
Installing a Domain Service for Windows: Domain Tips and Tricks Lab

Novell Training Services www.novell.com OES10 ATT LIVE 2012 LAS VEGAS

Novell, Inc. Copyright 2012-ATT LIVE-1-HARDCOPY PERMITTED. NO OTHER PRINTING, COPYING, OR DISTRIBUTION ALLOWED.

Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals. Copyright © 2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document.
In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials

All third-party trademarks are the property of their respective owners.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES. Version 1

Section 1 Implement Domain Services for Windows

Objective: Create a domain named da.com

Requirements:
Map the domain to o=da
Add the partitions corp, administration, and eu to the domain

Resource Information:
Source: http://172.17.0.11/install/oes11
Domain name: da.com
Domain mapped to: o=da
Tree = DA-TREE
admin: cn=admin.o=da
admin passwd: novell
administrator passwd: novell
eDir server: 172.17.0.11 oes11-edir.da.com
DSfW server: 172.17.0.21 oes11-dsfw1.oessystemobjects.da.com (to be installed)
NTP server: 172.17.0.11
SLP Configuration: Scope = DEFAULT, SLP DA = 172.17.0.11
Retrieve existing DNS: 171.17.0.11
DNS Proxy: cn=DNS_Proxy_User,o=da
DNS Proxy passwd: novell
iManager server: 171.17.0.11

TID 7002172 Preparing for Domain Services for Windows Install

The install of DSfW has to be done on a new OES server. The OES server can be configured on an existing SLES server or on a new install of SLES where OES is the add-on product.

OES2SP1 is installed on SLES10-SP2. OES2-SP2 or OES2-SP3 DSfW use SLES10-SP3. OES11 is installed on SLES11-SP1.

eDirectory cannot be installed on the server prior to installing DSfW.

Extend the DSfW schema before installing. The schema tool on an existing OES server in the tree is an easy way to accomplish this.

/etc/hosts should have the domain name listed as well as the loopback address. If the 127.0.0.2 address also exists, rem it out (comment it out) along with the IPv6 line (starts with ::1), or follow TID 7010075. Example of an /etc/hosts for the DSfW server in the da.com domain:

   127.0.0.1    localhost
   172.17.0.21  oes11-dsfw1.da.com oes11-dsfw1

For OES11 verify that /etc/HOSTNAME has the full DNS name listed (server.domain). It should use the same domain name as /etc/hosts, otherwise the field for the DSfW domain name will be empty during the YaST configuration. Example: oes11-dsfw1.da.com

The domain name should not end in .local: a .local top-level domain is treated as a link-local domain, and DNS queries for it are sent to a multicast address instead of to the DNS server. .int or .internal are commonly substituted for .local.

/etc/resolv.conf should list as its first name server the IP address of the DSfW server to be installed. If installing into an existing domain, point to the first DSfW server. It should also be a DNS server, unless DNS was removed and the records imported on another DNS server after the install of DSfW. Example:

   nameserver 172.17.0.21
   search dsfwdomain.com
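The file checks above, as an added example that is not part of the Novell lab: a Python function that takes the contents of /etc/hosts, /etc/HOSTNAME and /etc/resolv.conf and reports every deviation from TID 7002172. The sample files are constructed from the lab's values (oes11-dsfw1 at 172.17.0.21, /etc/HOSTNAME still saying da.lan), and the finding codes are my own.

```python
# Added example (not part of the Novell lab): applies the TID 7002172 file checks to
# the contents of /etc/hosts, /etc/HOSTNAME and /etc/resolv.conf passed in as strings.


def _active_lines(text):
    """Yield lines with '#' comments stripped, so a remmed-out line disappears."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def preflight(hosts_text, hostname_text, resolv_text, server_ip, first_dsfw_ip=None):
    """Return a list of (code, message) findings; an empty list means the files agree.

    server_ip is this DSfW server. When installing into an existing domain, pass the
    first DSfW server as first_dsfw_ip (it must be the first nameserver).
    """
    findings = []
    first_ns = first_dsfw_ip or server_ip

    # /etc/HOSTNAME must hold the full DNS name (server.domain), e.g. oes11-dsfw1.da.com
    fqdn = hostname_text.strip().lower()
    domain = fqdn.split(".", 1)[1] if "." in fqdn else ""
    if not domain:
        findings.append(("HOSTNAME_NOT_FQDN", "/etc/HOSTNAME must be server.domain, got %r" % fqdn))

    # .local is a link-local domain: resolvers multicast those queries instead of asking DNS
    if domain == "local" or domain.endswith(".local"):
        findings.append(("DOMAIN_DOT_LOCAL", "domain %r ends in .local; use .int or .internal" % domain))

    # /etc/hosts: loopback listed, 127.0.0.2 and ::1 remmed out, exactly one line for server_ip
    has_loopback, server_names = False, []
    for line in _active_lines(hosts_text):
        fields = line.split()
        ip, names = fields[0], [n.lower() for n in fields[1:]]
        if ip == "127.0.0.1":
            has_loopback = True
        elif ip == "127.0.0.2":
            findings.append(("HOSTS_127_0_0_2", "rem out the 127.0.0.2 line"))
        elif ip == "::1":
            findings.append(("HOSTS_IPV6_LOOPBACK", "rem out the ::1 line or follow TID 7010075"))
        elif ip == server_ip:
            server_names.append(names)
    if not has_loopback:
        findings.append(("HOSTS_NO_LOOPBACK", "127.0.0.1 localhost is missing"))
    if len(server_names) != 1:
        findings.append(("HOSTS_SERVER_ENTRY",
                         "%d lines for %s; expected exactly one" % (len(server_names), server_ip)))
    elif domain and fqdn not in server_names[0]:
        # this mismatch is what leaves the DSfW domain name field empty in YaST
        findings.append(("HOSTS_DOMAIN_MISMATCH",
                         "%s is listed as %s, not %s" % (server_ip, server_names[0], fqdn)))

    # /etc/resolv.conf: first nameserver is the DSfW server, search list carries the domain
    nameservers, search = [], []
    for line in _active_lines(resolv_text):
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] in ("search", "domain"):
            search.extend(s.lower() for s in fields[1:])
    if not nameservers or nameservers[0] != first_ns:
        findings.append(("RESOLV_FIRST_NS",
                         "first nameserver should be %s, got %r" % (first_ns, nameservers[:1])))
    if domain and domain not in search:
        findings.append(("RESOLV_SEARCH", "search list %r lacks %s" % (search, domain)))
    return findings


# Constructed sample files mirroring the lab: oes11-dsfw1 at 172.17.0.21, ::1 still active
LAB_HOSTS = """\
127.0.0.1       localhost
172.17.0.21     oes11-dsfw1.da.com oes11-dsfw1
::1             localhost ipv6-localhost ipv6-loopback
"""
FIXED_HOSTS = LAB_HOSTS.replace("::1", "# ::1")   # the ::1 line remmed out
LAB_RESOLV = "nameserver 172.17.0.21\nsearch da.com\n"

if __name__ == "__main__":
    # /etc/HOSTNAME still says da.lan, as the lab finds it before the Hostname/DNS fix
    for code, msg in preflight(LAB_HOSTS, "oes11-dsfw1.da.lan\n", LAB_RESOLV, "172.17.0.21"):
        print(code, "-", msg)
    print("after fixes:", preflight(FIXED_HOSTS, "oes11-dsfw1.da.com\n", LAB_RESOLV, "172.17.0.21"))
```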

If doing a name map install (installing into an existing tree): partition the container that is to be the domain. For OES2SP1 and OES2SP2 the domain name has to be the same as the container it is being mapped to.

Example: da.com has to be mapped to a partitioned container named da. For OES2SP3 and OES11 the domain name and the container name can be different.

If this is the first DSfW server in the tree, a forest will be created (only one forest per eDir tree) and the container that is to be a domain in DSfW will be the root for all other domains. An additional domain will not be permitted to be installed at a higher location in the tree.

The max depth for domains in a forest is 5 and a total of 10 domains per forest is allowed. The maximum number of Domain Controllers per domain is 5.

A partition cannot exist between domains. Example: city.county.state.country.com
   country.com is partitioned and is the root domain
   state is a partition, not a domain
   county is a partition, not a domain
   city is a partition, not a domain
A domain cannot be created for county until a domain has been created for state. A domain cannot be created for city until domains have been created for state and county.

With OES2SP3 and OES11 multiple partitions can be added to a domain. When the provisioning wizard is started check the 'Enable Custom Provisioning' to add additional partitions to the domain. Replicas of the additional partitions (not the top partition/container the domain is created at) will need to be added to the DSfW server. Only child partitions, not sibling partitions can be added to the domain.

If doing a name mapped install, verify the following ACLs do not exist on the container that will be mapped:
   ACL: 1#subtree#[Public]#cn
   ACL: 3#subtree#[Root]#[All Attributes Rights]
   ACL: 4#subtree#[This]#dBCSPwd
   ACL: 4#subtree#[This]#unicodePwd
   ACL: 4#subtree#[This]#supplementalCredentials
   ACL: 3#subtree#[Root]#userCertificate;binary
   ACL: 3#subtree#[Root]#cACertificate;binary

When you are installing DSfW, default containers will be created. Make sure that the following container names do not already exist under the domain partition:

   cn=Computers
   cn=Users
   ou=Domain Controllers
   cn=DefaultMigrationContainer
   cn=Deleted Objects
   cn=ForeignSecurityPrincipals
   cn=Infrastructure
   cn=LostAndFound
   cn=NTDS Quotas
   cn=Program Data
   cn=System
   cn=Container

Note: What matters is the name of the object, not its base class. If there is an ou=users or ou=computers under the domain container, they will need to be renamed or moved lower down in the tree before installing DSfW.

For OES2SP1 and SP2 the first domain controller in a domain will automatically be designated as the master of the partition and will be the RID master for the domain. For OES2SP3 and OES11 the master will be retained on the eDirectory server and a read/write (R/W) replica will be added to the DSfW server.

Verify the time and time zone are correct on both the eDir server and the DSfW server.

Perform an eDirectory health check as listed in TID 3564075.

Before installing DSfW, either install AppArmor or the perl-TermReadKey Perl module; otherwise the install will fail because of a missing dependency (TID 7010065).

If LUM is configured with unix config in the container where the domain will be mapped to, look at TID 7009930. LUM attributes on the container need to be removed.

When installing DSfW, select only the DSfW pattern. All the necessary patterns will also be selected automatically. Do not uncheck any of the other patterns.

Exercise – Install Domain Services for Windows into an existing eDirectory Tree

In this exercise you will create a domain called da.com, map the domain to o=da, and add the corp, administration, and eu partitions. Use the resource information above to complete the install. You will follow TID 7002172 to prepare to install Domain Services for Windows.

Prepare to install Domain Services for Windows

1. With oes11-edir powered down, select VM > Snapshot > Start Here; then
2. When prompted to open the snapshot, select Yes.
3. Power on the virtual machine.
4. Log in as root with the password of novell.
5. With oes11-dsfw1 powered down, select VM > Snapshot > Start Here; then
6. When prompted to open the snapshot, select Yes.
7. Log in as root with the password of novell.
8. Follow TID 7002172.

The following exercises cover common issues revealed while following TID 7002172.

1. Rem out (comment out) the IPv6 loopback address ::1 in the /etc/hosts file on the DSfW server (oes11-dsfw1)
   a) Open a terminal by right-clicking on the desktop and selecting the terminal icon
   b) Begin to edit the /etc/hosts file by entering vi /etc/hosts
   c) Arrow down to the line ::1 localhost ipv6-localhost ipv6-loopback
   d) Switch to insert mode by pressing the i key
   e) Rem out the line by entering the # key
   f) Exit insert mode by pressing the Esc key
   g) Save the changes by entering :wq
9. Correct the /etc/HOSTNAME using the GUI
   a) Click on Computer in the tool bar
   b) Click on the Network icon
   c) Click on the Hostname/DNS tab and change the Domain Name from da.lan to da.com

10. In the same tab enter the DSfW server's IP address of 172.17.0.21 as Name Server 1 and click OK

11. Go to the oes11-edir server virtual machine
12. Create a partition at o=da
    a) Start iManager by opening Firefox and going to https://172.17.0.11/nps (Username: admin, Password: novell, Tree: da-tree)
    b) In Roles and Tasks on the right hand side click Partition and Replicas
    c) Click Create Partition
    d) Enter da or browse to the o=da container object and click OK
    e) When the partition operation is complete click OK

The following exercises will guide you through the install of Domain Services for Windows

1. Add the OES11 repository
   f) Start YaST
   g) Click 'Install Add-On Products'
   h) Click 'Add'
   i) Select 'Specify URL' and click 'Next'
   j) Enter 'http://172.17.0.11/install/oes11/' in the URL field and click Next

   k) Click Import when the Import Untrusted GnuPG Key dialog pops up
   l) Click I Agree at the license agreement and then click OK

13. Select Novell Domain Services for Windows and click Accept

14. When the warning message pops up, select the 'following actions will be done:' option and click OK

15. Click Accept

16. Select Existing Tree and enter DA-TREE for the eDirectory tree name

17. Enter the IP address 172.17.0.11, the name cn=admin.o=da and the password novell

18. Leave the dib location default and click Next

19. Click Add on the NTP servers screen, enter the eDirectory server's IP address of 172.17.0.11 and click Next

20. Select Configure SLP to use an existing Directory Agent
    a) The name of the scope is DEFAULT and the Configured SLP Directory Agent is 172.17.0.11

21. Leave the Novell Modular Authentication Service screen as default and click Next

22. On the eDirectory Configuration – Domain Services for Windows screen select New Domain Services for Windows Forest, leave the NetBIOS Name as DA and click Next

23. On the eDirectory Configuration – New Domain Information screen enter the password of novell for the Domain Administrator

24. On the eDirectory Configuration – Domain Services for Windows screen enter o=da for the FDN of the container that is to be mapped as da.com, and check Retain existing Novell Password Policies on Users

25. On the eDirectory Configuration – OES Common Proxy User Information screen click Next

26. Novell DNS Services Configuration
    a) Click 'Get context and proxy user information from existing DNS server', enter the IP address of 172.17.0.11, then click Retrieve. This will auto-populate the fields. The password for the DNS_Proxy user is novell. Then click Next.

NOTE: The DNS Locator object along with the other DNS objects is located in o=da.

27. On the Novell Open Enterprise Server Configuration page click Next.
    a) Open two terminals and tail the y2log and ndsdcinit.log for troubleshooting:
       1. tailf /var/log/YaST/y2log
       2. tail -F /var/opt/novell/xad/log/ndsdcinit.log

28. Add the partitions corp, administration, and eu to the domain.
    a) When the install of the RPMs has finished, reboot and log in to the server. The Provisioning Wizard will start automatically.
    b) Check Enable Custom Provisioning
    c) Log in to the provisioning wizard. The password for both admin and administrator is novell.

29. Add replicas of the corp, administration, and eu partitions using iManager. Then check the containers in the provisioning wizard and click 'Next'
    a) Start iManager by opening Firefox and going to https://172.17.0.11/nps (Username: admin, Password: novell, Tree: da-tree)
    b) In Roles and Tasks on the right hand side click Partition and Replicas
    c) Click Create Partition
    d) Browse to the ou=corp.o=da container object and click OK
    e) When the partition operation is complete click OK
    f) Continue to add replicas of ou=administration.ou=corp.o=da and ou=eu.o=da

30. Run the provisioning
    a) Open two terminals and tail the ndsdcinit.log and provision.log:
       1. tail -F /var/opt/novell/xad/log/provision.log
       2. tail -F /var/opt/novell/xad/log/ndsdcinit.log
    b) When finished, reboot the server.

31. The installation of Domain Services for Windows is complete.
32. Follow TID 7001884 Verify a Domain Services for Windows Install

TID 7001884 Verify a Domain Services for Windows Install

If installing a child domain or an additional domain controller, the DSfW DNS server listed in /etc/resolv.conf must also be restarted:
   rcnovell-named restart

Verify that the eDirectory database is open and that ndspath properly exported the paths for the eDir commands by issuing the following command:
   ndsstat

Check that all the services necessary for Domain Services for Windows are running:
   xadcntrl validate

Verify that LDAP is functioning and that Administrator is provisioned. A provisioned user will have a sAMAccountName attribute whose value is the user's ID. Be sure to export LDAPCONF. If not, use the -e parameter and point to an exported cert, or use -x. If using -x, the required TLS setting needs to be unchecked on the LDAP Group object and nldap needs to be restarted (nldap -u AND nldap -l).

   export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
   ldapsearch -Y EXTERNAL -LLL -b (base context to search) sAMAccountName

Example:
   ldapsearch -Y EXTERNAL -LLL -b cn=Administrator,cn=users,dc=da,dc=com sAMAccountName

The results should be as follows:
   SASL/EXTERNAL authentication started
   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
   SASL SSF: 0
   dn: cn=Administrator,cn=Users,dc=da,dc=com
   sAMAccountName: Administrator

Check that /etc/resolv.conf contains a DSfW nameserver and a domain search entry for this server. It should contain something like this:
   nameserver 172.17.0.21
   search da.com

Verify that /etc/hosts has only one entry with the server's primary IP address:
   less /etc/hosts

Verify that DNS is working for da.com:
   nslookup -query=any _ldap._tcp.dc._msdcs.da.com

Verify that the local KDC is working. You should be able to authenticate without any errors:
   /opt/novell/xad/bin/kinit [email protected]

Locate the domain controller for a domain and get the DC capabilities:
   /opt/novell/xad/sbin/provision ---dc da.com
You should see something like this:
   Domain Services for Windows Server Provisioning Tool
   Copyright (c) 2001-2007 Novell, Inc. All rights reserved.

   DC: \\.da.com
   Address: \\10.10.10.10
   Dom Guid: c1eada0d-391c-4ca9-b488-0bdaeac11c38
   Dom Name: da.com
   Forest Name: da.com
   Dc Site Name: Default-First-Site-Name
   Our Site Name: Default-First-Site-Name
   Flags: PDC GC DS LDAP KDC TIMESERV CLOSEST WRITABLE GTIMESERV DNS_DC DNS_DOMAIN DNS_FOREST

Verify that xadsd is working:
   rpcclient -k ncalrpc: -c dsroledominfo
You should see something like this:
   Machine Role = [5]
   Directory Service is running.
   Domain is in native mode.

Verify that xadsd is working via NetBIOS:
   rpcclient -k localhost -c dsroledominfo
You should see something like this:
   Machine Role = [5]
   Directory Service is running.
   Domain is in native mode.

If you get the following error:
   ads_krb5_mk_req: krb5_get_credentials failed for cifs/[email protected] (Ticket expired)
   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Ticket expired
   failed session setup with NT_STATUS_LOGON_FAILURE
   Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

then issue another ticket by running:
   kinit [email protected]

Section 2 Join a Workstation to the DSfW Domain

Objective: Join a workstation to the da.com domain
Create a user with MMC

Requirements:
oes11-edir virtual machine
oes11 dsfw1 virtual machine
winxp virtual machine

Resource Information:
Domain name: da.com
Domain mapped to: o=da
Tree = DA-TREE
admin: cn=admin.o=da
admin passwd: novell
administrator passwd: novell
eDir server: 172.17.0.11 oes11-edir.da.com
PDC DSfW server: 172.17.0.21 oes11-dsfw1.oessystemobjects.da.com
ADC DSfW server: 172.17.0.22 oes11-dsfw2.oessystemobjects.da.com
DNS server: 171.17.0.21
winxp: 172.17.0.101

Exercise – Join a Windows XP workstation to the domain

In this exercise you will join a Windows XP workstation to the Domain Services for Windows domain. You will log in with the Administrator user after joining the workstation to the domain. You will create a new user with MMC. You will modify the new user with iManager and see the changes in MMC.

Join workstation to domain

1. With the winxp virtual machine powered down, select VM > Snapshot > Start Here; then
2. When prompted to open the snapshot, select Yes.
3. Power on the virtual machine.
4. Log in as geeko with the password of novell
5. Modify the DNS settings: Start > Control Panel > Network Connections
6. Right-click on Local Area Connection and select Properties
7. Select Internet Protocol and click Properties
8. For the Preferred DNS server enter 172.17.0.21, click OK, and click Close
9. Right-click on My Computer and select Properties
10. Click the Computer Name tab, then click Change
11. Enter winxp1 in the Computer Name field
12. Select Domain
13. Specify the domain name da.com
14. Click OK
15. Enter Administrator in the User Name field
16. Enter the password of novell in the Password field
17. Click OK
18. On success, you will see a message stating "Welcome to the da.com domain"
19. Click OK at the prompt to restart the computer
20. After restarting the computer enter Administrator for User Name
21. Password of novell
22. Select DA for the domain and log in

Exercise – Create a Custom Management Console, a user, and

In this exercise you will create a custom Management Console (MMC) and, using the newly created Management Console, create a user and group policy for all authenticated users in the da.com domain.

Create a custom management console

1. On the winxp virtual machine click Start > Run.
2. In the text box type mmc and click OK.
3. From the File menu, select Add/Remove Snap-In.
4. Click Add.
5. Select Active Directory Users and Computers, then click Add.
6. Click Close to close the Add Standalone Snap-In dialog box.
7. Click OK to close the Add/Remove Snap-In dialog box.
8. From the File menu, select Save As.
9. In the Save in: text box select Desktop from the drop-down list.
10. In the File Name text box type MY MMC and click Save.

Create a user with MY MMC

1. Start Active Directory Users and Computers by clicking on the desktop MY MMC
2. Select Active Directory Users and Computers
3. Expand the domain by clicking on the domain object da.com
4. Select the corp container object
5. Click the new user button in the task bar
6. At the prompts, enter the name and password information for the user. Example:
   First name: corpuser
   User logon name: corpuser
   Password: novell

Modify the corpuser with iManager

1. Start iManager by opening a browser (i.e. Internet Explorer) and going to https://172.17.0.11/nps (Username: admin, Password: novell, Tree: da-tree)
2. Click on the View Objects icon in the tool bar of iManager.
3. Browse for the corpuser by clicking on da > corp > corpuser.
4. Add a telephone number to the corpuser
   a) Click on corpuser > Telephone number: and enter 555-555-5555.
5. Open MMC by clicking on MY MMC on the Desktop.
6. Check that the telephone number has been added.
7. Log out as Administrator.
8. At the login prompt for User Name enter corpuser.
9. Password is novell
10. Select the DA domain and log in
11. A local profile will be created for the new user on a successful login.

Section 3 Merge Zones Exercises

Objective: Merge the reverse lookup zones using the db files
Merge the da.com zones using the DNS/DHCP Console

Requirements:
oes11-edir virtual machine
oes11 dsfw1 virtual machine
oes11 dsfw2 virtual machine

Resource Information:
Domain name: da.com
Domain mapped to: o=da
Tree = DA-TREE
admin: cn=admin.o=da
admin passwd: novell
administrator passwd: novell
eDir server: 172.17.0.11 oes11-edir.da.com
PDC DSfW server: 172.17.0.21 oes11-dsfw1.oessystemobjects.da.com
ADC DSfW server: 172.17.0.22 oes11-dsfw2.oessystemobjects.da.com
DNS server: 171.17.0.21
iManager server: 171.17.0.11

Exercise – Merge DNS zones

In this exercise you will export two reverse lookup and two forward zones, merge the two reverse lookup zones and the two forward zones so that they are ready to import.

Merge reverse lookup zones using dns db files

1. With the oes11 eDir virtual machine powered down, select VM > Snapshot > Start Here; then
2. When prompted to open the snapshot, select Yes.
3. Power on the virtual machine.
4. Log in as root with the password of novell
5. Open a terminal by clicking on the gnome terminal icon in the toolbar panel
6. Copy the 0.17.172.IN-ADDR.ARPA.db to /root/
   a) In the terminal type cp /etc/opt/novell/named/0.17.172.IN-ADDR.ARPA.db /root/
7. With the oes11 dsfw1 virtual machine powered down, select VM > Snapshot > Start Here; then
8. When prompted to open the snapshot, select Yes.
9. Power on the virtual machine.
10. Log in as root with the password of novell
11. View the 0.17.172.in-addr.arpa.db
    a) Start nautilus (on the desktop open root's Home folder)
    b) Browse to /etc/opt/novell/named/
    c) With gedit open 0.17.172.in-addr.arpa.db
12. Switch to the oes11 eDir virtual machine
13. Open the /root/0.17.172.IN-ADDR.ARPA.db
    a) Start nautilus (on the desktop open root's Home folder)
    b) With gedit open /root/0.17.172.IN-ADDR.ARPA.db
14. Notice that the oes11-eDir server has many more records.
15. Edit the oes11 eDir server's 0.17.172.IN-ADDR.ARPA.db file and add the necessary records for the oes11 dsfw1 server.
16. Make the following changes (shown in bold in the original) in the /root/0.17.172.IN-ADDR.ARPA.db file:
    a) The oes11-dsfw1 server should be the Start of Authority (SOA)

   $ORIGIN .
   $TTL 86400 ; 1 day
   0.17.172.IN-ADDR.ARPA IN SOA oes11-dsfw1.da.com. root.0.17.172.IN-ADDR.ARPA. (
                   2012040231 ; serial
                   10800      ; refresh (3 hours)
                   3600       ; retry (1 hour)
                   604800     ; expire (1 week)
                   86400      ; minimum (1 day)
                   )
                   NS oes11-edir.da.com.
                   NS oes11-dsfw1.da.com.
   $ORIGIN 0.17.172.IN-ADDR.ARPA.
   11  PTR oes11-edir.da.com.
   21  PTR oes11-dsfw1.da.com.   ; 172.17.0.21 is the DSfW server
   201 PTR workstation1.da.com.
   202 PTR workstation2.da.com.
   203 PTR workstation3.da.com.
   204 PTR workstation4.da.com.
   205 PTR workstation5.da.com.
   206 PTR workstation6.da.com.
   207 PTR workstation7.da.com.
   208 PTR workstation8.da.com.
   209 PTR workstation9.da.com.
   210 PTR workstation10.da.com.

The file is now ready to import. Import the zone after the reverse lookup zones have been deleted and the da.com zone is ready to be imported.

Merge the da.com forward zones with the DNS/DHCP Console

1. On the oes11 eDir server log in to iManager by opening Firefox and entering https://172.17.0.11/nps in the URL bar (Username: admin, Password: novell, Tree: da-tree)
2. Click on the View Objects icon in the tool bar of iManager.
3. Look at the zones and their locations.
   a) The oes11 eDir server's zones are da > da_com and 0_17_172_IN-ADDR_ARPA
   b) The oes11 dsfw1 server's zones are da > OESSystemObjects > da_com and 0_17_172_in-addr_arpa
4. On the oes11 eDir server log in to the DNS/DHCP Console.
   a) Click on the DNS/DHCP Console icon in the toolbar panel.
   b) Server Address: 172.17.0.11
   c) Port: 636
   d) User Name: cn=admin,o=da
   e) Password: novell
   f) Click OK
5. Notice the duplicate zone names.
6. Click on the lower da.com zone. This is the DSfW-created zone.
   a) Notice that the Designated Primary server is DNS_oes11-dsfw1
7. Click the export button in the toolbar (white piece of paper with an arrow pointing to the left).
8. Enter the location and name of the file, /root/dsfw-da.txt, and click Export.
9. Click on the upper da.com zone; this is the pre-existing zone on the oes11 eDir server.
   a) Notice that the Designated Primary server is DNS_oes11-edir
10. Click the export button in the toolbar (white piece of paper with an arrow pointing to the left)

11. Enter the location and name of the file, /root/edir-da.txt, and click Export.
12. Copy /root/dsfw-da.txt to /root/da.db
    a) From a terminal enter cp /root/dsfw-da.txt /root/da.db
13. With gedit open /root/da.db and /root/edir-da.txt
14. Copy all records from the $ORIGIN da.com. section in /root/edir-da.txt into the $ORIGIN da.com. section in /root/da.db
    a) Here are the resource records to be copied:
       oes11-edir     IN A 172.17.0.11
       workstation1   IN A 172.17.0.201
       workstation10  IN A 172.17.0.210
       workstation2   IN A 172.17.0.202
       workstation3   IN A 172.17.0.203
       workstation4   IN A 172.17.0.204
       workstation5   IN A 172.17.0.205
       workstation6   IN A 172.17.0.206
       workstation7   IN A 172.17.0.207
       workstation8   IN A 172.17.0.208
       workstation9   IN A 172.17.0.209
    b) In the section $ORIGIN com. under da add:
       IN NS oes11-edir.da.com.
       IN NS 172.17.0.11.

15. The da.db file should look as follows (the lines added from edir-da.txt are marked with a trailing "; added" comment; the printed lab showed them in bold):

$ORIGIN da.com.
@ IN SOA oes11-dsfw1.da.com. root.oes11-dsfw1.da.com. (
        20124100   ; Serial
        10800      ; Refresh
        3600       ; Retry
        604800     ; Expire
        86400 )    ; Minimum
$ORIGIN _tcp.da.com.
_gc IN SRV 0 100 3268 oes11-dsfw1.da.com.
$ORIGIN _tcp.Default-First-Site-Name._sites.da.com.
_gc IN SRV 0 100 3268 oes11-dsfw1.da.com.
$ORIGIN _tcp.da.com.
_kerberos IN SRV 0 100 88 oes11-dsfw1.da.com.
$ORIGIN _tcp.dc._msdcs.da.com.
_kerberos IN SRV 0 100 88 oes11-dsfw1.da.com.
$ORIGIN _tcp.Default-First-Site-Name._sites.da.com.
_kerberos IN SRV 0 100 88 oes11-dsfw1.da.com.
$ORIGIN _tcp.Default-First-Site-Name._sites.dc._msdcs.da.com.
_kerberos IN SRV 0 100 88 oes11-dsfw1.da.com.
$ORIGIN _udp.da.com.
_kerberos IN SRV 0 100 88 oes11-dsfw1.da.com.
$ORIGIN _tcp.da.com.
_kpasswd IN SRV 0 100 464 oes11-dsfw1.da.com.
$ORIGIN _udp.da.com.
_kpasswd IN SRV 0 100 464 oes11-dsfw1.da.com.
$ORIGIN _tcp.da.com.
_ldap IN SRV 0 100 389 oes11-dsfw1.da.com.
$ORIGIN _tcp.597ea0fd-98ae-4047-82a2-fda07e59ae98.domains._msdcs.da.com.
_ldap IN SRV 0 100 389 oes11-dsfw1.da.com.
$ORIGIN _tcp.dc._msdcs.da.com.
_ldap IN SRV 0 100 389 oes11-dsfw1.da.com.
$ORIGIN _tcp.Default-First-Site-Name._sites.da.com.
_ldap IN SRV 0 100 389 oes11-dsfw1.da.com.
$ORIGIN _tcp.Default-First-Site-Name._sites.dc._msdcs.da.com.
_ldap IN SRV 0 100 389 oes11-dsfw1.da.com.
$ORIGIN _tcp.Default-First-Site-Name._sites.gc._msdcs.da.com.
_ldap IN SRV 0 100 3268 oes11-dsfw1.da.com.
$ORIGIN _tcp.gc._msdcs.da.com.
_ldap IN SRV 0 100 3268 oes11-dsfw1.da.com.
$ORIGIN _tcp.pdc._msdcs.da.com.
_ldap IN SRV 0 100 389 oes11-dsfw1.da.com.
$ORIGIN com.
da IN A 172.17.0.21
   IN NS oes11-dsfw1.da.com.
   IN NS oes11-edir.da.com.          ; added
   IN NS 172.17.0.11.                ; added
$ORIGIN _msdcs.da.com.
a6416b5a-7c70-11e1-be90-000c297c5128 IN CNAME oes11-dsfw1.da.com.
$ORIGIN da.com.
oes11-dsfw1 IN A 172.17.0.21
oes11-edir IN A 172.17.0.11          ; added
workstation1 IN A 172.17.0.201       ; added
workstation10 IN A 172.17.0.210      ; added
workstation2 IN A 172.17.0.202       ; added
workstation3 IN A 172.17.0.203       ; added
workstation4 IN A 172.17.0.204       ; added
workstation5 IN A 172.17.0.205       ; added
workstation6 IN A 172.17.0.206       ; added
workstation7 IN A 172.17.0.207       ; added
workstation8 IN A 172.17.0.208       ; added
workstation9 IN A 172.17.0.209       ; added
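Steps 12 through 15 merge the two exports by hand in gedit, which is easy to get wrong when the zone has many $ORIGIN sections. The following script is an added example written for this page; it is not part of the Novell lab or the DNS/DHCP Console. It parses two BIND-format exports ($ORIGIN handling, blank-owner inheritance, the multi-line SOA), adds every record from the eDirectory export that the DSfW export lacks, keeps the DSfW SOA so DNS_oes11-dsfw1 stays the designated primary, bumps the serial, and then checks that the DSfW locator SRV records (the ones a domain join depends on) are still present. The two zone texts are constructed, shortened versions of /root/dsfw-da.txt and /root/edir-da.txt; the REQUIRED_SRV list is my choice, taken from the da.db listing above.

```python
"""Merge two BIND-format zone exports into one zone and confirm the DSfW
locator (SRV) records survived the merge.

Added example, not part of the Novell lab; it automates steps 12-15 above.
The two zone texts are constructed, shortened versions of the
/root/dsfw-da.txt and /root/edir-da.txt exports shown in the lab.
"""

DSFW_EXPORT = """\
$ORIGIN da.com.
@ IN SOA oes11-dsfw1.da.com. root.oes11-dsfw1.da.com. (
        20124100 ; Serial
        10800    ; Refresh
        3600     ; Retry
        604800   ; Expire
        86400 )  ; Minimum
$ORIGIN _tcp.dc._msdcs.da.com.
_ldap IN SRV 0 100 389 oes11-dsfw1.da.com.
_kerberos IN SRV 0 100 88 oes11-dsfw1.da.com.
$ORIGIN _tcp.da.com.
_gc IN SRV 0 100 3268 oes11-dsfw1.da.com.
$ORIGIN com.
da IN A 172.17.0.21
   IN NS oes11-dsfw1.da.com.
$ORIGIN da.com.
oes11-dsfw1 IN A 172.17.0.21
"""

EDIR_EXPORT = """\
$ORIGIN da.com.
@ IN SOA oes11-edir.da.com. root.oes11-edir.da.com. (
        2012040101 ; Serial
        10800      ; Refresh
        3600       ; Retry
        604800     ; Expire
        86400 )    ; Minimum
$ORIGIN com.
da IN NS oes11-edir.da.com.
$ORIGIN da.com.
oes11-edir IN A 172.17.0.11
workstation1 IN A 172.17.0.201
workstation2 IN A 172.17.0.202
"""

# SRV owner prefixes a domain member needs in order to find a DC. Chosen for
# this example from the da.db listing; the lab's own verification step
# queries the first of them.
REQUIRED_SRV = ("_ldap._tcp.dc._msdcs.", "_kerberos._tcp.dc._msdcs.", "_gc._tcp.")


def qualify(name, origin):
    """Turn a zone-file owner name into a fully qualified name (trailing dot)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text):
    """Return (soa, records). soa is (owner, rdata); records is a list of
    (owner_fqdn, type, rdata) with $ORIGIN and blank-owner inheritance applied.
    Comments are stripped and a parenthesised SOA is joined into one line."""
    origin, owner, soa, records = ".", None, None, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].split(";", 1)[0]
        i += 1
        while "(" in line and ")" not in line and i < len(lines):
            line += " " + lines[i].split(";", 1)[0]
            i += 1
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.split()
        if not line[0].isspace():          # new owner; a leading blank inherits it
            owner = tokens.pop(0)
        if tokens[0].upper() == "IN":      # class is optional in BIND files
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(t for t in tokens if t not in ("(", ")"))
        if rtype == "SOA":
            soa = (qualify(owner, origin), rdata)
        else:
            records.append((qualify(owner, origin), rtype, rdata))
    return soa, records


def merge_zones(primary_text, secondary_text):
    """Add every record of the secondary export that the primary lacks.
    The primary's SOA is kept (its designated primary server stays
    authoritative) and the serial is bumped so the change propagates."""
    soa, records = parse_zone(primary_text)
    _, extra = parse_zone(secondary_text)
    seen = set(records)
    added = [r for r in extra if r not in seen]
    records.extend(added)
    fields = soa[1].split()
    fields[2] = str(int(fields[2]) + 1)    # serial is the third SOA field
    return (soa[0], " ".join(fields)), records, added


def render_zone(soa, records):
    """Write the merged zone with fully qualified owners (no $ORIGIN sections)."""
    owner, rdata = soa
    out = [f"$ORIGIN {owner}", f"@ IN SOA {rdata}"]
    out += [f"{fqdn} IN {rtype} {rd}" for fqdn, rtype, rd in records]
    return "\n".join(out) + "\n"


def missing_locator_records(records, domain="da.com."):
    """Names from REQUIRED_SRV that have no SRV record in the merged zone."""
    present = {fqdn.lower() for fqdn, rtype, _ in records if rtype == "SRV"}
    return [p + domain for p in REQUIRED_SRV if (p + domain).lower() not in present]


if __name__ == "__main__":
    soa, records, added = merge_zones(DSFW_EXPORT, EDIR_EXPORT)
    print(render_zone(soa, records))
    print(f"{len(added)} records added; missing locators: {missing_locator_records(records)}")
```

Run it against the real exports by replacing the two constants with open("/root/dsfw-da.txt").read() and open("/root/edir-da.txt").read() and writing render_zone() to /root/da.db; an empty list from missing_locator_records() is the check worth doing before the import in the next exercise, because a zone that lost _ldap._tcp.dc._msdcs breaks every later domain join and ADC install.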

Exercise – Merge DNS zones

In this exercise you will delete the zones from eDirectory/DNS and import the newly merged zones into eDirectory/DNS. Both da.com zones and the reverse lookup zones should already have been exported and merged, ready to import.

Delete and import forward and reverse lookup zones

1. Delete the two da.com zones and the two 172.17.0 reverse lookup zones.
   a) Select a zone and click the Delete button (red X) in the toolbar.
   b) Do this for each zone (leave RootServerInfo in place).
2. Import /root/0.17.172.IN-ADDR.ARPA.db first, then /root/da.db.
   a) Select All Zones and click the Import button in the toolbar (brown piece of paper with an arrow pointing to the right).
   b) Enter /root/0.17.172.IN-ADDR.ARPA.db for the DNS BIND File, then click Next.
   c) In the Selected Record field select o=da and click OK.
   d) Select cn=DNS_oes11-dsfw1,ou=OESSystemObjects,o=da and click Next.
   e) Select Primary and click Next.
   f) The Zone Context should be o=da and the DNS server should be cn=DNS_oes11-dsfw1,ou=OESSystemObjects,o=da; if correct, click Import.
   g) Follow the same steps to import /root/da.db.
3. Reload DNS on both servers with the command: rcnovell-named reload

Section 4 Install Additional Domain Services for Windows Server


Goal: Install an Additional Domain Controller

Requirements: Install Additional Domain Controller to the da.com domain Install and configure DNS on the ADC

Resource Information:
Install source: http://172.17.0.11/install/oes11
Domain name: da.com
Domain mapped to: o=da
Tree: DA-TREE
admin: cn=admin,o=da
admin passwd: novell
eDir server: 172.17.0.11 oes11-edir.da.com
PDC DSfW server: 172.17.0.21 oes11-dsfw1.oessystemobjects.da.com
ADC DSfW server: 172.17.0.22 oes11-dsfw2.oessystemobjects.da.com (to be installed)
NTP server: 172.17.0.11
SLP Configuration: Scope = DEFAULT, SLP DA = 172.17.0.11
Retrieve existing DNS info: 172.17.0.11
DNS Proxy: cn=DNS_Proxy_User,o=da
DNS Proxy passwd: novell
iManager server: 172.17.0.11

Exercise – Install a second Domain Services for Windows server into an existing domain

In this exercise you will install a second Domain Services for Windows server into an existing DSfW domain and configure DNS on the Additional Domain Controller.
Follow TID 7009927, Preparing for an ADC Install of Domain Services for Windows.
Use the resource information above to complete the install of the ADC.
When the install is finished, follow TID 7001884 to verify DSfW is working properly.
Use the Install Domain Services for Windows into an existing eDirectory Tree exercise for additional

TID 7009927 Preparing for an ADC Install of Domain Services for Windows

The install of DSfW has to be done on a new OES server. The OES server can be configured on an existing SLES server or on a new install of SLES where OES is the add-on product.

OES2 SP1 is installed on SLES10 SP2. For OES2 SP2 or OES2 SP3 DSfW use SLES10 SP3. For OES11 use SLES11 SP1.

eDirectory cannot be installed on the server prior to installing DSfW.

/etc/hosts should list the loopback address and the server's fully qualified domain name. If a 127.0.0.2 entry also exists, comment it out along with the IPv6 loopback line (starts with ::1), or follow TID 7010075. Example of /etc/hosts for a server named oes11-dsfw2 in the domain da.com:

127.0.0.1     localhost
172.17.0.22   oes11-dsfw2.da.com oes11-dsfw2

/etc/resolv.conf should list, as the first name server, the IP address of the DSfW server about to be installed. If installing into an existing domain, point to the first DSfW server instead. That server should also be a DNS server, unless DNS was removed and its records imported on another DNS server after DSfW was installed. Example:

nameserver 172.17.0.21
nameserver 172.17.0.22
search da.com


Verify the time and time zone is correct.

Perform an eDirectory health check as listed in TID 3564075.

When installing DSfW only select the DSfW pattern. All the necessary patterns will also be selected. Do not uncheck any of the other patterns.

Verify uniquedomainid attribute is present on all objects within the domain. This can be done using ldapsearch or with iMonitor.

Check for objects without uniquedomainid using ldapsearch on the first DSfW server. This search lists the objects that lack the uniquedomainid attribute and also writes the list to /tmp/uniquedomainid.txt:

LDAPCONF=/etc/opt/novell/xad/openldap/openldap.conf ldapsearch -Y EXTERNAL -LLL -Q -b "dc=da,dc=com" -s sub '(!(uniquedomainid=*))' dn uniquedomainid | tee /tmp/uniquedomainid.txt

Because this is a subtree search, the list may also contain objects that are not in the domain, such as the ou=configuration container or other partitions that are not part of the domain.

Some key objects to check for the uniquedomainid attribute are: krbtgt, domain controller object, and the container mapped to the domain.

ldapsearch can be used to check these individual objects. The examples below assume:
domain name = da.com
container mapped to the domain = dc=da,dc=com
DSfW server = oes11-dsfw1

Example of an ldapsearch for the uniquedomainid on the domain name (the container mapped to the domain):

LDAPCONF=/etc/opt/novell/xad/openldap/openldap.conf ldapsearch -Y EXTERNAL -LLL -Q -b "dc=da,dc=com" -s base dn uniquedomainid

Returns:
dn: o=da
uniquedomainid: 1049076

Example of an ldapsearch for the Domain Controller object, successfully returning its uniquedomainid:

LDAPCONF=/etc/opt/novell/xad/openldap/openldap.conf ldapsearch -Y EXTERNAL -LLL -Q -b "cn=oes11-dsfw1,ou=domain controllers,dc=da,dc=com" -s base dn uniquedomainid

Returns:
dn: cn=oes11-dsfw1,ou=Domain Controllers,dc=da,dc=com
uniquedomainid: 1049076

Example of an ldapsearch for the krbtgt object, successfully returning its uniquedomainid:

LDAPCONF=/etc/opt/novell/xad/openldap/openldap.conf ldapsearch -Y EXTERNAL -LLL -Q -b "cn=krbtgt,cn=users,dc=da,dc=com" -s base dn uniquedomainid

Returns:
dn: cn=krbtgt,cn=Users,dc=da,dc=com
uniquedomainid: 1049076
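The subtree search above returns every object under the search base without uniquedomainid, including objects that are not domain members, so the raw /tmp/uniquedomainid.txt needs sorting before you act on it. The script below is an added example for this page, not Novell code: it parses the -LLL LDIF output (folded lines and base64 values included), drops entries that already carry the attribute, sets aside DNs outside the domain or under the configuration container, and flags the key objects the TID names (the domain container, krbtgt, and anything under ou=Domain Controllers). The LDIF is constructed sample output, not a capture; DOMAIN_BASES lists both the AD-style base and the o=da container it maps to, because the lab's own base search returns dn: o=da.

```python
"""Triage the output of the uniquedomainid ldapsearch.

Added example, not Novell code. A subtree search from the domain root also
returns objects that are not domain members (the configuration container,
other partitions), so the raw list is sorted into: critical domain objects
that must carry uniquedomainid, other in-domain objects, and noise outside
the domain. SAMPLE_LDIF is constructed; it is not real output.
"""
import base64

SAMPLE_LDIF = """\
dn: ou=Configuration,dc=da,dc=com

dn: cn=Sites,ou=Configuration,dc=da,dc=com

dn: cn=jsmith,cn=Users,dc=da,dc=com

dn: cn=krbtgt,cn=Users,dc=da,dc=com

dn: cn=oes11-dsfw1,ou=Domain Controllers,dc=da,dc=com

dn: cn=already-ok,cn=Users,dc=da,dc=com
uniquedomainid: 1049076

dn: o=other-partition

"""

# DSfW maps dc=da,dc=com onto o=da, so either spelling is the domain root.
DOMAIN_BASES = ("dc=da,dc=com", "o=da")
# Containers that live under the root but are not domain members.
NOT_DOMAIN = ("ou=configuration,", "cn=configuration,")


def _entry(lines):
    """Build {attr: [values]} from the unfolded lines of one LDIF entry."""
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entry


def parse_ldif(text):
    """Yield one entry dict per blank-line-separated LDIF record; a line that
    starts with a space continues the previous one (RFC 2849 folding)."""
    lines = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        else:
            if lines:
                yield _entry(lines)
            lines = []


def _norm(dn):
    """Lower-case a DN and drop the spaces some tools print after commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def triage(ldif_text, bases=DOMAIN_BASES):
    """Sort DNs lacking uniquedomainid into critical / other / outside."""
    bases = tuple(_norm(b) for b in bases)
    out = {"critical": [], "other": [], "outside": []}
    for entry in parse_ldif(ldif_text):
        if "uniquedomainid" in entry:
            continue                          # provisioned; nothing to do
        dn = entry["dn"][0]
        n = _norm(dn)
        in_domain = any(n == b or n.endswith("," + b) for b in bases)
        if not in_domain or any(p in n for p in NOT_DOMAIN):
            out["outside"].append(dn)
        elif n in bases or n.startswith("cn=krbtgt,") or ",ou=domain controllers," in n:
            out["critical"].append(dn)
        else:
            out["other"].append(dn)
    return out


if __name__ == "__main__":
    import sys
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for bucket, dns in triage(text).items():
        print(f"{bucket}: {len(dns)}")
        for dn in dns:
            print("   ", dn)
```

Feed it the saved search with python3 triage.py < /tmp/uniquedomainid.txt. Anything in the critical bucket must be fixed before the ADC install proceeds; the other bucket is worth reviewing; the outside bucket is the expected subtree-search noise the TID warns about.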

TID 7001884 Verify a Domain Services for Windows Install If installing a child domain or an additional domain controller, the DSFW DNS server listed in the /etc/resolv.conf must also be restarted rcnovell-named restart

Verify the eDirectory database is open and that the ndspath properly exported the paths for eDir commands by issuing the following command:


ndsstat

Check that all the services necessary for Domain Services for Windows are running xadcntrl validate

Verify LDAP is functioning and that Administrator is provisioned. A provisioned user has a sAMAccountName attribute whose value is the user's ID. Be sure to export LDAPCONF first. If you do not, use the -e parameter and point to an exported certificate, or use -x. If you use -x, the required-TLS setting must be unchecked on the LDAP Group object and nldap restarted (nldap -u, then nldap -l); turn it back on when you are finished, since a simple bind without TLS sends the password in clear text.

export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
ldapsearch -Y EXTERNAL -LLL -b (base context to search) sAMAccountName

Example:
ldapsearch -Y EXTERNAL -LLL -b cn=Administrator,cn=users,dc=mydomain,dc=com sAMAccountName

The results should be as follows:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=Administrator,cn=Users,dc=da,dc=com
sAMAccountName: Administrator

Check that /etc/resolv.conf contains a DSfW name server and a domain search entry for this server:

less /etc/resolv.conf

It should return something like this:
nameserver 172.17.0.21
nameserver 172.17.0.22
search da.com

Verify the /etc/hosts has only one entry with the server's primary IP address less /etc/hosts
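The /etc/hosts and /etc/resolv.conf rules are stated twice on this page, once as prerequisites in TID 7009927 and again as the verification steps just above, and the checks are easy to do by eye but easier to get wrong (a duplicated primary-IP line, an uncommented ::1, a first nameserver that still points at the eDirectory server). The script below is an added example, not Novell code: it encodes those rules as two functions that return a list of problems, so an empty list means the file passes. The file bodies are constructed to match the ADC in this lab (oes11-dsfw2 at 172.17.0.22, first DSfW server at 172.17.0.21); the "bad" variants show the mistakes the TIDs warn about.

```python
"""Check /etc/hosts and /etc/resolv.conf against the DSfW prerequisites in
TID 7009927 and the verification steps in TID 7001884.

Added example, not Novell code. The file bodies are constructed for the
ADC in this lab (oes11-dsfw2, 172.17.0.22); the BAD_* variants contain the
mistakes the TIDs warn about.
"""

GOOD_HOSTS = """\
127.0.0.1       localhost
# 127.0.0.2     oes11-dsfw2.da.com oes11-dsfw2   (commented out per TID 7010075)
# ::1           localhost ipv6-localhost
172.17.0.22     oes11-dsfw2.da.com oes11-dsfw2
"""

BAD_HOSTS = """\
127.0.0.1       localhost
127.0.0.2       oes11-dsfw2.da.com oes11-dsfw2
::1             localhost ipv6-localhost
172.17.0.22     oes11-dsfw2.da.com oes11-dsfw2
172.17.0.22     oes11-dsfw2
"""

GOOD_RESOLV = """\
nameserver 172.17.0.21
nameserver 172.17.0.22
search da.com
"""

BAD_RESOLV = """\
nameserver 172.17.0.11
search example.test
"""


def _entries(text):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields


def check_hosts(text, primary_ip, fqdn):
    """Return the problems found in an /etc/hosts body; [] means it passes.
    Rules: 127.0.0.1 present, 127.0.0.2 and ::1 not active, exactly one
    line for the primary IP, and that line names both the FQDN and the
    short host name."""
    short = fqdn.split(".")[0]
    problems, primary_entries, has_loopback = [], [], False
    for addr, *names in _entries(text):
        if addr == "127.0.0.1":
            has_loopback = True
        elif addr == "127.0.0.2":
            problems.append("127.0.0.2 entry is active; comment it out (TID 7010075)")
        elif addr == "::1":
            problems.append("IPv6 loopback (::1) entry is active; comment it out")
        elif addr == primary_ip:
            primary_entries.append(names)
    if not has_loopback:
        problems.append("no 127.0.0.1 loopback entry")
    if len(primary_entries) != 1:
        problems.append(f"expected exactly one {primary_ip} entry, found {len(primary_entries)}")
    elif fqdn not in primary_entries[0] or short not in primary_entries[0]:
        problems.append(f"{primary_ip} entry must list both {fqdn} and {short}")
    return problems


def check_resolv(text, first_nameserver, domain):
    """Return the problems found in a resolv.conf body; [] means it passes.
    Rules: the first nameserver is the DSfW server the TID names, and the
    domain appears in the search (or domain) list."""
    problems, nameservers, search = [], [], []
    for key, *values in _entries(text):
        if key == "nameserver":
            nameservers += values
        elif key in ("search", "domain"):
            search += values
    if not nameservers:
        problems.append("no nameserver entries")
    elif nameservers[0] != first_nameserver:
        problems.append(f"first nameserver is {nameservers[0]}, expected {first_nameserver}")
    if domain not in search:
        problems.append(f"search list {search} does not include {domain}")
    return problems


if __name__ == "__main__":
    checks = (("hosts", check_hosts(BAD_HOSTS, "172.17.0.22", "oes11-dsfw2.da.com")),
              ("resolv.conf", check_resolv(BAD_RESOLV, "172.17.0.21", "da.com")))
    for name, probs in checks:
        print(name, "OK" if not probs else "\n  ".join([""] + probs))
```

On the ADC itself, pass open("/etc/hosts").read() and open("/etc/resolv.conf").read() instead of the constants; for the first DSfW server in a new domain, first_nameserver is that server's own address, as TID 7009927 says.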

Verify DNS is working nslookup da.com nslookup -query=any _ldap._tcp.dc._msdcs.da.com

Verify that the local KDC is working. You should be able to authenticate without any errors:
/opt/novell/xad/bin/kinit [email protected]

Locate the domain controller for a domain and get the DC capabilities:
/opt/novell/xad/sbin/provision --locate-dc da.com

You should see something like this:
Domain Services for Windows Server Provisioning Tool
Copyright (c) 2001-2007 Novell, Inc. All rights reserved.

DC: \\dsfwserver.mydomain.com
Address: \\10.10.10.10
Dom Guid: c1eada0d-391c-4ca9-b488-0bdaeac11c38
Dom Name: mydomain.com
Forest Name: mydomain.com
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV CLOSEST WRITABLE GTIMESERV DNS_DC DNS_DOMAIN DNS_FOREST

Verify that xadsd is working:
rpcclient -k ncalrpc: -c dsroledominfo

You should see something like this:
Machine Role = [5]
Directory Service is running.
Domain is in native mode.

Verify that xadsd is working via NetBIOS:
rpcclient -k localhost -c dsroledominfo

You should see something like this:
Machine Role = [5]
Directory Service is running.
Domain is in native mode.

If you get the following error:
ads_krb5_mk_req: krb5_get_credentials failed for cifs/[email protected] (Ticket expired)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Ticket expired
failed session setup with NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

then obtain a fresh ticket by running:
kinit [email protected]
