Conversion to Active Directory
As with any enterprise-scale application in a Windows network, DevOps Code ClearCase® is affected when the network is converted from Windows NT domains to Active Directory domains. These topics explain how this conversion affects DevOps Code ClearCase and how to manage users, groups, hosts, and data during and after the conversion.
Understanding Active Directory
Microsoft provides tools and documentation to facilitate conversion of a Windows network from Windows NT domains to Active Directory. This topic and its subtopics assume you have read the applicable documents from Microsoft and are familiar with the terminology they use and the procedures they describe. In particular, it assumes you have read the Microsoft white paper Planning Migration from Microsoft Windows NT to Microsoft Windows 2000. (It is distributed as part of the Windows 2000 Support Tools and is also available on the Microsoft Web site.) That document and related documents introduce several key concepts (native mode, mixed mode, domain upgrade, domain migration, SID history, and cloning of principals) which are essential to understanding Active Directory.
How Active Directory affects DevOps Code ClearCase
In an Active Directory environment, some details of user and group identity are handled differently than they are in a Windows NT domain environment. Depending on how your Windows NT domain environment is configured, where your DevOps Code ClearCase user and group accounts exist in this domain structure, and how your organization plans to convert Windows NT domains to Active Directory domains, you may need to take steps during and after the conversion to maintain user access to artifacts under DevOps Code ClearCase control.
- In Active Directory, trust relationships between domains are created and maintained differently than they are in Windows NT domains. During and after the conversion to Active Directory, these differences affect DevOps Code ClearCase communities in which users from multiple domains access a common set of VOBs and views.
- Windows Security Identifiers (SIDs) for users and groups can change in some conversion scenarios. Because DevOps Code ClearCase stores SIDs in VOB databases (to represent owners of objects), VOBs must be updated with new SIDs in these scenarios.
In general, sites that have the simplest domain structure (all DevOps Code ClearCase users and hosts in a single domain) encounter very few problems during the conversion process. Sites with more complex domain structures (users from multiple domains accessing a common set of VOBs and views) can benefit from the improved interdomain security features of Active Directory after they modify some existing user and group account information.
Planning your Active Directory upgrade or migration strategy
- An upgrade (often referred to as an in-place upgrade), in which a Windows NT domain controller is converted to an Active Directory domain controller operating in mixed or native mode. After an upgrade, all users, groups, and resources have the same SIDs as they had in their original Windows NT domain.
- A migration, in which user, group, and resource accounts migrate (using a process referred to as cloning) from a Windows NT domain to an Active Directory domain. After a migration is complete, all users, groups, and resources have new SIDs. Because a native mode Active Directory maintains information about each principal's current and former SIDs (which Microsoft refers to as the principal's SID history), both types of domains can be used together for as long as needed.
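The difference between the two conversion types, and the reason stored owner SIDs need updating after a migration, can be seen in the following added example (not part of the original documentation or of DevOps Code ClearCase). It assumes you have exported directory accounts as records carrying the Active Directory attributes objectSid and sIDHistory, and have a list of owner SIDs taken from your VOBs. The function names and all SIDs are constructed for illustration.

```python
import re

# Domain account SID: S-1-5-21-<three domain sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

def split_sid(sid):
    """Split a domain account SID into (domain SID, RID)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def classify(stored_sids, accounts):
    """Map each stored owner SID to (status, SID to use after conversion)."""
    current = {a["objectSid"]: a for a in accounts}
    # Former SID -> account that carries it in its SID history.
    former = {old: a for a in accounts for old in a.get("sIDHistory", [])}
    report = {}
    for sid in stored_sids:
        split_sid(sid)  # reject malformed input early
        if sid in current:
            report[sid] = ("unchanged", sid)       # in-place upgrade case
        elif sid in former:
            report[sid] = ("remap", former[sid]["objectSid"])  # migration case
        else:
            report[sid] = ("unresolved", None)     # no matching account
    return report

# Constructed sample data (not real SIDs).
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"
ACCOUNTS = [
    # Cloned into the Active Directory domain: new SID, old one in SID history.
    {"name": "alice", "objectSid": NEW_DOMAIN + "-2105",
     "sIDHistory": [OLD_DOMAIN + "-1001"]},
    # Domain upgraded in place: same SID as before, no SID history.
    {"name": "bob", "objectSid": OLD_DOMAIN + "-1002", "sIDHistory": []},
]
STORED_OWNER_SIDS = [OLD_DOMAIN + "-1001", OLD_DOMAIN + "-1002", OLD_DOMAIN + "-1003"]

if __name__ == "__main__":
    for sid, (status, new_sid) in classify(STORED_OWNER_SIDS, ACCOUNTS).items():
        print(f"{sid}  {status:10}  {new_sid or '-'}")
```

Entries reported as "remap" are the owner SIDs that would need updating in the VOB after a migration; "unresolved" entries have no matching account in the export and need manual review.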
A knowledgeable DevOps Code ClearCase administrator who has reviewed this chapter and the applicable documents from Microsoft, and who understands the impact of various conversion or migration strategies on DevOps Code ClearCase, should review (and if possible help plan) your organization's conversion from Windows NT domains to Active Directory.