Re: howto: migrate fileserver resources from NT4 BDC to W2003 member server



Hi

Thank you for your feedback.

We already use robocopy for migrating the files to the member server; copying
the security information (ACLs of files and directories) is not a problem.
The file server migration wizard can do the same, but the FSMT whitepaper
(on page 8) explicitly states that it does not migrate local groups as well.

So, we are still very interested in ideas or a solution how to migrate
directory and files with assigned NT4 system local group permissions from
NT4 BDCs to Windows 2003 member servers without rewriting the ACL of all
objects.

Thank you all in advance for any help
Franz



"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:POf4BHOFGHA.3696@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> I'd like to provide following two tools:
>
> FSMT
> http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfsc.mspx
>
> Robocopy
> http://support.microsoft.com/?kbid=323275
>
> Hope it helps
>
> Best regards,
>
> Vincent Xu
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> --------------------
>>>From: "Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx>
>>>Subject: howto: migrate fileserver resources from NT4 BDC to W2003 member server
>>>Date: Fri, 6 Jan 2006 18:59:38 +0100
>>>Message-ID: <eWnu3ruEGHA.3728@xxxxxxxxxxxxxxxxxxxx>
>>>Newsgroups: microsoft.public.windows.server.migration
>>>
>>>We have to migrate 14 NT4 BDCs with a lot of fileserver resources to
>>>Windows 2003 member servers. The domain is in Windows 2000 mixed mode
>>>(because of all the NT4 BDCs). The AD forest/domain has to be W2K; a schema
>>>upgrade to Windows 2003 is not possible due to regulations of the holding
>>>company.
>>>
>>>We have now discovered that all local group ACE entries on the migrated
>>>directories and files on the Windows 2003 member servers are without effect!
>>>And the local groups are not visible in the ACL editor of the Windows 2003
>>>server. We then found a KB article Q296369 which states that domain local
>>>groups cannot be used when a Windows 2000 domain is in mixed mode (although
>>>the KB article mentions that the problem only applies to MS SharePoint Portal
>>>Server 2001). It's also not possible to change the scope of the domain local
>>>groups when the W2K domain is in mixed mode. And the 14 NT4 BDCs are
>>>distributed over the whole country and it's impossible to migrate them all at
>>>the same time (even if Switzerland is not very big).
>>>
>>>We are now in a bad situation. The Windows 2000 domain contains about 240
>>>local groups which are all used for assigning permissions on directories on
>>>the file server. We have found the tool "subinacl.exe" that is capable of
>>>replacing a local group ACE entry with a global group ACL entry for all
>>>objects in a directory tree. But running subinacl.exe 240 times through
>>>directory trees of 20 to 50 GBytes is very time consuming.
>>>
>>>The only MS KB article Q296369 where Microsoft acknowledges that this is a
>>>problem in Windows 2000 was last modified January 3, 2003.
>>>
>>>- Does anyone know if there is any solution available for this problem
>>>today?
>>>- Would an upgrade of the AD forest and domain to Windows 2003 solve this
>>>problem?
>>>- Does anyone know another, better solution than replacing ACE entries with
>>>subinacl.exe?
>>>
>>>We really appreciate any help, thank you all in advance!
>>>Franz
>>>
>>>
>>>
>
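
The original question describes replacing local group ACEs with global group ACEs one group at a time, 240 passes over each directory tree. As an added illustration (not from the thread and not a Microsoft tool), the Python below applies a whole local-to-global SID mapping to each object's SDDL string in a single pass and drops ACEs that become duplicates. The SIDs, paths, SDDL strings and the names `remap_sddl` and `remap_tree` are all constructed for this example.

```python
import re

# Constructed values: one made-up domain SID, two local->global group pairs.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SID_MAP = {DOM + "-1101": DOM + "-2101",   # e.g. Sales_L -> Sales_G
           DOM + "-1102": DOM + "-2102"}   # e.g. HR_L    -> HR_G

# Constructed SDDL as it might be dumped per directory (path -> descriptor).
SAMPLE_ACLS = {
    r"D:\Data\Sales": "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;%s-1101)"
                      "(A;OICI;0x1301bf;;;%s-2101)" % (DOM, DOM),
    r"D:\Data\HR": "O:BAG:DUD:(A;OICI;0x1200a9;;;%s-1102)(A;;FA;;;SY)" % DOM,
    r"D:\Data\Public": "O:BAG:DUD:(A;OICI;0x1200a9;;;BU)",
}

ACE_RE = re.compile(r"\(([^()]*)\)")   # one simple (non-conditional) ACE


def remap_sddl(sddl, sid_map):
    """Swap mapped trustee SIDs in one pass; return (sddl, replaced, dropped)."""
    seen, counts = set(), {"replaced": 0, "dropped": 0}

    def fix(match):
        fields = match.group(1).split(";")
        if len(fields) < 6:                # not an ACE body; leave untouched
            return match.group(0)
        if fields[5] in sid_map:           # field 6 of an ACE is the trustee SID
            fields[5] = sid_map[fields[5]]
            counts["replaced"] += 1
        key = tuple(fields)
        if key in seen:                    # identical ACE already present
            counts["dropped"] += 1         # (e.g. the global group had it)
            return ""
        seen.add(key)
        return "(" + ";".join(fields) + ")"

    return ACE_RE.sub(fix, sddl), counts["replaced"], counts["dropped"]


def remap_tree(acls, sid_map):
    """Return ({path: new_sddl} for objects that need a write, total replaced)."""
    changed, total = {}, 0
    for path, sddl in acls.items():
        new, replaced, _ = remap_sddl(sddl, sid_map)
        if new != sddl:
            changed[path] = new
        total += replaced
    return changed, total
```

Objects whose descriptor contains none of the mapped SIDs are left out of the result, so only ACLs that actually reference a local group are rewritten.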

