Domain Migration SubinACL /Migratetodomain How To:

Caution: DO NOT run this against C:\ on a Domain Controller. Only run it on roaming profile folders or My Documents shares, on the day of migration, to avoid ownership change issues.

Confirm Domain trust is in place and users and groups have been migrated

Test ping of olddomain.org from new domain
Test ping of newdomain.org from olddomain

Add newdomain.org domain controller host records to olddomain.org including reverse DNS records

Confirm the user running the app is a domain admin in BOTH domains

Download SubinACL here:

http://www.microsoft.com/en-us/download/details.aspx?id=23510

The /migratetodomain switch adds the permissions of the new user to the old files and folders. For example, if jimbob@olddomain.org was migrated to the new domain as jimbob@newdomain.org and you run the command below, any file or folder in that path that has jimbob@olddomain.org will get jimbob@newdomain.org added with the exact same permissions. This is a safer way to migrate because it keeps the old and new permissions intact while allowing you time to move the data and users. You can clean up the olddomain permissions after the migration.

To run a pretest from an admin command prompt, add the /testmode switch as shown in the example below:

Subinacl /outputlog=subinacle_CTest.log /Subdirectories C:\Printe~1\*.* /migratetodomain=olddomain.org=newdomain.org /testmode

To run the actual permissions additions on the subdirectories from an admin command prompt, see the example below:

Subinacl /outputlog=subinacle_CPrint.log /Subdirectories C:\Printe~1\*.* /migratetodomain=olddomain.org=newdomain.org

Note: the directory name is c:\printe~1 instead of c:\printer drivers. If you are working with a path that contains spaces, use the 8 character short name on the command line.

Note: for root directory permissions you may have to run the script a second time, as shown below, without the “*.*” so that it adds permissions to the directory itself as well.

To run the actual permissions additions on the directory itself from an admin command prompt, see the example below:

Subinacl /outputlog=subinacle_CPrintroot.log /Subdirectories C:\Printe~1 /migratetodomain=olddomain.org=newdomain.org

Note: Please be sure to change the output log filename with each run so you have a historical log to reference as I did in the examples above
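
A way to confirm the result of the runs above before cleaning up any olddomain permissions, as an added example (not from the original post, and not part of SubInACL). It assumes placeholder NetBIOS names OLDDOMAIN and NEWDOMAIN, account names that are unchanged by the migration, and a working trust so old-domain SIDs resolve to names; Get-AceKey is a helper defined here.

```powershell
# Added example: report explicit ACEs for OLD-domain accounts that have no
# identical ACE for the same account name in the NEW domain.
# Assumptions (not from the post): the NetBIOS names OLDDOMAIN / NEWDOMAIN are
# placeholders, and migrated accounts keep the same sAMAccountName.
param(
    [string]$Path      = 'C:\Printe~1',
    [string]$OldDomain = 'OLDDOMAIN',   # placeholder NetBIOS name
    [string]$NewDomain = 'NEWDOMAIN'    # placeholder NetBIOS name
)

function Get-AceKey {
    param($Ace, [string]$Identity)
    # Every field that must match between the old ACE and its new-domain twin
    '{0}|{1}|{2}|{3}|{4}' -f $Identity.ToUpperInvariant(), $Ace.FileSystemRights,
        $Ace.AccessControlType, $Ace.InheritanceFlags, $Ace.PropagationFlags
}

# The folder itself plus everything below it (the post covers these in two runs)
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

$gaps = @(foreach ($item in $items) {
    # Inherited ACEs follow the parent, so only explicit ACEs need checking
    $aces = @((Get-Acl -LiteralPath $item.FullName).Access |
              Where-Object { -not $_.IsInherited })
    $present = @{}
    foreach ($ace in $aces) {
        $present[(Get-AceKey $ace $ace.IdentityReference.Value)] = $true
    }
    foreach ($ace in $aces) {
        $id = $ace.IdentityReference.Value
        if ($id -like "$OldDomain\*") {
            $expected = "$NewDomain\" + $id.Substring($OldDomain.Length + 1)
            if (-not $present.ContainsKey((Get-AceKey $ace $expected))) {
                [pscustomobject]@{ Path = $item.FullName; OldAce = $id
                                   Expected = $expected
                                   Rights = $ace.FileSystemRights }
            }
        }
    }
})

# Timestamped report name, in the spirit of the post's one-log-per-run note
if ($gaps.Count) {
    $gaps | Export-Csv -NoTypeInformation -Path ".\acl_gaps_$(Get-Date -Format yyyyMMdd_HHmmss).csv"
}
'{0} old-domain ACE(s) without a matching new-domain ACE' -f $gaps.Count
```

A count of zero after the real (non-/testmode) run means every explicit old-domain entry in the tree has a new-domain counterpart with the same rights and inheritance settings.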

Real world: “Error when checking arguments- path” is a vague error that makes you think the problem is the path but it is likely a problem with your old and new domain settings.

In my last case I was changing from a test lab domain similar to KOppihle3.local to KOppihle3.com. My trust was working fine. When I would ping, they resolved; however, I was getting the “error when checking arguments” when I would run the following command:

Subinacl /outputlog=subinacle_CTest.log /Subdirectories C:\Printe~1\*.* /migratetodomain=koppihle3.local=koppihle3.com /testmode

The fix was to use the (pre-Windows 2000) NetBIOS domain names of the 2 domains instead, as shown below:

Subinacl /outputlog=subinacle_CTest.log /Subdirectories C:\Printe~1\*.* /migratetodomain=koppihle3=ko /testmode

The rest of the story: Initially I quickly spun up a new test lab domain Koppihle3.com and clicked a little too fast without thinking. When I had the new domain up and tried to create the trust from Koppihle3.local to Koppihle3.com, it failed because I used the same NetBIOS domain name of Koppihle3 for both domains. I quickly reloaded my “new” test domain and gave it the NetBIOS name KO, with the old still using koppihle3, and I was able to create the trust. Then I worked through the scenario above.

Comments

  1. This is a brilliant time saver for domain migrations. I am on the verge of doing a migration from one forest to another. The script above saved me tons of time and hassle to migrate a 12TB file server. Thank you.

  2. I needed to use good old subinacl at a customer and hit the same issue described above. Thanks for taking the time to write up this article. BTW, it also appears that subinacl will try to use single label DNS names when contacting Domain Controllers in the destination forest. For that purpose, I also needed to add an extra DNS suffix in the adapter settings.
