On 11/7/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
although SUBINACL does have the ability to do what I mentioned, ADMTv3 is a better option...
my apologies for the "quick" information
let's try this again ;-)
File based data ACLs -> ADMTv3
Print services ACLs-> ADMTv3
Services ACLs-> SUBINACL (only needed when ACEs set manually or through a GPO)
Services Accounts-> ADMTv3 (make sure you identify the custom service accounts FIRST on each server to be migrated. This also prevents the option "change password at next logon" being set as the user account is migrated. All accounts NOT identified as service accounts will have the option set. If needed you can revert this afterwards with ADMOD/ADModify)
Shares ACLs-> ADMTv3
Registry ACLs-> ADMTv3
IIS -> third party
SQL -> third party
Citrix -> don't know
REMARK: if you have migrated users/groups WITH sIDHistory it may look like permissions have been translated. These are really translated when the actual translation task has been started/executed.
When the translation task has not been executed (yet), you will see that permissions may show as <TARGET>\<SEC PRINC> instead of <SOURCE>\<SEC PRINC>. This is because of the use of sIDHistory within the target domain. The system translates this to the TARGET ACCOUNT NAME. In reality, when digging you will still see the SID of the source sec. principals. Just something to be aware of. This applies to everything that uses SIDs after migrating objects while data has not been translated yet.
For example:
* looking at the ACL of the DNS service after the migration of the computer (which I changed prior to the migration of the computer account using an account of the source domain)
subinacl /service \\w2k3r2srv\dns /display=dacl
/pace =ad\jorgegroup ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_ALL_ACCESS
/pace =ad\jorgeuser ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_ALL_ACCESS
subinacl /service \\w2k3r2srv\dns /display=sddl
+Service dns
/sddl=O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1019)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1020)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
S-1-5-21-1153913138-43527854-1722840164-1019 = NT4\jorgegroup
S-1-5-21-1153913138-43527854-1722840164-1020 = NT4\jorgeuser
looking with LDP into the objects
>> Dn: CN=JORGEGROUP,OU=ORG,DC=AD,DC=LAN
2> objectClass: top; group;
1> cn: JORGEGROUP;
1> distinguishedName: CN=JORGEGROUP,OU=ORG,DC=AD,DC=LAN;
1> objectGUID: 7c333aeb-589d-4da2-ad97-13c3f10a4e50;
1> objectSid: S-1-5-21-3495709831-2249124843-3216744473-8997;
1> sAMAccountName: JORGEGROUP;
1> sAMAccountType: 268435456;
1> sIDHistory: S-1-5-21-1153913138-43527854-1722840164-1019; <<<<<<<+++++++++++++++++++++++++++OLD SID
1> groupType: 0x80000002 = ( GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED );
1> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=AD,DC=LAN;
Dn: CN=JORGEUSER,OU=ORG,DC=AD,DC=LAN
4> objectClass: top; person; organizationalPerson; user;
1> cn: JORGEUSER;
1> distinguishedName: CN=JORGEUSER,OU=ORG,DC=AD,DC=LAN;
1> name: JORGEUSER;
1> objectGUID: d719eb60-369a-448e-9554-96af1fae20b9;
1> userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD );
1> objectSid: S-1-5-21-3495709831-2249124843-3216744473-8998;
1> sAMAccountName: JORGEUSER;
1> sAMAccountType: 805306368;
1> sIDHistory: S-1-5-21-1153913138-43527854-1722840164-1020; <<<<<<<+++++++++++++++++++++++++++OLD SID
1> userPrincipalName: [EMAIL PROTECTED];
1> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AD,DC=LAN;
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : <see sender address>
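To see Jorge's remark in practice, here is an added example (my code, not from the thread) that parses the SDDL subinacl printed for the dns service and reports every ACE whose trustee is still a raw source-domain SID, resolving each one through the sIDHistory values LDP showed. The domain SIDs, RIDs and SDDL are copied from the message; the section split assumes standard (non-conditional) ACEs, whose fields never contain a colon.

```python
import re

# Domain SIDs from the LDP output above: NT4 is the source domain, AD the target.
SOURCE_DOMAIN_SID = "S-1-5-21-1153913138-43527854-1722840164"
TARGET_DOMAIN_SID = "S-1-5-21-3495709831-2249124843-3216744473"

# sIDHistory as shown by LDP: old (source) SID -> new (target) SID.
SID_HISTORY = {
    SOURCE_DOMAIN_SID + "-1019": TARGET_DOMAIN_SID + "-8997",  # JORGEGROUP
    SOURCE_DOMAIN_SID + "-1020": TARGET_DOMAIN_SID + "-8998",  # JORGEUSER
}

# The SDDL subinacl printed for the dns service, re-joined into one string.
DNS_SERVICE_SDDL = (
    "O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1019)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1020)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

def split_sections(sddl):
    """Split SDDL into its O:/G:/D:/S: sections. Standard ACE bodies never contain
    ':', so the next single letter followed by ':' always starts a new section
    (assumption: conditional ACEs are not handled)."""
    return dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))

def parse_aces(acl):
    """Each ACE string becomes (type, flags, rights, object_guid, inherit_guid, trustee)."""
    return [tuple(body.split(";")) for body in re.findall(r"\(([^)]*)\)", acl)]

def untranslated_trustees(sddl, source_domain_sid=SOURCE_DOMAIN_SID, sid_history=SID_HISTORY):
    """List (section, trustee_sid, target_sid, rights) for every ACE whose trustee
    is still a raw source-domain SID, i.e. security translation has not run on it.
    target_sid is what sIDHistory resolves it to; None means the account was not
    migrated with history, so the ACE stops resolving once the source domain is gone."""
    hits = []
    for section in ("D", "S"):
        for ace in parse_aces(split_sections(sddl).get(section, "")):
            trustee = ace[5]
            if trustee.startswith(source_domain_sid + "-"):
                hits.append((section, trustee, sid_history.get(trustee), ace[2]))
    return hits

if __name__ == "__main__":
    for section, sid, target, rights in untranslated_trustees(DNS_SERVICE_SDDL):
        print(f"{section}: {sid} -> {target or 'NO sIDHistory match'} ({rights})")
```

Run against the page's SDDL it lists exactly the two NT4 SIDs (RIDs 1019 and 1020) that the ACL still carries, even though the GUI already shows them under their AD names.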
________________________________
From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Tue 2006-11-07 19:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next
ADMT3 can replace subinacl...
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, November 07, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next
if you just want to migrate the servers from one domain to the other, you can use ADMT. However... if you also need to translate data, that is another story.
File based data -> ADMT
Print services -> SUBINACL
Services -> SUBINACL
Shares -> SUBINACL
Registry -> SUBINACL
IIS -> third party
SQL -> third party
Citrix -> don't know
PS.: SUBINACL is in the resource kit, but make sure to download the latest version
________________________________
From: [EMAIL PROTECTED] on behalf of Danny
Sent: Tue 2006-11-07 18:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next
Thanks to advice from the ActiveDir community (this mailing list) and Microsoft's ADMT and ExMerge, we have successfully completed an interforest migration of users, computers, and mailboxes. Next up: the servers, 12 of them. Two DCs; the rest are made up of file, print, Exchange, MS SQL (integrated auth), Citrix, and backup. The source forest will no longer be necessary in a few weeks. Would you recommend using ADMT for the servers as well? I know that the DCs and Exchange server will be done manually.
Thanks,
...D
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer