Windows Server 2008 : Understanding the Identity Management for UNIX Components

2/8/2011 9:20:13 AM
The goal of Single Sign-On (SSO), in which users on a network log on once and then have access to multiple resources and environments, is still a long way off. It is common for a regular user to maintain and use three or more separate usernames and associated sets of passwords. Windows Server 2008 R2 UNIX Integration goes a long way toward making SSO a reality, however, with the Identity Management for UNIX role service.

Identity Management for UNIX is an additional role service on a Windows Server 2008 R2 machine that includes three major components, as follows:

  • Server for Network Information Services (SNIS)— Server for NIS allows a Windows AD DS environment to integrate directly with a UNIX NIS environment by exporting NIS domain maps to AD entries. This allows an AD domain controller to act as the master NIS server.

  • Password Synchronization— Installing the Password Synchronization role on a server allows for passwords to be changed once, and to have that change propagated to both the UNIX and AD DS environment.

  • Administrative Tools— Installing this role service gives administrators the tools necessary to administer the SNIS and Password Synchronization components.

The Identity Management for UNIX components have some other important prerequisites and limitations that must be taken into account before considering them for use in an environment. These factors include the following:

  • Server for Network Information Services (SNIS) must be installed on an Active Directory domain controller. In addition, all domain controllers in the domain must be running Server for NIS.

  • SNIS must not be subservient to a UNIX NIS server—it can only be subservient to another Windows-based server running Server for NIS. This requirement can be a politically sensitive one and should be broached carefully, as some UNIX administrators will be hesitant to make the Windows-based NIS the primary NIS server.

  • The SNIS authentication component must be installed on all domain controllers in the domain in which security credentials will be utilized.

Installing Identity Management for UNIX Components

To install one or all of the Identity Management for UNIX components on a Windows Server 2008 R2 server, perform the following steps from a domain controller:

1. Open Server Manager (Start, All Programs, Administrative Tools, Server Manager).

2. Expand the Roles node in the tasks pane, and select Active Directory Domain Services.

3. Right-click the Active Directory Domain Services role, and select Add Role Services. Check the box next to Identity Management for UNIX, which should automatically check the remaining boxes as well, as shown in Figure 1. Click Next to continue.

Figure 1. Installing the Identity Management for UNIX components.

4. Review the installation options, and click Install to begin the process.

5. Click Close when complete, and choose Yes to restart the server.

6. After the restart, the server continues its configuration before allowing you to log on. Let it finish and click Close when the process is complete.

Configuring Password Change Capabilities

To enable password change functionality, a connection to a UNIX server must be enabled. To set up this connection, perform the following steps:

1. Open the MMC Admin console (Start, All Programs, Microsoft Identity Management for UNIX, Microsoft Identity Management for UNIX).

2. In the node pane, navigate to Password Synchronization, UNIX-Based Computers.

3. Right-click UNIX-based Computers, and choose Add Computer.

4. Enter a name in the Computer Name text box, and specify whether to sync passwords to and/or from UNIX. Enter the port required for password sync and an encryption key that has been agreed upon with the UNIX server, similar to what is shown in Figure 2. Click OK.

Figure 2. Configuring password sync to UNIX systems.

5. Click OK to confirm the addition of the UNIX system.

Adding NIS Users to Active Directory

For users who want their existing NIS servers to continue to provide authentication for UNIX and Linux servers, the SNIS component might not be the best choice. Instead, there is a package of Korn shell scripts downloadable from that simplifies adding existing NIS users to AD. The getusers.ksh script retrieves a list of all users in a NIS database, including the comment field. This script must be run with an account that has permission to run ypcat passwd. The makeusers.ksh script imports these users into Active Directory and must be run by a user with domain admin privileges. The -e flag enables the accounts; by default, the accounts are created in a disabled state. This is a perfect solution for migrations that will require the existing NIS servers to remain intact indefinitely.
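As an added example (not the getusers.ksh or makeusers.ksh scripts the text refers to), here is a POSIX shell stand-in for the first half of that flow: it parses `ypcat passwd` output into an import list that defaults every account to disabled, the way the text says makeusers.ksh does without -e, and refuses to enable entries that should never land in AD enabled (empty password field, UNIX-locked hash, or UID 0). It assumes the standard seven-field passwd map format; the sample map below is constructed, not taken from a real NIS domain.

```shell
#!/bin/sh
# Added example: a stand-in for what the page says getusers.ksh/makeusers.ksh do,
# not those scripts themselves. It assumes `ypcat passwd` emits standard
# passwd-format lines (name:passwd:uid:gid:gecos:home:shell).
# Output: one CSV line per user, "name,uid,gid,gecos,state", where state is
# "enabled" only when -e is given AND the entry is safe to enable. Entries with
# an empty password field, a UNIX-locked hash (* or !), or UID 0 are always
# emitted as disabled, mirroring the create-disabled default described above.

# Constructed sample of `ypcat passwd` output (not taken from a real NIS domain).
SAMPLE_NIS_PASSWD='alice:x:1001:100:Alice Example:/home/alice:/bin/ksh
bob::1002:100:Bob NoPassword:/home/bob:/bin/sh
toor:x:0:0:Second UID-0 entry:/:/bin/sh
carol:*:1003:200:Carol Locked:/home/carol:/bin/false
not-a-passwd-line'

# nis_to_import_list [-e]
# Reads passwd-map lines on stdin and writes the import list on stdout.
nis_to_import_list() {
    enable_flag=no
    [ "x$1" = "x-e" ] && enable_flag=yes
    awk -F: -v enable="$enable_flag" '
        NF < 7 { next }        # skip malformed map entries rather than import them
        {
            # Never enable: no password, locked on UNIX, or a root-equivalent UID.
            unsafe = ($2 == "" || $2 ~ /^[*!]/ || $3 == 0)
            state = (enable == "yes" && !unsafe) ? "enabled" : "disabled"
            printf "%s,%s,%s,%s,%s\n", $1, $3, $4, $5, state
        }'
}

# count_enabled: reads import-list lines on stdin, prints how many are enabled.
count_enabled() {
    awk -F, '$NF == "enabled" { n++ } END { print n + 0 }'
}

# Usage: against a live NIS domain this would be `ypcat passwd | nis_to_import_list -e`.
printf '%s\n' "$SAMPLE_NIS_PASSWD" | nis_to_import_list -e
```

Review the disabled rows before anyone enables them in AD; a UID-0 alias or a passwordless entry in the NIS map is a finding in its own right, not just an import detail.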
