File Server in-place Domain Migration
When migrating to a new domain, a major part of the work is the file server, especially if there is a lot of data and many different permissions.
Thankfully, Microsoft has a very helpful tool called SubInACL. This tool can be used to read and update security permissions and is very helpful for a file server in-place domain migration. The tool can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=23510
But after searching a lot, there is no specific guide that someone has followed and that worked. So I started testing and came up with the following steps that worked for me:
- Open an elevated Command Prompt window and navigate to the folder containing subinacl.exe
- Export the permissions of the drive’s root:
subinacl /noverbose /output=C:\permissionsE.txt /file E:\
- Export the permissions of all the subfolders and files:
subinacl /noverbose /output=C:\permissionsEsub.txt /subdirectories E:\
- Copy the contents of the “permissionsE.txt” to the start of the “permissionsEsub.txt” file.
- Open the “permissionsEsub.txt” file and replace the old domain name with the new domain name.
- View the shares:
net view \\computername
- Export the shares’ permissions:
subinacl /noverbose /output=C:\shares.txt /share \\computername\fileshare
- Disjoin and join the Server to the new domain
- Import the NTFS permissions
subinacl /playfile C:\permissionsEsub.txt
- Import the shares’ permissions:
subinacl /playfile C:\shares.txt
Some comments from the field
The export process is very fast, but the import process takes much longer.
The subinacl process is single-threaded (it uses only one core), so in order to speed up the whole process you can split the permissions file and run it multiple times in different Command Prompt windows. Every subinacl.exe will create a single process that uses one core, so if you have four cores, create four processes.
The import process completely removes the existing permissions and applies the new ones, so no user IDs will remain on the files/folders.
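The domain-name replacement and the split into several play files can be done in one pass. The PowerShell sketch below is an added example, not part of the original post: it rewrites the domain prefix only on account lines (leaving folder paths that happen to contain the old name alone) and splits at object boundaries so that no ACL is cut in half. It assumes the export is UTF-16 text in which every object's record starts with a line beginning with "+"; OLDDOM, NEWDOM and the output prefix are placeholders.

```powershell
# Added example, not from the original post. Assumptions (check against your own export):
#  - the file is UTF-16 text and every object's record begins with a line starting "+"
#  - OLDDOM / NEWDOM and the output prefix are placeholders
param(
    [string]$InFile    = 'C:\permissionsEsub.txt',
    [string]$OutPrefix = 'C:\permissionsEsub_part',
    [string]$OldDomain = 'OLDDOM',
    [string]$NewDomain = 'NEWDOM',
    [int]$Parts        = 4      # one play file per core
)

$enc = [System.Text.Encoding]::Unicode
# Match "OLDDOM\" only as a complete domain prefix, case-insensitively.
$pattern = [regex]('(?i)(?<![\w.-])' + [regex]::Escape($OldDomain + '\'))
$replace = $NewDomain + '\'

# One output writer per part: <prefix>0.txt, <prefix>1.txt, ...
$writers = @(0..($Parts - 1) | ForEach-Object {
    New-Object System.IO.StreamWriter(('{0}{1}.txt' -f $OutPrefix, $_), $false, $enc)
})

$record = -1      # index of the record currently being copied
$rewritten = 0    # number of account lines changed
try {
    # Stream line by line so very large exports never sit in memory.
    foreach ($line in [System.IO.File]::ReadLines($InFile, $enc)) {
        if ($line.StartsWith('+')) {
            $record++       # object header: the path itself is left untouched
        } elseif ($pattern.IsMatch($line)) {
            $line = $pattern.Replace($line, $replace)
            $rewritten++
        }
        # Whole records go round-robin to the parts, so no ACL is split.
        $writers[[Math]::Max($record, 0) % $Parts].WriteLine($line)
    }
} finally {
    $writers | ForEach-Object { $_.Dispose() }
}

# Summary to review before the server leaves the old domain.
[pscustomobject]@{
    Records        = $record + 1
    LinesRewritten = $rewritten
    PlayFiles      = 0..($Parts - 1) | ForEach-Object { '{0}{1}.txt' -f $OutPrefix, $_ }
}
```

After the server has joined the new domain, run subinacl /playfile against each part in its own elevated Command Prompt window. A LinesRewritten count of 0 means the old domain name was not matched and the files should not be imported as they are.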