Migrating users and groups
Begin by migrating users and groups from the Windows NT domains in which they were created to new Active Directory domains.
About this task
Procedure
-
Use the procedures defined by Microsoft to migrate users and groups from the Windows NT
domains to the Active Directory domains.
Include the HCL VersionVault users group and, if they exist, the HCL VersionVault administrators group and versionvault_albd account in the migration.
- Ensure uninterrupted VOB access.
In many migration scenarios, there is a period when users logged on to the Active Directory domain access the same VOBs as users logged on to a Windows NT domain. To ensure access to VOBs by users in either type of domain, do one of the following:
- Add the domain-qualified name of the HCL
VersionVault users
group that has been migrated to the Active Directory domain to the
VOB's supplemental group list. For example, you can use the cleartool protectvob command
as shown here to add the clearusers group in the Active Directory
domain AD-DOMAIN to the group list of the VOB with storage on the
VOB server host at C:\vobstg\srcs.vbs:
cleartool protectvob –add_group AD-DOMAIN\clearusers C:\vobstg\srcs.vbs
- Ask users who are logged on to an Active Directory domain to set their CLEARCASE_PRIMARY_GROUP environment variable to
the string representation of the SID of the HCL
VersionVault users group in the Windows NT
domain. To find the SID string, run the creds command on a computer that is
a member of the Windows NT domain or a domain that trusts the Windows NT domain. For example:
versionvault-home-dir\etc\utils\creds –g NT-DOMAIN\clearusers. . .
In this case, the user must set CLEARCASE_PRIMARY_GROUP to the value
VersionVault group info:
Name: NT-DOMAIN\clearusers
GID: 0x100423 SID credentials S-1-5-21-103034363-981818062-1465874335-1064S-1-5-21-103034363-981818062-1465874335-1064
- Add the domain-qualified name of the HCL
VersionVault users
group that has been migrated to the Active Directory domain to the
VOB's supplemental group list. For example, you can use the cleartool protectvob command
as shown here to add the clearusers group in the Active Directory
domain AD-DOMAIN to the group list of the VOB with storage on the
VOB server host at C:\vobstg\srcs.vbs:
-
Adjust CLEARCASE_GROUPS environment
variables as needed.
Because migrated accounts include SID history, user accounts in the Active Directory domain include twice as many group memberships as they had in the Windows NT domain. (Each user's group list includes groups from both domains.) Users who are members of multiple groups in a Windows NT domain and find that their group list includes more than 32 groups after migration should set the CLEARCASE_GROUPS environment variable to include the SID string that represents the HCL VersionVault users group in the Windows NT domain, and the name of the HCL VersionVault users group in the Active Directory domain. For example:
CLEARCASE_GROUPS=AD-DOMAIN\clearusers;S-1-5-21-103034363-981818062-1465874335-1064
Step 2 explains how to use creds to obtain the SID string. For more information about the CLEARCASE_GROUPS environment variable, see Limitations when a user belongs to more than 32 groups.