ACL

Status
Not open for further replies.

purek77

Technical User
Oct 9, 2007
7
EU
Some information about the problem:
- the first server (fs1) is a file server (win2k3), which is backed up daily by Networker/Legato Software (v. 7.3) and is a domain member server,
- one volume on this server (ntfs) is mission critical,
- file server fs1 uses local groups to grant permissions to folders (old NT domain style, when there was no Domain Local group). Domain global groups are nested in the local groups.

Problem:
We want to migrate data from fs1 to another server (fs2) (some kind of virtual lab, which uses ESX and vmware win2k3 member servers), which is also a domain member server. On fs2 there are no local groups such as on fs1 (there can't be - SIDs are kept in the local SAM database). After restoring data to fs2 we have messed up Access Control Lists on all restored folders and files.

Question:
Is there a possibility to turn off ACL restoring for all data?
 
Hi,

I've never heard of a way to turn off the ACL and I'm pretty sure it's not possible. As an admin you can always fix this after the restore has been done and fix the ACL manually. The problem is quite obvious that the local groups on one server won't match the local groups on another server.

If this is a migration, why not use other tools than your backup/restore tool? It sounds like you want to do a copy rather than a restore?!
 
Hi again,

Sure Rif - I used the wrong word - 'migrate'. We need to have another file server in the domain with an exact copy of the fs1 data. Data from file server fs1 is stored by NetWorker on our SAN.

Company standards describe exactly how a win2k3 file server should be organised:
- shared folder at the top level should be associated with three local groups:
-> foldername_localgroupread (read and execute [this folder and subfolders])
-> foldername_localgroupchange (modify [this folder and subfolders] + deny on delete [this folder only])
-> foldername_localgrouplist (like read but this folder only)

Subfolders should be organised the same way. As we can see, when we have a folder tree with 500 directories we have 1500 local groups (list groups are also used to grant share permissions). Each local group has one member - the analogous domain global group. Domain groups read and change are members of the proper list group. Every domain group list is a member of the parent folder domain group list... and so on.

So we have to create 3 local groups and 3 domain groups to create one folder :/

File server fs1 is backed up on a daily basis. I want to use this data and restore it to a 'mirror' file server. Because of company standards, I have to use (stupid) local groups again.

I've run some tests with restoring whole directories and with restoring only files within a directory. For example, if I restore folders and files D:\DATA_A, D:\DATA_B, D:\DATA_C from fs1 to D:\ on fs2, I'll lose the ACL, and this is obvious (local groups are kept in the local SAM database). But if I prepare top-level directories on fs2 (D:\DATA_A, D:\DATA_B, ...) and create proper local groups (with domain global groups as members) and assign them to folders, after restoring files and subfolders from D:\DATA_A (without marking directory DATA_A itself - only what is 'inside'!) to the prepared folder D:\DATA_A on fs2 - everything is almost OK (I have restored permissions at the top level, and so far this is fine).

Question: is it possible with Networker to restore data from a specified folder (I mean again - subfolders and files within this folder, without the folder itself) and to do this in an 'automated way'? Of course I can 'click' the proper subfolder and file checkboxes in the Networker client every morning, but for (around) 150GB of data and (around) 70 directories it's pointless... :)

Yes, yes, yes ... I know ... who uses local groups ... but it's not my fault that the standards are ... weird :)
 
It could be automated, but it would take some sophisticated scripting to handle it. I suspect it would be beyond the capability of a .bat file to perform; I tend to think in ksh.

Is it necessary to use Networker to perform the refresh of the data on fs2? This seems more like a job for a tool like robocopy.
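
The SID mismatch discussed in this thread, as an added example that is not part of any poster's reply: a local group's SID is issued by the server's own SAM, so ACEs restored from fs1 name SIDs that fs2 cannot resolve, even when same-named groups exist there. The script lists such ACEs in an SDDL string (obtainable, for instance, from PowerShell's `(Get-Acl <path>).Sddl`) and rewrites them through a SID map. All SIDs, RIDs and the SDDL string are constructed, and the group names in the comments are hypothetical instances of the `foldername_localgroupread` convention.

```python
import re

DACL_RE = re.compile(r"D:[A-Z_]*((?:\([^()]*\))+)")   # DACL flags, then its ACEs
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")           # account SID: issuer + RID

def dacl_aces(sddl):
    """Return (type, flags, rights, trustee) for every ACE in the DACL."""
    m = DACL_RE.search(sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1) if m else ""):
        f = body.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(f) >= 6:
            aces.append((f[0], f[1], f[2], f[5]))
    return aces

def classify(trustee, domain_sid, target_sid):
    """Say who issued the trustee SID, as seen from the target server."""
    if not trustee.startswith("S-1-5-21-"):
        return "well-known"             # SDDL alias (BA, SY, ...) or builtin SID
    issuer = trustee.rsplit("-", 1)[0]  # strip the trailing RID
    if issuer == domain_sid:
        return "domain"                 # resolves on any member server
    if issuer == target_sid:
        return "local"                  # lives in the target's own SAM
    return "orphaned"                   # issued by some other machine's SAM

def orphaned(sddl, domain_sid, target_sid):
    """ACEs whose trustee the target server cannot resolve."""
    return [a for a in dacl_aces(sddl)
            if classify(a[3], domain_sid, target_sid) == "orphaned"]

def remap(sddl, sid_map):
    """Swap source-server SIDs for the matching target-server group SIDs."""
    return SID_RE.sub(lambda m: sid_map.get(m.group(0), m.group(0)), sddl)

# Constructed values: none of these SIDs come from the thread.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
FS1 = "S-1-5-21-1004336348-1177238915-682003330"
FS2 = "S-1-5-21-4000000001-4000000002-4000000003"
RESTORED = ("O:BAG:DUD:PAI(A;OICI;FA;;;BA)"
            f"(A;OICI;0x1200a9;;;{FS1}-1005)"     # DATA_A_localgroupread on fs1
            f"(A;OICI;0x1301bf;;;{FS1}-1006)"     # DATA_A_localgroupchange on fs1
            f"(A;OICI;0x1200a9;;;{DOMAIN}-513)")
# Same-named groups created by hand on fs2 receive different SIDs.
SID_MAP = {f"{FS1}-1005": f"{FS2}-1010", f"{FS1}-1006": f"{FS2}-1011"}

if __name__ == "__main__":
    print("before:", [a[3] for a in orphaned(RESTORED, DOMAIN, FS2)])
    print("after: ", orphaned(remap(RESTORED, SID_MAP), DOMAIN, FS2))
```

The domain global group ACE needs no remapping because its SID is issued by the domain and resolves on both member servers.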
 