I would like suggestions on the best method of moving a Win2003 fileserver (ServerA) that is currently a member server in an NT4 domain to an AD environment as a member server. ServerA uses local groups, which contain NT4 Global Groups, to provide access control to its fileshares. Obviously, when I have ServerA join the AD, no one on the AD will have access to the fileshares on ServerA. I have thought about scripting the creation of Domain Local Groups in the AD with the same names as the ServerA local groups. I could then use subinacl to swap the SIDs (i.e. ServerA\FinanceGroup's SIDs would be replaced with the AD Domain Local group FinanceGroup's SIDs). This seems kind of hairy and would need to be thoroughly tested to give me peace of mind. I have also thought about using the sIDHistory attribute, but from what I have read this is only a short-term solution until all ACLs have been re-ACLed.
Any suggestions are welcome.
Thanks.
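As an added example (not from the question or its author), the SID-swap step described above done in PowerShell with Get-Acl/Set-Acl instead of subinacl, so that every change is reported before it is written. It assumes ServerA has already joined the domain, that domain local groups with the same names as the ServerA local groups already exist, and uses ServerA, CORP and D:\Shares as placeholder names.

```powershell
# Added example, not from the original question: rewrite explicit ACEs under a share root so
# that references to ServerA local groups point at the AD domain local groups of the same name.
# Placeholders/assumptions: computer name ServerA, AD NetBIOS name CORP, share root D:\Shares;
# the matching domain local groups already exist. Run on ServerA after it has joined the domain.
param(
    [string]$ShareRoot = 'D:\Shares',
    [string]$OldPrefix = 'ServerA\',   # local group references as they appear in the ACLs
    [string]$NewPrefix = 'CORP\',      # domain local groups created with the same names
    [switch]$Apply                     # without -Apply nothing is written; the run is a report
)

# Resolve a domain account name to a SID, or $null if it does not exist (no dangling ACEs).
function Resolve-Sid([string]$account) {
    try {
        return ([System.Security.Principal.NTAccount]$account).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch { return $null }
}

$targets = @(Get-Item -Path $ShareRoot) +
           @(Get-ChildItem -Path $ShareRoot -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $targets) {
    $acl = Get-Acl -Path $item.FullName
    $changed = $false
    # Inherited ACEs are left alone: they change when their parent is rewritten.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $who = $ace.IdentityReference.Value
        if (-not $who.StartsWith($OldPrefix, [StringComparison]::OrdinalIgnoreCase)) { continue }
        $newName = $NewPrefix + $who.Substring($OldPrefix.Length)
        $sid = Resolve-Sid $newName
        if ($null -eq $sid) {
            Write-Warning "$($item.FullName): '$newName' not found in AD; ACE for $who kept"
            continue
        }
        # Same rights, inheritance, propagation and allow/deny type; only the trustee changes.
        $newAce = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $sid, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
        $acl.RemoveAccessRuleSpecific($ace)
        $acl.AddAccessRule($newAce)
        $changed = $true
        Write-Output "$($item.FullName): $who -> $newName [$($ace.AccessControlType) $($ace.FileSystemRights)]"
    }
    if ($changed -and $Apply) { Set-Acl -Path $item.FullName -AclObject $acl }
}
```

Run it once without -Apply and keep the output as the change record; a name that does not resolve is flagged rather than replaced, which catches groups the creation script missed before any ACL is touched.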