Data Migration between 2 Untrusted domains (Subinacl)

In some infrequent cases we face a domain migration in which we do not have permissions to manage the current domain completely, only access to the OUs whose users we manage. If we need to “become independent” and migrate the data to a new domain, we cannot use Microsoft's common tools such as FSMT, since they require a trust relationship to carry the permissions over.

The first thing we must do is create the same users and groups on the new server. We have two options: create them by hand, or use a tool such as Diffuse that lets us export them from the OUs we have permissions on to a text file and import them into the new domain.

As there is no trust relationship, the users in domain 1 and domain 2 will not have the same SIDs, so a file migration will not maintain the original permissions.

To solve this, we will carry out the following steps:

On the destination server we map the data directory we want to migrate. In this case Z:

We perform a robocopy of the data from the source drive to the destination.

Once the data has been copied, the properties of any file show that the users of the previous domain are not recognized. This is what we must solve with the subinacl tool.

We install the Microsoft tool subinacl on both the source and the destination data server.

We run subinacl on the source server to export the permissions of the data to a text file. This will result in a file that contains a list of file and user permissions.

Run: subinacl /noverbose /outputlog=C:\archivo.txt /subdirectories path\*.* /display

We copy the txt file produced by subinacl from the source server to the destination, where we will then inject it.

What we must do is the following:

- We replace the old domain name with the new one in the txt file resulting from subinacl.

- We replace the path of the files with the new path where they are on the destination server.

The resulting file is the one we must use to inject the permissions.
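The two replacements above can be scripted so that only account prefixes and object paths are rewritten, and so that accounts not yet created in the new domain are flagged before the file is replayed. This is an added PowerShell example, not part of the original post; the function name Convert-SubinaclExport, the domains OLDDOM and NEWDOM, the paths and the account names are assumptions, and the sample lines are constructed.

```powershell
function Convert-SubinaclExport {
    param(
        [string[]]$Lines,
        [string]$OldDomain, [string]$NewDomain,
        [string]$OldRoot,   [string]$NewRoot,
        [string[]]$KnownAccounts   # account names already created in the new domain
    )
    # Path prefix on object header lines, matched only at a folder boundary
    # so that D:\Data does not also rewrite D:\Database.
    $rootRx = '^(\+\w+\s+)' + [regex]::Escape($OldRoot) + '(?=\\|\s*$)'
    # Account reference: "=OLDDOM\name", where the name ends at a tab, a run of spaces or end of line.
    $domRx  = '=' + [regex]::Escape($OldDomain) + '\\'
    $acctRx = $domRx + '([^\t]+?)(?=\t|\s{2}|\s*$)'
    $missing = New-Object 'System.Collections.Generic.HashSet[string]'

    $out = foreach ($line in $Lines) {
        if ($line -match '^\+') {
            # Header line: change the path only ('$' is doubled for paths like \\srv\d$\...).
            $line -replace $rootRx, ('$1' + $NewRoot.Replace('$', '$$'))
        } else {
            # Record every old-domain account that has no counterpart in the new domain.
            foreach ($m in [regex]::Matches($line, $acctRx, 'IgnoreCase')) {
                $name = $m.Groups[1].Value
                if ($KnownAccounts -notcontains $name) { [void]$missing.Add($name) }
            }
            # Rewrite the domain prefix; builtin\ and other prefixes are left alone.
            $line -replace $domRx, "=$NewDomain\"
        }
    }
    [pscustomobject]@{ Lines = $out; MissingAccounts = @($missing) }
}

# Constructed sample in the shape of a subinacl export (real files carry more fields).
$sample = @(
    '+File D:\Data\Finance\budget.xlsx',
    '/owner             =olddom\alice',
    '/pace =olddom\finance-rw  ACCESS_ALLOWED_ACE_TYPE-0x0',
    '/pace =builtin\administrators  ACCESS_ALLOWED_ACE_TYPE-0x0',
    '/pace =olddom\bob  ACCESS_ALLOWED_ACE_TYPE-0x0'
)
$r = Convert-SubinaclExport -Lines $sample -OldDomain 'OLDDOM' -NewDomain 'NEWDOM' `
        -OldRoot 'D:\Data' -NewRoot 'E:\Shares\Data' -KnownAccounts 'alice', 'finance-rw'
$r.Lines
if ($r.MissingAccounts) {
    Write-Warning "Not created in NEWDOM: $($r.MissingAccounts -join ', ')"
}
```

For a real export, feed the function with Get-Content and write the result with Set-Content, passing the same -Encoding to both so the file keeps the encoding subinacl produced. Resolve any account listed in the warning before replaying the file.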

Once the replacement is finished, we inject the permissions into the new server with: subinacl /playfile ruta\archivo.txt

Here we can see how it injects the permissions.

And this is the result of importing the permissions.


Author

nheobug@bujarra.com
Author of the blog Bujarra.com. Whatever you need, do not hesitate to contact me, I will try to help you whenever I can. Sharing is living ;) . Enjoy the documents!!!