Integrating Exchange Server 2010 in a Non-Windows Environment : Understanding the Identity Management for UNIX Components

Identity Management for UNIX is an additional role service on a Windows Server 2008 machine that includes three major components as follows:

• Server for Network Information Services (SNIS)— Server for NIS enables a Windows AD DS environment to integrate directly with a UNIX NIS environment by exporting NIS domain maps to AD entries. This enables an AD Domain Controller to act as the master NIS server.

• Password Synchronization— Installing the Password Synchronization role on a server enables for passwords to be changed once and to have that change propagated to both UNIX and AD DS environments.

• Administrative Tools— Installing this role service gives administrators to tools necessary to administer the SNIS and Password Synch components.

The Identity Management for UNIX components have some other important prerequisites and limitations that must be taken into account before considering them for use in an environment. These factors include the following:

• Server for Network Information Services (SNIS) must be installed on an Active Directory domain controller. In addition, all domain controllers in the domain must be running Server for NIS.

• SNIS must not be subservient to a UNIX NIS Server—it can be subservient only to another Windows-based server running Server for NIS. This requirement can be a politically sensitive one and should be broached carefully because some UNIX administrators will be hesitant to make the Windows-based NIS the primary NIS server.

• The SNIS Authentication component must be installed on all domain controllers in the domain in which security credentials will be utilized.

Installing Identity Management for UNIX Components

To install one or all of the Identity Management for UNIX components on a Windows Server 2008 domain controller, perform the following steps:

1.	Open Server Manager (Start, All Programs, Administrative Tools, Server Manager).
2.	Click on the Roles node in the task pane and then click the Add Role Services link in the Active Directory Domain Services section.
3.	Check the box next to Identity Management for UNIX, which should automatically check the remaining boxes as well, as shown in Figure 1. Click Next to continue. Figure 1. Installing the Identity Management for UNIX components.
4.	Review the installation options and click Install to begin the process.
5.	Click Close when complete and choose Yes to restart the server.
6.	After restart, the server should continue with the configuration of the server. Let it finish and click Close when the process is complete.

Configuring Password Change Capabilities

To enable password change functionality, a connection to a UNIX server must be enabled. To set up this connection, perform the following steps:

Adding NIS Users to Active Directory

For users who want their existing NIS servers to continue to provide authentication for UNIX and Linux servers, the SNIS component might not be the best choice. Instead, there is a package of Korn shell scripts downloadable from Microsoft.com that simplifies adding existing NIS users to AD. The getusers.ksh script gets a list of all users in an NIS database including the comment field. This script must be run with an account with the permission to run ypcat passwd. The makeusers.ksh script imports these users to Active Directory. The makeusers.ksh script must be run by a user with domain admin privileges. The –e flag enables accounts because by default the accounts are created in a disabled state. This is a perfect solution for migrations that require the existing NIS servers to remain intact indefinitely.