Introduction:

Evergreen SMB file migration projects sometimes have to migrate data whose ACLs contain historical SIDs. This kind of migration requires additional planning and pre-work, because we need to identify the old AD SID history and create a SID map file that replaces all the old SIDs with new, active ones from the domain. Old SIDs mostly belong to user or group accounts that were created at some stage in the past and later deleted, but the file system ACLs were never cleaned up, so the account SID is still used in the file Access Control Lists (ACLs).

The following steps identify all the old SID accounts using “dsquery”. Later in this exercise we demonstrate how to construct the SID map file that converts the old historical SIDs to new active AD accounts, and the final step demonstrates how to run EMCopy with the SIDMapFile switch to migrate all the old SIDs to the new ones.

Pre/Post Migration Procedure:

Identify old Historical SIDs

  1. Log in to a Windows client with administrator permissions, or with an account that has permission to run dsquery.
  2. Click Start > Run.
  3. Type cmd and then ENTER.
  4. Run the following DOS commands:
  • dsquery * dc=lab,dc=isilon,dc=net -filter "(&(objectClass=Group)(sIDHistory=*))" -attr sIDHistory ObjectSID -limit 10000 > Lab-Group-Sidmapping.txt
  • dsquery * dc=lab,dc=isilon,dc=net -filter "(&(objectClass=User)(sIDHistory=*))" -attr sIDHistory ObjectSID -limit 10000 > Lab-User-Sidmapping.txt

Note: In the above example we used lab.isilon.net as the test AD. Both dsquery commands are also limited to 10,000 objects (users and groups).

Two text files will be created from running both commands above (Lab-Group-Sidmapping.txt  and Lab-User-Sidmapping.txt).

Construct EMCopy SID Map file

  1. Merge the content of both files into a new text file; for this exercise, call it sidmap.txt.
  2. Insert a new first line in the file with the following text: SID_TO_SID
  3. Edit the remaining text to resemble the following example SID syntax:

Old SID generated from the dsquery : new SID from the active directory

Example:
SID_TO_SID
S-1-5-21-3487376569-527436959-1009586214-84324:S-1-5-21-861567501-448539723-725345543-12270
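
The merge-and-edit steps above can be scripted. The following is an added example, not part of the original procedure or of EMCopy: it assumes each dsquery row lists the sIDHistory value(s) before the ObjectSID, as in the -attr order used above. The function name build_sidmap and the sample rows are made up for illustration. It goes slightly beyond the manual steps by holding back any old SID that appears in the history of two different accounts, so that it can be reviewed by hand.

```python
import re

# String form of a SID, e.g. S-1-5-21-<domain>-<RID>
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def build_sidmap(dsquery_text):
    """Turn merged dsquery output into (sidmap_text, conflicts)."""
    mapping = {}    # old SID -> new SID, in first-seen order
    conflicts = {}  # old SID -> set of competing new SIDs
    for line in dsquery_text.splitlines():
        sids = SID_RE.findall(line)
        if len(sids) < 2:
            continue  # column header, blank line, or row missing a SID
        # Assumed column order follows "-attr sIDHistory ObjectSID": the last
        # SID on the row is the current objectSID, earlier ones are history.
        *old_sids, new_sid = sids
        for old in old_sids:
            if old == new_sid:
                continue
            first = mapping.setdefault(old, new_sid)
            if first != new_sid:
                conflicts.setdefault(old, {first}).add(new_sid)
    # An old SID claimed by two accounts is ambiguous: leave it out of the
    # map so it is reviewed by hand instead of being re-permissioned blindly.
    for old in conflicts:
        mapping.pop(old, None)
    lines = ["SID_TO_SID"] + [f"{old}:{new}" for old, new in mapping.items()]
    return "\n".join(lines) + "\n", conflicts

# Constructed sample (not real dsquery output); the first row reuses the
# SIDs from the example above, the rest are invented.
SAMPLE = """\
  sIDHistory    ObjectSID
  S-1-5-21-3487376569-527436959-1009586214-84324    S-1-5-21-861567501-448539723-725345543-12270
  S-1-5-21-1111111111-2222222222-3333333333-1001;S-1-5-21-1111111111-2222222222-3333333333-1002    S-1-5-21-861567501-448539723-725345543-12271
  S-1-5-21-1111111111-2222222222-3333333333-1003    S-1-5-21-861567501-448539723-725345543-12272
  S-1-5-21-1111111111-2222222222-3333333333-1003    S-1-5-21-861567501-448539723-725345543-12273
"""

if __name__ == "__main__":
    sidmap, conflicts = build_sidmap(SAMPLE)
    print(sidmap, end="")
    for old, news in conflicts.items():
        print(f"REVIEW: {old} appears in sIDHistory of {sorted(news)}")
```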

Execute EMCopy with SIDMapFile switch to convert old historical SID to new Active SID

  1. Execute EMCopy with the following switches:
    • This will set the following EMCopy command-line interface switches for all future incremental copy operations:
      • /secfix
      • /o
      • /sidmapfile sidmap.txt, where sidmap.txt is the name of the merged SID mapping file you created.

Example:
c:\emcopy_4_17\emcopy64.exe "\\oldNAS\UserData" "\\Isilon\UserData" /ignoredhsm /secfix /o /sidmapfile sidmap.txt /sd /s /de /th 64 /purge /c /r:1 /w:1 /log+:"d:\logs\migration_sid.log"

Note: When creating the share for the migration on the Isilon cluster:

  • DO NOT check the “Apply Default ACL” option when creating the share
  • Make sure to give the migration account “run as root” access on the Isilon share