Migrate Users to Active Directory

The Network Information System (NIS) migration tool imports Linux and Unix passwd files and group files and maps them to users and groups in Active Directory. The migration tool includes options to ease your NIS migration to Active Directory, including:

  • Migration of account information to the organizational units that you want.
  • Creation of groups in Active Directory to match your Linux and Unix groups.
  • Generation of scripts to repair file ownership and group settings.
  • Changes to the GID of imported users to that of the AD Domain Users group.
  • Automatically setting an alias for each migrated user.
  • Generation of Visual Basic scripts to migrate users and groups in an automated and custom way.
  • Modification of GIDs during migration.
  • Selection of only the groups and users that you want to migrate from your full list of groups and users.
  • Setting the home directory and shell for migrated users.
  • Filtering out standard Unix and Linux accounts, such as mail and news.
  • Modification of UID information during migration.
  • Use of NIS map files to migrate netgroups, automounts, and other services to Active Directory.

Overview

The AD Bridge migration tool can import Linux and Unix password and group files (typically /etc/passwd and /etc/group) and automatically map their UIDs and GIDs to users and groups defined in Active Directory.

You can also generate a Windows automation script to associate the Unix and Linux UIDs and GIDs with Active Directory users and groups. Before you commit the changes, you can resolve ambiguous user names and other conflicts.


Before you migrate users to a domain that operates in Schemaless mode (note that Schemaless mode is deprecated), we recommend that you find and remove orphaned objects. The IDs associated with orphaned objects are reserved until you remove the orphaned objects. For more information, see Use the BeyondTrust Management Console to Find Orphaned Objects.

Before Running the Migration Tool

Before running the migration tool, obtain the following information:

  • The name of the domain where you want to migrate the account information.
  • The credentials that allow you to modify the domain.
  • The Unix or Linux passwd file and corresponding group file that you want to add to Active Directory. The password and group files can be from a computer or an NIS server.

Run the Migration Tool

Use the Migration tool to import Linux and Unix password and group files and automatically map UIDs and GIDs to users and groups in Active Directory:

  1. In the BeyondTrust Management Console tree, expand Enterprise Console, and then click Diagnostics & Migration.
  2. From the Tasks list, click Run Migration Tool.
  3. Click Next.
  4. In the Domain box, type the domain name that you want to migrate the account information to.
  5. Select credentials:
    • Use logon credentials: Select if your logon credentials allow you to modify the domain.
    • Use alternate credentials: Select if your logon credentials are not allowed to modify the domain, and then enter credentials that have the appropriate privileges.
  6. Click Next.
  7. Select your mapping files:
    • Click Import to import a Linux/Unix password and group file, and then provide the following information.
      • Map name: The migration tool imports the passwd file and group file into the map file, which is then matched to existing Active Directory user and group names.
      • Passwd file: Type the path and name of the file that you want to import, or click Browse to find the file.
      • Group file: Type the path and name of the passwd file's corresponding group file, or click Browse and then find the file.
      • To import default Unix or Linux user accounts such as root and public, clear the Omit standard Linux/UNIX user accounts check box.
      • In the list under Users, clear the Import check box for any user that you do not want to import, and then click Next.
    • Click Import NIS Map to import an NIS Map File. You can run the ypcat command on the NIS server to create the map file.
      • NIS Map file: Click Browse to find the map file.
      • Map type: Select the map file type: Netgroups, Automounts, or Services.
  8. Select the OU where you want to migrate the Linux or Unix account information.
    • If you select the top of your domain, the information is migrated to the default AD Bridge Cell of your Active Directory forest and UID numbers are automatically assigned within the domain's range.
    • If you select an OU, AD Bridge creates a cell for the OU and migrates the account information to it. UIDs and GIDs are maintained if the passwd and group files agree, and if the UIDs and GIDs do not conflict with existing users or groups.

    The migrated account information applies only to computers that are members of the OU.

  9. Click Next.
  10. Select from the following list of migration options:
    • Create groups in Active Directory to match Linux/Unix groups: Create groups in Active Directory that match your Linux or Unix groups.
    • Create all groups in AD: Create all groups in Active Directory, not just the referenced ones. To select this option, you must first select the Create groups in Active Directory to match Linux/UNIX groups check box.
    • Generate scripts to repair file ownership and group settings: Run scripts that can repair ownership issues and group settings issues.
    • Change GID of imported users to Domain Users
    • Always set Login Name (alias), even when same as sAMAccountName
    • Generate VBScript to perform migration: Enter the name of the script in the Script name box. Enter the directory where the script is located.
    • Name map file (optional): A file that automatically maps Linux and UNIX users and groups to Active Directory accounts and groups, written as key/value pairs delimited by an = sign. The value can be the LDAP path of the Active Directory user or group, or it can use the format DOMAIN\username.

      For example, john=LDAP://CN=jdoe,OU=accounts,DC=thedomain,DC=com or john=thedomain\jdoe, where the Unix user with login john is matched to the AD user with CN=jdoe.

      If no name map file is provided, or no successful match is found for an entry, the Migration tool tries to find the best match in the target domain.

  11. Click Next.
  12. Click the Users tab and verify that the information is correct.
  13. Click the Groups tab and verify that the information is correct.
  14. To import the passwd and group files after you verify that the information is correct, click Next.
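Before running the tool it is worth checking the input files offline: step 8 keeps UIDs and GIDs only when the passwd and group files agree, and the optional name map file must hold login=value pairs whose values are LDAP paths or DOMAIN\username. The following is an added example (not AD Bridge's own code) with constructed sample files; the exact filter list and matching rules the tool applies are not documented here, so the checks are assumptions about what a reviewer would want flagged.

```python
import re
# Constructed sample inputs standing in for /etc/passwd, /etc/group and a name map file.
PASSWD = """root:x:0:0:root:/root:/bin/bash
john:x:1001:1001:John Doe:/home/john:/bin/bash
mary:x:1002:1003:Mary Roe:/home/mary:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
GROUP = "root:x:0:\nusers:x:1001:john,bob\n"
NAME_MAP = """john=LDAP://CN=jdoe,OU=accounts,DC=thedomain,DC=com
mary=thedomain\\mroe
bob=bob
ghost=thedomain\\ghost
"""
LDAP_VALUE = re.compile(r"^LDAP://CN=[^,]+(,(OU|DC|CN)=[^,]+)+$")  # LDAP://CN=...,OU=...,DC=...
DOMAIN_VALUE = re.compile(r"^[A-Za-z0-9.-]+\\[^\\]+$")              # DOMAIN\username

def parse_passwd(text):  # login -> (uid, gid), skipping blank and comment lines
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            login, _, uid, gid = line.split(":")[:4]
            users[login] = (int(uid), int(gid))
    return users

def preflight(passwd_text, group_text):
    # Flag a primary GID absent from the group file, or a UID shared by two logins.
    users = parse_passwd(passwd_text)
    gids = {int(l.split(":")[2]) for l in group_text.splitlines() if l and not l.startswith("#")}
    problems, seen_uid = [], {}
    for login, (uid, gid) in users.items():
        if gid not in gids:
            problems.append(f"{login}: primary GID {gid} missing from group file")
        if uid in seen_uid:
            problems.append(f"{login}: UID {uid} duplicates {seen_uid[uid]}")
        seen_uid.setdefault(uid, login)
    return problems

def check_name_map(map_text, passwd_text):
    # Each line must be login=value with a known login and an LDAP path or DOMAIN\username value.
    users = parse_passwd(passwd_text)
    problems = []
    for n, line in enumerate(map_text.splitlines(), 1):
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {n}: not a key=value pair")
        elif key not in users:
            problems.append(f"line {n}: {key} not in passwd file")
        elif not (LDAP_VALUE.match(value) or DOMAIN_VALUE.match(value)):
            problems.append(f"line {n}: {value!r} is neither an LDAP path nor DOMAIN\\username")
    return problems
```

Run `preflight(PASSWD, GROUP)` and `check_name_map(NAME_MAP, PASSWD)` against your real files before step 7; anything reported is a user whose IDs the tool will have to reassign or a map entry it will ignore.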

Migrate NIS Domains

If you use AD Bridge to migrate all your Unix and Linux users to Active Directory, in most cases you will assign these users a UID and GID that is consistent across all the Unix and Linux computers that are joined to Active Directory. This is a simple approach that reduces administrative overhead.

In cases where multiple NIS domains are in use and you want to eliminate them over time and migrate all users and computers to Active Directory, mapping an Active Directory user to a single UID and GID might be too difficult. When multiple NIS domains are in place, a user typically has a different UID-GID map in each NIS domain. With AD Bridge, you can eliminate these NIS domains but retain the different NIS mapping information in Active Directory, because AD Bridge lets you use a cell to map a user to different UIDs and GIDs depending on the Unix or Linux computer that they are accessing.

To move to Active Directory when you have multiple NIS servers, you can create an OU or choose an existing OU, and join to the OU all the Unix computers that are connected to the NIS server. You can then use cells to represent users' UID-GID mapping from the previous identity management system.