Authentication Servers

Infrastructures.org authentication servers page

For Kerberos and AD, we'll need to ensure time synchronization first, so this page is slightly out of order relative to infrastructures.org's pages, which primarily relied on NIS.

Here's where we install a Windows Server 2008r2 system and set up an Active Directory domain. We use the hostname dc for the server by default. We have a 2008r2 ISO already loaded in a VMware datastore (worf02, maybe?).

It takes forever to install 2008r2 on a VM. Maybe we do other things while that's running.

We need to install the Puppet agent on the Windows server. Installing anything over the web is a pain until IE enhanced security is disabled. Maybe we make an ISO available somewhere with a copy of Google Chrome on it? Or is there a way of mapping the guests to a share with open read-only permissions?

Checklist

  • Add extra DNS entries on student router. Doing this ahead of time may keep dcpromo from complaining that there's no AD-integrated DNS server that it can manipulate. This will also ensure that clients not using the Windows server for DNS will be able to join the domain normally. Edit dns-regen as shown, where dc is the name of the Windows server:
    DNS_DB_POSTAMBLE="""
    # Put any CNAME or other non-address entries below
    _udp.% ns dc.% ~
    _tcp.% ns dc.% ~
    _msdcs.% ns dc.% ~
    _sites.% ns dc.% ~
    forestdnszones.% ns dc.% ~
    domaindnszones.% ns dc.% ~
    """
  • We may have other issues with dcpromo making the Windows server use localhost (or the IPv6 equivalent) for its DNS.
  • Make an AD client on Windows 7.
  • Make an AD client on Debian with winbind and Kerberos.
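
The delegation entries in the first checklist item can be sanity-checked offline before running dcpromo. This is an added example, not part of dns-regen: it parses the postamble and reports any standard AD locator name that no delegation to dc covers. The zone name lab.example, the helper names, and the reading of `%` as the zone name and `~` as the record terminator are assumptions.

```python
# Added example, not part of dns-regen. Assumes '%' expands to the zone name
# and '~' ends a record, as the page's entries suggest.
POSTAMBLE = """
# Put any CNAME or other non-address entries below
_udp.% ns dc.% ~
_tcp.% ns dc.% ~
_msdcs.% ns dc.% ~
_sites.% ns dc.% ~
forestdnszones.% ns dc.% ~
domaindnszones.% ns dc.% ~
"""

# Names a domain member looks up to locate a DC, relative to the AD domain.
LOCATOR_NAMES = [
    "_ldap._tcp.dc._msdcs", "_kerberos._tcp", "_kerberos._udp",
    "_kpasswd._tcp", "_ldap._tcp.Default-First-Site-Name._sites",
    "_ldap._tcp.ForestDnsZones", "_ldap._tcp.DomainDnsZones",
]

def fqdn(name):
    """Normalize to lower case with exactly one trailing dot."""
    return name.rstrip(".").lower() + "."

def parse_delegations(text, zone):
    """Map each delegated subzone in the postamble to its name server."""
    found = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].rstrip().rstrip("~").split()
        if len(fields) == 3 and fields[1].lower() == "ns":
            name, target = (fqdn(f.replace("%", fqdn(zone)))
                            for f in (fields[0], fields[2]))
            found[name] = target
    return found

def uncovered(zone, text=POSTAMBLE, dc_host="dc"):
    """Return locator names that no delegation to dc_host covers."""
    delegations = parse_delegations(text, zone)
    want_ns = fqdn(f"{dc_host}.{zone}")
    missing = []
    for rel in LOCATOR_NAMES:
        name = fqdn(f"{rel}.{zone}")
        hits = [s for s in delegations if name == s or name.endswith("." + s)]
        best = max(hits, key=len, default=None)  # most specific delegation
        if best is None or delegations[best] != want_ns:
            missing.append(name)
    return missing

if __name__ == "__main__":
    print("uncovered:", uncovered("lab.example") or "none")  # constructed zone
```

An empty result means every listed locator name falls under a subzone handed to dc; it does not confirm that the DC has actually registered the records.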
Last modified on Mar 17, 2013, 2:30:03 PM