I've been running a Windows 2003R2 AD ad1.local for some time. Two DCs are involved in this domain.
Some time later, another AD was created, ad2.local. This AD was also hosted on Windows Server 2003 systems. One of the servers on this AD was a system with a 1TB RAID drive. Some time ago, a trust between the two domains was implemented. With that done, users from ad1.local could authenticate on ad2.local to obtain access to the 1TB drive. On the latter, a lot of directories were made with different group/user permissions from the ad1.local AD.
This is a troublesome setup, especially now that we have a roadmap of moving everything to VMs (finally!!!) on some new hardware, plus an upgrade to Windows 2019 (not directly, if we want to keep our ad1.local user accounts and stuff). One step of this process is moving this multitude of data from the 1TB ad2.local system to be directly accessible from ad1.local, but keeping permissions intact.
I don't know if this is possible. In simple terms I would like to "move" this ad2.local system to join ad1.local. If it was a workstation things would be easy: leave the ad2.local AD, reboot a couple of times to get rid of the policies and then join the ad1.local AD.
But in my scenario the 1TB disk holds complex permissions (who from ad1.local can see or write or modify what on which subdirectory). I presume that all this information will be lost doing this "exit ad2.local -> enter ad1.local" domain dance...
I'm also willing to follow other alternatives. I do have a NAS which can serve iSCSI shares. I could perhaps attach it to the system hosting the ad2.local 1TB disk to clone it, and then connect this iSCSI disk to one of my ad1.local servers?
Really clueless on how to accomplish all this. Any info will be appreciated!
For the record, I do not employ roaming profiles in ad1.local. I do have a number of GPOs in place to have shared disks appear for my ad1.local users, pointing to this ad2.local shared disk, which could be changed of course.
EDIT: The thread is locked and I cannot post this as a solution, but I'll leave this for whoever stumbles into a similar issue:
I cloned the 1TB disk on the ad2.local system to an iSCSI drive (obviously a physical drive would do, but since this is a server system, it was not easy to physically remove disks since they are RAID members; perhaps an external USB drive would suffice). I then disconnected the iSCSI drive and connected it to one of my ad1.local servers and presto: all permissions were there, everything worked perfectly, without even subinacl! The only thing I had to do was create the shares, which was rather easy!
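The reason the cloned volume worked is that NTFS stores ACEs as SIDs, not names: the permissions on the 1TB disk were granted to ad1.local principals across the trust, so they resolve on an ad1.local member without any subinacl work, while any ACE granted to an ad2.local principal would become an orphaned SID once the trust or ad2.local goes away. The following script is an added example, not part of the original post, for checking exactly that before and after such a move. It assumes the data root is E:\Data, the ACL snapshot path C:\acl-backup\data-acls.txt and the share names are placeholders; icacls has shipped since Server 2003 SP2, whereas New-SmbShare needs Server 2012 or later (on older hosts the equivalent is net share).

```powershell
# Added example (editor's code, not the original poster's). Paths, share
# names and the ad1.local group name below are assumptions for illustration.
param(
    [string]$DataRoot  = 'E:\Data',
    [string]$AclBackup = 'C:\acl-backup\data-acls.txt'
)

# 1. On the OLD (ad2.local) host, before cloning: snapshot every ACL as SDDL.
#    icacls /save records SIDs, so the file is independent of name resolution
#    and can be replayed with icacls /restore if anything goes wrong.
function Save-AclTree {
    param([string]$Root, [string]$OutFile)
    New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
    & icacls $Root /save $OutFile /t /c /q
}

# 2. On the NEW (ad1.local) host, after attaching the cloned volume: snapshot
#    again and diff. Any difference means the clone is not bit-for-bit.
function Compare-AclTree {
    param([string]$Before, [string]$After)
    $b = Get-Content -Path $Before -Encoding Unicode
    $a = Get-Content -Path $After  -Encoding Unicode
    Compare-Object -ReferenceObject $b -DifferenceObject $a
}

# 3. Walk the tree and list explicit ACEs whose SID no longer resolves.
#    These are the entries that pointed at ad2.local principals; they are the
#    ones to clean up (or rewrite) before ad2.local is decommissioned.
function Find-OrphanedAces {
    param([string]$Root)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]
    $results = @()
    Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName
            # explicit only ($true, $false): inherited ACEs repeat the parent's
            foreach ($rule in $acl.GetAccessRules($true, $false, $sidType)) {
                try {
                    $null = $rule.IdentityReference.Translate($ntType)
                } catch [System.Security.Principal.IdentityNotMappedException] {
                    $results += [pscustomobject]@{
                        Path   = $_.FullName
                        Sid    = $rule.IdentityReference.Value
                        Rights = $rule.FileSystemRights
                        Type   = $rule.AccessControlType
                    }
                }
            }
        }
    return $results
}

# 4. Recreate the shares the GPO drive mappings point at. Share permissions
#    are kept broad for authenticated users; the NTFS ACLs that survived the
#    clone do the real access control. (Server 2012+; older: net share.)
function New-DataShares {
    param([string]$Root, [hashtable]$Shares)
    foreach ($name in $Shares.Keys) {
        $path = Join-Path $Root $Shares[$name]
        if (-not (Get-SmbShare -Name $name -ErrorAction SilentlyContinue)) {
            New-SmbShare -Name $name -Path $path `
                -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
        }
    }
}

# Usage (assumed share names):
# old host:  Save-AclTree -Root $DataRoot -OutFile $AclBackup
# new host:  Save-AclTree -Root $DataRoot -OutFile 'C:\acl-backup\after.txt'
#            Compare-AclTree -Before $AclBackup -After 'C:\acl-backup\after.txt'
#            Find-OrphanedAces -Root $DataRoot | Format-Table -AutoSize
#            New-DataShares -Root $DataRoot -Shares @{ Projects = 'Projects'; Archive = 'Archive' }
```

Run steps 1 and 2 with the volume offline from users (or a snapshot) so the two icacls dumps describe the same state; an empty Compare-AclTree result plus an empty orphan list is the evidence that nothing needs subinacl. Leave the trust in place until the orphan list is empty, because once ad2.local is gone the SIDs in those ACEs can no longer be mapped back to a name.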