File Server Migration Tool

Discussion in 'Server Migration' started by blockout99, Aug 5, 2004.

  1. blockout99

    blockout99 Guest

    Encountered issue when migrating file shares from an NT4
    BDC to a W2K3 member server in mixed mode AD.

    File share on the BDC had permissions applied using local
    groups. FSMT migrated the shares and data and
    permissions perfectly. However, users got Access Denied

    This is because Domain Local groups do not exist properly
    in mixed mode AD - see;en-

    Point is why didn't the FSMT flag this as an error?
    Using the GUI doesn't allow you to select a Domain Local
    group to apply permissions to, only Global groups when in
    mixed mode. Yet FSMT performed the operation with no
    indication that it wouldn't work. Looking at the file
    and share permissions it looked as though permissions had
    been applied properly, but access was still denied.

    Try it and you'll see what I mean.

    FSMT should flag this behaviour with local groups when in
    mixed mode.

    That's it off my chest!

    Gar W (MCSE since 1995!)
    blockout99, Aug 5, 2004
  2. Hi, Gar

    You are correct in describing both the symptoms and the reasons - when AD is
    running in mixed mode, local groups on BDC are also domain local groups, so
    their SIDs are recognized on member servers - but not honored in ACLs. The
    solution is use subinacl
    to change group SIDs in file ACLs, or (as the KB suggests) to convert the
    domain to native mode.

    This is relatively rare case, and we need to document it properly. Thanks
    for finding, diagnosing and posting the information.

    -- Mark
    Mark Sterin
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Mark Sterin [MSFT], Aug 6, 2004
