I would like suggestions on the best method of moving a Win2003 fileserver (ServerA) that is currently a member server in an NT4 domain to an AD environment as a member server. ServerA uses local groups, which contain NT4 Global Groups, to provide access control to its fileshares. Obviously, when I have ServerA join the AD, no one on the AD will have access to the fileshares on ServerA. I have thought about scripting the creation of Domain Local Groups in the AD with the same names as the ServerA local groups. I could then use subinacl to swap the SIDs (i.e. ServerA\FinanceGroup's SIDs would be replaced with the AD Domain Local group FinanceGroup's SIDs). This seems kind of hairy and would need to be thoroughly tested to give me peace of mind. I have also thought about using the sIDHistory attribute, but from what I have read this is only a short-term solution until all ACLs have been re-ACLed.
Any suggestions are welcome.
Thanks.
The fileserver is actually node1 of a 2-node cluster. I need to have the security based on domain level groups in order to still function in the event of a node failure.
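One way to lay out the plan sketched in the question so it can be reviewed before anything is changed, as an added example that is not part of the original post: it only builds `dsadd` and `subinacl` command lines, defaulting to subinacl's `/testmode`. The AD domain name `CORP`, the OU, the share paths and the group inventory are constructed assumptions, and populating the new groups' membership is left out.

```python
# Added example: builds a reviewable command plan and executes nothing.
# Domain, OU, paths and the group inventory are constructed placeholders.
SERVER = "ServerA"
AD_NETBIOS = "CORP"                            # assumed AD NetBIOS name
GROUP_OU = "OU=FileGroups,DC=corp,DC=example"  # assumed OU for the new groups

# Constructed inventory: local group -> folders whose ACLs reference it.
LOCAL_GROUPS = {
    "FinanceGroup": [r"E:\Shares\Finance"],
    "HRGroup": [r"E:\Shares\HR"],
    "Administrators": [r"E:\Shares\Finance"],
}
BUILTIN = {"administrators", "users", "power users", "backup operators", "guests"}
EXISTING_AD_GROUPS = {"hrgroup"}  # constructed: names already present in AD


def build_plan(local_groups, existing_ad, test_mode=True):
    """Return (commands, skipped) for moving local-group ACEs to AD groups."""
    commands, skipped = [], []
    mode = "/testmode " if test_mode else ""
    for name in sorted(local_groups):
        key = name.lower()
        if key in BUILTIN:
            # Built-in groups exist on every server; their ACEs stay as they are.
            skipped.append((name, "built-in local group"))
            continue
        if key in existing_ad:
            # A same-named AD group may have unrelated members: review by hand.
            skipped.append((name, "name already exists in AD"))
            continue
        # Domain local security group with the same name as the local group.
        commands.append(f'dsadd group "CN={name},{GROUP_OU}" -secgrp yes -scope l')
        swap = f"/replace={SERVER}\\{name}={AD_NETBIOS}\\{name}"
        for path in local_groups[name]:
            # The folder itself, then everything beneath it.
            commands.append(f'subinacl {mode}/file "{path}" {swap}')
            commands.append(f'subinacl {mode}/subdirectories "{path}\\*.*" {swap}')
    return commands, skipped


if __name__ == "__main__":
    plan, skipped = build_plan(LOCAL_GROUPS, EXISTING_AD_GROUPS)
    for cmd in plan:
        print(cmd)
    for name, reason in skipped:
        print(f"REM skipped {name}: {reason}")
```
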
Migrating Win2003 Fileserver