DOCSLIB.ORG

Oes 2018 Sp2)

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Oes 2018 Sp2) Open Enterprise Server 2018 SP2 Domain Services for Windows Administration Guide May 2020 Legal Notices For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.microfocus.com/about/legal/. Copyright © 2020 Micro Focus Software, Inc. All Rights Reserved. Contents About This Guide 11 1 Overview of DSfW 13 1.1 Features and Benefits . 13 1.2 Architectural Overview . 15 1.3 Basic Directory Services Concepts . 16 1.3.1 Domains, Trees, and Forests. .16 1.3.2 Naming . 16 1.3.3 Security Model . 17 1.3.4 Groups . 17 1.4 Key Differences Between the DSfW LDAP Server and the eDirectory Server. 17 2 What’s New or Changed in Domain Services for Windows 19 2.1 What’s New or Changed in Domain Services for Windows (OES 2018 SP2) . 19 2.2 What’s New or Changed in Domain Services for Windows (OES 2018 SP1) . 19 2.3 What’s New or Changed in Domain Services for Windows (Update 10 - OES 2018) . 20 2.4 What’s New or Changed in Domain Services for Windows (OES 2018) . 20 3 Use-Cases 21 3.1 Authenticating to Applications That Require Active Directory-Style Authentication . 21 3.1.1 Users Located in the DSfW Forest and Accessing Applications Hosted in the Active Directory Forest . 21 3.1.2 Users and Applications Hosted in the DSfW Forest . 22 3.2 Working With Windows Systems Without Client for Open Enterprise Server . 22 3.3 Leveraging an Existing eDirectory Setup . 23 3.4 Interoperability Between Active Directory and eDirectory . 23 4 Deployment Scenarios 25 4.1 Deploying DSfW in a Non-Name-Mapped Setup . 25 4.1.1 Deploying as a Single Domain. 25 4.1.2 Deploying as Multiple Domains in a Forest . 25 4.2 Deploying DSfW in a Name-Mapped Setup . .27 4.2.1 Deploying DSfW by Skipping Containers . 30 4.2.2 Custom Domain Name . .31 5 Planning for DSfW 33 5.1 Server Requirements for Installing DSfW . 33 5.2 Scalability Guidelines . 34 5.3 Deciding between Name-Mapped and Non-Name-Mapped Installation . 34 5.3.1 Impact of a Name Mapped / Non-Name-Mapped setup on a Tree . 36 5.4 Impact of Mixed Mode Configuration in a Forest or Domain . 37 5.5 Extending a Domain Boundary in a Name-Mapped Installation. 37 5.5.1 Prerequisite . 37 5.5.2 Use Case Scenario . 38 5.5.3 Caveat . 39 Contents 3 5.6 Meeting the Installation Requirements. 39 5.6.1 Resolving Samba Dependencies on Selecting DSfW Patterns . 39 5.6.2 Installation Prerequisites For a Non-Name-Mapped Setup . 40 5.6.3 Installation Prerequisites for a Name-Mapped Setup . 42 5.7 Unsupported Service Combinations. 45 5.7.1 Installing Other Products in the DSfW Partition . 45 5.8 Operating System Version Support . 45 5.9 Client for Open Enterprise Server and Windows Co-existence . 46 5.10 Administrative Tools . 46 5.10.1 Windows Administration Tools . .47 5.10.2 Linux Administration Tools . 47 5.11 Utilities Not Supported in DSfW . 47 5.12 Limitations . 47 5.12.1 Hostname . 47 5.12.2 NetBIOS Names . 47 5.12.3 Installation Issue . 48 5.13 Restrictions with Domain Names . 48 5.14 Supported Special Characters in DSfW Passwords. 48 5.15 Enabling Universal Password Policy for DSfW . 48 5.16 Ensuring Filesystem ACL Support . 49 6 Installing Domain Services for Windows 51 6.1 Installing and Configuring DSfW Using the YaST Administrative Tool . 51 6.1.1 Prerequisites for Installation . 51 6.1.2 Installation Scenarios. 51 6.1.3 Express Installation . 63 6.1.4 Using a Container Admin to Install and Configure DSfW. 63 6.2 Installing DSfW Using AutoYaST . 64 6.2.1 Prerequisites . 64 6.2.2 Installing DSfW . 65 6.2.3 Modifying Template Files . 65 7 Provisioning Domain Services for Windows 81 7.1 What Is Provisioning? . 81 7.2 Features and Capabilities of the Provisioning Wizard . .81 7.3 Provisioning Wizard Interface . 82 7.4 Using the Wizard to Provision the DSfW Server . 84 7.5 Provisioning Tasks . 85 7.5.1 Provisioning Precheck . 86 7.5.2 Configure DNS. ..
Load more

Recommended publications
  • Administrative Guide for Windows 10 and Windows Server Fall Creators Update (1709)
    Operational and Administrative Guidance Microsoft Windows 10 and Windows Server Common Criteria Evaluation for Microsoft Windows 10 and Windows Server Version 1903 (May 2019 Update) General Purpose Operating System Protection Profile © 2019 Microsoft. All rights reserved. Microsoft Windows 10 GP OS Administrative Guidance Copyright and disclaimer The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial VLicense (which allows redistribution of the work). To view a copy of this license, visithttp://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.
    [Show full text]
  • © Iquila Ltd 2018-2019 - 1
    Rev-1 Joining a Client PC to a Domain Controller using iQuila Server Setup 1. Install the iQuila client software on your windows domain controller server (please note if you have more than one domain controller, you must install the iQuila client software on each domain controller in your network.) 2. Assign a static IP address to the iQuila virtual network adaptor. (Please see Help Document for using Static IP addresses) 3. Go to Control Panel then select view network status and tasks, select change adaptor settings, right click on the iQuila network adaptor (VPN – VPN Client) and client properties. 4. Select Internet protocol version v (TCP/IPv4) and click properties. Select use the following IP address and enter an IP address in your given range, i.e. 192.168.30.9. Enter your given subnet mask i.e. 255.255.255.0 Leave the default gateway setting blank Under the DNS section select use the preferred DNS server address and enter the same address as you entered for the IP address 192.168.30.9 Click ok to save IP address and click on the exit the adaptor properties window. © iQuila Ltd 2018-2019 - www.iquila.com 1 Client Setup 1. Install the iQuila client software on the client computers that you would like to join to the domain and ensure they have registered with the iQuila Cloud server. 2. You now need to set the DNS server address on the iQuila virtual adaptor or contact iQuila support and request the change of DNS address in your Virtual DHCP Server settings.
    [Show full text]
  • Contents About the Author
    Auditing Microsoft Domain Environment Contents About the Author.........................................................................................................................2 About The Microsoft Domain Environments:............................................................................3 About Auditing:...........................................................................................................................4 Gaining First User:......................................................................................................................5 Enumerating AD Users and Groups With Gained User:.............................................................8 Checking Common Vulnerabilities:..........................................................................................12 Gaining First Shell:...................................................................................................................13 Migrating Into A Process:.........................................................................................................15 Pass The Hash:..........................................................................................................................17 Dump Everything From Domain Controller:............................................................................18 Auditing Microsoft Domain Environment 1 Auditing Microsoft Domain Environment About the Author Engin Demirbilek, Computer Engineering Student Penetration Tester in Turkey at SiberAsist Cyber Security Consultancy.
    [Show full text]
  • Appendix a – Microsoft Windows
    Revision 4.6.0 (February 23, 2021) Appendix A – Microsoft Windows Please Read and Heed Appendix Z in order to properly configure RingCentral Meetings. Microsoft Windows, by default, resets the DSCP value of all transmitted packets to BestEffort (0). You must take positive action forcing Windows to tag RingCentral traffic with proper DSCP values. Please note that the traffic going TO RingCentral will be marked, but you must implement proper QoS in the remainder of your network to take advantage of the markings and to set the DSCP values on return traffic as it ingresses your network. This is only one element of a proper QoS implementation. This is particularly critical if you are using WiFi. Wireless Access Points depend on the DSCP marking of traffic in order to enable WMM prioritization of voice/video traffic. Without this marking a busy wireless network will not support voice / video traffic effectively. A special PowerShell script has been developed to automatically generate the QoS policy rules, removing the tedious task of manually entering the large quantity of individual rules. The script supports two action variants based on the Windows environment. 1. Windows 10 clients that are not part of a domain (must be run on each client machine using the 'Administrator' account). All required elements if a NetQosPolicy are generated. The script must be executed on each client computer!!! 2. Domain-based Windows networks (must be run on a domain controller using the 'Administrator' account). A default group QoS policy will be generated. The script should only be executed once for the entire domain.
    [Show full text]
  • Active Directory with Powershell
    Active Directory with PowerShell Learn to configure and manage Active Directory using PowerShell in an efficient and smart way Uma Yellapragada professional expertise distilled PUBLISHING BIRMINGHAM - MUMBAI Active Directory with PowerShell Copyright © 2015 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. First published: January 2015 Production reference: 1200115 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-78217-599-5 www.packtpub.com Credits Author Project Coordinator Uma Yellapragada Sageer Parkar Reviewers Proofreaders David Green Simran Bhogal Ross Stone Stephen Copestake Nisarg Vora Martin Diver Ameesha Green Commissioning Editor Paul Hindle Taron Pereira Indexer Acquisition Editor Hemangini Bari Sonali Vernekar Production Coordinator Content Development Editor Aparna Bhagat Prachi Bisht Cover Work Technical Editor Aparna Bhagat Saurabh Malhotra Copy Editors Heeral Bhatt Pranjali Chury Gladson Monteiro Adithi Shetty About the Author Uma Yellapragada has over 11 years of experience in the IT industry.
    [Show full text]
  • National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme
    National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Common Criteria Evaluation and Validation Scheme Validation Report Nexor MMHS Security Report Number: CCEVS-VR-05-0095 Dated: 14 March 2005 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6740 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740 Nexor MMHS Security Validation Report ACKNOWLEDGEMENTS Validation Team Dr. Jerome Myers The Aerospace Corporation Columbia, Maryland Common Criteria Testing Laboratory Science Applications International Corporation Common Criteria Testing Laboratory 7125 Columbia Gateway Drive, Suite 300 Columbia, Maryland 21046 2 Nexor MMHS Security Validation Report Table of Contents 1 EXECUTIVE SUMMARY____________________________________________ 4 2 Identification ______________________________________________________ 5 3 Security Policy _____________________________________________________ 7 3.1 Communications Policy _______________________________________________ 7 3.2 User Data Protection Policy ____________________________________________ 7 3.3 Identification and Authentication Policy _________________________________ 8 3.4 Management Policy___________________________________________________ 8 4 Assumptions and Clarification of Scope_________________________________ 9 4.1 Usage Assumptions ___________________________________________________ 9 4.2 Clarification of Scope _________________________________________________
    [Show full text]
  • Open Directory Administration for Version 10.5 Leopard Second Edition
    Mac OS X Server Open Directory Administration For Version 10.5 Leopard Second Edition Apple Inc. © 2008 Apple Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Every effort has been made to make sure that the information in this manual is correct. Apple Inc., is not responsible for printing or clerical errors. Apple 1 Infinite Loop Cupertino CA 95014-2084 www.apple.com The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, iCal, iChat, Leopard, Mac, Macintosh, QuickTime, Xgrid, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Finder is a trademark of Apple Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. UNIX is a registered trademark of The Open Group. Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.
    [Show full text]
  • Vmware Workstation Pro 16.0 Using Vmware Workstation Pro
    Using VMware Workstation Pro VMware Workstation Pro 16.0 Using VMware Workstation Pro You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com © Copyright 2020 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 2 Contents Using VMware Workstation Pro 14 1 Introduction and System Requirements 15 Host System Requirements for Workstation Pro 15 Processor Requirements for Host Systems 15 Supported Host Operating Systems 16 Memory Requirements for Host Systems 16 Display Requirements for Host Systems 16 Disk Drive Requirements for Host Systems 17 Local Area Networking Requirements for Host Systems 18 ALSA Requirements 18 Virtual Machine Features and Specifications 18 Supported Guest Operating Systems 18 Virtual Machine Processor Support 18 Virtual Machine Chipset and BIOS Support 19 Virtual Machine Memory Allocation 19 Virtual Machine Graphics and Keyboard Support 19 Virtual Machine IDE Drive Support 19 Virtual Machine SCSI Device Support 20 Virtual Machine Floppy Drive Support 20 Virtual Machine Serial and Parallel Port Support 20 Virtual Machine USB Port Support 20 Virtual Machine Mouse and Drawing Tablet Support 21 Virtual Machine Ethernet Card Support 21 Virtual Machine Networking Support 21 Virtual Machine Sound Support 21 2 Installing and Using Workstation Pro 23 Obtaining the Workstation Pro Software and License Key 23 Trial Version Expiration Date Warnings 24 Installing Workstation Pro with Other VMware Products 24 Reinstalling Workstation Pro When Upgrading a Windows Host Operating System 24 Installing the Integrated Virtual Debuggers for Eclipse 25 Installing Workstation Pro 25 Install Workstation Pro on a Windows Host 26 Run an Unattended Workstation Pro Installation on a Windows Host 26 Install Workstation Pro on a Linux Host 28 Upgrading Workstation Pro 31 VMware, Inc.
    [Show full text]
  • Freeipa Global Catalog Challenges
    FreeIPA Global Catalog challenges Samba XP - 2020 May 27 Alexander Bokovoy Florence Blanc-Renaud Red Hat / Samba team Red Hat Alexander: ● Samba team member since 2003 ● FreeIPA core developer since 2011 Florence ● LDAP server technology engineer since 2007 ● FreeIPA core developer since 2016 Samba: ● Andreas Schneider ● Isaac Boukris ● Simo Sorce 389-ds LDAP server ● Thierry Bordaz ● William Brown Thank you all! ● Mark Reynolds ● Ludwig Krispenz MIT Kerberos ● Greg Hudson ● Robbie Harwood ● Isaac Boukris ● Simo Sorce and many others Allow access to Active Directory resources for IPA users and services Frankenstein's Active Directory: for Linux clients, not Windows Uses 389-ds LDAP server, MIT Kerberos, and Samba NT domain controller code base to implement what Active Directory domain controller sees as a separate Active Directory forest ▸ LDAP schema optimized for Linux clients and POSIX identity management use cases ▸ Flat directory information tree for users, groups, and services ▸ No compatibility with Active Directory schema ▸ LDAP objects specific to POSIX environment use cases (SUDO rules, own access control rules, etc) ▸ KDC based on MIT Kerberos, native two-factor authentication and modern pre-authentication methods ▸ NetLogon and LSA pipes with enough support to allow AD DCs to interoperate via a forest trust ▸ Integrated DNS server and Certificate Authority It is not that simple... Global Catalog Entries LDAP is a communication protocol designed with flexibility and extensibility in mind ▸ Schema: ▸ Syntaxes ▸ Attribute types
    [Show full text]
  • Freeipa 3.3 Trust Features
    FreeIPAFreeIPA 3.33.3 TrainingTraining SeriesSeries FreeIPA 3.3 Trust features Sumit Bose, Alexander Bokovoy March 2014 FreeIPA and Active Directory ● FreeIPA and Active Directory both provide identity management solutions on top of the Kerberos infrastructure ● FreeIPA AD Trust feature is designed ● To give Active Directory users access to FreeIPA resources ● To allow FreeIPA servers and clients to resolve identities of AD users and groups ● FreeIPA AD Trust feature does not require ● Synchronizing accounts and passwords with AD ● Installing any software on AD domain controllers 2 FreeIPA 3.3 Training Series Cross-realm forest trust: FreeIPA and Active Directory ● FreeIPA exposes its own realm as an Active Directory- compatible forest ● Two Active Directory-compatible forests can trust each other ● As result: ● Active Directory users can access FreeIPA resources ● FreeIPA servers and clients can resolve identities of AD users and groups ● Access to FreeIPA is controlled by FreeIPA rules (HBAC, ...) for Active Directory users and groups ● All AD user and group management stays at AD side 3 FreeIPA 3.3 Training Series Active Directory → FreeIPA ● FreeIPA Kerberos infrastructure cannot be joined to Active Directory forest as a domain, only trusted as an Active Directory-compatible forest ● FreeIPA provides access to its own services to Active Domain's users by trusting Active Directory Kerberos infrastructure ● All FreeIPA access control decisions are done on FreeIPA side ● FreeIPA uses Kerberos trust by an Active Directory to perform LDAP
    [Show full text]
  • Freeipa Hands-On Tutorial Fedora 18 Update: Active Directory Trusts and More
    FreeIPA hands-on tutorial Fedora 18 update: Active Directory trusts and more Alexander Bokovoy Jakub Hrozek Martin Koˇsek |||{ Red Hat Inc. LinuxCon Europe November 5th, 2012 1 Preparation 2 Installation 3 Active Directory trusts 4 Users 5 Certificates, keytabs 6 HBAC 7 RBAC 8 Replication 9 Other features 10 SSSD: More than a FreeIPA client Section 1 Preparation Preparation Lab structure Use cases will use 3 VMs and the host machine server: server.ipa-X.example.com - will host an IPA server replica: replica.ipa-X.example.com - will host an IPA replica client: client.ipa-X.example.com - will host IPA client with a web server Instructor machine hosts: IPA: server.ipa-0.example.com - will host an IPA server IPA: replica.ipa-0.example.com - will host an IPA replica IPA: client.ipa-0.example.com - will host an IPA client with a web server AD: ad.example.com - Active Directory domain AD: dc.ad.example.com - Active Directory domain controller Section 2 Installation Installation Install IPA server Check install options in ipa-server-install --help Core options: --external-ca, --setup-dns, --selfsign Most common install issues: broken DNS, bad /ect/hosts configuration --no-host-dns, --setup-dns Remains after the last unsuccessful install /var/lib/ipa/sysrestore/ Time issues (Kerberos time sensitive) - on clients, replicas ipa-server-install --setup-dns Installation Install IPA server (cont.) kinit as admin, check tickets with klist Check logs (useful for debugging): /var/log/pki-ca/debug /var/log/pki-ca-install.log /var/log/dirsrv/ (permissions!)
    [Show full text]
  • Using DC Agent for Transparent User Identification
    Using DC Agent for Transparent User Identification Using DC Agent | Web Protection Solutions | v8.2.x, v8.3.x | 10-Dec-2016 If you have an on-premises installation of TRITON AP-WEB or Web Filter & Security, and your organization uses Microsoft Windows Active Directory, you can use DC Agent to identify users transparently. The agent periodically queries domain controllers for logon session information, and can be configured to poll client machines to verify logon status. This collection includes the following articles to help you understand how to deploy, configure, and use DC Agent. Click a link below to jump to the topic, or use the arrows at the top of the content pane to browse the articles. ● How DC Agent identifies users, page 2 ● Components used for DC Agent user identification, page 4 ● DC Agent deployment overview, page 6 ● Configure DC Agent settings, page 7 ● Configure DC Agent to ignore certain user names, page 10 ● Custom configuration for a DC Agent instance, page 11 For DC Agent troubleshooting help, see the DC Agent Troubleshooting, available from support.forcepoint.com. © 2015-2016 Forcepoint LLC Using DC Agent for Transparent User Identification How DC Agent identifies users Using DC Agent | Web Protection Solutions | v8.2.x, v8.3.x | 10-Dec-2016 ● DC Agent detects domain controllers: At startup, and (by default) every 24 hours thereafter, DC Agent identifies available domains and domain controllers in the network and saves the information to its dc_config.txt file. In order to perform domain discovery, DC Agent requires domain or enterprise admin permissions. If you do not want to grant DC Agent these permissions, you can maintain the DC Agent list of domains and domain controllers manually.
    [Show full text]