Setting Up NT Domain

For the default NetWare 6.5 setup, the driver for NT is installed on the Primary Domain Controller.

NOTE:  Additional installation options are explained in Planning Considerations in the Implementation Guide for the NT Driver.

To synchronize account information for NT Domain users, complete the following sections: Prerequisites, Collecting Configuration Information, Creating an Authoritative User, Granting Rights to the Driver, and Installing and Configuring the Remote Loader and Driver.


Prerequisites

The computer where you will install the Remote Loader and the driver must be running Windows NT* 4 with Service Pack 6a or later.


Collecting Configuration Information

You'll need to provide a number of system-specific details when you configure the DirXML driver for NT Domain. Some of these details can be collected before you complete the following procedures, and others will be defined during the process.

During the configuration process, you will need to provide the container names for placement of synchronized objects. For more information about NT placement options, see Default Driver Settings for NT Domain .


Required Driver Configuration Information for NT Domain

IMPORTANT:  The data you supply during configuration is used to build DirXML rules. Often case is significant to a rule. Mirror case when entering the requested data.

System / Value

Domain Server (example: DOMAIN_SERVER)
    If necessary, ask the NT Administrator for this information.

Domain Name (example: DOMAIN_NAME)
    If necessary, ask the NT Administrator for this information.

Authoritative User
    Used by the driver to access objects necessary for data synchronization. To create this user, see Creating an Authoritative User.

Authoritative Password
    Password for the above user. Can be set when Creating an Authoritative User.

eDirectory Container (example: Users.MyOrganization)
    The container holding objects to synchronize with NT. If this container does not exist, you must create it before starting the driver.

Remote Host and Port
    Specify the port when Installing and Configuring the Remote Loader and Driver.

Driver Password
    Specify the password when Installing and Configuring the Remote Loader and Driver.

Remote Password
    Specify the password when Installing and Configuring the Remote Loader and Driver.

Figure 18: NT Configuration Form

Creating an Authoritative User

The driver needs Read/Write rights to the domain. You can configure the driver to use any existing account with the appropriate rights. However, to ease future management, we recommend that you create a new account to be used exclusively by the driver.

  1. Click Start > Programs > Administrative Tools (Common) > User Manager for Domains.

  2. In the User Manager dialog box, select User > New User.

  3. Specify a username and password.

    Record the Authoritative user information in the table under Required Driver Configuration Information for NT Domain .

  4. Unmark User Must Change Password at Next Logon, then mark Password Never Expires so that a password policy won't disable the driver unexpectedly.

  5. Click Groups, then move Domain Admins to the Member of list.

  6. Click Set, then click OK.

  7. Click Add, then close the New User dialog box.

  8. Continue with the next section, Granting Rights to the Driver .


Granting Rights to the Driver

You need to grant rights to the authoritative user that the driver uses so that it can access the SAM keys in the registry of the server that has the domain you want to use.

Making the driver's user equivalent to Administrator gives the driver rights to read and write to the domain, but, by default, even the Administrator cannot access the SAM key in the registry until you explicitly assign that access.

  1. Log in to NT as Administrator.

  2. Run regedt32.

  3. Select the HKEY_LOCAL_MACHINE window.

  4. Select the SAM key, then go to the Security menu and select Permissions.

  5. Mark Replace Permission on Existing Subkeys.

  6. Give Full Control permission to Administrators, then click OK.

  7. Click Yes to replace the permission on all existing subkeys within the SAM.

  8. Close the registry and continue with the next section, Installing and Configuring the Remote Loader and Driver .


Installing and Configuring the Remote Loader and Driver

The Remote Loader allows you to run the driver on a computer other than the server hosting the DirXML engine.

  1. At the NT computer that will host the driver, insert the DirXML CD into the CD drive. The CD may take a moment to load. Then, at the Welcome page, click Next.

  2. Read the license agreement; if you agree to the terms, click I Accept.

  3. On the Components page, select DirXML Remote Loader and Drivers, then click Next.

  4. Accept the default installation path for the Remote Loader, then click Next.

  5. Mark the following items, then click Next.

  6. Review the Product Summary, then click Finish to install the Remote Loader files.

  7. When prompted, create a shortcut.

  8. On the Installation Complete page, click Close.

  9. Run the DirXML Remote Loader Configuration Wizard from your desktop.

  10. On the Welcome page, click Next.

  11. Keep the default Command Port number, then click Next.

  12. Keep the default Configuration File Name, then click Next.

  13. On the DirXML Driver page, mark Native, browse to and select the NT Domain driver (c:\Novell\Remoteloader\NTDomainShim.dll) then click Next.

  14. On the Connection to DirXML page, leave the default Port settings and Addresses.

  15. If appropriate for your environment, mark Use SSL and browse to the Trusted Root Certificate.

    Using SSL with Remote Loader encrypts the communication between the Remote Loader and the DirXML engine.

    You can create a Server Certificate object and then export a self-signed root certificate from your Organizational CA as explained in Exporting the Organizational CA's Self-Signed Certificate. Save the certificate file in base64 format and copy it to a local directory on the computer hosting the Remote Loader.

    IMPORTANT:  If you use SSL, then after the driver configuration is imported you must:
    - Use iManager to edit the Authentication section of the Driver Parameters. In the Remote Loader Connection Parameters, add a reference to the certificate as shown in the following example:
      hostname=192.168.0.1 port=8090 kmo=servernamecert
    - Re-enter the application and the Remote Loader passwords.

  16. Record the port number in the table under Required Driver Configuration Information for NT Domain , then click Next. This information will be required later during driver parameter configuration.

  17. Set Trace Level to 3 so that you'll get adequate tracking data from the Remote Loader for troubleshooting.

    Trace information can include general state information, event information, warning messages, error messages, etc.

    Trace Level   Information
    0             No information display or tracking
    1             General informational messages about processing
    2             Level 1 messages plus the XML documents that are passed between the engine and the driver
    3             Level 2 messages plus documents sent and received between the Remote Loader and the DirXML engine
    4             Level 3 messages plus information about the connection between the Remote Loader and the DirXML engine

  18. Specify a location and filename for the trace file, then click Next.

    The default location is c:\Novell\RemoteLoader.

    IMPORTANT:  The trace file is a tool to help you monitor events during startup or when you are troubleshooting. Messages will be logged to this file continuously, making it grow until it fills the available disk space. Ensure the location of this file is appropriate for your environment.

    After you're satisfied that the driver is running as expected, you can reset the Trace Level to 0. Then use the Windows Event Viewer found under Administrative Tools or the eDirectory Report and Notification Service to monitor events on an ongoing basis.

    Ensure that this path exists. If the path does not exist, messages will not be logged.

    If the path to the trace file includes spaces, enclose the path in quotes. For example, type "c:\documents and settings\Administrator\My Documents". If the trace level is greater than 0, trace messages will be written to the log file even if the trace window is not open.

    If you are running multiple Remote Loader sessions on a single computer, you should create separate trace files for each session.

  19. Mark Install the Remote Loader Instance as a Service, then click Next.

    Installing Remote Loader as a service allows the Remote Loader to continue to run, even when you log off.

  20. Set Remote Loader and Driver Object passwords.

    We recommend keeping remote passwords and driver passwords the same across systems and changing them later when you go to production.

    Record the passwords in the table under Required Driver Configuration Information for NT Domain . This information will be required later during driver parameter configuration.

  21. Review the summary, then click Finish.

  22. When prompted, start the service.

    You will see the Trace screen with messages indicating that Remote Loader is waiting for a DirXML connection.

    NOTE:  If you close the Trace screen and then want to open it again, you can do so at a command prompt by entering dirxml_remote -window on.

    To stop or start the service, locate DirXML Loader in Microsoft Services (Start > Settings > Control Panel > Administrative Tools > Services).

    The NT system is prepared to synchronize data. Complete preparation of other participating systems and then proceed to Configuring the DirXML Drivers .
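The Remote Loader Connection Parameters string entered in step 15 (hostname=... port=... kmo=...) is easy to get subtly wrong: a missing kmo= reference silently leaves the engine-to-Remote-Loader link unencrypted even though Use SSL was marked, and a port that differs from the one recorded in the configuration table means the engine never connects. The following script is an added example, not Novell's code; it assumes only the space-separated key=value layout shown in the guide, and the SSL-consistency and recorded-port checks are illustrative.

```python
"""Check a DirXML Remote Loader connection-parameter string before importing it.

Added example, not Novell's code. Assumes the key=value, space-separated
layout shown in the setup guide (hostname=... port=... kmo=...); the
checks below are illustrative, not the driver's own validation.
"""
import ipaddress
import re

# RFC 1123-style host label pattern; an assumption made for illustration.
_HOST_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_HOST_LABEL}(?:\.{_HOST_LABEL})*$")


def parse_connection_params(text):
    """Split 'key=value key=value ...' into a dict, rejecting malformed input."""
    params = {}
    for token in text.split():
        if "=" not in token:
            raise ValueError(f"malformed token, expected key=value: {token!r}")
        key, value = token.split("=", 1)
        key = key.lower()
        if not value:
            raise ValueError(f"empty value for {key!r}")
        if key in params:
            raise ValueError(f"duplicate key {key!r}")
        params[key] = value
    return params


def validate_connection_params(params, use_ssl, recorded_port):
    """Return a list of problems; an empty list means the string is consistent.

    use_ssl:       whether 'Use SSL' was marked in the Remote Loader wizard.
    recorded_port: the command port recorded in the configuration table.
    """
    problems = []

    host = params.get("hostname")
    if host is None:
        problems.append("hostname is missing")
    else:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            if not HOSTNAME_RE.match(host):
                problems.append(
                    f"hostname {host!r} is neither an IP address nor a valid host name")

    port = params.get("port")
    if port is None:
        problems.append("port is missing")
    elif not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"port {port!r} is not in 1-65535")
    elif int(port) != recorded_port:
        problems.append(
            f"port {port} does not match the recorded Remote Loader port {recorded_port}")

    kmo = params.get("kmo")
    if use_ssl and kmo is None:
        problems.append("Use SSL is marked but no kmo= certificate reference is present; "
                        "the engine-to-Remote-Loader link will not be encrypted as intended")
    if not use_ssl and kmo is not None:
        problems.append("kmo= is present but Use SSL was not marked in the wizard")

    return problems


if __name__ == "__main__":
    # Constructed sample, taken from the example line in the guide.
    sample = "hostname=192.168.0.1 port=8090 kmo=servernamecert"
    parsed = parse_connection_params(sample)
    print(parsed)
    print(validate_connection_params(parsed, use_ssl=True, recorded_port=8090))
```

Run it against the string you intend to paste into iManager, with use_ssl set to what you chose in the wizard and recorded_port taken from your configuration table; an empty result means the three values agree with each other, which is the check worth doing before the first driver start.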