Migrating users and groups
Begin by migrating users and groups from the Windows NT® domains in which they were created to new Active Directory domains.
About this task
Procedure
-
Use the procedures defined by Microsoft to migrate users and groups from the Windows
NT® domains to the Active Directory domains.
Include the HCL VersionVault users group and, if they exist, the HCL VersionVault administrators group and versionvault_albd account in the migration.
- Ensure uninterrupted VOB access.
In many migration scenarios, there is a period when users logged on to the Active Directory domain access the same VOBs as users logged on to a Windows NT® domain. To ensure access to VOBs by users in either type of domain, do one of the following:
- Add the domain-qualified name of the HCL
VersionVault users
group that has been migrated to the Active Directory domain to the
VOB's supplemental group list. For example, you can use the cleartool protectvob command
as shown here to add the clearusers group in the Active Directory
domain AD-DOMAIN to the group list of the VOB with storage on the
VOB server host at C:\vobstg\srcs.vbs:
cleartool protectvob –add_group AD-DOMAIN\clearusers C:\vobstg\srcs.vbs
- Ask users who are logged on to an Active Directory domain to set their CLEARCASE_PRIMARY_GROUP environment variable to the
string representation of the SID of the HCL
VersionVault users group in the Windows NT® domain. To find
the SID string, run the creds command on a computer that is a member of the Windows
NT® domain or a domain that trusts the Windows NT® domain. For example:
versionvault-home-dir\etc\utils\creds –g NT-DOMAIN\clearusers. . .
In this case, the user must set CLEARCASE_PRIMARY_GROUP to the value
VersionVault group info:
Name: NT-DOMAIN\clearusers
GID: 0x100423 SID credentials S-1-5-21-103034363-981818062-1465874335-1064S-1-5-21-103034363-981818062-1465874335-1064
- Add the domain-qualified name of the HCL
VersionVault users
group that has been migrated to the Active Directory domain to the
VOB's supplemental group list. For example, you can use the cleartool protectvob command
as shown here to add the clearusers group in the Active Directory
domain AD-DOMAIN to the group list of the VOB with storage on the
VOB server host at C:\vobstg\srcs.vbs:
-
Adjust CLEARCASE_GROUPS environment
variables as needed.
Because migrated accounts include SID history, user accounts in the Active Directory domain include twice as many group memberships as they had in the Windows NT® domain. (Each user's group list includes groups from both domains.) Users who are members of multiple groups in a Windows NT® domain and find that their group list includes more than 32 groups after migration should set the CLEARCASE_GROUPS environment variable to include the SID string that represents the HCL VersionVault users group in the Windows NT® domain, and the name of the HCL VersionVault users group in the Active Directory domain. For example:
CLEARCASE_GROUPS=AD-DOMAIN\clearusers;S-1-5-21-103034363-981818062-1465874335-1064Step 2 explains how to use creds to obtain the SID string. For more information about the CLEARCASE_GROUPS environment variable, see Limitations when a user belongs to more than 32 groups.