Summary of Contents for Novell OPEN ENTERPRISE SERVER 2.0 SP2 - DOMAIN SERVICE FOR WINDOWS
Page 1
AUTHORIZED DOCUMENTATION. Domain Services for Windows Administration Guide, Novell® Open Enterprise Server 2.0 SP2, November 16, 2009, www.novell.com. OES 2 SP2: Domain Services for Windows Administration Guide...
Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell Trademarks: For a list of Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials: All third-party trademarks are the property of their respective owners.
Users and Applications Hosted in the DSfW Forest (page 22); Working With Windows Systems Without Novell Client (page 22); Leveraging an Existing eDirectory Setup ...
Page 6
6 Installing Domain Services for Windows: Prerequisites for Installation (page 41); Installation Scenarios ...
Page 7
Limitations (page 134); 11.4.1 Joining a Workstation that Has Novell Client Installed (page 135); 11.4.2 Error while Joining a Workstation to a Domain ...
Page 8
16.2 Accessing Files by Using the Novell Client for Windows (page 197); 16.3 Accessing Files in Another Domain ...
About This Guide: This documentation describes how to install, configure, and use Novell® Domain Services for Windows on a Novell Open Enterprise Server (OES) 2 server. This guide is divided into the following sections: Chapter 1, “Overview,” on page 13; Chapter 2, “What’s New,”...
Domain Services for Windows, see OES 2: Novell Domain Services for Windows Security Guide. Documentation Conventions: In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. A trademark symbol (®, ™, etc.) denotes a Novell trademark.
Clientless login and cross-platform file access for Windows users: From a standard Windows workstation, users can authenticate to an OES 2 SP2 Linux server running eDirectory without the need for the Novell Client software or multiple logins. After the Windows workstations have joined the DSfW domain, authorized users can log in and access the file and print services they are authorized to use, whether the services are provided by OES 2 SP2 Linux servers in the DSfW domain or Windows servers in a trusted Active Directory domain. Unified repository of user account information: DSfW is not a directory synchronization solution.
Page 15
8.8 SP2 and above supports DSfW. Kerberos Key Distribution Center (KDC): Provides Active Directory-style authentication. NOTE: This is a KDC specifically developed for DSfW. It is different from the Novell Kerberos KDC (http://www.novell.com/documentation/kdc15/index.html). NMAS Extensions: Provide support for GSS-API authentication mechanisms, and for SAMSPM, to generate Active Directory-style credentials when a user’s Universal Password is...
1.3 Basic Directory Services Concepts To effectively set up and work with DSfW, a basic understanding of both eDirectory and Active Directory is required. This section briefly outlines helpful concepts and terminology. Section 1.3.1, “Domains, Trees, and Forests,” on page 16 Section 1.3.2, “Naming,”...
Function: LDAP operations like Search and Modify. DSfW LDAP Server: uses Domain Name format, for example dc=eng,dc=novell. eDirectory Server: uses X.500 format, for example ou=eng,o=novell.
Function: Ports. DSfW LDAP Server: when the DSfW server is configured, LDAP requests such as Search ... eDirectory Server: eDirectory uses ports 389 and 636 for communication purposes.
Page 18
Function: Schema Addition. DSfW LDAP Server: attribute and class mappings are changed for some object classes; for example, the User and Group object classes are mapped to user and group, and server is mapped to ndsServer. eDirectory Server: the User and Group object classes are extended to hold additional Active Directory attributes.
This section describes additions to the Novell Domain Services for Windows (DSfW) service for the Novell Open Enterprise Server 2 SP2 Linux platform over the previous release: DSfW installation and configuration are now handled in a two-step process: 1. The YaST install prepares the server and the tree for domain users. This part of the process features restructured installation screens.
Page 20
Section 3.1, “Authenticating to Applications That Require Active Directory-Style Authentication,” on page 21 Section 3.2, “Working With Windows Systems Without Novell Client,” on page 22 Section 3.3, “Leveraging an Existing eDirectory Setup,” on page 23 Section 3.4, “Interoperability Between Active Directory and eDirectory,” on page 23 3.1 Authenticating to Applications That Require...
Novell Storage Services (NSS) file system. Novell Client does not need to be installed and managed as extra software on the desktop. This streamlines the user experience: a single login to the directory gives access to both Active Directory applications and eDirectory services.
Windows on a workstation for which you plan to provide native Windows access to DSfW servers. Novell Client access and native Windows access to DSfW servers do not work well together on the same workstation. But if you already have...
DSfW servers, an eDirectory 8.8 SP2 server, and an eDirectory 8.8 SPx server, configured in the same replica ring. Novell administrators can manage the domain by using iManager connected to any of these servers, and a Microsoft administrator can use MMC connected to one of the DSfW servers.
Deployment Scenarios This section describes deployment scenarios for name-mapped and non-name mapped scenarios: Section 4.1, “Deploying DSfW in a Non-Name-Mapped Setup,” on page 25 Section 4.2, “Deploying DSfW in a Name-Mapped Setup,” on page 27 4.1 Deploying DSfW in a Non-Name-Mapped Setup In case of installing DSfW in a non-name-mapped setup, you are setting up a new tree in a DSfW forest.
Width: In this scenario, the DSfW forest is spread out in a horizontal manner. You can have each branch office of the company configured as a domain. As represented in the figure, example.com is the first domain in the forest. It represents the head office of the company, and the branch offices are represented by the domains America, India, Korea, China and Mexico.
Depth and Width: With this combination you get the benefits of a tree that is spread both horizontally and vertically. This is best suited for organizations that have offices locally as well as globally and that have a high requirement for load processing. Figure 4-4: Deploying DSfW in a Combination Structure (tree diagram rooted at dc=example,dc=com...)
Page 28
Figure 4-5: Deploying DSfW in an Existing eDirectory Tree (tree diagram with nodes T=Global, America, Asia, Europe, dc=com, dc=asia, India, China, Japan, Delhi, Bangalore, Sales, Finance)
Planning for DSfW: This section describes requirements and guidelines for using Novell® Domain Services for Windows on a Novell Open Enterprise Server (OES) 2 server. Section 5.1, “Server Requirements for Installing DSfW,” on page 29; Section 5.2, “Scalability Guidelines,” on page 29; Section 5.3, “Deciding Between Name-Mapped or Non-Name-Mapped Installation,”...
Scalability table (Forest Component / Scale up to): number of domain controllers per domain; number of simultaneous logins per domain controller; number of child domains at the same level (width); number of child domains (depth). 5.3 Deciding Between Name-Mapped or Non-Name-Mapped Installation. Name-Mapped Installation: Installing DSfW in a name-mapped setup means you are installing DSfW in an existing eDirectory tree inside a specific container.
Page 31
Figure 5-1: Name-Mapped Installation (tree diagram with nodes T=Global, America, Asia, Europe, dc=com, dc=asia, India, China, Japan, Delhi, Bangalore, Sales, Finance). Non-Name-Mapped: In case of installing DSfW in a non-name-mapped setup, you are setting up a new tree in a DSfW forest. Here the tree structure overlaps with the DNS namespace. Figure 5-2: Non-Name-Mapped Installation (tree diagram rooted at o=acme...)
It is also not possible to partition the root container and map it to create a DSfW forest. For more information, see Designing the eDirectory Tree (http://www.novell.com/documentation/edir871/?page=/documentation/edir871/edir871/data/a2iiidp.html). 5.4 Meeting the Installation Requirements: Before you start the process of installation, ensure you have met the following prerequisites. These steps can be used to validate the state of the system before beginning the installation process.
Page 33
Domain Name is Correct: Before installing DSfW, ensure the domain name is entered correctly in YaST. To verify and correct the domain name, do the following: 1 Open YaST > Network Configurations. Select the Hostname and Name Server option. 2 Verify that the domain name is correct. 3 Select the Write Hostnames to /etc/hosts option to ensure that the changes you have made get added to the file.
Page 34
DNS Server is Installed: Ensure that the Novell DNS service is installed and the server is up and running to answer name resolution queries. In case of a first domain installation, the /etc/resolv.conf file must have an entry for the local...
Alternatively, you can also use iMonitor to see if the schema is synchronized. For information on using iMonitor, see Novell eDirectory Management Utilities (http://www.novell.com/documentation/ndsedir86/?page=/documentation/ndsedir86/taoenu/data/a5hgofu.html). Servers in the Replica Ring are Synchronized...
Page 36
2 Verify that the domain name is correct. 3 Select the Write Hostnames to /etc/hosts option to ensure that the changes you have made get added to the /etc/hosts file. 4 Verify that the Name Server 1 points to the local DNS server. For details, see “DNS Server is Installed”...
Page 37
NOTE: Ensure that the domain name that you are creating is the same as the partition name. If the names do not match, the installation will fail. DNS Server is Installed: Ensure that the Novell DNS service is installed and the server is up and running to answer name resolution queries. In case of a first domain installation, the /etc/resolv.conf file must have an entry for the local...
Page 38
Time is Synchronized: Ensure time is synchronized between all servers in the replica ring by executing the following command: ndscheck -a <bind dn> -w <password>. In addition to displaying partition and replica health, this command also displays the time difference between servers in the replica ring. If you observe a time difference between the servers, ensure that all the servers in the replica ring reference the same NTP server.
5.6 Unsupported Service Combinations IMPORTANT: Do not install any of the following service combinations on the same server as DSfW. Although not all of the combinations cause pattern conflict warnings, Novell does not support any of the following combinations: File Server (SLES 10 - Samba)
You should assume that an installation is not supported unless these sources indicate otherwise. NOTE: This section refers to Novell® products that are not included with OES 2, such as GroupWise. It doesn’t apply to services included with OES 2, such as Novell iPrint.
Installation Prerequisites For a Non-Name-Mapped Setup. 1 In the YaST install for OES, from the Software Selections page, select the Novell Domain Services for Windows pattern. Click Accept. Ensure that Novell DNS is selected along with Novell Domain Services for Windows. Pattern deployment provides patterns for different services. Selecting a pattern automatically selects and installs its dependencies.
Page 42
2 On the first eDirectory configuration page in YaST, select the New Tree option. This indicates that you are installing a new DSfW server in the forest: 2a Select New Tree and specify a name for the tree. For example, DSfW-TREE. 2b Select Use eDirectory certificates for HTTPS Services if you want your OES services that provide HTTPS connectivity to use the more secure eDirectory certificates instead of the self-signed certificates created by YaST.
Page 43
3 Specify the eDirectory administrator password in both fields, then click Next. Installing Domain Services for Windows...
Page 44
4 Specify the settings to configure the local server in the eDirectory tree. 4a Leave the location of the Directory Information Base (DIB) at the default setting. 4b Leave the iMonitor Port settings at the defaults unless you need to change them to avoid port conflicts with other services.
Page 45
5a Specify a reliable Network Time Protocol (NTP) provider. Novell eDirectory requires that all servers in a tree be time-synchronized. In a single-server scenario, you can specify the local machine as the NTP provider. 5b Specify details to configure SLP: 5b1 If you do not want to configure the Service Location Protocol, select the Do not configure SLP option.
Page 46
Click Next. 7 Specify details to configure DSfW on eDirectory.
Page 47
7a Select the New Domain Services for Windows forest option. This indicates that you are installing a new DSfW forest. 7b The DNS Name for the New Domain is by default taken from the entry in the /etc/hosts file. In case you need to change the domain name, make sure you follow the instructions in “Domain Name is Correct”...
Page 48
8a Specify the following information: Specify the context of the DNS service locator object (for example, ou=OESSystemObjects,dc=dsfw,dc=com). Specify the context of the DNS Root ServerInfo object (for example, ou=OESSystemObjects,dc=dsfw,dc=com). Specify the context of the DNS Services Group object (for example, ou=OESSystemObjects,dc=dsfw,dc=com). 8b Specify the fully distinguished, typeful name of the proxy user that will be used for DNS Management.
Page 49
10 This starts the DSfW installation. When the installation is complete, click Finish.
Prerequisites: Before proceeding with this non-name-mapped installation, review Installation Prerequisites For a Non-Name-Mapped Setup. 1 In the YaST install for OES, from the Software Selections page, select the Novell Domain Services for Windows pattern. Click Accept. Ensure that Novell DNS is selected along with Novell Domain Services for Windows.
Page 51
2a Select Existing Tree and specify the name of the tree. For example, DSFW_TREE. 2b Select Use eDirectory certificates for HTTPS Services if you want your OES services that provide HTTPS connectivity to use the more secure eDirectory certificates instead of the self-signed certificates created by YaST.
Page 52
3a Specify the IP address of the Forest Root Domain. 3b Do not change the NCP Port, LDAP Port and Secure LDAP Port information. 3c Specify the tree admin credentials for the administrator to log into the eDirectory tree. 3d Click Next.
Page 53
4 Select the settings for the local server configuration: 4a Leave the location of the Directory Information Base (DIB) at the default setting. 4b Leave the iMonitor port settings at the defaults unless you need to change them to avoid port conflicts with other services.
Page 54
5a Specify a reliable Network Time Protocol (NTP) provider. Novell eDirectory requires that all servers in a tree be time-synchronized. In a single-server scenario, you can specify the local machine as the NTP provider. 5b Specify details to configure SLP: 5b1 If you do not want to configure the Service Location Protocol, select the Do not configure SLP option.
Page 55
6a Click Next. 7 Specify details to configure DSfW on eDirectory.
Page 56
DNS server. For more information, see “Zone Management” in the OES 2 SP2: Novell DNS/DHCP Administration Guide for Linux. 7d We recommend that you leave the NetBIOS name setting at the default, then click Next to continue. For more information, see Section 5.9, “Limitation with NETBIOS Names,”...
Page 57
9 Specify the IP address of the parent domain, the administrator name and password.
Page 58
10 This screen needs to be used when you need to map a new domain to an existing eDirectory container. As this is a non-name-mapped installation scenario, click Next to skip this screen. 11 Specify details to configure DNS.
Page 59
11a If you already have a DNS server configured in your tree, select the Get context information from existing DNS Server option, provide the IP address of an existing DNS server and select Retrieve. This will fetch the contexts of the existing Locator and Group objects. If you do not wish to use the existing contexts, you can manually enter the details.
Page 60
13 This starts the DSfW installation. When the installation is complete, click Finish.
Page 61
Prerequisites: Before proceeding with this non-name-mapped installation, review Installation Prerequisites For a Non-Name-Mapped Setup. 1 In the YaST install for OES, from the Software Selections page, select the Novell Domain Services for Windows pattern. Click Accept. Ensure that Novell DNS is selected along with Novell Domain Services for Windows.
Page 62
2a Select Existing Tree and specify the name of the tree. For example, DSfW-TREE. 2b Select Use eDirectory certificates for HTTPS Services if you want your OES services that provide HTTPS connectivity to use the more secure eDirectory certificates instead of the self-signed certificates created by YaST.
Page 63
3a Specify the IP address of a server in the existing eDirectory tree that holds a read/write or master replica of the partition. 3b Do not change the NCP Port, LDAP Port and Secure LDAP Port information. 3c Specify the tree admin credentials for the administrator to log into the eDirectory tree. 3d Click Next.
Page 64
4a Leave the location of the Directory Information Base (DIB) at the default setting. 4b Leave the iMonitor Port settings at the defaults unless you need to change them to avoid port conflicts with other services. 4c Leave the Secure iMonitor Port settings at the defaults unless you need to change them to avoid port conflicts with other services.
Page 65
5a Specify a reliable Network Time Protocol (NTP) provider. Novell eDirectory requires that all servers in a tree be time-synchronized. In a single-server scenario, you can specify the local machine as the NTP provider. 5b Specify details to configure SLP: 5b1 If you do not want to configure the Service Location Protocol, select the Do not configure SLP option.
Page 66
6a Click Next. 7 Specify details to configure DSfW on eDirectory. 7a Select the New Domain in an Existing Domain Services for Windows forest option. This indicates that you are installing a new DSfW forest.
Page 67
7b The configuration partition is forest-specific, and by default the first domain controller of every domain gets a replica. The subsequent domain gets a replica of this partition if you select the Replicate schema and configuration Partitions option. NOTE: We recommend that you select this option to replicate the schema and configuration partition to the subsequent domain controller. 8 Specify administrator name and forest root domain details.
Page 68
8a Specify the name of the forest root domain in which you want to create the domain controller. 8b Specify the password for the domain administrator. 8c Click Next. 9 Specify details to configure DNS.
Page 69
9a If you already have a DNS server configured in your tree, select the Get context information from existing DNS Server option, provide the IP address of an existing DNS server and select Retrieve. This will fetch the contexts of the existing Locator and Group objects. If you do not wish to use the existing contexts, you can manually enter the details.
Page 70
11 This starts the DSfW installation. When the installation is complete, click Finish.
Prerequisites: Before proceeding with this name-mapped installation, review Installation Prerequisites for a Name-Mapped Setup. 1 In the YaST install for OES, from the Software Selections page, select the Novell Domain Services for Windows pattern. Click Accept. Ensure that Novell DNS is selected along with Novell Domain Services for Windows.
Page 72
2a Select Existing Tree and specify the name of the tree. For example, DSFW-TREE. 2b Select Use eDirectory certificates for HTTPS Services if you want your OES services that provide HTTPS connectivity to use the more secure eDirectory certificates instead of the self-signed certificates created by YaST.
Page 73
3a Specify the IP address of the Forest Root Domain. 3b Do not change the NCP Port, LDAP Port and Secure LDAP Port information. 3c Specify the tree admin credentials for the administrator to log into the eDirectory tree. 3d Click Next.
Page 74
4 Select the settings for the local server configuration: 4a Leave the location of the Directory Information Base (DIB) at the default setting. 4b Leave the iMonitor port settings at the defaults unless you need to change them to avoid port conflicts with other services.
Page 75
5a Specify a reliable Network Time Protocol (NTP) provider. Novell eDirectory requires that all servers in a tree be time-synchronized. In a single-server scenario, you can specify the local machine as the NTP provider. 5b Specify details to configure SLP: 5b1 If you do not want to configure the Service Location Protocol, select the Do not configure SLP option.
Page 76
6a Click Next. 7 Specify details to configure DSfW on eDirectory.
Page 77
7a Select the New Domain Services for Windows Forest option. This indicates that you are installing a DSfW server in an existing forest. 7b The DNS Name for the New Domain is by default taken from the entry in the /etc/hosts file.
Page 78
8 Specify the password for the domain administrator in both fields, then click Next. 9 Specify details to map the existing eDirectory container to the new domain.
Page 79
9c Specify the name of the NKDC realm from which you want to migrate the users to the DSfW domain. 9d If you select the Retain existing Novell Password Policies on Users option, the password policies assigned to the users within the container that is mapped to the new domain do not change.
Page 80
10a Specify the following information: Specify the context of the DNS service locator object (for example, ou=OESSystemObjects,dc=dsfw,dc=com). Specify the context of the DNS Root ServerInfo object (for example, ou=OESSystemObjects,dc=dsfw,dc=com). Specify the context of the DNS group object (for example, ou=OESSystemObjects,dc=dsfw,dc=com). 10b Specify the fully distinguished, typeful name of the proxy user that will be used for DNS Management.
Page 81
12 This starts the DSfW installation. When the installation is complete, click Finish.
Page 82
Prerequisites: Before proceeding with this name-mapped installation, review Installation Prerequisites for a Name-Mapped Setup. 1 In the YaST install for OES, from the Software Selections page, select the Novell Domain Services for Windows pattern. Click Accept. Ensure that Novell DNS is selected along with Novell Domain Services for Windows.
Page 83
2a Select Existing Tree and specify the name of the tree. For example, DSfW-TREE. 2b Select Use eDirectory certificates for HTTPS Services if you want your OES services that provide HTTPS connectivity to use the more secure eDirectory certificates instead of the self-signed certificates created by YaST.
Page 84
5a Specify a reliable Network Time Protocol (NTP) provider. Novell eDirectory requires that all servers in a tree be time-synchronized. In a single-server scenario, you can specify the local machine as the NTP provider. 5b Specify details to configure SLP: 5b1 If you do not want to configure the Service Location Protocol, select the Do not configure SLP option.
Page 85
7a Select the New Domain in an Existing Domain Services for Windows forest option. This indicates that you are setting up a new domain in an existing DSfW forest. 7b The DNS Name for the New Domain is by default taken from the entry in the /etc/hosts file.
Page 86
8a Specify the name of the Forest Root Domain in which you want to create the child domain. 8b Specify the parent domain in which you want to create the child domain. 8c Click Next. 9 Specify the information needed to identify the child domain you are creating.
Page 87
9a Specify the IP address, name and context for the administrator of the parent domain. 9b Specify the password for the administrator of the new child domain. Retype the password to verify it. 9c Click Next. 10 Specify the information to map the new domain to an existing eDirectory container.
Page 88
10c Specify the name of the realm where you have existing Kerberos users. 10d If you select the Retain existing Novell Password Policies on Users option, the password policies assigned to the users within the container that is mapped to the new domain do not change.
Page 89
11a If you already have a DNS server configured in your tree, select the Get context information from existing DNS Server option, provide the IP address of an existing DNS server and select Retrieve. This will fetch the contexts of the existing Locator and Group objects. If you do not wish to use the existing contexts, you can manually enter the details.
Page 90
13 This starts the DSfW installation. When the installation is complete, click Finish.
Page 91
Prerequisites: Before proceeding with this non-name-mapped installation, review Installation Prerequisites For a Non-Name-Mapped Setup. 1 In the YaST install for OES, from the Software Selections page, select the Novell Domain Services for Windows pattern. Click Accept. Ensure that Novell DNS is selected along with Novell Domain Services for Windows.
Page 92
2a Select Existing Tree and specify the name of the tree. For example, DSfW-TREE. 2b Select Use eDirectory certificates for HTTPS Services if you want your OES services that provide HTTPS connectivity to use the more secure eDirectory certificates instead of the self-signed certificates created by YaST.
Page 93
3a Specify the IP address of the Forest Root domain. 3b Do not change the NCP Port, LDAP Port and Secure LDAP Port information. 3c Specify the tree admin credentials for the administrator to log into the eDirectory tree. 3d Click Next. 4 Specify the configuration for the local server in the eDirectory tree.
Page 94
4a Leave the location of the Directory Information Base (DIB) at the default setting. 4b Leave the iMonitor Port settings at the defaults unless you need to change them to avoid port conflicts with other services. 4c Leave the Secure iMonitor Port settings at the defaults unless you need to change them to avoid port conflicts with other services.
Page 95
5a Specify a reliable Network Time Protocol (NTP) provider. Novell eDirectory requires that all servers in a tree be time-synchronized. In a single-server scenario, you can specify the local machine as the NTP provider. 5b Specify details to configure SLP: 5b1 If you do not want to configure the Service Location Protocol, select the Do not configure SLP option.
Page 96
6a Click Next. 7 Specify details to configure DSfW on eDirectory. 7a Select the New Domain in an Existing Domain Services for Windows forest option. This indicates that you are installing DSfW in an existing eDirectory tree.
Page 97
7b The configuration partition is forest-specific, and by default the first domain controller of every domain gets a replica. The subsequent domain gets a replica of this partition if you select the Replicate schema and configuration Partitions option. NOTE: We recommend that you select this option to replicate the schema and configuration partition to the subsequent domain controller. 8 Specify administrator name and forest root domain details.
Page 98
8a Specify the name of the forest root domain in which you want to create the domain controller. 8b Specify the password for the domain administrator. 8c Click Next. 9 Specify details to configure DNS.
Page 99
9a If you already have a DNS server configured in your tree, select the Get context information from existing DNS Server option, provide the IP address of an existing DNS server and select Retrieve. This will fetch the contexts of the existing Locator and Group objects. If you do not wish to use the existing contexts, you can manually enter the details.
Page 100
11 This starts the DSfW installation. When the installation is complete, click Finish.
6.3 Using a Container Admin to Install and Configure DSfW: For this procedure, assume that you want to configure DSfW in an existing tree with the following root partitions: o=novell, ou=india.o=novell and ou=blr.ou=india.o=novell. The replica layout looks like this:
o=novell: cn=srv1.o=novell (M), cn=srv2,ou=india,o=novell (RW)
ou=india.o=novell: cn=srv2,ou=india,o=novell (M)
ou=blr.ou=india.o=novell: ...
Page 102
5 Use the tree admin to extend the schema for DSfW: 5a On an existing OES 2 Linux server, run the Novell Schema tool found in YaST > Open Enterprise Server > Novell Schema Tool and enter the IP address of the eDirectory 8.8 SP5 server with a writable replica of the root.
Resuming Tasks: The Provisioning Wizard stores the status and details of the tasks being performed in the /etc/opt/novell/xad/provisioning.xml file. If you close the wizard window or cancel a task during provisioning, the next time you launch provisioning the task resumes from the point at which it was stopped.
Each task has a corresponding script located in the /opt/novell/xad/lib/perl/Install folder. These scripts contain pre-operation and post-operation pluggable subroutines that take care of the validation process. The precheck ensures that all the prerequisites are met for execution of the task, and the post-check ensures that the task is finished before moving on to the next task.
Page 105
Figure 7-1: Snapshot of the Provisioning Wizard. Task List: The task list displayed in the left pane of the wizard varies with the installation scenario. The configuration information provided during DSfW installation serves as input for the Provisioning Wizard to compute the list of tasks to be displayed. For example, if you selected a non-name-mapped scenario for DSfW installation, the tasks to be performed for provisioning are different from the tasks to be performed if you selected a name-mapped scenario for installation.
To launch the wizard, do one of the following: From the terminal, run the /opt/novell/xad/sbin/provision_dsfw.sh script. Or launch YaST; the DSfW Provisioning Wizard is listed as an option. This opens the login dialog box. NOTE: If you do not provision the DSfW server, a dialog box indicating that the DSfW configuration is not complete is displayed every time you log in.
Provisioning Scenario: Subsequent Domain Controller. Password Details Required: the current domain password. After the password details are verified, the Provisioning Wizard is launched. IMPORTANT: If you are installing the first child domain in a non-name-mapped scenario, the tree admin password and the parent domain password are the same. 7.5 Provisioning Tasks: The Provisioning Wizard lets you perform the following tasks: Section 7.5.1, “Provisioning Precheck,”...
The zone references are added to the DNS Server, DNS Group object, and the DNS Locator object. Currently, DSfW is tightly coupled with Novell DNS and needs at least one DNS server to run on a domain controller, but there are future plans to provide support for any DNS server capable of supporting secure DNS updates.
7.5.5 Add Domain Replica This task moves the replica of the domain partition from the master server to the local server. The replica on the local server is then changed to be the master replica. For a non-name-mapped child installation, the read-write replica is deleted from the other server. For a subsequent domain controller, this task moves the replica from the master server to the local server, but doesn’t delete the copy from the other server.
The restart is essential for the changes to be committed. The services that are restarted as part of this task are: 1. ndsd (eDirectory) 2. novell-named (DNS) 3. nscd (Name Server cache daemon) 4. rpcd (RPC server) 5. xad-krb5kdc (Kerberos) 6.
7.5.13 Set Credentials for Accounts This task sets the password and kerberizes the administrator, krbgt, and guest accounts. 7.5.14 Enable Kerberos In DSfW, Kerberos is the primary security protocol for authentication within a domain. The Kerberos authentication mechanism issues tickets for accessing network services. As part of this task, the file is updated and a ticket is sent to the administrator principal.
Table 7-3 Provisioning Tasks for Different Installation Scenarios
Installation Scenario: Installing DSfW in a Non-Name-Mapped Setup (Forest Root Domain)
Provisioning Tasks: Provisioning Precheck, Configure DNS, Create Domain Partition, Configure SLAPI Plug-Ins, Add Domain Objects, Create Configuration Partition, Create Schema Partition, Add Configuration Objects, Assign Rights, Restart DSfW Services...
Installation Scenario: Installing DSfW in a Name-Mapped Setup (Child Domain)
Provisioning Tasks: Provisioning Precheck, Configure DNS, Add Domain Replica, Configure SLAPI Plug-Ins, Add Domain Objects, Create Configuration Partition, Create Schema Partition, Add Configuration Objects, Assign Rights, Restart DSfW Services, Set Credentials for Accounts, Enable Kerberos, Samify Objects, Establish Trust...
The Log Messages pane in the Provisioning Wizard displays the details and status of events happening in the background during the execution of each task. The log details are displayed on the GUI and also logged in the /var/opt/novell/xad/log/provisioning.log file. The details that are recorded in the log file are: The status of each task.
Pre-check and post-check operation details. 7.8 Troubleshooting This section describes some issues you might experience with Novell Domain Services for Windows (DSfW) while provisioning and provides suggestions for resolving or avoiding them. Section 7.8.1, “Troubleshooting Provisioning Tasks,” on page 115 7.8.1 Troubleshooting Provisioning Tasks...
Configuration task failed, you need to delete the Locator object and the Group object. ldapmodify Failed. Cause: Replica synchronization fails. Solution: To resolve this issue, refer to the Novell Error Codes Reference Guide (http://www.novell.com/documentation/nwec/?page=/documentation/nwec/nwec/data/al39nky.html). No such Entry. Cause: This error is seen in cases where the version of the forest root domain is OES 2 SP1 and you are attempting to install a subsequent domain controller of version OES 2 SP2.
Solution: 1 To resolve this issue, run the provisioning script with the get-domain-guid option. For example: /opt/novell/xad/share/dcinit/provisionTools.sh get-domain-guid -p 192.168.3.11 -c ou=domain,o=novell Here, -p represents the IP address of the domain and -c represents the distinguished name of the mapped domain.
Configuration task failed, you need to delete the Locator object and the Group object. ldapmodify Failed. Cause: Replica synchronization fails. Solution: To resolve this issue, refer to the Novell Error Codes Reference Guide (http://www.novell.com/documentation/nwec/?page=/documentation/nwec/nwec/data/al39nky.html). Create Domain Partition. All details related to task execution and state of the task are recorded in the file provisioning.log...
Error: 626 All Referrals Failed. Cause: The synchronization process between the replicas fails. Solution: To resolve this issue, refer to the Novell Error Codes Reference Guide (http://www.novell.com/documentation/nwec/?page=/documentation/nwec/nwec/data/al39nky.html). Error: 625 Transport Failure/Unknown Error. Cause: The DSfW server could not reach the master server. For example, installing a child server requires the parent server to be reachable, or installing a DSfW server in the name-mapped forest root domain scenario requires the server holding the tree replica to be reachable.
Configuration task failed, you need to delete the Locator object and the Group object. ldapmodify Failed. Cause: Replica synchronization fails. Solution: To resolve this issue, refer to the Novell Error Codes Reference Guide (http://www.novell.com/documentation/nwec/?page=/documentation/nwec/nwec/data/al39nky.html). Create Configuration Partition. All details related to task execution and state of the task are recorded in the file provisioning.log...
Error: 626 All Referrals Failed. Cause: The synchronization process between the replicas fails. Solution: To resolve this issue, refer to the Novell Error Codes Reference Guide (http://www.novell.com/documentation/nwec/?page=/documentation/nwec/nwec/data/al39nky.html). Error: 625 Transport Failure/Unknown Error. Cause: The DSfW server could not reach the master server. For example, installing a child server requires the parent server to be reachable, or installing a DSfW server in the name-mapped forest root domain scenario requires the server holding the tree replica to be reachable.
Configuration task failed, you need to delete the Locator object and the Group object. ldapmodify Failed. Cause: Replica synchronization fails. Solution: To resolve this issue, refer to the Novell Error Codes Reference Guide (http://www.novell.com/documentation/nwec/?page=/documentation/nwec/nwec/data/al39nky.html). Assign Rights. All details related to task execution and state of the task are recorded in the file provisioning.log...
Solution: Use the provision -q -q --locate-dc parent.domain command to resolve the parent domain. Retry executing the task. Update Service Configuration. Cause: This error occurs in cases where the parent realm could not be resolved. Solution: Use the provision -q -q --locate-dc parent.domain command to resolve the parent domain.
124 OES 2 SP2: Domain Services for Windows Administration Guide...
(or the DNS server you are pointing to in the /etc/resolv.conf file) must be restarted. Execute the following command on the server hosting the Novell DNS service: rc-novell-named restart Check the /etc/hosts file to ensure that it contains only one entry with this server’s primary IP address.
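The /etc/hosts check above can be scripted. The following Python check is an added example, not part of this guide: it parses the file contents, reports when more than one line carries the server's primary IP address, and also flags the host name appearing under a different address (an added assumption about what a stray entry usually looks like). The sample file contents and the host name dc1.dsfw.com are constructed; 192.168.1.10 and dsfw.com are the example values used elsewhere in this guide.

```python
"""Check that /etc/hosts has exactly one entry for the server's primary
IP address before restarting novell-named.
Added example; not part of the Novell documentation.
The sample file contents below are constructed for the demonstration."""

import ipaddress


def parse_hosts(contents):
    """Return (line_number, ip, [names]) for each usable /etc/hosts entry."""
    entries = []
    for lineno, raw in enumerate(contents.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name is not a usable entry
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def check_hosts(contents, primary_ip, hostname):
    """Return a list of problems; an empty list means the file is clean.

    Checks made (the first is what the guide asks for; the second is an
    added assumption about what a stray entry usually looks like):
      * exactly one line maps the server's primary IP address
      * the server's host name is not also mapped to a different address
    """
    problems = []
    primary_lines = []
    for lineno, ip, names in parse_hosts(contents):
        if ip == primary_ip:
            primary_lines.append(lineno)
            if hostname not in names:
                problems.append(
                    f"line {lineno}: {primary_ip} is present but does not list {hostname}")
        elif hostname in names:
            problems.append(f"line {lineno}: {hostname} is also mapped to {ip}")
    if not primary_lines:
        problems.append(f"no entry for primary IP address {primary_ip}")
    elif len(primary_lines) > 1:
        problems.append(
            f"primary IP address {primary_ip} appears on lines {primary_lines}; "
            "expected exactly one entry")
    return problems


# Constructed sample files (not from the guide); dc1 is a hypothetical host name.
GOOD_HOSTS = """\
127.0.0.1   localhost
192.168.1.10   dc1.dsfw.com dc1   # hypothetical first domain controller
"""

BAD_HOSTS = """\
127.0.0.1   localhost
127.0.0.2   dc1.dsfw.com dc1
192.168.1.10   dc1.dsfw.com dc1
192.168.1.10   dc1
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        print(label, check_hosts(text, "192.168.1.10", "dc1.dsfw.com") or "OK")
```

Run it on the real file with check_hosts(open("/etc/hosts").read(), primary_ip, hostname); a non-empty result means the file should be cleaned up before the novell-named restart.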
0 query logging is OFF recursive clients: 0/1000 tcp clients: 0/100 server is up and running zone details are dumped at /var/opt/novell/log/named/named_zones.info Checking for Name Service Cache Daemon: running Checking for RPC Endpoint Mapper Service running...
Upgrading DSfW This section provides information and links for upgrading DSfW to OES 2 SP2. Section 9.1, “Upgrading DSfW to OES 2 SP2,” on page 127 Section 9.2, “Upgrading from OES 1.0 Linux,” on page 127 Section 9.3, “Migrating Data to a Domain Services for Windows Server,” on page 127 Section 9.4, “Limitations,”...
For information on how to use the OES 2 migration tools for migrating data, see the OES 2 SP2: Migration Tool Administration Guide. 9.4 Limitations An error is seen in cases where the version of the forest root domain is OES 2 SP1 and you are attempting to install a subsequent domain controller of version OES 2 SP2.
Domain Services for Windows runs in a virtualized environment just as it does on a physical Open Enterprise Server (OES) 2 Linux server and requires no special configuration or other changes. To get started with virtualization, see “Introduction to Xen Virtualization (http://www.novell.com/ documentation/sles10/xen_admin/data/sec_xen_basics.html)” in the Virtualization with Xen (http:// www.novell.com/documentation/sles10/xen_admin/data/bookinfo.html)
Logging In from a Windows Workstation With Domain Services for Windows (DSfW) properly set up, Windows workstations can be joined to the DSfW domain and users can log in to the domain. Windows users can then use Windows Explorer (or other familiar Windows interfaces) to browse to the DSfW domain and see the CIFS shares to which they have access.
4 From the Start menu, right-click My Computer and select Properties. 5 On the Computer Name tab, click Change. 6 In the Computer Name Changes dialog box, select Domain, enter the DSfW domain name, then click OK.
7 When prompted, provide the name and password for an account with permission to join the domain. This is the Administrator and password configured when you installed DSfW. 8 A welcome message is displayed after the computer has successfully joined the domain. Click OK to continue.
NOTE: When you install Windows XP, it prompts you to select whether it is part of the workgroup or the domain. If domain is selected, it reports that an invalid domain is specified. However, if there is an existing Windows XP machine installed, it is possible to join this workstation to the domain. 11.2 Logging In to a DSfW Domain After the Windows workstation has joined the DSfW domain and the computer has been restarted (as explained in...
11.4.1 Joining a Workstation that Has Novell Client Installed While joining a workstation to a domain, you do not need to have Novell Client installed. But if you have Novell Client installed on your workstation, it will affect DSfW communication. We recommend that you add the IP address of the DSfW server to the Bad Address Cache of the Novell Client.
Creating Users After Domain Services for Windows (DSfW) is properly installed and provisioned, you can create users with either Novell iManager or a Microsoft Active Directory management tool such as Microsoft Management Console (MMC). Although the users are created in eDirectory, they appear in the DSfW domain when viewed from MMC.
3 Under Roles and Tasks, select Directory Administration > Create Object. 4 Select the User object class and click OK. 5 Specify the user account information, specify the context, and click OK. Users created anywhere in the domain (partition) are automatically provisioned for DSfW. Additional information you specify for each user, such as telephone numbers and e-mail addresses, can also be viewed and modified in MMC.
NOTE: If an administrator changes the primary group of the user objects, the gidNumber and primaryGroupID attributes might not be synchronized. LUM refers to the gidNumber, and Samba depends on the primaryGroupID. File system access issues might occur if they are not synchronized. 12.2 Creating Users in MMC If you have a Windows Server 2003 network with Active Directory, you should have the Administrative Tools already installed.
Users created in the domain are automatically provisioned for DSfW. Additional information you specify for the user, such as telephone numbers and e-mail addresses, can also be viewed and modified in iManager. However, attributes that are specific to Active Directory cannot be managed in iManager.
DNS stores information in a distributed, coherent, reliable, autonomous, and hierarchical database. DSfW uses the Novell DNS service as its location service, enabling users or computers to find the location of network resources. It maps hostnames to IP addresses and locates the services provided by the domain, such as LDAP, Kerberos and Global Catalog.
Section 13.4, “Migrating DNS to Another Domain Controller,” on page 144 13.1.1 Limitations It is not possible to use an existing Novell DNS server configured on a local or remote server to work with DSfW. Third-party DNS servers are also not supported, with the exception of the Windows DNS, which can later be used by transferring the DNS data from an existing DSfW DNS to the Windows DNS.
For information on installing and configuring Novell DNS services, see “Installing and Configuring DNS” in the OES 2 SP2: Novell DNS/DHCP Administration Guide for Linux. 13.2.3 Configuring a Domain Controller by Using an Existing DNS Server When the first domain controller in a domain is using an existing DNS server, YaST provides an option to retrieve these values from the existing DNS server.
3 In the first domain controller, edit the /etc/resolv.conf file and change the IP address to the server where the Windows DNS Server is running. 4 Restart the Novell DNS server for the changes to take effect by using the rc-novell-named restart command. 13.4 Migrating DNS to Another Domain...
Management” in the OES 2 SP2: Novell DNS/DHCP Administration Guide for Linux 3 Restart novell-named on the subsequent domain controller using the following command: rcnovell-named restart After migrating the DNS server to the destination domain controller, the DNS entry referencing the first domain controller is still retained in the cache for some time.
Managing Group Policy Settings In Active Directory, Group Policies ease the administrator's job of implementing security settings and enforcing IT policies for all users within an organizational unit, domain, or across an entire site. Group policy settings are made in a Group Policy Object (GPO). You can create GPOs for various departments in an organization to more easily manage the computers and users in each department.
4 Specify a name for the new Group Policy, then click OK. The policy settings you define are linked to the domain, which means the policy settings you define are applied to the domain according to the inheritance and preference options used by Active Directory.
For more information about NMAS and Universal Password settings, refer to the Novell eDirectory documentation (http://www.novell.com/documentation/edir88/). 14.2 Group Policy Objects Section 14.2.1, “GPO Account Policies,” on page 149 Section 14.2.2, “gpo2nmas,” on page 150 Section 14.2.3, “Enforcing Computer Configuration and User Configuration,” on page 150 Section 14.2.4, “Troubleshooting,”...
In a Domain Services for Windows domain, the password policies are stored in the container cn=Domain Password Policy,cn=Password Policies,cn=System,<domain root>. The Password Policy and the Account Lockout Policy are enforced by eDirectory. The Account Policies settings are not read directly by eDirectory or the KDC. The Kerberos Policy is enforced by the Kerberos Key Distribution Center (KDC).
The Sysvol corresponds to the /var/opt/novell/xad/sysvol/sysvol directory on the domain controller. The Group Policy Template of the default domain policy GPO is stored in the /var/opt/novell/xad/sysvol/sysvol/<domain name>/Policies/{31B2F340-016D-11D2-945F- directory.
All the POSIX file permissions and ACLs are retained during transfer. For intermediate synchronization, you can invoke the utility using the following command: /opt/novell/xad/sbin/sysvolsync During the synchronization, the changes are transferred from the first domain controller (holding the PDC Emulator role) to the other domain controllers.
Managing Trust Relationships in Domain Services for Windows Trust relationships are a key to managing Domain Services for Windows (DSfW). Section 15.1, “What is a Trust?,” on page 155 Section 15.2, “Cross-Forest Trust Relationships,” on page 156 Section 15.3, “Limitations with Cross-Forest Trust,” on page 188 15.1 What is a Trust? A trust is used to allow users of one domain to access resources from another domain.
Refer to Understanding Trusts (http://technet.microsoft.com/en-us/library/cc736874.aspx) and Trust Wizard Pages (http://technet.microsoft.com/en-us/library/cc784531.aspx) for more information on trusts. 15.2 Cross-Forest Trust Relationships Administrators must configure trust relationships manually to access resources in different forests. Every trust relationship between each domain in the different forests must be explicitly configured. Section 15.2.1, “Creating a Cross-forest Trust between Active Directory and Domain Services for Windows Forests,”...
Active Directory domain name: win2003ad.com DSfW domain name: dsfw.com 1 Open the Novell iManager DNS plug-in. 1a Click DNS > Zone Management to open the Zone Management window in the main panel.
2 From the drop-down list select Create Zone, then click OK to open the Create DNS Zone window.
3 Select Create New Zone and specify the DNS configuration parameters as follows: 3a Specify a name for the zone; that is, the domain name of the Active Directory forest (in this example, it is win2003ad.com). 3b Specify the eDirectory context for the zone or browse to select it; that is, the container containing the DNS-related objects (in this example, it is OESSystemObjects.dsfw). 3c Select the Zone Type as Forward.
3e Click Create. A message indicates that the new forward zone has been created.
4 Select Zone Management from the iManager DNS plug-in, then select View/Modify Zone from the drop-down list and click OK.
5 Select the Active Directory forest's domain zone from the drop-down list, then click OK.
6 Click Next.
7 Click Add.
8 Select the Forward option, then specify the IP address of the Active Directory forest's DNS server (in the example, it is 192.168.1.20). Click Add.
9 Click Done.
10 A message indicates that the new secondary zone has been created. Click OK. 11 Restart DNS by using the rcnovell-named start command. Configuring the Reverse Lookup Zone Forwarder You need to configure a DNS reverse lookup zone for DSfW for a Windows domain. 1 After selecting Zone Management from the iManager DNS plug-in, select the Create Zone option from the drop-down list.
2 Specify the DNS configuration parameters as follows:
2a Select the Create IN-ADDR ARPA option as the Zone Type. 2b Specify the network address. This is the IP address of the Active Directory forest's DNS server (in this example, it is 192.168.1.20). 2c Select Forward as the Zone Type. 2d Select a DNS server from the Assigned Authoritative DNS Server drop-down list.
4 Select the Active Directory forest's reverse lookup zone from the drop-down list, then click
5 Click Next.
6 Click Add to add this DNS server object.
7 Select Forward List and click Add.
8 Select the Forward option and specify the IP address of the Active Directory forest's DNS server (192.168.1.20 in this example). Click Add, then click Done.
9 A message indicates that a zone has been created. Click OK. 10 Verify the DNS configuration by trying to resolve the Active Directory domain and its DNS SRV records using nslookup, as follows: nslookup -query=any _ldap._tcp.dc._msdcs.<AD domain name> For example: # nslookup -query=any _ldap._tcp.dc._msdcs.win2003ad.com Server: 192.168.1.10...
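The nslookup verification in step 10, and the same check run from the Active Directory side in the next procedure, can be automated. The Python script below is an added example, not part of this guide: it builds the _ldap._tcp.dc._msdcs.<domain> record name, parses the SRV answers out of nslookup output, and lists the domain controllers in SRV priority order. The nslookup transcript and the dc1/dc2 host names are constructed; 192.168.1.10 is the DNS server from the example above.

```python
"""Parse 'nslookup -query=any' output for the domain controller SRV record
used to verify DNS between the DSfW and Active Directory forests.
Added example, not from the guide; the nslookup output below is constructed."""

import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# Record name the guide queries: _ldap._tcp.dc._msdcs.<domain>
DC_SRV_PREFIX = "_ldap._tcp.dc._msdcs."

# Linux nslookup prints SRV answers as:
#   <name>  service = <priority> <weight> <port> <target>.
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+service\s*=\s*(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$")


def dc_srv_name(domain):
    """Build the LDAP domain-controller SRV name for a DNS domain."""
    return DC_SRV_PREFIX + domain.strip().rstrip(".").lower()


def parse_srv_answers(output):
    """Extract SRV records from nslookup output; other lines are ignored."""
    records = []
    for line in output.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            continue
        records.append(SrvRecord(
            name=m.group("name").rstrip(".").lower(),
            priority=int(m.group("prio")),
            weight=int(m.group("weight")),
            port=int(m.group("port")),
            target=m.group("target").rstrip(".").lower(),
        ))
    return records


def domain_controllers(domain, output):
    """Return (target, port) pairs answering the DC SRV query for `domain`,
    ordered by SRV priority, then descending weight (the client's selection order).
    An empty list means the forward lookup zone or forwarder is not working."""
    wanted = dc_srv_name(domain)
    matches = [r for r in parse_srv_answers(output) if r.name == wanted]
    matches.sort(key=lambda r: (r.priority, -r.weight))
    return [(r.target, r.port) for r in matches]


# Constructed nslookup transcript: 192.168.1.10 is the DSfW DNS server from the
# guide's example; the domain controller host names dc1/dc2 are hypothetical.
SAMPLE_OUTPUT = """\
Server:         192.168.1.10
Address:        192.168.1.10#53

Non-authoritative answer:
_ldap._tcp.dc._msdcs.win2003ad.com      service = 0 100 389 dc1.win2003ad.com.
_ldap._tcp.dc._msdcs.win2003ad.com      service = 10 50 389 dc2.win2003ad.com.

Authoritative answers can be found from:
win2003ad.com   nameserver = dc1.win2003ad.com.
"""

if __name__ == "__main__":
    dcs = domain_controllers("win2003ad.com", SAMPLE_OUTPUT)
    print("OK" if dcs else "no DC SRV records found", dcs)
```

To use it against a live server, feed the output of subprocess.run(["nslookup", "-query=any", dc_srv_name(domain)], capture_output=True, text=True).stdout to domain_controllers(); the same call with the DSfW domain name covers step 1d of the Active Directory side.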
Configuring the DNS Forward Lookup Zone on the Active Directory Server To resolve the DSfW forest from the Active Directory forest, you must either create a forward lookup stub zone or a forwarder on the Active Directory forest's DNS server. 1 At your Windows management workstation, click Start>Run, enter in the text field and click OK.
1b Select the Forwarders tab, then click New and add a new forwarder for the DSfW domain. Specify the DSfW domain name and click OK.
1c Select the new forwarder, specify the IP address of the DNS server of the DSfW domain, then click Add. 1d Verify the DNS configuration by using nslookup to resolve the Active Directory domain and its DNS SRV records, as follows: nslookup -query=any _ldap._tcp.dc._msdcs.<DSfW domain name>...
2b Specify the Network IP and click Finish. The zone is now created. 2c Right-click the newly created zone to create a PTR record and enter the required details. 3 If the Active Directory domain's Domain Functional Level is not Windows Server 2003, do the following to raise it: 3a Open Active Directory Domains and Trusts snap-in from the MMC.
6 Click Next to start creating a new trust. 7 Specify the DNS name (or NetBIOS name) of the Active Directory forest, then click Next.
8 Select Forest trust, then click Next. 9 To select the direction of trust, do one of the following: Click Two-way to create a two-way forest trust. Click One-way:incoming to create a one-way incoming forest trust. Click One-way:outgoing to create a one-way outgoing forest trust. 10 Click Next.
11 Select Both this domain and the specified domain and click Next. 12 Specify the user name and password of the Active Directory domain administrator, then click Next.
13 Select Forest-wide authentication to authorize users to use resources in the local forest or those identified by the administrator, then click Next. 14 Select Forest-wide authentication to authenticate Active Directory forest users to use resources in the dsfw.com forest or those identified by the administrator, then click Next.
15 Review the trust settings and complete the creation of the trust by clicking Next. 16 Click any option depending on your choice, then click Next.
17 Click any option depending on your choice, then click Next. NOTE: In Step 16 and Step 17, if you select the Yes option to confirm the trust, ensure that you validate the trust later by selecting Properties > Validate. 18 Complete the trust creation by clicking Finish.
19 The new domain summary appears in the Trusts page. Verifying the Trust To verify that the DNS configuration is correct: 1 Verify that the Log on to drop-down list in the Login window of a Windows machine that is joined to the Domain Services for Windows domain has an entry for the Active Directory domain.
15.3 Limitations with Cross-Forest Trust A trust created between DSfW and Active Directory only permits DSfW users to access resources in the Active Directory domain. Users in the Active Directory domain cannot access resources in the DSfW domain.
Section 16.1, “Accessing Files by Using Native Windows Methods,” on page 189 Section 16.2, “Accessing Files by Using the Novell Client for Windows,” on page 197 Section 16.3, “Accessing Files in Another Domain,” on page 197 16.1 Accessing Files by Using Native Windows...
The DSfW configuration of Samba. Section 16.1.3, “Samba in the DSfW Environment,” on page 190 explains key differences between the Novell Samba configuration in OES 2 SP2 and the configuration that is included with DSfW. 16.1.3 Samba in the DSfW Environment When you install a DSfW server, Samba software is automatically installed on that server.
Item: Samba enablement. Novell Samba in OES 2 SP2: Users must be enabled for Samba and assigned to a Samba group. Samba in DSfW: eDirectory users in the domain (eDirectory partition) are automatically Samba users and are enabled to access Samba shares.
4 Specify the IP address of the server you want to manage, or use the Object Selector to browse to and select the server. The NCP Server objects for DSfW servers are located in .Novell.System.domain_name.com. The General page displays Samba-related information about the selected server.
The path you enter must already exist on the OES 2 Linux server’s file system. By default, NSS volumes are located in /media/nss/volume_name. The example shown above creates a Samba share called Projects for the NSS volume named PROJECTS. The share name and volume name do not need to be the same, but making them identical can make share management easier.
Table 16-2 Tools for Managing File System Rights
File System: Novell Storage Services (NSS). Rights Management Tools: iManager > Files and Folders > Properties > Rights. Notes: For more information on assigning file system rights on NSS volumes in iManager, see “Configuring File System...
-f /projects/doc -r rf trustee user2.full_edir_context Because Samba access to NSS volumes is controlled by Novell trustee rights, user1 and user2 can now work in their respective project folders, and they can see but not change the contents of the project folder belonging to their coworker.
Share names and the server directories they point to are defined in the /etc/samba/smb.conf file on the OES Linux server. For more information and for instructions on setting up shares, see Section 16.1.4, “Creating Samba Shares in iManager,” on page 191.
Windows Organizations that have the Novell Client for Windows installed on Windows workstations can continue to use the standard NCP methods, such as Novell drive mappings, to access data that is located on NSS or NCP volumes on DSfW servers.
Because DSfW is designed to emulate the Active Directory domain model, it might be necessary to establish trust relationships between DSfW domains in the same eDirectory tree. When you install subsequent domains in an existing eDirectory tree, you have the option of specifying a parent domain for the child domain you are creating.
Printing in the Domain Services for Windows Environment Novell iPrint is the printing solution for Open Enterprise Server (OES) 2. This section describes how Domain Services for Windows users can set up and use Novell iPrint on DSfW. Section 17.1, “Setting Up iPrint,” on page 199 Section 17.2, “Special Handling for iPrint on DSfW,”...
'wwwrun' & 'www' objects added as trustees to the iPrint areas on the Cluster NSS Volume. The location where they need to be added as trustees with 'rwcemf' rights is var/opt/novell/iprint on the specific clustered iPrint NSS Volume.
Flexible Single Master Operation (FSMO) Roles This section provides details on the various FSMO roles and on transferring and seizing FSMO roles. Section 18.1, “FSMO Roles and Limitations,” on page 201 Section 18.2, “Transferring and Seizing FSMO Roles,” on page 202 18.1 FSMO Roles and Limitations FSMO roles, also known as Operations Master roles, are roles performed by the domain controller to facilitate replication.
18.1.3 Infrastructure Master The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. Limitations This role is not defined in DSfW, but all the functionality provided by this role is supported. 18.1.4 Schema Master The schema master domain controller controls all updates and modifications to the schema.
For more information, see Administering Replicas (http://www.novell.com/documentation/edir88/edir88/data/fbgciaad.html). 18.2.1 To Transfer the PDC Emulator Role from the First Domain Controller to a Subsequent Domain Controller In this scenario, the machine functioning as the first domain controller is functional, but you want to transfer the PDC Emulator role from the first domain controller to another domain controller for load-balancing purposes.
Another Domain Controller. 3 Get the domain administrator's Kerberos ticket by executing the following command: /opt/novell/xad/bin/kinit Administrator@_DOMAIN NAME_ 4 Update the Samba configuration, msdfs links, and the DNS SRV record for the first domain controller by running the following script: /opt/novell/xad/share/dcinit/UpdatePDCMaster.p 18.2.4 Transferring the ADPH Master Role to Other Domain...
Section 19.1.9, “Requirements for Samba/CIFS Access to NSS volumes via DSfW,” on page 209 Section 19.1.10, “Identifying novell-named Error,” on page 209 Section 19.1.11, “Login Failure,” on page 210 Section 19.1.12, “Unable to Connect to Legacy Applications,” on page 210 Section 19.1.13, “User in a Domain Can Access Resources from Another Domain by Using the...
SIDs. You can use the following LDIF files to search the deleted objects: /var/opt/novell/xad/ds/domain/domain.ldif /var/opt/novell/xad/ds/domain/domain-bl.ldif /var/opt/novell/xad/ds/domain/nds-domain.ldif The above LDIF files host the information for the following objects: cn=Domain Admins,cn=users,<domain>...
Failed to establish LDAP connection with <domain name> : Unknown authentication method. To execute other options, export SASL_PATH=/opt/novell/xad/lib/sasl2 and kinit with a valid domain username before using the Provision utility. All the options will work. 19.1.5 Users Are Not Samified When the RID Master Role is...
There are a number of components that must be restarted in a specific order, and this doesn’t always happen when the server restarts. The correct order in which to restart the services is: 1. ndsd (eDirectory) 2. novell-named (DNS) 3. nscd (Name Server cache daemon) 4. rpcd (RPC server) 5. Xad-krb5kdc (Kerberos) 6.
NSS uses the NetWare Trustee Model for file access. Users must be made file system trustees and granted trustee rights to data on the NSS volume that you want them to be able to access. Rights management can be done in multiple management tools, including iManager, Novell Remote Manager, the Novell Client, and the command line.
To samify the users, run the following script: /opt/novell/xad/share/dcinit/provision/provision_samify.pl 19.1.12 Unable to Connect to Legacy Applications To connect to legacy applications, you must either extend the object class or connect to a non-DSfW server.
To prevent this issue from occurring, make sure that at least one domain controller in a domain is up. For more details on this issue, see TID 7003552. (http://www.novell.com/support/php/ search.do?cmd=displayKC&docType=kc&externalId=7003552&sliceId=1&docTypeID=DT_TID_ 1_1&dialogID=77853582&stateId=0%200%2077851408) 19.1.17 Making the DSfW Server work When The IP address is...
Creating the drive store with the tree admin cn=admin,o=abc succeeds. Solution: The base context for the LDAP search is stored in the /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf file, as mentioned below: AuthLDAPDNURL "ldaps://frd.xyz.com:1636/o=abc???(objectClass=user)" The above configuration limits the LDAP search to o=abc. Removing the base context completely...
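To see exactly what the AuthLDAPDNURL base context restricts, the Python code below parses the LDAP URL (RFC 4516 form: scheme://host:port/base?attrs?scope?filter) and tests whether a given user DN lies under the search base, as cn=admin,o=abc does. This is an added example, not Novell's code or part of this guide; the user DNs other than cn=admin,o=abc are hypothetical, an empty base is treated as the directory root, and a missing scope is read as sub, which is how Apache mod_authnz_ldap treats it.

```python
"""Inspect an AuthLDAPDNURL: parse the LDAP URL and report which user DNs
fall outside its search base. Added example; not Novell's code.
The user DNs other than cn=admin,o=abc are hypothetical."""

from urllib.parse import urlsplit, unquote


def parse_ldap_url(url):
    """Split an LDAP URL into host, port, base DN, attributes, scope and filter."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    # urlsplit stops the path at the first '?', so the trailing fields
    # (attrs?scope?filter) are all in the query component.
    attrs, scope, filt = (parts.query.split("?") + ["", "", ""])[:3]
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base": unquote(parts.path.lstrip("/")),
        "attrs": [a for a in attrs.split(",") if a],
        # mod_authnz_ldap treats a missing scope as "sub"
        "scope": scope or "sub",
        "filter": unquote(filt),
    }


def _split_dn(dn):
    """Split a DN into normalized RDN strings, honouring backslash escapes."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip().lower())
    return [r for r in rdns if r]


def dn_under_base(dn, base):
    """True if `dn` is `base` itself or lies beneath it.

    An empty base is the directory root, so every DN is under it. The
    comparison is case-insensitive on whole RDNs, which is enough for the
    simple DNs used in this guide."""
    dn_rdns, base_rdns = _split_dn(dn), _split_dn(base)
    if not base_rdns:
        return True
    return len(dn_rdns) >= len(base_rdns) and dn_rdns[-len(base_rdns):] == base_rdns


def users_outside_base(url, user_dns):
    """Return the DNs that a search rooted at the URL's base can never find."""
    base = parse_ldap_url(url)["base"]
    return [dn for dn in user_dns if not dn_under_base(dn, base)]


# The URL from the guide, and constructed user DNs (only cn=admin,o=abc is from the guide).
IPRINT_URL = 'ldaps://frd.xyz.com:1636/o=abc???(objectClass=user)'
SAMPLE_USERS = ["cn=admin,o=abc", "cn=user1,ou=print,o=abc", "cn=user2,ou=hr,o=xyz"]

if __name__ == "__main__":
    print(parse_ldap_url(IPRINT_URL))
    print(users_outside_base(IPRINT_URL, SAMPLE_USERS))  # only cn=user2,ou=hr,o=xyz
```

Widening the base (for instance to an empty DN) makes users_outside_base() return nothing, at the cost of letting the filter match across the whole tree, so keep the filter as specific as the deployment allows.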
Executing Provisioning Tasks Manually This section details the method of Provisioning DSfW server by using command line scripts. A.1 Exporting Passwords Before provisioning DSfW server using the command line scripts, it is important to export the passwords in order to authenticate and pass the credentials for the provisioning tasks. You do not need to export the username.
This makes the health check very important. After you have exported the environment variable, execute the following script:
/opt/novell/xad/share/dcinit/provision/provision_precheck.pl
A.2.2 Configure DNS
This task configures DNS on the DSfW server. DSfW uses DNS as its location service, enabling computers to find the location of domain controllers.
NOTE: This task is not executed in a name-mapped scenario.
After you have exported the passwords, execute the following script:
/opt/novell/xad/share/dcinit/provision/provision_partition_domain.pl
A.2.5 Add Domain Replica
This task moves the replica of the domain partition from the master server to the local server.
This task adds the configuration and schema partition objects. It helps maintain integrity with the Active Directory information model. After you have exported the passwords, execute the following script:
/opt/novell/xad/share/dcinit/provision/provision_add_configobj.pl
A.2.10 Add Domain Controller
This task adds the domain controller to the domain.
A.2.15 Samify Objects
This task is specific to a name-mapped installation. The existing user and group objects are extended to receive Active Directory attributes that allow them to be part of the domain being provisioned. Some of the extended attributes are supplementalCredentials, objectSid, and samAccountName.
Schema In Domain Services for Windows (DSfW), the schema is stored in its own partition (the schema partition) in the directory. The attributes and classes are stored in the schema partition as directory objects that are called schema objects. The schema partition is represented by an object that is an instance of the Directory Management Domain (DMD) class.
Table B-1 Some Attributes for the Attribute Schema Object
Attribute (Syntax): Description
cn (Unicode): Descriptive relative distinguished name for the schema object. cn is a mandatory attribute.
attributeID (Object identifier): Object identifier that uniquely identifies this attribute. attributeID is a mandatory attribute.
lDAPDisplayName (Unicode): Name by which LDAP clients identify this attribute.
Attribute (Syntax): Description
systemFlags (Integer): Flags that determine specific system operations. This attribute cannot be set or modified. The following systemFlags values are relevant to the schema objects:
- The attribute is not replicated = 0x00000001
- The attribute is required to be a member of the partial set = 0x00000002
- The attribute is a constructed attribute = 0x00000004
systemFlags is not a mandatory attribute.
Attribute (Syntax): Description
oMObjectClass (String (Octet)): For attributes with object syntax (OM-syntax = 127), this is the Basic Encoding Rules (BER) encoded object identifier of the XOM object class. For more information about BER encoding, see Request for Comments (RFC) 2251 (http://www.ietf.org/rfc/rfc2251.txt) in the IETF RFC Database.
LDAP Attribute Name: eDirectory Attribute Name
mailRecipient: msds:mailRecipient
homePostalAddress: msds:homePostalAddress
objectVersion: msds:objectVersion
unixHomeDirectory: homeDirectory
uniqueID
B.1.3 Special Attributes
Some of the following attributes can be used in a search query:
allowedAttributes: Returns the list of attributes that can be present on that entry.
allowedAttributesEffective: Returns the list of attributes that can be modified by the user (the logged-in entity) on that object.
Attribute (Syntax): Description
systemMayContain (Object identifier): The optional attributes for instances of this class. systemMayContain is multivalued but not a mandatory attribute.
mayContain (Object identifier): The optional attributes for instances of this class. mayContain is not a mandatory attribute.
systemPossSuperiors (Object identifier): The classes that can be parents of this class in the directory hierarchy.
Attribute (Syntax): Description
nTSecurityDescriptor (NT-Sec-Desc): The security descriptor on the classSchema object. nTSecurityDescriptor is not a mandatory attribute.
defaultObjectCategory (Distinguished name): The default object category of new instances of this class. If none has been specified, the objectClass value is used. For example, suppose that the objectCategory attribute for inetOrgPerson is set to Person.
/opt/novell/xad/share/dcinit/aggregateSchema.pl schema.ldif --ndsschema > msschema.sch
IMPORTANT: You must manually review msschema.sch for any containment issues.
3 Extend this schema to a DSfW server by executing the following command:
/opt/novell/eDirectory/bin/ndssch admin-context -t tree-name msschema.sch
4 Use to create schema elements in the schema partition.
(For handling RPC calls over LSARPC, SAMR and NETLOGON)
Kerberos KDC
Kerberos password server
During installation through YaST, when the Novell Domain Services for Windows pattern is selected, a set of other dependent RPMs also gets selected. Provisioning helps in configuring DSfW and the supporting services.
Kerberos transitive trusts and cross-forest trusts.
DNS and Secure Updates:
Does not come with DNS. Has to be installed separately. The bind DNS does not support secure dynamic updates. As it is
DSfW: Comes packaged with Novell Bind DNS that supports secure dynamic updates.
On the other hand DSfW allows Microsoft Windows users to work in a pure Windows desktop environment and still take advantage of some OES back-end services and technology, without the need for a Novell Client on the desktop.
Feature: Storage of user data
Data is duplicated across directory services.
DSfW: Data is stored in eDirectory, but the DSfW suite of services makes it possible for the data to be accessed and retrieved from an Active Directory environment.
Feature: Manageability
Can be managed from iManager.
DSfW: DSfW can be managed from Microsoft MMC as well as eDirectory web management tools like iManager.
Network Ports Used by DSfW
This section discusses the network ports on which DSfW services listen for incoming network traffic. These ports are configured automatically after the DSfW installation.
Table D-1 Services and Network Ports used by DSfW
Service Port / Protocol...
Glossary Access Token When a user is authenticated, the Local Security Authority (LSA) creates an access token, which in this case is a primary access token for that user. An access token contains a security identifier (SID) for the user, SIDs for the groups to which the user belongs, and the user’s privileges.
Cross-reference objects are created in two ways:
- Internally by the system to refer to known locations that are within the forest.
- Externally by administrators to refer to locations outside of the forest.
Domain: A single partition in the eDirectory tree. In DSfW, a domain also forms the administrative boundary for a logical group of network resources such as users or computers.
Group Policy An infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings reside in the Group Policy objects (GPOs). GPOs are linked to directory service containers, such as sites, domains, or organizational units (OUs). These settings are then evaluated by the impacted targets, using the hierarchical nature of the directory.
The Sysvol corresponds to the /var/opt/novell/xad/sysvol/sysvol directory on the domain controller.
Sysvolsync: The sysvolsync utility is introduced to provide synchronization of Sysvol and the underlying policies between the domain controllers of a domain.
For example, if users in the eng.novell.com domain need to gain access to resources in the sales.novell.com domain, the novell.com domain must be traversed because it is on the trust path. You can create a shortcut trust between eng.novell.com and sales.novell.com, bypassing novell.com in the trust path.
“What’s New” on page 19 to capture additions to the Novell Domain Services for Windows (DSfW) service for the Novell Open Enterprise Server 2 SP2 Linux platform over the previous release.
Included new chapter on Use-Cases.
Included new chapter on Deployment Scenarios.
Added the following Appendix files: Appendix A, “Executing Provisioning Tasks Manually,” on page 213 Appendix B, “Schema,” on page 219 Appendix C, “Understanding DSfW in Relation to IDM and Samba,” on page 229 Appendix D, “Network Ports Used by DSfW,” on page 233 Updated “Glossary”...