Using -delete_groups with replicas that preserve identities and permissions
About this task
HCL VersionVault MultiSite customers who use identity-preserving and permissions-preserving replicas (created with mkreplica -preserve) must take several additional steps when they migrate those replicas’ hosts from Windows NT® domains to Active Directory.
Because the changes in SIDs made by vob_sidwalk are not propagated by replication, you must run vob_sidwalk on each identity-preserving and permissions-preserving replica in a replica family when the server that hosts the replica is migrated to Active Directory. When run on such a replica, vob_sidwalk preserves the original SIDs on the VOB’s group list, so that operations that require container creation continue to succeed whether or not all such replicas in a family have been updated. After all such members of a replica family are updated, the administrator must run vob_sidwalk again, using the -delete_groups option to remove these historical group SIDs.
Removing the historical SIDs is necessary because a VOB has a limit of 32 groups on its group list. Keeping unused historical SIDs on the list may cause the list to overflow as new groups are added.
Note: This procedure assumes that you have migrated user and group accounts for all users of all replicas to Active Directory and that all users have set their CLEARCASE_PRIMARY_GROUP environment variable to the name of the HCL VersionVault users group in the Active Directory domain.
Procedure
1. Synchronize all replicas in the family to ensure that each replica includes the same set of user and group SIDs.
2. Follow the procedure in Migrating individual hosts to migrate hosts. All identity-preserving and permissions-preserving replicas in a family must be processed using the same vob_sidwalk options. If the -map option is used, you can save time by generating one mapping file and using it on all identity-preserving and permissions-preserving replicas in a family.
3. After the replica has been synchronized again with other replicas whose SIDs have been updated, as described in Step 2 of this procedure, run this command:
   vob_sidwalk -sid_history vob-tag SIDfile-path
   Examine the resulting SID file to see whether any new SID mappings are needed (because new user or group identities have been added to the replica). If new SID mappings are required, run vob_sidwalk again using the options you used in Step 2.
4. After all identity-preserving and permissions-preserving replicas have been updated (Step ) and the SID file generated (Step 3) shows that no new SID mappings are needed, run vob_sidwalk -execute -delete_groups on each replica. This command deletes historical group SIDs from the VOB’s group list.