Robocopy error 1338 (0x0000053A) during file migration from NetApp to Windows Server 2016

I am working on a project to migrate CIFS shares on a NetApp to Windows Server 2016 file servers. To migrate the folder and file structure I use Robocopy with the following command line:

robocopy \\netapp\vol_home$ D:\vol_home /MIR /SEC /SECFIX /R:1 /W:1 /MT:32 /LOG:D:\Migration\Robocopy\vol_home_output.log /NFL /NDL /NP

The migration of the data has so far worked without problems. Today, however, Robocopy displays an error while trying to copy a directory:

2018/02/25 13:47:46 FEHLER 1338 (0x0000053A) NTFS-Sicherheit wird in Zielverzeichnis kopiert D:\vol_home\test\
Die Struktur der Sicherheitsbeschreibung ist unzulässig.

Or in English:

ERROR 1338 (0x0000053A) Copying NTFS Security to Destination Directory D:\vol_home\test\
The security descriptor structure is invalid.

I found the following information about this error online (KB2459083):

“The error is usually caused by the CIFS file server returning invalid security information for a file. For example, if the CIFS file server returns a NULL Security ID (SID) for a file’s Owner, or a file’s Primary Group, when Robocopy tries to copy this information to the destination file, Windows will return error 87 “The parameter is incorrect” or error 1338 “The security descriptor is invalid”. This is by design – file security information in Windows is expected to contain both Owner and Primary Group SIDs.”

The reason for the problem could be that no owner and/or primary group is set in the folder's security descriptor. I can change the owner via the properties in Windows Explorer, so I first tried to set another owner there. The new owner was set, but this did not solve the problem: the same error message still appeared.

Unfortunately, Windows Explorer can only display and set the owner; the primary group is not shown. Fortunately, Windows PowerShell can display the ACL of a folder including its owner and primary group. The Get-Acl cmdlet is used for this purpose:

Get-ACL \\netapp\vol_home$\test

As you can see here, the value for the group is missing:

For comparison, here is a screenshot with the group set correctly:

To set the primary group for the folder, I have written the following PowerShell script:

# Folder on the source share whose security descriptor has no primary group
$folderPath = "\\netapp2a\vol_home$\test"
# German localized name of BUILTIN\Administrators
$primaryGroup = "VORDEFINIERT\Administratoren"
$folder = Get-Item $folderPath
# Show the current owner, group and access rules for reference
Write-Host ("ACL for folder '{0}' before change:" -f $folderPath)
$folderACL = Get-Acl $folderPath
$folderACL | fl
# Create a new, empty security descriptor; only the primary group is set on it below
$newPrimaryGroupACL = New-Object System.Security.AccessControl.DirectorySecurity
$primaryGroup = New-Object System.Security.Principal.NTAccount($primaryGroup)
# Sets the primary group for the security descriptor associated with this ObjectSecurity object
# https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.directorysecurity(v=vs.110).aspx
$newPrimaryGroupACL.SetGroup($primaryGroup)
# Apply the descriptor to the folder
$folder.SetAccessControl($newPrimaryGroupACL)

Subsequently, a new call to the Get-Acl cmdlet returned the following result:

Robocopy then copied the directory without any problems.
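
To find every affected folder before the next Robocopy run instead of fixing them one error at a time, the Get-Acl check above can be run over the whole share. This is an added example, not part of the original post; the function name Find-IncompleteSecurityDescriptor is hypothetical, and it assumes a missing owner or group shows up as an empty value in the Get-Acl output, as described above.

```powershell
# Added example: pre-flight scan for directories whose security descriptor
# has no Owner or no Primary Group (the condition behind Robocopy error 1338).
# Assumption: a missing value appears as an empty Owner/Group in Get-Acl output.
function Find-IncompleteSecurityDescriptor {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Root
    )

    # Check the root folder itself, then every subdirectory below it.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        }
        catch {
            # Report folders whose ACL cannot be read at all; they need a manual look.
            [pscustomobject]@{
                Path    = $dir.FullName
                Owner   = $null
                Group   = $null
                Problem = "Unreadable: $($_.Exception.Message)"
            }
            continue
        }

        $missing = @()
        if ([string]::IsNullOrWhiteSpace($acl.Owner)) { $missing += 'Owner' }
        if ([string]::IsNullOrWhiteSpace($acl.Group)) { $missing += 'Group' }

        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                Path    = $dir.FullName
                Owner   = $acl.Owner
                Group   = $acl.Group
                Problem = 'Missing ' + ($missing -join ', ')
            }
        }
    }
}

# Source share taken from the Robocopy command line in this post.
Find-IncompleteSecurityDescriptor -Root '\\netapp\vol_home$' |
    Format-Table -AutoSize -Wrap
```

Each reported path can then be passed to the script above as $folderPath before Robocopy is started again.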