Preparing for Domain Services for Windows Install

  • 7002172
  • 12-Dec-2008
  • 09-Mar-2015

Environment

Novell Open Enterprise Server 11 SP2 (OES11SP2)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Novell Open Enterprise Server 11 (OES11)
Novell Open Enterprise Server 2 SP3 (OES 2SP3)
Novell Open Enterprise Server 2 SP2 (OES 2SP2)
Domain Services for Windows
DSfW

Situation

Here are some tips for a successful DSfW install.

Resolution

The DSfW install has to be done on a new OES server. The OES server can be configured on an existing SLES server, or on a new install of SLES with OES as the add-on product.

OES11 SP2 is installed on SLES 11 SP3
OES11 SP1 is installed on SLES 11 SP2
OES11 is installed on SLES 11 SP1
OES2 SP2 and OES2 SP3 DSfW use SLES 10 SP3
OES2 SP1 is installed on SLES 10 SP2
  
eDirectory must not be installed on the server before DSfW: if eDirectory is installed, or has ever been installed, on the server, the DSfW install will fail. Start with a basic SLES server and then configure DSfW, or configure DSfW at the time the server is installed. Do not use an existing OES server that already has eDirectory configured.

Extend the DSfW schema before installing: running the schema tool on an existing OES server in the tree is an easy way to extend the DSfW schema; see the DSfW documentation for other ways to extend the schema.

Keep the server name to 15 characters or less: the reason is NetBIOS. A domain controller server object (not the NCP server object) will be created for the server based on its NetBIOS name, and NetBIOS names are limited to 15 characters. A server whose name is longer than 15 characters gets a NetBIOS name containing only the first 15 characters. This can cause failures in the provisioning wizard portion of the install, or performance and behavior problems with the domain controller afterwards.

NetBIOS name (short name) for the domain must be 15 characters or less: as with the server name, keep in mind that the DNS name will be used to derive the NetBIOS name for the domain. You will have the opportunity to change the NetBIOS name during the install; it does not have to match the domain name. See TID 7006988 on how to rename the NetBIOS name of a DSfW domain.

Determine the DNS name for the domain: before doing the install, decide on the DNS name for the domain. This will be the name of the domain, and it cannot be changed once the DSfW installation is complete; changing the domain name afterwards requires removing DSfW from the tree and reinstalling.
The domain name should not end in .local: the .local top-level domain is reserved for link-local multicast DNS (mDNS), so resolvers that implement mDNS send queries for .local names to the multicast address instead of to the DNS server.
Examples of possible substitutions: .int, .lan, .dsfw, or .internal instead of .local
 
Ensure the /etc/hosts file is correct: /etc/hosts should list the loopback address and the server's full domain name. If a 127.0.0.2 line also exists, comment it out along with the IPv6 line (the one starting with ::1), or follow TID 7010075.

Example of an /etc/hosts with a server named server1 and domain name of dsfwdomain.com:
    127.0.0.1       localhost
    192.168.0.5 server1.dsfwdomain.com server1

Ensure the hostname in the /etc/hosts file is lower case.

Note: If the IP address, server name, domain name, or DNS server needs to be changed, use YaST to apply the change.

Verify /etc/HOSTNAME is correct: starting with OES11, verify that /etc/HOSTNAME contains the full DNS name (server.domain). It must use the same domain name as /etc/hosts; otherwise the DSfW domain name field will be empty during the YaST configuration.

Example:
     server1.dsfwdomain.com

Best practice is to use a unique domain name: if the domain name already exists (for example novell.com), there will be a conflict and the DNS zones will most likely need to be merged. In these situations it is recommended to use another domain name, for example novell.lan or novell.dsfw instead of novell.com. Such a name is not only unique, it is also available only internally and is not routable on the Internet.

Verify /etc/resolv.conf is correct: /etc/resolv.conf should list, as the first name server, the IP address of the DSfW server about to be installed. If installing into an existing domain, point to the first DSfW server. That server should also be a DNS server, unless DNS was removed and the records imported onto another DNS server after the DSfW install.

Example:
    nameserver 192.168.0.5
    nameserver 4.2.2.1
    nameserver 4.2.2.2
    search dsfwdomain.com
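The name and resolver checks above (server name length, domain short name, the .local suffix, /etc/hosts, /etc/HOSTNAME and /etc/resolv.conf) can be scripted so they are run before YaST is started. The script below is an added example and is not part of the TID or of the OES product; it takes file paths and the server IP as parameters so it can be run against copies of the files, and the sample files it writes are constructed to mirror the examples above.

```bash
# Added example (not part of the TID): scripted form of the checks above for
# the server name, the domain short name, the .local suffix, /etc/hosts,
# /etc/HOSTNAME and /etc/resolv.conf. File paths and the server IP are
# parameters so the checks can be run against copies of the files.

# NetBIOS truncates any name longer than 15 characters.
netbios_len_ok() {
    [ -n "$1" ] && [ "${#1}" -le 15 ]
}

# Reject the mDNS link-local suffix and names without a dot.
domain_name_ok() {
    case "$1" in
        *.local|*.local.) return 1 ;;
        *.*)              return 0 ;;
        *)                return 1 ;;
    esac
}

# /etc/HOSTNAME (OES11 and later) must hold the lower-case FQDN on line 1.
hostname_file_ok() {
    hn_fqdn=$(head -n 1 "$1" | tr -d ' \t\r\n')
    [ -n "$hn_fqdn" ] || return 1
    [ "$hn_fqdn" = "$(printf '%s' "$hn_fqdn" | tr 'A-Z' 'a-z')" ] || return 1
    domain_name_ok "$hn_fqdn"
}

# /etc/hosts: a 127.0.0.1 loopback line, the server IP mapped to the
# lower-case FQDN plus short name, and no active 127.0.0.2 or ::1 lines.
hosts_file_ok() {
    hf_file=$1 hf_ip=$2 hf_name=$3
    hf_short=${hf_name%%.*}
    hf_ip_re=$(printf '%s' "$hf_ip" | sed 's/\./\\./g')
    hf_name_re=$(printf '%s' "$hf_name" | sed 's/\./\\./g')
    grep -Eq '^[[:space:]]*127\.0\.0\.1[[:space:]]' "$hf_file" || return 1
    if grep -Eq '^[[:space:]]*(127\.0\.0\.2|::1)[[:space:]]' "$hf_file"; then
        return 1
    fi
    grep -Eq "^[[:space:]]*$hf_ip_re[[:space:]]+$hf_name_re[[:space:]]+$hf_short[[:space:]]*$" "$hf_file"
}

# /etc/resolv.conf: the first nameserver is this server and the search
# list contains the domain.
resolv_conf_ok() {
    rc_first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$rc_first" = "$2" ] || return 1
    awk -v d="$3" '$1 == "search" { for (i = 2; i <= NF; i++) if ($i == d) ok = 1 }
                   END { exit !ok }' "$1"
}

# Run every check and print PASS/FAIL per item; returns 1 if any failed.
# $1 = hosts file, $2 = HOSTNAME file, $3 = resolv.conf, $4 = server IP
dsfw_preflight() {
    pf_fail=0
    pf_fqdn=$(head -n 1 "$2" | tr -d ' \t\r\n')
    pf_short=${pf_fqdn%%.*}
    pf_domain=${pf_fqdn#*.}
    pf_nbdom=${pf_domain%%.*}
    pf_check() {
        pf_label=$1; shift
        if "$@"; then echo "PASS: $pf_label"; else echo "FAIL: $pf_label"; pf_fail=1; fi
    }
    pf_check "HOSTNAME holds a lower-case FQDN ($pf_fqdn)"            hostname_file_ok "$2"
    pf_check "server name '$pf_short' is 15 characters or less"        netbios_len_ok "$pf_short"
    pf_check "domain short name '$pf_nbdom' is 15 characters or less"  netbios_len_ok "$pf_nbdom"
    pf_check "domain '$pf_domain' does not end in .local"              domain_name_ok "$pf_domain"
    pf_check "hosts file maps $4 to $pf_fqdn $pf_short"                hosts_file_ok "$1" "$4" "$pf_fqdn"
    pf_check "resolv.conf lists $4 first and searches $pf_domain"      resolv_conf_ok "$3" "$4" "$pf_domain"
    [ "$pf_fail" -eq 0 ]
}

# Constructed sample files mirroring the /etc/hosts, /etc/HOSTNAME and
# /etc/resolv.conf examples above (not copied from a real server).
demo_dir=$(mktemp -d)
printf '127.0.0.1\tlocalhost\n192.168.0.5\tserver1.dsfwdomain.com server1\n' > "$demo_dir/hosts"
printf 'server1.dsfwdomain.com\n' > "$demo_dir/HOSTNAME"
printf 'nameserver 192.168.0.5\nnameserver 4.2.2.1\nsearch dsfwdomain.com\n' > "$demo_dir/resolv.conf"
dsfw_preflight "$demo_dir/hosts" "$demo_dir/HOSTNAME" "$demo_dir/resolv.conf" 192.168.0.5
rm -rf "$demo_dir"
# On the real server, before starting YaST:
#   dsfw_preflight /etc/hosts /etc/HOSTNAME /etc/resolv.conf <server IP>
```

The checks deliberately read the files rather than calling hostname or the resolver, because the point of this section is that the files themselves must agree before YaST reads them; a commented-out 127.0.0.2 line is accepted, an active one is reported.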

Name-mapped install: if doing a name-mapped install (installing into an existing tree), partition the container that is to become the domain. For OES2 SP1 and OES2 SP2 the domain name has to match the name of the container it is being mapped to.

Example:
    dsfwdomain.com has to be mapped to a partitioned container named dsfwdomain.

For OES2 SP3, OES11 and current versions of DSfW, the domain name and the container name can differ.

First DSfW server in the tree: if this is the first DSfW server in the tree, a forest will be created (only one forest per eDirectory tree) and the container that becomes the domain will be the forest root for all other domains. An additional domain cannot be installed higher in the tree or at a sibling level in the tree.

Maximum depth for domains in a forest: the maximum depth for domains in a forest is 5, and a total of 10 domains per forest is allowed.

Partitions and domains: prior to OES2 SP3 a partition cannot exist between domains.

Example:
    city.county.state.country.com
    country.com is partitioned and the root domain.
    state is a partition not a domain
    county is a partition not a domain
    city is a partition not a domain

A domain cannot be created for county until a domain has been created for state.
A domain cannot be created for city until domains have been created for both state and county.

Starting with OES2 SP3, multiple partitions can be added to a domain. When the provisioning wizard starts, check 'Enable Custom Provisioning' to add additional partitions to the domain.

Replicas of the additional partitions (not the top partition/container at which the domain is created) will need to be added to the DSfW server.

Only child partitions, not sibling partitions, can be added to the domain at the top level of the domain.

Example:
    There are two Organizations in the tree: o=prv and o=blr
    The domain is mapped to o=prv
    o=blr cannot be added to the domain as a sibling; it must be a child container of o=prv.
    To add blr to the domain, move o=blr under o=prv.
    After the move, o=blr changes from an Organization to an Organizational Unit (ou=blr).

Existing ACLs: if doing a name-mapped install, verify that the following ACL values do not exist on the container that will be mapped:
ACL: 1#subtree#[Public]#cn
ACL: 3#subtree#[Root]#[All Attributes Rights]
ACL: 4#subtree#[This]#dBCSPwd
ACL: 4#subtree#[This]#unicodePwd
ACL: 4#subtree#[This]#supplementalCredentials
ACL: 3#subtree#[Root]#userCertificate;binary
ACL: 3#subtree#[Root]#cACertificate;binary

Existing names: when DSfW is installed, default containers are created. Make sure that the following container names do not already exist directly under the domain partition:
cn=Computers
cn=Users
ou=Domain Controllers
cn=DefaultMigrationContainer
cn=Deleted Objects
cn=ForeignSecurityPrincipals
cn=Infrastructure
cn=LostAndFound
cn=NTDS Quotas
cn=Program Data
cn=System
cn=Container

Note: what matters is the name of the object, not its base class. If there is an ou=users or dc=computers under the domain container, it will need to be renamed or moved lower in the tree before installing DSfW.
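Both of the preceding checks (the blocking ACL values on the container, and the reserved names directly under it) can be run from the LDAP side before the name-mapped install. The script below is an added example, not part of the TID or of DSfW: it uses OpenLDAP ldapsearch output in LDIF form, joins folded continuation lines, and compares the ACL attribute values and the naming value of each child entry against the two lists above. The server name, bind DN and container DN in the comments are placeholders, and the LDIF sample it parses is constructed, not captured from a real tree.

```bash
# Added example (not part of the TID): check a name-mapped container for the
# blocking ACL values and the reserved child names listed above. Assumes
# OpenLDAP ldapsearch talking to eDirectory LDAP; server, bind DN and
# container DN in the usage comment are placeholders.

# ACL values that must not be present on the container (the list above).
BLOCKING_ACLS='1#subtree#[Public]#cn
3#subtree#[Root]#[All Attributes Rights]
4#subtree#[This]#dBCSPwd
4#subtree#[This]#unicodePwd
4#subtree#[This]#supplementalCredentials
3#subtree#[Root]#userCertificate;binary
3#subtree#[Root]#cACertificate;binary'

# Names DSfW creates directly under the domain container. Only the naming
# value is compared (case-insensitively); the base class does not matter.
RESERVED_NAMES='computers
users
domain controllers
defaultmigrationcontainer
deleted objects
foreignsecurityprincipals
infrastructure
lostandfound
ntds quotas
program data
system
container'

# Join LDIF continuation lines (a leading space continues the previous
# line) so that every attribute value sits on one line.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# Read unfolded LDIF on stdin; print each blocking ACL value found.
# Returns 1 if any were found. (Base64-encoded "ACL::" values are not
# decoded here; the blocking values are plain ASCII and never arrive encoded.)
find_blocking_acls() {
    fb_found=0
    while IFS= read -r fb_line; do
        case "$fb_line" in
            "ACL: "*) fb_value=${fb_line#ACL: } ;;
            "acl: "*) fb_value=${fb_line#acl: } ;;
            *) continue ;;
        esac
        if printf '%s\n' "$BLOCKING_ACLS" | grep -Fxq -- "$fb_value"; then
            echo "blocking ACL present: $fb_value"
            fb_found=1
        fi
    done
    [ "$fb_found" -eq 0 ]
}

# Read unfolded LDIF of the container's children on stdin; print each entry
# whose first RDN value collides with a reserved name. Returns 1 if any do.
find_reserved_children() {
    fr_found=0
    while IFS= read -r fr_line; do
        case "$fr_line" in
            "dn: "*) fr_dn=${fr_line#dn: } ;;
            *) continue ;;
        esac
        fr_rdn=${fr_dn%%,*}              # e.g. ou=users
        fr_name=${fr_rdn#*=}             # e.g. users
        fr_lower=$(printf '%s' "$fr_name" | tr 'A-Z' 'a-z')
        if printf '%s\n' "$RESERVED_NAMES" | grep -Fxq -- "$fr_lower"; then
            echo "reserved name in use: $fr_dn"
            fr_found=1
        fi
    done
    [ "$fr_found" -eq 0 ]
}

# Live usage against the tree (placeholders; not run here):
#   ldapsearch -x -H ldaps://server1.dsfwdomain.com -D cn=admin,o=prv -W \
#       -b o=prv -s base '(objectClass=*)' ACL | unfold_ldif | find_blocking_acls
#   ldapsearch -x -H ldaps://server1.dsfwdomain.com -D cn=admin,o=prv -W \
#       -b o=prv -s one '(objectClass=*)' dn | unfold_ldif | find_reserved_children

# Constructed sample output (not captured from a real server): one blocking
# ACL folded across two lines, and an ou=users child under the container.
SAMPLE_BASE='dn: o=prv
ACL: 2#entry#[Public]#messageServer
ACL: 3#subtree#[Root]#[All At
 tributes Rights]
'
SAMPLE_CHILDREN='dn: ou=users,o=prv

dn: ou=sales,o=prv
'
printf '%s' "$SAMPLE_BASE" | unfold_ldif | find_blocking_acls || echo "remove these ACLs before mapping"
printf '%s' "$SAMPLE_CHILDREN" | unfold_ldif | find_reserved_children || echo "rename or move these entries first"
```

Run the two live searches as a user with read rights to the container; the one-level search (`-s one`) is what matters for the reserved names, since the TID only rules out collisions directly under the domain partition.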

Master of the domain partition: for OES2 SP1 and SP2 the first domain controller in a domain is automatically designated the master replica holder of the partition and is the RID master for the domain.
For OES2 SP3 and OES11 the master replica is retained on the existing eDirectory server, and a read/write replica is added to the DSfW server.

Time: verify that the time and time zone are correct on both the eDirectory server and the DSfW server. Domain authentication uses Kerberos, which rejects requests whose timestamps fall outside the permitted clock skew (5 minutes by default), so a clock that drifts after the install causes logon failures as well.

eDirectory health: perform an eDirectory health check as described in TID 3564075.

OES11 and AppArmor: before installing DSfW, install either AppArmor or the perl-TermReadKey Perl module; otherwise the install will fail because of a missing dependency (TID 7010065).

LUM configuration: if LUM is configured with a UNIX Config object in the container the domain will be mapped to, see TID 7009930; the LUM attributes on the container need to be removed. This affects only OES11 installs, not OES11 SP1.

Password policy: if a password policy is assigned to the container the domain will be mapped to, be sure to enable "Synchronize Distribution Password when setting Universal Password" in the password policy. If this is not enabled, the Unicode password (unicodePwd) will not be synchronized.
Also ensure that the option "Retain existing Novell Password Policies on Users" is checked. This option appears on the screen where the FDN of the container to be mapped is entered. Again, check this option only if a password policy is already assigned to the container the domain will be mapped to.

When installing DSfW, select only the DSfW pattern; all the other necessary patterns will be selected automatically. Do not uncheck any of them.
 
Starting with the April 2013 maintenance patch, apply patches before installing and configuring DSfW.