5 Posts
2
3676
AD Migration
Hey .. I'd like to get some opinions on how to handle an AD migration.
Currently I have several cifs servers with hundreds of shares for user home directories, etc .... Everything in our current domain will move to a totally new domain, including individual user and group accounts.
Un-joining the cifs servers from the old domain, and joining the new domain, won't be an issue.
But, how should I go about updating the user's access to their home directories? Currently they are permissioned to the user accounts in the old domain which will be going away. Is there a way to easily permission all of the shares to the accounts/groups in the new domain?
I'd rather not have to update permissions on each individual share with the new domain accounts.
Any help is appreciated.
Thanks
dynamox
1 Rookie
20.4K Posts
2
August 6th, 2009 20:00
SetACL.exe -on "<path>" -ot file -actn ace -ace "n:microsoft\billgates;p:change"
http://setacl.sourceforge.net/
Since you are doing this big migration, have you thought about using ABE (access-based enumeration)? You don't need to create a share for each user's home directory; simply share the root home directory and set ABE on that share. Users will connect to \\CIFS-Server\HOME and the only thing they will see is the folder they have NTFS permissions to. It will make it so much easier for your help desk to provision new accounts. Just a thought.
Rainer_EMC
8.6K Posts
1
August 7th, 2009 03:00
If you have that many servers, it might make sense to invest in a special tool for this.
For example from Quest http://www.quest.com/migration/ or Scriptlogic http://www.scriptlogic.com/products/security-explorer/ or Hyena http://www.systemtools.com/hyena/index.html
eemjay
5 Posts
0
September 30th, 2009 09:00
I'm having issues joining the cifs servers to our new domain after unjoining them from the current domain. I copied a log below. I've verified that the date and time are correct on the datamover.
Also, does anyone know why the domain in Celerra Manager doesn't change to none after I unjoin a cifs server from the domain? Do I have to delete and re-add the server with the new domain for this to change? What happens to the shares hosted on that cifs if I do that?
2009-09-29 17:49:57: SMB: 3: saveAccountPassword: Domain name mistmatch between 'cifs -add' and cifs -J' commands: DS.xxxxxx.COM - DS.xxxxxxx.COM
2009-09-29 17:49:57: SMB: 3: DomainJoin::DJ_setServerPassword: - Failed to update kerberos file for compname=simfs001
2009-09-29 17:49:57: SMB: 3: DomainJoin::reuseAccount Unable to set password for CN=simfs001,OU=emc celerra,OU=Servers,OU=Stock,DC=ds,DC=xxxxxx,DC=com
eemjay
5 Posts
0
September 30th, 2009 09:00
server_cifs server_x -Migrate should take care of ACLs during the migration, right?
Then server_cifs server_x -Replace should be run before the domain trust is broken?
Thanks!!!!!
eemjay
5 Posts
0
October 19th, 2009 08:00
Once you unjoin a cifs server from its current domain, delete it from the datamover, recreate under the new domain, and join the new domain .....
All of the share permissions, and folder security for the filesystems on the datamovers pick up the SIDs from the new domain automatically.
In this case the trust is still in place between old and new domains.
csanchezgonzale
11 Posts
0
August 24th, 2010 07:00
Hello eemjay,
Did you need to run the "server_cifs -Replace" command? (after doing the join command to the new domain).
Last week we tried to do a Celerra domain migration (from W2003 to W2008) and we followed the same steps that you indicated (unjoin a cifs server from its current domain, delete it from the datamover, recreate under the new domain, and join the new domain), but the SIDs were not updated automatically as you indicate happened in your environment. We didn't use the -Replace option because we were not sure about it.
About the domains:
- There is a trust between them
- The SID History option is enabled
- The users/groups, etc. were migrated previously between domains (we don't know exactly which tool they used to do this)
I think that the procedure is easy, but we have doubts about the -Replace option (we are not sure about its use).
Thank you very much in advance!!!
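One way to check whether folder ACLs still carry old-domain SIDs after the join, which is the point the two posts above report differently (an added example, not part of the thread and not EMC tooling; the share path and the domain SID are placeholders to replace with your own values):

```powershell
# Report explicit NTFS ACEs on each home folder that still reference the
# old domain's SIDs. Read-only: nothing is changed on the file system.
param(
    [string]$Root         = '\\CIFS-Server\HOME',   # placeholder share root
    [string]$OldDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'  # constructed value
)

function Get-OldDomainAce {
    param([string]$Path, [string]$DomainSid)

    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs rather than names so the result does not depend on
    # name resolution across the trust or on SID History.
    # Arguments: include explicit ACEs, skip inherited ACEs, return SIDs.
    $rules = $acl.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = [System.Security.Principal.SecurityIdentifier]$rule.IdentityReference
        # AccountDomainSid is $null for well-known SIDs (BUILTIN, Everyone, ...).
        if ($sid.AccountDomainSid -and $sid.AccountDomainSid.Value -eq $DomainSid) {
            [pscustomobject]@{
                Path   = $Path
                Sid    = $sid.Value
                Rights = $rule.FileSystemRights
                Type   = $rule.AccessControlType
            }
        }
    }
}

# One row per stale ACE; an empty CSV means no explicit old-domain ACEs remain.
Get-ChildItem -LiteralPath $Root -Directory |
    ForEach-Object { Get-OldDomainAce -Path $_.FullName -DomainSid $OldDomainSid } |
    Export-Csv -Path .\old-domain-aces.csv -NoTypeInformation
```

Running it before the trust is removed shows which folders would lose their owner's access once old-domain SIDs stop resolving.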
michaelha1
1 Message
0
August 21st, 2013 09:00
OK, so I am trying to use server_cifs server_x -Migrate, however I cannot get it to work. I am missing something, I am sure.
server_cifs server_2 -Migrate stm_celerra_test -acl xxx.biz:if=test_migrate xxx.biz:if=test_migrate
I get
server_2 :
Error 2213: server_2 : stm_celerra_test : invalid name specified
Rainer_EMC
8.6K Posts
0
August 22nd, 2013 03:00
Is stm_celerra_test a valid file system name?
Any errors in the data mover log?
gabrielle21
1 Message
0
July 24th, 2017 11:00
HVR software at https://www.hvr-software.com/solutions/migrations/ is another possible solution.
There's also the Best Practices Guide to Migrations that you can download from http://www.hvr-software.com/resource/extend-timeframe-critical-migrations/ with instructions on how to do a migration.