HP OpenVMS Systems Documentation
DIGITAL PATHWORKS for OpenVMS (Advanced
This section describes how to upgrade a PATHWORKS LAN Manager server using the Upgrade utility. There are several different ways to complete the upgrade. Chapter 3, Changing Server Roles and Domain Names, describes the most common scenarios. In some cases, you need to modify the existing PATHWORKS LAN Manager environment before you can run the Upgrade utility, to preserve the existing database or to avoid a conflict in server roles.
After you have completed the steps described in Chapter 3, Changing Server Roles and Domain Names, you can use the Upgrade utility as described in the following sections:
The order in which you upgrade servers is important for several reasons:
Therefore, you must upgrade servers in the following order:
If your server runs on the license server only, upgrade the license server before any other server. Refer to the PATHWORKS for OpenVMS Server Installation and Configuration Guide for more information on installing the standalone license server.
All nodes in an OpenVMS cluster have the same role: PDC or BDC. OpenVMS clusters are upgraded in the same manner as other servers. If all the nodes in the cluster are running PATHOWRKS LAN Manager, they will be upgraded together. If the cluster is a BDC, then upgrade the PDC first.
You can run the Upgrade utility on any member of the cluster regardless
of whether the PATHWORKS LAN Manager server is running on that node.
However, the node must have access to the PATHWORKS on-disk structure
and the shared resources. You only need to run the Upgrade utility
once. You need not run it on all nodes in the cluster that are running
PATHWORKS LAN Manager.
5.3 How the Upgrade Utility Works
The PATHWORKS Advanced Server kit provides an Upgrade utility that lets you establish a domain for the server and upgrade server information. The first time you run the Upgrade utility, the system lets you create PATHWORKS Advanced Server security account manager (SAM) database files and identify the domain for the server you are upgrading. See Appendix A, Files Created by the Upgrade Utility, in this guide.
The Upgrade utility then lets you generate upgrade reports that show the PATHWORKS LAN Manager server objects that will be upgraded to PATHWORKS Advanced Server objects. You can then review the reports and identify and resolve conflicts to ensure a smooth and complete upgrade. Once the upgrade reports accurately reflect your desired environment, the Upgrade utility allows you to upgrade objects one at a time or all at once.
The Upgrade utility creates reports for the following objects:
The upgrade process preserves passwords set with PATHWORKS LAN Manager.
There are two ways to upgrade security:
Digital Equipment Corporation recommends that you use the Upgrade utility to upgrade security on files because this procedure provides greater control and definition. This allows you to upgrade while the PATHWORKS LAN Manager server is running. However, if a file is open during the upgrade process, the file may not be upgraded. You can enable dynamic security upgrade, to upgrade remaining files dynamically after you complete the upgrade procedure. Files are upgraded when users make connections to them. Note that dynamic security upgrade slows the performance of the server so it is not recommended as a permanent setting. Dynamic security upgrade is disabled by default. To enable dynamic security, use the PATHWORKS Configuration Manager. Refer to the PATHWORKS for OpenVMS (Advanced Server) Server Administrator's Guide for more information about how to use the Configuration Manager.
The following sections describe the differences between PATHWORKS LAN
Manager and Advanced Server permissions. The PATHWORKS Advanced Server
security upgrade is designed to preserve access to the PATHWORKS LAN
Manager environment. While LAN Manager access can be mapped directly to
the PATHWORKS Advanced Server security model, there are some
differences. These differences are described in the following sections.
22.214.171.124 Administrator Privilege
The PATHWORKS Advanced Server security upgrade process is designed to preserve the behavior of users with Administrative privilege or their right to have full access to all files accessible in the PATHWORKS LAN Manager environment. The Upgrade utility will grant full access to the ADMIN user and the local Administrators group for any file that has a PATHWORKS LAN Manager security ACE. By doing so, the access to these files is preserved.
A user with Administrator privilege may be denied access to some files after the server had been upgraded if a file has an ACE that explicitly denies access to the user. With PATHWORKS LAN Manager, this deny-access ACE is not enforced when the file is accessed by a user with Administrative privilege.
126.96.36.199 Permissions Set on Root Device ACLs
The PATHWORKS Advanced Server security upgrade process does not upgrade
access control information set on the root device directory. If your
environment relies on access control information set on the root
device, you must apply the ACEs to the appropriate directory and file
prior to upgrading security.
188.8.131.52 Permissions Set on Object's Parent ACLs
The PATHWORKS Advanced Server security upgrade process upgrades all security ACLs on an object. However the access control information set on the parent directory is not propagated to the object with the upgrade. Users may lose access to files they had access to when running PATHWORKS LAN Manager.
With PATHWORKS Advanced Server, the object's parent directory is checked:
The PATHWORKS Advanced Server security upgrade process does not upgrade a group deny-all ACE. With PATHWORKS LAN Manager, if a user was denied access through a deny-all ACE, the user may gain access to a file if another ACE in the ACL grants access. With PATHWORKS Advanced Server, access is denied when any deny ACE is found.
If you used a deny-all ACE to control access to resources in PATHWORKS
LAN Manager, you must reapply these ACEs to individual objects.
184.108.40.206 Full Access and Child Delete Permissions
With PATHWORKS LAN Manager, if a user has full access to a directory,
and has no access to a file in the directory, the user cannot delete
this file. With PATHWORKS Advanced Server, a user with full access to
the directory also is granted a new access right called Child-delete.
This new access right allows the user to delete any file in the
directory and disregards the access setting on the file.
220.127.116.11 Change Attribute (A) and Create (C) Permission Bits
The PATHWORKS Advanced Server security upgrade process does not upgrade the PATHWORKS LAN Manager "Change Attribute" (A) permission. Any Change Attribute operation will be successful regardless of the file or directory permissions.
The PATHWORKS Advanced Server security upgrade process upgrades the
PATHWORKS LAN Manager Create (C) permission to the PATHWORKS Advanced
Server Write permission. If you use Create permission to control access
to a directory, be sure to check these resources after the upgrade, to
ensure that the new permission does not cause a security problem.
18.104.22.168 Printer permission "C" and "P"
The PATHWORKS Advanced Server security upgrade will upgrade printer permissions as shown in the following table.
|LAN Manager||PATHWORKS Advanced Server Equivalent||Description/Differences|
|C=Y (Yes)||User can access and send jobs to the printer queue.|
|C=N (No)||None||User cannot access or send jobs to the printer queue.|
|None||Manage Documents||User can control settings for print queues and pause, resume, restart, and delete print jobs; applies only to PATHWORKS Advanced Server|
|P (Yes+Change Permissions)||Full||Users can access and send jobs to the printer queue; manage print jobs; control settings for, set access permissions for, and change properties of the printer queue.|
|To do this....||Select...|
|Select an option||
Do one of the following:
|Move between options||Use the Tab or arrow keys.|
|Enter information in a field||
Do one of the following:
|Advance to the next screen||Select the Continue Button and press Enter or Return.|
|Return to the previous screen||Select the Back Button and press Enter or Return.|
|Exit from the Upgrade utility||Select the Exit Button and press Enter or Return.|
|Get information about the utility||Select the Help Button and press Enter or Return.|
This table lists the steps for upgrading a Primary Domain Controller (PDC).
|1.||Step 1: Enter Domain Information (Optional).|
|2.||Step 2: Enter PDC Information.|
|3.||Step 3: Log On to the PDC and Create SAM Database Files.|
|4.||Step 4: Select Objects to Upgrade.|
Step 5: Create and Edit Upgrade Reports for Selected Objects, including:
|6.||Step 6: Start and Track the Upgrade.|
Install the Upgrade utility, as described in Chapter 4, Installing the Upgrade Utility, in this guide.
Then, start the Upgrade utility as follows:
$ SET DEFAULT SYS$UPDATE
Will this server be upgraded as a BDC? [no]
Figure 5-1 Program Initialization Dialog Box
Figure 5-2 Main Screen
The Domain Information screen allows you to change the domains.
If you are upgrading to a domain with an existing PDC, then your server will be upgraded as a BDC, as described in Chapter 3, Changing Server Roles and Domain Names, in this guide.
To change the domain information, follow these steps:
Figure 5-3 Domain Information Screen
If you are upgrading a BDC, the Primary Domain Controller Information screen allows you to enter PDC information, as shown in the following figure. If you are upgrading a PDC, this screen is disabled.
Figure 5-4 Primary Domain Controller Information Screen
Select the Continue button to proceed to Section 5.5.4, Step 3: Log On to the PDC and Create SAM Database Files.
5.5.4 Step 3: Log On to the PDC and Create SAM Database Files
Figure 5-5 Log On to the PDC and Create Database Files Screen
Now you are ready to upgrade users, groups, and other server upgrade
objects. Begin by creating upgrade reports on each object and resolving
conflicts in the upgrade reports.
5.5.5 Step 4: Select Objects to Upgrade
To select objects to upgrade, follow these steps:
Figure 5-6 Select V5 Objects to Upgrade Screen
The Miscellaneous option refers to security parameters, such as password length or age, and security on devices, such as printers and CD-ROM drives. These settings are upgraded when you start the upgrade if you selected the Miscellaneous option. You do not need to create an upgrade report for the miscellaneous option.
This section describes how to create and edit upgrade reports for selected objects including:
Figure 5-7 Generate Upgrade Reports Screen
Figure 5-8 Select a Text Editor Dialog Box
Figure 5-9 User Report Screen
The User report lists the PATHWORKS LAN Manager users that will be upgraded to PATHWORKS Advanced Server users. If there are users in the report that you do not want upgraded, type a backslash (\) in front of the user name or delete the name. Refer to Appendix B, Resolving Log File Error Messages, in this guide for more information about how to edit User reports.
The User report is used as input to the Group report; therefore, you must edit the User report before you create the Group report.