Abstract
Server for NIS integrates Windows and Network Information Service (NIS) networks by giving a Windows-based Active Directory domain controller the ability to act as a master NIS server for one or more NIS domains. This document contains step-by-step procedures for setting up Server for NIS on a domain controller.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2005 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Sun, Sun Microsystems, and the Sun Solaris operating system are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Oracle is a registered trademark of Oracle Corporation. Red Hat is a registered trademark of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. 
HP-UX Release 10.20 and later, and HP-UX Release 11.00 and later (in both 32- and 64-bit configurations) on all HP 9000 computers are Open Group UNIX 95 branded products. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Step-by-Step Guide to Setting Up Server for NIS
  In this Guide
  Requirements for Installing Server for NIS
Task 1: Install Server for NIS on a Domain Controller
  Verify that your computer is a domain controller
  Promote your computer to a domain controller
  Install Server for NIS
  Continue with Server for NIS Setup
  See Also
Task 2: Migrate NIS Maps to Active Directory
  Planning for NIS Migration
  Migrate NIS Maps to a Windows-based Server
  Configure UNIX NIS Servers to use Server for NIS as the Master Server
  Creating the Structure of Nonstandard Maps
  Additional Server for NIS Configuration Steps
  See Also
Task 3: Set the Frequency of Map Propagation
  Change the Frequency of Map Updates to UNIX Subordinate NIS servers
  Propagating Maps Immediately
  Completing Server for NIS Configuration
  See Also
Task 4: Set the Encryption Method for NIS Domains
  Setting the Encryption Method for a Domain
  Completing Server for NIS Configuration Tasks
  See Also
In this Guide
Task 1: Install Server for NIS on a Domain Controller
Task 2: Migrate NIS Maps to Active Directory
Task 3: Set the Frequency of Map Propagation
Task 4: Set the Encryption Method for NIS Domains

Server for NIS is not available for installation except on Active Directory domain controllers.
You must install Server for NIS on a partition that is formatted with the NTFS file system. If you are installing Server for NIS as an upgrade to a previous version that was installed on a partition formatted with the FAT file system, you must convert the FAT partition to NTFS before you can perform the upgrade. File system operations on FAT partitions are not supported.
Server for NIS requires 5 MB of free hard disk space. It is recommended that the computer have at least 16 MB of RAM in addition to the recommended minimum configuration for the operating system.
Server for NIS cannot be run from a network server. All files must be installed on the local computer.
Domain controllers and all related topics, in the Active Directory Help before promoting your computer to a domain controller.
1. Click Start, click Run, type dcpromo in the text box, and then click OK. The Active Directory Installation Wizard opens.
2. Click Next.
3. On the Operating System Compatibility page, read the information and then click Next. If this is the first time you have installed Active Directory on a server running Windows Server 2003, click Compatibility Help for more information.
4. On the Domain Controller Type page, click to select one of two options:
   Additional domain controller for an existing domain
      This option requires that you are a member of the Domain Admins group for the target domain. If you choose this option, keep in mind that if Server for NIS is already running as an NIS master server on a domain controller within the existing domain, then Server for NIS must function as an NIS subordinate (also known as slave) server on this computer.
   Domain controller for a new domain
      If you choose this option, you must configure this installation of Server for NIS as the NIS master server, until one or more additional domain controllers are configured within the new domain.
5. Click Next. If you chose Additional domain controller for an existing domain, follow the procedure Create an additional domain controller in the Windows Server 2003 Help, starting with Step 4. If you chose Domain controller for a new domain, go on to the next step in this section.
6. On the Create New Domain page, choose one of the following options:
   Note If you choose to create a new domain, you must configure this installation of Server for NIS as the NIS master server, until one or more additional domain controllers are configured within the new domain.
   Child domain in an existing domain tree
      You must be a member of the Enterprise Admins group to continue with this installation.
   Domain tree in an existing forest
      You must be a member of the Enterprise Admins group to continue with this installation.
   Domain in a new forest
      Creating a new forest requires some advance planning. Before creating a new forest, decide on a practical Domain Name System (DNS) name for this computer, as well as a NetBIOS name. For more information, see Namespace planning for DNS in Windows Server 2003 Help.
1. Click Next.
2. Complete setup using the Windows Server 2003 Help procedure for the domain option you selected in Step 6 of this section.
   If you selected Child domain in an existing domain tree, follow the steps from Step 5 in Create a new child domain.
   If you selected Domain tree in an existing forest, follow the steps from Step 5 in Create a new domain tree.
   If you selected Domain in a new forest, follow the steps from Step 5 in Create a new forest.
3. When you have completed the Active Directory Installation Wizard and successfully configured your domain controller, proceed to Install Server for NIS.
1. Click Start, click Control Panel, and then click Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. When the Windows Components Wizard opens, click to fill the Active Directory Services check box.
4. With Active Directory Services highlighted, click Details.
5. When the Active Directory Services dialog box opens, click to fill the Identity Management for UNIX check box.
6. With Identity Management for UNIX highlighted, click Details.
7. When the Identity Management for UNIX dialog box opens, click to fill the Server for NIS check box. Because Administration Components are required for Server for NIS operation, this item is automatically selected for installation when you select Server for NIS.
8. Click OK. The Windows Components Wizard begins installing the Identity Management for UNIX components you selected.
9. If you are prompted to locate files required for Server for NIS installation, insert the Windows Server 2003 R2 product CD, or browse to the network location of your Windows Server 2003 R2 installation files.
10. If NIS map data compatible with Windows Services for UNIX 3.5 is stored in Active Directory, the Server for NIS installation process automatically migrates the data, and uses it to populate Server for NIS maps.
11. When installation completes, restart your computer to begin working with Server for NIS.
Note The unattended answer file is a plain text file that Windows Server uses to respond to prompts about your installation preferences. For more information about unattended installations, see Unattended Installation Fundamentals in the Windows Server 2003 Deployment Guide.
   [Components]
   Snis=on
   Psync=on
   Idmumgmt=on
2. At a command prompt, type the following, and press Enter.
   sysocmgr /i:%windir%\inf\sysoc.inf /u:<answerfile.txt> /q
See Also
Checklist: Installing a domain controller
Installing and uninstalling Server for NIS
How Unattended Installation Works
Unattended Installation Fundamentals

Migrate NIS Maps to a Windows-based Server
Configure UNIX NIS Servers to use Server for NIS as the Master Server
Creating the Structure of Nonstandard Maps
Additional Server for NIS Configuration Steps
Server for NIS includes a command-line tool called nis2ad to migrate maps from UNIX-based NIS servers to Active Directory-based Server for NIS.
Using the Windows interface
Server for NIS includes a migration wizard that extracts the information necessary to perform the migration. Even when using the migration wizard, however, you must complete steps 2 and 3, which follow. The migration wizard and the nis2ad command read map data from NIS map source files, which are the plain text files from which the NIS map databases are compiled. These source files must be stored in a location that can be accessed by the domain controller during migration, such as on a disk on the domain controller or in a shared directory accessible by the domain controller. If the map you want to migrate is a nonstandard NIS map, create the structure using the procedure Creating the Structure of Nonstandard Maps below.
2. Configure UNIX NIS Servers to Use Server for NIS as the Master Server. After the migration, the original UNIX-based NIS server must send an update of maps to all subordinate NIS servers, with the name of the new master server in the maps.
3. Disable the original NIS server. UNIX-based subordinate NIS servers can continue to work as before; however, they will receive map updates from the Windows-based computer running Server for NIS instead of the UNIX-based computer. Client computers running UNIX-based operating systems can be configured to get NIS maps or data from the new master server.
4. Follow the step-by-step directions in the wizard.
Note Password file entries with names longer than eight characters will not be migrated.
Windows user accounts created as a result of the migration are disabled. After performing the migration, you must enable the accounts. For security reasons, it is recommended that you assign a temporary password to these accounts and instruct the affected users to change their Windows password as soon as possible.
2. At a command prompt, type:
   nis2ad -y UNIXNISDomain -a ActiveDirectoryNISDomain [Options] MapfileToMigrate

The following arguments are required:

Argument                       Description
-y UNIXNISDomain               Specifies the name of the NIS domain that contains the map to migrate.
-a ActiveDirectoryNISDomain    Specifies the NIS domain name in Active Directory.
MapfileToMigrate               Specifies the name of the NIS map source file to migrate. NIS map source files are the plain text files from which the NIS map databases are compiled.

Option                         Description
-m                             Perform the migration. If this option is omitted, the program finds and reports conflicts but does not actually perform the migration.
-c FileName                    Specifies the file where conflict details are written. Uses a default file (%windir%\idmu\nis\conflicts.log) if not specified.
-t TargetContainer             Specifies the target container name. Applicable only when creating a new NIS domain. If not specified, uses the default or uses the container of the target domain.
-f FileName                    Specifies the name of the log file. If not specified, nis2ad uses a default file (%windir%\idmu\nis2ad.log).
-r yes|no                      Replace object in Active Directory with object being migrated. Default is no.
-n                             Resolves conflicts by changing the Windows account name in Active Directory. If objects of different types have the same name, the names of both objects are changed before the data is migrated. If needed and if not specified, the user will be prompted.
                               Specifies the path of the directory that contains NIS map source files.
                               Specifies the domain controller server hosting Active Directory. Otherwise use the current server.
-u User                        Specifies the name of the user having administrator privileges on this computer. If not specified, nis2ad uses the current user. Even if you specify another user by using the -u option, the currently logged-on user must have write permissions for the folder that will contain the log and conflict files. If necessary, modify the permissions on the folder to grant write access to the user who will be running the nis2ad utility, before running the utility.
Note To view the complete syntax for this command, at a command prompt, type nis2ad /?
You can migrate only one map at a time using nis2ad. To migrate more than one map at a time, use the NIS Data Migration Wizard.
Password file entries with names longer than eight characters will not be migrated.
Windows user accounts created as a result of the migration will be disabled. After performing the migration, you must enable the accounts. For security reasons, it is recommended that you assign a temporary password to these accounts and instruct the affected users to change their Windows password as soon as possible.
Configure UNIX NIS Servers to use Server for NIS as the Master Server
To change a UNIX-based NIS server from a master server to a subordinate (also known as slave) server, follow these steps:
1. Migrate NIS maps to a Windows-based computer running Server for NIS.
2. Transfer the maps from the old master server to other subordinate NIS servers by providing the name of the new Server for NIS for each map. At a command prompt, type:
   ypxfr -h newserver mapname
   where newserver is the name of the new NIS master server, and mapname is the name of the map to be transferred.
3. Run this command for each map on each of the subordinate servers. After this step, the UNIX subordinate servers will recognize the new Server for NIS master server.
4. Follow the step-by-step directions in the wizard.
5. On the NIS Map Selection panel, click New.
6. In the Add Nonstandard Map dialog box, do the following:
   In the Map name string box, enter the name of the existing nonstandard map you want to migrate to Server for NIS. The map migration process assigns the same name to a new file containing your map structure.
   In the Separator string box, type the single character you want to use to delimit or separate fields in your map structure. Suggested characters include a semicolon (;) or a dash (-).
   In the Key field string box, type the number of the column you want to use as the map key. Use Arabic numeral characters; do not spell out the number.
   Click Next.
7. In the Location of UNIX NIS Map Source Files window, enter the directory path name in which the map file you created in Step 6 is located, and then click Next.
8. Click Finish to start migrating map data from the existing nonstandard map to the new map file.
Note Password file entries with names longer than eight characters will not be migrated.
Windows user accounts created as a result of the migration are disabled. After performing the migration, you must enable the accounts. For security reasons, it is recommended that you assign a temporary password to these accounts and instruct the affected users to change their Windows password as soon as possible.
Note Do not use the hash character (#) as a field separator because this character is used in standard maps to mark the beginning of a comment.

The following table shows the acceptable arguments for the nismap create command.

Argument       Description
fieldNumber    The number of the field that contains the key to the map.
"separator"    The character used to separate fields, in quotation marks. To specify a space as a separator, enclose the space in double quotation marks (" "). For example: nismap create -i 1 -g " " Phones creates a map called Phones in which the key field is the first field and the separator character is a space. Other white-space characters, such as tab, are also accepted.
mapName        The name of the map.
Note To view the complete syntax for this command, at a command prompt, type: nismap /?
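A nonstandard map is defined only by its separator character and key field number, so it is worth checking the map source file against both before creating the map structure. The following Python script is an added example, not part of the original guide or of Server for NIS: the sample Phones data is constructed, the function name and problem labels are hypothetical, and treating the most common field count as the intended structure is an assumption of the example.

```python
from collections import Counter

# Constructed sample source for a nonstandard map named Phones (not real data).
SAMPLE_PHONES = """\
# name;extension;location
alice;555-0100;Building 1
bob;555-0101;Building 2
alice;555-0199;Building 3
carol;555-0102
"""


def check_map_source(text, separator, key_field):
    """Return (records, problems) for a nonstandard map source file.

    separator: single delimiter character, as typed in the Separator box.
    key_field: 1-based column number of the map key, as in the Key field box.
    """
    if len(separator) != 1:
        raise ValueError("separator must be a single character")
    if separator == "#":
        raise ValueError("'#' marks the beginning of a comment in standard maps")
    if key_field < 1:
        raise ValueError("key field numbers start at 1")

    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment line
        rows.append((lineno, line.split(separator)))

    records, problems = {}, []
    if not rows:
        return records, problems

    # Assumption: the most common field count is the intended map structure.
    expected = Counter(len(fields) for _, fields in rows).most_common(1)[0][0]
    for lineno, fields in rows:
        if len(fields) != expected:
            # Often a separator that also occurs inside the data, or a short line.
            problems.append((lineno, "field_count"))
        elif key_field > expected or not fields[key_field - 1].strip():
            problems.append((lineno, "missing_key"))
        elif fields[key_field - 1] in records:
            problems.append((lineno, "duplicate_key"))
        else:
            records[fields[key_field - 1]] = fields
    return records, problems


if __name__ == "__main__":
    recs, probs = check_map_source(SAMPLE_PHONES, ";", 1)
    print("keys:", sorted(recs))
    print("problems:", probs)
```
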
See Also
Migrating NIS to Active Directory
Migrating standard and nonstandard maps
Remove a nonstandard NIS map
Internet Engineering Task Force Web site
2. If necessary, connect to the computer you want to manage by right-clicking the Identity Management for UNIX node in the hierarchy pane, and then clicking Connect to another computer. Otherwise, go on to the next step.
3. Click Server for NIS in the hierarchy pane.
4. Open Map Updates by doing one of the following:
   Right-click the Server for NIS node, and then click Map Updates.
   With the Server for NIS node highlighted, click Map Updates in the Actions pane.
5. In the Server for NIS Properties dialog box, type the number of days, hours and minutes you want to lapse between map updates.
6. Click OK to save your changes.
2. At a command prompt, type:
   nisadmin config pushint=[[days:]hh:]mm [-s Server] [-u User] [-p Password]

The following table contains the arguments for the nisadmin command.

Argument          Description
[[days:]hh:]mm    Specifies the interval at which the service checks changes to NIS maps in Active Directory and propagates them to secondary NIS servers for all domains, in days, hours, and minutes. If hh is specified, hh must be in the range 0-23 and mm must be in the range 0-59.
Server            The master server for the domain.
User              The name of the user who has administrative privileges on the server to be started, if different from the current user.
Password          The password of the user who has administrative privileges on the server to be started, if different from the current user. If you type a user name but omit the password, you will be prompted for the password.
Note To view the complete syntax for this command, at a command prompt, type: nisadmin /?
2. If necessary, connect to the computer you want to manage by right-clicking the Identity Management for UNIX node in the hierarchy pane, and then clicking Connect to another computer. Otherwise, go on to step 3.
3. Click Server for NIS in the hierarchy pane.
4. Click Check for updates now.
2. At a command prompt, type:
   nisadmin [server] syncall [-u user [-p password]]

The following arguments are acceptable with the nisadmin syncall command.

Argument    Description
syncall     Propagate all maps.
server      The name of the server where the maps are stored.
user        The name of the user who has administrator permissions on the server, if different from the current user.
password    The password of the user who has administrator permissions on the server, if different from the current user. If you type a user name but omit the password, you will be prompted for the password.
Note The nisadmin syncall command propagates maps only on UNIX-based NIS subordinate servers. It does not propagate maps on NIS subordinate servers running Windows operating systems. Active Directory updates Windows-based NIS subordinate servers.
To view the complete syntax for this command, at a command prompt, type: nisadmin /?
2. On the Identity Management for UNIX dialog box, click Yes to begin map propagation.
Click Start, and then click Command Prompt on the Start menu.
Click Start, click Run, type cmd into the Open text box, and click OK.
2. At a command prompt, type:
   yppush [-d ActiveDirectoryNISDomain] [-q] [-t Timeout] [-h Hosts] MapName

The following table shows the arguments accepted by the yppush command.

Argument                       Description
-d ActiveDirectoryNISDomain    NIS domain name in Active Directory.
-q                             Quiet mode. Do not wait for response from subordinate (slave) servers and do not report errors.
-t Timeout                     The number of seconds to wait for a response from the subordinate server before sending the next request. Must be greater than zero. The default value is 30.
-h Hosts                       The hosts to notify of changes. Default is all subordinate servers in the domain. Can be used multiple times for more than one computer.
MapName                        The name of the NIS map to be transferred.
Note The yppush command propagates maps only on UNIX-based NIS subordinate servers. It does not propagate maps on NIS subordinate servers running Windows operating systems. Active Directory updates Windows-based NIS subordinate servers. To view the complete syntax for this command, at a command prompt type: yppush /?
See Also
Sending periodic map updates to subordinate (slave) NIS servers
Change the frequency of map updates to UNIX subordinate (slave) NIS servers
Manage NIS Maps
6. In the Encryption Scheme area, click the drop-down menu to select the encryption method used by all UNIX computers in the domain.
Note You can select the MD5 encryption method for a UNIX domain that consists exclusively of computers running Linux and using MD5 encryption. Domains that contain one or more computers using the crypt algorithm or that run any other operating system must use crypt. Although Linux versions 6.2 and later support MD5 encryption, Identity Management for UNIX is not supported for versions of Linux prior to version 8.
2. At a command prompt, type:
   nisadmin [computer] encryptiontype -d domain {crypt | md5} [-u usr [-p pword]]

Argument    Description
computer    Specifies the remote computer you want to administer. You can specify the computer using a WINS or DNS name, or by Internet Protocol (IP) address.
domain      Specifies the name of the domain for which the change is being made.
usr         Specifies the user name of the user whose credentials are to be used. It might be necessary to add the domain name to the user name in the form domain\username.
pword       Specifies the password of the user specified using the -u option. If you specify the -u option but omit the -p option, you are prompted for the user's password.
Note To view the complete syntax for this command, at a command prompt, type: nisadmin /? You can select the MD5 encryption method for a UNIX domain that consists exclusively of computers running Linux and using MD5 encryption. Domains that contain one or more computers using crypt or that run any other operating system must use crypt. Although Linux versions 6.2 and later support MD5 encryption, Identity Management for UNIX is not supported for versions of Linux prior to version 8.
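Two constraints in this guide can be checked against the passwd map source file before migrating: the migration notes say that password file entries with names longer than eight characters are not migrated, and the encryption notes say that MD5 may be selected only when every computer in the domain uses MD5. The following Python script is an added example, not part of the original guide or of Server for NIS. The sample entries are constructed, the function names are hypothetical, and the script assumes the usual conventions that an MD5 hash begins with $1$ and a crypt hash is a 13-character field; it inspects only the hashes in the file and cannot tell which operating systems the computers run.

```python
import re
from collections import Counter

# Constructed sample passwd map source (invented accounts and hashes).
SAMPLE_PASSWD = """\
# passwd map source copied from the UNIX NIS master
alice:$1$Q9x2LmTa$0hJk3uYt7WqZr5VbN8sPe1:1001:100:Alice:/home/alice:/bin/sh
bob:ab3dEfGh1JkLm:1002:100:Bob:/home/bob:/bin/sh
christopher:$1$aB3dE6gH$Zx9cV8bN7mQ1wE2rT3yU4/:1003:100:Chris:/home/chris:/bin/sh
svc:*:1004:100:Service:/nonexistent:/bin/false
broken-line-without-fields
"""

MAX_NAME_LEN = 8  # per the guide, longer names are not migrated
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt hash


def classify_hash(field):
    """Classify the password field of one passwd entry."""
    if field.startswith("$1$"):
        return "md5"
    if DES_CRYPT.match(field):
        return "crypt"
    return "none"  # locked, empty, shadowed, or another scheme


def audit_passwd(text):
    """Collect names that will be skipped, malformed lines, and hash schemes."""
    report = {"too_long": [], "malformed": [], "schemes": Counter()}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            report["malformed"].append(lineno)
            continue
        name, password = fields[0], fields[1]
        if len(name) > MAX_NAME_LEN:
            report["too_long"].append(name)
        report["schemes"][classify_hash(password)] += 1
    return report


def encryption_candidate(report):
    """md5 only if MD5 hashes are present and no crypt hash is; else crypt."""
    schemes = report["schemes"]
    if schemes["md5"] and not schemes["crypt"]:
        return "md5"
    return "crypt"


if __name__ == "__main__":
    result = audit_passwd(SAMPLE_PASSWD)
    print("names that will not be migrated:", result["too_long"])
    print("malformed lines:", result["malformed"])
    print("hash schemes seen:", dict(result["schemes"]))
    print("encryption type to set:", encryption_candidate(result))
```
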
See Also
Password encryption
Set the encryption method for a domain