How do I migrate data from a Domain Controller ( DC ) to a member server, then translate permissions (NETIQKB9919)

  • 7709919
  • 02-Feb-2007
  • 22-Jun-2007


How do I migrate data from a Domain Controller ( DC ) to a member server, then translate permissions from source domain local groups to target machine local groups?

Server Consolidator 7.1

Domain Migration Administrator 7.1


When your target domain is in native mode, domain local groups can be used for permissions on member servers.  In this case, the solution would be to use DMA to migrate the domain local groups from the source domain to the target domain.

However, if your target domain is in mixed mode, then domain local groups cannot be used for permissions on member servers.  In mixed mode, consider the following workaround.  This is not a supported scenario because DMA is intended for migration from one domain to another.  Also, Server Consolidator local group migration is intended to be used between two machines that are not domain controllers.  

Step 1:  Use DMA to migrate the domain local groups to machine local groups on the member server as follows:

  1. Open a DMA project.
  2. Select the domain local groups using the Select Objects wizard.
  3. Migrate the groups.  Specify the target domain as \\server02.  Do not select the option to 'Migrate the members of the groups selected' in the migrate groups wizard.

Step 2:  Use Server Consolidator to migrate the data, from \\DC01 to \\server02.  This will copy the ACL's just as they are, meaning only domain local groups will have permissions after this step.

Step 3:  Use DMA to translate security settings on the member server. Run the Translate Security Settings wizard, and select the domain local groups and the member server in the wizard.  Select Files and folders and Shares on the "Translate Objects" screen in the wizard.  Select either Add mode or Replace mode, depending on your objectives.  It is safest to use Add first, check the permissions, then run this step again using the Remove option to remove the source account permissions.

After completing these 3 steps, the ACL's on the member server will reference the machine local groups that you have migrated from the source domain local groups. 

If you have Global Groups in the source Local Groups and you want to maintain the source and the target Global Groups in the target Local Group, adjust this process as follows:

1. Migrate the Local Groups and allow DMA to add the source Global Group during the migration. (Advanced Options)

2. Migrate the Global Group

3. If you are migrating the Global Groups with SID History, then do not proceed to step 4.

4. If you are not migrating with SID History, then translate security on the target Local Group and the target Global Group will be added.


Please contact Technical Support to create a 'Support Request' for any issues you encounter that are not addressed by the User Guide, any Knowledge Base articles found on the website, or current Hotfixes available for download.

Additional Information

Formerly known as NETIQKB9919