Like any enterprise-scale application in a Windows network, ClearCase LT is affected when the network is converted from Windows NT domains to Active Directory domains. This section and the following sections describe how this conversion affects ClearCase LT, and how to manage ClearCase LT users, groups, hosts, and data during and after the conversion.
NOTE: If you are using ClearCase LT in an environment that is already running Active Directory, these sections do not apply to you.
Microsoft provides tools and documentation to facilitate conversion of a Windows network from Windows NT domains to Active Directory. In this section, we assume you have read the applicable documents from Microsoft and are familiar with the terminology they use and the procedures they describe. In particular, we assume you have read the Microsoft white paper entitled Planning Migration from Microsoft Windows NT to Microsoft Windows 2000. (It is distributed as part of the Windows 2000 Support Tools and is also available on Microsoft's Web site.) That document and related documents introduce several key concepts (including native mode, mixed mode, domain upgrade, domain migration, SID history, and cloning of principals) that we use throughout this chapter.
In an Active Directory environment, some details of user and group identity are handled differently than they are in a Windows NT domain environment. Depending on how your Windows NT domain environment is configured, where your ClearCase user and group accounts exist in this domain structure, and how your organization plans to convert Windows NT domains to Active Directory domains, you may need to take steps during and after the conversion process to maintain user access to artifacts under ClearCase control.
Conversion to Active Directory affects ClearCase LT in several ways:
In Active Directory, trust relationships between domains are created and maintained differently than they are in Windows NT domains. During and after the conversion to Active Directory, these differences will affect ClearCase LT communities in which users from multiple domains access a common set of VOBs and views.
Windows Security Identifiers (SIDs) for users and groups can change in some conversion scenarios. Because ClearCase stores SIDs in VOB databases (to represent owners of objects), VOBs must be updated with new SIDs in these scenarios.
In general, sites that have the simplest domain structure (all ClearCase LT users and hosts in a single domain) will encounter very few problems during the conversion process. Sites with more complex domain structures (users from multiple domains accessing a common set of VOBs and views) can benefit from Active Directory's improved interdomain security features after they modify some existing user and group account information.
Microsoft provides tools and documentation to facilitate conversion of domains from Windows NT to Active Directory. The conversion can take one of two forms:
An upgrade (often referred to as an in-place upgrade), in which a Windows NT domain controller is converted to an Active Directory domain controller operating in mixed or native mode. After an upgrade, all users, groups, and resources have the same SIDs as they had in their original Windows NT domain.
A migration, in which user, group, and resource accounts migrate (using a process referred to as cloning) from a Windows NT domain to an Active Directory domain. After a migration is complete, all users, groups, and resources have new SIDs. Because a native mode Active Directory maintains information about each principal's current and former SIDs (referred to by Microsoft as the principal's SID history), both types of domains can be used together for as long as needed.
We recommend that a knowledgeable ClearCase administrator who has reviewed this chapter and applicable documents from Microsoft, and who understands the impact of various conversion or migration strategies on ClearCase, be familiar with (and if possible help plan) your organization's conversion from Windows NT domains to Active Directory.
CAUTION: Microsoft supplies tools for converting the SIDs stored in NTFS ACLs. Never use these tools (or any tools that change native file system protection information) on a VOB or view storage directory. Only ClearCase utilities should be used to convert SIDs in VOB or view storage directories. See Migrating Multiple Domains for details.
Before you begin the conversion process, your ClearCase LT hosts must be configured for use in an Active Directory environment.
All ClearCase LT hosts must be running ClearCase LT version 5.0 or later.
NOTE: Hosts running earlier releases of ClearCase LT can be converted to Active Directory, although various restrictions apply. For more information, see the ClearCase customer site at www.rational.com. This chapter does not apply to hosts running earlier releases.
All VOBs on Windows hosts must be at schema version 54. Schema version 54 stores Windows user and group identity information in SID form to better support Active Directory's improved handling of user and group authentication.
All views must be reformatted. A view is reformatted automatically the first time it is started after ClearCase LT version 5.0 has been installed on the view host. You can also reformat a view manually using the reformatview command.
The user environment variable CLEARCASE_PRIMARY_GROUP must be defined for all users. We recommend that the value of this variable be a domain-qualified group name of the form DOMAIN_NAME\group_name.
Verify that all ClearCase LT hosts have been configured as described in this section and that ClearCase LT is operating normally for all users and hosts before you proceed with the conversion to Active Directory.
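The following PowerShell script is an added example, not part of the ClearCase LT documentation or tooling. It checks that the user variable CLEARCASE_PRIMARY_GROUP is defined in the DOMAIN_NAME\group_name form, resolves the group to its SID, and compares that SID with one recorded on an earlier run, so the same script shows after the conversion whether the SID was preserved (upgrade) or replaced (migration). The function name and the snapshot file location are assumptions made for the example.

```powershell
# Added example: per-user check of CLEARCASE_PRIMARY_GROUP, run once before
# and once after the domain conversion in the user's own session.
param(
    # Hypothetical location for the recorded SID; any per-user path works.
    [string]$SnapshotPath = "$env:USERPROFILE\cc_primary_group_sid.txt"
)

function Test-ClearCasePrimaryGroup {
    # Read the *user* environment variable, which is what the prerequisite names.
    $value = [Environment]::GetEnvironmentVariable('CLEARCASE_PRIMARY_GROUP', 'User')
    if ([string]::IsNullOrWhiteSpace($value)) {
        return [pscustomobject]@{ Status = 'Missing'; Group = $null; Sid = $null }
    }
    # Recommended form: DOMAIN_NAME\group_name (one backslash, both parts non-empty).
    if ($value -notmatch '^[^\\]+\\[^\\]+$') {
        return [pscustomobject]@{ Status = 'NotDomainQualified'; Group = $value; Sid = $null }
    }
    try {
        # Ask Windows to translate the account name into its current SID.
        $account = New-Object System.Security.Principal.NTAccount($value)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        # The name is well formed but no domain could map it to a principal.
        return [pscustomobject]@{ Status = 'Unresolvable'; Group = $value; Sid = $null }
    }
    return [pscustomobject]@{ Status = 'OK'; Group = $value; Sid = $sid }
}

$result = Test-ClearCasePrimaryGroup
if ($result.Status -eq 'OK') {
    if (Test-Path $SnapshotPath) {
        # Second run: compare against the SID recorded before the conversion.
        $before = (Get-Content -Path $SnapshotPath -TotalCount 1).Trim()
        if ($before -eq $result.Sid) {
            Write-Output "SID unchanged ($before): consistent with an in-place upgrade."
        } else {
            Write-Output "SID changed ($before -> $($result.Sid)): consistent with a migration; VOBs that store the old SID must be updated with ClearCase utilities."
        }
    } else {
        # First run: record the pre-conversion SID for later comparison.
        Set-Content -Path $SnapshotPath -Value $result.Sid
        Write-Output "Recorded SID $($result.Sid) for $($result.Group)."
    }
}
$result
```

A status other than OK before the conversion means the host is not yet configured as this section requires.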
Copyright © 2001 by Rational Software Corporation. All rights reserved.