Configuring IDM for Windows Centric Environment

From MicroFocusInternationalWiki

Please note: I have gone through this the hard way, and if there are any additions or corrections needed, please make them.


Rough Overview

1) Before you plan out your entire environment, realize that if you split the services up then you will need to configure SSL. This can be problematic if you are a ZENmaster as opposed to a web guru.

2) There's a tutorial in the manual that is very helpful. [1]

3) Get IDM 3 if you have ZENworks 7. It's in SP1 on the second companion disk.

4) Consider virtualization. Microsoft's products are free, as is VMware Server. I still consider VMware Workstation a superior product, but it costs about $200.

5) If you are going to virtualize the production server, then consider how performance will impact the services. NetWare has historically not performed as well as Windows in a virtualized environment. This is because NetWare is already highly optimized for the hardware it runs on, so virtualization adds more overhead than it does for Windows, which already has a hardware abstraction layer.

6) Synchronization for ZEN purposes only means that you want to go one way, from AD -> eDir, AKA the "Identity Vault".

7) Political considerations -- When a company ditches Novell to go to Microsoft, the tendency is to want a pure AD solution no matter what sacrifices in functionality they make. The next version of ZENworks (ZENworks Configuration Management) will alleviate this as it uses an LDAP directory, so you can use AD natively or eDir. There is no eDir requirement AT ALL. Also, keep in mind the following:

  • ALL management systems require some datastore. ZEN uses eDir, SMS uses AD & SQL Server
  • The "threat" of added complexity is mitigated because the sync can be one way only. Therefore you're not jeopardizing the fragile AD environment.
  • Even in the event of some failure in the synchronization, the effects felt by end users should be mild, simply because the ZEN services will still work; only changes to user accounts won't be propagated until the sync is restored.
  • Consider using the ZEN datastore AKA eDirectory AKA Identity Vault for other purposes such as iFolder and GroupWise Messenger. In my experience these products have a high approval by users and make defending eDirectory much easier.
  • Although not an eDir program, deploy ZENworks Asset Management/Inventory (ZAM/ZAI) and show it to the managers. This product is far superior to the traditional ZENworks Inventory and therefore stomps SMS inventory as well.

8) You will need to install the IDM Password Synchronization shim on all DCs. Otherwise, password changes won't get caught, because a change can go through any DC and IDM can't sync it once it has already been committed to AD. However, the shim is very lightweight and hopefully has a small enough footprint to avoid any other political issues. You can install the shim remotely from your IDM server to any other DC in the domain. A reboot is required. Also, if you install the shim and it keeps wanting to reboot, then try removing it and starting over. This has fixed the issue in our environment.

9) Watch your time sync if you're using Windows servers. They don't automatically stay in sync with each other (anybody know why not?). I have pointed mine to the same NTP server out on the Internet.

10) Weird stuff? DSrepair as always. Also, check the version of eDir you are running. There may be patches or a new version.

11) Novell Security Services box popping up on clients?

 * Make sure password shim is installed on ALL DCs
 * Confirm that IIS is running properly (try logging into the middle tier web console)
 * Remove any and all Novell legacy software not needed
 * Uninstall and reinstall the newest ZEN agent
 * Look for a ZEN agent Hot Patch (or IR)
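Because the two failure modes above (a DC without the password shim, and a DC drifting off the common NTP source) are both silent until users see symptoms, a quick audit across every DC is worth keeping around. The following PowerShell is an added example, not from the wiki page or from the IDM product; it assumes the RSAT ActiveDirectory module, WinRM access to each DC, and that the shim registers itself as an LSA password filter under "Notification Packages" with the base name held in $FilterName (assumed to be PWFilter).

```powershell
# Added example: audit all domain controllers for the IDM password sync
# filter and for their configured time source. Not part of the original page.
param(
    # Assumed base name of the IDM password filter DLL (no .dll extension).
    [string]$FilterName = 'PWFilter',
    # Assumed: the NTP host every DC should point to, e.g. an Internet pool.
    [string]$ExpectedNtp = 'ntp.example.invalid'
)

Import-Module ActiveDirectory

# LSA loads every password filter listed in this REG_MULTI_SZ value.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        # Read Notification Packages on the remote DC over WinRM.
        $packages = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            param($Key)
            (Get-ItemProperty -Path $Key -Name 'Notification Packages').'Notification Packages'
        } -ArgumentList $lsaKey
        $hasShim = @($packages) -icontains $FilterName

        # w32tm reports where this DC currently takes its time from.
        $source = (& w32tm /query /computer:$name /source 2>&1 | Select-Object -First 1)
        $localClock = $source -match 'Local CMOS Clock|Free-running System Clock'

        [PSCustomObject]@{
            DC            = $name
            ShimInstalled = $hasShim
            TimeSource    = $source
            TimeOk        = (-not $localClock) -and ($source -match [regex]::Escape($ExpectedNtp))
        }
    }
    catch {
        [PSCustomObject]@{ DC = $name; ShimInstalled = $null; TimeSource = "ERROR: $_"; TimeOk = $false }
    }
}

# Any DC missing the shim or not following the expected NTP source needs attention.
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.ShimInstalled -or -not $_.TimeOk } |
    ForEach-Object { Write-Warning "Check $($_.DC): shim=$($_.ShimInstalled) time='$($_.TimeSource)'" }
```

Run it from the IDM server with a domain admin account; a DC that shows up in the warnings is the first place to look when the Novell Security Services box starts appearing on clients.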
