Migrating Files/Folders Across Forests
Hello, I am working on a plan for a forest migration. I am planning to use ADMT and migrate users with SIDHistory. I thought one "easier" aspect of the migration would be related to data migration of simple files/folders used in a file server environment. I was told that I could use either xcopy or Robocopy and copy the files/folders over to new storage and preserve the ACLs. Well, I have been testing this out various ways for a while now and can't seem to get any ACLs to move. It appears that the file ownership will transfer properly, but the files/folders just simply inherit the permissions of their parent (share) over in the target domain. So far, I have tried xcopy and RichCopy (successor to RoboCopy GUI) and neither of them have preserved the ACLs to the files/folders that I've copied over.
Can somebody help me understand what I'm missing here? Keep in mind that I am copying the files across forests with trusts between. Shouldn't Active Directory be able to resolve the SIDs?
The source is a 2003 cluster and the target is a 2008 R2 cluster.
I will be happy to provide more information and perform any tests. Thanks so much, it's great to have a forum like this one for these kinds of questions.
February 19th, 2010 2:12am

Also, the two forests have an external trust. I am wondering if possibly it should be a forest trust?
February 19th, 2010 9:26pm

Hello, to migrate SID history and ACL for files/folders, you need to first migrate the users, then migrate the files. Robocopy can do this for you perfectly. If you are not familiar with the robocopy syntax, you can use the GUI version.
More info on robocopy here: http://technet.microsoft.com/en-us/magazine/2006.11.utilityspotlight.aspx
Isaac Oben MCITP:EA, MCSE
February 19th, 2010 9:59pm

I am now testing with a user account that I have migrated to the target domain using ADMT v3.1. I have checked the user object in the target domain and verified the value of sIDHistory with the SID value of the same account in the source domain. They are identical.
I have used Robocopy with various switch combinations to attempt to copy the data over and preserve the SIDs from the source (i.e. trusting) domain. I will step back a moment and explain what I'm trying to do. I am trying to copy files/folders from a source forest into a new forest (new storage device, etc, etc) and have the destination forest recognize the SIDs from the source forest.
My overall goal is for this to work properly on the robocopy operation so that I don't have to manually reassign any permissions. For an example, let's say that I have a share on the destination forest named \\serverB\shareB. Now, I also have a share in the source forest called \\serverA\shareA.
For the sake of illustration, let's say these are user directories (i.e. home folders) in the source. My user is User1, for example, and the name of the source domain is "domainA" and the target domain is domainB.
I want to copy the folder "User1" from the folder \\serverA\shareA\User1 over to \\serverB\shareB
Once it gets there to the destination domain, I want the security to look like this for the folder "User1":
Full Control: domainA\User1
Now, User1 has already been migrated over to the target domain. So, his real identity in the target domain is domainB\User1. However, his sIDHistory contains the SID for domainA\User1.
The question at hand is: Is this possible? How can I migrate all of this data from one forest to the other and not have to manually re-apply permissions to reflect accounts in the target forest?
One follow-up: As I mentioned, the trust is an external trust. I am wondering if possibly I need to turn OFF SID Filter quarantining.
This article is the reference: http://technet.microsoft.com/en-us/library/cc755427(WS.10,printer).aspx
Thanks very much for your continued support.
February 20th, 2010 12:41am

Hello
Did you migrate the SID History following this KB: http://support.microsoft.com/kb/322970
Isaac Oben MCITP:EA, MCSE
February 21st, 2010 8:09am

I went through the same exercise, but in my scenario user accounts were already there in the target domain. We used the SID history attribute. One thing you have to be sure of is to enable SID quarantine between domains. By default SID lookups between 2 domains/forests are disabled. You have to list that by netdom command. 1 thing I learned was when migrating computers make sure Windows Firewall is disabled, else ADMT will fail. We performed data migration through secure copy; it worked like a charm. We redid all the security on the target domain and created new security groups. Cheers...
March 26th, 2010 2:49am

Hi heatfan - did you resolve this in the manner you explained? I am in the exact same situation - not wanting to re-permission everything. I am using ADMT too. thanks
May 10th, 2013 7:49pm

Just for anyone else reading this... I discovered that the permissions were not copying across from the source domain using Robocopy because /enableSIDhistory had to be enabled on the trust between the forests.
    netdom trust destination.domain /domain:source.domain /userD:administrator /passwordD:****** /enablesidhistory:yes /userO:administrator /passwordO:*******
The userD, passwordD, userO and passwordO are not spelling mistakes. Hope this helps someone.
May 14th, 2013 12:33pm
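
A post-copy check for the migration discussed in this thread, as an added example that is not part of any poster's reply: it runs robocopy with /COPYALL, then compares the owner and explicit ACE SIDs of every source item with its copy, so items that ended up with only inherited permissions are reported. The paths are the illustrative \\serverA\shareA and \\serverB\shareB names from the question; the log file location and the function name are assumptions.

```powershell
# Added example; share names are the illustrative ones from the question.
$Source = '\\serverA\shareA\User1'
$Dest   = '\\serverB\shareB\User1'
$Sid    = [System.Security.Principal.SecurityIdentifier]

# /COPYALL = /COPY:DATSOU (data, attributes, timestamps, ACLs, owner, auditing).
robocopy $Source $Dest /E /COPYALL /R:1 /W:1 "/LOG:$env:TEMP\robocopy-User1.log"
# Robocopy exit codes of 8 or higher mean at least one copy failure.
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

function Get-SecuritySummary {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit (non-inherited) ACEs only, keyed by raw SID so the comparison
    # does not depend on whether either domain can resolve the name.
    $aces = $acl.GetAccessRules($true, $false, $Sid) | ForEach-Object {
        '{0}|{1}|{2}' -f $_.IdentityReference.Value, $_.AccessControlType, $_.FileSystemRights
    } | Sort-Object
    [pscustomobject]@{
        Owner = $acl.GetOwner($Sid).Value
        Aces  = ($aces -join ';')
    }
}

# Walk the source tree (root folder included) and compare each item to its copy.
$items = @(Get-Item -LiteralPath $Source) +
         @(Get-ChildItem -LiteralPath $Source -Recurse -Force)
$mismatches = foreach ($item in $items) {
    $target = $Dest + $item.FullName.Substring($Source.Length)
    if (-not (Test-Path -LiteralPath $target)) {
        [pscustomobject]@{ Path = $target; Problem = 'missing on destination' }
        continue
    }
    $src = Get-SecuritySummary $item.FullName
    $dst = Get-SecuritySummary $target
    if ($src.Owner -ne $dst.Owner) {
        [pscustomobject]@{ Path = $target; Problem = "owner $($dst.Owner), expected $($src.Owner)" }
    }
    if ($src.Aces -ne $dst.Aces) {
        [pscustomobject]@{ Path = $target; Problem = 'explicit ACEs differ from source' }
    }
}
$mismatches | Format-Table -AutoSize -Wrap
'{0} item(s) checked, {1} problem(s) found' -f $items.Count, @($mismatches).Count
```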

This topic is archived. No further replies will be accepted.
