Examples of Migrating Users Gradually
An organization with an existing NIS environment wants to do authentication with Active Directory and keep standard NIS maps and custom maps used by an in-house application on NIS, but wants to migrate the users over time to Active Directory. This approach is similar to the previous example. The DirectControl Agent is installed on the NIS clients for authentication to Active Directory, but the users are not placed in the DirectControl Zone so that they can continue to use NIS authentication if they have not been migrated to Active Directory. The following steps can be performed:
- Create a DirectControl Zone in Active Directory with the same name as the NIS domain.
- Install the DirectControl Agent on all the NIS client machines. This can be done before any users are migrated to Active Directory for the machines they use.
- Join each NIS client machine to the Active Directory domain and add it to the DirectControl Zone. The NSS switch should be configured something like this:
    passwd: centrifydc files nis
    passwd: compat   (if +/- is used)
    passwd_compat: centrifydc files nis
  At this point, all users are still authenticating against the existing NIS servers since no users have been added to the zone.
- Import all the users and groups into Active Directory using the DirectControl Administrator Console, but leave them in a "pending" state. This means a user or group is not in the DirectControl Zone until they are accepted. As soon as a user is accepted into the Zone, they will immediately begin authenticating using their Active Directory credentials. The groups should not be added until all the NIS users have been enabled in the Zone. The group membership and other maps will continue to be served by NIS until the user migration is complete.
- Add all of the groups to the DirectControl Zone using the DirectControl Administrator Console.
- Import all NIS maps into Active Directory using the DirectControl Administrator Console.
- Install the DirectControl Agent on the NIS servers.
- Join the NIS servers to the Active Directory domain and add them to the DirectControl Zone.
- Schedule down time, and stop the legacy NIS servers.
- Install and start the DirectControl Network Information Service (adnisd) on the NIS servers.
- Modify the NSS switch to remove nis from the passwd and group lines.
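The NSS switch settings in this procedure differ between the migration phase (centrifydc listed ahead of nis) and the final state (nis removed from the passwd and group lines). As an added example, not taken from the original document or from Centrify, the shell functions below report which state a host's nsswitch.conf is in. The function names and state labels are illustrative, and the group line in the sample is assumed to mirror the passwd line.

```shell
#!/bin/sh
# Added example: classify nsswitch.conf against the migration phases above.
# Function names and state labels are illustrative, not Centrify terminology.

# Print the space-separated sources of one database line ("passwd: a b c").
nss_line() {  # usage: nss_line FILE DB
    sed 's/#.*//' "$1" |
        awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# "passwd: compat" defers to passwd_compat, so report that line instead.
nss_sources() {  # usage: nss_sources FILE DB
    src=$(nss_line "$1" "$2")
    case " $src " in
        *" compat "*) src=$(nss_line "$1" "${2}_compat") ;;
    esac
    printf '%s\n' "$src"
}

# Subshell body: keeps variables local and disables globbing so bracketed
# action items such as [NOTFOUND=return] are treated as plain words.
nss_state() (  # usage: nss_state FILE DB
    set -f
    pos=0 dc=0 nis=0
    for s in $(nss_sources "$1" "$2"); do
        pos=$((pos + 1))
        case "$s" in
            centrifydc) if [ "$dc" -eq 0 ]; then dc=$pos; fi ;;
            nis)        if [ "$nis" -eq 0 ]; then nis=$pos; fi ;;
        esac
    done
    if   [ "$dc" -eq 0 ] && [ "$nis" -eq 0 ]; then echo neither
    elif [ "$dc" -eq 0 ];      then echo legacy-nis  # agent not in the lookup path
    elif [ "$nis" -eq 0 ];     then echo ad-only     # final state, nis removed
    elif [ "$dc" -lt "$nis" ]; then echo migrating   # centrifydc consulted first
    else echo misordered                             # nis answers before centrifydc
    fi
)

# Constructed sample using the compat form; the group line is an assumption
# (the page only shows passwd lines).
sample=$(mktemp)
printf '%s\n' 'passwd: compat' 'passwd_compat: centrifydc files nis' \
    'group: centrifydc files nis' > "$sample"
echo "passwd=$(nss_state "$sample" passwd) group=$(nss_state "$sample" group)"
rm -f "$sample"
```

Run `nss_state /etc/nsswitch.conf passwd` on each client during the migration; a `misordered` or `legacy-nis` result on a machine whose users have been accepted into the Zone means lookups are still answered by NIS first.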
Users will use their Active Directory credentials to authenticate to Active Directory and have their account managed by Active Directory if they were migrated, but get maps from the legacy NIS server via normal NIS requests. All other users will continue to use their NIS credentials to log in and get maps from the legacy NIS server using normal NIS requests.
During the user migration, it is also a good idea to change the password prompt using DirectControl's Group Policy feature (which extends Active Directory Group Policy to non-Microsoft systems) so that users know which machines require their Active Directory password and which require their NIS password.
After all of the users are migrated to Active Directory:
All users will use their Active Directory credentials to authenticate to Active Directory, but get maps from the DirectControl Network Information Service using normal NIS requests. All user accounts, group membership, and map entries are managed in Active Directory.

Example of Complete Removal of NIS from the Enterprise