So here I was today working on a folder on a server in a foreign forest, trying to duplicate the ACLs of the source forest to the target forest. Both forests contained groups with the same RDNs and SAM account names.
My first choice was the obvious and trusty SUBINACL. So I entered the command below expecting it to start chugging away.
subinacl /subdirectories "x:\foldertochange\*.*" /migratetodomain=source=target
Instead of the nice chug of folders being modified I got an error saying the syntax was wrong. Quick check – Yep, using an elevated prompt. Spelling good – check. Trust between the forests was still going. Switching the command to verbose mode I got a different result:
subinacl /verbose=1 /subdirectories "x:\foldertochange\*.*" /migratetodomain=source=target
1722 Unexpected error NetUserModalsGet on server \\DC-IN-TARGET
Error finding domain name : 1722 The RPC server is unavailable
The fix is simple. On the source data server I opened the HOSTS file and added an entry for the target DC it was trying to talk to. Re-ran the command and 211,000+ objects later everything was golden.
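A pre-flight check for the 1722 failure above, as an added example that is not part of the original post: it reports whether the target DC name has a HOSTS entry, whether it resolves, and whether the server answers on TCP 135 (RPC endpoint mapper) and TCP 445 (SMB). The helper name `Test-TargetDc` is hypothetical, `DC-IN-TARGET` is the server name from the error output, the address in the closing comment is a placeholder, and checking these two ports is an assumption about what the tool needs.

```powershell
# Added example (not from the original post). Test-TargetDc is a hypothetical helper.
function Test-TargetDc {
    param(
        [Parameter(Mandatory)][string]$Name
    )
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

    # 1. Is there already a non-comment HOSTS line that mentions this name?
    $pattern = '\s' + [regex]::Escape($Name) + '(\s|$)'
    $hostsEntry = @(Get-Content -Path $hostsPath |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern })

    # 2. Does the name resolve through the system resolver (HOSTS file and DNS)?
    $addresses = @()
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($Name) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        # A resolution failure here is the condition the HOSTS entry works around.
    }

    # 3. Only if it resolves: are the RPC endpoint mapper and SMB ports reachable?
    #    (Assumption: TCP 135 and TCP 445 are the ports worth checking.)
    $ports = @{}
    foreach ($port in 135, 445) {
        $ports[$port] = $false
        if ($addresses.Count -gt 0) {
            $result = Test-NetConnection -ComputerName $Name -Port $port -WarningAction SilentlyContinue
            $ports[$port] = $result.TcpTestSucceeded
        }
    }

    [pscustomobject]@{
        Name       = $Name
        HostsEntry = ($hostsEntry -join '; ')
        Resolved   = ($addresses -join ', ')
        Tcp135Open = $ports[135]
        Tcp445Open = $ports[445]
    }
}

# Run on the source data server before starting the subinacl job.
Test-TargetDc -Name 'DC-IN-TARGET'

# A HOSTS entry has the form "<IP address> <name>", e.g. (placeholder address):
#   192.0.2.10    DC-IN-TARGET
```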