File server migration

Copy data to another server, including NTFS permissions

Data migration

The easiest way to move data to another server, e.g. because a server upgrade is due, is the following procedure:

  1. Transfer root permissions of the drive to the target drive
  2. Create folder structure on the target drive including NTFS permissions (improves performance)
  3. Export shares from the source and import them on the target
  4. Start copying using RoboCopy
  5. Start synchronization using RoboCopy

Re 1)

Transfer root permissions of the drive to the target drive

Re 2)

robocopy "\\ServerAlt\d$" "\\ServerNeu\d$" /e /z /SEC /xf *
robocopy "D:\DATA\DESKTOP" "S:\DATA\DESKTOP" /e /z /SEC /xf *

Re 3)

Export shares from the source and import them on the target. The share definitions are stored in the registry under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

Re 4)

start robocopy "\\ServerAlt\d$\_Templates_Serienbriefe" "\\ServerNeu\d$\_Templates_Serienbriefe" /LOG:"C:\Migration\2020_01_10_Vorlagen_Serienbriefe_Copy.log" /COPY:DAT /DCOPY:T /PURGE /UNICODE /E /V /MT:16 /XO /ZB /TEE /R:0 /W:0 /XF "~$*" "thumbs.db" "~DFSINFO*"

Re 5)

start robocopy "\\ServerAlt\d$\_Templates_Serienbriefe" "\\ServerNeu\d$\_Templates_Serienbriefe" /LOG:"C:\Migration\2020_01_10_Vorlagen_Serienbriefe_Sync.log" /MIR /R:10 /W:5 /V /ETA /XF "~$*" "Thumbs.db" "~DFSINFO*"

Optional: copy NTFS permissions only

robocopy "\\ServerAlt\d$\_Template_Serial Letters" "\\ServerNeu\d$\_Template_Serial Letters" /COPY:S /SECFIX
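
To check that permissions arrived intact after steps 4 and 5 (or after the permissions-only run), the owner and DACL of every object can be compared between source and target. The following PowerShell is an added example, not part of the original article; the function name Compare-TreeAcl and the report file acl_diff.csv are assumptions, and the server paths and excluded file patterns are the ones used above.

```powershell
# Added example. Function name and report file name are assumptions.
function Compare-TreeAcl {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Target
    )
    # Compare owner + DACL only; reading the SACL needs SeSecurityPrivilege
    $sections = [System.Security.AccessControl.AccessControlSections]'Owner, Access'
    $srcRoot  = (Get-Item -LiteralPath $Source).FullName.TrimEnd('\')
    $dstRoot  = $Target.TrimEnd('\')

    # Root folder first, then everything below it, minus the /XF patterns
    $items = @(Get-Item -LiteralPath $srcRoot) +
             @(Get-ChildItem -LiteralPath $srcRoot -Recurse -Force -ErrorAction SilentlyContinue |
               Where-Object { $_.PSIsContainer -or ($_.Name -notlike '~$*' -and
                              $_.Name -ne 'thumbs.db' -and $_.Name -notlike '~DFSINFO*') })

    foreach ($item in $items) {
        $relative = $item.FullName.Substring($srcRoot.Length)
        $dstPath  = $dstRoot + $relative
        $status   = $null
        $s = $t = ''
        if (-not (Test-Path -LiteralPath $dstPath)) {
            $status = 'MissingOnTarget'
        } else {
            try {
                # SDDL string form makes owner and every ACE directly comparable
                $s = (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).GetSecurityDescriptorSddlForm($sections)
                $t = (Get-Acl -LiteralPath $dstPath -ErrorAction Stop).GetSecurityDescriptorSddlForm($sections)
                if ($s -ne $t) { $status = 'AclDiffers' }
            } catch {
                $status = 'AclUnreadable'
            }
        }
        if ($status) {
            [pscustomobject]@{ Path = $relative; Status = $status; SourceSddl = $s; TargetSddl = $t }
        }
    }
}

# Paths are the ones used on this page; the CSV name is an assumption
Compare-TreeAcl -Source '\\ServerAlt\d$\_Templates_Serienbriefe' `
                -Target '\\ServerNeu\d$\_Templates_Serienbriefe' |
    Export-Csv -Path 'C:\Migration\acl_diff.csv' -NoTypeInformation -Encoding UTF8
```

Run it from a session that has read access to both administrative shares. A report without rows means every owner and DACL matched; rows marked AclDiffers show both SDDL strings side by side for review.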

Terminology

DACL - Discretionary Access Control List

DACL is the set of NTFS permissions that indicate which account or group has which permissions.

SACL - System access control list

SACL is the set of auditing rules that apply to a file or folder

ACL - Access control list

This table contains all the security properties for a file or folder including the DACL and SACL, owner, etc.
Read, Execute, Write, Full Access

ACE - Access control entry

Stands for a rule entry (allow or deny) in the DACL and SACL

File right

File rights are security settings that are assigned to a file object

Share permissions

Share permissions are permissions that are assigned to a share

Access token

When a user logs on to a system, the system issues the user an access token. The access token contains information about the user account, the default ACL, user groups, privileges, etc. The user presents this token to identify themselves to other resources in the network.

AGLP - Account-Global-Local-Permission

Stands for the basic principle in the administration (management) of resource access: an account is a member of a global group, which in turn is a member of a local group, and the rights to be assigned are set for this local group. There are other strategies, such as:

  • AGP
  • A DL P
  • AG DL P
  • AGU DL P

NTFS (New Technology File System) properties

  • File entries are saved in a tree structure
  • NTFS logs changes in real time, thus minimizing the loss of data
  • Security attributes are inheritable
  • UNICODE is supported in file names
  • The MFT is centered
  • Data is saved in such a way as to avoid unnecessary fragmentation
  • Supports alternative data streams
  • Quota management
  • Monitoring of accesses (file system journaling)
  • Encryption supported
  • Supports compression
  • Setting of security attributes
  • NTFS file repair
  • Maximum hard drive size 256 TB
  • Maximum file size 256 TB
  • Maximum number of files 4,294,967,295
  • Maximum number of folders 4,294,967,295
