Preparing for Domain Services for Windows Install

This document (7002172) is provided subject to the disclaimer at the end of this document.

Environment

Novell Open Enterprise Server 2 SP2 (OES 2SP2)
Novell Open Enterprise Server 2 SP3 (OES 2SP3)
Novell Open Enterprise Server 11 (OES11)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSfW

Situation

Here are some tips for a successful DSfW install.

Resolution

The install of DSfW has to be done on a new OES server. The OES server can be configured on an existing SLES server, or on a new install of SLES with OES as the add-on product.

OES2 SP1 is installed on SLES10 SP2
OES2 SP2 and OES2 SP3 are installed on SLES10 SP3
OES11 is installed on SLES11 SP1
OES11 SP1 is installed on SLES11 SP2

eDirectory cannot already be installed on the server before DSfW is installed.

Extend the DSfW schema before installing.  The schema tool on an existing OES server in the tree is an easy way to accomplish this.

Keep the server name to 15 characters or less. The reason is NetBIOS: a domain controller server object (not the NCP server object) is created for the server based on its NetBIOS name, and NetBIOS names are limited to 15 characters. A server whose name is longer than 15 characters gets a NetBIOS name containing only the first 15 characters, which can cause failures in the provisioning wizard portion of the install or general performance and behaviour problems on the domain controller.

As with the server name, keep in mind that the DNS name of the domain is used to create the NetBIOS name for the domain. You have the opportunity to change the NetBIOS name during the install; it does not have to match the DNS domain name. See TID 7006988 on how to rename the NetBIOS name of a DSfW domain.

Before doing the install, determine the DNS name for the domain; this will be the name of the domain. The domain name should not end in .local: the .local top-level domain is treated as a link-local (multicast DNS) domain, so queries for it are sent to a multicast address instead of to the DNS server. .int, .lan, .dsfw or .internal are commonly substituted for .local (note that .int is a real public top-level domain, so prefer a suffix that is not delegated on the internet).
 
/etc/hosts should list the loopback address and the server's full domain name. If a 127.0.0.2 entry also exists, comment it out along with the IPv6 loopback line (the one starting with ::1), or follow TID 7010075.
Example of /etc/hosts for a server named server1 in the domain dsfwdomain.com:
    127.0.0.1       localhost
    192.168.0.5 server1.dsfwdomain.com server1

For OES11 verify that /etc/HOSTNAME contains the full DNS name (server.domain). It must use the same domain name as /etc/hosts; otherwise the DSfW domain name field will be empty during the YaST configuration.
Example:
     server1.dsfwdomain.com

Ensure the hostname in the /etc/hosts file is lower case.

Best practice is to use a unique domain name. If the domain name already exists (for example novell.com), there will be a conflict and the DNS zones will most likely need to be merged. In these situations it is recommended to use another domain name: for novell.com use novell.lan or novell.dsfw instead, so that the name is unique and the domain is only available internally and is not routable on the internet.

/etc/resolv.conf should list, as its first name server, the IP address of the DSfW server that is about to be installed. If installing into an existing domain, point to the first DSfW server. That server should also be a DNS server, unless DNS was removed and the records imported on another DNS server after the DSfW install.
example:
    nameserver 192.168.0.5
    nameserver 4.2.2.1
    nameserver 4.2.2.2
    search dsfwdomain.com
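To turn the host-side preparation above (server name length, lower-case host name, domain suffix, /etc/hosts, /etc/HOSTNAME and /etc/resolv.conf) into something that can be re-run before starting YaST, here is a POSIX shell pre-check. It is an added example, not a Novell tool or part of this TID; the function name dsfw_precheck, its argument order and the default file paths are this example's own choices, and it only checks what the text above describes.

```shell
#!/bin/sh
# dsfw_precheck.sh: host-side sanity checks before a DSfW install.
# Added example, not part of the TID. Arguments:
#   dsfw_precheck SERVER_IP [HOSTS_FILE] [HOSTNAME_FILE] [RESOLV_FILE]
# The file arguments default to the live files but can point at copies.
# Prints one line per finding and returns 0 only when everything passes.
dsfw_precheck() {
    ip="$1"; hosts="${2:-/etc/hosts}"; hn="${3:-/etc/HOSTNAME}"; resolv="${4:-/etc/resolv.conf}"
    rc=0
    [ -r "$hn" ] || { echo "FAIL: cannot read $hn"; return 1; }
    fqdn=$(sed -n '1p' "$hn" | tr -d '[:space:]')   # e.g. server1.dsfwdomain.com
    short=${fqdn%%.*}                               # server1
    domain=${fqdn#*.}                               # dsfwdomain.com
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # escape dots for grep -E
    fqdn_re=$(printf '%s' "$fqdn" | sed 's/\./\\./g')

    # 1. NetBIOS truncates names to 15 characters; the host name is used as-is.
    if [ "${#short}" -gt 15 ]; then
        echo "FAIL: host name '$short' is longer than 15 characters (NetBIOS limit)"; rc=1
    fi
    # 2. The host name must be lower case.
    if [ "$fqdn" != "$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')" ]; then
        echo "FAIL: host name '$fqdn' contains upper-case characters"; rc=1
    fi
    # 3. /etc/HOSTNAME must hold a fully qualified name, not just the short name.
    case "$fqdn" in
        *.*) ;;
        *) echo "FAIL: $hn does not contain a fully qualified name (server.domain)"; rc=1 ;;
    esac
    # 4. .local is treated as link-local (mDNS); queries never reach the DNS server.
    case "$domain" in
        *.local|local) echo "FAIL: domain '$domain' ends in .local"; rc=1 ;;
    esac
    # 5. /etc/hosts: loopback present, server FQDN on its IP, no active 127.0.0.2 / ::1 lines.
    grep -Eq '^[[:space:]]*127\.0\.0\.1[[:space:]]+localhost' "$hosts" \
        || { echo "FAIL: no '127.0.0.1 localhost' line in $hosts"; rc=1; }
    grep -Eq "^[[:space:]]*${ip_re}[[:space:]]+${fqdn_re}([[:space:]]|\$)" "$hosts" \
        || { echo "FAIL: $hosts lacks the line '$ip $fqdn'"; rc=1; }
    if grep -Eq '^[[:space:]]*(127\.0\.0\.2|::1)[[:space:]]' "$hosts"; then
        echo "FAIL: active 127.0.0.2 or ::1 entry in $hosts (comment it out or see TID 7010075)"; rc=1
    fi
    # 6. The first nameserver in resolv.conf must be this server.
    first_ns=$(grep -E '^[[:space:]]*nameserver' "$resolv" | head -n 1 | awk '{print $2}')
    if [ "$first_ns" != "$ip" ]; then
        echo "FAIL: first nameserver in $resolv is '$first_ns', expected $ip"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: host prerequisites for $fqdn look good"
    return $rc
}
```

Source the file and run `dsfw_precheck 192.168.0.5` on the server before starting the OES configuration in YaST; a non-zero exit means at least one of the items above still needs attention.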

If doing a name-mapped install (installing into an existing tree):
Partition the container that is to become the domain. For OES2 SP1 and OES2 SP2 the domain name has to match the name of the container it is mapped to.
Example:
dsfwdomain.com has to be mapped to a partitioned container named dsfwdomain.
For OES2 SP3, OES11 and current versions of DSfW the domain name and the container name can be different.

If this is the first DSfW server in the tree, a forest will be created (only one forest per eDirectory tree) and the container that becomes the domain will be the root for all other domains. An additional domain cannot be installed at a higher location in the tree.

The maximum depth of domains in a forest is 5, and a total of 10 domains per forest is allowed. The maximum number of domain controllers per domain is 5.

A partition cannot exist between domains. Example: city.county.state.country.com, where
country.com is partitioned and is the root domain,
state is a partition but not a domain,
county is a partition but not a domain,
city is a partition but not a domain.
A domain cannot be created for county until a domain has been created for state, and a domain cannot be created for city until domains have been created for both state and county.

With OES2 SP3 and OES11, multiple partitions can be added to a domain. When the provisioning wizard is started, check 'Enable Custom Provisioning' to add additional partitions to the domain. Replicas of the additional partitions (not of the top partition/container at which the domain is created) need to be added to the DSfW server. Only child partitions, not sibling partitions, can be added to the domain.

If doing a name-mapped install, verify that the following ACLs do not exist on the container that will be mapped:
ACL: 1#subtree#[Public]#cn
ACL: 3#subtree#[Root]#[All Attributes Rights]
ACL: 4#subtree#[This]#dBCSPwd
ACL: 4#subtree#[This]#unicodePwd
ACL: 4#subtree#[This]#supplementalCredentials
ACL: 3#subtree#[Root]#userCertificate;binary
ACL: 3#subtree#[Root]#cACertificate;binary

When you are installing DSfW, default containers will be created. Make sure that the following container names do not already exist under the domain partition:

cn=Computers
cn=Users
ou=Domain Controllers
cn=DefaultMigrationContainer
cn=Deleted Objects
cn=ForeignSecurityPrincipals
cn=Infrastructure
cn=LostAndFound
cn=NTDS Quotas
cn=Program Data
cn=System
cn=Container
Note: what matters is the name of the object, not its base class. If there is an ou=Users or dc=Computers under the domain container, it needs to be renamed or moved lower in the tree before installing DSfW.
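The two lists above (ACLs that must not be present on the container to be mapped, and names that must not already exist under it) can be checked from an LDIF export of that container instead of by eye. The following POSIX shell function is an added example, not a Novell tool or part of this TID. It assumes you exported the container's ACL attribute with a base-scope ldapsearch and its children with a one-level ldapsearch (the ldapsearch command lines in the comment are illustrative and use an assumed admin DN and container), and it compares names case-insensitively while ignoring the naming attribute, as the note above requires. Values that LDIF stores base64-encoded (dn:: or ACL::) are not decoded; the function warns when it sees base64 dn lines.

```shell
#!/bin/sh
# dsfw_ldif_check.sh: scan an LDIF export of the container that will be
# name-mapped for (a) ACL values the TID says must not be present and
# (b) child objects whose name collides with a default DSfW container.
# Added example, not part of the TID. Assumed export (container and admin
# DN are placeholders), both results appended to one file:
#   ldapsearch -x -H ldaps://edir.example.com -D cn=admin,o=novell -W \
#       -b ou=dsfwdomain,o=novell -s base ACL  >  container.ldif
#   ldapsearch -x -H ldaps://edir.example.com -D cn=admin,o=novell -W \
#       -b ou=dsfwdomain,o=novell -s one dn    >> container.ldif

DSFW_FORBIDDEN_ACLS='1#subtree#[Public]#cn
3#subtree#[Root]#[All Attributes Rights]
4#subtree#[This]#dBCSPwd
4#subtree#[This]#unicodePwd
4#subtree#[This]#supplementalCredentials
3#subtree#[Root]#userCertificate;binary
3#subtree#[Root]#cACertificate;binary'

# default container names, lower-cased; the naming attribute is ignored
DSFW_RESERVED_NAMES='computers
users
domain controllers
defaultmigrationcontainer
deleted objects
foreignsecurityprincipals
infrastructure
lostandfound
ntds quotas
program data
system
container'

# Join LDIF continuation lines (a leading space continues the previous line)
# so that wrapped ACL values and DNs can be matched whole.
ldif_unwrap() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }' "$1"
}

# dsfw_ldif_check FILE: prints findings, returns 0 only if nothing was found.
dsfw_ldif_check() {
    rc=0
    tmp=$(mktemp)
    unwrapped=$(ldif_unwrap "$1")

    # (a) every ACL value, compared exactly against the forbidden list
    printf '%s\n' "$DSFW_FORBIDDEN_ACLS" > "$tmp"
    found=$(printf '%s\n' "$unwrapped" | sed -n 's/^ACL: //p' | grep -F -x -f "$tmp" || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/FAIL: forbidden ACL present: /'
        rc=1
    fi

    # (b) leading RDN value of each dn (cn=, ou=, dc= ... stripped), case-folded,
    #     against the reserved container names
    printf '%s\n' "$DSFW_RESERVED_NAMES" > "$tmp"
    clash=$(printf '%s\n' "$unwrapped" | sed -n 's/^dn: *[A-Za-z]*=\([^,]*\),.*/\1/p' \
            | tr 'A-Z' 'a-z' | grep -F -x -f "$tmp" || true)
    if [ -n "$clash" ]; then
        printf '%s\n' "$clash" | sed 's/^/FAIL: reserved name "/; s/$/" already exists under the container/'
        rc=1
    fi
    if printf '%s\n' "$unwrapped" | grep -q '^dn:: '; then
        echo "WARN: base64-encoded dn lines present; decode them before trusting the name check"
    fi
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && echo "OK: no forbidden ACLs or reserved container names found"
    return $rc
}
```

Run `dsfw_ldif_check container.ldif` after exporting; each FAIL line names the ACL to remove or the object to rename or move before the name-mapped install is started.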

For OES2 SP1 and SP2 the first domain controller in a domain is automatically designated the master of the partition and is the RID master for the domain.
For OES2 SP3 and OES11 the master replica is retained on the eDirectory server and a read/write replica is added to the DSfW server.

Verify that the time and time zone are correct on both the eDirectory server and the DSfW server.

Perform an eDirectory health check as described in TID 3564075.

Before installing DSfW, install either AppArmor or the perl-TermReadKey Perl module; otherwise the install fails because of a missing dependency (TID 7010065).

If LUM is configured with a UNIX config object in the container the domain will be mapped to, see TID 7009930: the LUM attributes on the container need to be removed. This only affects OES11 installs, not OES11 SP1.

If a password policy is assigned to the container where the domain will be mapped, be sure to enable "Synchronize Distribution Password when setting Universal Password" in that policy; if it is not enabled, the unicodePwd will not be synchronized. Also ensure that the option "Retain existing Novell Password Policies on Users" is checked; this option is on the install screen where the FDN of the container to be mapped is entered. Only check this option if a password policy is already assigned to the container where the domain will be mapped.

When installing DSfW, select only the DSfW pattern; all the necessary patterns are selected automatically. Do not uncheck any of the other patterns.
 
Starting with the April 2013 maintenance patch, apply patches before installing and configuring DSfW.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7002172
  • Creation Date:12-DEC-08
  • Modified Date:09-DEC-13
    • Novell Open Enterprise Server
    • NetIQ eDirectory
