Saturday, 21 December 2013

Installing and configuring Microsoft Active Directory

If you want to use Microsoft(R) Active Directory as your directory server, follow the instructions in this section to ensure that it is installed and configured to meet requirements for use with Tivoli(R) Provisioning Manager.
After you have installed and configured Microsoft Active Directory, you must follow the steps in Configuring a read-only directory server to set it up as a read-only directory server for Tivoli Provisioning Manager.

Requirements

Ensure that the computer meets the hardware and software requirements for Microsoft Active Directory on Windows(R) 2003. Requirements for use with Tivoli Provisioning Manager include:
  • Microsoft Active Directory must be installed on a separate computer.
  • The latest Windows 2003 service pack is installed.
  • The primary network card has a static IP address. This setting is required for the DNS and Active Directory subsystems.
    1. Click Start > Control Panel > Network Connections.
    2. Right-click on the connection that represents your primary network adapter and click Properties.
    3. Select Internet Protocol (TCP/IP), and click Properties.
    4. Ensure that Use the following IP address is selected and enter the IP address and subnet mask for the server. Add a gateway if required.
    5. Enter the IP address of the server in the Preferred DNS server field.
  • Install and configure DNS. If it is not currently installed, perform the following steps:
    1. In the Windows Control Panel, double-click Add or Remove Programs and then click Add/Remove Windows Components.
    2. Click Networking Services in the list of components, but do not select the check box if it was not already selected. Click Details and select the Domain Name System check box.
    3. Click OK and then Next and complete the installation of DNS.

Installing Microsoft Active Directory

To Install Microsoft Active Directory:
  1. Ensure that you log on to the computer with an administrator account to perform installation.
  2. Click Start > Administrative Tools > Configure Your Server Wizard, or run dcpromo from a command prompt; both open the Active Directory Installation Wizard.
  3. In the Welcome page, click Next.
  4. In the Operating system compatibility panel, click Next.
  5. On the Domain Controller Type panel, select Domain controller for a new domain and click Next.
  6. On the Create New Domain panel, select Domain in a new forest and click Next.
  7. On the New Domain Name panel, enter the DNS suffix for your new Active Directory. This name will be used during Tivoli Provisioning Manager installation, so make a note of it. Click Next.
  8. On the NetBIOS Domain Name panel, enter the NetBIOS name of the domain. The first part of the DNS name is usually sufficient. Click Next.
  9. On the Database and Logs panel, select the desired folders for the Database and Logs. C:\Windows\NTDS is the default. Click Next.
  10. On the Shared System Volume panel, enter a valid directory for the system volume. C:\Windows\Sysvol is the default. Click Next to continue.
  11. If you configured DNS successfully, the Permissions setting panel is displayed. Select Permissions compatible only with Windows 2000 or Windows Server 2003. Click Next.
  12. On the Directory Services Restore Mode Administrator Password panel, enter a valid password to be used when running the Directory Services in Restore Mode. Choose it as carefully as the domain Administrator password: it gives offline access to the directory database. Click Next.
  13. Verify the settings and click Next to begin the Active Directory configuration. The server will be rebooted as part of the process.
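The wizard steps above can also be run unattended with dcpromo /answer:<file>. The following script, added here as an example and not part of the Tivoli or Microsoft documentation, generates such an answer file from the same choices (domain controller for a new domain in a new forest, NetBIOS name defaulting to the first DNS label, the default database, log and SYSVOL paths, permissions compatible only with Windows 2000 and Windows Server 2003) and validates the names the way the wizard panels do. The [DCInstall] key names are the ones I recall from the Windows Server 2003 unattended dcpromo format; treat them as an assumption and confirm them against the dcpromo documentation for your service-pack level.

```python
import re

# Added example, not part of the Tivoli documentation: builds a dcpromo answer
# file for the "new domain in a new forest" choices made in the wizard steps.
# The [DCInstall] key names are an assumption (recalled from the Windows Server
# 2003 unattended dcpromo format); verify them before relying on them.

_DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def default_netbios_name(dns_name):
    """The wizard's default: the first DNS label, upper-cased, cut to the
    15-character NetBIOS limit."""
    return dns_name.split(".")[0].upper()[:15]


def dcpromo_answer_file(dns_name, dsrm_password, netbios_name=None,
                        database_path=r"C:\Windows\NTDS",
                        log_path=r"C:\Windows\NTDS",
                        sysvol_path=r"C:\Windows\Sysvol"):
    """Return the text of an answer file for: dcpromo /answer:<file>

    dns_name      -- DNS name of the new forest root domain (step 7)
    dsrm_password -- Directory Services Restore Mode password (step 12)
    netbios_name  -- NetBIOS domain name (step 8); defaults as the wizard does
    """
    labels = dns_name.split(".")
    if len(labels) < 2 or not all(_DNS_LABEL.match(label) for label in labels):
        raise ValueError(f"{dns_name!r} is not a valid multi-label DNS domain name")
    netbios_name = netbios_name or default_netbios_name(dns_name)
    if not 1 <= len(netbios_name) <= 15 or "." in netbios_name:
        raise ValueError(f"{netbios_name!r} is not a valid NetBIOS domain name")
    if not dsrm_password:
        raise ValueError("a Directory Services Restore Mode password is required")
    lines = [
        "[DCInstall]",
        "ReplicaOrNewDomain=Domain",    # step 5: domain controller for a new domain
        "NewDomain=Forest",             # step 6: domain in a new forest
        f"NewDomainDNSName={dns_name}",
        f"DomainNetbiosName={netbios_name}",
        f"DatabasePath={database_path}",   # step 9
        f"LogPath={log_path}",
        f"SYSVOLPath={sysvol_path}",       # step 10
        "AllowAnonymousAccess=No",      # step 11: permissions compatible only with Windows 2000/2003
        f"SafeModeAdminPassword={dsrm_password}",
        "RebootOnSuccess=Yes",          # step 13
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(dcpromo_answer_file("mydomain.mycompany.com", "Change-Me-Restore-1"))
```

The generated file carries the restore-mode password in clear text, so keep it off shared volumes and delete it as soon as the promotion has completed.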

Microsoft Active Directory configuration

This section explains how to configure Microsoft Active Directory after installation.

Installing and configuring LDAP Schema Editor

Ensure that the latest version of the Windows LDAP Schema Editor (the Active Directory Schema MMC snap-in, schmmgmt.dll) is installed. It ships in the Windows Server 2003 Administration Tools Pack (adminpak.msi), which Windows 2003 Service Pack 1 updates. This tool is needed to extend the Active Directory schema. It is not installed by default.
  • If you installed the schema editor before applying the service pack, it is automatically updated when you apply the service pack.
  • If the service pack is already installed, the best way to install the schema editor is to locate the file adminpak.msi in the folder where the service pack files are extracted.
To install the schema editor:
  1. In the C:\WINDOWS\ServicePackFiles\i386 directory, run adminpak.msi.
  2. In the Welcome page, click Next.
  3. Click Finish to complete the installation.
  4. Once installed, the Active Directory Schema snap-in cannot be added to a console until its DLL has been registered. Open a command window and run the following command:
    regsvr32 schmmgmt.dll
  5. To make the Schema Editor visible to Windows tools it is necessary to add it as a snap-in to the Microsoft Management Console:
    1. Run the following command to start the console:
      mmc /a
    2. Click File > Add/Remove Snap-in.
    3. On the Standalone tab, click Add. The Add Standalone Snap-in window is displayed.
    4. In the Add Standalone Snap-in window, select Active Directory Schema and click Add.
    5. Click Close.
    6. In the Add/Remove Snap-in window, click OK. The Active Directory Schema snap-in is added.
    7. Save the MMC snap-in as schmmgmt.msc in the C:\Windows\System32 directory.
    8. Create a shortcut to the schema editor for future use. Navigate to C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools. Right-click and click New and then Shortcut. Locate the schmmgmt.msc file and follow the prompts to create the shortcut.
  6. Make the Active Directory schema writable and check the Operations Master.
    1. Open the schema editor using the shortcut you created.
    2. Right-click Active Directory Schema and click Operations Master.
    3. In the Change Schema Master window, confirm that the schema master is the domain controller you are working on (in a new forest with a single domain controller it always is) and click Close.
    4. Right-click Active Directory Schema and click Permissions.
    5. Give the Administrators, Enterprise Domain Controllers, Schema Admins and System groups Full Control.

Change the operating system domain

Raise the domain functional level to Windows Server 2003 (the equivalent of switching to native mode in Windows 2000 terms). Raising the level cannot be undone, and it requires every domain controller in the domain to run Windows Server 2003, which is the case for the single new domain controller installed above.
  1. Click Start > Programs > Administrative Tools > Active Directory Domains and Trusts.
  2. Right-click the domain for which you want to add the functionality and then click Raise Domain Functional Level.
  3. In Select an available domain functional level, click Windows Server 2003, and then click Raise.
    Note:
    The current domain functional level is displayed under Current domain functional level in the Raise Domain Functional Level dialog box.

Configuring the LDAP suffix and importing data

If you are not familiar with installing and configuring a directory server, you can use sample data to set up a test directory server. The sample data sets up a base DN and required users.
The LDAP suffix, or base DN, defines the location where the user information is held. When you import the sample data, the base DN OU=TIO,DC=MYCOMPANY,DC=com is created. There are three required users for Tivoli Provisioning Manager. The following two of them are configured in the sample data that you will import:
wasadmin
The WebSphere(R) Application Server administrator user. This user will replace tioadmin as the WebSphere Application Server administrator when you configure Tivoli Provisioning Manager to use the directory server.
tioappadmin
The administrator for the Tivoli Provisioning Manager Web interface. This user will replace the currently configured Web interface administrator. The default user name after a fresh installation is admin.
To import data:
  1. On the Microsoft Active Directory server, log on as Administrator.
  2. Extract the contents of Tivoli Provisioning Manager Disk 2 to a temporary directory. In these instructions, the directory C:\temp\disk2 is used.
  3. Change to the C:\temp\disk2\tools\ldap\msad directory.
  4. Import the sample data with the following command:
    ldifde -v -i -f tiodata.ldif -s hostname -c "DC=MYCOMPANY,DC=COM" "base_DN" -t 636
    hostname
    The host name of the Active Directory server.
    base_DN
    The base DN of your domain in LDAP form. For example, the domain Mydomain.Mycompany.com has the base DN DC=Mydomain,DC=Mycompany,DC=com.
    The -c option replaces every occurrence of the sample base DN DC=MYCOMPANY,DC=COM in the file with your base DN, so the OU=TIO container and its users are created under your domain. The -t 636 option directs ldifde to the LDAP over SSL port, which the domain controller only serves once it has a server certificate (see Obtaining an SSL certificate below); if you run the import before the certificate is in place, omit -t 636 to use the default port 389.
    Example:
    ldifde -v -i -f tiodata.ldif -s msadserver -c "DC=MYCOMPANY,DC=COM" "DC=Mydomain,DC=Mycompany,DC=com" -t 636
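What the -c option does to the file, and a way to confirm that the two required users will land under the right base DN before running ldifde against the live directory, as an added example that is not part of the Tivoli documentation. The LDIF sample inside the script is constructed to match the structure described above (an OU=TIO container holding the wasadmin and tioappadmin users); it is not the tiodata.ldif from Disk 2. Run rewrite_base_dn over the real file and read the result before importing it.

```python
import base64
import re

# Constructed sample in the shape the text describes (OU=TIO base DN plus the
# wasadmin and tioappadmin users). It is not the real tiodata.ldif from Disk 2.
# Note the sample uses DC=com while the -c option is typed as DC=COM.
SAMPLE_LDIF = """\
dn: OU=TIO,DC=MYCOMPANY,DC=com
changetype: add
objectClass: organizationalUnit
ou: TIO

dn: CN=wasadmin,OU=TIO,DC=MYCOMPANY,DC=com
changetype: add
objectClass: user
cn: wasadmin
sAMAccountName: wasadmin
description: WebSphere Application Server
  administrator (folded onto a continuation line)

dn: CN=tioappadmin,OU=TIO,DC=MYCOMPANY,DC=com
changetype: add
objectClass: user
cn: tioappadmin
sAMAccountName: tioappadmin
"""


def rewrite_base_dn(ldif_text, from_dn, to_dn):
    """Mirror ldifde -c FromDN ToDN: replace every occurrence of from_dn with
    to_dn. DNs compare case-insensitively, so the match ignores case too."""
    return re.sub(re.escape(from_dn), lambda _m: to_dn, ldif_text,
                  flags=re.IGNORECASE)


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attribute: [values]}). Lines starting
    with a space continue the previous line; 'attr:: value' is base64."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():            # blank line ends the entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError(f"attribute {attr!r} appears before any dn:")
        else:
            current[1].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def missing_required_users(entries, base_dn, required=("wasadmin", "tioappadmin")):
    """Names from `required` that have no entry with a matching sAMAccountName
    under OU=TIO,<base_dn>; an empty list means the import will create them."""
    container = f"OU=TIO,{base_dn}".lower()
    found = set()
    for dn, attrs in entries:
        if dn.lower().endswith("," + container):
            found.update(name.lower() for name in attrs.get("sAMAccountName", []))
    return [name for name in required if name.lower() not in found]


if __name__ == "__main__":
    new_base = "DC=Mydomain,DC=Mycompany,DC=com"
    rewritten = rewrite_base_dn(SAMPLE_LDIF, "DC=MYCOMPANY,DC=COM", new_base)
    entries = parse_ldif(rewritten)
    print("entries:", [dn for dn, _ in entries])
    print("missing required users:", missing_required_users(entries, new_base))
```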

Obtaining an SSL certificate

To configure an SSL certificate, you must request an SSL certificate and then import it. The following sections provide general steps for setting up SSL. Refer to your Microsoft documentation for details.

  1. Configure the domain controller to automatically issue a certificate to the computer when it logs on. Set the certificate type as Domain Controller.
  2. Install and configure the certificate services:
    1. Click Start > Control Panel > Add/Remove Programs > Add/Remove Windows components
    2. Select Certificate Services and click Next.
    3. Select Enterprise root CA as the CA type and click Next.
    4. Enter the host name in the Common name for this CA field and the elements of the DNS suffix as DC=<element1>,DC=<element2> in the Distinguished name suffix field. For example, DC=tfrench,DC=org. Click Next.
    5. Accept the defaults and click Next. You might get a message that IIS is not installed but you can ignore it.
    6. The server must be rebooted for it to issue a certificate.
  3. Once the server has restarted the Certificate must be exported. To do this:
    1. Go to Administrative Tools > Certification Authority. Expand the server and select Issued Certificates. Select the certificate and double-click it to display it.
    2. Select the Details tab.
    3. Select Copy to File and click OK to start the certificate export dialog.
    4. Click Next to continue.
    5. Select Base-64 encoded X.509 and click Next.
    6. Choose a file name with the .cer suffix such as hostname.cer, and save the certificate.
  4. The certificate must be installed on the Active Directory Server. If Tivoli Provisioning Manager is installed on a separate computer, then it must also be installed on that server.
    1. Locate the certificate file. Double-click it to open it.
    2. Click Install Certificate and accept the default values until the certificate is installed.
    3. If Tivoli Provisioning Manager is on a separate server, copy the certificate to the server. Repeat steps 4a and 4b.
  5. Check that auto-enrollment is enabled.
    1. Open Administrative Tools > Domain Controller Security Policy and select Public Key Policies.
    2. The auto-enrollment settings are in the Public Key Policies section.
    3. Double-click Autoenrollment Settings.
    4. Select Enroll certificates automatically and click OK.
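Two checks worth running once the certificate has been exported and copied, as an added example that is not part of the Tivoli documentation: compare the SHA-1 thumbprint of the .cer file on each server with the Thumbprint field on the certificate's Details tab, to be sure the copy is intact, and open a verified TLS connection to the domain controller's LDAP over SSL port to confirm that the certificate chain and host name will satisfy a client such as Tivoli Provisioning Manager. The host name msadserver.mydomain.mycompany.com and the file name msadserver.cer are placeholders, and SAMPLE_PEM is a constructed DER blob used for the offline checks, not a real certificate.

```python
import base64
import hashlib
import socket
import ssl

# Added example, not from the Tivoli documentation. It assumes the Base-64 .cer
# exported above is on disk and that the domain controller answers LDAP over SSL
# on port 636. SAMPLE_PEM is a constructed DER SEQUENCE, not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAYCAQECAQI=\n"          # SEQUENCE { INTEGER 1, INTEGER 2 }, 8 bytes
    "-----END CERTIFICATE-----\n"
)


def der_from_pem(pem_text):
    """Decode a Base-64 encoded X.509 (.cer) file to DER and check that it is
    one complete DER SEQUENCE, which every X.509 certificate is."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(body)
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER-encoded certificate (outer SEQUENCE tag missing)")
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long-form length: 0x8n, then n length bytes
        n = first & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length does not match file size; export truncated or corrupt")
    return der


def thumbprint_from_pem(pem_text):
    """SHA-1 over the DER bytes: the value Windows shows as Thumbprint on the
    certificate's Details tab. Compare it on both servers after copying."""
    return hashlib.sha1(der_from_pem(pem_text)).hexdigest()


def thumbprint(cer_path):
    with open(cer_path, "r", encoding="ascii") as f:
        return thumbprint_from_pem(f.read())


def check_ldaps(host, ca_cer_path, port=636, timeout=5.0):
    """Connect to the domain controller's LDAPS port and let the TLS layer
    verify that the server certificate chains to the CA certificate in
    ca_cer_path and names `host`. Returns the server certificate's subject;
    raises ssl.SSLCertVerificationError if the chain or name check fails."""
    ctx = ssl.create_default_context(cafile=ca_cer_path)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {key: value for rdn in cert["subject"] for key, value in rdn}


if __name__ == "__main__":
    print("sample thumbprint:", thumbprint_from_pem(SAMPLE_PEM))
    # Against a live domain controller (placeholder names):
    # print(check_ldaps("msadserver.mydomain.mycompany.com", "msadserver.cer"))
```

For check_ldaps the file passed as ca_cer_path must contain the trust anchor of the chain, that is, the enterprise root CA's own certificate; the certificate exported from Issued Certificates is the domain controller's certificate, which is what the server presents, not what a client verifies it against. Pass the domain controller's fully qualified DNS name as host, because that is the name in the certificate issued from the Domain Controller template.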
