
Configuring and Using Active Directory with Novell SecureLogin

Novell Cool Solutions: AppNote
By Girish Mutt


Posted: 20 Jul 2006
 

The purpose of this AppNote is to provide an overview of configuring and using Active Directory (AD) with Novell SecureLogin (NSL). It walks through the configuration of AD in a deployment scenario. Because AD can be deployed in many ways to suit the needs of an organization, this article concentrates on the case where AD is integrated with a DNS (Domain Name System) server running on the same machine.

  • Introduction
  • Configuring AD on a Windows 2003 Server
  • Schema Extension and User Rights Assignments on an AD Server
  • Configuring the NSL Windows client for use with AD
  • Conclusion

Introduction

Novell SecureLogin is a single sign-on (SSO) product that, after the initial network login, relieves Windows users of having to remember the user names and passwords for the various applications they use. The credentials are stored in the directory and entered automatically into the corresponding fields when a Windows, Java, Web or other application is launched. NSL can be used with most directories, including eDirectory and AD.

Active Directory is the distributed directory service included with Microsoft Windows Server 2003 and Microsoft Windows 2000 Server. It enables centralized, secure management of the users, computers and policies of an entire network. Depending on requirements, Active Directory is deployed as an internal directory, an external directory or an application directory.

This article describes the use of Active Directory with NSL in three stages:

  1. On the server side, configure Active Directory together with an integrated DNS server.
  2. On the AD server, perform the NSL-related Active Directory schema extension and user rights assignments.
  3. On the Windows client side, join the computer to the AD domain and install NSL in AD mode.

Configuring AD on a Windows 2003 Server

Before we get into the actual configuration of AD, let's check the minimum set of requirements that are to be met by the server:

  • An NTFS partition with sufficient space to support all installations
  • Administrative privileges to the Windows 2003 server
  • Network connection configured with all TCP/IP configurations
  • The Windows 2003 server CD

The steps to be followed to configure the AD with DNS integration are as follows:

  • Configuring the server suffixes
  • Configuring server TCP/IP settings
  • Creating a new DNS server for AD

Configuring the Server Suffixes

Setting the primary DNS suffix is the first step: it gives the server the fully qualified name (for example, server.girish.com) that the DNS zone and the new domain controller will use. The configuration can be done by using the following steps:

1. Right-click My Computer and select Properties.

Figure 1: Viewing the properties of the computer

2. Go to the Computer Name tab and click Change.

Figure 2: Computer Name properties window

3. Click More and change the Primary DNS Suffix of the computer to the domain name you will use. In this article the domain name being used is "girish.com".

Figure 3: Changing the Primary DNS Suffix of the computer

As Administrator, you'll be prompted to reboot the machine so that the changes take effect.

4. Click OK to restart the machine.

Figure 4: The Full computer name being changed after making changes

Configuring server TCP/IP settings

The domain controller must use its own IP address as the address of its DNS server. This server will host the DNS zone that Active Directory depends on, so it should query itself for name resolution rather than an external DNS server that does not hold the zone.

This can be done by using the following steps:

1. From the Start Menu go to Settings and then to Control Panel.

2. From Control Panel, choose Network and Dial-up Connections.

3. Right-click on Local Area Connection and Click Properties.

Figure 5:Local Area Connection Properties window

4. Go to the Properties of the Internet Protocol (TCP/IP) as shown.

5. Change the IP address of the Preferred DNS Server to be same as the Server IP address.

Note: This is true if the server will also be its own DNS server.

Figure 6: Internet Protocol (TCP/IP) Properties window

6. Click the Advanced tab to go to Advanced TCP/IP Settings.

7. Select "Append primary and connection specific DNS suffixes".

8. Check the "Append parent suffixes of the primary DNS suffix" and "Register this connection's addresses in DNS" options.

Figure 7: Advanced TCP/IP Settings window Properties after changes

9. Click OK to make all changes take effect.
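The same settings from the command line, as an added example that is not part of the AppNote: netsh sets the static address and the DNS server (the register=primary keyword is the command-line form of the "Register this connection's addresses in DNS" option), and ipconfig shows the result. The address 192.168.1.10/24, the gateway 192.168.1.1 and the connection name "Local Area Connection" are assumptions.

```batch
@echo off
REM Added example, not from the AppNote: command-line equivalent of the TCP/IP
REM steps for a server that will be its own DNS server.
REM Assumptions: address 192.168.1.10/24, gateway 192.168.1.1 (both constructed)
REM and a connection named "Local Area Connection".
setlocal
set CONN=Local Area Connection
set SELF=192.168.1.10

REM Static address for the future domain controller (a DC must not use DHCP).
netsh interface ip set address name="%CONN%" source=static addr=%SELF% mask=255.255.255.0 gateway=192.168.1.1 gwmetric=1

REM Preferred DNS server = this server; register=primary enables the
REM "Register this connection's addresses in DNS" behaviour.
netsh interface ip set dns name="%CONN%" source=static addr=%SELF% register=primary

echo === Confirm: primary DNS suffix, DNS server = own address, registration enabled
ipconfig /all | findstr /i /c:"Primary Dns Suffix"
ipconfig /all | findstr /i /c:"DNS Servers"
netsh interface ip show dns

REM The primary DNS suffix itself is still set from System Properties and needs a
REM reboot; the value behind that dialog is "NV Domain" under Tcpip\Parameters.
reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v "NV Domain"
endlocal
```

After the reboot, ipconfig /all should show girish.com as the primary DNS suffix and the server's own address under DNS Servers; if it shows another resolver, the dcpromo DNS diagnostics later in this article will complain that the zone cannot be found.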

Creating a New DNS server for AD

The Domain Name System (DNS) is the Active Directory locator: clients and administration tools query DNS for the service (SRV) records that identify the domain controllers to use for login and administration. For Active Directory and its clients to work properly, a DNS server must be installed and configured on the server.

The installation and configuration of the DNS server will involve the following activities:

  • Installing the DNS Service
  • Promoting the DNS server as Domain Controller
  • Enable Active Directory Integrated DNS

Installing the DNS Service

The DNS Service Installation involves the following steps:

  • Installing the DNS Server
  • Configuring the DNS Server
  • Enabling dynamic updates for Forward and Reverse Lookup Zones
  • Enabling DNS forwarding for Internet connections

DNS Server Installation

The DNS Server Installation can be done very easily by adding the corresponding DNS Server components from the Control Panel. The steps to be followed to perform this activity are:

1. From the Start Menu, go to Settings and choose Control Panel.

2. Choose Add/Remove Programs.

Figure 8: Add/Remove Programs window

3. From the above menu, choose the Add/Remove Windows Component option.

4. Find and select Networking Services, click Details, and make sure that Domain Name System (DNS) is checked. Click OK.

Figure 9: Networking Services option being chosen for DNS installation

5. Continue with the installation to finish the Add Component wizard.

DNS Server Configuration

The following steps will guide you through DNS configuration, using the DNS Manager snap-in in the Microsoft Management Console (MMC):

1. From the Start Menu, go to Programs > Administrative Tools > DNS Manager.

Figure 10: Launching DNS Management console

2. From the DNS management MMC console, right-click the server and choose "Configure a DNS Server". The "Configure a DNS Server" wizard is triggered.

Figure 11: Running DNS server configuration wizard

3. Click Next to start the wizard.

Figure 12: Start of DNS server configuration wizard

4. Select the "Create a forward lookup zone" and click Next. The new forward lookup zone must be a primary zone so it can accept dynamic updates.

5. Choose the option "This Server maintains the zone" and proceed.

Figure 13: Creating the Forward lookup zone

Figure 14: Choosing Primary Server Location for the zone

6. At the prompt, type the name of the zone and click Next. Note: the zone name must be exactly the same as your Active Directory domain name (girish.com in this article).

Figure 15: New zone name for the DNS namespace

7. Accept the default settings and click Finish to complete the wizard.

Figure 16: Final DNS Server Wizard window

Enabling Dynamic Updates for Forward and Reverse Lookup Zones

Dynamic updates let the domain controller and the domain members register their own host (A), pointer (PTR) and service locator (SRV) records instead of you maintaining them by hand. Without them the domain controller's locator records are never published and clients cannot find it, so enabling them is strongly recommended. Follow these steps:

1. From the Start Menu, go to Programs > Administrative Tools > DNS Manager.

2. Expand the Forward Lookup Zones folder.

3. Right-click the zone you created and choose Properties.

Figure 17: Forward lookup zone properties window

4. On the General tab, set Dynamic updates to "Nonsecure and secure".

Note: "Nonsecure and secure" accepts record updates from any host that can reach the server, without authentication, so any machine on the network can register or overwrite a name in the zone. It is the only update-enabled choice for a standard (file-backed) primary zone. Once the zone has been stored in Active Directory (see "Enabling Active Directory Integrated DNS" below), change this setting to "Secure only", which accepts updates only from authenticated domain members and lets the ACL on each record control who may change it.

5. Click OK to accept the changes.

6. Expand the Reverse Lookup Zones folder. No zones exist there yet, so right-click the folder, choose New Zone and run the wizard. A reverse lookup zone translates IP addresses back into DNS names.

7. Select the Primary zone option and click Next to continue.

Figure 18: Reverse Lookup zone creation wizard

8. Specify the network ID of the subnet the zone covers (for a class C network, the first three octets of the address).

Figure 19: Network ID being specified for the Reverse Lookup zone

9. When you are prompted to create a new zone file, accept the default name and click Next.

Figure 20: New zone file creation

10. When prompted about dynamic updates, select "Do not allow dynamic updates" and click Next. You will turn updates on from the zone's Properties in the steps that follow.

Figure 21: Disabling Dynamic updates for DNS clients

11. Click Finish to complete the wizard.

Figure 22: Finishing the Reverse Lookup zone wizard

12. Expand the Reverse Lookup Zones folder.

13. Right-click the zone you created, then select Properties.

14. On the General tab, set Dynamic updates to "Nonsecure and secure". The same caveat applies as for the forward zone: switch to "Secure only" once the zone is stored in Active Directory.

15. Click OK to accept the changes.

Figure 23: Dynamic updates for reverse Lookup zones

Enabling DNS forwarding for Internet connections

DNS forwarding for Internet-related queries can be enabled by using the following steps:

1. From the Start Menu, go to Programs > Administrative Tools > DNS Manager.

2. Right-click the DNS Server object for your server in the left pane of the console, and select Properties.

3. Click the Forwarders tab.

4. In the IP address box, enter the addresses of the DNS servers to which queries for names outside your zones should be forwarded, typically your organization's or ISP's resolvers. The server highest in the list is tried first; if it does not respond within the forwarding time-out, the query is sent to the next server in the list.

Figure 24: Enabling DNS forwarding

Promoting the DNS server as Domain Controller

In order to promote the DNS server as a Domain Controller integrated with the AD, you need to install Active Directory on the server. Follow these steps:

1. From the Start Menu, choose Run.

2. Enter the command "dcpromo" to start the Active Directory Installation wizard.

3. Click Next to continue with the installation.

Figure 25: Active Directory Installation wizard

4. Choose the option "Domain Controller for a new domain" and click Next to continue.

Figure 26: Choosing to install a new domain controller

5. Choose the option "Domain in a new forest" and click Next to continue.

Figure 27: Choosing Domain in a New forest option

6. Provide the full DNS name of the domain and click Next to continue.

Figure 28: Providing the new domain name

7. When the chosen NetBIOS domain name appears, check it and click Next to continue.

Figure 29: NetBIOS name being chosen for the domain

8. Accept the Database and Log file location dialog box being shown and click Next to continue.

Figure 30: Choosing the default database and log folder paths

9. Accept the Sysvol folder location dialog box being shown and click Next to continue.

Figure 31: Choosing the default sysvol location for the domain's public files

The DNS registration diagnostics will be run and you will be shown a final confirmation dialog.

10. Click Next to continue.

Figure 32: DNS registration diagnostics results

11. Accept the "Permissions compatible only with Windows 2000 or Windows Server 2003" setting unless you have legacy applications running on pre-Windows 2000 servers. The pre-Windows 2000 option adds Everyone (and, on Windows Server 2003, Anonymous Logon) to the Pre-Windows 2000 Compatible Access group, which allows unauthenticated reads of user and group information from the directory.

12. Click Next to continue.

Figure 33: Providing compatibility permissions

13. Enter the Directory Services Restore Mode administrator password and click Next to continue. This is a local credential held on the domain controller, separate from the domain Administrator password; it is required to boot the DC into Directory Services Restore Mode for an offline restore, so record it and protect it as you would a domain administrator password.

Figure 34: Restore mode administrator password

14. Review your settings and click Next to continue

Figure 35: Final settings details before configuring

15. Click Next to continue with configuring the Active Directory. The Active Directory installation completion window appears.

16. Choose Finish to complete the process.

Figure 36: Active Directory installation completion window

Enabling Active Directory Integrated DNS

Active Directory Integrated DNS uses the directory for the storage and replication of DNS zone databases. In order to enable this we need to perform the following steps:

1. From the Start Menu go to Programs > Administrative Tools > DNS Manager.

2. Expand the Forward Lookup Zones folder.

3. Right-click the zone you created, and then click Properties.

4. On the General tab, the Zone Type value is set to Primary. Check the box "Store the zone in Active Directory " and click OK.

Figure 37: Storing the zone information in AD

5. When prompted whether you want this zone to become Active Directory integrated, click Yes to finish the server setup.

Figure 38: Prompt to integrate the zone into AD
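The verification and hardening steps a practitioner would run once the server is a domain controller and the zone is stored in Active Directory, as an added example that is not taken from the AppNote; it also completes the dynamic-update section above, since "Secure only" can only be applied to an AD-integrated zone. Assumes the domain girish.com from the article; the DC address 192.168.1.10 and the forwarder addresses 10.0.0.1 and 10.0.0.2 are constructed. dnscmd, nltest and dcdiag come from the Windows Server 2003 Support Tools; dcdiag /test:dns needs the SP1 or later version.

```batch
@echo off
REM Added example, not from the AppNote: verify the DNS/AD state after dcpromo
REM and harden the zone's dynamic-update policy.
REM Assumptions: domain girish.com (from the article), DC address 192.168.1.10
REM and forwarders 10.0.0.1 / 10.0.0.2 (all three constructed). Run on the DC.
setlocal
set DOMAIN=girish.com
set DCADDR=192.168.1.10

echo === Zone type and update policy (AllowUpdate 0=none, 1=nonsecure+secure, 2=secure only)
dnscmd . /ZoneInfo %DOMAIN%

echo === Store the zone in AD (same effect as the "Store the zone in Active Directory" checkbox)
dnscmd . /ZoneResetType %DOMAIN% /DsPrimary

echo === Now that the zone is AD-integrated, accept updates only from authenticated members
dnscmd . /Config %DOMAIN% /AllowUpdate 2

echo === Send queries for other namespaces to the corporate/ISP resolvers
dnscmd . /ResetForwarders 10.0.0.1 10.0.0.2 /Timeout 3

echo === Re-register this DC's host record and its locator (SRV) records
ipconfig /registerdns
net stop netlogon && net start netlogon

echo === Can a client find a domain controller through DNS?
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DCADDR%
nslookup -type=SRV _kerberos._tcp.%DOMAIN% %DCADDR%
nltest /dsgetdc:%DOMAIN%

echo === Full DNS health check of the DC
dcdiag /test:dns /v
endlocal
```

The decisive check is the SRV lookup: if _ldap._tcp.dc._msdcs.girish.com returns no record, clients cannot locate the domain controller and every domain join will fail, whatever the A records say. The /AllowUpdate 2 call follows /ZoneResetType deliberately, because secure-only updates are rejected on a file-backed primary zone.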

Performing an NSL-related Active Directory Schema Extension and User Rights Assignments on the AD Server

Once you are done with the all the AD related installations and configurations, you need to do some more NSL-related user rights assignments and schema extensions.

SecureLogin adds six attributes to the directory schema. They are added with the schema extension tool for the directory chosen to store the SecureLogin data: ndsschema.exe in a Novell eDirectory environment, adsschema.exe in an Active Directory environment. These attributes hold the encrypted SecureLogin data that is stored against directory objects such as user objects and organizational units.

The directory schema extensions and user rights assignments are performed by following the steps below:

1. Ensure that you are logged in to AD as a member of Schema Admins (extending the schema requires more than Domain Admins membership) and that the domain controller holding the schema master role is reachable; in a new single-DC forest such as the one built above, that is the server itself.

2. From the \SecureLogin\Tools folder, launch the "adsschema.exe" program.

3. The option "Extend Active Directory Schema" is already selected; click OK to perform the schema extension.

Figure 39: "adsschema.exe" tool being launched to extend the directory schema

Once the extension happens without any issues, a dialog box shows the message indicating the successful completion of the operation.

Figure 40: Schema extension successful message

Once the schema extension is done, the next step is to grant users the rights to write to the new SecureLogin attributes on their own user objects.

4. Use the "Assign User Rights" option of the tool as shown below.

Figure 41: "adsschema.exe" tool being launched to "Assign User Rights"

5. Provide the context of the Container object under which the user objects have been created.

Figure 42: Providing the context of the container under which the user objects are stored

A dialog indicates the successful completion of the rights assignment.

Figure 43: Successful completion of rights assignments
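Checks to run before and after adsschema.exe, as an added example that is not from the AppNote or from the NSL tools. Before the extension it confirms which DC is the schema master and who is in Schema Admins; afterwards it exports the attributeSchema objects created on the day of the extension, so the six new attributes can be reviewed without knowing their names in advance, and it confirms that the rights assignment left an ACE for SELF on the user container. Assumes girish.com from the article; the container CN=Users,DC=girish,DC=com, the output file name and the date in the whenCreated filter are constructed. dsquery, dsget and ldifde ship with Windows Server 2003; dsacls is in the Support Tools.

```batch
@echo off
REM Added example, not from the AppNote: checks around the NSL schema extension
REM and user rights assignment.
REM Assumptions: domain girish.com (from the article); user container
REM CN=Users,DC=girish,DC=com and the whenCreated date are constructed.
setlocal
set ROOT=DC=girish,DC=com
set USERS=CN=Users,%ROOT%

echo === Schema changes are written only on the schema master; run adsschema.exe against it
dsquery server -hasfsmo schema

echo === The account running adsschema.exe must be a member of Schema Admins
dsget group "CN=Schema Admins,%ROOT%" -members

echo === After the extension: export attribute definitions created on the extension date
ldifde -f nsl-schema.ldf -d "CN=Schema,CN=Configuration,%ROOT%" -r "(&(objectClass=attributeSchema)(whenCreated>=20060720000000.0Z))" -l cn,lDAPDisplayName,attributeSyntax
type nsl-schema.ldf

echo === After "Assign User Rights": the container ACL must carry write ACEs for SELF
dsacls "%USERS%" | findstr /i "SELF"
endlocal
```

The whenCreated filter works because Active Directory stamps every schema object with its creation time; adjust the date to the day you ran the tool. If the dsacls output shows no SELF entries, the rights assignment was run against a different container than the one that actually holds the user objects, and SecureLogin will fail to save credentials for those users.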

Configuring the NSL Windows Client with AD

Once the AD server is set up with DNS integration, the next step is to bring the Windows client into the AD domain. Two things are needed before you can start using NSL with AD:

  • Join the Windows XP/Windows 2000 client to the AD domain
  • Install NSL in AD mode

Joining the Windows XP/Windows 2000 client to the AD domain

You can join the Windows client to the AD domain by following the steps below:

1. Because the AD is DNS integrated, set the client's preferred DNS server to the IP address of your AD server, as shown below. The client locates the domain controller through the SRV records in that zone; if it points at a DNS server that does not hold them, the join fails because the domain cannot be found.

Figure 44: Changing the Preferred DNS server IP to be same as AD server

2. Add the computer to the AD domain. On the Desktop, right-click My Computer and select Properties, as shown below.

Figure 45: Adding the computer to the AD domain

3. In the System Properties window, click the Computer Name tab.

4. Click the Change button.

5. Under "Member of", select Domain, enter the domain name as shown and click OK. You will be prompted for the user name and password of a user with permission to join computers to the domain.

Figure 46: Prompting to provide credentials for adding computer to AD domain

A welcome message for joining the domain appears.

Figure 47: Welcome message from AD domain
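Joining from the command line and verifying the join, as an added example that is not from the AppNote. Assumes girish.com from the article, a DC at 192.168.1.10 (constructed) and the connection name "Local Area Connection"; netdom and nltest are in the Support Tools, and the commands are run as a local administrator on the client.

```batch
@echo off
REM Added example, not from the AppNote: join a Windows XP/2000 client to the
REM domain from the command line and verify the result.
REM Assumptions: domain girish.com (from the article), DC at 192.168.1.10
REM (constructed), connection named "Local Area Connection".
setlocal
set DOMAIN=girish.com
set DCADDR=192.168.1.10

echo === 1. The client must resolve the AD locator records, so use the DC as its DNS server
netsh interface ip set dns name="Local Area Connection" source=static addr=%DCADDR% register=primary
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%

echo === 2. Join the domain; /passwordd:* prompts for the joining account's password
netdom join %COMPUTERNAME% /domain:%DOMAIN% /userd:%DOMAIN%\Administrator /passwordd:*

echo === 3. Reboot, then run the checks below to confirm the secure channel to a DC
echo    nltest /sc_query:%DOMAIN%
echo    nltest /dsgetdc:%DOMAIN%
endlocal
```

After the reboot, nltest /sc_query:girish.com should report the name of the DC and a status of Success; a failure here means the computer account exists but the machine cannot authenticate to the domain. Note that by default any authenticated domain user can join up to ten computers to the domain (the ms-DS-MachineAccountQuota attribute on the domain object), so "a user with permission to join computers" is, out of the box, almost anyone; set the quota to 0 or pre-create the computer accounts if joins should be restricted to administrators.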

Installing NSL in AD Mode

Once the Windows client computer gets added as part of the AD domain, you just need to install the NSL in AD mode to start using it.

For further information on installing NSL in AD mode, refer to the Novell SecureLogin 6.0 Installation Guide at the link below:

http://www.novell.com/documentation/securelogin60/index.html

Conclusion

This AppNote is written for NSL customers who want to use DNS-integrated AD on a Windows 2003 server. It covers the steps needed to configure AD and its DNS server, extend the schema and assign rights for NSL, and join a client so that NSL can be used with AD.



© 2014 Novell