And the Noddy Badge of the day goes to… ME!

I’ve finally given up on trying to use Samba as a primary domain controller (PDC). After spending many, many hours trying to configure Samba to work with OpenLDAP, as well as many posts on the LinuxQuestions forums, I have still not solved the problem. The frustrating thing is that I’m pretty sure that someone with loads of experience in managing this kind of system could solve it in 5 minutes.

So now I am moving to Microsoft Active Directory (AD). Good idea? Probably not, but then again, I did manage to get the domain up and running in a morning. This however caused a couple of problems:

  1. When installing Active Directory, Windows locks down everything on the server in order to prevent unauthorized use of the applications installed on it. The idea here is that only administrators should be able to log on as a local user of the server box. This however has had the unfortunate consequence that SharePoint no longer works. According to the error log, the SQL server cannot be contacted. Arg! Now I have to troubleshoot the SQL server.
  2. Active Directory relies heavily on DNS and the recommended solution is to install a DNS server on the AD box and let it use that instead of the normal DNS server. This necessitated the removal and re-installation of AD, this time installing a local DNS server and configuring it to work together with AD. I started an hour and a half ago and I was still waiting for DNS to be configured (see screenshot below).

Waiting

Well, it’s a good job I decided to write this because I noticed another little taskbar item requesting insertion of the Windows CD. WTF didn’t this pop up? WTF did it simply appear minimized to the taskbar? /swearswindowsloudly

Insert CD

/calmsdownslowlyandtakestendeepbreaths

/hyperventilates

So now I’m on my way again. AD and DNS are installed and the server is restarting. Now I need to configure:

  1. DNS (must reference DNS server running on firewall)
  2. AD (myself as dummy user, I must be able to logon to the domain)
  3. Terminal Server (change group security policy)
  4. SharePoint (fix SQL error although I have no idea how)
  5. Samba (to share home directories on linux server)
  6. OpenLDAP (must talk to AD to authenticate linux boxes)

And then, finally I must rewrite all my how-tos to take account of the new configuration.
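As an added example (not part of the original post), here are the first two items of the checklist above done from a PowerShell prompt on the new domain controller: point the Windows DNS server at the firewall’s resolver for every name it is not authoritative for, create a throwaway domain user, and then verify both the way a client would. The firewall address 192.168.1.1, the domain name example.lan and the user name testuser are assumptions; `dnscmd`, `dsadd`, `nltest` and `net user` are the stock Windows Server command-line tools of that era, so the script runs on the DC without extra modules.

```powershell
# Added example, not from the original post. Assumed values for this network:
$FirewallDns = '192.168.1.1'   # the existing resolver on the firewall (assumption)
$Domain      = 'example.lan'   # the new AD domain (assumption)
$TestUser    = 'testuser'      # throwaway, non-admin account for a logon test (assumption)

# 1. DNS: forward everything this server is not authoritative for to the firewall.
#    Without a forwarder the DC falls back to the root hints, which only works if
#    the DC itself has unrestricted outbound DNS.
dnscmd localhost /ResetForwarders $FirewallDns
dnscmd localhost /Info | Select-String -Pattern 'Forward'   # should now list the firewall

# Sanity check: an external name must resolve via the forwarder...
nslookup www.example.com localhost
# ...and the domain's own SRV records must exist, or no client will ever find the DC.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" localhost

# 2. AD: create a plain domain user (no admin rights) for testing logons.
#    Build the DN from the domain name: example.lan -> DC=example,DC=lan
$domainDn = ($Domain -split '\.' | ForEach-Object { "DC=$_" }) -join ','
$userDn   = "CN=$TestUser,CN=Users,$domainDn"
# -pwd * prompts for the password instead of leaving it in the shell history.
dsadd user $userDn -samid $TestUser -upn "$TestUser@$Domain" -pwd * -mustchpwd no -disabled no

# Verify: locate the DC the way a domain member would, and confirm the account.
nltest /dsgetdc:$Domain
net user $TestUser /domain
```

If `nltest /dsgetdc` cannot find a DC, fix DNS before touching anything else; every later item on the list (Terminal Server policy, Samba and the Linux boxes joining the domain) depends on clients resolving those SRV records through this server.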

Categories: Sysadmin | 2 Comments


2 thoughts on “And the Noddy Badge of the day goes to… ME!”

  1. Have fun with that.

    Honestly, it is possible to use OpenLDAP, Samba, OpenSSL and MIT (or Heimdal) Kerberos to do this with Linux. It is worth it, in the long run.

    With Windows Server AD, you are (practically) forced to use Windows DNS and that requires Windows DHCP. I’ve been down this road. I am told that there are ways around it, but they are not pretty.

    Some notes from my network experience: the SQL problem is probably caused by a change in “context” for IIS and SQL – if Windows Authentication is in use. I cannot remember which user IIS runs under (I haven’t used IIS since ’05) but you should find it in the IIS snapin for MMC. You must give that Windows user access to your SQL server and the database in question. (Just make it db_owner, that’s the easiest.)

    Remember to set the Windows DNS to “forward” requests for domains that you do not control! Be warned – it doesn’t work correctly. For some unknown reason, Windows DNS stops forwarding requests randomly.

    Active Directory works on Kerberos. This is good, but it requires all the clocks on your network to synch with the server, within five minutes I think. This forces Windows to act as an NTP server and will work on your LAN. Unfortunately, Windows NTP is “borked” – it won’t synch with public servers on the internet. Your whole network will be in synch with itself but will drift out of time with the rest of the world.

    Read http://web.mit.edu/kerberos/www/dialogue.html

    Finally: AD’s most useful feature is Group Policy. It’s borked too. Be warned: your group policy settings will have an immediate effect on nodes on your network but will randomly be ignored in n-months time.

    Here’s an alternative: don’t use AD at all. Set up a Kerberos KDC on a Linux box and use command-line tools (available on the Windows install disk) to configure Windows clients to authenticate to that. AD is just a bunch of cruft on top of Kerberos. Windows *can* use vanilla-kerberos.

    Good luck.

  2. Pingback: Quote of the day « More or less interesting moments in life
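Two of the points in the first comment above are easy to check rather than take on trust, so here is an added example (mine, not the commenter’s or the post author’s) as a PowerShell script for the domain controller. The first part makes the PDC emulator sync from an external NTP pool and measures the clock offset against the Kerberos tolerance, which is five minutes by default on Windows. The second part gives the IIS application pool identity the SQL rights the comment describes. The NTP pool names, the DC name dc1, the pool identity NT AUTHORITY\NETWORK SERVICE (the IIS 6 default, but whatever the SharePoint pool actually runs as is what matters) and the database name STS_Config are assumptions, as is a SQL Server 2005 or later with `sqlcmd` installed.

```powershell
# Added example, not from the original post or comment. Assumed values:
$NtpPeers   = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'  # external time source (assumption)
$PdcName    = 'dc1'                                    # PDC emulator, the domain's time root (assumption)
$MaxSkewSec = 300                                      # Windows Kerberos default clock tolerance

# 1. Time: make this DC chase an external NTP pool instead of its own clock.
#    ",0x8" = client mode; /reliable:yes advertises it as a trusted source to the domain.
w32tm /config /manualpeerlist:$NtpPeers /syncfromflags:manual /reliable:yes /update
Stop-Service w32time
Start-Service w32time
w32tm /resync /rediscover

# Measure the offset this machine sees against the PDC emulator. With /dataonly each
# sample line looks like "14:02:11, +00.0123456s"; error lines carry no offset.
$offsets = w32tm /stripchart /computer:$PdcName /samples:3 /dataonly |
    Select-String -Pattern '([+-]\d+\.\d+)s' |
    ForEach-Object { [double]$_.Matches[0].Groups[1].Value }

if (-not $offsets) {
    Write-Warning "No time samples from $PdcName; check that UDP/123 is reachable"
} else {
    $worst = 0.0
    foreach ($o in $offsets) { if ([math]::Abs($o) -gt $worst) { $worst = [math]::Abs($o) } }
    if ($worst -gt $MaxSkewSec) {
        Write-Warning "Clock skew ${worst}s exceeds the ${MaxSkewSec}s Kerberos tolerance; ticket requests will fail"
    } else {
        "Clock skew ${worst}s, within the ${MaxSkewSec}s Kerberos tolerance"
    }
}

# 2. SQL: the IIS pool identity needs a SQL login and rights on the SharePoint
#    database. db_owner is what the comment suggests and is the easiest; if the
#    site only reads and writes data, db_datareader/db_datawriter is the
#    least-privilege choice and can be substituted below.
$PoolIdentity = 'NT AUTHORITY\NETWORK SERVICE'   # IIS 6 default pool identity (assumption)
$Database     = 'STS_Config'                     # SharePoint database (assumption)
$Role         = 'db_owner'

$sql = @"
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$PoolIdentity')
    CREATE LOGIN [$PoolIdentity] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$PoolIdentity')
    CREATE USER [$PoolIdentity] FOR LOGIN [$PoolIdentity];
EXEC sp_addrolemember N'$Role', N'$PoolIdentity';
"@
$script = Join-Path $env:TEMP 'grant-pool-identity.sql'
$sql | Set-Content -Path $script
sqlcmd -S localhost -E -i $script   # -E: Windows authentication as the admin running this
Remove-Item $script
```

Run the time section on the PDC emulator itself and the stripchart check on any other domain member; if the member reports a skew beyond the tolerance, fix time before chasing what look like authentication bugs, because Kerberos rejects the ticket request outright.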
