www.novell.com
Novell Training Services

ATT LIVE 2012 LAS VEGAS

Configuring File Servers and Active Directory with Domain Services for Windows - Lecture
OES11

Novell, Inc. Copyright 2012-ATT LIVE-1-HARDCOPY PERMITTED. NO OTHER PRINTING, COPYING, OR DISTRIBUTION ALLOWED.




Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc.

404 Wyman Street, Suite 500

Waltham, MA 02451

U.S.A.

www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials

All third-party trademarks are the property of their respective owners.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 12


Trusts: What are they and how to create them

Rance Burker, Global Support, [email protected]


Trusts


Trusts: Why do we need trusts?

● Trusts allow users of one domain to access resources from another domain.
● The resources can be another server's file system or applications.
● The trust relationship is a shared secret that can be used for both Kerberos and NTLM authentication, together with information used to support name resolution.


Trusts: Key terms

● Types of trusts DSfW supports
  ● Parent-child
  ● External
  ● Realm
  ● Forest
  ● Shortcut
● Direction of trusts
  ● Two-way
  ● One-way
● Transitivity


Trusts: Key terms

● Transitivity
  ● Determines if a trust can be extended beyond the two domains where the trust is formed.
● Transitive trusts
  ● Not restricted to the two domains a trust is created between. If domain A is trusted by domain B and a new trust is created between domain B and domain C, domain C will trust domain A.
● Examples of transitive trusts
  ● Forest trust
  ● Realm trust
  ● Shortcut trust


Trusts: Key terms

● Non-transitive trusts
  ● The trust is restricted to the two domains and does not flow to other domains in the forest. Transitive trusts can be one-way or two-way.
● Examples of non-transitive trusts
  ● External trust
  ● Realm trust


Trusts: Types of Trusts

● Parent-child
  ● Created by default when a child domain is created. It is a two-way transitive trust.
● External
  ● Non-transitive trusts between two domains in different forests. They can be one-way or two-way. This type of trust is useful to allow resource sharing only between specific domains in different forests.
● Realm
  ● One-way or two-way, transitive or non-transitive trusts that you can set up between an Active Directory domain and a Kerberos V5 realm.


Trusts: Types of Trusts

● Forest trust
  ● Transitive trusts between two forests. These trusts include complete trust relationships between all domains in the relevant forests, so resource sharing among all domains in the forests is allowed. The trust relationship can be either one-way or bidirectional.
  ● Both forests must be operating at the Windows Server 2003 forest functional level. By default, DSfW operates at this level.
  ● DSfW cross-forest trusts only allow DSfW users to access AD resources; AD users cannot access DSfW resources.
  ● The use of forest trusts offers several benefits:
    – They simplify resource management between forests by reducing the number of external trusts needed for resource sharing.
    – They provide a wider scope of UPN authentication, which can be used across the trusting forests.
    – They provide increased administrative flexibility by enabling administrators to split collaborative delegation efforts with administrators in other forests.
    – They provide greater trustworthiness of authorization data. Administrators can use both the Kerberos and NTLM authentication protocols when authorization data is transferred between forests.
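The direction and transitivity rules from the preceding slides, worked through as a small graph model so the effective access scope of a trust topology can be audited. This is an added example, not Novell course material: the child domains sales.da.com and corp.ad.com and the partner.example domain are constructed, and the forest trust is modelled one-way (AD trusts DSfW) as the DSfW note above states.

```python
"""Trust direction and transitivity as a graph (added example, not course material).

An edge (resource_domain -> user_domain) means resource_domain trusts user_domain.
A direct trust always grants access; a chain of two or more trusts only grants
access when every hop is transitive, so external (non-transitive) trusts never
extend to a third domain.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set, Tuple


@dataclass(frozen=True)
class Trust:
    kind: str           # parent-child, forest, external, realm, shortcut
    trusting: str       # domain that opens its resources
    trusted: str        # domain whose users are accepted
    transitive: bool
    two_way: bool = False

    def edges(self) -> Iterator[Tuple[str, str, bool]]:
        """Yield (resource_domain, user_domain, transitive) edges for this trust."""
        yield (self.trusting, self.trusted, self.transitive)
        if self.two_way:
            yield (self.trusted, self.trusting, self.transitive)


def trusted_domains(resource_domain: str, trusts: List[Trust]) -> Set[str]:
    """Domains whose users can authenticate to resources in resource_domain."""
    graph: Dict[str, List[Tuple[str, bool]]] = {}
    for trust in trusts:
        for res, usr, transitive in trust.edges():
            graph.setdefault(res, []).append((usr, transitive))

    reachable: Set[str] = set()
    expanded = {resource_domain}          # domains already followed through
    frontier = [resource_domain]
    while frontier:
        current = frontier.pop()
        for nxt, transitive in graph.get(current, []):
            if current != resource_domain and not transitive:
                continue                  # second hop over a non-transitive trust
            reachable.add(nxt)
            if transitive and nxt not in expanded:
                expanded.add(nxt)         # transitive trusts keep the chain going
                frontier.append(nxt)
    reachable.discard(resource_domain)
    return reachable


def can_access(user_domain: str, resource_domain: str, trusts: List[Trust]) -> bool:
    """True when a user from user_domain can reach resources in resource_domain."""
    return user_domain == resource_domain or user_domain in trusted_domains(resource_domain, trusts)


# Constructed topology: a DSfW forest (da.com) and a Microsoft AD forest (ad.com),
# each with one child domain, plus an external trust to a partner domain.
TRUSTS = [
    Trust("parent-child", "da.com", "sales.da.com", transitive=True, two_way=True),
    Trust("parent-child", "ad.com", "corp.ad.com", transitive=True, two_way=True),
    # DSfW cross-forest trust: ad.com trusts da.com, never the other way round.
    Trust("forest", "ad.com", "da.com", transitive=True, two_way=False),
    # External trust: sales.da.com lets partner.example users in, non-transitive.
    Trust("external", "sales.da.com", "partner.example", transitive=False),
]

if __name__ == "__main__":
    for domain in ("corp.ad.com", "sales.da.com", "da.com", "partner.example"):
        users = sorted(trusted_domains(domain, TRUSTS)) or ["(none)"]
        print(f"{domain:16} accepts users from: {', '.join(users)}")
```

The report shows the two points the slides make: partner.example users stop at sales.da.com because the external trust is not transitive, and no AD domain appears in any DSfW domain's list because the forest trust is one-way.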


Trusts: Forest Trust

[Figure: a forest trust between a DSfW domain and a Microsoft AD domain]


Trusts: Types of Trusts

● Shortcuts
  ● These are trusts created within a tree.
  ● By default trusts go up and down the tree, but not sideways.
  ● Shortcut trusts are created between child domains.


Trusts: Types of Trusts

[Figure: two two-way transitive trusts (parent to child) and a shortcut trust between the child domains]


DNS Terminology


DNS Terminology

● Domain names
  ● Represent the position of an entity within the domain name space.
  ● Contain DNS settings, also known as DNS records.
● Hosts
  ● A host is a computer within the domain.
  ● A host can be a server, workstation, phone, or any device that uses an IP address and needs a name.
  ● Can be part of any second-level or sub-domain, for example: dsfw1.da.com
● Zone
  ● A contiguous portion of a domain namespace. Allows DNS records to be kept in order.
  ● Every domain name which is part of the DNS system has several DNS settings, also known as DNS records. The DNS zone keeps the DNS records in order.


DNS Terminology: Types of Zones

● Forward lookup zone
  ● A zone used to contain records for mapping names to IP addresses.
● Reverse lookup zone (in-addr.arpa zone)
  ● A zone used to contain records for mapping IP addresses to names.


DNS Terminology: Types of Name Servers

● Name servers
  ● Servers running DNS; they contain the domain database.
  ● Allow the domain database to be divided into zones.
● Authoritative name server
  ● Answers DNS requests.
● Primary name server
  ● The one DNS name server in each administrative zone that maintains the read-write copy of the hostname database and address information for an entire domain.


DNS Terminology: Types of Name Servers

● Secondary name server
  ● Holds a read-only copy of the primary name server's DNS database.
  ● Secondary name servers provide redundancy and load balancing for a domain.
● Forward name server
  ● Forwards all queries to another DNS server and caches the results.
  ● Does not contain a copy of the DNS database.
● Root name servers
  ● The root name servers contain information for the name servers in all top-level domains.


DNS Terminology: Resource Records

● Resource records
  ● Resource records (RRs) contain the host information maintained by the name servers and make up the DNS database. Different types of records contain different types of host information.
● Address record (A record): provides the name-to-address mapping for a given host.
● Pointer record (PTR record): matches an IP address to a host; used for reverse mapping.
● Name server record (NS): binds a domain name with the hostname of a specific name server.


DNS Terminology: Relative and FQDN Names

● Relative DNS name: the short name
  ● The server appends the default DNS suffix.
  ● Relative name: dsfw1
● Fully qualified DNS name: the long name
  ● Fully qualified: dsfw1.da.com


DNS Terminology: Types of Zones

● In order to create a trust, DNS has to be configured so that each domain can resolve not only its own domain name but also the domain name of the trusted domain.
● The two most common ways of configuring DNS between two forests in order to set up a cross-forest trust are:
  ● Forwarder
  ● Zone transfer


DNS Terminology: Types of Zones

● Forwarders
  ● DNS queries for a specified domain are forwarded to a designated server that hosts the domain or contains information about the domain. A stub zone is similar to a forwarder.
● Zone transfer (secondary)
  ● Zone transfer is essential for maintaining up-to-date zone data in the server. When a Novell server is designated as primary, all the changes made by the designated primary to eDirectory are reflected in the eDirectory replicas, using the eDirectory sync property. When a Novell server is designated as secondary, zone transfer is needed for receiving the most up-to-date zone data from any primary servers.
  ● The designated secondary server sends a zone-in request after the refresh time interval or after receiving a notification from the primary server. Zone transfer-in requests are not triggered if the eDirectory services are not available.


DNS Queries: nslookup and dig

● Use nslookup or dig to verify DNS is resolving properly.
● nslookup by default only queries A records.
  ● Use nslookup -query=any to query all records.
  ● Use nslookup -query=<type> to query a specific record type.
● Common queries
  ● Reverse lookup query: nslookup 172.17.0.31
  ● Query the domain name: nslookup ad.com or dig ad.com
  ● Query the SRV record _ldap._tcp.dc._msdcs.<domain name>
    – nslookup -query=any _ldap._tcp.dc._msdcs.ad.com
    – dig _ldap._tcp.dc._msdcs.ad.com
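The DNS requirement for a cross-forest trust (each side must resolve the other's domain) and the SRV, A and reverse queries above, combined into one readiness check. This is an added example, not course material: it parses dig-style answer lines that are constructed here; dsfw1.da.com, 172.17.0.31 and ad.com come from the slides, while pairing dsfw1 with that address and the dc1.ad.com / 172.17.0.40 records are assumptions.

```python
"""Pre-trust DNS readiness check for two forests (added example, not course material).

It parses "dig +noall +answer" style lines and walks the chain the course's
queries verify by hand: _ldap._tcp.dc._msdcs.<domain> SRV -> domain controller
A record -> matching PTR.  Both the local and the remote domain must pass from
the same resolver, otherwise the trust wizard cannot locate the other side's DCs.
"""
import ipaddress
from collections import defaultdict
from typing import DefaultDict, Dict, List, Tuple

Index = Dict[Tuple[str, str], List[List[str]]]

# Constructed answers as seen from the DSfW side's resolver.  dsfw1.da.com,
# 172.17.0.31 and ad.com appear on the slides; the dsfw1/172.17.0.31 pairing
# and the dc1.ad.com / 172.17.0.40 records are made up for this example.
ANSWERS_DA = """\
_ldap._tcp.dc._msdcs.da.com. 600  IN SRV 0 100 389 dsfw1.da.com.
dsfw1.da.com.                3600 IN A   172.17.0.31
31.0.17.172.in-addr.arpa.    3600 IN PTR dsfw1.da.com.
_ldap._tcp.dc._msdcs.ad.com. 600  IN SRV 0 100 389 dc1.ad.com.
dc1.ad.com.                  3600 IN A   172.17.0.40
40.0.17.172.in-addr.arpa.    3600 IN PTR dc1.ad.com.
"""

# Constructed answers from the AD side before a forwarder (or secondary zone)
# for da.com exists: only its own domain resolves.
ANSWERS_AD_BROKEN = """\
_ldap._tcp.dc._msdcs.ad.com. 600  IN SRV 0 100 389 dc1.ad.com.
dc1.ad.com.                  3600 IN A   172.17.0.40
40.0.17.172.in-addr.arpa.    3600 IN PTR dc1.ad.com.
"""


def parse_answers(text: str) -> Index:
    """Index answer lines by (owner name, record type) -> list of rdata field lists."""
    index: DefaultDict[Tuple[str, str], List[List[str]]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()      # drop dig comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            raise ValueError(f"unexpected answer line: {raw!r}")
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        index[(owner, rtype)].append(rdata)
    return index


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an address, e.g. 31.0.17.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_dc_records(domain: str, index: Index) -> List[str]:
    """Problems in the DC locator chain for one domain; an empty list means OK."""
    problems: List[str] = []
    srv_owner = f"_ldap._tcp.dc._msdcs.{domain}.".lower()
    srvs = index.get((srv_owner, "SRV"), [])
    if not srvs:
        return [f"{domain}: no SRV record {srv_owner} (forwarder or secondary zone missing?)"]
    for _prio, _weight, _port, target in srvs:
        addrs = index.get((target.lower(), "A"), [])
        if not addrs:
            problems.append(f"{domain}: SRV target {target} has no A record")
            continue
        for (addr,) in addrs:
            ptrs = [p[0].lower() for p in index.get((reverse_name(addr), "PTR"), [])]
            if not ptrs:
                problems.append(f"{domain}: {addr} has no PTR record")
            elif target.lower() not in ptrs:
                problems.append(f"{domain}: PTR for {addr} is {ptrs[0]}, not {target}")
    return problems


def trust_dns_ready(local_domain: str, remote_domain: str, answers: str) -> Tuple[bool, List[str]]:
    """True when both sides of a planned trust resolve cleanly from this resolver."""
    index = parse_answers(answers)
    problems = check_dc_records(local_domain, index) + check_dc_records(remote_domain, index)
    return (not problems, problems)


if __name__ == "__main__":
    for side, local, remote, text in (("DSfW", "da.com", "ad.com", ANSWERS_DA),
                                      ("AD", "ad.com", "da.com", ANSWERS_AD_BROKEN)):
        ok, problems = trust_dns_ready(local, remote, text)
        print(f"{side} resolver: {'ready' if ok else 'NOT ready'}")
        for problem in problems:
            print("  -", problem)
```

Feed it real output from dig +noall +answer run on each side's DNS server; a "no SRV record" result for the remote domain is the symptom of the missing forwarder or secondary zone described on the previous slides.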


Demonstration


Group Policy Objects: What are they and how does DSfW use them

Rance Burker, Global Support, [email protected]


Group Policy Basics


Group Policy Objects

● A group policy object is a feature of Windows that allows multiple workstations to be managed and configured from a central point of administration.
● There are thousands of possible configurations.
● Group Policies contain policy settings and preference settings.
  ● Policy settings
    – The simplest, most granular component of Group Policy; contains settings for workstations.
  ● Preference settings
    – New in Windows Server 2008 and Windows 7, preference settings provide the ability to change almost any registry setting, file, folder, or other item. By using preference settings, one can configure applications and Windows features that are not Group Policy-aware.


Group Policy Objects: Policy Settings

● There are three setting options for policy settings
  ● Enabled
    – Writes the policy setting to the registry with a value that enables it.
  ● Disabled
    – Writes the policy setting to the registry with a value that disables it.
  ● Not Configured
    – Leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users.


Group Policy Objects: Types of GPOs

● Two types of Group Policies
  ● Local GPO
  ● Domain GPO
● Local Group Policy Object
  ● Local group policy is set on individual computers.
  ● It affects local user accounts.
  ● It is not centrally managed (unless using ZENworks).
  ● It is assigned to local users or groups.
● Domain-based Group Policy Object
  ● Is managed centrally at the domain level.
  ● Is assigned to users or groups.


Group Policy Objects: Creating, editing, and the scope of GPOs

● Create GPO
  ● All GPOs are created in the Group Policy Objects container.
  ● They are linked to the containers the GPO applies to.
  ● Use the GPMC (Group Policy Management Console) to create GPOs.
● Editing
  ● Allows for the editing of policy settings.
  ● Start the GPME (Group Policy Management Editor).
  ● To edit, right-click on the GPO (or a link of the GPO) and select Edit.
● Scope
  ● The collection of users and computers the GPO applies to.
  ● Made up of links, security filters, and WMI (Windows Management Instrumentation) filters.


Group Policy Objects: Creating, the scope, and editing GPOs

● Links
  ● Can be made on domains and OUs (sites are not supported in DSfW).
  ● Cannot create links to users or groups.
  ● The attribute created for the link is gplink.
● Filters
  ● Security filters are globally applied to specified groups or users.
  ● WMI filter: characteristics of an operating system, or free disk space.
  ● Can use only one type of filter, usually a security filter.


Group Policy Objects: Creating, the scope, and editing GPOs

● Editing a GPO
  ● Right-click on the GPO (or a link of the GPO) and select Edit.
  ● Allows for the editing of policy settings.
  ● Starts the GPME (Group Policy Management Editor).


Group Policy Objects: Group Policy Software Installation and Refresh

● GPSI (Group Policy Software Installation)
  ● Allows software packages (MSI) to be installed; it is configured in the GPO.
● Group Policy refresh
  ● Computer Configuration\Administrative Templates\System\Group Policy
  ● By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. In addition to background updates, Group Policy for the computer is always updated when the system starts.
  ● The refresh is a pull from the client side, meaning the client initiates the update.
  ● It is possible to specify an update rate from 0 to 64,800 minutes (45 days); 0 means every 7 seconds.
  ● Disabling the refresh setting sets it back to the default, which is 90 minutes.


Group Policy Objects: Group Policy Refresh

● Group Policy refresh
  ● If the "Disable background refresh of Group Policy" policy is enabled, this policy is ignored.
  ● The GPO can be updated manually with the gpupdate.exe tool.
  ● gpupdate /force forces an update of the GPO.
  ● gpresult /z shows a complete status of the GPO.
  ● When the Group Policy refresh begins, a service called Group Policy Client running on the client side determines which GPOs to apply to the computer and the user. If the GPO is not already cached


Group Policy Implementation in DSfW


Group Policy Objects: Group Policy Implementation in DSfW

● Each group policy has two parts
  ● Group Policy container: stored in the directory.
  ● Group Policy template (GPT): stored in the 'sysvol' volume of the first Domain Controller.
    – Location is /var/opt/novell/xad/sysvol/
● In OES2 SP1, ADCs were configured to return referrals to the first Domain Controller. The sysvol was not replicated from the PDC to the ADCs.
● Starting in OES2 SP2, ADCs hold the GPO by way of sysvolsync.


● sysvolsync is configured during the provisioning wizard.
● A cron job is created to run sysvolsync every 30 minutes.
● The sysvolsync.sh script is located at /opt/novell/xad/sbin/sysvolsync

Group Policy Objects: Group Policy Implementation in DSfW


● Password Policies can be applied through a GPO.
● gposync syncs the password policy setting located in the sysvol to eDirectory.
● A crontab entry is created during the update service configuration task in the provisioning wizard.
● The setting XADRETAINPOLICIES in /etc/opt/novell/xad/xad.ini determines whether the password policy comes from the GPO or from an eDirectory-created password policy:
● no = use the password policy created with the GPO. The Group Policy Management Tool and Editor are used to create the password policy.
● yes = retain existing policies / use password policies created in iManager.

Group Policy Objects: Group Policy Implementation in DSfW


● If an existing password policy is intended to be applied, but changes made to the policy do not take effect or are reset every 30 minutes, change XADRETAINPOLICIES to yes. See TID 7005721.
● gposync reads the sysvol to create password policy objects and group policy objects within the directory.
● Password policies are located in Password Policies.System.<domain>
● Group Policy Objects are located in Policies.System.<domain>

Group Policy Objects: Group Policy Implementation in DSfW
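The two server-side settings the slides above hinge on are the XADRETAINPOLICIES value in xad.ini (which decides whether the GPO or eDirectory is the source of the password policy) and the cron job that runs sysvolsync every 30 minutes (which is why an unwanted GPO policy appears to "reset" on that cadence). The following POSIX shell script is an added example, not code from the course or from the DSfW product: it reads the setting from an xad.ini-style file and checks a saved crontab listing for the sysvolsync entry. The default file paths are the ones the slides give; the sample xad.ini and crontab contents are constructed for the demo, and the accepted cron minute fields (*/30 or 0,30) are an assumption about how the wizard writes the entry.

```shell
#!/bin/sh
# Added example, not from the Novell deck: read XADRETAINPOLICIES from an xad.ini-style
# file and report which password policy source it selects, and check that a saved
# crontab listing contains a sysvolsync entry on the 30-minute schedule the deck describes.
# The sample files below are constructed; the default paths are the ones the deck names.

# Print the value of KEY in FILE (key=value lines; later lines override earlier ones),
# or "unset" when KEY is absent. Comment lines starting with # or ; are ignored.
ini_get() {                                   # $1 = file, $2 = key
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { print (found ? val : "unset") }' "$1"
}

# Map XADRETAINPOLICIES to the policy source the deck describes:
#   no  -> password policy comes from the GPO (edited with the Group Policy Management Editor)
#   yes -> existing eDirectory password policies (created in iManager) are retained
password_policy_source() {                    # $1 = xad.ini path (defaults to the deck's path)
    v=$(ini_get "${1:-/etc/opt/novell/xad/xad.ini}" XADRETAINPOLICIES | tr 'A-Z' 'a-z')
    case "$v" in
        no)  echo "GPO" ;;
        yes) echo "eDirectory" ;;
        *)   echo "unknown($v)" ;;
    esac
}

# Exit 0 when the crontab listing has an uncommented sysvolsync job whose minute field
# is */30 or 0,30 (every 30 minutes; assumed forms of the wizard's entry), else exit 1.
sysvolsync_cron_ok() {                        # $1 = file holding `crontab -l` output
    grep -v '^[[:space:]]*#' "$1" | grep 'sysvolsync' |
        awk '$1 == "*/30" || $1 == "0,30" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# --- constructed demo inputs (stand-ins for the real server files) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/xad.ini" <<'EOF'
# constructed sample of /etc/opt/novell/xad/xad.ini
XADRETAINPOLICIES = no
EOF
cat > "$demo_dir/crontab.txt" <<'EOF'
# constructed sample of the cron entry the provisioning wizard creates
*/30 * * * * /opt/novell/xad/sbin/sysvolsync
EOF

report() {                                    # $1 = xad.ini, $2 = crontab listing
    echo "password policy source: $(password_policy_source "$1")"
    if sysvolsync_cron_ok "$2"; then
        echo "sysvolsync cron: present, every 30 minutes"
    else
        echo "sysvolsync cron: missing or not on the 30-minute schedule"
    fi
}
report "$demo_dir/xad.ini" "$demo_dir/crontab.txt"
```

On a live DSfW server the two arguments to report would be /etc/opt/novell/xad/xad.ini and the output of crontab -l for the account the wizard installed the job under; the "GPO" result together with a present cron job is exactly the combination that makes iManager-made password policy edits disappear every half hour, which is the situation TID 7005721 addresses by setting the value to yes.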


Troubleshooting Group Policy


● Troubleshoot GPO: TID 7006275
● Verify the DSfW services are running on all domain controllers: xadcntrl validate
● Verify that the time, time zone, and date are correct on the workstation and server, and that time is in sync not only between servers but also between the workstation and the server.
● Perform an eDirectory health check: TID 10060600

Group Policy Objects: Troubleshooting GPOs


● Check that DNS is resolving names properly.
● Run gpupdate /force to ensure the workstation receives any updates to the GPO.
● To do this, open a command prompt (cmd) on the workstation as Administrator.
● Type gpupdate /force and press Enter.
● Run gpresult /z >c:\gpresult.txt to view the complete status of the GPOs and write the output to a file.
● gpresult /v gives verbose output, but not as verbose as /z; /r gives a basic report.
● If there is more than one DC, make sure the PDC is active in the DFS tab before running gpupdate.
● Map a drive to the sysvol and specify the domain. Do not specify the server when mapping the drive.
● Example of mapping a drive to a domain called novell.com: \\novell.com\sysvol
● Right-click the domain folder (in this example, novell.com).
● Select the DFS tab.
● Select PDC and set it as active.

Group Policy Objects: Troubleshooting GPOs


● Run sysvolsync to synchronize the sysvol on the First Domain Controller (ADPH) to the Additional Domain Controllers.
● From the First Domain Controller (ADPH), run gposync.sh and see if any errors are reported. The GUID of each GPO will be displayed.
● Check the permissions for netlogon and sysvol in /etc/samba/smb.conf
● Check that the ACLs are correct for /var/opt/novell/xad/sysvol; see TID 7009748

Group Policy Objects: Troubleshooting GPOs
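The slide above tells you to run sysvolsync so the Additional Domain Controllers carry the same GPO templates as the First Domain Controller, but it does not say how to tell whether that worked. The POSIX shell script below is an added example, not code from the course or from DSfW: it builds a checksum manifest of the sysvol tree on each side and reports which GPO folders differ, which is the check to run after sysvolsync (a client that gets a referral to a stale ADC applies the old template). The two trees, the domain name and the GUIDs are constructed stand-ins, and the Policies/{GUID}/GPT.INI layout inside sysvol is an assumption taken from the usual Group Policy Template structure; on a real server the reference tree is /var/opt/novell/xad/sysvol on the first DC and the replica a copy of the same path fetched from an ADC.

```shell
#!/bin/sh
# Added example, not from the Novell deck: detect drift between the sysvol on the first
# domain controller and the copy that sysvolsync maintains on an additional domain
# controller. A "relative path + checksum" manifest is built for each tree and the
# differences are reported per GPO folder. The trees, domain and GUIDs below are
# constructed stand-ins; the Policies/{GUID}/... layout is an assumption. On a real
# system pass /var/opt/novell/xad/sysvol from the first DC and a copy pulled from an ADC.

# Print "relative-path checksum" for every regular file under $1, sorted by path.
sysvol_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s\n' "${f#./}" "$(cksum < "$f" | cut -d' ' -f1)"
      done )
}

# Compare a reference tree ($1, first DC) with a replica ($2, ADC). Exit 0 when every
# file matches; otherwise print each GPO folder ({GUID} path component, or the first
# path component when there is none) with added, missing or changed files, and exit 1.
sysvol_drift() {
    m1=$(mktemp); m2=$(mktemp)
    sysvol_manifest "$1" > "$m1"
    sysvol_manifest "$2" > "$m2"
    changed=$(diff "$m1" "$m2" | awk '/^[<>] / { print $2 }' |
        awk -F/ '{ name = $1
                   for (i = 1; i <= NF; i++) if ($i ~ /^[{].*[}]$/) { name = $i; break }
                   print name }' | sort -u)
    rm -f "$m1" "$m2"
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# --- constructed demo trees; domain and GUIDs are placeholders, not real GPO ids ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
put() { mkdir -p "$(dirname "$1")" && printf '%s\n' "$2" > "$1"; }   # $1 = file, $2 = content
pdc="$demo/pdc/sysvol"; adc="$demo/adc/sysvol"
gpo1="example.com/Policies/{11111111-2222-3333-4444-555555555555}"
gpo2="example.com/Policies/{66666666-7777-8888-9999-000000000000}"
put "$pdc/$gpo1/GPT.INI"              "[General] Version=3"
put "$pdc/$gpo1/Machine/Registry.pol" "registry settings, version 3"
put "$pdc/$gpo2/GPT.INI"              "[General] Version=1"
put "$adc/$gpo1/GPT.INI"              "[General] Version=2"           # stale copy on the ADC
put "$adc/$gpo1/Machine/Registry.pol" "registry settings, version 2"
put "$adc/$gpo2/GPT.INI"              "[General] Version=1"           # this one is in sync

if out=$(sysvol_drift "$pdc" "$adc"); then
    echo "sysvol in sync"
else
    echo "GPO folders out of sync (run sysvolsync on the first DC and re-check):"
    printf '%s\n' "$out" | sed 's/^/  /'
fi
```

The GUID folder names this prints are the same identifiers gposync.sh displays for each GPO, so the output can be matched directly against that run. Because the manifest covers content rather than timestamps, it also catches the case where sysvolsync copied the files but a later local edit on the ADC diverged from the first DC.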


Group Policy Objects: Troubleshooting GPOs


801.861.7000 (Worldwide)
800.453.1267 (Toll-free)

Corporate Headquarters
1800 South, Novell Place
Provo, Utah 84606

Join us on: www.novell.com


This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Novell, Inc. may make improvements in or changes to the software described in this document at any time. Copyright © 2011 Novell, Inc. All rights reserved. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States. All third-party trademarks are the property of their respective owners.
