Microsoft KB Archive/250267

= You cannot resolve local groups when you migrate files between member servers of different domains =

Article ID: 250267

Article Last Modified on 11/6/2007


APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows NT Server 3.51




This article was previously published under Q250267





SUMMARY
''When you copy files or folders from a server to a member server of a different domain, the second server may not identify the local groups of the first server. This behavior occurs because the second server cannot identify the security identifiers (SIDs) of the first server's local groups. This article discusses a method to resolve this behavior.''



SYMPTOMS
When you copy files or folders from one server to another server that is a member of a different domain, the access control entries for the first server's local groups appear as Unknown on the second server. These access control entries are part of the discretionary access control lists (DACLs) for files and folders.

This behavior occurs when both servers are running Microsoft Windows NT Server 4.0 or Microsoft Windows 2000 Server.



CAUSE
This behavior occurs because the security identifier (SID) values for the local groups on the first server are valid only on that server. (The SID values for other user accounts on the first server are also valid only on that server.) These SID values are not valid on a server that is located on a different domain. The second server does not recognize the SID values for the first server's local groups and user accounts.



RESOLUTION
To resolve this behavior, follow these steps:

1. Save the first server's local group information to a file:
   a. Log on to the first server as a member of the Administrators group.
   b. At a command prompt, type the following command, and then press ENTER:

      addusers  /d

      In this command,  is the name of the first server, and   is the file where local groups information is saved.
   c. Edit the  file to delete user accounts information and global groups information, and then save the file with a different name. For example, save the modified file as Renfile.txt.

      Important Retain the local groups information in the file.
   d. Copy the modified file to the second server's domain.

2. Copy the first server's local groups to the second server's domain as local domain groups:
   a. Log on to the domain of the second server as a member of the Administrators group.
   b. At a command prompt, type the following command, and then press ENTER:

      addusers  /c renfile.txt

      In this command,  is the name of the domain, and Renfile.txt is the file that contains local group information of the first server. If the groups do not exist in the domain, they will be created. If the groups exist in the domain, the group members will be added to the corresponding groups.

3. Copy data from the first server to the second server:
   a. Log on to the second server as a member of the Administrators group who has access to the data on the first server.
   b. Create a shared folder on the second server.
   c. Log on to the first server and copy the data to the new shared folder on the second server. To do this, use one of the following methods:
      * To use the Xcopy command-line tool, type the following command at the command prompt, and then press ENTER:

        xcopy  /O /X /E /H /K

        In this command,  is a placeholder for the location of the first server files, and   is a placeholder for the location of the new shared folder in the second server.
      * To use the Robocopy command-line tool, type the following command at the command prompt, and then press ENTER:

        robocopy   /secfix /xo /xn /xc K

        In this command,  is a placeholder for the location of the first server files, and   is a placeholder for the location of the new shared folder in the second server.

        Note If you want the destination folder to be an exact mirror of the source folder, you must run Robocopy by using the parameters to update only the file security information, and then run the Robocopy command without using the /xo, /xn, or /xc parameters.
   d. Copy the Renfile.txt file to the second server.

4. Retrieve the SID values for the first server's local groups and for the domain, and then save them to a file:
   a. Copy the local groups from the Renfile.txt file to a new file on the second server. Give the new file a name such as Listmemberlocal.txt. This file must contain only the names of the first server's local groups. There must be only one name displayed in each row. The content of the Listmemberlocal.txt file must appear similar to the following text, where "LocalA" and "LocalB" are the names of local groups:

<pre class="fixed_text">
LocalA
LocalB
</pre>

   b. Create three batch files on the second server. These batch files retrieve and store the SID values to a text file. You must create these files in one folder. The contents of the batch files must be similar to the following sample code.

      Note In this code,  is a placeholder for the file where the SID values are stored.
      * Save the following to a file that is named Listsid.bat.

<pre class="fixed_text">
echo off
cls
if exist groupssid.txt del groupssid.txt
for /F "tokens=1" %%a in (listmemberlocal.txt) do call listsid1.bat %%a
</pre>

      * Save the following to a file that is named Listsid1.bat.

<pre class="fixed_text">
getsid \\2b21d %1 \\w2kdomain1.loc %1 >sid1.txt
for /F "skip=1 tokens=5,7" %%a in (sid1.txt) do call listsid2.bat %%a %%b
</pre>

        Note Here,  is a placeholder for the NetBIOS name of the first server, and   is a placeholder for the domain name of the second server.
      * Save the following to a file that is named Listsid2.bat.

<pre class="fixed_text">
echo %1 %2 >>groupssid.txt
</pre>

   c. At a command prompt, locate and then run the Listsid.bat file.
   d. To view the SID values, open the Groupssid.txt file. The content of the Groupssid.txt file is similar to the following:

<pre class="fixed_text">
2B21D\LocalA S-1-5-21-90593156-579754539-1338337383-1002
W2KDOMAIN1\LocalA S-1-5-21-1844237615-261478967-839522115-1126
2B21D\LocalB S-1-5-21-90593156-579754539-1338337383-1003
W2KDOMAIN1\LocalB S-1-5-21-1844237615-261478967-839522115-1127
2B21D\LocDom1 S-1-5-21-90593156-579754539-1338337383-1004
W2KDOMAIN1\LocDom1 S-1-5-21-1844237615-261478967-839522115-1125
</pre>

   e. Edit the content of the Groupssid.txt file so that it is similar to the following:

<pre class="fixed_text">
S-1-5-21-90593156-579754539-1338337383-1002  S-1-5-21-1844237615-261478967-839522115-1126
S-1-5-21-90593156-579754539-1338337383-1003  S-1-5-21-1844237615-261478967-839522115-1127
S-1-5-21-90593156-579754539-1338337383-1004  S-1-5-21-1844237615-261478967-839522115-1125
</pre>

      In this content, the SID for the first local group is followed by the SID for the local group in the domain of the second server.

5. Replace the SID values of all the first server's local groups with the SID values of the second server's domain local groups:
   a. Create two batch files on the second server. The contents of the batch files must be similar to the following:
      *

<pre class="fixed_text">
for /F "tokens=1,2" %%a in (groupssid.txt) do subin.bat %%a %%b
</pre>

        Note Here,  is a placeholder for the file that contains the local group SID values for both the first server and the domain.
      *

<pre class="fixed_text">
subinacl /subdirectories e:\root\*.* /replace=%1=%2
</pre>

        Note Here,  is a placeholder for the new folder in the second server to where the first server data is copied.
   b. At a command prompt, locate and then run the Sub.bat file.
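The hand edit of Groupssid.txt in the steps above decides which domain group inherits each access control entry, so a mis-paired line silently grants one group's permissions to another. The following Python script is an added example, not part of the original article or the Resource Kit tools: it builds the SID pairs from the getsid listing and refuses to continue if a group has no domain counterpart or if the SIDs on one side do not share a single machine or domain identifier. The function names (`pair_sids`, `issuer`, `render`) are hypothetical, group names are assumed to contain no spaces (as the article's batch files also assume), and the input is the article's own sample listing.

```python
import re

# Sample input: the Groupssid.txt listing shown in the article.
GROUPSSID = r"""
2B21D\LocalA S-1-5-21-90593156-579754539-1338337383-1002
W2KDOMAIN1\LocalA S-1-5-21-1844237615-261478967-839522115-1126
2B21D\LocalB S-1-5-21-90593156-579754539-1338337383-1003
W2KDOMAIN1\LocalB S-1-5-21-1844237615-261478967-839522115-1127
2B21D\LocDom1 S-1-5-21-90593156-579754539-1338337383-1004
W2KDOMAIN1\LocDom1 S-1-5-21-1844237615-261478967-839522115-1125
"""

SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")


def issuer(sid):
    """SID minus its last sub-authority (RID): identifies the machine or domain."""
    return sid.rsplit("-", 1)[0]


def pair_sids(text, source, target):
    """Return [(source_sid, target_sid), ...], one pair per source group."""
    sides = {source.upper(): {}, target.upper(): {}}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2 or "\\" not in parts[0] or not SID_RE.fullmatch(parts[1]):
            raise ValueError(f"unexpected line: {line!r}")
        owner, group = parts[0].split("\\", 1)
        if owner.upper() not in sides:
            raise ValueError(f"unknown server or domain: {owner}")
        sides[owner.upper()][group.lower()] = parts[1]
    src, dst = sides[source.upper()], sides[target.upper()]
    missing = sorted(set(src) - set(dst))
    if missing:
        raise ValueError(f"no {target} group for: {', '.join(missing)}")
    # Every SID on one side must come from one issuer, and the two issuers
    # must differ; otherwise the listing mixes machines or domains.
    src_issuers = {issuer(s) for s in src.values()}
    dst_issuers = {issuer(s) for s in dst.values()}
    if len(src_issuers) > 1 or len(dst_issuers) > 1 or src_issuers & dst_issuers:
        raise ValueError("SID issuers are inconsistent")
    return [(src[g], dst[g]) for g in src]


def render(pairs):
    """Format pairs as the edited Groupssid.txt: source SID, then domain SID."""
    return "\n".join(f"{old}  {new}" for old, new in pairs)


if __name__ == "__main__":
    print(render(pair_sids(GROUPSSID, "2B21D", "W2KDOMAIN1")))
```
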


MORE INFORMATION
The Addusers, Robocopy, Getsid, and Subinacl utilities are available in the Microsoft Windows 2000 Resource Kits. For more information about the Microsoft Windows 2000 Resource Kits, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/default.mspx?mfr=true
