RE: Data migration without trusts



Dear James,

Thanks for posting here.

After viewing this post, I am a bit unclear about what kind of data you are
planning to migrate to the newly created domain without establishing a trust
relationship between the old and new Domain Controllers.

Analysis:
=======

1. Each user account has a unique SID, and NTFS authorization is based
on the ACL (Access Control List), as we know. An ACL includes many ACEs (Access
Control Entries) to realize authorization, each of which mainly consists of a SID
(Security Identifier) and the specific permissions that the user or system has.
Please note that SIDs are not the user display names, but strings like
"S-1-5-21...".


2. Why in most cases we see the user accounts' friendly display names but
not their SIDs directly when viewing the NTFS permissions? This is because
Windows system "translates" the SIDs to their corresponding user account
names.

Suggestion:
========

Based on the above analysis, if a trust relationship is not allowed,
we can't migrate the user accounts first. Thus, the subsequent file (like
files, user profiles) migration may fail, because the system will lose the
file permissions.

Normally, we recommend first migrating the user accounts with ADMT (Active
Domain Migrate Tool), and subsequently migrating the computer accounts and security
(like NTFS permissions, share permissions, etc.).
In addition, as for user profiles, USMT (User State Migration Tool) is a
good choice. USMT helps the system administrator easily migrate and
consolidate user profiles between different computers in a domain. The User
State Migration Tool consists of two executable files, ScanState.exe and
LoadState.exe, and four migration rule information files: Migapp.inf,
Migsys.inf, Miguser.inf, and Sysfiles.inf. ScanState.exe collects user data
and settings based on the information contained in Migapp.inf, Migsys.inf,
Miguser.inf and Sysfiles.inf. LoadState.exe deposits this user state data
on a target computer.

More information:
================

For more information about USMT, please refer to:

http://technet.microsoft.com/zh-cn/library/bb457090(en-us).aspx

Step-by-Step Guide to Migrating Files and Settings

http://technet.microsoft.com/zh-cn/library/bb457074(en-us).aspx

The above ADMT v3 Migration Guide can be downloaded here:
http://www.microsoft.com/downloads/details.aspx?familyid=D99EF770-3BBB-4B9E-A8BC-01E9F7EF7342&displaylang=en

You can download the ADMT v3 tool from the following link:
http://www.microsoft.com/downloads/details.aspx?familyid=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en

I hope this helps. If anything is unclear, please feel free to let me know.

Thanks.


Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->From: james_c <james_c.33srjd@xxxxxxxxxxxxx>
--->Subject: Data migration without trusts
--->Date: Sat, 26 Jan 2008 19:34:53 +0530
--->Message-ID: <james_c.33srjd@xxxxxxxxxxxxx>
--->Organization: Computer Help - http://forums.techarena.in
--->Newsgroups: microsoft.public.windows.server.migration
--->
--->
New to some of this, but we are currently setting up a new IT system for
a demerged company and as daft as it sounds we are not allowed to create
trusts between the two AD domains...!
--->
--->We've looked into some tools, but would all take great expense and time
to setup and run.
--->
--->I've done a little reading about, but would like to understand if
anyone else has had any joy in a similar situation.
--->
--->Although I have not tested out this theory yet, wouldn't something like
migrating the data and using SubinACL to change the permissions work.
The target AD domain has been built on an extract of the source, but no
SID history was taken.
--->
--->Any thoughts greatly appreciated.


--
james_c
------------------------------------------------------------------------
james_c's Profile: http://forums.techarena.in/member.php?userid=40376
View this thread: http://forums.techarena.in/showthread.php?t=901205

http://forums.techarena.in
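
The SID point discussed in this thread, as an added example that is not part of either post and is not SubInACL or ADMT code: it decodes a binary SID into the "S-1-5-21..." form and rewrites the trustee of each ACE in an SDDL string from a source-domain SID to its target-domain counterpart, reporting ACEs that have no mapping. The function names, the SIDs and the mapping are constructed for illustration; the mapping is assumed to come from matching account names in exports of both domains, and only simple (non-conditional) ACEs are handled.

```python
import re
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID, as stored inside an ACE, to its S-1-... string."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", raw, 8)    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

ACE_RE = re.compile(r"\(([^()]*)\)")   # simple ACEs only, no conditional ACEs

def remap_sddl(sddl: str, source_domain_sid: str, sid_map: dict):
    """Swap source-domain trustees in each ACE for their target-domain SIDs.

    Returns (rewritten SDDL, source SIDs with no mapping). Unmapped ACEs are
    left in place; in the target domain they resolve to no account.
    """
    orphaned = []

    def fix(match):
        fields = match.group(1).split(";")
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        if len(fields) >= 6 and fields[5].startswith(source_domain_sid + "-"):
            if fields[5] in sid_map:
                fields[5] = sid_map[fields[5]]
            else:
                orphaned.append(fields[5])
        return "(" + ";".join(fields) + ")"

    return ACE_RE.sub(fix, sddl), orphaned

# Constructed sample values (hypothetical domains, not from the thread).
SRC = "S-1-5-21-1000000001-1000000002-1000000003"
DST = "S-1-5-21-2000000001-2000000002-2000000003"
RAW_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1000000001, 1000000002, 1000000003, 1105)
SDDL = f"O:BAD:(A;;FA;;;{SRC}-1105)(A;;0x1200a9;;;{SRC}-1190)(A;;FA;;;BA)"
# Assumed mapping, e.g. built by matching account names in exports of both domains.
SID_MAP = {f"{SRC}-1105": f"{DST}-2301"}

if __name__ == "__main__":
    print(sid_to_string(RAW_SID))
    new_sddl, orphaned = remap_sddl(SDDL, SRC, SID_MAP)
    print(new_sddl)
    print("unmapped:", orphaned)
```

The ACE for RID 1190 is reported as unmapped: it stays on the file but names no account in the target domain, which is the permission loss the reply describes. The well-known alias `BA` (Builtin Administrators) is not domain-specific and is left untouched.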
