In many cases, it might be necessary to integrate many of the components of an existing UNIX implementation with the Exchange 2007 forest. In these cases, Services for UNIX (SFU), a tool most recently provided with Windows Server 2003 R2 Edition, should be examined.
For many years, UNIX and Windows systems were viewed as separate, incompatible environments that were physically, technically, and ideologically different. Over the years, however, organizations found that supporting two completely separate topologies within their environments was inefficient and expensive; a great deal of redundant work was also required to maintain multiple sets of user accounts, passwords, environments, and so on.
Slowly, the means to interoperate between these environments was developed. At first, most of the interoperability tools were written to join UNIX with Windows, as evidenced by Samba, a method for Linux/UNIX platforms to access Windows NT file shares. Microsoft tools always seemed a step behind what was available elsewhere. With the release of the new Services for UNIX tools in Windows Server 2003 R2, Microsoft leapfrogs traditional solutions, like Samba, and becomes the leader for cross-platform integration. Long-awaited functionality such as password synchronization, the capability to run UNIX scripts on Windows, joint security credentials, and so on was presented as viable options and can now be considered as part of a migration to, or an interoperability scenario with, Windows Server 2003.
Understanding the Development of Services for UNIX
Services for UNIX has made large strides in its development. From initial skepticism, the product has developed into a formidable integration and migration utility that allows for a great deal of interenvironment flexibility. The first versions of the software, 1.x and 2.x, were limited in many ways, however. Subsequent updates to the software vastly improved its capabilities and further integrated it with the core operating system.
A watershed moment in the development of Services for UNIX was the introduction of the 3.0 version of the software. This version enhanced support for UNIX through the addition or enhancement of nearly all components. Included with version 3.0 was the Interix product as well, an extension to the POSIX infrastructure of Windows to support UNIX scripting and applications natively on a Windows server.
Then, version 3.5 of SFU was released, which included several functionality improvements over SFU 3.0. The following components and improvements have been made in the 3.5 release:
Greater support for Windows Server 2003 Active Directory authentication
Improved utilities for international language support
Threaded application support in Interix
Significant Interix performance increases of up to 100%
Support for the Volume Shadow Copy Service of Windows Server 2003
Finally, we come to the Windows Server 2003 R2-integrated version of SFU. Besides being slipstreamed directly into the operating system, some functional changes have been made as well. Most important, the structure of SFU has changed considerably. Here is the structure of major improvements for the R2 SFU offering:
Network Information Service (NIS) and Active Directory integration with scripts for populating Active Directory from a NIS database
Extended NIS interoperability, including allowing a Windows Server 2003 R2 system to act as a NIS master in a mixed environment
Network File System (NFS) server functionality expanded to Mac OS X and higher clients
Subsystem for UNIX Applications (SUA) allows POSIX-compliant UNIX applications to be run on Windows Server 2003 R2, including many common UNIX tools and scripts
Easier porting of native UNIX and Linux scripts to the SUA environment
Outlining the Components of Services for UNIX
Services for UNIX is composed of several key components, each of which provides a specific integration task with different UNIX environments. Any or all of these components can be used as part of Services for UNIX as the installation of the suite can be customized, depending on an organization’s needs.
The major components of SFU are as follows:
Each component can be installed separately or multiple components can be installed on a single server as necessary. Components are all available from the Add/Remove Windows Components Wizard in Control Panel. Each component is described in more detail in the following sections.
Detailing the Prerequisites for Services for UNIX
Services for UNIX R2 interoperates with various flavors of UNIX, but was tested and specifically written for use with the following UNIX iterations:
Sun Solaris 7.x, 8.x, 9.x, or 10
Red Hat Linux 8.0 and later
Hewlett-Packard HP-UX 11i
IBM AIX 5L 5.2
Apple Macintosh OS X
Note
SFU is not limited to these versions of Sun Solaris, Red Hat Linux, HP-UX, IBM AIX, and Apple OS X. It actually performs quite well in various other similar versions and implementations of UNIX, Linux, and Mac OS X.
Services for UNIX has some other important prerequisites and limitations that must be taken into account before considering it for use in an environment. These factors include the following:
Server for NIS must be installed on an Active Directory domain controller. In addition, all domain controllers in the domain must be running Server for NIS.
Password synchronization requires installation on domain controllers in each environment.
Server for NIS must not be subservient to a UNIX NIS server—it can only be subservient to another Windows-based SFU server. This requirement can be a politically sensitive one and should be broached carefully, as some UNIX administrators will be hesitant to make the Windows-based NIS the primary NIS server.
The Server for NIS authentication component must be installed on all domain controllers in the domain in which security credentials will be utilized.
Installing Services for UNIX R2
The installation of Services for UNIX for Windows Server 2003 R2 is as simple as adding another Windows component. From Control Panel, go to Add/Remove Programs and then Add/Remove Windows Components. The various parts that make up SFU are all available in their appropriate areas.
Note
You will need the Windows 2003 R2 installation CD to add each of the Services for UNIX components.
The installation of Services for UNIX is straightforward and uses the familiar Microsoft Add/Remove Windows Components Installation Wizard. After the prerequisites have been satisfied and the desired functionality has been identified, you can begin the SFU installation.
To install SFU R2, perform the following steps:
1. Click the Start menu and select Control Panel.
2. Choose Add/Remove Programs.
3. Choose Add/Remove Windows Components in the left column.
4. Select Subsystem for UNIX-based Applications, and then click Next.
5. You are prompted for the location of the CD or another location for the requested files.
6. The setup prompts you to download the Utilities and SDK for UNIX-based Applications. Click Yes to download the package, as illustrated in Figure 1.
Note
The Utilities and SDK for UNIX-based Applications is fairly large, approximately 180MB. You can download this package in advance if desired to speed the installation process. Different packages are available for x86 and AMD architectures.
7. Click Next through the first few screens, and then accept the license agreement.
8. Click the Enable Setuid Behavior for SUA Programs check box, as this is an important function for many UNIX applications. Click the Change the Default Behavior to Case Sensitive check box, as illustrated in Figure 2, if your UNIX environment is case sensitive.
9. Click Finish for both screens and the installation is complete. You will need to reboot for the components to become active.
10. To install the various Active Directory–related components, again go to the Add/Remove Windows Components menu.
11. Select Active Directory Services, and then click Details. Select Identity Management for UNIX, as shown in Figure 3, and then click Details again to drill down to the Identity Management for UNIX (IDMU) options. Select all three options for a full installation.
12. Click Next to begin the installation.
13. You are prompted to locate the requested files on the CD. After installation, click Finish to finish the installation. Finally, reboot for the components to become active.
14. To install the NFS components, again go to the Add/Remove Windows Components menu.
15. The Microsoft Services for NFS are located under Other Network File and Print Services.
16. Select Details under Microsoft Services for NFS, and choose the appropriate options for your installation, as shown in Figure 4.
After being installed, the various functionalities can be tested in a lab environment or deployed into production.
Synchronizing User Information Between AD and UNIX
It might be necessary to maintain and support UNIX accounts and AD/Exchange 2007 mailboxes at the same time. SFU provides for synchronization between these accounts with the username mapping and password synchronization capabilities.
Username Mapping
Username mapping allows specific user accounts in Windows Server 2003 Active Directory to be associated with corresponding UNIX user accounts. In addition to mapping identically named user accounts, username mapping allows for the association of user accounts with different names in each organization. This factor is particularly useful considering the fact that UNIX user accounts are case sensitive, whereas Windows accounts are not.
Username mapping supports the capability to map multiple Windows user accounts to a single user account in UNIX. This capability allows, for example, multiple administrators to map Windows Server 2003 Active Directory accounts with the UNIX root administrator account.
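An added example, not from the original text and not part of SFU: a small audit of a username map for the two properties described above, several Windows accounts sharing the UNIX root account and names that differ only by case. The `DOMAIN\user = unixuser` line format, the account names, and the function names are constructed for illustration and are not SFU's own map format.

```python
from collections import defaultdict

# Constructed sample mappings in a made-up "DOMAIN\user = unixuser" format
# (an assumption for this example, not SFU's own map file format).
SAMPLE_MAP = r"""
CORP\alice = alice
CORP\Bob = bob
CORP\bob = Bob
CORP\adm-carol = root
CORP\adm-dave = root
"""

def parse_map(text):
    """Return (windows_account, unix_account) pairs, skipping blanks and # comments."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        win, sep, unix = line.partition("=")
        if not sep or not win.strip() or not unix.strip():
            raise ValueError(f"malformed mapping line: {line!r}")
        pairs.append((win.strip(), unix.strip()))
    return pairs

def audit(pairs, privileged=("root",)):
    """Report shared privileged mappings and case-related ambiguities."""
    by_unix = defaultdict(set)       # UNIX name (case-sensitive) -> Windows accounts
    by_win = defaultdict(set)        # Windows name (case-folded) -> UNIX accounts
    for win, unix in pairs:
        by_unix[unix].add(win.casefold())
        by_win[win.casefold()].add(unix)
    unix_by_fold = defaultdict(set)  # case-folded UNIX name -> distinct spellings
    for unix in by_unix:
        unix_by_fold[unix.casefold()].add(unix)
    return {
        # Several Windows identities acting as one privileged UNIX account.
        "shared_privileged": {u: sorted(w) for u, w in by_unix.items()
                              if u in privileged and len(w) > 1},
        # One case-insensitive Windows name with several UNIX targets: ambiguous.
        "ambiguous_windows": {w: sorted(u) for w, u in by_win.items() if len(u) > 1},
        # UNIX accounts that differ only by case: distinct on UNIX, easy to confuse.
        "unix_case_variants": sorted(sorted(v) for v in unix_by_fold.values()
                                     if len(v) > 1),
    }

if __name__ == "__main__":
    for finding, detail in audit(parse_map(SAMPLE_MAP)).items():
        print(finding, detail)
```

Every entry under `shared_privileged` is a place where actions taken as root on the UNIX side cannot be tied back to one Windows identity from the map alone, so those mappings are the ones to review first.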
Synchronizing Passwords with IDMU
Going hand in hand with the username mapping service, password synchronization allows for those user accounts that have been mapped to automatically update their passwords between the two environments. This functionality, accessible from the IDMU MMC administration menu, as illustrated in Figure 5, allows users on either side to change their passwords and have the changes reflected on the mapped user accounts in the opposite platform.