scottyboy777
asked on
AD migration NTFS issues
We're having difficulty transferring our data NTFS permissions to a new AD domain from NT4.
When using robocopy with /sec the data copied but all the ACEs come up with ? s-1-5-2 1264763 etc.
Should I be using the subinacl command? If so, where should this be run from?
Thanks in advance.
ASKER CERTIFIED SOLUTION
ASKER
Thanks for the info...
The NT4 server is a member server in the original domain. I believe the AD migration tool was used to migrate users and groups to the new 2003 domain.
There is a trust set up between the old and new domain.
Ideally we want to transfer the data to a NAS box, however I don't believe I can run the subinacl command on the NAS box as far as I'm aware.
As long as your NAS box is a member of the domain, robocopy will work perfectly okay. We use it for these types of data migrations regularly.
Forget that, I misread your reply.
Possibly you could use cacls to extract the permissions on the old server and then apply them to the new location. As long as the same object names are used, then the underlying security identifiers are not important.
ASKER
Is this still an option?
"If the server IS a member of the domain, then you are seeing the SIDs as they are objects that have been defined on the local server. The new server can't resolve the objects that are part of the old server's local security database.
You can fix this by creating new domain-based users and groups, and assigning the rights to the data on the NT4 server. After this has been done and the data re-copied, then the new server will still be able to resolve the SIDs as they are known to the domain.
This issue typically occurs when rights and permissions are assigned to a local group. You can view these groups by running 'usrmgr \\myserver' after logging in to the old server. After creating the domain-based groups, move the users to the new groups and remove the local groups from the filesystem permissions."
And does subinacl have to be run from the destination NAS box?
thanks
scott
SOLUTION
If your old NT4 domain trusts the new domain, then you can assign file permissions on the NT box to users and groups in the new domain. A robocopy will then assign the new domain security to your NAS shares. Sadly though, any dag ends of allocation from the old domain will still show up as SIDs.
ASKER
Do we need a two-way trust set up for me to complete the above work? We only have a one-way trust at the moment - our new 2003 AD domain has an incoming trust from the old NT domain. Is this enough to robocopy the data inc. NTFS permissions?
thanks
An incoming trust is one where the AD domain is trusted by another domain, so in this case, your NT4 domain can trust user accounts that exist in your new AD domain.
You don't need to set up two-way trusts unless you need your old NT4 domain user accounts to be able to access resources in the new AD domain.
Off the top of my head, you'll either have to use subinacl to alter the NTFS permissions, or alter them manually on the folders yourself the normal way if the accounts are new in the AD structure.
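
An added example, not part of the thread or any poster's code: a PowerShell audit of the copied tree that lists the explicit ACEs whose SIDs no longer resolve to an account (the "?" / S-1-5-... entries described in the question), grouped by SID so each one can be remapped with subinacl or by hand. The path is a hypothetical placeholder, and PowerShell 3.0 or later on a Windows host joined to the new domain is assumed.

```powershell
# Added example: inventory orphaned SIDs left in NTFS ACLs after a copy with
# robocopy /sec. Nothing is modified; this only reads ACLs.
param(
    [string]$Root = 'D:\MigratedData'   # hypothetical path to the copied data
)

$NTAccount = [System.Security.Principal.NTAccount]
$SidType   = [System.Security.Principal.SecurityIdentifier]
$NotMapped = [System.Security.Principal.IdentityNotMappedException]

function Test-SidResolves {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        [void]$Sid.Translate($NTAccount)
        return $true
    } catch {
        # Only "no such account" counts as orphaned; other failures are re-thrown
        if ($_.Exception.GetBaseException() -is $NotMapped) { return $false }
        throw
    }
}

function Get-OrphanedSid {
    param([string]$Path)
    $resolved = @{}   # SID string -> $true/$false, so each SID is looked up once
    $summary  = @{}   # orphaned SID string -> summary object
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }
        # Explicit ACEs only, returned as raw SIDs rather than translated names
        foreach ($rule in $acl.GetAccessRules($true, $false, $SidType)) {
            $sid = $rule.IdentityReference
            if (-not $resolved.ContainsKey($sid.Value)) {
                $resolved[$sid.Value] = Test-SidResolves $sid
            }
            if ($resolved[$sid.Value]) { continue }
            if (-not $summary.ContainsKey($sid.Value)) {
                $summary[$sid.Value] = [pscustomobject]@{
                    Sid = $sid.Value; AceCount = 0; FirstPath = $item.FullName
                }
            }
            $summary[$sid.Value].AceCount++
        }
    }
    $summary.Values | Sort-Object AceCount -Descending
}

Get-OrphanedSid -Path $Root | Format-Table -AutoSize
```

Inherited ACEs are skipped on purpose, so each orphaned entry is counted once at the folder or file where it was actually set.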