howto: migrate fileserver resources from NT4 BDC to W2003 member server

Discussion in 'Server Migration' started by Franz Schenk, Jan 6, 2006.

  1. Franz Schenk


    We have to migrate 14 NT4 BDC's with a lot of fileserver resources to
    Windows 2003 member servers. The domain is in Windows 2000 mixed mode
    (because of all NT4 BDC's). The AD forest/domain has to be W2K, a schema
    upgrade to Windows 2003 is not possible due to regulations of the holding
    company.

    Have discovered now that all local group ACE entries on the migrated
    directories and files on the Windows 2003 member servers are without effect!
    And the local groups are not visible in the ACL editor of the Windows 2003
    server. Have then found a KB article Q296369 which states that domain local
    groups cannot be used when a Windows 2000 domain is in mixed mode (although
    the KB article mentions that the problem only applies to MS SharePoint Portal
    Server 2001). It's also not possible to change the scope of the domain local
    groups when the W2K domain is in mixed mode. And the 14 NT4 BDC's are
    distributed across the whole country and it's impossible to migrate them all at
    the same time (even if Switzerland is not very big).

    We are now in a bad situation. The Windows 2000 domain contains about 240
    local groups which are all used for assigning permissions on directories on
    the file server. Have found the tool "subinacl.exe" that is capable of
    replacing a local group ACE entry with a global group ACL entry for all
    objects in a directory tree. But running subinacl.exe 240 times through
    directory trees of 20 to 50 GBytes is very time consuming.

    The only MS KB article, Q296369, where Microsoft acknowledges that this is a
    problem in Windows 2000 was last modified January 3, 2003.

    - Does anyone know if there is any solution available for this problem
    today?
    - Would an upgrade of the AD forest and domain to Windows 2003 solve this
    problem?
    - Does anyone know another, better solution than replacing ACE entries with
    subinacl.exe?

    We really appreciate any help, thank you all in advance!
    Franz
     
    Franz Schenk, Jan 6, 2006
    #1

  2. Hi,

    I'd like to provide the following two tools:

    FSMT
    http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfsc.mspx

    Robocopy
    http://support.microsoft.com/?kbid=323275

    Hope it helps

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    This posting is provided "AS IS" with no warranties, and confers no rights.


    --------------------
     
    Vincent Xu [MSFT], Jan 9, 2006
    #2

  3. Franz Schenk


    Hi

    Thank you for your feedback.

    We already use robocopy for migrating the files to the member server; copying
    the security information (ACL's of files and directories) is not a problem.
    The file server migration wizard can do the same, but the FSMT whitepaper
    (on page 8) explicitly states that it does not migrate local groups as well.

    So, we are still very interested in ideas or a solution for how to migrate
    directories and files with assigned NT4 system local group permissions from
    NT4 BDC's to Windows 2003 member servers without rewriting the ACL of all
    objects.

    Thank you all in advance for any help
    Franz
     
    Franz Schenk, Jan 9, 2006
    #3
  4. Hi,

    Please understand that ACLs use SIDs to identify each user account. Since local
    users (groups) only exist in one system, they cannot be transferred to
    another system. The only thing we can do is replace the SID with the new SID to
    let the users in another system have permission to access.

    Thanks.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Jan 10, 2006
    #4
  5. Franz Schenk


    Hi

    Thank you for your feedback.

    It seems indeed that there is no other solution.

    But ever since Windows NT has existed, Microsoft has recommended, even for single domain
    environments, to make global groups, put people in global groups, make local
    groups, put the global groups into the local groups and finally assign
    permissions on files and directories to these local groups.

    These local groups exist on NT4 PDC's, BDC's and NT4 Member Servers as
    well.

    When finally the domain is upgraded to W2K (or Windows 2003 as well?), all
    these local groups disappear on all member servers and all permissions on
    files and directories have to be redefined. It would be better if we didn't
    follow Microsoft Guidelines and chose the easy way: just assigning all
    permissions to global groups and not using local groups.

    What is important to us as Microsoft Partner for future projects:
    - Does this problem also exist if an NT4 domain is upgraded to Windows 2003
    SP1?
    - Haven't found any Microsoft documents describing this problem of how to
    upgrade an NT4 domain and migrate fileserver resources from NT4 BDC to
    member servers. Are there any documents, KB articles available?

    Thank you in advance for any help
    Franz
     
    Franz Schenk, Jan 10, 2006
    #5
  6. Hi,

    I'm confused. Actually Microsoft suggests adding the Domain Global Group to the Domain
    Local Group, not the local group of a member server. Please clarify your
    situation.


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Jan 10, 2006
    #6
  7. Franz Schenk


    Hi,

    As far as I know, in NT4 (and older NT versions) there is no such thing as domain
    global groups and domain local groups. There are only two types, local
    groups and global groups, available. And these local groups are the only
    local groups available on all NT4 PDC's and BDC's.

    The problem is that during migration of an NT4 domain, these NT4 local groups
    are converted into "domain local groups", and these domain local groups are not
    visible on member servers until the domain is switched from mixed mode into
    Windows 2000 native mode. Microsoft acknowledges this as a problem in KB
    article 296369. Changing the domain local group scope to domain global or
    universal is also not possible when the domain is in NT4 mixed mode.

    Thank you, and best regards,
    Franz
     
    Franz Schenk, Jan 10, 2006
    #7
  8. Hi Franz,

    You are correct that NT4 didn't have such a concept of global groups and
    local groups as the AD domain. Therefore, Microsoft just recommends adding "Global
    groups into Local groups" in an AD domain, not an NT4 domain.

    For your situation, I think you have to use SubinAcl to replace the ACL in
    each folder.

    Have a good day~


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Jan 11, 2006
    #8
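
The SID replacement discussed in this thread, done for many groups in a single walk of the tree rather than one run per group. This PowerShell script is an added example, not code from the thread's participants or from Microsoft; the SIDs, group names and the `D:\Shares` path are constructed placeholders, and it assumes the replacement global groups already exist in the domain.

```powershell
# Added example: remap explicit ACEs for many groups in ONE pass over a tree.
# Constructed sample mapping: old (domain local) group SID -> replacement global group.
# The SIDs, group names and path are placeholders, not values from the thread.
$map = @{
    'S-1-5-21-1111111111-2222222222-3333333333-1101' = 'EXAMPLE\GG-Finance-RW'
    'S-1-5-21-1111111111-2222222222-3333333333-1102' = 'EXAMPLE\GG-Sales-RO'
}
$root    = 'D:\Shares'   # assumed root of the migrated data
$sidType = [System.Security.Principal.SecurityIdentifier]

function Convert-AclSids {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl, [hashtable]$Map)
    $changed = 0
    # Explicit ACEs only ($true, $false): inherited ones follow from the parent.
    # Requesting SecurityIdentifier avoids name lookups for SIDs that no longer resolve.
    # @() snapshots the collection so it can be modified inside the loop.
    foreach ($ace in @($Acl.GetAccessRules($true, $false, $sidType))) {
        $new = $Map[$ace.IdentityReference.Value]
        if (-not $new) { continue }
        # Same rights, inheritance, propagation and allow/deny type; new trustee.
        $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
            (New-Object System.Security.Principal.NTAccount($new)),
            $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $Acl.RemoveAccessRuleSpecific($ace)
        $Acl.AddAccessRule($replacement)
        $changed++
    }
    return $changed
}

# The root itself plus everything below it, hidden and system items included.
$items = @(Get-Item -LiteralPath $root) +
         @(Get-ChildItem -LiteralPath $root -Recurse -Force)
foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $n = Convert-AclSids -Acl $acl -Map $map
    if ($n -gt 0) {
        # -WhatIf only reports the write; remove it after reviewing the output.
        Set-Acl -LiteralPath $item.FullName -AclObject $acl -WhatIf
        "{0}: {1} ACE(s) remapped" -f $item.FullName, $n
    }
}
```

ACEs that carry generic rights bits cannot be re-created through `FileSystemAccessRule` and raise an error, so items that report one need separate handling.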