Howto: Migrate file shares, permissions, and user profiles paths in a Windows 2003 domain


I’m in the process of migrating from serv1, a Windows 2003 Domain Controller (DC), to serv2, a new Windows 2003 DC.  Serv1 has approximately 185 student accounts and 5 staff accounts.  Each user has their own shared folder on the server, which is defined in the user account profile path in Active Directory Users and Computers (ADU&C).  There are a handful of other shares that need to be migrated as well.

I decided on the following requirements and stipulations for my migration solution in this particular scenario:

1)  Make an effort to use only freeware or shareware tools whenever possible.

2)  The user home directories (defined by the user profile path) needed to be copied to the new server, but the data inside their home directories was not to be retained on the new server.

3)  I was not going to reshare each folder once it was migrated, so I needed some other method of redefining the shares on serv2.  I needed the share permissions migrated as well.

4)  Existing NTFS permissions for user home directories needed to be applied on serv2.

5)  The user profile path had to be updated in ADU&C from \\serv1\users\%username% to \\serv2\users\%username%

6)  The drive letter location of all the user’s home directories was being changed from c:\users\%username% (on serv1) to e:\users\%username% (on serv2).

I took the time to come up with this methodology since I have to do this type of server migration all the time.  This should also work for migrating from Windows 2000 to Windows 2003.  Here’s my solution:

I initially planned on using the Microsoft File Server Migration Toolkit to migrate from serv1 to serv2, but I found it to be very clunky and not very configurable.  It kind of seemed like it was a migration tool for dummies without any advanced options that would confuse Joe Admin.  I played around with it for about an hour before determining it was not the solution for me.

The next path I wandered down was to use Robocopy (with the optional GUI) to copy my \\serv1\users directory to \\serv2\users.  Robocopy is a part of the Windows 2003 Resource Kit Tools, and Robocopy GUI is available from the Technet Magazine November 2006 Utility Spotlight.

Robocopy has a ton of options available, which is why the GUI comes in handy.  I originally planned to copy the \\serv1\users data to \\serv2\users using the syntax found in KB323275, but it never behaved quite as expected.

I tried to execute Robocopy in the following manner (type it all on one line), expecting the directory tree structure to be copied one folder down (LEV:1) from \\serv1\users, but it copied only the files located in \\serv1\users and no directories.

robocopy.exe \\serv1\users \\serv2\users /COPYALL /LEV:1 /ZB /V /FP /W:5 /R:5 /LOG:copy.log

So I changed /LEV:1 to /LEV:2, and it copied the directory structure \\serv1\users\%username%, plus the data in the %username% folder, which was not what I wanted (again, type as one line):

robocopy.exe \\serv1\users \\serv2\users /COPYALL /LEV:2 /ZB /V /FP /W:5 /R:5 /LOG:copy.log

Robocopy frustrated the hell out of me, so I moved on to try xxcopy.exe, which is very similar to Robocopy.  I briefly perused the author’s web site and saw “freeware version”, so I started working with it.  Not until I received error messages about copying between remote shares did I notice the freeware version of xxcopy.exe was for personal property use only – since I don’t own this network, I was not allowed to use the free version per their licensing agreement – so I needed a new direction once again.

I finally resorted to using the good ole Windows xcopy.exe (see KB 289483 and KB 323007 for usage and options) to copy my directory structure from within the source users directory to the destination users directory:

xcopy *.* /T y:\users

This worked too well – it copied all subdirectories, which is definitely not what we wanted.

I was frustrated with my lack of progress, so I went back to my second robocopy, which copied the correct directory structure, but also copied the files within the directories.

robocopy.exe \\serv1\users \\serv2\users /COPYALL /LEV:2 /ZB /V /FP /W:5 /R:5 /LOG:copy.log

Next I used del.exe from within the \\serv2\users in order to delete all the files (but not folders) within the \\serv2\users\%username% structure:

del.exe *.* /f /s /q

This worked great, but did not remove hidden files.  In order to remove the hidden files, I had to do the following:

del.exe *.* /f /s /q /ah

Now I finally had the correct directory structure on \\serv2\users.  I could move on to copying the share permissions, since Robocopy.exe had copied the folder permissions for me when I used the  /copyall option.

Microsoft’s official method of migrating shares from one server to another is documented in KB125996, which requires an export of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Shares from \\serv1, and the import of the resulting .reg file into \\serv2.

That process works great as long as the same drive letters are used on both servers.  In my case, c:\users was the source on \\serv1, while e:\users would be the share location on the destination \\serv2.  If you look at the exported .reg file, it’s not in a human-readable format; it’s a bunch of hex numbers.  I hoped I could do a find and replace using a hex editor to change c:\users to e:\users in my exported .reg file, but that was another huge waste of time.

Finally I came across jv16 Powertools 2007, which I installed on \\serv2.  I imported the .reg file from \\serv1 into \\serv2, then ran the Registry Find and Replace utility, and replaced all instances of c:\users\ with e:\users\.  I rebooted \\serv2, and my 190 (or so) shared folders magically appeared!  Finally, I was making progress!

(As a side note, I recommend supporting the developer of this utility, and will be purchasing the $59 commercial license.  Personal licenses are $29.95.  I will gladly pay the $59 rather than have to recreate each share on \\serv2 by hand.)
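Why the exported .reg file looks like hex, as an added Python example (not part of the original post): regedit writes each share as a hex(7) value, which is a REG_MULTI_SZ stored as UTF-16LE bytes, so a plain text search for c:\users cannot match it. The sample export and share names are constructed, and rewrite_share_paths is a hypothetical helper that changes only Path= entries under the Shares key and leaves the Security subkey (the share-level ACLs) untouched.

```python
import re

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):(?P<hex>[0-9a-fA-F,]*)$')
SHARES_KEY = r"\services\lanmanserver\shares"

def encode_multi_sz(strings):
    """REG_MULTI_SZ as regedit writes it: UTF-16LE, NUL after each string, extra NUL at end."""
    raw = "".join(s + "\0" for s in strings) + "\0"
    return ",".join(f"{b:02x}" for b in raw.encode("utf-16-le"))

def decode_multi_sz(hex_text):
    """Turn the comma-separated bytes of a hex(7) value back into a list of strings."""
    data = bytes(int(h, 16) for h in hex_text.split(",") if h)
    return [s for s in data.decode("utf-16-le").split("\0") if s]

def rewrite_share_paths(reg_text, old_root, new_root):
    """Rewrite Path= of every share under old_root; return (new_text, changes)."""
    old = old_root.rstrip("\\").lower()
    new_root = new_root.rstrip("\\")
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)  # undo regedit's "\" line wraps
    out, changes, in_shares = [], [], False
    for line in joined.splitlines():
        if line.startswith("["):
            # Only the Shares key itself; Shares\Security holds binary share ACLs.
            in_shares = line.strip("[]").lower().endswith(SHARES_KEY)
        m = VALUE_RE.match(line) if in_shares else None
        if m:
            fields = decode_multi_sz(m["hex"])
            for i, field in enumerate(fields):
                key, _, path = field.partition("=")
                # Match on a path-component boundary so c:\users2 is left alone.
                if key == "Path" and (path.lower() == old
                                      or path.lower().startswith(old + "\\")):
                    moved = new_root + path[len(old):]
                    fields[i] = "Path=" + moved
                    changes.append((m["name"], path, moved))
            # Values are emitted on one line (not re-wrapped).
            line = f'"{m["name"]}"=hex(7):{encode_multi_sz(fields)}'
        out.append(line)
    return "\r\n".join(out) + "\r\n", changes

def sample_export():
    """Constructed sample export (hypothetical share names), wrapped the way regedit wraps."""
    def value(name, path):
        hexed = encode_multi_sz(["CSCFlags=0", "MaxUses=4294967295", "Path=" + path,
                                 "Permissions=0", "Remark=", "Type=0"])
        return f'"{name}"=hex(7):{hexed[:60]}\\\r\n  {hexed[60:]}'
    base = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares"
    return "\r\n".join([
        "Windows Registry Editor Version 5.00", "",
        base + "]",
        value("users", r"c:\users"),
        value("jdoe", r"C:\Users\jdoe"),
        value("apps", r"c:\users2\apps"),   # different root: must not be rewritten
        "",
        base + r"\Security]",
        '"jdoe"=hex:01,00,04,80',           # constructed placeholder, not a real descriptor
    ]) + "\r\n"

if __name__ == "__main__":
    # A real export is a UTF-16 file: open(path, encoding="utf-16").read()
    new_text, changed = rewrite_share_paths(sample_export(), r"c:\users", r"e:\users")
    for share, before, after in changed:
        print(f"{share}: {before} -> {after}")
```

Reviewing the returned change list before importing is the point: it shows exactly which shares move and confirms that nothing outside the Shares key was edited.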

Finally, I needed to change each user’s profile path in Active Directory Users and Computers from \\serv1\users\%username% to \\serv2\users\%username%.  I had no desire to edit each account by hand, so I searched for a solution and came up with ADModify.net, which I was faintly familiar with as an Exchange tool.

ADModify is very intuitive to use.  You’ll need to select the domain and source DC, then make sure the “show only users” check box is selected and “show containers only” is de-selected.  Click the green arrow box and expand your domain, and the list of OUs is displayed.  Expand the OU your users reside in and highlight the users whose profile path you’d like to modify.  The only slight roadblock I came across using this utility was that I had to select my users once again from the rightmost pane before I could press next.

Once you press next, the familiar ADU&C interface appears.  I went to the Profiles tab, and selected the Profile Path check box, then entered \\serv2\users\%username% as the path to the profile.  I pressed the Go button, and all of my users’ profile paths were changed!  My migration was finally complete.

[update 11-09-2007]

KB 310316 describes a registry modification that can be made to modify how Windows Explorer handles permissions when objects are copied or moved to another NTFS volume. When you copy or move an object to another volume, the object inherits the permissions of its new folder. If you want to modify this behavior to preserve the original permissions, follow the instructions to modify the registry.

KB 174273 describes how to use scopy.exe to copy NTFS files or directory structures while maintaining NTFS permissions and restoring Share Level permissions. This method includes copying between partitions, hard drives, or computers.  It also briefly mentions using PermCopy.exe, a command-line utility that copies share-level permissions (access control lists [ACLs]) from one share to another.

If you’re using scopy to copy local group permissions to other domains, read KB 168470 regarding potential access problems with the trusting domain.

If you use some other solution to copy your data to its new location but still want to copy NTFS file system access control lists (ACLs), check out KB 323275 for how to do this with Robocopy.

13 Responses to “Howto: Migrate file shares, permissions, and user profiles paths in a Windows 2003 domain”

  1. Howto: Change passwords for all users in an OU in a Windows 2003 domain « the back room tech Says:

    […] OU in a Windows 2003 domain August 29th, 2007 — Julie Yesterday I wrote about how to migrate user data and profiles to a new Windows 2003 domain controller.  Today I’ll show you how to bulk change passwords […]

  2. Steven Says:

    I used to use all these tools like fsmt, robocopy, xcopy, xxcopy and etc… Yes, they are handy in some easy cases but none of them are suitable for easy server migration. Every time you need to use some extra tools to finish the migration. But I suppose there is a solution. Last migration to a new server hardware we’ve successfully performed with the only one tool – secure copy. It’s a gui tool and it has very useful interface. During the migration – all permissions, shares and share permissions were recreated successfully. The process of data transferring was quite fast. And the files that were locked (in use) were automatically rescheduled for more copying attempts.

  3. Julie Says:

    I agree, Secure Copy is a great product. But I just can’t justify the pricing on this particular project. For a 30 day license that allows me to copy between two servers, it’s over $650.00.

    https://shop.scriptlogic.com/ShowProductPricing.aspx?pid=2

    You’ll need to shell out over $1,000.00 to purchase the software outright with 1 year of support. For large companies this is chump change, but from my perspective I need to keep the costs reasonable for my clientele, which translates into sometimes forgoing nifty products such as this in favor of engineering a solution.

    On another note, if I was going to fork out some cash that would help solve some of the technical challenges I face daily in my business, it would be for the SBS Swing Migration Kit.

    http://www.sbsmigration.com/

    Awesome stuff, reasonably priced, saves hours on SBS migrations.

  4. andre Says:

    Really interesting. Although for the shares, I export them from the registry. For the printers I use Microsoft’s print migration tool. For the data copying, well, I am still looking for a good tool.

  5. Rich Says:

    You should try using Hyena (systemtools.com). Copying shares is no problem and it is licensed per administrator so is cheap to use.

  6. Jeff Middleton Says:

    I’m Jeff Middleton (SBS-MVP) and I operate http://www.SBSmigration.com to assist people who want to replace SBS servers or similar servers in a convenient process. “Swing Migration” is that approach that provides a clean new server installation that can be transparently moved into use for the original server.

    I want to thank Julie for mentioning SBSmigration.com in her comment above. I got pointed to this blog by someone else asking a question, and I was surprised that Julie therefore didn’t mention one of the tools that comes with the Technician Kit I offer: ShareMig. It does what is being discussed here quite elegantly.

    The ShareMig tool is one of the tools in the Technician Kit, but the Technician Kit overall addresses a substantially larger scope of project than just data migration. I’ll explain ShareMig in just a moment, but I think it helps to get the larger picture context first.

    The Kit is primarily a documentation solution to replace a DC/Exchange server that may also be a file server or Sharepoint or SQL server as typical for an SBS. The custom tools included do useful tasks such as I described below with Sharemig. The majority of the construction of a new server is related to the migration of the Active Directory, Exchange Server, and any other applications. Note that you will have to install the new server from scratch in order to preserve your domain as required. The technician Kit describes how you can build a new machine from scratch, preserve the domain, and have a cleaner new server than the one it replaces. More importantly, you can replace the server with one running different platform, versions, or combinations of applications.

    The Technician Kit for $200 provides you with a license to use the Kit on as many different projects, servers, domains or customers as you want forever. In addition, the Kit provides you with the opportunity on your _first project_ to get unlimited support by email for 90 days. Therefore, you are not limited in the number of times you can use the kit or the tools, only in the number of projects you obtain prepaid for unlimited support. You are welcome to work independently on more projects, or you can come back to SBSmigration.com to obtain support separately paid by the hour, or with another project kit, or through options available to our subscribers.

    To the main point on this blog thread, moving/restoring the data files from one server to another is only an element in a project. Most people wouldn’t buy a new car in order to get a spare tire and a scissors jack, but if you wanted ShareMig enough to buy the Technician Kit, I suppose that might be an option. It’s a lot less expensive than what was discussed as alternatives.

    Regarding the specifics to move userfiles from one machine to the other, this is handled quite simply with ShareMig in a two-step operation. Step one is to restore the data with all NTFS permissions, step 2 is to re-establish the shared folder resource definitions.

    Step 1 is to use your preferred method to backup and restore the file/folder tree to a new machine. The most common approach is to use NT Backup to “backup to file” on a USB drive, and then restore it on the new machine partitions with the option to preserve all security. If you prefer drive imaging or some other method, that’s fine. (Note: In the larger context of how Swing Migration logic works, you can’t connect the two servers together for a direct file copy, so that doesn’t apply unless you wanted to do that twice…moving across external media like a USB drive.)

    Step 2 is to use the ShareMig tool that comes with the Kit which you run once on the original server to create a pair of reference files. You then take those two reference files (they are trivial in size) plus the tool and run it again now on the new server. The tool will review the reference files and the data folder tree condition of the new server. It then will reestablish all the previously defined shared folder references while it validates that the path and location of the folders exists (what NT Backup created for you in the restore of the files). Sharemig produces audit logs of what it does, what shares already are defined, what shares can’t be created because the folder path doesn’t exist, etc. You can use its logs for historical documentation or troubleshooting.

    Part of the ShareMig process is to intelligently restore the security ACLs without modification. That means you get exactly what it was before, ShareMig is automatically handling the practical steps of ensuring that you are not leaving shares out, changing ones that already were defined earlier in construction, or attempting to create a share to a phantom folder.

    As for customization, if you want the new server to have different partition letters, or different paths for the shared folders, that’s not a big deal. One of the reference files is a text readable format (easily understood by humans) that you can edit anything in the paths, names, or descriptions you want. You can omit specific shares as well. It’s not complex, it’s not risky, you are editing a text file, not the registry and not a registry file export. All of this information is stored separately from the configuration file for the security (which itself is technically a binary .REG file). ShareMig does a far better job than what the MS KB identifies, but it uses similar logic. It’s an encapsulated VBscript file so it’s under 30K in size.

    ShareMig is simple and reliable; while it’s not sold as a separate tool, it’s part of a normal project step in Swing Migration. If you are not using a Windows Domain for your servers, this solution is not likely your best answer unless the price and the tool match your needs. Just keep in mind that you must still have the same domain in order for the ACLs to have any meaning.

    – Jeff Middleton SBS-MVP
    YCST@SBSmigration.com

  7. Julie Says:

    Hi Jeff,

    Thanks for the comment – I think the Swing Migration is a wonderful thing, but I try to highlight free tools and methods whenever possible here at the back room tech. I did have a co-worker have an SBS 2003 migration bomb on him this weekend, so maybe he’ll be your next customer purchasing the Technician kit!

    On another note, I received the Advanced Windows Small Business Server 2003 Best Practices book for Christmas, and I am looking forward to reading your chapters on Disaster Recovery and Migration, where I see you mention in detail the Swing Migration.

    Thanks again for your comments, hope to hear from you again soon.

    Julie Smith

  8. ME Says:

    Jeff, I love your kit. I am just waiting for the day when you combine all tools and migration process into a couple of wizards.

    Thanks

    Regards

  9. Dave Says:

    Hi,
    A little precision, if you just want the directories, you can use the /XF *.* with your robocopy command. It excludes all the files but not the directories.

    The command line is:
    robocopy \\srv1\share \\srv2\share /E /LEV:2 /SEC /XF *.*

    Dave.

  10. Victor S. Says:

    The Active Directory Users and Computers console can be used to set/change home directories for multiple users at once. If you highlight the users you want to change (e.g., highlight everyone in an OU then use CTRL-click to deselect any you don’t want to change), you can right-click and select Properties. If you change the home folder to \\serv2\users\%username%, %username% will be replaced with each user’s logon name. I believe this was added to ADU&C in Windows 2003.

    Another option that I find myself using quite often is dsquery/dsget/dsmod. These command line tools can be used to modify Active Directory objects and are particularly useful when you pipe the output of dsquery into dsmod (e.g., update home directories for everyone in a particular OU). I also use concatenation in Excel to generate batch files using dsmod.

    I also wanted to comment on Robocopy. A couple advantages of Robocopy over some of the other tools are:
    – Ability to use Backup rights to migrate data you don’t normally have access to
    – Uses a couple different modes to try to copy open files
    – Can automatically retry copying files for x times after waiting y minutes
    – Very efficient when syncing files
    – Can choose what NTFS metadata to copy (e.g., ACLs, Owner)
    – Can throttle bandwidth usage so copying during business hours will not impact users
    – Ability to sync deletions

    This last one is why I use Robocopy most of the time. I can perform an initial sync of the data (which might take hours or days), then do a final sync just before cutting over to a new server. Even file deletions are synced and since only changes are synced, the final copy time is relatively short.

  11. john hope Says:

    Hi, I have found a good solution that works fantastically and flawlessly. It is called XenServer by Citrix; there is an open source version as well. It is owned and created by Citrix, and unlike any other virtual server software, i.e. VMware, which hogs tons of memory and processor, XenServer doesn’t use very much RAM because it can run directly off the processor, saving up memory that can be working with the OS. The best part about XenServer by Citrix is that it offers live migration, i.e. you could have a redundant server box with XenServer on it, and say you needed to take a server down for maintenance, for instance, you can use XenServer and it will migrate the whole OS and settings to the other server live without upsetting end users; they continue their work with no server downtime at all. Best of all, all your XenServers can be managed from one easy-to-use interface which can be accessed from any machine; it will even manage your physical machines as well as virtual ones too. I do advise you have a gigabit backbone, as you can imagine copying a complete OS live would be pretty hefty. But the best method would be to house all the roaming profiles and redirection shares on a NAS storage so that when you do the migration all it has to copy is the server OS with all server roles, user profile paths and permissions, and because user data is on NAS storage it doesn’t have to copy that, although it will if you want it to. The open source freeware version won’t let you do live migration but will allow migration of the OS, but the server requires downtime, whereas with the full version you have live migration. Just imagine no server or end user node downtime; the only thing that would then potentially cause downtime would be if a router or switch were to pack up, and it happens, especially if it’s the switch that the servers are connected to in the backbone; if they go down then end user nodes won’t be able to talk to the server; occasionally it can happen. But then you know that your servers are safe with XenServer; all the hassle is taken out of migrating servers. You can migrate and still have the original and run replica servers or even load balancers. I am new to Xen but tried it the other day and was truly amazed; what a very powerful and cost-effective way to run and manage a network. Think of the hours saved by pressing 5 or 6 buttons and job done, or manually spend ages by rebuilding another server, configuring users’ profiles and NTFS rights, recreating bat logon scripts and manually setting up users’ profile paths, or just migrate with a couple of clicks and it migrates users’ profiles live, i.e. you could do the migrate before everyone goes home; as you have started the migration process it starts moving everything, and then all the users decide to log off; they have no fear that their roaming profiles are going to arse up or even get a message like can’t find roaming profile, data not saved, or when trying to log on, can’t find domain, because as you are migrating everything stays live and working. I will be fully implementing it into our network at work; it will save me a lot of time. You can even use it to unload servers with lots of server roles. I hope I haven’t bored you all, but if you’re interested look on the Citrix website http://www.citrix.com/English/ps2/products/feature.asp?contentID=1687093 I would be interested to hear any comments you have; please email me at jhope46@gmail.com, would love to hear from you.

  12. Yuriy Says:

    Migrating from Small Business Server 2003 to Exchange 2003 Standard. Free. Worked for me.

    http://www.msexchange.org/tutorials/Migrating-Small-Business-Server-2003-Exchange-Standard-Part1.html

  13. Thomas Says:

    Hi,

    I am looking for an easy way to migrate our servers’ shares, user and group accounts. Is there any alternative to securecopy?

    I already tried robocopy but it won’t copy the shares and accounts.

    t.

