Migration to Windows 2003. Replace ACLs
Posted on 2004-08-28
We are planning the migration to Windows 2000. We are going to use ADMT v2 to help us with the process.
-NT 4.0 Domain A (accounts and resources) for a business unit.
-NT 4.0 Domain B (accounts and resources) for a business unit.
-New Domain w2k3 for consolidating domains.
-Two-way trust between Domain A and Domain B
-Two-way trust between Domain A and Domain w2k3
-Two-way trust between Domain B and Domain w2k3
There are users in Domain A who access shared folders in Domain B.
There are users in Domain B who access shared folders in Domain A.
Using ADMT v2 we are going to migrate users from Domain A to Domain w2k3 using SID history, so the users migrated to Domain w2k3 will be able to access the resources in Domain A and Domain B (through SID history).
At the end of the migration process in Domain A, we would like to run the Security Translation Wizard to replace the old SIDs in the migrated objects with the new SIDs. ADMT v2 will work well for the migrated objects (from Domain A) and will replace the SIDs. After this, theoretically, if all is OK, we could remove the PDC and BDC. However, the question is about the ACLs which exist in Domain B (referencing users of Domain A who have been migrated to the new domain): what will happen? Once we remove Domain A, these ACEs will appear as "Unknown account".
Are there any tools to scan and replace ACEs in other domains' resources where ACEs referring to users and groups in Domain A appear?
Thanks in advance.
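
The scan-and-replace step asked about above, as an added example that is not part of the original post: it parses a security descriptor in SDDL form, finds the ACEs whose trustee SID belongs to the old domain, rewrites the ones that have a mapping, and reports the ones that would be left as "Unknown account". The function name, the domain SIDs, the SID map and the SDDL string are all constructed for illustration.

```powershell
# Constructed sample values: Domain A's domain SID and an old -> new SID map
# (the pairing a migration with SID history records for each migrated account).
$oldDomain = 'S-1-5-21-1111111111-2222222222-3333333333'
$sidMap = @{
    "$oldDomain-1105" = 'S-1-5-21-3999999999-1888888888-2777777777-2201'
}
# Constructed SDDL for a folder in Domain B: one built-in ACE, two Domain A ACEs.
$sddl = "O:BAG:BAD:(A;OICI;FA;;;BA)" +
        "(A;OICI;0x1301bf;;;$oldDomain-1105)" +
        "(A;OICI;0x1200a9;;;$oldDomain-1290)"

# Hypothetical helper: returns a per-ACE report and the rewritten SDDL.
function Convert-OldDomainAce {
    param([string]$Sddl, [string]$OldDomainSid, [hashtable]$SidMap)

    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $report = foreach ($ace in $sd.DiscretionaryAcl) {
        # Only ACE types that carry a trustee SID are of interest.
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $old = $ace.SecurityIdentifier.Value
        # Skip trustees outside the old domain (built-ins, other domains).
        if (-not $old.StartsWith("$OldDomainSid-")) { continue }

        $new = $SidMap[$old]
        if ($new) {
            # Same rights and inheritance flags, new trustee.
            $ace.SecurityIdentifier =
                [System.Security.Principal.SecurityIdentifier]::new($new)
        }
        [pscustomobject]@{
            OldSid = $old
            NewSid = $new
            Status = if ($new) { 'Translated' } else { 'Unmapped' }
        }
    }
    [pscustomobject]@{
        Report  = $report
        NewSddl = $sd.GetSddlForm('All')
    }
}

$result = Convert-OldDomainAce -Sddl $sddl -OldDomainSid $oldDomain -SidMap $sidMap
$result.Report | Format-Table -AutoSize
$result.NewSddl
```

For a real folder the input string can come from `(Get-Acl -Path <folder>).Sddl`; the ACE for RID 1290 is reported as `Unmapped` because the constructed map has no entry for it.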