Re: howto: migrate fileserver resources from NT4 BDC to W2003 member server
- From: "Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx>
- Date: Tue, 10 Jan 2006 11:36:50 +0100
Hi,
As far as I know, in NT4 (and older NT versions) there is no such thing as domain
global groups and domain local groups. There are only two types available, local
groups and global groups. And these local groups are the only
local groups, available on all NT4 PDCs and BDCs.
The problem is that during migration of an NT4 domain, these NT4 local groups
are converted into domain local groups, and these domain local groups are not
visible on member servers until the domain is switched from mixed mode into
Windows 2000 native mode. Microsoft acknowledges this as a problem in KB
article 296369. Changing the domain local group scope to domain global or
universal is also not possible when the domain is in NT4 mixed mode.
Thank you, and best regards,
Franz
"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:5kJwaucFGHA.3696@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> I'm confused. Actually, Microsoft suggests adding the Domain Global Group to a
> Domain Local Group, not the local group of a member server. Please clarify your
> situation.
>
>
> Best regards,
>
> Vincent Xu
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> --------------------
>>>From: "Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx>
>>>Subject: Re: howto: migrate fileserver resources from NT4 BDC to W2003 member server
>>>Date: Tue, 10 Jan 2006 08:54:33 +0100
>>>
>>>Hi
>>>
>>>Thank you for your feedback.
>>>
>>>It seems indeed that there is no other solution.
>>>
>>>But since Windows NT exists, Microsoft recommends even for single domain
>>>environments to make global groups, put people in global groups, make local
>>>groups, put the global groups into the local groups and finally assign
>>>permissions to files and directories to these local groups.
>>>
>>>These local groups exist on NT4 PDCs, BDCs and NT4 member servers as
>>>well.
>>>
>>>When finally the domain is upgraded to W2K (or Windows 2003 as well?), all
>>>these local groups disappear on all member servers and all permissions to
>>>files and directories have to be redefined. Would be better if we weren't
>>>following Microsoft guidelines and chose the easy way: just assigning all
>>>permissions to global groups and not using local groups.
>>>
>>>What is important to us as Microsoft Partner for future projects:
>>>- Does this problem also exist if an NT4 domain is upgraded to Windows 2003
>>>SP1?
>>>- Haven't found any Microsoft documents describing this problem, how to
>>>upgrade an NT4 domain and migrate fileserver resources from NT4 BDC to
>>>member servers. Are there any documents, KB articles available?
>>>
>>>Thank you in advance for any help
>>>Franz
>>>
>>>"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>>news:iErXdZYFGHA.3152@xxxxxxxxxxxxxxxxxxxxxxxx
>>>> Hi,
>>>>
>>>> Please understand that ACLs use SIDs to identify each user account. Since
>>>> local users (groups) exist only in one system, they cannot be transferred
>>>> to another system. The only thing we can do is replace the SID with a new
>>>> SID to let the users in another system have permission to access.
>>>>
>>>> Thanks.
>>>>
>>>> Best regards,
>>>>
>>>> Vincent Xu
>>>> Microsoft Online Partner Support
>>>>
>>>> Get Secure! - www.microsoft.com/security
>>>>
>>>> When responding to posts, please "Reply to Group" via your newsreader so
>>>> that others may learn and benefit from your issue.
>>>>
>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>> rights.
>>>>
>>>>
>>>> --------------------
>>>>>>From: "Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx>
>>>>>>Subject: Re: howto: migrate fileserver resources from NT4 BDC to W2003 member server
>>>>>>Date: Mon, 9 Jan 2006 11:08:20 +0100
>>>>>>
>>>>>>Hi
>>>>>>
>>>>>>Thank you for your feedback.
>>>>>>
>>>>>>We already use robocopy for migrating the files to the member server;
>>>>>>copying the security information (ACLs of files and directories) is not a
>>>>>>problem. The file server migration wizard can do the same, but the FSMT
>>>>>>whitepaper (on page 8) explicitly states that it does not migrate local
>>>>>>groups as well.
>>>>>>
>>>>>>So, we are still very interested in ideas or a solution how to migrate
>>>>>>directories and files with assigned NT4 system local group permissions
>>>>>>from NT4 BDCs to Windows 2003 member servers without rewriting the ACL of
>>>>>>all objects.
>>>>>>
>>>>>>Thank you all in advance for any help
>>>>>>Franz
>>>>>>
>>>>>>
>>>>>>
>>>>>>"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>>>news:POf4BHOFGHA.3696@xxxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'd like to provide the following two tools:
>>>>>>>
>>>>>>> FSMT
>>>>>>> http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfsc.mspx
>>>>>>>
>>>>>>> Robocopy
>>>>>>> http://support.microsoft.com/?kbid=323275
>>>>>>>
>>>>>>> Hope it helps
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Vincent Xu
>>>>>>> Microsoft Online Partner Support
>>>>>>>
>>>>>>> Get Secure! - www.microsoft.com/security
>>>>>>>
>>>>>>> When responding to posts, please "Reply to Group" via your newsreader
>>>>>>> so that others may learn and benefit from your issue.
>>>>>>>
>>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>>> rights.
>>>>>>>
>>>>>>>
>>>>>>> --------------------
>>>>>>>>>From: "Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx>
>>>>>>>>>Subject: howto: migrate fileserver resources from NT4 BDC to W2003 member server
>>>>>>>>>Date: Fri, 6 Jan 2006 18:59:38 +0100
>>>>>>>>>
>>>>>>>>>We have to migrate 14 NT4 BDCs with a lot of fileserver resources to
>>>>>>>>>Windows 2003 member servers. The domain is in Windows 2000 mixed mode
>>>>>>>>>(because of all NT4 BDCs). The AD forest/domain has to be W2K, a schema
>>>>>>>>>upgrade to Windows 2003 is not possible due to regulations of the
>>>>>>>>>holding company.
>>>>>>>>>
>>>>>>>>>Have discovered now that all local group ACE entries on the migrated
>>>>>>>>>directories and files on the Windows 2003 member servers are without
>>>>>>>>>effect! And the local groups are not visible in the ACL editor of the
>>>>>>>>>Windows 2003 server. Have then found a KB article Q296369 which states
>>>>>>>>>that domain local groups cannot be used when a Windows 2000 domain is
>>>>>>>>>in mixed mode (although the KB article mentions that the problem only
>>>>>>>>>applies to MS SharePoint Portal Server 2001). It's also not possible to
>>>>>>>>>change the scope of the domain local groups when the W2K domain is in
>>>>>>>>>mixed mode. And the 14 NT4 BDCs are distributed in the whole country
>>>>>>>>>and it's impossible to migrate them all at the same time (even if
>>>>>>>>>Switzerland is not very big).
>>>>>>>>>
>>>>>>>>>We are now in a bad situation. The Windows 2000 domain contains about
>>>>>>>>>240 local groups which are all used for assigning permissions on
>>>>>>>>>directories on the file server. Have found the tool "subinacl.exe" that
>>>>>>>>>is capable of replacing a local group ACE entry with a global group ACL
>>>>>>>>>entry for all objects in a directory tree. But running subinacl.exe 240
>>>>>>>>>times through directory trees of 20 to 50 GBytes is very time-consuming.
>>>>>>>>>
>>>>>>>>>The only MS KB article Q296369 where Microsoft acknowledges that this
>>>>>>>>>is a problem in Windows 2000 was last modified January 3, 2003.
>>>>>>>>>
>>>>>>>>>- Does anyone know if there is any solution available for this problem
>>>>>>>>>today?
>>>>>>>>>- Would an upgrade of the AD forest and domain to Windows 2003 solve
>>>>>>>>>this problem?
>>>>>>>>>- Does anyone know another, better solution than replacing ACE entries
>>>>>>>>>with subinacl.exe?
>>>>>>>>>
>>>>>>>>>We really appreciate any help, thank you all in advance!
>>>>>>>>>Franz
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>
>>>
>>>
>
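
Added example, not part of the thread and not code from any poster or from Microsoft: the thread's two technical points are that an ACE stores a SID rather than a group name, and that replacing one group per subinacl.exe run means 240 walks of the tree. The Python sketch below rewrites trustee SIDs in SDDL-form DACLs from a mapping table in a single pass, skips inherited ACEs (they follow from the parent), and lists domain SIDs the table does not cover. The SIDs, paths, ACLs and the names `remap_sddl` and `remap_tree` are constructed for illustration.

```python
import re

# Constructed sample values: domain SID prefix, RIDs, paths and ACLs are invented.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
# Old local-group SID -> global-group SID that replaces it (one row per group).
SID_MAP = {f"{DOM}-1105": f"{DOM}-2201", f"{DOM}-1106": f"{DOM}-2202"}
# path -> DACL in SDDL form, as an ACL dump of the migrated tree might hold it.
ACLS = {
    r"D:\data": f"D:PAI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;{DOM}-1105)",
    r"D:\data\hr": f"D:AI(A;OICI;0x1200a9;;;{DOM}-1106)(A;OICIID;0x1301bf;;;{DOM}-1105)",
    r"D:\data\old": f"D:(A;;FR;;;{DOM}-1199)",
}
# Matches simple ACEs only; conditional ACEs (nested parentheses) are not handled.
ACE_RE = re.compile(r"\(([^()]*)\)")


def remap_sddl(sddl, sid_map):
    """Rewrite explicit-ACE trustees per sid_map; return (sddl, replaced, unmapped)."""
    targets = set(sid_map.values())
    replaced, unmapped = 0, set()

    def fix_ace(match):
        nonlocal replaced
        # ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
        fields = match.group(1).split(";")
        if len(fields) < 6:
            return match.group(0)
        flags = {fields[1][i:i + 2] for i in range(0, len(fields[1]), 2)}
        if "ID" in flags:  # inherited ACE: fixed by rewriting the parent
            return match.group(0)
        trustee = fields[5]
        if trustee in sid_map:
            fields[5] = sid_map[trustee]
            replaced += 1
        elif trustee.startswith("S-1-5-21-") and trustee not in targets:
            unmapped.add(trustee)  # domain/machine SID with no replacement
        return "(" + ";".join(fields) + ")"

    return ACE_RE.sub(fix_ace, sddl), replaced, unmapped


def remap_tree(acls, sid_map):
    """One pass over every object with all mappings applied at once."""
    changed, review = {}, set()
    for path, sddl in acls.items():
        new_sddl, count, unmapped = remap_sddl(sddl, sid_map)
        if count:
            changed[path] = new_sddl
        review |= unmapped
    return changed, review
```

Running the result through `remap_sddl` a second time replaces nothing, so the pass can be repeated safely after a partial run.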