Adding another domain

Contributor II
Posts: 80
Registered: ‎03-14-2012
#1 of 13 4,826
Accepted Solution

Adding another domain

I have a server in production that I'm going to eventually move to another domain. I was wondering if it is possible to have Centrify connected to a second domain, so I can start setting things up to test before removing it from the 1st domain?

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#2 of 13 4,824

Re: Adding another domain

@jviola,

Are you using the product in zone mode (commercial) or in workstation/express (Auto Zone) mode (or a mix)?

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com

Contributor II
Posts: 80
Registered: ‎03-14-2012
#3 of 13 4,820

Re: Adding another domain

I only have the express version.

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#4 of 13 4,813

Re: Adding another domain

In that case a 10,000 foot view:

  • Nothing is stopping you from doing your testing once the new domain is installed.
  • If there will be a trust between the old and new domains, remember that Express only supports 2-way trusts. The commercial version supports one-way trusts.
  • Identity Namespace: Note that this is automatically generated for you by the client (unlike the commercial version, where you have control over it):
    • login -> user's samaccountname
    • group name -> group's samaccountname
    • UID and GID -> uniquely generated based on the domain's SID
    • GECOS -> the user's display name (or group's display name)
    • Home & Shell -> based on platform settings.

    What does this mean to you?
    If you don't plan to use a trust to connect the old and the new, this means that you must plan for a migration. Once you join the new domain, although the login or display names for users may be the same, since that domain will have its own unique SID, all uid/gids will change, therefore users will lose ownership of their files.

If this will be a brand-new Windows 2016 AD, make sure you are using the latest and greatest version of adclient to enjoy the benefits.

Contributor II
Posts: 80
Registered: ‎03-14-2012
#5 of 13 4,793

Re: Adding another domain

I cannot find the Windows app to run this. Also, I'm not able to find install-express.sh on my Linux server. This was set up back in 2012. I think there was some house cleaning. How do I go about adding the second domain? Can I just edit /etc/centrifydc/centrifydc.conf? Then run adjoin?

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#6 of 13 4,791

Re: Adding another domain

The very last suggestion was to download the latest and greatest versions of the software.

Go to the download center and download the bits you need.

https://www.centrify.com/express/linux/download/

If you are doing a new domain, keep in mind that your option most likely will be to do it in Windows Server 2016, since Windows 2012 R2 is out of mainstream support.

The clients from the year 2012 will not work with a Windows 2016-based Active Directory domain. There is also the need to keep software up-to-date because of security due diligence.

Just in case you used this, also remember that our Samba support changed significantly 2 years ago. We went from distributing a "Centrified" version of Samba to only providing an Identity Mapper.

Finally - you don't need the Windows app to distribute software. We provide all the native packages, so if you're using a DevOps solution like Chef, Puppet or Ansible, that would probably be the better way to go.

To install and join:

- Use the native package manager to install (e.g. sudo yum install CentrifyDC) or with DevOps (package CentrifyDC)
- Run the adjoin command (e.g. sudo adjoin -w -c ou=your,ou=container -u your-user domain.name).

Contributor II
Posts: 80
Registered: ‎03-14-2012
#7 of 13 4,787

Re: Adding another domain

Thanks for the download link and additional information. A new company has purchased us and we are moving to their domain. They only have a Windows 2012 R2 domain controller and told me that I can only use a Windows 2012 R2 DC for now. Also, there is no trust between the old domain and the new domain. What problems is this going to cause?

The usernames will be the same on the new domain, but with a different domain name.

I would like to add the new domain to the production server and then have the users log in. I assume they will have different ids and not have permission on their files/directories. But once they log in and I see what their new ids are, then I can change the files/directories to their new accounts. I'm hoping this is the best way to accomplish this in Express?

I've downloaded the new version as suggested. When I run it, will it overwrite the old settings or will it just give me the option to add the additional domain?

Regards,

Jeff


Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#8 of 13 4,785

Re: Adding another domain

What problems is this going to cause?

Without knowing your environment, it's going to be hard to tell you with full certainty (I don't know how you use the software. Is it only for authentication? How many users? How many servers? Are there any filers? Do you have a sense of how large the new environment is? Note that if it's an acquiring company there is a new namespace and possibly a new naming convention (joedoe vs. joe.doe). Are the constraints of this freemium product the right thing for you? Are you subject to any regulation (e.g. SOx, PCI, HIPAA, etc.)?)

See what I mean?

The main problem you're going to have was outlined in my original response - your namespace is going to change and your UID/GID numbers will change. This can range from an 'annoying users/chown fest' exercise to an 'application down/CEO is breathing over my shoulder' exercise (this depends on how many critical servers use the software and the different ways it is used. E.g. you could have a Kerberos key table that is key for a Java app to run that is critical for your business).

I assume they will have different ids and not have permission on their files/directories. But once they log in and I see what their new ids are, then I can change the files/directories to their new accounts.

Yes you can. The most common issue is that you are able to log in, but not change directories to your home folder.

However, it's also possible that you have an NFS server with multi-terabyte files belonging to key project owners.

I've downloaded the new version as suggested. When I run it, will it overwrite the old settings or will it just give me the option to add the additional domain?

Depending on how old the version of the software is, you may or may not be able to upgrade in place. Reasoning:

  • 32-bit operating systems are no longer supported
  • as part of the normal lifecycle, your operating system may no longer be supported by the Express version you downloaded (e.g. AIX 6.x)
  • In the winter of 2016 with the 2017 release, the packaging of the software changed significantly. We split cURL, OpenSSL and OpenLDAP from the main installer.

The answer to the behavior depends on the bullet points above. If you kept your software up to date, this will be as simple as 'yum update CentrifyDC' or as painful as an uninstall/reinstall * n servers.

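The UID/GID problem Robertson describes in posts #4 and #8 (new domain, new SID, new numeric ids, files still owned by the old numbers) can be planned before anyone starts a chown fest. The script below is an added example, not Centrify's code and not something from this thread. It assumes you saved `getent passwd` and `getent group` output while still joined to the old domain and again after joining the new one, matches accounts by login name (the sAMAccountName that Express uses as the Unix name), treats ids below 1000 as local accounts to leave alone, and only prints the find/chown commands for review. The account data embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not Centrify's code: plan the UID/GID re-mapping a domain move
# forces on an Express-mode host. Assumed workflow: while still joined to the old
# domain, save `getent passwd` and `getent group`; after joining the new domain,
# save them again; match accounts by login name (the sAMAccountName that Express
# uses as the Unix name) and emit chown/chgrp commands for review. Nothing here
# touches the filesystem. Ids below LOCAL_MAX are treated as local accounts (an
# assumption; adjust to your login.defs) and are never remapped.
LOCAL_MAX=1000

# Constructed sample data standing in for the four saved getent dumps.
OLD_PASSWD='root:x:0:0:root:/root:/bin/bash
jeff:x:1234567:1234501:Jeff Viola:/home/jeff:/bin/bash
alice:x:1234568:1234501:Alice Smith:/home/alice:/bin/bash
svc_backup:x:1234570:1234501:Backup Service:/home/svc_backup:/sbin/nologin'
NEW_PASSWD='root:x:0:0:root:/root:/bin/bash
jeff:x:987654321:987654301:Jeff Viola:/home/jeff:/bin/bash
alice:x:987654322:987654301:Alice Smith:/home/alice:/bin/bash'
OLD_GROUP='root:x:0:
domain users:x:1234501:jeff,alice,svc_backup
finance:x:1234510:alice'
NEW_GROUP='root:x:0:
domain users:x:987654301:jeff,alice
finance:x:987654310:alice'

# Label each line of the two dumps so a single awk pass can see both.
tagged() {
  printf '%s\n' "$1" | sed 's/^/old:/'
  printf '%s\n' "$2" | sed 's/^/new:/'
}

# id_map OLD NEW -> "name:old_id:new_id" for every non-local account present in
# both dumps whose numeric id changed. Field 3 is the uid in passwd and the gid
# in group, so the same function serves users and groups.
id_map() {
  tagged "$1" "$2" | awk -F: -v local_max="$LOCAL_MAX" '
    $1 == "old" { old[$2] = $4; next }
    $1 == "new" && ($2 in old) && $4 + 0 >= local_max && old[$2] != $4 {
      printf "%s:%s:%s\n", $2, old[$2], $4
    }'
}

# unmapped OLD NEW -> non-local names in the old dump with no counterpart in the
# new one; their files need a manual decision, not a blind remap.
unmapped() {
  tagged "$1" "$2" | awk -F: -v local_max="$LOCAL_MAX" '
    $1 == "old" && $4 + 0 >= local_max { old[$2] = 1; next }
    $1 == "new" { seen[$2] = 1 }
    END { for (n in old) if (!(n in seen)) print n }' | sort
}

# chown_plan uid|gid ROOT reads id_map lines on stdin and prints one find
# command per mapping. Old ids no longer resolve to names once the host is on
# the new domain, so the sweep matches on numbers; -xdev keeps it on one
# filesystem so an NFS export is handled on purpose, not by accident.
chown_plan() {
  flag=$1 root=$2
  case $flag in uid) cmd=chown ;; gid) cmd=chgrp ;; *) return 1 ;; esac
  while IFS=: read -r name old new; do
    printf '# %s\nfind %s -xdev -%s %s -exec %s -h %s {} +\n' \
      "$name" "$root" "$flag" "$old" "$cmd" "$new"
  done
}

id_map "$OLD_PASSWD" "$NEW_PASSWD" | chown_plan uid /home
id_map "$OLD_GROUP"  "$NEW_GROUP"  | chown_plan gid /home
printf 'old accounts with no match in the new domain: %s\n' "$(unmapped "$OLD_PASSWD" "$NEW_PASSWD")"
```

Review the printed commands and the unmapped list before running anything, and run them from a local account as Jeff plans to, since the domain accounts themselves are in flux during the switch. The `-h` flag changes the ownership of symlinks rather than their targets, so a link into a share you have not remapped yet is not touched by accident.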
Contributor II
Posts: 80
Registered: ‎03-14-2012
#9 of 13 4,783

Re: Adding another domain


@Robertson wrote:

What problems is this going to cause?

Without knowing your environment, it's going to be hard to tell you with full certainty (I don't know how you use the software. Is it only for authentication? How many users? How many servers? Are there any filers? Do you have a sense of how large the new environment is? Note that if it's an acquiring company there is a new namespace and possibly a new naming convention (joedoe vs. joe.doe). Are the constraints of this freemium product the right thing for you? Are you subject to any regulation (e.g. SOx, PCI, HIPAA, etc.)?)

I have a very simple environment. No SOx, PCI, HIPAA, etc. I have 1 Red Hat Enterprise Linux (x64) server running version 7.1. I have 18 or 19 users that need access. We use PuTTY and Samba to connect our users. We have root and 1 other account for local administration, but all other users rely on Centrify. Yes, the domain name will change.

See what I mean?

The main problem you're going to have was outlined in my original response - your namespace is going to change and your UID/GID numbers will change. This can range from an 'annoying users/chown fest' exercise to an 'application down/CEO is breathing over my shoulder' exercise (this depends on how many critical servers use the software and the different ways it is used. E.g. you could have a Kerberos key table that is key for a Java app to run that is critical for your business).

We have mapped drives to the server which we hope to keep in place until we are ready to remap to the new domain.

I assume they will have different ids and not have permission on their files/directories. But once they log in and I see what their new ids are, then I can change the files/directories to their new accounts.

Yes you can. The most common issue is that you are able to log in, but not change directories to your home folder.

However, it's also possible that you have an NFS server with multi-terabyte files belonging to key project owners.

We will use our local accounts to make any changes. Only local drives.

I've downloaded the new version as suggested. When I run it, will it overwrite the old settings or will it just give me the option to add the additional domain?

Depending on how old the version of the software is, you may or may not be able to upgrade in place. Reasoning:

  • 32-bit operating systems are no longer supported
  • as part of the normal lifecycle, your operating system may no longer be supported by the Express version you downloaded (e.g. AIX 6.x)
  • In the winter of 2016 with the 2017 release, the packaging of the software changed significantly. We split cURL, OpenSSL and OpenLDAP from the main installer.

The answer to the behavior depends on the bullet points above. If you kept your software up to date, this will be as simple as 'yum update CentrifyDC' or as painful as an uninstall/reinstall * n servers.

I have version adinfo (CentrifyDC 5.1.1-831) installed currently. Can I just run yum update?

If I remember correctly (about 5 years ago), when you run install-express.sh it prompts for the domain you want to join and the OU path. What will happen if I upgrade or run Centrify again? Will it prompt for both domains? Will it just prompt for a second domain and leave the first one in place? I'm trying to do this without breaking the domain I'm currently on.

Thanks,

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#10 of 13 4,780

Re: Adding another domain

I have a very simple environment. No SOx, PCI, HIPAA, etc. I have 1 Red Hat Enterprise Linux (x64) server running version 7.1. I have 18 or 19 users that need access. We use PuTTY and Samba to connect our users. We have root and 1 other account for local administration, but all other users rely on Centrify. Yes, the domain name will change.

This looks simple enough. I am not sure how you're doing the Samba integration, but note my comment from above (we no longer ship a recompiled version of Samba).

I have version adinfo (CentrifyDC 5.1.1-831) installed currently. Can I just run yum update?

Good timing, this version is set to EOL in July. I don't think you'll be able to upgrade in place. Work these scenarios in your lab testing.

If I remember correctly (about 5 years ago), when you run install-express.sh it prompts for the domain you want to join and the OU path.

The behavior of install-express.sh is the same.

What will happen if I upgrade or run Centrify again? Will it prompt for both domains?

If you run install-express.sh, it will tell you if it can (or can't) upgrade in place.

Note - you can only be joined to ONE domain at a time. This is how Active Directory operates.

Caveat emptor: I know you're asking all these questions for research/due diligence. Please don't just take my answers and jump into a production setup. These answers are no substitute for real work in a lab setting.

I'm trying to do this without breaking the domain I'm currently on.

You will definitely break the trust relationship with the existing domain to join the other one. That's one of the reasons why trusts exist in the first place, to facilitate merges, acquisitions and migrations.

Good luck!!!!