Our backup database server is now also an additional domain controller. After the DC promotion, DB2 failed to start with the error:
No mapping between account names and security IDs was done.
This is expected behavior, since the server removes all local users and groups during promotion, including DB2ADMNS and DB2USERS. These groups are used for extended security, and if it is enabled (which is the default) you will run into this kind of problem. If you don’t change these groups before promotion, you won’t be able to use db2extsec to change them gracefully afterwards, because the database just won’t start and all CLI commands won’t work.
To solve this problem you need to disable extended security by changing the DB2_EXTSECURITY registry variable to NO in HKLM\SOFTWARE\IBM\DB2\GLOBAL_PROFILE and HKLM\SOFTWARE\IBM\DB2\InstalledCopies\DB2COPY1\GLOBAL_PROFILE. Then create DB2ADMNS and DB2USERS Active Directory groups and point DB2 to them using:
db2extsec -u mydom\db2users -a mydom\db2admns
Bear in mind that using domain groups for extended security is supported starting from DB2 version 9 Fix Pack 2. If you’re using an older version, you will have to disable this feature.
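The recovery steps above as one PowerShell script. This is an added example, not code from the original post or from IBM. It assumes the domain name mydom and copy name DB2COPY1 used in the post, string-typed registry values, the ActiveDirectory module, an elevated session with db2extsec on the PATH, and Global security groups (the post does not state a group scope).

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: domain 'mydom' and DB2COPY1 as in the post,
# REG_SZ values, ActiveDirectory module present, db2extsec on the PATH.
Import-Module ActiveDirectory

$Domain = 'mydom'
$Keys = @(
    'HKLM:\SOFTWARE\IBM\DB2\GLOBAL_PROFILE',
    'HKLM:\SOFTWARE\IBM\DB2\InstalledCopies\DB2COPY1\GLOBAL_PROFILE'
)

function Get-ExtSecurity([string]$Key) {
    # Returns the current DB2_EXTSECURITY value, or $null if it is not set.
    (Get-ItemProperty -Path $Key -Name DB2_EXTSECURITY -ErrorAction SilentlyContinue).DB2_EXTSECURITY
}

# 1. Disable extended security in both keys so DB2 can start again.
foreach ($key in $Keys) {
    if (-not (Test-Path $key)) { Write-Warning "Key not found: $key"; continue }
    Write-Host "$key : DB2_EXTSECURITY was '$(Get-ExtSecurity $key)'"
    Set-ItemProperty -Path $key -Name DB2_EXTSECURITY -Value 'NO'
}

# 2. Create the two domain groups unless they already exist.
foreach ($name in 'DB2ADMNS', 'DB2USERS') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        # Group scope and category are assumptions; adjust to your domain policy.
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security
        Write-Host "Created domain group $name"
    }
}

# 3. Point DB2 at the domain groups (command from the post).
& db2extsec -u "$Domain\db2users" -a "$Domain\db2admns"
if ($LASTEXITCODE -ne 0) { throw "db2extsec failed with exit code $LASTEXITCODE" }

# 4. Show the final setting in each key so a leftover NO does not go unnoticed.
foreach ($key in $Keys) {
    if (Test-Path $key) { Write-Host "$key : DB2_EXTSECURITY is now '$(Get-ExtSecurity $key)'" }
}
```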
February 4, 2014 at 3:12 pm
Thanks! What IBM provides on their knowledgebase does not work but your post did the trick!
February 4, 2014 at 10:44 pm
Remember the rule number 1, Alex? Never trust IBM KBs.
September 20, 2014 at 11:28 pm
Haha, there you go.
September 18, 2014 at 5:06 pm
Thanks!!! Really did the trick. After promoting to DC my DB2 databases died, so many hours looking for an “official IBM solution”. Thanks, now I have learned rule number 1!!!!