SubinACL to do the SID replacement.

4. Robocopy
a. Used to copy files/folders together with their NTFS permissions.

5. Beyond Compare 3
a. This is optional; I use it to do a folder comparison after copying with robocopy. You can use any alternative tool that does the same job, which is comparing folders between the existing server and the new server.

I divided the work into several parts:


Part 1: Let's “copy” the local groups from the existing server to the new server

ServerA = existing old server (source)
ServerB = New server (destination)

1. On Server A, run “addusers \\ServerA /d myGroupSource.txt”
a. This dumps all the local group/user information into a file called myGroupSource.txt.

2. Open myGroupSource.txt for editing; you should see 3 sections:
a. [User]
b. [Global]
c. [Local]

As we only want to copy the local groups to the new server, remove the whole [User] and [Global] sections (in the screenshot, everything inside the red box).

3. Once edited, the first line of myGroupSource.txt should be “[Local]”.

4. Edit myGroupSource.txt again; this time we want to remove the built-in groups, e.g. Administrators, Backup Operators, Power Users, etc. Remember that each group is on its own line, so remove the whole line and not just the word “administrators” :P

5. Once it is tidied up, copy myGroupSource.txt to Server B (the new server) and run the command below. This will import/create the local groups based on the info in “myGroupSource.txt”.
a. addusers \\ServerB /c myGroupSource.txt

6. Now go to Computer Management → Local Users and Groups; you should see the newly created groups, with membership based on “myGroupSource.txt”.

Note: This only creates the new local groups (with new group SIDs) and their group members; it will NOT migrate the users. Thus, if the group members include local user IDs of Server A, they will become invalid, and you will see only the SID strings and not usernames.


Part 2:  It is time to do some massive data migration…. :P

A simple task for those who have used robocopy before: just type some switches and voilà…

1. On Server B, type the sample command below:
a. robocopy \\ServerA\D$\mydata d:\mynewdata /E /ZB /COPYALL
   i. robocopy <source of the data> <destination> <options>
   ii. For more details, look at robocopy /?. You can do more advanced things with the available options, e.g. mirroring, monitoring, logging, etc.

2. If your file server is large (e.g. TBs in size), this will take some time. I run multiple robocopy sessions against multiple different folders.

3. Once copied, use Beyond Compare or a similar tool to do a folder comparison, as we want to make sure we copied all the files/folders.

Part 3: Prepare the SID matching file and fix the folder/file permissions.
Every user or group created on a server is assigned a SID, which is unique to each creation and each server, even when the name is the same. For example, a local group called “FinanceDept” on Server A is NOT the same as a “FinanceDept” local group created on Server B, because the two groups have different SIDs.

Thus, if the NTFS permissions on a file grant Read to a local group (e.g. FinanceDept) on Server A, then when you migrate the file and its permissions to Server B, the “FinanceDept” permission becomes invalid. The reason is that the SID of Server A's “FinanceDept” is simply not recognized by Server B.

As we already created the local groups on Server B (in Part 1), new SIDs were assigned to the newly created groups. We therefore need to prepare a SID matching file and use SubinACL to replace the ServerA SIDs with the ServerB SIDs, so that the domain user IDs that are members of those groups can access the shared folders once the file server is migrated to the new server.

1. First, create a text file listing all the groups for which you want to do the matching and replacement, one group per line. Name the file Localgroup.txt.

2. Create 3 batch files with the following content and file names:
a. Filename: ListSID.bat
@echo off
cls
rem Start from a clean output file
if exist groupssid.txt del groupssid.txt
rem tokens=1 reads only the first word of each line in localgroup.txt
for /F "tokens=1" %%a in (localgroup.txt) do call listsid1.bat %%a

b. Filename: ListSID1.bat
rem Compare the group's SID on both servers and save getsid's output
getsid \\ServerA %1 \\ServerB %1 >sid1.txt
rem Skip the first output line, then pass tokens 5 and 7 of each remaining line on
for /F "skip=1 tokens=5,7" %%a in (sid1.txt) do call listsid2.bat %%a %%b

Note: \\ServerA = the source server name (existing file server)
      \\ServerB = the destination server name (new file server)

c. Filename: ListSID2.bat
rem Append the pair to the output file
echo %1 %2 >>groupssid.txt

3. Save all the files/batch files created in Part 3 above into the same folder as GetSID.exe.

4. From a command prompt, run ListSID.bat.
5. Once it completes, an output file called groupSSID.txt will have been created. Open the file and you will see similar content.


6. Now edit the content so that it contains only SID info, in this format:
a. <ServerA Group SID>     <ServerB Group SID>

7. The matching file is now ready. Assuming your robocopy file copy has completed (you must wait until it has), next we run SubinACL to read the matching file and do the permission (SID) replacement.

8. Create 2 batch files with the following content:
a. Filename: ReplaceMe.bat
rem Run one SubinACL pass per SID pair in the matching file
for /F "tokens=1,2" %%a in (groupssid.txt) do call ReplaceMe2.bat %%a %%b
b. Filename: ReplaceMe2.bat
rem %1 = ServerA SID, %2 = ServerB SID
subinacl /subdirectories D:\SharedFolder1\*.* /replace=%1=%2

9. Make sure the files above are saved in the same directory as SubinACL.exe.

10. At a command prompt, run ReplaceMe.bat
Note: You may need to run the command prompt with elevated Administrator privileges.

11. Once you have run the same batch file against all your folders, you are good to go and ready to cut over to the new file server as production.
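
A check to run after step 11 and before cut-over, as an added example that is not part of the original post: this PowerShell script re-reads the matching file and lists every ACE under the share that still carries a ServerA SID or a SID that Server B cannot resolve to a name. It assumes PowerShell 3.0 or later on Server B; the parameter names and default paths are illustrative.

```powershell
# Added example (not from the original post): ACL audit after the SubinACL pass.
# Assumes PowerShell 3.0+ and groupssid.txt in "<ServerA SID> <ServerB SID>" form.
param(
    [string]$Root    = 'D:\SharedFolder1',   # folder used in ReplaceMe2.bat
    [string]$MapFile = '.\groupssid.txt'     # matching file from step 6
)
$sidPattern = '^S-1-\d+(-\d+)+$'

# Collect the ServerA SIDs, rejecting lines that are not two well-formed SIDs.
$oldSids = @{}
foreach ($line in Get-Content -LiteralPath $MapFile) {
    if ($line.Trim() -eq '') { continue }
    $parts = $line.Trim() -split '\s+'
    if ($parts.Count -ne 2 -or $parts[0] -notmatch $sidPattern -or
        $parts[1] -notmatch $sidPattern) {
        Write-Warning "Malformed mapping line skipped: $line"
        continue
    }
    $oldSids[$parts[0]] = $parts[1]
}

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$findings = foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

    # Request raw SIDs so name resolution cannot hide a stale entry.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference
        $issue = $null
        if ($oldSids.ContainsKey($sid.Value)) {
            $issue = 'ServerA SID still present'
        } else {
            try { [void]$sid.Translate([System.Security.Principal.NTAccount]) }
            catch { $issue = 'SID does not resolve on this server' }
        }
        if ($issue) {
            [pscustomobject]@{
                Issue = $issue; Sid = $sid.Value; Path = $item.FullName
                Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
            }
        }
    }
}
$findings | Sort-Object Issue, Path | Format-Table -AutoSize -Wrap
'{0} ACE(s) need attention under {1}' -f @($findings).Count, $Root
```

Unresolved SIDs that are not in the matching file usually point at local users of Server A, which Part 1 does not migrate.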



I hope the above steps help you with your file migration… Any suggestions or ideas for doing the same thing are welcome…

More detailed resources:
You cannot resolve local groups when you migrate files between member servers of different domains


