Monday, July 22, 2024

Synology® Active Directory Migration

Find out how to migrate Active Directory objects & file resources from Windows® to Synology® NAS domain controllers across domain boundaries.


This video demonstrates how to use CopyRight2 to migrate from a Windows® 2008 R2 Active Directory domain controller of domain A to a Synology® NAS running as domain controller of domain B. It shows how to migrate domain users, local and global groups along with file shares, file share permissions, files, folders and NTFS permissions.



The source system "WIN2K8R2" in this migration scenario is running Windows® 2008 R2 and is configured as a file server and domain controller of the domain "DomainA.Com".

The target "SYNOLOGY" is a Synology® NAS configured as domain controller of the domain "MyDomain.Com". It has the Active Directory and the DNS packages installed and configured. A separate video explains how to set up AD & DNS on a Synology®.

There are local and global domain groups and users in the source Active Directory. Users are members of global groups, the global groups are members of domain local groups and the domain local groups are used in share level and NTFS permissions (AGDLP principle).

There are two file shares, "Sales$" and "Support$" that will get migrated to the NAS system, including all users, groups, file shares, share permissions, files, folders and NTFS permissions.

In this example the migration is performed in two steps: first the user and group accounts are migrated using a "User and Group Migration" type of job, and then the data using a "Data Migration" job.


To correctly identify the target as a Synology NAS, you can either create a "Domain.Ini" file in the CopyRight2 installation folder, with the content below, or alternatively use the GUI's options dialog to define the target as a Synology having the domain controller role:


Options Dialog:
Add Synology as Domain Controller Dialog

Mapping File (Mapping.Map)

Unfortunately, the local administrators group on the Synology does not use the proper well-known SID. We therefore need a mapping file that maps the Windows administrators group of the source domain to some other group. In this example we simply map it to the "Domain Admins" group. Alternatively, we could create a custom group, called "Admins" for example. The mapping file can be stored in the CopyRight2 installation folder, for example. We will assign it later when defining the data migration job.

Mapping.Map file content:
domaina\administrators;mydomain\domain admins

Settings (User and Group Migration)

Job Type
User and Group Migration

Name and Description Page
Name: User and Group Migration

Source and Destination Page
Source Computer: WIN2K8R2
Destination Computer: SYNOLOGY

User and Group Migration Page

OU       Account Name  Account Type
Sales    e.hairston    User
Sales    s.zacharias   User
Sales    G_Sales       Global Group
Sales    L_Sales       Domain Local Group
Support  m.fleischer   User
Support  w.mcvey       User
Support  G_Support     Global Group
Support  L_Support     Domain Local Group

Filter Page
User accounts: Enabled (Add/Remove)
Local groups: Enabled (Add/Remove)
Global groups: Enabled (Add/Remove)

Settings Page
Local group memberships: Enabled (Add/Remove)
Global group memberships: Enabled (Add/Remove)
Migrate members (Local Group): Enabled (Add/Remove)
Migrate members (Global Group): Enabled (Add/Remove)
Do not migrate any accounts indirectly that are not selected: Enabled

Settings (Data Migration)

Job Type
Data Migration

Name and Description Page
Name: Data Migration

Source and Destination Page

Source                        Destination
\\WIN2K8R2\C$\Data\Sales      \\SYNOLOGY\Sales$
\\WIN2K8R2\C$\Data\Support    \\SYNOLOGY\Support$

Synchronization: Add/Update/Delete

File Attributes and Time Page
File compression settings: Never compress destination files

ACL and Owner Permissions Page
Permissions (DACL): Enabled
Owner: Enabled
Auditing (SACL): Disabled
Group owner: Disabled
Synchronize NTFS Permissions: Enabled
Map security identifiers with a predefined mapping table: Mapping.Map (previously created)

Advanced Page
Use asynchronous I/O: Enabled
Enable NAS Compatibility Mode: Enabled


The settings used assume that no users are working while the migration takes place. If you want to use an approach with multiple passes (pre-copy/final copy) you additionally have to enable either the "Use Volume Shadow Copy" ("Source and Destination" page) or the "Ignore errors resulting from locked files" ("Error Processing" page) option for the pre-copy pass(es) to prevent errors from occurring because of locked files.
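
A check to run once the "Data Migration" job has finished, added here as an example (it is not part of CopyRight2 or of the original page): it lists owners and DACL entries that still carry a SID from the source domain, meaning they were neither migrated nor covered by Mapping.Map. The domain SIDs, the file name and the SDDL strings are constructed sample values, and Find-SourceDomainTrustee is a hypothetical helper name.

```powershell
# Added example, not CopyRight2 code. SIDs, SDDL strings and the file name
# are constructed sample values; Find-SourceDomainTrustee is a hypothetical helper.
$SourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'  # DomainA.Com (placeholder)
$TargetDomainSid = 'S-1-5-21-4444444444-5555555555-6666666666'  # MyDomain.Com (placeholder)

function Find-SourceDomainTrustee {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$DomainSid
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    # Gather the owner and every DACL trustee.
    $trustees = @()
    if ($sd.Owner) { $trustees += [pscustomobject]@{ Kind = 'Owner'; Sid = $sd.Owner } }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.KnownAce]) {
            $trustees += [pscustomobject]@{ Kind = 'DACL'; Sid = $ace.SecurityIdentifier }
        }
    }
    foreach ($t in $trustees) {
        # AccountDomainSid is $null for well-known SIDs such as BUILTIN\Administrators.
        $domain = $t.Sid.AccountDomainSid
        if ($domain -and $domain.Value -eq $DomainSid) {
            [pscustomobject]@{ Path = $Path; Kind = $t.Kind; Sid = $t.Sid.Value }
        }
    }
}

# Constructed security descriptors: the share root was translated to the
# target domain, the file still has a source-domain owner and ACE.
$samples = [ordered]@{
    '\\SYNOLOGY\Sales$'            = "O:BAG:BAD:(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;${TargetDomainSid}-1104)"
    '\\SYNOLOGY\Sales$\report.txt' = "O:${SourceDomainSid}-1105G:BAD:(A;;FA;;;${SourceDomainSid}-1105)(A;;FA;;;BA)"
}

$findings = foreach ($path in $samples.Keys) {
    Find-SourceDomainTrustee -Path $path -Sddl $samples[$path] -DomainSid $SourceDomainSid
}
$findings | Format-Table -AutoSize

# Live audit: feed real descriptors instead of $samples, for example
# Get-ChildItem -LiteralPath '\\SYNOLOGY\Sales$' -Recurse -Force | ForEach-Object {
#     Find-SourceDomainTrustee -Path $_.FullName -Sddl (Get-Acl -LiteralPath $_.PSPath).Sddl -DomainSid $SourceDomainSid }
```

Any row in the output is an owner or ACE that no account in the target domain will match, so the affected path needs its mapping or job settings revisited before users are moved over.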
