Some considerations for changing user source from eDirectory to Active Directory

  • 7017934
  • 09-Aug-2016
  • 21-Jan-2021

Environment

Novell ZENworks Configuration Management 11.4

Situation

When a mature zone needs to change its user source from eDirectory to Active Directory, there are many details involved and disruption must be kept to a minimum.  This is not officially supported via any process or explicit functionality, and different setups may have different needs or requirements.  The list below is not exhaustive, just a starting point for things to consider before making the change.

NOTE:  Changing user source can cause agents to fail login and fail to receive user assignments!

Resolution

  • Confirm all steps in a lab environment before moving to production.  Allow adequate time in the plan to cover all aspects of the move (it can take weeks to complete).
  • DefaultRealm:  This sets the default user source for new users logging in to the device.  While the old and new user sources are both in the zone, this can be set to the old user source and changed later when the transition is made.  Leave it set to the original user source until all assignments have been migrated to the new user source and all testing against the new user source has been completed.  Users who have previously logged in to the device will continue to log in to the user source cached under HKEY_LOCAL_MACHINE\SOFTWARE\Novell\ZCM\ZenLgn\History\CachedUserZenNames, regardless of DefaultRealm.
  • EnableSeamlessLogin:  Enabled.  This allows all user sources in the zone to be searched when a user logs in.
  • ReadCachedDN:  Disabled.  This disables use of the fully qualified LDAP DN of the user stored in the registry for the bind; every login searches for the user before the LDAP bind.  Disabling this is recommended for Active Directory user sources.

    Only after the registry values above are in place on all managed devices should the steps below be taken.  Failing to do so will result in users not properly receiving their assignments, which from the end user's perspective is a system outage.

  • Add the new user source to the zone so that there are now old and new both active in the zone.
  • Ensure that agents see both user sources after refresh.  ZICON login drop down should show both.
  • Ensure that passive mode login works properly using registry keys above.
  • Create redundant Administrators based on the new user source, matching the rights etc. of those based on the old user source.  If Groups and OUs vary between the user sources, the rights assigned in the new user source need to be customized to account for these differences.  Once the new Administrators have been confirmed to log in to ZCC with the expected rights, remove the old Administrators that point to the old user source.
  • Go through all existing assignments to Users, User Containers and User Groups and create redundant matching assignments to the new user source Users, User Containers and User Groups for bundles, policies etc.  If Groups and OUs vary between the user sources, the assignments in the new user source need to be customized to account for these differences.
  • Create redundant blocked assignments if any were blocked on the old user source users.
  • Ensure adequate time for all devices to have refreshed to see all of the changes in the zone so far.
  • Before removing the old user source, change DefaultRealm on a set of test devices so that login now uses the new user source.  At this point testing against the new user source can commence.
  • Test adequately to ensure logins are working and that the new assignments are seen before beginning a phased roll-out of the DefaultRealm change to the entire zone.
  • Test also with a user who is not in the old user source.
  • Test a bundle assigned ONLY to an AD user group to confirm that users see assignments made to the new user source.
  • Since the assignment migration is a manual process, some assignments are likely to be missed; ensure help desk staff know how to compare and correct differences in assignments.
  • Once all of the registry settings have been rolled out to all devices, the migration should be complete.  Monitor the LDAP servers of the old user source to see whether ZCM user logins are still taking place against it.
  • Only after no logins to the old user source have occurred for an extended period of time, long enough that nearly all staff, including those on leave or travel, have logged in to ZCM using the new user source, should removing the old user source from ZCC be considered.
  • If workstations are not moving into or out of a domain, we do not expect "run once per user" bundles to run again, but strongly recommend testing to confirm.  Where workstations move from DLU (Dynamic Local User) accounts into the domain, the local user SID changes and "install once per user" bundles may reinstall.
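The registry staging described above (EnableSeamlessLogin on, ReadCachedDN off, DefaultRealm set to the old user source first and to the new one at cut-over) is the one part of this procedure that is pushed to every managed device, so it is worth scripting and verifying rather than setting by hand.  The following PowerShell script is an added example and is not part of this TID or of the ZENworks agent.  It assumes the three values live directly under HKLM\SOFTWARE\Novell\ZCM\ZenLgn (the TID names the values but not their key path), that DefaultRealm is a string and the two switches are DWORDs, and that the user-source name passed in is a placeholder.  The format of the entries under History\CachedUserZenNames is not documented in the TID, so the script lists them raw for review instead of interpreting them.

```powershell
# Added example, not from the TID: stage the ZenLgn registry values on a managed
# device and report cached logon entries that will override DefaultRealm.
# Run elevated; use -WhatIf to see what would change without touching the registry.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Name of the user source to use for first-time logins, e.g. 'OLDTREE' during
    # staging and 'NEWDOMAIN' at cut-over (placeholder names, an assumption).
    [Parameter(Mandatory)][string]$DefaultRealm,

    # Assumed key path for the login values; adjust if your agent differs.
    [string]$ZenLgnKey = 'HKLM:\SOFTWARE\Novell\ZCM\ZenLgn'
)

$cacheKey = Join-Path $ZenLgnKey 'History\CachedUserZenNames'

if (-not (Test-Path -Path $ZenLgnKey)) {
    throw "ZENworks login key $ZenLgnKey not found; is the agent installed on this device?"
}

# Prerequisite switches from the TID: search all user sources, never bind with the cached DN.
$desiredDwords = @{
    EnableSeamlessLogin = 1
    ReadCachedDN        = 0
}

foreach ($name in $desiredDwords.Keys) {
    $current = (Get-ItemProperty -Path $ZenLgnKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $desiredDwords[$name]) {
        if ($PSCmdlet.ShouldProcess("$ZenLgnKey\$name", "set to $($desiredDwords[$name]) (was '$current')")) {
            Set-ItemProperty -Path $ZenLgnKey -Name $name -Value $desiredDwords[$name] -Type DWord
        }
    }
}

# DefaultRealm only affects users with no cached logon entry on this device.
$currentRealm = (Get-ItemProperty -Path $ZenLgnKey -Name DefaultRealm -ErrorAction SilentlyContinue).DefaultRealm
if ($currentRealm -ne $DefaultRealm) {
    if ($PSCmdlet.ShouldProcess("$ZenLgnKey\DefaultRealm", "set to '$DefaultRealm' (was '$currentRealm')")) {
        Set-ItemProperty -Path $ZenLgnKey -Name DefaultRealm -Value $DefaultRealm -Type String
    }
}

# Cached logon history overrides DefaultRealm for users who have logged in before,
# so surface every cached entry for review.  GetValueNames() is used instead of
# Get-ItemProperty so the PSPath/PSParentPath metadata properties are not mistaken
# for cached users.
if (Test-Path -Path $cacheKey) {
    $cache = Get-Item -Path $cacheKey
    foreach ($valueName in $cache.GetValueNames()) {
        Write-Warning ("Cached logon entry '{0}' = '{1}' will override DefaultRealm '{2}' for that user" -f
            $valueName, $cache.GetValue($valueName), $DefaultRealm)
    }
} else {
    Write-Verbose "No cached logon history at $cacheKey; DefaultRealm applies to all users."
}

# Final state, useful as the output of a ZCM bundle or a remote management check.
Get-ItemProperty -Path $ZenLgnKey |
    Select-Object DefaultRealm, EnableSeamlessLogin, ReadCachedDN
```

During staging run it with the old user source as DefaultRealm and confirm, device by device, that the output shows EnableSeamlessLogin 1 and ReadCachedDN 0 before the new user source is added to the zone; at cut-over run it again on the test devices with the new user source name, and treat any warnings about cached entries as users who will keep logging in to the old user source until that history is dealt with.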

Additional Information

Note: Cached logon values stored under HKEY_LOCAL_MACHINE\SOFTWARE\Novell\ZCM\ZenLgn\History\CachedUserZenNames will OVERRIDE the "DefaultRealm" value for users who have previously logged in to the device.

Getting information about existing user assignments may be difficult.  The query below, run against the ZENworks database, may help identify which objects in the zone have user assignments and which user, group or container each assignment is made to:

SELECT z.Name          AS ObjectName,
       z.Path          AS ObjectPath,
       z.ZUID          AS ObjectUID,
       z.PrimaryType,
       z.SubType,
       zo.Name         AS ConsumerName,
       zo.PrimaryType  AS ConsumerType,
       a.Type          AS AssignmentType
FROM   zZENObject z
       INNER JOIN zAssignment a  ON z.ZUID  = a.ContentUID
       INNER JOIN zZENObject  zo ON zo.ZUID = a.ConsumerUID
WHERE  a.Type LIKE '%Users%'