I would like to share my recent work migrating a file server to new hardware. It should have been a straightforward migration; however, the folder permissions were configured with local groups (not domain groups), which makes the permissions invalid once they are migrated to the new server, because of the local group SID (Security Identifier). You can find more info on SIDs at http://en.wikipedia.org/wiki/Security_Identifier
OK, now let's get into the topic. Several handy tools are required for this migration:
1. Addusers.exe (from the Windows 2000 Resource Kit, also attached to this blog)
2. SubinACL (http://www.microsoft.com/en-us/download/details.aspx?id=23510)
3. Getsid.exe (from the Windows 2000 Resource Kit, also attached to this blog)
4. Robocopy (should come with the current OS, e.g. Windows 2008)
5. Beyond Compare 3 (optional, used for folder comparison only)
Let's run through an overview of these tools:
1. Addusers.exe
   a. Used to export the local group info from the existing server and then import the group info into the new server.
2. SubinACL
   a. We need this primarily to replace the existing group SIDs with the new SIDs on the new server.
   b. It also comes in handy when we need to fix access denied issues while copying files/folders to the new server.
3. Getsid.exe
   a. Used to dump the local group SIDs on the existing server and the new server. We then use SubinACL to do the SID replacement.
4. Robocopy
   a. Used to copy files/folders together with their NTFS permissions.
5. Beyond Compare 3
   a. This is an optional item; I use it for folder comparison after copying with robocopy. You can use any alternative tool that does the same job, which is comparing folders between the existing server and the new server.
I divided the work into several parts:

Part 1: Let's "copy" the local groups from the existing server to the new server

ServerA = existing old server (source)
ServerB = new server (destination)

1. Go to Server A and run "addusers \\ServerA /d myGroupSource.txt"
   a. It will dump all the local group/user information into a file called myGroupSource.txt
2. Open and edit myGroupSource.txt. You should be able to see 3 sections:
   a. [User]
   b. [Global]
   c. [Local]
   As we only want to copy the local groups to the new server, remove the whole [User] and [Global] sections (in the screenshot, the parts inside the red box).
3. Once edited, the first line of myGroupSource.txt should start with "[Local]".
4. Edit myGroupSource.txt again; this time we want to remove the built-in groups, e.g. Administrators, Backup Operators, Power Users, etc. Remember that each group is on one line, so remove the whole line and not just the word "administrators" :P
5. Once it is tidied up, copy myGroupSource.txt to Server B (new server) and run the command below. This will import/create the local groups based on the "myGroupSource.txt" info.
   a. addusers \\ServerB /c myGroupSource.txt
6. Now go to Computer Management → Local Users and Groups. You should be able to see the newly created groups with membership based on "myGroupSource.txt".

Note: This only creates the new local groups (with new group SIDs) and their members; it will NOT migrate the users. Thus, if the group members include local user IDs from Server A, they will become invalid, and you will see only the SID strings and not usernames.
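
The edits in steps 2 to 4 can also be scripted. The PowerShell below is an added example, not part of the original post or of Addusers: it assumes the dump holds one comma-separated record per line with the group name in the first field. The function name, the sample records, and the built-in group names beyond the three listed in step 4 are assumptions.

```powershell
# Added example (not from the original post).
# Assumed dump layout: [User] / [Global] / [Local] section headers, then one
# comma-separated record per line with the group name in the first field.
function Select-LocalGroupLine {
    param(
        [string[]]$Lines,
        # Step 4 names the first three; the others are further standard
        # Windows built-in groups. Extend the list to match Server A.
        [string[]]$BuiltIn = @('Administrators', 'Backup Operators', 'Power Users',
                               'Guests', 'Users', 'Replicator', 'Print Operators')
    )
    $section = ''
    $kept = @('[Local]')                 # step 3: the file must start with [Local]
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'Local' -or -not $text) { continue }   # drops [User] and [Global]
        $name = ($text -split ',')[0].Trim()
        if ($BuiltIn -contains $name) { continue }              # -contains ignores case
        $kept += $text
    }
    return $kept
}

# Constructed sample dump (made-up accounts and domain) to show the filtering.
$sample = @(
    '[User]',   'alice,Alice A,,,,,,',
    '[Global]', 'None,Ordinary users,alice,',
    '[Local]',  'Administrators,Built-in admins,Administrator,',
    'FinanceDept,Finance share access,CONTOSO\bob,CONTOSO\carol,'
)
Select-LocalGroupLine -Lines $sample

# On the real dump, review the result before importing it with addusers /c:
# Select-LocalGroupLine -Lines (Get-Content myGroupSource.txt) | Set-Content myGroupSource.txt
```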

Part 2: It is time to do some massive data migration... :P

A simple task for those who have used robocopy before: just type some switches and voilà...

1. On Server B, type the sample command below:
   a. robocopy \\ServerA\D$\mydata d:\mynewdata /E /ZB /COPYALL
      i. robocopy <source of the data> <destination> <options>
      ii. For more details, look at robocopy /?. In fact, you can do more advanced things with the options available, e.g. mirroring, monitoring, logging, etc.
2. If your file server is large (e.g. TBs in size), this will take some time. For me, I run multiple robocopy sessions against multiple different folders.
3. Once copied, use Beyond Compare or a similar tool to do a folder comparison, as we want to make sure we copied all the files/folders.

Part 3: Prepare the SID matching file and fix the folder/file permissions

Every user or group created on a server is assigned a SID, and it is unique for every creation and every server, even with the same name. For example, a local group called "FinanceDept" on Server A is NOT the same as a "FinanceDept" local group created on Server B, as the two groups have different SIDs.

Thus, if the NTFS permission on a file granted Read permission to a local group (e.g. FinanceDept) on Server A, then when you migrate the file and its permissions to Server B, the "FinanceDept" permission will become invalid. The reason is that the SID of Server A's "FinanceDept" is simply not recognized by Server B.

As we already created the local groups on Server B (as stated in Part 1), a new SID was assigned to each newly created group. Thus, we need to prepare a SID matching file and use SubinACL to replace the ServerA SIDs with the ServerB SIDs, so that the domain user IDs residing in those groups will be able to access the shared folders when you migrate the file server to the new server.

1. First, create a text file listing all the groups that you want to match and replace. Each line represents one group. Name the file Localgroup.txt.
2. Create 3 batch files with the following file names and content:
   a. Filename: ListSID.bat

        @echo off
        cls
        rem Start with a fresh matching file on every run.
        if exist groupssid.txt del groupssid.txt
        rem tokens=1 reads only the first word of each line of localgroup.txt.
        for /F "tokens=1" %%a in (localgroup.txt) do call listsid1.bat %%a

   b. Filename: ListSID1.bat

        rem Dump the SID of the same group name on both servers.
        getsid \\ServerA %1 \\ServerB %1 >sid1.txt
        for /F "skip=1 tokens=5,7" %%a in (sid1.txt) do call listsid2.bat %%a %%b

      Note: \\ServerA = the source server name (existing file server)
            \\ServerB = the destination server name (new file server)
   c. Filename: ListSID2.bat

        echo %1 %2 >>groupssid.txt

3. Save all the files/batch files created in Part 3 above into the same folder as GetSID.exe.
4. From a command prompt, run ListSID.bat.
5. Once it completes, an output file called groupSSID.txt will be created. Open the file and you will see content similar to:
   a. <ServerA Group SID> <ServerB Group SID>
7. Now the matching file is ready. Assuming your file copy using robocopy is completed (you must wait until it has completed), next we will run SubinACL to read the matching file and do the permission (SID) replacement.
8. Create 2 batch files with the following:
   a. Filename: ReplaceMe.bat

        rem "call" returns control to this loop after each ReplaceMe2.bat run.
        for /F "tokens=1,2" %%a in (groupssid.txt) do call ReplaceMe2.bat %%a %%b

   b. Filename: ReplaceMe2.bat

        subinacl /subdirectories D:\SharedFolder1\*.* /replace=%1=%2

9. Make sure the files above are saved in the same directory as SubinACL.exe.
10. At a command prompt, run ReplaceMe.bat.
    Note: You may need to run the command prompt with elevated Administrator privileges.
11. Once you have run the same batch file against all your folders, you are good to go and ready to cut over to the new file server as production.
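
A check to run on Server B before and after ReplaceMe.bat, as an added example that is not part of the original post or of SubinACL: it validates groupssid.txt and then lists explicit ACEs under the share that still reference a ServerA SID. The function names are hypothetical, and it assumes PowerShell 3.0 or later and the two-column file format shown in step 5.

```powershell
# Added example. Assumes each line of groupssid.txt is "<ServerA SID> <ServerB SID>",
# e.g. (constructed): S-1-5-21-1111111111-2222222222-3333333333-1005 S-1-5-21-1234567890-2345678901-3456789012-1003
function Read-SidMap {
    param([string]$Path = 'groupssid.txt')
    $map = @{}
    $n = 0
    foreach ($line in Get-Content -Path $Path) {
        $n++
        $parts = @($line.Trim() -split '\s+' | Where-Object { $_ })
        if ($parts.Count -eq 0) { continue }                      # skip blank lines
        if ($parts.Count -ne 2) { throw "Line ${n}: expected two SIDs: '$line'" }
        try {
            # The constructor rejects anything that is not a well-formed SID string.
            $old = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $parts[0]
            $new = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $parts[1]
        } catch { throw "Line ${n}: not a valid SID pair: '$line'" }
        if ($old.Value -eq $new.Value) { throw "Line ${n}: source and destination SID are the same" }
        if ($map.ContainsKey($old.Value)) { throw "Line ${n}: duplicate source SID $($old.Value)" }
        $map[$old.Value] = $new.Value
    }
    return $map
}

function Find-LeftoverSid {
    param([string]$Root, [hashtable]$SidMap)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Explicit ACEs only: inherited ones are corrected at the folder that defines them.
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($SidMap.ContainsKey($sid)) {
                [pscustomobject]@{
                    Path   = $item.FullName
                    OldSid = $sid
                    NewSid = $SidMap[$sid]
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

# Run from the folder that holds groupssid.txt; the share path is the one used in ReplaceMe2.bat.
$map = Read-SidMap -Path '.\groupssid.txt'
Find-LeftoverSid -Root 'D:\SharedFolder1' -SidMap $map | Format-Table -AutoSize
```

Before the replacement, the rows show which files and folders carry ServerA group permissions; after it, an empty result means no explicit ACE under the share still references a ServerA SID from the matching file.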

I hope the steps above help with your file migration. Any suggestions or ideas for doing the same thing are welcome.

More detailed resources:
You cannot resolve local groups when you migrate files between member servers of different domains