I posted a question to find out any information on migrating Netware file permissions to CIFS. I did not get any in-depth feedback, so I want to share what I have learned, and see if anyone has done this.
Basically I have a large Netware 4.x environment, as well as an NT4 domain. All clients (95/NT/2k) authenticate on both NDS and NT4 domain when logging on.
Due to time and budget restraints, I need to migrate data with security intact, from Netware to NT/Filer. In a perfect world this would be a great time to review security and start from the ground up, but this is not possible on this project.
Also, scripting the security migration (file permissions) is beyond what I would deem reasonable for a shell script. My first thought was to dump the Novell permissions to a text file and use cacls or the like to reset them. Novell permissions are just too different. It would take too long (for me) to write and test, and there is a proven solution out there.
After doing some research it seems the best tool for the job is FastLane NDS Migrator (now owned by Quest Software). The limitation is that it only goes from NDS to Active Directory. Perfect if you have AD, but we don't. The answer given to me by Quest that I will be testing and letting the group know about is migrating straight from NDS to the filer, but with an AD "proxy domain". So I build an AD server, install NDS Migrator and SQL server, and then import my users/groups from my existing domain. Once I have an AD Domain with my users and groups, I use FastLane NDS Migrator to move data and migrate security from NDS to AD, with the data being put on the filer. NDS OUs become AD Global Groups. Data transfer speed is limited due to the fact that all data will go from the Netware server, through the AD server, then to the filer. This is offset by the ability of NDS Migrator to migrate data while the users are accessing the data, the SQL server being used by NDS Migrator to track changes. Obviously there will be downtime when the actual cutover occurs.
Now that the data is on the filer with permissions migrated from NDS to CIFS/AD, we are set except for the fact that although user and group names are correct, the domain name and SID are wrong. There is functionality within FastLane to re-ACL everything to the correct NT4 Domain SID that we actually need.
If anyone has done this, or sees any flaws in this plan, I would appreciate feedback.
Additional info can be found at: http://www.quest.com/fastlane/nds_migrator/index.asp
Thank you,
Steve Hight perotsystems ...Servicing Catholic Healthcare West
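
A check for the re-ACL step described in the post, as an added example that is not part of the original message and is not FastLane's code: it rewrites proxy-domain SIDs in an exported SDDL string to the matching production-domain SIDs and reports any ACE still pointing at the proxy domain. It assumes the ACLs are available as SDDL strings; all SIDs, RIDs and account names are constructed, and accounts are matched by name because RIDs are assigned per domain and will not line up.

```python
import re

# Constructed sample values: every SID, RID and account name below is made up.
PROXY_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # temporary AD proxy domain
TARGET_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"  # production NT4 domain
PROXY_ACCOUNTS = {            # SID in the proxy domain -> account name
    PROXY_DOMAIN + "-1105": "jsmith",
    PROXY_DOMAIN + "-1106": "Nursing",
    PROXY_DOMAIN + "-1107": "OldOU",   # group with no counterpart in NT4
}
TARGET_ACCOUNTS = {           # account name -> SID in the production domain
    "jsmith": TARGET_DOMAIN + "-2301",
    "Nursing": TARGET_DOMAIN + "-1042",
}
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def remap_sddl(sddl, proxy_domain=PROXY_DOMAIN,
               proxy_accounts=PROXY_ACCOUNTS, target_accounts=TARGET_ACCOUNTS):
    """Return (new_sddl, unmapped): proxy SIDs swapped by account name.

    SIDs outside the proxy domain and SDDL aliases such as BA are left alone.
    A proxy SID with no same-named target account is kept and reported,
    so the gap is visible instead of silently dropping the ACE.
    """
    unmapped = []

    def swap(match):
        sid = match.group(0)
        if not sid.startswith(proxy_domain + "-"):
            return sid
        new_sid = target_accounts.get(proxy_accounts.get(sid))
        if new_sid is None:
            unmapped.append(sid)
            return sid
        return new_sid

    return SID_RE.sub(swap, sddl), unmapped

def leftover_proxy_sids(sddl, proxy_domain=PROXY_DOMAIN):
    """SIDs in an SDDL string that still belong to the proxy domain."""
    return [s for s in SID_RE.findall(sddl) if s.startswith(proxy_domain + "-")]

# Constructed SDDL: proxy-domain owner, BUILTIN\Administrators, two proxy groups.
SAMPLE = ("O:" + PROXY_DOMAIN + "-1105G:DUD:(A;OICI;FA;;;BA)"
          "(A;OICI;0x1301bf;;;" + PROXY_DOMAIN + "-1106)"
          "(A;;FR;;;" + PROXY_DOMAIN + "-1107)")

if __name__ == "__main__":
    fixed, missing = remap_sddl(SAMPLE)
    print(fixed)
    print("still on proxy domain:", leftover_proxy_sids(fixed), "unmapped:", missing)
```

Any SID reported as unmapped marks an ACE that would show up as an unresolved SID once the proxy domain is retired, so it needs a decision before cutover.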