Although SUBINACL does have the ability to do what I mentioned, ADMTv3 is a better 
option...
 
My apologies for the "quick" information.
 
Let's try this again ;-)
 

File based data ACLs -> ADMTv3

Print services ACLs-> ADMTv3

Services ACLs-> SUBINACL (only needed when ACEs were set manually or through a GPO)

Service Accounts-> ADMTv3 (make sure you identify the custom service accounts 
FIRST on each server to be migrated. This also prevents the option "change 
password at next logon" from being set when the user account is migrated. All 
accounts NOT identified as service accounts will have the option set. If needed 
you can revert this afterwards with ADMOD/ADModify)

Shares ACLs-> ADMTv3

Registry ACLs-> ADMTv3

IIS -> third party

SQL -> third party

Citrix -> don't know

 

REMARK: if you have migrated users/groups WITH sIDHistory it may look like 
permissions have been translated. These are really translated when the actual 
translation task has been started/executed.

When the translation task has not been executed (yet), you will see that 
permissions may show as <TARGET>\<SEC PRINC> instead of <SOURCE>\<SEC PRINC>. 
This is because of the use of sIDHistory within the target domain. The system 
translates this to the TARGET ACCOUNT NAME. In reality, when digging, you will 
still see the SID of the source sec. principals. Just something to be aware of. 
This applies to everything that uses SIDs after migrating objects while data 
has not been translated yet.

 

For example:

* looking at the ACL of the DNS service after the migration of the computer 
(which I changed prior to the migration of the computer account, using an 
account of the source domain)

 

subinacl /service \\w2k3r2srv\dns /display=dacl

 

                 /pace =ad\jorgegroup    ACCESS_ALLOWED_ACE_TYPE-0x0
                                                  SERVICE_ALL_ACCESS
                 /pace =ad\jorgeuser     ACCESS_ALLOWED_ACE_TYPE-0x0
                                                 SERVICE_ALL_ACCESS

 

subinacl /service \\w2k3r2srv\dns /display=sddl
 
                 +Service dns
/sddl=O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1019)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1020)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

 

S-1-5-21-1153913138-43527854-1722840164-1019 = NT4\jorgegroup

S-1-5-21-1153913138-43527854-1722840164-1020 = NT4\jorgeuser

 

Looking at the objects with LDP:

>> Dn: CN=JORGEGROUP,OU=ORG,DC=AD,DC=LAN
 2> objectClass: top; group; 
 1> cn: JORGEGROUP; 
 1> distinguishedName: CN=JORGEGROUP,OU=ORG,DC=AD,DC=LAN; 
 1> objectGUID: 7c333aeb-589d-4da2-ad97-13c3f10a4e50; 
 1> objectSid: S-1-5-21-3495709831-2249124843-3216744473-8997; 
 1> sAMAccountName: JORGEGROUP; 
 1> sAMAccountType: 268435456; 
 1> sIDHistory: S-1-5-21-1153913138-43527854-1722840164-1019; 
<<<<<<<+++++++++++++++++++++++++++OLD SID
 1> groupType: 0x80000002 = ( GROUP_TYPE_ACCOUNT_GROUP | 
GROUP_TYPE_SECURITY_ENABLED ); 
 1> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=AD,DC=LAN; 

 

Dn: CN=JORGEUSER,OU=ORG,DC=AD,DC=LAN
 4> objectClass: top; person; organizationalPerson; user; 
 1> cn: JORGEUSER; 
 1> distinguishedName: CN=JORGEUSER,OU=ORG,DC=AD,DC=LAN; 
 1> name: JORGEUSER; 
 1> objectGUID: d719eb60-369a-448e-9554-96af1fae20b9; 
 1> userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD 
); 
 1> objectSid: S-1-5-21-3495709831-2249124843-3216744473-8998; 
 1> sAMAccountName: JORGEUSER; 
 1> sAMAccountType: 805306368; 
 1> sIDHistory: S-1-5-21-1153913138-43527854-1722840164-1020;  
<<<<<<<+++++++++++++++++++++++++++OLD SID
 1> userPrincipalName: [EMAIL PROTECTED]; 
 1> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AD,DC=LAN; 

 

 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel    : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : <see sender address>
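As an added illustration (not part of Jorge's message, and not ADMT or SUBINACL code), the following Python script shows the point of the REMARK above in working code: it parses the SDDL string captured from the DNS service, resolves each trustee the way the target domain would, and flags the ACEs that only resolve to AD\JORGEGROUP and AD\JORGEUSER because of sIDHistory, i.e. the ones still carrying the NT4 SIDs. The directory snapshot is constructed from the two LDP dumps in the message; the well-known trustee abbreviations are the standard SDDL ones. translate_sddl models the simplest form of a security translation (replacing the old SID with the new one) and is not a model of ADMT's add/replace modes.

```python
import re

# SDDL string exactly as captured on the page by
#   subinacl /service \\w2k3r2srv\dns /display=sddl
DNS_SERVICE_SDDL = (
    "O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1019)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1020)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Constructed directory snapshot: the two target-domain objects from the LDP
# dumps in the message, reduced to the attributes this check needs.
TARGET_DOMAIN = "AD"
DIRECTORY = [
    {"sAMAccountName": "JORGEGROUP",
     "objectSid": "S-1-5-21-3495709831-2249124843-3216744473-8997",
     "sIDHistory": ["S-1-5-21-1153913138-43527854-1722840164-1019"]},
    {"sAMAccountName": "JORGEUSER",
     "objectSid": "S-1-5-21-3495709831-2249124843-3216744473-8998",
     "sIDHistory": ["S-1-5-21-1153913138-43527854-1722840164-1020"]},
]

# Two-letter SDDL trustee abbreviations that occur in the captured string.
WELL_KNOWN = {
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "PU": "BUILTIN\\Power Users",
    "WD": "Everyone",
}


def parse_dacl(sddl):
    """Split the D: section of an SDDL string into (ace_type, rights, trustee) tuples."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        fields = body.split(";")
        aces.append((fields[0], fields[2], fields[5]))
    return aces


def resolve(trustee, directory):
    """Map an SDDL trustee to (display_name, how), as the target domain would:
    'objectSid' when the SID is the object's own, 'sIDHistory' when it is a
    source-domain SID carried over by the migration, else 'well-known'/'unresolved'."""
    if trustee in WELL_KNOWN:
        return WELL_KNOWN[trustee], "well-known"
    for obj in directory:
        name = TARGET_DOMAIN + "\\" + obj["sAMAccountName"]
        if trustee == obj["objectSid"]:
            return name, "objectSid"
        if trustee in obj["sIDHistory"]:
            return name, "sIDHistory"
    return trustee, "unresolved"


def untranslated_aces(sddl, directory):
    """ACEs that still hold a source-domain SID: they display as <TARGET>\\<name>
    only through sIDHistory and stop resolving once the source forest is gone."""
    stale = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        name, how = resolve(trustee, directory)
        if how == "sIDHistory":
            stale.append({"trustee": trustee, "resolves_to": name,
                          "ace_type": ace_type, "rights": rights})
    return stale


def translate_sddl(sddl, directory):
    """Simplest form of a security translation: rewrite every sIDHistory SID to
    the object's current objectSid so the ACE no longer depends on sIDHistory."""
    for obj in directory:
        for old_sid in obj["sIDHistory"]:
            sddl = sddl.replace(old_sid, obj["objectSid"])
    return sddl


if __name__ == "__main__":
    for ace in untranslated_aces(DNS_SERVICE_SDDL, DIRECTORY):
        print("untranslated ACE: %s shown as %s (%s)"
              % (ace["trustee"], ace["resolves_to"], ace["rights"]))
    translated = translate_sddl(DNS_SERVICE_SDDL, DIRECTORY)
    print("untranslated after translation:", untranslated_aces(translated, DIRECTORY))
```

Run against the captured string, the script reports the two ACEs for S-...-1019 and S-...-1020 as untranslated even though a GUI would show them as AD\JORGEGROUP and AD\JORGEUSER; after translate_sddl the same check reports none, which is the state you want before the source domain is decommissioned.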

________________________________

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Tue 2006-11-07 19:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next



ADMT3 can replace subinacl...

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: Tuesday, November 07, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

 

If you just want to migrate the servers from one domain to the other, you can 
use ADMT. However... if you also need to translate data, that is another story.

 

File based data -> ADMT

Print services -> SUBINACL

Services -> SUBINACL

Shares -> SUBINACL

Registry -> SUBINACL

IIS -> third party

SQL -> third party

Citrix -> don't know

 

PS.: SUBINACL is in the resource kit, but make sure to download the latest 
version

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

Tel    : +31-(0)40-29.57.777

Mobile : +31-(0)6-26.26.62.80

E-mail : <see sender address>

 

________________________________

From: [EMAIL PROTECTED] on behalf of Danny
Sent: Tue 2006-11-07 18:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

Thanks to advice from the ActiveDir community (this mailing list) and 
Microsoft's ADMT and ExMerge, we have successfully completed an interforest 
migration - of users, computers, and mailboxes. Next up: the servers, 12 of 
them. Two DC's, the rest are made up of file, print, Exchange, MS SQL 
(integrated auth), Citrix, and backup. The source forest will no longer be 
necessary in a few weeks. Would you recommend using ADMT for the servers as 
well? I know that the DC's and Exchange server will be done manually.. 

Thanks,
...D



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
