Working with classic zones after an upgrade

Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service support both classic and hierarchical zones. After you upgrade the agents, you can either migrate your classic zones into a hierarchical zone structure or maintain them as classic zones. To convert your classic zones into hierarchical zones, use the admigrate program. For details about using the admigrate program to migrate a classic zone to a new parent or child hierarchical zone, see the man page for admigrate.

Note that you can only migrate classic zones to hierarchical zones if you have upgraded the Centrify agent to version 5.x or later.

You are not required to migrate any existing classic zones. If you choose to maintain your existing zones as classic zones, however, you should be aware that the authorization model in classic zones differs from the authorization model used in hierarchical zones. For example:

  • In classic zones, any user with a profile in a zone is automatically granted login access to all computers joined to the zone.
  • In hierarchical zones, a user with a profile in a zone must be assigned to a role with login rights and PAM access rights before being able to log in to a computer joined to a zone.

In addition, some configuration parameters, commands, APIs, and features are only applicable in classic zones, and others are only applicable in hierarchical zones. For example, authorization is an optional feature that can be enabled or disabled in classic zones, so there is a configuration parameter and a zone property option to support the feature in classic zones. For hierarchical zones, authorization is required for access to any managed computer, so the configuration parameter and zone property option are not visible in hierarchical zones.