howto: migrate fileserver resources from NT4 BDC to W2003 member server

We have to migrate 14 NT4 BDC's with a lot of fileserver resources to
Windows 2003 member servers. The domain is in Windows 2000 mixed mode
(because of all NT4 BDC's). The AD forest/domain has to be W2K, a schema
upgrade to Windows 2003 is not possible due to regulations of the holding
company.

Have discovered now that all local group ACE entries on the migrated
directories and files on the Windows 2003 member servers are without effect!
And the local groups are not visible in the ACL editor of the Windows 2003
server. Have then found a KB article Q296369 which states that domain local
groups can not be used when a Windows 2000 domain is in mixed mode (although
the KB article mention that the problem only applies to MS sharepoint portal
server 2001). It's also not possible to change the scope of the domain local
groups when the W2K domain is in mixed mode. And the 14 NT4 BDC's are
distributed in the whole country and it's impossible to migrate them all at
the same time (even if Switzerland is not very big).

We are now in a bad situation. The Windows 2000 domain contains about 240
local groups which are all used for assigning permissions on directories on
the file server. Have found the tool "subinacl.exe" that is capable to
replace a local group ACE entry with a global group ACL entry for all
objects in a directory tree. But run subinacl.exe 240 times through
directory trees of 20 to 50 GBytes is very time consuming.

The only MS KB article Q296369 where Microsoft aknowledge that this is a
problem in Windows 2000 was last modified January 3, 2003.

- Does anyone know if there is any solution available for this problem
today?
- Would an upgrade of the AD forest and domain to Windows 2003 solve this
problem?
- Does anyone knows another, better solution than replace ACE entries with
subinacl.exe?

We really appreciate any help, thank you all in advance!
Franz


.

Relevant Pages

  • RE: howto: migrate fileserver resources from NT4 BDC to W2003 member server
    ... The domain is in Windows 2000 mixed mode ... >>server. ... >>replace a local group ACE entry with a global group ACL entry for all ... >>objects in a directory tree. ...
    (microsoft.public.windows.server.migration)
  • Re: howto: migrate fileserver resources from NT4 BDC to W2003 member server
    ... directory and files with assigned NT4 system local group permissions from ... NT4 BDC's to Windows 2003 member servers without rewriteing the ACL of all ...
    (microsoft.public.windows.server.migration)
  • Re: Login Domain
    ... > controller as it's preferred dns server. ... > list permissions and local group memberships if permissions were given to ... I can't login to the Windows 2000 Server to do any of what you ...
    (microsoft.public.windows.server.security)
  • RE: assign domain user rights to change ip address
    ... Windows XP and Server 2003 have a local group called Network Configuration ... Groups GPO settings to implement this across your infrastructure. ...
    (microsoft.public.windows.server.active_directory)
  • RE: SID to SIDHistory
    ... Windows 2000 or Windows Server 2003. ... sidhist.vbs supports Account Types: The source and destination principals ... "Shared" Local Group (local group defined once and shared by all domain ...
    (microsoft.public.windows.server.migration)