emcopy version 4.17 supports converting old historical SIDs to new SIDs using the /sidmapfile switch. This is a great feature for CIFS/SMB migration, especially because we can now convert all the old broken SIDs to new active SIDs while the emcopy file migration is running. In this exercise we will demonstrate how to construct the sidmap file and execute the emcopy command with the /sidmapfile switch.

sidmapfile format:

Below is the help file that accompanies the sidmapfile option:

Anything that starts with "#" is a comment.

#this file is read by emcopy when option /sidmapfile is specified
#each line is a single mapping record which leads emcopy to replace the sid source by the specified sid

#There are four different types of record supported:

#SID_TO_SID, record format is:
<SID source>:<SID target>

#HSID_TO_HSID, record format is:
<SID source in hexa>:<SID target in hexa>

#ENUMTYPE, record format is:
"<server name>","<account type>","<account name on source>","<SID on target>"
Note: <server_name> and <account type> are not used by emcopy.

#ISI_RECORD, record format is:
<source server name>,{SID|HSID|GROUP|USER|NAME}:<value>,<destination server name>,{SID|HSID|GROUP|USER|NAME}:<value>

#There is no limitation of record type directive
#A record type directive can be followed by several records

SID_TO_SID
S-1-5-21-1643508158-2780356154-507200429-1000:S-1-5-21-3787548895-340410874-2009791390-1006

HSID_TO_HSID
S-1-5-15-61F5F1BE-A5B8DE3A-1E3B43AD-3E8:S-1-5-15-6112CBD5-8F6E3909-A3DF4B75-3E8

ENUM_TYPE
"ISILON1","User","localuser1","S-1-5-21-3787548895-340410874-2009791390-1005"
"ISILON1","group","localgroup3","S-1-5-21-3787548895-340410874-2009791390-1004"

ISI_RECORD
WSJDO,NAME:USER1,ISILON1,NAME:USER2
WSJDO,HSID:S-1-5-15-47AF4AC5-451AE0F4-A4519B61-3E8,ISILON1,HSID:S-1-5-15-47AF4AC5-451AE0F4-A4519B61-3EF
JOE,"SID":S-1-5-21-1643508158-2780356154-507200429-1010,ISILON1,SID:"S-1-5-21-3787548895-340410874-2009791390-1002"

# the following lines indicate a revoked SID
S-1-5-15-61F5F1BE-A5B8DE3A-1E3B43AD-1F5:REVOKED
"ISILON1","group","guests",REVOKED
JOE,"SID":S-1-5-21-1643508158-2780356154-507200429-1010,REVOKED

#next line will be discarded
This is a Bad record
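Because emcopy discards any record it cannot parse (the "Bad record" line above), a typo in a sidmap file means the old SIDs silently stay on the target. The following validator is an added example, not code from the original post or from emcopy; it assumes the record type is selected by the preceding directive line, that a SID is S-1-<authority>-<subauthorities> in decimal and an HSID the same shape in hex, and that REVOKED is accepted wherever a target value goes.

```powershell
# Added example: report every sidmap record that does not match the format
# of the directive it sits under, before the file is handed to emcopy.
function Test-SidMapFile {
    param([Parameter(Mandatory)][string]$Path)

    $sid    = 'S-1-\d+(?:-\d+)+'                        # decimal SID
    $hsid   = 'S-1-\d+(?:-[0-9A-Fa-f]+)+'               # hex SID (HSID)
    $quoted = '"[^"]*"'                                  # one quoted field
    $kv     = '"?(?:SID|HSID|GROUP|USER|NAME)"?:[^,]+'   # ISI_RECORD key:value
    # One regular expression per record type; {n} are -f placeholders.
    $rules = @{
        SID_TO_SID   = '^{0}:(?:{0}|REVOKED)$' -f $sid
        HSID_TO_HSID = '^{0}:(?:{0}|REVOKED)$' -f $hsid
        ENUM_TYPE    = '^{1},{1},{1},(?:"{0}"|REVOKED)$' -f $sid, $quoted
        ISI_RECORD   = '^[^,]+,{0},(?:REVOKED|[^,]+,{0})$' -f $kv
    }

    $directive = $null
    $lineNo = 0
    foreach ($raw in Get-Content -Path $Path) {
        $lineNo++
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }        # blank or comment
        if ($rules.ContainsKey($line)) { $directive = $line; continue }  # directive line
        if ($null -eq $directive) { $status = 'NoDirective' }
        elseif ($line -match $rules[$directive]) { $status = 'OK' }
        else { $status = 'Bad' }
        [pscustomobject]@{ Line = $lineNo; Type = $directive; Status = $status; Record = $line }
    }
}

# Usage: list only the records emcopy would ignore.
Test-SidMapFile -Path .\SIDWindowsHost01.txt | Where-Object Status -ne 'OK'
```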

Steps to construct the sidmapfile:

In this exercise we will construct a SIDmap file that maps the Windows "Local Administrators" group to an Active Directory global group. The following scenario will be used:

Migrate an SMB directory called D:\migrationdirectory01 from a local Windows machine called "WindowsHost01" to a new Isilon cluster called "IsilonCluster01".

  • Local machine name: WindowsHost01
  • Directory to migrate: D:\migrationdirectory01
  • NTFS permissions on the D:\migrationdirectory01 directory:
    • Administrators (local group)
    • System
    • Owner rights
  • Change the "Local Administrators" group to a new Active Directory domain global group called "Isilon_Global_Group"

First we need three values for the SIDmap file:

  1. The old "Local Administrators" group SID; this group will not be transferred to the new file server
  2. The new Active Directory global group SID that will replace the old local Administrators group SID
  3. The old local host name

First step: (Identify the local and global group SIDs)

  • Local Group SID

Open PowerShell on the local Windows machine and type the following:

PS C:\Users> $AdObj = New-Object System.Security.Principal.NTAccount("Administrators")
PS C:\Users> $strSID = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
PS C:\Users> $strSID.Value
S-1-5-32-522

  • Global Group SID

Open PowerShell on any server joined to the AD domain and type the following:

PS C:\Users> $AdObj = New-Object System.Security.Principal.NTAccount("Isilon_Global_Group")
PS C:\Users> $strSID = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
PS C:\Users> $strSID.Value
S-1-5-21-25434348-1734817535-1031410982-67629

Second step: (Capture the local Windows machine name)

Local machine name is: WindowsHost01

Third step: (Construct the emcopy SIDmap file)

Create a text file with the name SIDWindowsHost01.txt
Edit the file and add the following two lines:

ENUM_TYPE
"WindowsHost01","group","Administrators","S-1-5-21-25434348-1734817535-1031410982-67629"

Fourth step: (run emcopy with the /sidmapfile switch)

Execute the following emcopy command from WindowsHost01:

emcopy64 d:\migrationdirectory01 \\IsilonCluster01\migrationdirectory01 /o /s /de /sd /sdd /sidmapfile SIDWindowsHost01.txt /purge /stream /th 16 /secforce /c /r:1 /w:1 /log:c:\emcopy\logs\SIDWindowsHost01.log

The above command line replaces every ACL entry that references the built-in local "Administrators" group with the new SID of "Isilon_Global_Group".

Automating the batch file

To run emcopy several times for incremental passes without changing the log file name by hand before each run, edit the batch file and add the following:

@echo off
rem Build a date stamp (yyyy_mm_dd) and a time stamp (hh_mm) from date /t and time /t.
rem The token positions assume the default US format of date /t ("Day mm/dd/yyyy").
for /f "tokens=2,3,4 delims=/ " %%i in ('date /t') do set vardate=%%k_%%i_%%j
for /f "tokens=1,2 delims=: " %%i in ('time /t') do set vartime=%%i_%%j
rem No space after "=": a leading space would become part of the log file name.
set varlog=SIDWindowsHost01log_%vardate%_%vartime%.log

emcopy64 d:\migrationdirectory01 \\IsilonCluster01\migrationdirectory01 /o /s /de /sd /sdd /sidmapfile SIDWindowsHost01.txt /purge /stream /th 16 /secforce /c /r:1 /w:1 /log:c:\emcopy\logs\%varlog%
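The four steps and the log-name automation above, combined into one PowerShell script as an added example (not code from the original post or from EMC). It resolves the two SIDs the same way the post does, writes the ENUM_TYPE record, and builds the timestamped log name with Get-Date instead of parsing date /t, whose output depends on the regional date format. The group names and paths are the post's scenario values, and emcopy64.exe is assumed to be on the PATH.

```powershell
# Added example; parameters default to the scenario values from the post.
param(
    [string]$LocalGroup  = 'Administrators',
    [string]$DomainGroup = 'Isilon_Global_Group',
    [string]$Source      = 'D:\migrationdirectory01',
    [string]$Target      = '\\IsilonCluster01\migrationdirectory01',
    [string]$LogDir      = 'C:\emcopy\logs'
)

function Get-AccountSid([string]$Account) {
    # Same resolution the post performs interactively. Translate() throws if
    # the account cannot be resolved, so a wrong group name stops the script
    # before emcopy is started with an incomplete mapping.
    $acct = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Account
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$hostName = $env:COMPUTERNAME                 # the "old local host name"
$oldSid   = Get-AccountSid $LocalGroup        # the SID being mapped away
$newSid   = Get-AccountSid $DomainGroup       # the SID written into the map
$sidMap   = Join-Path $PWD.Path "SID$hostName.txt"

# ENUM_TYPE record: "<server name>","<account type>","<account name on source>","<SID on target>"
@(
    'ENUM_TYPE'
    ('"{0}","group","{1}","{2}"' -f $hostName, $LocalGroup, $newSid)
) | Set-Content -Path $sidMap -Encoding Ascii
Write-Host "Mapping $hostName\$LocalGroup ($oldSid) -> $DomainGroup ($newSid) via $sidMap"

# Timestamped log name; Get-Date -Format does not depend on regional settings.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ('SID{0}log_{1}.log' -f $hostName, (Get-Date -Format 'yyyy_MM_dd_HH_mm'))

# Same switches as the post's command line; assumes emcopy64.exe is on the PATH.
& emcopy64 $Source $Target /o /s /de /sd /sdd /sidmapfile $sidMap /purge /stream /th 16 /secforce /c /r:1 /w:1 "/log:$log"
Write-Host "emcopy64 exit code: $LASTEXITCODE (log: $log)"
```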