Migrating Windows 2003 + SFU 3.5 and Server for NIS to Windows 2008 R2
Most of the domain controllers running on Windows 2003 and serving purpose of Server for NIS for *NIX systems are getting upgraded to Windows 2008 R2 these days. This needs some additional steps to be performed as Services for UNIX 3.5 no longer available on Windows 2008 R2 (as SFU 3.5 does not have any x64 version).
There can be even a mixed environment where some of the Windows 2003 systems will be upgraded on newly installed Windows 2008 R2 systems will be added as domain controllers while the old Windows 2003 DCs will continue to exist.
On Windows 2003 x86 systems you can install Services for UNIX 3.5 freely download from here.
On Windows 2008 R2 we cannot install Services for UNIX; it does not have any x64 bit version. So, we need to enable the Identity Management for UNIX (which includes Server for NIS and Password synchronization) role on the Windows 2008 R2 domain controllers.
To install Identity Management for UNIX components on Windows 2008 R2 Domain Controllers
1. Open Server Manager.
2. In the Roles section, in the list of common tasks, click Add Role Services.
3. On the Select Role Services page of the Add Role Services Wizard, select the Identity Management for UNIX role services you want to install, and then click Next.
4. If the wizard prompts you to install any other role services required by Identity Management for UNIX components, click Yes.
5. Select all the three sub components, Server for NIS, Password sync and Administrative tool and click Install.
You must be a member of the Administrators group on the local computer to install Identity Management for UNIX components.
A major work in this process is to ensure we have password synchronization component installed on all the domain controllers. The reason being, the Pswdsync.dll hooks up with the every password change request for Active Directory users and then encrypts that using an encryption key and the stores that value in unixUserPassword attribute for a user. When a user changes password there is no way to control which Domain controller it will bind to; so we need it on all the domain controllers.
So, on all the Windows 2003 domain controllers we need to install password synchronization from Services for UNIX 3.5. In case of Windows 2008 R2, steps to install Password synchronization is provided above (under heading: To install Identity Management for UNIX components on Windows 2008 R2 Domain Controllers). Or we can use this command line:
ServerManagerCmd.exe - install ADDS-Password-Sync -restart
You need schema administrator privilege to perform this installation.
Next step to ensure that our Windows 2003 domain controllers running Services for UNIX – password sync actually uses the new schema that comes with Windows 2008 R2. This hotfix takes care of this; so need to install these patches on all the Windows 2003 Domain Controllers.
This will update the Pswdsync.dll file on these servers to ensure that SFU 3.5 can use RFC 2307 compliant schema and the attributes. Please ensure we reboot the system after this installation.
At this point we are good to go with a fresh Server for NIS running on a Windows 2008 R2 system. Next step is migrating the existing users UNIX attributes-values from the old attribute to the new one. A very good explanation of these attributes is here
Using Identity Management for UNIX effectively - Part I discussed the different schemas used in Services for UNIX 3.5 and in Windows 2008 (also used in Windows 2008 R2).
The script we need to device: will copy the attributes-values of active directory users from the old attribute to the new attributes. Looks like I have to write that script; will be providing a sample script in my next post.
Regarding password sync; the following changes are needed on all the domain controllers:
§ Install Password sync component on All Domain Controllers. (BTW, you need schema administrator privilege to perform this installation).
§ The default encryption key is changed for password synchronization (we can generate encryption key on one system and then copy it to others for better manageability)
§ The user has a NON NULL value in msSFU30NISDOmain attribute
§ Under “Windows to NIS (AD) Password Sync” “Enable Windows to NIS (AD) Password Sync check box is selected.
This long J post I believe has almost all the steps to migrating a Server for NIS environment from Windows 2003 + SFU 3.5 to Windows 2008 R2 environment. I major part left is the sample script to migrate the users’ UNIX information to new schema.