Hello John Evans,
Thank you for posting in the Q&A forum.
Based on the description "I need to migrate an existing Windows Server from one domain to another", do you mean migrating an existing Domain Controller server (Windows server) from one domain to a different domain in a different forest?
Or do you want to migrate an existing file server (Windows server) from one domain to a different domain in a different forest?
Migrating a server to a new domain involves more than just “recreating” share permissions manually, especially if you want to maintain the original security settings without disruption.
Here are some key points to consider:
- Security Identifiers (SIDs):
Sharing permissions and NTFS permissions are based on SIDs rather than just the account or group names. When you move to the new domain, the user and group accounts have different SIDs. This means the existing permissions won’t automatically “match” new domain accounts even if the names are the same. Simply recreating the names might lead to permission mismatches and loss of inherited access rights.
- SID History and Migration Tools:
One common approach is to migrate users and groups while preserving SID History, so that the system can recognize the previous SIDs. If that option isn’t available or won’t work for your scenario, you might need to use a security translation tool (for example, Active Directory Migration Tool [ADMT] with the security translation wizard) that can walk through file system permissions and update the ACLs (Access Control Lists) to map the old SIDs to the new ones.
- Manual Recreation vs. Automated Translation:
Recreating permissions manually can be prone to mistakes, particularly for servers that have many shares or complex permission structures. Automated tools ensure that the migration is both consistent and complete.
- Testing Before Production:
Please test the migration in a controlled environment. Verify that the new domain accounts have the same access to the shares as intended. This step will help you avoid potential downtime or security issues after the migration.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
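
Added example (not part of the answer above, and not ADMT or Microsoft code): a PowerShell inventory of the explicit NTFS ACEs under a share root whose SIDs belong to the source domain, which gives a baseline to compare against after security translation. The path, the domain SID and the function name `Get-SourceDomainAce` are constructed placeholders; share-level permissions are stored separately and are not covered here.

```powershell
# Added example: list explicit NTFS ACEs that reference SIDs from the source domain.
# The defaults below are constructed placeholders, not values from the thread.
param(
    [string]$Root         = 'D:\Shares\Example',
    [string]$OldDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333',
    [string]$ReportPath   = '.\source-domain-aces.csv'
)

$oldDomain = [System.Security.Principal.SecurityIdentifier]::new($OldDomainSid)

function Get-SourceDomainAce {
    param(
        [string]$Path,
        [System.Security.Principal.SecurityIdentifier]$DomainSid
    )
    $acl = Get-Acl -LiteralPath $Path
    # Request rules keyed by SID: names can be identical in both domains, SIDs cannot.
    # Explicit ACEs only ($true, $false); inherited ones follow from their parent.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        # AccountDomainSid is $null for well-known SIDs such as BUILTIN\Administrators.
        if ($sid.AccountDomainSid -and $sid.AccountDomainSid.Equals($DomainSid)) {
            # Name resolution fails when this machine cannot map the SID to an account.
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved>' }
            [pscustomobject]@{
                Path   = $Path
                Sid    = $sid.Value
                Name   = $name
                Rights = $rule.FileSystemRights
                Type   = $rule.AccessControlType
            }
        }
    }
}

# Walk the root and its subfolders; files with their own explicit ACEs are not visited.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force -ErrorAction SilentlyContinue)
$report  = @(foreach ($f in $folders) { Get-SourceDomainAce -Path $f.FullName -DomainSid $oldDomain })

# Per-SID summary on screen, full detail to CSV for the before/after comparison.
$report | Group-Object Sid | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Account'; e = { $_.Group[0].Name } }
$report | Export-Csv -NoTypeInformation -Path $ReportPath
```

Running it again after translation in the test environment should show the source-domain entries replaced by target-domain SIDs; any `<unresolved>` rows that remain are ACEs worth reviewing by hand.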