6.1 Installing and Configuring DSfW Using the YaST Administrative Tool

This section describes how to install and configure DSfW using the YaST administrative tool. It covers the following topics:

6.1.1 Prerequisites for Installation

  • Before you proceed with the installation, please review the details in Planning for DSfW.

  • If you are installing a Child Domain Controller (CDC) or an Additional Domain Controller (ADC) in a domain with OES 2018 SP2, ensure that all the existing domain controllers (FRD, CDC, and ADC) in the domain are upgraded to OES 2018 SP2. Domain controllers running different OES versions within one domain (a mixed-mode configuration) are not supported in OES 2018 SP1 and later.

    If such a configuration is attempted, an error message is displayed and the installation does not proceed.

6.1.2 Installation Scenarios

DSfW can be installed in the following scenarios:

Installing a Forest Root Domain

  1. In the YaST install for OES, on the Software Selections page, ensure that DNS is selected. Then select the OES Domain Services for Windows pattern.

    Pattern deployment provides patterns for different services. Selecting a pattern automatically selects and installs its dependencies.

    For information about the entire OES installation process, see the OES 2018 SP2: Installation Guide.

  2. Click Accept.

  3. Select the type of Domain Services for Windows configuration you want:

    1. To install a forest root domain (FRD), select the New Domain Services for Windows Forest option.

    2. Select the Express Install option to deploy a domain controller by automatically populating certain YaST configuration fields. For more information, see Section 6.1.3, Express Installation.

    3. Click Next.

  4. On the eDirectory configuration page, choose whether to install into an existing eDirectory tree or create a new tree.

    New Tree: Select the New Tree option if this is the first server to go into the tree or if this server requires a separate tree. Keep in mind that this server will have the master replica for the new tree, and that users must log in to this new tree to access its resources.

    Existing Tree: Select the Existing Tree option if you want to incorporate this server into an existing eDirectory tree. This server might not have a replica copied to it, depending on the tree configuration.

    Use eDirectory Certificates for HTTPS Services: Select Use eDirectory certificates for HTTPS Services if you want your OES services that provide HTTPS connectivity to use the more secure eDirectory certificates instead of the self-signed certificates created by YaST.

    Require TLS for Simple Binds with Password: Select the Require TLS for Simple Binds with Password option if you want to disallow sending passwords and other data in clear text.

    By default, the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols are not enabled in Active Directory.

    Install SecretStore: Select Install SecretStore if you want to eliminate the need to remember or synchronize all the multiple passwords required for accessing password-protected applications.

  5. Click Next to continue.

  6. Specify information to access the existing eDirectory tree.

    This screen is displayed only if you select the Existing Tree option in Step 4.

    1. Specify the IP address of an existing eDirectory server.

    2. Do not change the NCP Port, LDAP Port, and Secure LDAP Port information.

    3. Specify the tree admin credentials for the administrator to log in to the eDirectory tree. For information about the special characters that you can use while specifying the password, see Section 5.14, Supported Special Characters in DSfW Passwords.

    4. Click Next.

  7. Specify the Domain Name and NetBIOS information:

    DNS Name for New Domain: The DNS name for the new domain is automatically populated based on the Hostname and DNS configuration settings.

    You must ensure that the host name in the properties of the active Ethernet controller is an FQDN. For example, if the host name is dc1 and the domain name is dsfw.com, then the host name in the YaST > Network Devices > Network Settings > Hostname/DNS tab of the active Ethernet controller must be dc1.dsfw.com. You can modify the host name of the active Ethernet controller by using the Edit option in the Overview tab of the LAN settings in YaST.

    Configure this Server as a DNS Server: If you want this server to be a DNS server for the domain, select the Configure this server as a DNS Server option. If this option is not selected, you must ensure that a DNS server that contains the domain names for Domain Services for Windows is available somewhere in the network.

    NetBIOS Domain Name: The NetBIOS Domain name is automatically populated based on the Hostname and DNS configuration settings.

    By default, this is the domain context name without the parent context. For example, in the cn=central,dc=example,dc=com domain, the default NetBIOS name is central.

    Configure this machine to be a WINS server: If you want this server to be a WINS server, select the Configure this machine to be a WINS server option. For more information about WINS, see Section 17.0, Configuring DSfW Server as a WINS Server.

    Site Name of Domain Controller: Default-First-Site-Name is specified as the site name by default. To create a new site, specify the site name or click Browse to specify a site from the list of sites. For more information about sites and subnets, see Section 25.0, Configuring Sites and Subnets.

  8. Specify details to map the existing eDirectory container to the new domain.

    This screen is displayed only if you select the Existing Tree option in Step 4.

    Specify the domain administrator password in both fields. For information about the special characters that you can use while specifying the password, see Section 5.14, Supported Special Characters in DSfW Passwords.

    The administrator name is hard-coded. However, after you finish DSfW installation and configuration (post provisioning), you can modify administrator details such as the administrator name. For more information, see Section 9.2, Renaming Administrator Details Using MMC.

    FQDN of the eDirectory Container: Specify the Fully Qualified Domain Name of the existing eDirectory container that you want to be mapped to the new domain.

    IMPORTANT: A DSfW domain can only be created in Organization (O), Organizational Unit (OU) and Domain Component (DC) containers. Installing a name-mapped domain to map Country and Locality containers is not supported. However, you can map O and OU under these containers.

    Retain Existing NMAS Password Policies: If you select the Retain existing NMAS Password Policies option, the password policies assigned to the users within the container that is mapped to the new domain do not change. However, the password policies outside the partition boundary are not carried forward. You need to create a new password policy assigned to the partition root. For details on creating a new password policy, see Creating Password Policies. For information about default password policy settings for DSfW, see Section D.0, DSfW Password Policy Attributes.

  9. Specify a reliable Network Time Protocol (NTP) provider.

    eDirectory requires that all servers in a tree be time-synchronized. To add multiple time servers to the list of NTP servers, click the Add button and specify the IP address or DNS host name of the NTP server. In a single-server scenario, you can select the Use local clock check box and specify the local machine as the NTP provider.

  10. Click Next.

    NOTE: If you are using the Express install, Step 11 through Step 17 are not displayed.

  11. Specify the settings to configure the local server in the eDirectory tree:

    1. Leave the location of the Directory Information Base (DIB) at the default setting.

    2. Leave the iMonitor Port settings at the defaults unless you need to change them to avoid port conflicts with other services.

    3. Leave the Secure iMonitor Port settings at the defaults unless you need to change them to avoid port conflicts with other services.

    4. Click Next to continue.

  12. Specify details to configure SLP:

    Multicast to access SLP: Select the Use multicast to access SLP option to request SLP information through a multicast packet.

    Configure SLP to use an Existing Directory Agent: If you have more than three servers in your eDirectory tree, and you already have a Directory Agent running, select the Configure SLP to use an existing Directory Agent option.

    Configuring Directory Agent: Select the Configure as Directory Agent option if you want the local server to act as a directory agent.

    • Select the DASyncReg check box to enable SLP to query statically configured directory agents for registrations.

    • Select the Backup SLP Registrations check box to enable periodic backup of all registrations. In the Backup Interval in Seconds field, specify the time interval (in seconds) between backups.

    Service Location Protocol Scopes: In the Service Location Protocol Scopes field, specify the scope that a User Agent (UA) or Service Agent (SA) is allowed when making requests or when registering services, or specify the scope that a Directory Agent (DA) must support.

    The default value is DEFAULT. Use commas with no space to separate each scope. For example:

    net.slp.useScopes = myScope1,myScope2,myScope3

    Configuring SLP Directory Agents: In the Configured SLP Directory Agents field, specify the host name or IP address of one or more external servers on which an SLP Directory Agent is running. Do not specify the local host.

    To add an agent, click Add. In the SLP DA Server field, specify a server's DNS name or IP address, then click Add.

    To remove an agent, select one or more agents to remove, then click Delete.

  13. Click Next.

  14. Select the authentication service you want to install:

    NOTE: The SASL GSSAPI mechanism is an eDirectory-specific SASL mechanism. It is not used on a DSfW server. The DSfW-specific SASL GSSAPI mechanism is extended during DSfW configuration by default.

  15. Click Next.

  16. Specify the common proxy details:

    1. To use a common proxy for DSfW, select the Use Common Proxy User as default for OES Products check box. When this check box is selected, the OES Common Proxy User Name and Password fields are enabled. These fields are populated with a system-generated user name and password. To change these values, see Step 16.b.

      or

      If you do not want to use a common proxy, clear the check box and click Next. Then continue with Step 17.

    2. Specify the following information:

      • The common proxy user name. You must specify a fully distinguished name.

      • The proxy user password.

      • Retype the password in the Verify OES Common Proxy User Password field.

    3. To assign a common proxy password policy to the proxy user, select the Assign Common Proxy Password Policy to Proxy User check box.

    4. Click Next to continue.

  17. Specify the details to configure the DNS server:

    1. If you are configuring DNS in an existing tree where DNS is already configured, select the Get context and proxy user information from existing DNS server check box. Specify the IP address of an NCP server hosting the existing DNS server and click Retrieve. This retrieves the Locator, Root Server Info, and Group contexts.

      NOTE: Before running the configure DNS task in the DSfW provisioning wizard, ensure that the partition hosting the Locator, Root Server Info, and Group contexts has a local replica on the DSfW server that is being configured.

    2. If there is no existing DNS server in the tree, specify the following information:

      • The context of the DNS service locator object (for example, ou=OESSystemObjects,dc=dsfw,dc=com).

      • The context of the DNS Root ServerInfo object (for example, ou=OESSystemObjects,dc=dsfw,dc=com).

      • The context of the DNS Services Group object (for example, ou=OESSystemObjects,dc=dsfw,dc=com).

    3. Specify the fully distinguished, typeful name of the proxy user that is used for DNS management (for example, cn=OESCommonProxy_server1,ou=OESSystemObjects,dc=com). This user authenticates to eDirectory at runtime to access DNS information, and must have eDirectory read, write, and browse rights under the specified context.

    4. Specify the password of the proxy user for accessing DNS.

      If you selected the Use Common Proxy User as default for OES Products check box in Step 16.a, the proxy user and password fields are populated with common proxy user name and password.

    5. Decide whether to use a secure LDAP port.

      The Use Secure LDAP Port option is selected by default to ensure that the data transferred by this service is secure and private. If you deselect this option, the data is transferred in clear text.

    6. Specify the Credential Storage Location as OES Credential Store.

    7. Click Next to continue.

  18. After the installation is complete, the OES Configuration Summary page is displayed. Review the settings, then click Next to start the DSfW installation.

  19. When the installation is complete, click Finish.

    This completes the DSfW installation. However, the server is not ready for use until you provision DSfW and the supporting services.

  20. To start provisioning, do one of the following:

    • From the terminal, run the /opt/novell/xad/sbin/provision_dsfw.sh script.

    • Launch YaST. The DSfW Provisioning Wizard is listed as an option.

    To authenticate, enter the password of the current domain.

    For more details on provisioning, see Provisioning Domain Services for Windows.

  21. When provisioning is complete, the DSfW server is ready for use. Verify that eDirectory and DSfW have been installed and configured correctly by using the instructions in Section 9.0, Activities After DSfW Installation or Provisioning.
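The wizard steps above take several hand-typed values whose format the page specifies but does not check for you: the FQDN host name of the active Ethernet controller (Step 7), the default NetBIOS name derived from the domain context (Step 7), the comma-separated SLP scope list (Step 12), and the typeful distinguished names of the common proxy user and the DNS proxy user (Steps 16 and 17). The following POSIX shell script is an added example, not part of the OES documentation or of the provision_dsfw.sh tooling; it assumes that `hostname -f` reports the host name YaST will use and that the intended domain is passed as the first argument. All sample values are constructed from the page's own examples.

```shell
#!/bin/sh
# Added pre-install check script (example code, not part of the OES
# documentation). It validates the values an administrator types into the
# YaST DSfW wizard before starting: the FQDN host name (Step 7), the default
# NetBIOS name derived from the domain context (Step 7), the SLP scope list
# (Step 12) and the typeful proxy user DN (Steps 16 and 17).
# Assumptions: `hostname -f` reports the host name YaST will use, and the
# DSfW domain name is passed as the first argument on a real server.

# check_fqdn_hostname HOST DOMAIN: 0 if HOST is "<label>.DOMAIN", else 1.
# DNS names are case-insensitive, so both inputs are lower-cased first.
check_fqdn_hostname() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$host" in
        *.*) ;;
        *) echo "not an FQDN: '$host' has no domain part" >&2; return 1 ;;
    esac
    # everything after the first dot must be exactly the DSfW domain
    if [ "${host#*.}" != "$domain" ]; then
        echo "'$host' is not in domain '$domain'" >&2; return 1
    fi
    label=${host%%.*}
    case "$label" in
        ""|*[!A-Za-z0-9-]*|-*|*-)
            echo "invalid host label '$label'" >&2; return 1 ;;
    esac
    return 0
}

# netbios_default DN: print the default NetBIOS name, i.e. the value of the
# domain context's first RDN (cn=central,dc=example,dc=com -> central)
netbios_default() {
    rdn=${1%%,*}
    printf '%s\n' "${rdn#*=}"
}

# check_slp_scopes LIST: 0 if LIST is one or more scope names separated by
# commas with no spaces, as net.slp.useScopes expects; else 1
check_slp_scopes() {
    case "$1" in
        ""|*" "*|*,,*|,*|*,)
            echo "bad SLP scope list '$1': comma-separated names, no spaces" >&2
            return 1 ;;
    esac
    return 0
}

# check_typeful_dn DN: 0 if every RDN is written as attribute=value (typeful),
# e.g. cn=OESCommonProxy_server1,ou=OESSystemObjects,dc=com; else 1.
# Limitation: RDNs are split on unescaped commas only (no RFC 4514 escaping).
check_typeful_dn() {
    dn=$1
    [ -n "$dn" ] || { echo "empty DN" >&2; return 1; }
    rest=$dn
    while :; do
        rdn=${rest%%,*}
        type=${rdn%%=*}
        value=${rdn#*=}
        case "$type" in
            ""|*[!A-Za-z0-9-]*)
                echo "RDN '$rdn' has no attribute type" >&2; return 1 ;;
        esac
        if [ "$rdn" = "$type" ] || [ -z "$value" ]; then
            echo "RDN '$rdn' is not attribute=value" >&2; return 1
        fi
        if [ "$rest" = "$rdn" ]; then break; fi   # last RDN consumed
        rest=${rest#*,}
    done
    return 0
}

# Stand-alone run: with a domain argument, check this server's own host name;
# without one, exercise the checks on constructed sample values from the page.
if [ $# -ge 1 ]; then
    check_fqdn_hostname "$(hostname -f)" "$1" && echo "host name OK for domain $1"
else
    check_fqdn_hostname dc1.dsfw.com dsfw.com && echo "dc1.dsfw.com: OK"
    echo "default NetBIOS name: $(netbios_default cn=central,dc=example,dc=com)"
    check_slp_scopes myScope1,myScope2,myScope3 && echo "SLP scopes: OK"
    check_typeful_dn cn=OESCommonProxy_server1,ou=OESSystemObjects,dc=com \
        && echo "proxy DN: OK"
fi
```

Run it as `sh dsfw_precheck.sh dsfw.com` on the server before launching YaST; a non-zero exit with a reason on stderr means the corresponding wizard field would be rejected or, for the host name, would produce a wrong DNS Name for New Domain. The checks deliberately mirror only what the page states (FQDN inside the domain, no spaces between scopes, attribute=value RDNs) rather than full DNS or LDAP syntax.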

Installing a Child Domain

  1. In the YaST install for OES, on the Software Selections page, ensure that DNS is selected. Then select the OES Domain Services for Windows pattern.

    Pattern deployment provides patterns for different services. Selecting a pattern automatically selects and installs its dependencies.

    For information about the entire OES installation process, see the OES 2018 SP2: Installation Guide.

  2. Click Accept.

  3. Select the type of Domain Services for Windows configuration you want:

    1. To create a new Domain in an existing Windows forest, select the New Domain in an Existing Domain Services for Windows Forest option.

    2. Select the Express Install option to deploy a Domain Controller by automatically populating certain YaST configuration fields. For more information, see Section 6.1.3, Express Installation.

    3. Click Next.

  4. On the eDirectory configuration page in YaST, specify the following:

    Use eDirectory Certificates for HTTPS Services: Select Use eDirectory certificates for HTTPS Services if you want your OES services that provide HTTPS connectivity to use the more secure eDirectory certificates instead of the self-signed certificates created by YaST.

    Require TLS for Simple Binds with Password: Select the Require TLS for Simple Binds with Password option if you want to disallow sending passwords and other data in clear text.

    By default, the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols are not enabled in Active Directory.

    Install SecretStore: Select Install SecretStore if you want to eliminate the need to remember or synchronize all the multiple passwords required for accessing password-protected applications.

    Enable NMAS-based login for LDAP Authentication: Select this option if you want to enable NMAS-based login for LDAP authentication.

  5. Click Next to continue.

  6. Specify information to access the existing eDirectory Tree.

    1. Do not change the NCP Port, LDAP Port, and Secure LDAP Port information.

    2. Specify the tree admin credentials for the administrator to log in to the eDirectory tree. For information about the special characters that you can use while specifying the password, see Section 5.14, Supported Special Characters in DSfW Passwords.

    3. Click Next.

  7. Specify the Domain Name and NetBIOS information:

    DNS Name for New Domain: The DNS name for the new domain is automatically populated based on the Hostname and DNS configuration settings.

    You must ensure that the host name in the properties of the active Ethernet controller is an FQDN. For example, if the host name is dc1 and the domain name is dsfw.com, then the host name in the YaST > Network Devices > Network Settings > Hostname/DNS tab of the active Ethernet controller must be dc1.dsfw.com. You can modify the host name of the active Ethernet controller by using the Edit option in the Overview tab of the LAN settings in YaST.

    Configure this Server as a DNS Server: If you want this server to be a DNS server for the domain, select the Configure this server as a DNS Server option. If this option is not selected, you must ensure that a DNS server that contains the domain names for Domain Services for Windows is available somewhere in the network.

    NetBIOS Domain Name: The NetBIOS Domain name is automatically populated based on the Hostname and DNS configuration settings.

    By default, this is the domain context name without the parent context. For example, in the cn=central,dc=example,dc=com domain, the default NetBIOS name is central.

    Configure this machine to be a WINS server: If you want this server to be a WINS server, select the Configure this machine to be a WINS server option. For more information about WINS, see Section 17.0, Configuring DSfW Server as a WINS Server.

    Site Name of Domain Controller: Default-First-Site-Name is specified as the site name by default. To create a new site, specify the site name or click Browse to specify a site from the list of sites. For more information about sites and subnets, see Section 25.0, Configuring Sites and Subnets.

  8. Specify details to map the existing container to the new domain.

    Parent Domain Administrator Name: The name and context for the parent domain administrator that you are creating this domain in.

    New Domain Administrator Name: The name and context of the administrator account. This is the administrator you are entering the password for. You will use this account to log in to the Domain Services for Windows domain.

    FDN of the container that needs to be mapped: Specify the FDN of the container that you want to map to the new domain.

    IMPORTANT: A DSfW domain can only be created in Organization (O), Organizational Unit (OU) and Domain Component (DC) containers. Installing a name-mapped domain to map Country and Locality containers is not supported. However, you can map O and OU under these containers.

    Retain Existing NMAS Password Policies: If you select the Retain existing NMAS Password Policies option, the password policies assigned to the users within the container that is mapped to the new domain do not change. However, the password policies outside the partition boundary are not carried forward. You need to create a new password policy assigned to the partition root. For details on creating a new password policy, see Creating Password Policies. For information about default password policy settings for DSfW, see Section D.0, DSfW Password Policy Attributes.

  9. Specify a reliable Network Time Protocol (NTP) provider.

    eDirectory requires that all servers in a tree be time-synchronized. To add multiple time servers to the list of NTP servers, click the Add button and specify the IP address or DNS host name of the NTP server. In a single-server scenario, you can select the Use local clock check box and specify the local machine as the NTP provider.

  10. Click Next.

    NOTE: If you are using the Express install, Step 11 through Step 17 are not displayed.

  11. Specify the settings to configure the local server in the eDirectory tree:

    1. Leave the location of the Directory Information Base (DIB) at the default setting.

    2. Leave the iMonitor Port settings at the defaults unless you need to change them to avoid port conflicts with other services.

    3. Leave the Secure iMonitor Port settings at the defaults unless you need to change them to avoid port conflicts with other services.

    4. Click Next to continue.

  12. Specify details to configure SLP:

    Multicast to access SLP: Select the Use multicast to access SLP option to request SLP information through a multicast packet.

    Configure SLP to use an Existing Directory Agent: If you have more than three servers in your eDirectory tree, and you already have a Directory Agent running, select the Configure SLP to use an existing Directory Agent option.

    Configuring Directory Agent: Select the Configure as Directory Agent option if you want the local server to act as a directory agent.

    • Select the DASyncReg check box to enable SLP to query statically configured directory agents for registrations.

    • Select the Backup SLP Registrations check box to enable periodic backup of all registrations. In the Backup Interval in Seconds field, specify the time interval (in seconds) between backups.

    Service Location Protocol Scopes: In the Service Location Protocol Scopes field, specify the scope that a User Agent (UA) or Service Agent (SA) is allowed when making requests or when registering services, or specify the scope that a Directory Agent (DA) must support.

    The default value is DEFAULT. Use commas with no space to separate each scope. For example:

    net.slp.useScopes = myScope1,myScope2,myScope3

    Configuring SLP Directory Agents: In the Configured SLP Directory Agents field, specify the host name or IP address of one or more external servers on which an SLP Directory Agent is running. Do not specify the local host.

    To add an agent, click Add. In the SLP DA Server field, specify a server's DNS name or IP address, then click Add.

    To remove an agent, select one or more agents to remove, then click Delete.

  13. Click Next.

  14. Select the authentication service you want to install:

    NOTE: The SASL GSSAPI mechanism is an eDirectory-specific SASL mechanism. It is not used on a DSfW server. The DSfW-specific SASL GSSAPI mechanism is extended during DSfW configuration by default.

  15. Click Next.

  16. Specify the common proxy details:

    1. To use a common proxy for DSfW, select the Use Common Proxy User as default for OES Products check box. When this check box is selected, the OES Common Proxy User Name and Password fields are enabled. These fields are populated with a system-generated user name and password. To change these values, see Step 16.b.

      or

      If you do not want to use a common proxy, clear the check box and click Next. Then continue with Step 17.

    2. Specify the following information:

      • The common proxy user name. You must specify a fully distinguished name.

      • The proxy user password.

      • Retype the password in the Verify OES Common Proxy User Password field.

    3. To assign a common proxy password policy to the proxy user, select the Assign Common Proxy Password Policy to Proxy User check box.

    4. Click Next to continue.

  17. Specify the details to configure the DNS server.

    1. If you are configuring DNS in an existing tree where DNS is already configured, select the Get context and proxy user information from existing DNS server check box. Specify the IP address of an NCP server hosting the existing DNS server and click Retrieve. This retrieves the Locator, Root Server Info, and Group contexts.

      NOTE: Before running the configure DNS task in the DSfW provisioning wizard, ensure that the partition hosting the Locator, Root Server Info, and Group contexts has a local replica on the DSfW server that is being configured.

    2. Specify the following information:

      • The context of the DNS service locator object (for example, ou=OESSystemObjects,dc=dsfw,dc=com).

      • The context of the DNS Services Group object (for example, ou=OESSystemObjects,dc=dsfw,dc=com).

    3. Click Next to continue.

  18. After the installation is complete, the OES Configuration Summary page is displayed. Review the settings, then click Next to start the DSfW installation.

  19. When the installation is complete, click Finish.

    This completes the DSfW installation. However, the server is not ready for use until you provision DSfW and the supporting services.

  20. To start provisioning, do one of the following:

    • From the terminal, run the /opt/novell/xad/sbin/provision_dsfw.sh script.

    • Launch YaST. The DSfW Provisioning Wizard is listed as an option.

    To authenticate, enter the password of the current domain.

    For more details on provisioning, see Provisioning Domain Services for Windows.

  21. When provisioning is complete, the DSfW server is ready for use. Verify that eDirectory and DSfW have been installed and configured correctly by using the instructions in Section 9.0, Activities After DSfW Installation or Provisioning.

Installing DSfW as an Additional Domain Controller in a Domain

  1. In the YaST install for OES, on the Software Selections page, ensure that DNS is selected. Then select the OES Domain Services for Windows pattern.

    Pattern deployment provides patterns for different services. Selecting a pattern automatically selects and installs its dependencies.

    For information about the entire OES installation process, see the OES 2018 SP2: Installation Guide.

  2. Click Accept.

  3. Select the type of Domain Services for Windows configuration you want:

    1. To create a new domain controller in an existing Domain Services for Windows domain, select the New Domain in an Existing Domain Services for Windows Domain option.

    2. Select the Express Install option to deploy a domain controller by automatically populating certain YaST configuration fields. For more information, see Section 6.1.3, Express Installation.

  4. On the eDirectory configuration page in YaST, specify the following:

    Use eDirectory Certificates for HTTPS Services: Select Use eDirectory certificates for HTTPS Services if you want your OES services that provide HTTPS connectivity to use the more secure eDirectory certificates instead of the self-signed certificates created by YaST.

    Require TLS for Simple Binds with Password: Select the Require TLS for Simple Binds with Password option if you want to disallow sending passwords and other data in clear text.

    By default, the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols are not enabled in Active Directory.

    Install SecretStore: Select Install SecretStore if you want to eliminate the need to remember or synchronize all the multiple passwords required for accessing password-protected applications.

    Enable NMAS-based login for LDAP Authentication: Select this option if you want to enable NMAS-based login for LDAP authentication.

  5. Click Next to continue.

  6. Specify information to access the existing eDirectory tree.

    1. Do not change the NCP Port, LDAP Port, and Secure LDAP Port information.

    2. Specify the tree admin credentials for the administrator to log in to the eDirectory tree. For information about the special characters that you can use while specifying the password, see Section 5.14, Supported Special Characters in DSfW Passwords.

    3. Click Next.

  7. Specify the Domain Name and NetBIOS information:

    DNS Name for New Domain: The DNS name for the new domain is automatically populated based on the Hostname and DNS configuration settings.

    You must ensure that the host name in the properties of the active Ethernet controller is an FQDN. For example, if the host name is dc1 and the domain name is dsfw.com, then the host name in the YaST > Network Devices > Network Settings > Hostname/DNS tab of the active Ethernet controller must be dc1.dsfw.com. You can modify the host name of the active Ethernet controller by using the Edit option in the Overview tab of the LAN settings in YaST.

    Configure this Server as a DNS Server: If you want this server to be a DNS server for the domain, select the Configure this server as a DNS Server option. If this option is not selected, you must ensure that a DNS server that contains the domain names for Domain Services for Windows is available somewhere in the network.

    NetBIOS Domain Name: The NetBIOS Domain name is automatically populated based on the Hostname and DNS configuration settings.

    By default, this is the domain context name without the parent context. For example, in the cn=central,dc=example,dc=com domain, the default NetBIOS name is central.

    Configure this machine to be a WINS server: If you want this server to be a WINS server, select the Configure this machine to be a WINS server option. For more information about WINS, see Section 17.0, Configuring DSfW Server as a WINS Server.

    Site Name of Domain Controller: Default-First-Site-Name is specified as the site name by default. To create a new site, specify the site name or click Browse to specify a site from the list of sites. For more information about sites and subnets, see Section 25.0, Configuring Sites and Subnets.

  8. Specify the domain administrator password in the Enter Administrator Password field. For information about the special characters that you can use while specifying the password, see Section 5.14, Supported Special Characters in DSfW Passwords.

  9. Specify a reliable Network Time Protocol (NTP) provider.

    eDirectory requires that all servers in a tree be time-synchronized. To add multiple time servers to the list of NTP servers, click the Add button and specify the IP address or DNS host name of the NTP server. In a single-server scenario, you can select the Use local clock check box and specify the local machine as the NTP provider.

  10. Click Next.

    NOTE: If you are using the Express install, Step 11 through Step 16 are not displayed.

  11. Specify the settings to configure the local server in the eDirectory tree:

    1. Leave the location of the Directory Information Base (DIB) at the default setting.

    2. Leave the iMonitor Port settings at the defaults unless you need to change them to avoid port conflicts with other services.

    3. Leave the Secure iMonitor Port settings at the defaults unless you need to change them to avoid port conflicts with other services.

    4. Click Next to continue.

  12. Specify details to configure SLP:

    Multicast to access SLP: Select the Use multicast to access SLP option to request SLP information through a multicast packet.

    Configure SLP to use an Existing Directory Agent: If you have more than three servers in your eDirectory tree, and you already have a Directory Agent running, select the Configure SLP to use an existing Directory Agent option.

    Configuring Directory Agent: Select the Configure as Directory Agent option if you want the local server to act as a directory agent.

    • Select the DASyncReg check box to enable SLP to query statically configured directory agents for registrations.

    • Select the Backup SLP Registrations check box to enable periodic backup of all registrations. In the Backup Interval in Seconds field, specify the time interval (in seconds) between backups.

    Service Location Protocol Scopes: In the Service Location Protocol Scopes field, specify the scope that a User Agent (UA) or Service Agent (SA) is allowed when making requests or when registering services, or specify the scope that a Directory Agent (DA) must support.

    The default value is DEFAULT. Use commas with no space to separate each scope. For example:

    net.slp.useScopes = myScope1,myScope2,myScope3

    Configuring SLP Directory Agents: In the Configured SLP Directory Agents field, specify the host name or IP address of one or more external servers on which an SLP Directory Agent is running. Do not specify the local host.

    To add an agent, click Add. In the SLP DA Server field, specify a server's DNS name or IP address, then click Add.

    To remove an agent, select one or more agents to remove, then click Delete.
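    The choices made on this SLP page end up as net.slp.* settings in the server's SLP configuration file. The script below is an added example, not part of the OES documentation or product, that checks two of the constraints stated above before you continue: the scope list must use commas with no spaces, and the Directory Agent list must not name the local host. The /etc/slp.conf-style file format, the sample values and the host name handling are assumptions.

```shell
#!/bin/sh
# Added example (not from the OES documentation): pre-check the SLP values that
# the YaST SLP page writes to /etc/slp.conf (path and sample values are assumptions).

# Read the value of a net.slp.* key from an slp.conf-style file, skipping
# commented lines and trailing whitespace; the last occurrence wins.
slp_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeeds only if the scope list is non-empty and uses commas with no spaces.
check_slp_scopes() {
    case "$1" in
        "")              return 1 ;;   # no scope at all
        *[[:space:]]*)   return 1 ;;   # "a, b" would register the wrong scope name
        ,*|*,|*,,*)      return 1 ;;   # empty scope entries
    esac
    return 0
}

# Succeeds only if no configured Directory Agent address is the local host.
# $1: comma-separated DA list, $2: this server's own host name.
check_slp_da_list() {
    old_ifs=$IFS
    IFS=,
    for da in $1; do
        case "$da" in
            localhost|127.0.0.1|::1|"${2:-__none__}")
                IFS=$old_ifs
                return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Usage: run both checks against a constructed sample file.
conf=$(mktemp)
cat > "$conf" <<'EOF'
; constructed sample, not a real server's file
net.slp.useScopes = myScope1,myScope2,myScope3
net.slp.DAAddresses = 192.0.2.10,slpda2.example.com
EOF
scopes=$(slp_conf_value "$conf" net.slp.useScopes)
das=$(slp_conf_value "$conf" net.slp.DAAddresses)
if check_slp_scopes "$scopes"; then echo "scopes OK: $scopes"; else echo "scopes BAD: '$scopes'"; fi
if check_slp_da_list "$das" "${HOSTNAME:-localhost}"; then echo "DA list OK: $das"; else echo "DA list names the local host"; fi
rm -f "$conf"
```

    Point `slp_conf_value` at the real configuration file after YaST has written it; a failed scope check usually means a space crept in after a comma, which registers a scope name that no other agent is using.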

  13. Select the authentication service you want to install.

    NOTE: The SASL GSSAPI mechanism is an eDirectory-specific SASL mechanism. It is not used on a DSfW server. The DSfW-specific SASL GSSAPI mechanism is extended during DSfW configuration by default.

  14. Click Next.

  15. Specify the common proxy details:

    1. To use a common proxy for DSfW, select the Use Common Proxy User as default for OES Products check box. When this check box is selected, the OES Common Proxy User Name and Password fields are enabled. These fields are populated with a system-generated user name and password. To change these values, see Step 15.b.

      or

      If you do not want to use a common proxy, deselect the check box and click Next. Then continue with Step 16.

    2. Specify the following information:

      • The common proxy user name. You must specify a fully distinguished name.

      • The proxy user password.

      • Retype the password in the Verify OES Common Proxy User Password field.

    3. To assign a common proxy password policy to the proxy user, select the Assign Common Proxy Password Policy to Proxy User check box.

    4. Click Next to continue.

  16. Specify the details to configure the DNS server:

    1. If you are configuring DNS in an existing tree where DNS is already configured, select the Get context and proxy user information from existing DNS server check box. Specify the IP address of an NCP server hosting the existing DNS server and click Retrieve. This retrieves the Locator, Root Server Info, and Group contexts.

      NOTE: Before running the configure DNS task in the DSfW provisioning wizard, ensure that the partition hosting the Locator, Root Server Info, and Group contexts has a local replica on the DSfW server that is being configured.

    2. Specify the following information:

      • The context of the DNS service locator object (for example, ou=OESSystemObjects,dc=dsfw,dc=com).

      • The context of the DNS Services Group object (for example, ou=OESSystemObjects,dc=dsfw,dc=com).

    3. Click Next to continue.

  17. After the installation is complete, the OES Configuration Summary page is displayed. Review the settings, then click Next to start the DSfW installation.

  18. When the installation is complete, click Finish.

    This completes the DSfW installation. However, the server is not ready for use until you provision DSfW and the supporting services.

  19. To start provisioning, do one of the following:

    • From the terminal, run the /opt/novell/xad/sbin/provision_dsfw.sh script.

    • Launch YaST. The DSfW Provisioning Wizard is listed as an option.

    To authenticate, enter the password of the current domain.

    For more details on provisioning, see Provisioning Domain Services for Windows.

  20. When provisioning is complete, the DSfW server is ready for use. Verify that eDirectory and DSfW have been installed and configured correctly by using the instructions in Section 9.0, Activities After DSfW Installation or Provisioning.

6.1.3 Express Installation

Beginning in OES 11 SP2, DSfW enables you to easily configure a domain controller by using the Express Install option. An Express Install simplifies the installation of a domain controller and reduces user intervention by automatically populating certain YaST configuration fields. This is done by assigning default values for the Local server configuration, NMAS, SLP, DNS, and common proxy pages to minimize the number of configuration pages.

You cannot use an Express Install to customize configuration parameters for components such as DNS.

6.1.4 Using a Container Admin to Install and Configure DSfW

For this procedure, assume that you want to configure DSfW in an existing tree with o=novell, ou=india.o=novell, and ou=blr.ou=india.o=novell as root partitions.

You must have at least one eDirectory 8.8 SP2 and above server in the tree that holds a writable replica of the root partition. The root partition should be on the server that is holding the name-mapped container. This is required for creating partitions during DSfW configuration.

To configure a container admin and use it to install DSfW:

  1. Create a container in an existing tree. For example:

    ou=india.o=novell

  2. Create a cn=localadmin user under the ou=india.o=novell container.

    The container must be partitioned (before installing the server) by using the admin for the tree.

  3. Assign the following rights to the container admin:

    • Supervisor rights on this partition.

    • Supervisor rights (inherited) for the entry rights to the security container.

    • Read and Write permission for the DNS locator and DNS group object.

    • Read and Write permission for the DNS server object if the DNS server is located in another domain.

    • Supervisor rights (inheritable) on the ou=OESSystemObjects container holding the NCP Server object of the forest root domain, while installing a subsequent domain or an additional domain controller as a container admin.

      For example, ou=OESSystemObjects,dc=parent,dc=com where dc=parent,dc=com is the forest root domain.

    • Supervisor rights on the configuration partition and schema partition to create a subsequent domain or an additional domain controller.

    For information on rights that must be assigned before doing a container admin installation, see Rights Required for Subcontainer Administrators in the OES 2018 SP2: Installation Guide.

    For more information on installing a secondary server into an existing tree as a non-administrator user, refer to the eDirectory 9.2.1 Installation Guide.

  4. Use the tree admin to extend the schema for DSfW:

    1. On an existing OES server, run the Novell Schema tool found in YaST > Open Enterprise Server > Novell Schema Tool and specify the IP address of the eDirectory server with a writable replica of the root.

      or

      Use the OES schema tool or iManager to extend the schema.

    2. Specify the tree admin’s password and click Next.

    3. Select OES Linux User Management (LUM), OES DNS, OES Domain Services for Windows, OES Directory Services, OES iPrint Services, OES Storage Services (NSS), OES NCP Server, OES SMS, and NMAS.

      It is not necessary to select any of the other items in the list. Wait for the schema changes to be synchronized across the tree before proceeding with the installation of the first DSfW server.

  5. Use YaST with container admin credentials to configure OES DSfW.

    For information on installing and configuring the OES DNS service, refer to Installing the DNS Server and eDirectory Permissions in the OES 2018 SP1: DNS/DHCP Services for Linux Administration Guide.

NOTE: Apart from the tree administrator installation, container administrator installation is the only supported installation scenario. DSfW installation as a DSfW Domain Administrator is not supported.