Domain Services for Windows: Best Practices for Windows Interoperability
31
Domain Services for Windows: Best Practices for Windows Interoperability Nicel KM Engineering Manager [email protected] David Shepherd Senior Technical Specialist [email protected]
description
Attend this session to learn how Domain Services for Windows can help you enhance Windows interoperability. Find out how to design trees and forests for Domain Services for Windows, how to integrate it into existing Novell eDirectory trees, how to leverage deployment methods that support application access and much more. We'll also discuss how you can deploy Domain Services for Windows with Citrix, VMware and NetApp.
Transcript of Domain Services for Windows: Best Practices for Windows Interoperability
Domain Services for Windows:Best Practices for Windows Interoperability
Nicel KMEngineering [email protected]
David ShepherdSenior Technical [email protected]
© Novell, Inc. All rights reserved.2
• What is Domain Services for Windows (DSfW)?
• Features in DSfW
• Prerequisites for Successful Deployment
• Deployment Options
• Demonstration
• DSfW in OES2 SP2 and beyond
• Third Party Applications Support
Agenda
What is Domain Services for Windows?
© Novell, Inc. All rights reserved.4
What is Domain Services for Windows?• Domain Services for Windows (DSfW) is a suite of
technologies
• Provides AD style authentication to users, applications
• eDirectory™ users can access AD resources and applications with a cross forest trust in place
• Seamless (need to depict that it doesnt change becos of dsfw) access to OES services like file and print services present on NSS or POSIX file systems
© Novell, Inc. All rights reserved.5
DSfW: What Does It Achieve?
eDirectory™ Tree ActiveDirectory
Forest
eDirectory
DSfW
DSfW Cross Forest TrustResource Access
eDirectoryUser
WindowsUser
AD Style AuthenticationApplications
MMCAdd/Modify User
iManager
Clientless Access
Features in DSfW
© Novell, Inc. All rights reserved.7
Features in DSfW
• AD protocol support
• Domain Emulation/Samba support
• Manageability – MMC/iManager
• Authentication
© Novell, Inc. All rights reserved.8
Features in DSfW (cont.)
• need more information here.
Prerequisites forSuccessful Deployment
© Novell, Inc. All rights reserved.10
Understand What You Are Trying To Achieve• What is DSfW going to be used for?
– Application support. Check that the Windows based application is going to work with DSfW. Do you need a Trust to a real AD Domain for this to work correctly? What is the support position on the proposed solution?
– Windows 2003 and 2008 are not yet supported as member servers but do seem to work
• DSfW into an existing Tree– eDirectory™ versions need to be up to date. At least one existing
eDirectory 8.8 Server should be in the tree with the rest at 8.73.10 or later. Put at least one OES2 Linux Server in place to begin with with any NetWare® 6.5 Servers on SP8
– Time synchronization is key. Kerboros is also time sensitive
© Novell, Inc. All rights reserved.11
• Current eDirectory™ Structure
– Examine your existing eDirectory structure. Flat eDirectory designs with many Organization objects at the Tree Root may be problematic to implement DSfW
– The first DSfW servers DNS Suffix needs to match the AD Domain Name and suffix. For example if your AD domain name is dc=novell,dc=com then the DNS Suffix needs to be novell.com
– Schema checks. Check your schema in accordance with Novell® tid 7003431. May require a dial in to fix
– Partitioning and replication. Check the general tree health and how the existing partitions map to DSfW
Understand What You Are Trying To Achieve
Deployment Options
© Novell, Inc. All rights reserved.13
New DomainNon-Name Mapped Configuration• Characteristics:
– eDirectory™ tree is new– eDirectory Tree Administrator is newly created and the DN is
fixed. The AD Forest Name is created at the Tree Root as a hierarchy of DC objects. User administrator is created in cn=administrator,cn=users,dc=novell,dc=com. The dc objects are actual eDirectory objects
server 1 server 2 server 3 server 4 server 5
domain
dc=example, dc=com
DomainControllers
© Novell, Inc. All rights reserved.14
New DomainNon-Name Mapped Configuration• Why would this be used?
– Single Server Tree can only be configured in a Non-Name Mapped configuration
– New Tree just for DSfW. No other application considerations
– The eDirectory Tree Administrator is also the DSfW Administrator. No eDirectory user called admin is created
– A domain is automatically mapped to the eDirectory container. e.g. domain acme.com is mapped to container dc=novell,dc=com
© Novell, Inc. All rights reserved.15
Into Existing eDirectory™ Trees(Name Mapping Mode)
• Characteristics
– A existing eDirectory Tree's partitioned container is used to map the DSfW domain (Name Mapping Mode)
– The eDirectory Tree Administrator is different from the First Domain Administrator
– The domain mapping to eDirectory Tree is managed by the eDirectory Tree Administrator
© Novell, Inc. All rights reserved.16
Into Existing eDirectory™ Trees(Name Mapping Mode)
• Why would this be used ?
– To add DSfW to an existing eDirectory environment
– To allow the use of Novell Workstations without the Novell® Client
– To allow access through an AD style trust for Microsoft Applications to Novell Users and Data
– To preserve use of existing Novell based applications such as GroupWise® and the Novell Client
Demonstration of Deployment
© Novell, Inc. All rights reserved.18
Deployment of DSfW Into An Existing eDirectory™ Tree• Existing NW6.5 SP8 Tree – Novell-Tree
• OES2 SP2 Server has already been part configured and joined to the tree
• The DSfW Provisioning wizard still needs to run
• Once deployed examine how access can be given to Microsoft Clients to data volumes hosted on the NetWare® Server
DSfW in OES2 SP2 and Beyond
© Novell, Inc. All rights reserved.20
DSfW in OES2 SP2
• New Provisioning Wizard
• Sysvol replication
• Password Policies
• Upgrade
© Novell, Inc. All rights reserved.21
DSfW Provisioning Wizard
• Allows autoYaST to configure a basic OES2 SP2 system. A Java-based wizard is then used
• Gives more control and management over the DSfW install process then OES2 SP1
• Gives the opportunity for remedial action if an installation stage fails. Each stage can be executed multiple times until successful
• Is only run when the base OS is installed and operational
• Can be scripted if required
© Novell, Inc. All rights reserved.22
DSfW Provisioning Wizard
© Novell, Inc. All rights reserved.23
SysVol Replication
• Allows for the replication of sysvol between Domain Controllers in OES2 SP2
• Uses rsync to execute the synchronization
• Similar functionality to native Windows 2003 Domain Controller
© Novell, Inc. All rights reserved.24
Password Policies
• Needs adding
© Novell, Inc. All rights reserved.25
Upgrade
• Allows the in place upgrade of an existing DSfW Domain Controller
© Novell, Inc. All rights reserved.26
DSfW in OES2 SP3
• Removing Partition Boundary Limitation
• DNS configuration on ADC
• Deployment limiters
– Not moving master replica
– Disconnected children
– Domain name != container name
• Windows 2008 member server support
• Application?
Third Party Application Support
© Novell, Inc. All rights reserved.28
Citrix
• Supported configuration for Citrix XENDesktop and DSfW: http://support.citrix.com/article/CTX123281
– XenDesktop 3 and 4 are supported when used in an environment with Novell® Domain Services for Windows (DSfW) in Open Enterprise Server 2 Support Pack 1 and higher as follows:
– The XenDesktop farm must be configured to use registry-based controller discovery, as documented in KB article CTX118976 - How to Configure XenDesktop to Function Properly Without an Organizational Unit in Active Directory, and all Desktop Delivery Controllers and virtual desktops must be a member of the same “Domain Services for Windows” domain. There is no requirement for Novell client software to be installed either on the Desktop Delivery Controllers or the virtual desktops
© Novell, Inc. All rights reserved.29
NetApp
USERS
COMPUTERS
DSfWDomain
•Unpublished Work of Novell, Inc. All Rights Reserved.•This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.••General Disclaimer•This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
