2.2 Meeting NSS AD Infrastructure Requirements

You can select the NSS AD pattern during OES installation or after the OES server is installed and running.

Table 2-1 Preparing Your Infrastructure for OES

The table has two columns:

  • Selecting NSS AD pattern with OES Server installation

  • Installing NSS AD post OES Server installation

OES Server

With OES Server installation:

Ensure that you select the NSS AD pattern during OES server installation.

Post OES Server installation:

Ensure that the OES server that will run NSS AD is fully patched (including SLES patches) before you install NSS AD.

Active Directory

Ensure that your Active Directory deployment meets the following constraints:

  • The Domain Controller for the domain your OES server will join is a Windows 2008, Windows 2008 R2, Windows 2012, Windows 2012 R2, or Windows 2016 server.

  • Your NSS AD deployment can target a single AD forest or a multi-forest environment.

    • Single Forest Environment: Create a Universal Group with the sAMAccountName "OESAccessGrp" anywhere in the AD forest. Only the members of this group will have access to the NSS resources based on their trustee assignments. In the absence of this group, all the AD users in the forest can access the NSS resources based on their trustee assignments.

    • Multi-Forest Environment: Create a Domain Local Group (DLG) with the sAMAccountName "DLOESAccessGrp" in the AD domain to which this OES server is joined. Only the members of this group (OES forest and across forest) will have access to the NSS resources based on their trustee assignments. In the absence of this group, the AD users across the forest cannot access the NSS resources.

AD Rights

Identify the username and password of an AD user who has rights to join the OES server to the domain.

The following rights are required on the container where the OES server object will be located:

  • Reset password

  • Create computer objects

  • Delete computer objects

  • Read and write the msDS-SupportedEncryptionTypes attribute

DNS

With OES Server installation:

  1. Ensure that the DNS service that the OES server will use is configured such that the server will be able to resolve the DNS name of the AD domain controller for the domain to which the server will be joined.

  2. Ensure that the DNS service includes a reverse lookup entry for the AD domain controller.

Post OES Server installation:

  1. Ensure that the OES server can resolve the DNS name of the AD domain controller for the domain that the server will join.

  2. Ensure that the DNS service includes a reverse lookup entry for the AD domain controller.

CIFS

With OES Server installation:

Install and configure CIFS at the same time as you install OES and NSS AD Support.

Post OES Server installation:

Ensure that the CIFS service that AD users will access is configured and operational on the OES server.

Time Synchronization

With OES Server installation:

Ensure that the date and time settings that you specify for the OES server match those of the AD domain controller.

Post OES Server installation:

Ensure that the date and time for the OES server match the AD domain controller’s date and time.
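A pre-join check for the DNS requirements above, as an added example that is not part of the OES documentation: run on the OES server, it confirms that the domain controller's name resolves and that each returned address has a reverse lookup entry. The host name in the usage comment is a placeholder, the function names are hypothetical, and requiring the reverse entry to return the same name is an assumption stricter than the requirement as stated.

```bash
#!/bin/bash
# Added example: DNS pre-check to run before joining the OES server to AD.
# Usage: ./check_dc_dns.sh dc1.example.com   (placeholder host name)
# getent uses the server's own resolver configuration, so an /etc/hosts
# entry can mask a missing DNS record; inspect that file if results look odd.

# Forward lookup: print each IPv4 address the resolver returns for a name.
resolve_forward() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Reverse lookup: print the canonical name the resolver returns for an address.
resolve_reverse() {
    getent hosts "$1" | awk '{print $2; exit}'
}

# Returns 0 only if the DC name resolves and every address maps back to it.
check_dc_dns() {
    local dc_fqdn addrs addr ptr rc=0
    # Normalise: strip a trailing dot and compare case-insensitively.
    dc_fqdn=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')
    addrs=$(resolve_forward "$dc_fqdn")
    if [ -z "$addrs" ]; then
        echo "FAIL: no forward (A) record found for $dc_fqdn"
        return 1
    fi
    for addr in $addrs; do
        ptr=$(resolve_reverse "$addr" | tr 'A-Z' 'a-z')
        ptr=${ptr%.}
        if [ -z "$ptr" ]; then
            echo "FAIL: no reverse lookup entry for $addr"; rc=1
        elif [ "$ptr" != "$dc_fqdn" ]; then
            echo "FAIL: $addr reverses to $ptr, expected $dc_fqdn"; rc=1
        else
            echo "OK: $dc_fqdn <-> $addr"
        fi
    done
    return $rc
}

# Run the check only when a domain controller name is given on the command line.
if [ "$#" -ge 1 ]; then
    check_dc_dns "$1"
fi
```

A non-zero exit status means at least one lookup failed; the printed FAIL lines identify the address or name to fix in the DNS service before the join.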