
Domain Services for Windows Install
Windows Interoperability

Agenda

• What is Domain Services for Windows (DSfW)?


• Brief Overview of AD
• Features in DSfW
• Deployment Options
• Future Enhancements
• Installing DSfW
• Demonstration

2 © Novell, Inc. All rights reserved.


What is Domain Services for Windows?

• Domain Services for Windows (DSfW) is a suite of technologies
• Provides AD forest and domain infrastructure
• Provides AD style authentication to users and applications
• eDirectory users can access AD resources and applications once a cross forest trust is in place
• Seamless access to OES services such as file and print services on NSS or POSIX file systems



What is Domain Services for Windows? (continued)

• Clientless authentication (no Novell Client needed on the workstation)
• Choice of administration tools
• Supports Group Policies
• Has a sysvol with the same structure as an AD server
• Can execute VBScript or .bat logon scripts just like AD
• Supports roaming profiles
• Supports the Kerberos and NTLM authentication protocols



DSfW: What Does It Achieve?

[Diagram: an eDirectory tree holding a DSfW domain with child domains, eDir servers and DSfW servers, joined by a cross forest trust to an Active Directory forest. Callouts: user management (iManager, MMC), clientless access, AD style authentication, Windows user applications, a Windows member server and an eDirectory user.]


What DSfW can resolve

[Same diagram as the previous slide.]
A Brief Overview of AD

• Security boundary is a “domain”
– Domain ≈ eDirectory partition(s)
• Domains are contained in a “forest”
– Forest ≈ eDirectory tree
– Transitive trust (shared secret) between domains
• Native security model is based on shared secrets
– Domain controller holds all users’ keys
– Authentication is challenge-response (NTLM, Digest) or Needham-Schroeder style (Kerberos)



Brief Overview of AD (cont.)

• Users and groups are identified by a “SID”
– Random domain-specific prefix
– Integer suffix, or “relative ID” (RID, like a UID or GID)
• Member server: cannot authenticate users (relies on a DC)
• Domain Controller: authentication server
– PDC (NT) ≈ FSMO / Operations Master roles (AD)
– ADC or Additional Domain Controller
• Group Policy Object (GPO)
• Global Catalog
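As an added example (not from the Novell deck), the Python below parses and composes SIDs in the form the slide describes: the string `S-1-5-21-<a>-<b>-<c>-<rid>` and the binary form stored in `objectSid`, split into the domain prefix and the RID, with the well-known RIDs (500 Administrator, 512 Domain Admins, and so on) flagged because they are the first thing a reviewer of any AD-style domain, DSfW included, checks. The sample SID values are constructed for the example.

```python
"""Added example: parsing and composing Windows security identifiers (SIDs).

A SID reads S-<revision>-<identifier authority>-<sub-authorities...>.
For a domain account the prefix S-1-5-21-<a>-<b>-<c> is the domain SID
(the three 32-bit values are picked when the domain is created) and the
final sub-authority is the relative ID (RID) of the user or group.
"""
import struct

# Well-known RIDs present in every domain (values from Microsoft's
# well-known SID documentation).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def sid_to_bytes(sid: str) -> bytes:
    """Encode the string form into the binary layout used on the wire and
    in objectSid: revision (1 byte), sub-authority count (1 byte),
    identifier authority (48-bit big-endian), then every sub-authority as
    a 32-bit little-endian integer."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode the binary form back to a string, rejecting truncated input."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated or oversized SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def split_domain_sid(sid: str):
    """Return (domain SID, RID) for a domain account SID, or (None, None)
    for SIDs that are not domain-relative (S-1-1-0, S-1-5-32-544, ...)."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:-1]), int(parts[-1])
    return None, None


def describe(sid: str) -> str:
    """Classify a SID the way a domain reviewer would: well-known RID,
    reserved (below 1000) or an ordinary allocated account."""
    domain, rid = split_domain_sid(sid)
    if domain is None:
        return "not a domain account SID"
    if rid in WELL_KNOWN_RIDS:
        return f"{WELL_KNOWN_RIDS[rid]} (well-known RID {rid}) in domain {domain}"
    if rid < 1000:
        return f"reserved RID {rid} in domain {domain}"
    return f"ordinary account RID {rid} in domain {domain}"


if __name__ == "__main__":
    # Constructed sample SID, not taken from any real domain.
    sample = "S-1-5-21-3623811015-3361044348-30300820-1013"
    print(sid_to_bytes(sample).hex())
    print(describe(sample))
    print(describe("S-1-5-21-3623811015-3361044348-30300820-512"))
```

The binary layout matters because LDAP returns `objectSid` as bytes, so a search filter on a SID must use the encoded form, not the string. RIDs below 1000 are reserved by the domain; any provisioning path (ADPH in DSfW allocates SIDs, per the components slides) that hands an ordinary user such a RID deserves a close look.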



Features in DSfW

• Installs into existing eDir trees
• Domain boundaries can encompass multiple partitions
– Reduces number of domains
– Reduces hardware needs
– Reduces administration complexity
– Domains can be more flexible



Features in DSfW

• Name is not restricted to container name
– Domain name does not have to match the container name
• Can install multiple Domain Controllers
– Up to 5 DCs per domain
• Domain emulation
– Domain emulates Windows 2003 AD
• Host FSMO roles / Operations Master
– Like 2003, a DSfW DC performs the same FSMO roles


Features in DSfW

• Fault tolerance and load balancing
– Multiple DCs allow logins to be dispersed
– FSMO roles can be distributed to other DCs
• Authentication
– Supports common authentication protocols


Features in DSfW

• AD protocol support
– RPC
– SMB
– Kerberos
• Flexible management tools
– MMC
– iManager


Features in DSfW

• Provisioning Wizard
– Gives more control over the DSfW install process than OES2 SP1 did
– Gives the opportunity for remedial action if an installation stage fails; each stage can be re-run until it succeeds
– Allows AutoYaST to configure a basic OES2 SP2 or later system; a Java-based wizard then provisions the domain
– Can be scripted if required


Features in DSfW

• Windows member servers are supported
– Windows 2003 (R2)
– Windows 2008 (R2)
• Sysvol replication
– Keeps sysvol in step across DCs so that every DC can service logons
• Password policies
– Retain existing policies or use GPO
• Upgrade


Components

• Domain Services for Windows is built on the following components
– Novell eDirectory 8.8 SP6
– Novell Modular Authentication Services 3.3.3
– MIT Kerberos 2.17
– Active Directory Provisioning Handler (ADPH), integrated within eDirectory
– XAD framework 2.3


Components Continued

• Domain Services for Windows is built on the following components (continued)
– RPC subsystems required by Windows
– Novell Samba 3.4
– Novell DNS and GSS extensions
– NTP with Net Logon extensions


Components Continued

• ADPH implements the Security Account Manager (SAM) inside the eDirectory agent
– Allocates security IDs (SIDs) to users and groups
– Enables existing eDirectory users to use AD and RFC 2307 authorization
• Global Catalog provides a listing of all objects within the forest
– Allows AD forest-wide searches
– Is used during user principal name (UPN) logons when multiple domains exist in the forest


Components Continued

• Global Catalog (continued)
– Is set up automatically during the install of the first DC
– Listens on ports 3268 (LDAP) and 3269 (LDAP over SSL)
• NMAS Extensions
– GSSLSM and GSSAPI authentication are supported
– SAMSPM generates the NTLM and Kerberos keys (AD key material) whenever a user's Universal Password is changed




Deployment Options

• There are two types of installs
– First type is a new tree, or non-name-mapped domain
> The tree is created while installing DSfW
– The second type is installing into an existing tree, otherwise called a name-mapped install
• If doing a name-mapped install, know where you want the domain to be placed
• Users have to exist in the domain to be provisioned for DSfW


New Tree
Non-Name Mapped Install
• Characteristics:
– eDirectory tree is new
– eDirectory Tree Administrator is newly created and the DN is fixed. The AD Forest Name is created at the Tree Root as a hierarchy of DC objects. User administrator is created as cn=administrator,cn=users,dc=novell,dc=com. The dc objects are actual eDirectory objects

[Diagram: the domain container holds a Domain Controllers container with server 1 to server 5]


New Tree
Non-Name Mapped Install (cont.)
• Why would this be used?
– New tree just for DSfW
– A single-server tree can only be configured in a non-name-mapped configuration
• What is different?
– The eDirectory Tree Administrator is also the DSfW Administrator. No eDirectory user called admin is created
– A domain object is used, e.g. domain novell.com is mapped to container dc=novell,dc=com


Into Existing eDirectory Trees
Name Mapped Install
• Characteristics
– An existing eDirectory tree's partitioned container is used to map the DSfW domain (name-mapped install)
– The eDirectory Tree Admin is different from the first Domain Administrator. Administrator does not have supervisor rights to the tree
– The domain mapping to the eDirectory tree is managed by the eDirectory Tree Admin


Into Existing eDirectory Trees
Name Mapped Install (cont.)

• Why would this be used?
‒ To add DSfW to an existing eDirectory environment
‒ To allow the use of Novell workstations without the Novell Client
‒ To give existing eDir users, through an AD style trust, access to Microsoft applications alongside Novell users and data
‒ To preserve use of existing Novell based applications such as GroupWise and the Novell Client


Deployment Options

• Read the documentation
– The DSfW Documentation
– TID 7002172 Prepare for a DSfW Install
– TID 7002366 Helpful TIDs on DSfW
– TID 7001884 Verify a DSfW Install
• Watch the YouTube videos on preparing and installing DSfW
– http://www.youtube.com/user/DSFWDude#p/c/97F8FDC5AC71D051/0/vCewNEY2rnQ


Future Enhancements

• Bi-directional cross forest trust
• Simplified install
• Support for an external DNS server
• Sites and subnets
• Windows 2008 domain support
– AES encryption
– 2008 R2 schema


Future Enhancements

• Backup and restore
• Co-existence of the Novell Client on a domain member workstation
• Mac support with DSfW
– Support for 10.6.8 and newer


Installing DSfW

[Slides 38 to 61 are screenshots of the installation walkthrough; no text is preserved here.]
Demonstration
This document could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein. These changes may be
incorporated in new editions of this document. Novell, Inc. may make improvements
in or changes to the software described in this document at any time.

Copyright © 2011 Novell, Inc. All rights reserved.

All Novell marks referenced in this presentation are trademarks or registered trademarks of
Novell, Inc. in the United States. All third-party trademarks are the property of their respective
owners.
