Domain Tips and Tricks Lab
Installing a Domain Service for Windows: Domain Tips and Tricks Lab
Novell Training Services
www.novell.com
OES10
ATT LIVE 2012 LAS VEGAS
Novell, Inc. Copyright 2012-ATT LIVE-1-HARDCOPY PERMITTED. NO OTHER PRINTING, COPYING, OR DISTRIBUTION ALLOWED.

Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2012 Novell, Inc. All rights reserved.
No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks: For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials: All third-party trademarks are the property of their respective owners.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1. To report suspected copying, please call 1-800-PIRATES.
OES10-Installing a Domain Service for Windows: Domain Tips and Tricks / Lab

Section 1: Implement Domain Services for Windows

Objective: Create a domain named da.com

Requirements:
- Map the domain to o=da
- Add the partitions corp, administration, and eu to the domain

Resource Information:
- Install source: http://172.17.0.11/install/oes11
- Domain name: da.com
- Domain mapped to: o=da
- Tree: DA-TREE
- admin: cn=admin.o=da
- admin password: novell
- administrator password: novell
- eDir server: 172.17.0.11 oes11-edir.da.com
- DSfW server: 172.17.0.21 oes11-dsfw1.oessystemobjects.da.com (to be installed)
- NTP server: 172.17.0.11
- SLP configuration: Scope = DEFAULT, SLP DA = 172.17.0.11
- Retrieve existing DNS info: 172.17.0.11
- DNS Proxy: cn=DNS_Proxy_User,o=da
- DNS Proxy password: novell
- iManager server: 172.17.0.11

TID 7002172: Preparing for Domain Services for Windows Install

The install of DSfW has to be done on a new OES server. The OES server can be configured on an existing SLES server or on a new install of SLES where OES is the add-on product. OES2 SP1 is installed on SLES10 SP2; OES2 SP2 and OES2 SP3 DSfW use SLES10 SP3; OES11 is installed on SLES 11 SP1. eDirectory cannot be installed on the server prior to installing DSfW.

Extend the DSfW schema before installing. The schema tool on an existing OES server in the tree is an easy way to accomplish this.

/etc/hosts should list the domain name as well as the loopback address. If a 127.0.0.2 entry also exists, comment it out along with the IPv6 line (the one starting with ::1), or follow TID 7010075. Example of an /etc/hosts for a server named oes11-dsfw1 in the domain da.com:

127.0.0.1 localhost
172.17.0.21 oes11-dsfw1.da.com oes11-dsfw1

For OES11, verify that /etc/HOSTNAME has the full DNS name listed (server.domain). It should use the same domain name as the /etc/hosts file; otherwise the field for the DSfW domain name will be empty during the YaST configuration.
Example: oes11-dsfw1.da.com

The domain name should not end in .local: the .local top-level domain is treated as a link-local (multicast DNS) domain, so queries for it are sent to a multicast address instead of to the DNS server. .int or .internal are commonly substituted for .local. (Be aware that .int is itself a delegated public TLD; a subdomain of a domain you own avoids any collision with public DNS.)

/etc/resolv.conf should list as its first name server the IP address of the DSfW server that is about to be installed. If installing into an existing domain, point to the first DSfW server. That server should also be a DNS server, unless DNS was removed and the records were imported on another DNS server after the DSfW install. Example:

nameserver 172.17.0.21
search dsfwdomain.com

If doing a name-mapped install (installing into an existing tree), partition the container that is to become the domain. For OES2 SP1 and OES2 SP2 the domain name has to be the same as the name of the container it is mapped to. Example: da.com has to be mapped to a partitioned container named da. For OES2 SP3 and OES11 the domain name and the container name can differ.

If this is the first DSfW server in the tree, a forest will be created (only one forest per eDirectory tree), and the container that becomes the domain will be the root for all other domains. An additional domain cannot be installed at a higher location in the tree. The maximum depth for domains in a forest is 5, and a total of 10 domains per forest is allowed. The maximum number of domain controllers per domain is 5.

A partition cannot exist between domains. Example: city.county.state.country.com

- country.com is partitioned and is the root domain
- state is a partition, not a domain
- county is a partition, not a domain
- city is a partition, not a domain

A domain cannot be created for county until a domain has been created for state.
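The host-side rules above (FQDN in /etc/HOSTNAME, no .local domain, loopback and server lines in /etc/hosts with 127.0.0.2 and ::1 commented out, the DSfW server itself as the first nameserver in /etc/resolv.conf) can be checked in one pass before starting YaST. The script below is an added example, not part of the Novell lab: the three files it writes are constructed samples standing in for the real /etc/HOSTNAME, /etc/hosts and /etc/resolv.conf, and the function names, the temporary directory layout and the "bad" variant are assumptions made here. The host name and IP addresses are the ones from the lab's resource list; point the functions at the real files on the target server to check it.

```shell
#!/bin/sh
# Added example, not part of the Novell lab: a preflight for the host-side settings the
# lab says to check before running the DSfW YaST configuration. The files below are
# constructed samples standing in for /etc/HOSTNAME, /etc/hosts and /etc/resolv.conf.
TMP=$(mktemp -d)
mkdir -p "$TMP/good" "$TMP/bad"

# Constructed: a server that follows the lab's rules (FQDN in HOSTNAME, 127.0.0.2 and
# ::1 commented out in hosts, the DSfW server itself as first nameserver).
printf 'oes11-dsfw1.da.com\n' > "$TMP/good/HOSTNAME"
cat > "$TMP/good/hosts" <<'EOF'
127.0.0.1       localhost
#127.0.0.2      oes11-dsfw1.da.com oes11-dsfw1
#::1            localhost ipv6-localhost ipv6-loopback
172.17.0.21     oes11-dsfw1.da.com oes11-dsfw1
EOF
cat > "$TMP/good/resolv.conf" <<'EOF'
search da.com
nameserver 172.17.0.21
nameserver 172.17.0.11
EOF

# Constructed: the same server, but the 127.0.0.2 line was left active (the failure case).
cp "$TMP/good/HOSTNAME" "$TMP/good/resolv.conf" "$TMP/bad/"
cat > "$TMP/bad/hosts" <<'EOF'
127.0.0.1       localhost
127.0.0.2       oes11-dsfw1.da.com oes11-dsfw1
172.17.0.21     oes11-dsfw1.da.com oes11-dsfw1
EOF

# fqdn_of FILE: print the name in a HOSTNAME file; fail if it carries no domain part.
fqdn_of() {
    fqdn_name=$(head -n 1 "$1" | tr -d '[:space:]')
    case "$fqdn_name" in
        *.*) printf '%s\n' "$fqdn_name" ;;
        *)   return 1 ;;
    esac
}

# tld_ok NAME: .local is a link-local (multicast DNS) domain, so it is rejected.
tld_ok() {
    case "$1" in
        *.local) return 1 ;;
        *)       return 0 ;;
    esac
}

# hosts_ok FILE IP FQDN: loopback line and "IP FQDN" line present, and no active
# 127.0.0.2 or ::1 line. A commented line starts with '#', so its $1 never matches.
hosts_ok() {
    awk -v ip="$2" -v fqdn="$3" '
        $1 == "127.0.0.1" && $2 == "localhost" { lo = 1 }
        $1 == ip && $2 == fqdn                  { srv = 1 }
        $1 == "127.0.0.2" || $1 == "::1"        { bad = 1 }
        END { exit (lo && srv && !bad) ? 0 : 1 }' "$1"
}

# resolv_ok FILE IP: the first nameserver entry must be the DSfW server being installed.
resolv_ok() {
    [ "$(awk '$1 == "nameserver" { print $2; exit }' "$1")" = "$2" ]
}

# preflight DIR IP: run every check against DIR/HOSTNAME, DIR/hosts and DIR/resolv.conf.
# Using the FQDN from HOSTNAME to look up the hosts line also enforces the lab's rule
# that both files carry the same domain name.
preflight() {
    pf_dir=$1 pf_ip=$2
    pf_fqdn=$(fqdn_of "$pf_dir/HOSTNAME") || { echo "HOSTNAME does not hold an FQDN"; return 1; }
    tld_ok "$pf_fqdn" || { echo "$pf_fqdn ends in .local (link-local)"; return 1; }
    hosts_ok "$pf_dir/hosts" "$pf_ip" "$pf_fqdn" \
        || { echo "hosts: entries missing, or 127.0.0.2/::1 still active"; return 1; }
    resolv_ok "$pf_dir/resolv.conf" "$pf_ip" \
        || { echo "resolv.conf: first nameserver is not $pf_ip"; return 1; }
    echo "preflight OK for $pf_fqdn ($pf_ip)"
}

preflight "$TMP/good" 172.17.0.21
preflight "$TMP/bad"  172.17.0.21 || true   # reports the active 127.0.0.2 line
```

On a real server, call `preflight /etc 172.17.0.21` (the functions only read the files), or run the individual checks against the corresponding /etc file.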
A domain cannot be created for city until domains have been created for state and county.

With OES2 SP3 and OES11, multiple partitions can be added to a domain. When the provisioning wizard is started, check 'Enable Custom Provisioning' to add additional partitions to the domain. Replicas of the additional partitions (not the top partition/container at which the domain is created) will need to be added to the DSfW server. Only child partitions, not sibling partitions, can be added to the domain.

If doing a name-mapped install, verify that the following ACLs do not exist on the container that will be mapped:

ACL: 1#subtree#[Public]#cn
ACL: 3#subtree#[Root]#[All Attributes Rights]
ACL: 4#subtree#[This]#dBCSPwd
ACL: 4#subtree#[This]#unicodePwd
ACL: 4#subtree#[This]#supplementalCredentials
ACL: 3#subtree#[Root]#userCertificate;binary
ACL: 3#subtree#[Root]#cACertificate;binary

When you install DSfW, default containers are created. Make sure that the following container names do not already exist under the domain partition:

cn=Computers
cn=Users
ou=Domain Controllers
cn=DefaultMigrationContainer
cn=Deleted Objects
cn=ForeignSecurityPrincipals
cn=Infrastructure
cn=LostAndFound
cn=NTDS Quotas
cn=Program Data
cn=System
cn=Container

Note: What matters is the name of the object, not its base class. If there is an ou=users or a dc=computers under the domain container, it will need to be renamed or moved lower in the tree before installing DSfW.

For OES2 SP1 and SP2 the first domain controller in a domain is automatically designated as the master of the partition and is the RID master for the domain. For OES2 SP3 and OES11 the master replica is retained on the eDirectory server and a read/write replica is added to the DSfW server.

Verify that the time and time zone are correct on both the eDirectory server and the DSfW server. Perform an eDirectory health check as described in TID 3564075.
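The two checks above on the container to be name-mapped (none of the listed ACL values present, and no child whose name, whatever its naming attribute, collides with a default container) are easy to get wrong by eye, especially the "name, not base class" rule. The script below is an added example, not part of the Novell lab: it runs both checks over LDIF such as OpenLDAP's ldapsearch produces, plus the OES2 SP1/SP2 rule that the domain's first label must equal the mapped container's name. The two LDIF files it writes are constructed samples, not output from a real tree; the ldapsearch command lines in the comments use the lab's eDirectory server and admin DN as assumed values, and the function names are choices made here.

```shell
#!/bin/sh
# Added example, not part of the Novell lab: preflight for a name-mapped DSfW install.
# Input is LDIF. Against the lab's tree the real files would be produced by something like
# (assumed host and bind DN, taken from the lab's resource list):
#   ldapsearch -x -H ldaps://172.17.0.11 -D cn=admin,o=da -W -b o=da -s base ACL > container.ldif
#   ldapsearch -x -H ldaps://172.17.0.11 -D cn=admin,o=da -W -b o=da -s one  dn  > children.ldif
# The two files written below are constructed samples, not output from a real tree.
TMP=$(mktemp -d)

cat > "$TMP/container.ldif" <<'EOF'
dn: o=da
o: da
ACL: 2#entry#[Public]#loginScript
ACL: 1#subtree#[Public]#cn
ACL: 16#subtree#cn=admin,o=da#[Entry Rights]
EOF

cat > "$TMP/children.ldif" <<'EOF'
dn: ou=users,o=da

dn: dc=Computers,o=da

dn: o=corp,o=da

dn: cn=DNS_Proxy_User,o=da
EOF

# ACL values that must not be present on the container (the lab's list).
FORBIDDEN_ACLS='1#subtree#[Public]#cn
3#subtree#[Root]#[All Attributes Rights]
4#subtree#[This]#dBCSPwd
4#subtree#[This]#unicodePwd
4#subtree#[This]#supplementalCredentials
3#subtree#[Root]#userCertificate;binary
3#subtree#[Root]#cACertificate;binary'

# Names of the default containers DSfW creates under the domain partition.
RESERVED_NAMES='Computers
Users
Domain Controllers
DefaultMigrationContainer
Deleted Objects
ForeignSecurityPrincipals
Infrastructure
LostAndFound
NTDS Quotas
Program Data
System
Container'

# acl_conflicts FILE: print each forbidden ACL value found in the container's LDIF.
acl_conflicts() {
    printf '%s\n' "$FORBIDDEN_ACLS" | while IFS= read -r acl; do
        if grep -Fqx "ACL: $acl" "$1"; then printf '%s\n' "$acl"; fi
    done
    return 0
}

# name_conflicts FILE: print the RDN of each child whose name is reserved. Only the value
# after '=' is compared, case-insensitively, so ou=users and dc=Computers both hit.
name_conflicts() {
    awk '/^dn: /{ sub(/^dn: /, ""); print }' "$1" | while IFS= read -r dn; do
        rdn=${dn%%,*}
        name=${rdn#*=}
        if printf '%s\n' "$RESERVED_NAMES" | grep -Fqxi -- "$name"; then
            printf '%s\n' "$rdn"
        fi
    done
    return 0
}

count_lines() { wc -l | tr -d '[:space:]'; }
acl_conflict_count()  { acl_conflicts  "$1" | count_lines; }
name_conflict_count() { name_conflicts "$1" | count_lines; }

# name_map_ok DOMAIN CONTAINER: OES2 SP1/SP2 require the domain's first label to equal
# the mapped container's name (da.com -> o=da); OES2 SP3 and OES11 drop this rule.
name_map_ok() {
    [ "${1%%.*}" = "${2#*=}" ]
}

echo "forbidden ACLs on container:";   acl_conflicts  "$TMP/container.ldif"
echo "reserved names among children:"; name_conflicts "$TMP/children.ldif"
if [ "$(acl_conflict_count "$TMP/container.ldif")" = 0 ] \
   && [ "$(name_conflict_count "$TMP/children.ldif")" = 0 ]; then
    echo "container is clean for a name-mapped install"
else
    echo "fix the items above before installing DSfW"
fi
```

The name check deliberately ignores the naming attribute and compares only the RDN value, which is what the lab's note about ou=users and dc=computers calls for. It reads one DN per `dn:` line, so base64-encoded (`dn::`) or line-folded DNs are not handled; for a container with such children, inspect the output by hand.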
Before installing DSfW, install either AppArmor or the perl-TermReadKey Perl module; otherwise the install fails because of a missing dependency (TID 7010065).

If LUM is configured with a UNIX Config object in the container the domain will be mapped to, see TID 7009930: the LUM attributes on the container need to be removed.