scottyboy777
AD migration ntfs issues........

We're having difficulty transferring our data's NTFS permissions to a new AD domain from NT4.

When using robocopy with /sec the data is copied, but all the ACEs come up as ? s-1-5-2 1264763 etc.

Should I be using the subinacl command? If so, where should this be run from?

Thanks in advance....
ian_chard

How did you move the user accounts/groups over? Did you just upgrade them or are you starting from fresh? If you're starting on a new domain with a new batch of users (rather than transferring them), the accounts won't be copied over. So the reason you are getting this is that when you are using robocopy it's copying the SIDs for the user accounts (or groups) from the NT domain, which is no longer there (or can't be seen by the AD domain). If you transferred the accounts over, then you're probably getting duplication (so for instance you could have a user called ABC in your NT domain who now has an AD logon of ABC2 (or ABC0)).

Off the top of my head, you'll either have to use subinacl to alter the NTFS permissions, or alter them manually on the folders yourself the normal way if the accounts are new in the AD structure.

ASKER CERTIFIED SOLUTION
schalcraft

scottyboy777 (ASKER)
Thanks for the info...

The NT4 server is a member server in the original domain. I believe the AD migration tool was used to migrate users and groups to the new 2003 domain.

There is a trust set up between the old and new domain.

Ideally we want to transfer the data to a NAS box; however, I don't believe I can run the subinacl command on the NAS box, as far as I'm aware....

As long as your NAS box is a member of the domain, robocopy will work perfectly okay. We use it for these types of data migrations regularly.

Forget that, I misread your reply.

Possibly you could use cacls to extract the permissions on the old server and then apply them to the new location. As long as the same object names are used, then the underlying security identifiers are not important.

Is this still an option ..........

"If the server IS a member of the domain, then you are seeing the SIDs as they are objects that have been defined on the local server. The new server can't resolve the objects that are part of the old server's local security database.
You can fix this by creating new domain-based users and groups, and assigning the rights to the data on the NT4 server. After this has been done and the data re-copied, then the new server will still be able to resolve the SIDs as they are known to the domain.

This issue typically occurs when rights and permissions are assigned to a local group. You can view these groups by running 'usrmgr \\myserver' after logging in to the old server. After creating the domain-based groups, move the users to the new groups and remove the local groups from the filesystem permissions"

And does subinacl have to be run from the destination NAS box?

thanks

scott
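The mechanism ian_chard describes (robocopy /sec carries ACEs whose SIDs the new domain cannot resolve, which is why they display as "? S-1-5-...") and the fix quoted in the reply above (create domain-based groups, reassign, then re-copy) can both be checked from the destination side. The PowerShell below is an added example written for this thread; it is not code from the thread, from robocopy, subinacl or cacls. D:\Data, the two SIDs and the NEWDOMAIN\Finance-* group names are constructed placeholders, and the script assumes it runs under an account that can read and write the ACLs on the tree.

```powershell
# Added example, not from the original thread. Audits a migrated tree for
# access-control entries whose identity is still a raw SID (the "? S-1-5-..."
# entries left behind when robocopy /sec copies ACEs the new domain cannot
# resolve) and, given a mapping to new-domain principals, rewrites them.
# Assumptions (all placeholders): the tree is D:\Data, the SIDs in $SidMap are
# constructed, and NEWDOMAIN\... are groups already created in the new domain.

$Root = 'D:\Data'

# Constructed mapping: orphaned SID -> principal in the new domain.
# Populate it from the audit report below and the groups you created.
$SidMap = @{
    'S-1-5-21-1111111111-2222222222-3333333333-1001' = 'NEWDOMAIN\Finance-RW'
    'S-1-5-21-1111111111-2222222222-3333333333-1002' = 'NEWDOMAIN\Finance-RO'
}

function Get-OrphanedAce {
    param([string]$Path)
    # A resolvable account displays as DOMAIN\name; one the domain cannot
    # resolve (old domain, or the old server's local SAM) stays as S-1-5-...
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -match '^S-1-5-') {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Repair-OrphanedAce {
    param([string]$Path, [hashtable]$Map, [switch]$WhatIf)
    # Only explicit ACEs are rewritten; inherited copies are regenerated from
    # the parent once it is fixed, so editing them directly would be redundant.
    $paths = Get-OrphanedAce -Path $Path |
             Where-Object { -not $_.Inherited } |
             Select-Object -ExpandProperty Path -Unique
    foreach ($p in $paths) {
        $acl = Get-Acl -LiteralPath $p
        $changed = $false
        $orphans = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -match '^S-1-5-' })
        foreach ($ace in $orphans) {
            $sid = $ace.IdentityReference.Value
            if (-not $Map.ContainsKey($sid)) {
                Write-Warning "No mapping for $sid on ${p}; left as-is"
                continue
            }
            # Same rights, inheritance and allow/deny type, new principal.
            # ACEs carrying generic access-mask bits (common on NT4-era data)
            # cannot be expressed as FileSystemRights; they are reported, not changed.
            $ruleArgs = @($Map[$sid], $ace.FileSystemRights, $ace.InheritanceFlags,
                          $ace.PropagationFlags, $ace.AccessControlType)
            try {
                $new = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
            } catch {
                Write-Warning "Cannot rebuild ACE for $sid on ${p}: $($_.Exception.Message)"
                continue
            }
            if ($WhatIf) {
                Write-Host "Would replace $sid with $($Map[$sid]) on $p"
            } else {
                [void]$acl.RemoveAccessRule($ace)
                $acl.AddAccessRule($new)
                $changed = $true
            }
        }
        if ($changed) { Set-Acl -LiteralPath $p -AclObject $acl }
    }
}

# 1) Report what is orphaned, grouped by SID, to decide which groups to create and map.
Get-OrphanedAce -Path $Root | Group-Object Sid |
    Select-Object Name, Count | Format-Table -AutoSize

# 2) Dry run first, then the real pass once every SID in the report has a mapping.
Repair-OrphanedAce -Path $Root -Map $SidMap -WhatIf
# Repair-OrphanedAce -Path $Root -Map $SidMap
```

Get-Acl and Set-Acl accept a UNC path, so $Root can be \\nas\share and the script can run from any domain-joined machine rather than on the NAS itself. The audit step also answers the question of whether a "? S-1-5-..." entry is a dead old-domain SID or a local group from the old member server: if the SID appears in the report after the domain groups exist and the data has been re-copied, it was never re-assigned on the source.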
SOLUTION
If your old NT4 domain trusts the new domain, then you can assign file permissions on the NT box to users and groups in the new domain. A robocopy will then assign the new-domain security to your NAS shares. Sadly though, any dag-ends of allocation from the old domain will still show up as SIDs.

Do we need a two-way trust set up for me to complete the above work? We only have a one-way trust at the moment: our new 2003 AD domain has an incoming trust from the old NT domain. Is this enough to robocopy the data including NTFS permissions?

thanks
An incoming trust is one where the AD domain is trusted by another domain, so in this case your NT4 domain can trust user accounts that exist in your new AD domain.

You don't need to set up two-way trusts unless you need your old NT4 domain user accounts to be able to access resources in the new AD domain.