Examples of Migrating NIS Clients Gradually to AD
An organization with an existing NIS environment wants to do authentication with Active Directory and keep standard NIS maps and custom maps used by an in-house application on NIS, but wants to migrate the users over time to Active Directory. This approach is similar to the previous example. The DirectControl Agent is installed on the NIS clients for authentication to Active Directory, but the users are not placed in the DirectControl Zone so that they can continue to use NIS authentication if they have not been migrated to Active Directory. The following steps can be performed:
- Create a Centrify Zone in Active Directory.
- Define the NIS domain name within the Zone Properties for the NIS domain that you are migrating.
- Install the Centrify Agent on all the NIS client machines. This can be done before any of the users of those machines are migrated to Active Directory.
- Join each NIS client machine to the Active Directory domain and add it to the Centrify Zone. NSS switch should be configured something like this:

passwd: centrifydc files nis

or, if +/- entries are used in the local files:

passwd: compat
passwd_compat: centrifydc files nis

At this point, all users are still authenticating against the existing NIS servers, since no users have been added to the Zone.

- Import all the users and groups into Active Directory using the Centrify Access Manager Console, but leave them in a "pending" state. This means a user or group is not in the Centrify Zone until they are accepted. As soon as a user is accepted into the Zone, they will immediately begin authenticating using their Active Directory credentials. The groups should not be added until all the NIS users have been enabled in the Zone. The group membership and other maps will continue to be served by NIS until the user migration is complete.

Users who have been migrated will use their Active Directory credentials to authenticate to Active Directory and have their account managed by Active Directory, but still get maps from the legacy NIS server via normal NIS requests. All other users will continue to use their NIS credentials to log in and get maps from the legacy NIS server using normal NIS requests.

During the user migration, it is also a good idea to change the password prompt using DirectControl's Group Policy feature (which extends Active Directory Group Policy to non-Microsoft systems) so that users know which machines require their Active Directory password and which require their NIS password.

After all of the users are migrated to Active Directory:

- Add all of the groups to the DirectControl Zone using the Centrify Access Manager Console.
- Import all NIS maps into Active Directory using the Centrify Access Manager Console.
- Install the DirectControl Agent on the NIS servers.
- Join the NIS servers to the Active Directory domain and add them to the DirectControl Zone.
- Schedule down time, and stop the legacy NIS servers.
- Install and start the Centrify NIS Server daemon (adnisd) on the NIS servers.
- Modify NSS switch to remove nis from the passwd and group lines.
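A small check for the two NSS switch states this procedure moves through (nis still listed after centrifydc and files while users are pending, nis removed at the end), including the compat form used when /etc/passwd carries +/- entries. This is an added example, not Centrify's own tooling; the nsswitch.conf contents it parses are constructed.

```python
"""Classify each passwd/group line of an nsswitch.conf as the migration
expects: 'centrifydc files nis' while users are still pending in NIS,
'centrifydc files' once nis has been removed (the final step above).
Added example, not Centrify tooling; the configs below are constructed."""
import re

DATABASES = ("passwd", "group")

def parse_nsswitch(text):
    """Return {database: [sources]}; comments and action brackets are dropped."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        sources = re.sub(r"\[[^\]]*\]", " ", sources)  # e.g. [NOTFOUND=return]
        entries[db.strip()] = sources.split()
    return entries

def effective_sources(entries, db):
    """Expand 'compat' via the <db>_compat line (the +/- form mentioned above)."""
    sources = list(entries.get(db, []))
    if "compat" in sources:
        i = sources.index("compat")
        sources[i:i + 1] = entries.get(db + "_compat", [])
    return sources

def migration_stage(text):
    """Map each database to 'pre-migration', 'post-migration' or 'misconfigured'.
    centrifydc must come first so accepted Zone users resolve from AD, not NIS."""
    stages = {}
    for db in DATABASES:
        sources = effective_sources(parse_nsswitch(text), db)
        if sources == ["centrifydc", "files", "nis"]:
            stages[db] = "pre-migration"
        elif sources == ["centrifydc", "files"]:
            stages[db] = "post-migration"
        else:
            stages[db] = "misconfigured"
    return stages

# Constructed sample files for the states the procedure passes through.
DURING_MIGRATION = "passwd: centrifydc files nis\ngroup:  centrifydc files nis\n"
COMPAT_FORM = ("passwd: compat\npasswd_compat: centrifydc files nis\n"
               "group: compat\ngroup_compat: centrifydc files nis\n")
AFTER_MIGRATION = "passwd: centrifydc files\ngroup: centrifydc files # nis removed\n"
```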
All users will now use their Active Directory credentials to authenticate to Active Directory and get NIS maps from the Centrify Agent. All user accounts, group membership, and map entries are managed in Active Directory. The Centrify NIS Server can still serve any other clients, such as NAS appliances, that cannot be joined to Active Directory; otherwise you can retire the NIS servers completely.

Example of Complete Removal of NIS from the Enterprise