Using Services for UNIX to Integrate UNIX Systems with an Active Directory/Exchange Server 2007 Environment

written by: Ken Steup; published: May 2007



In many cases, it might be necessary to integrate many of the components of an existing UNIX implementation with the Exchange 2007 forest. In these cases, a tool most recently provided with Windows Server 2003 R2 Edition known as Services for UNIX (SFU) should be examined.

For many years, UNIX and Windows systems were viewed as separate, incompatible environments that were physically, technically, and ideologically different. Over the years, however, organizations found that supporting two completely separate topologies within their environments was inefficient and expensive; a great deal of redundant work was also required to maintain multiple sets of user accounts, passwords, environments, and so on.

Slowly, the means to interoperate between these environments was developed. At first, most of the interoperability tools were written to join UNIX with Windows, as evidenced by Samba, a method for Linux/UNIX platforms to access Windows NT file shares. Microsoft tools always seemed a step behind those available elsewhere. With the release of the new Services for UNIX tools in Windows Server 2003 R2, Microsoft leapfrogs traditional solutions, like Samba, and becomes the leader for cross-platform integration. Long-awaited functionality such as password synchronization, the capability to run UNIX scripts on Windows, joint security credentials, and so on were presented as viable options and can now be considered as part of a migration to, or an interoperability scenario with, Windows Server 2003.

Understanding the Development of Services for UNIX

Services for UNIX has made large strides in its development. From initial skepticism, the product has developed into a formidable integration and migration utility that allows for a great deal of interenvironment flexibility. The first versions of the software, 1.x and 2.x, were limited in many ways, however. Subsequent updates to the software vastly improved its capabilities and further integrated it with the core operating system.

A watershed in the development of Services for UNIX was the introduction of version 3.0 of the software. This version enhanced UNIX support through the addition or improvement of nearly all components. Version 3.0 also included the Interix product, an extension to the POSIX infrastructure of Windows that supports UNIX scripting and applications natively on a Windows server.

Then, version 3.5 of SFU was released, which included several functionality improvements over SFU 3.0. The following components and improvements have been made in the 3.5 release:

. Greater support for Windows Server 2003 Active Directory authentication

. Improved utilities for international language support

. Threaded application support in Interix

. Significant Interix performance increases of up to 100%

. Support for the Volume Shadow Copy Service of Windows Server 2003

Finally, we come to the Windows Server 2003 R2-integrated version of SFU. Besides being slipstreamed directly into the operating system, some functional changes have been made as well. Most important, the structure of SFU has changed considerably. Here is the structure of major improvements for the R2 SFU offering:

. Network Information Service (NIS) and Active Directory integration with scripts for populating Active Directory from a NIS database

. Extended NIS interoperability, including allowing a Windows Server 2003 R2 system to act as a NIS master in a mixed environment

. Network File System (NFS) server functionality expanded to Mac OS X and higher clients

. Subsystem for UNIX Applications (SUA) allows POSIX-compliant UNIX applications to be run on Windows Server 2003 R2, including many common UNIX tools and scripts

. Easier porting of native UNIX and Linux scripts to the SUA environment

Outlining the Components of Services for UNIX

Services for UNIX is composed of several key components, each of which provides a specific integration task with different UNIX environments. Any or all of these components can be used as part of Services for UNIX as the installation of the suite can be customized, depending on an organization’s needs. The major components of SFU are as follows:

. Subsystem for UNIX-based applications

. Client for NFS

. Server for NFS

. Telnet server

. Telnet client

. Server for NIS

. Password synchronization

. NIS domains

Each component can be installed separately or multiple components can be installed on a single server as necessary. Components are all available from the Add/Remove Windows Components Wizard in Control Panel. Each component is described in more detail in the following sections.

Detailing the Prerequisites for Services for UNIX

Services for UNIX R2 interoperates with various flavors of UNIX, but was tested and specifically written for use with the following UNIX versions:

. Sun Solaris 7.x, 8.x, 9.x, or 10

. Red Hat Linux 8.0 and later

. Hewlett-Packard HP-UX 11i

. IBM AIX 5L 5.2

. Apple Macintosh OS X

NOTE

SFU is not limited to these versions of Sun Solaris, Red Hat Linux, HP-UX, IBM AIX, and Apple OS X. It actually performs quite well in various other similar versions and implementations of UNIX, Linux, and Mac OS X.

Services for UNIX has some other important prerequisites and limitations that must be taken into account before considering it for use in an environment. These factors include the following:

. Server for NIS must be installed on an Active Directory domain controller. In addition, all domain controllers in the domain must be running Server for NIS.

. Password synchronization requires installation on domain controllers in each environment.

. Server for NIS must not be subservient to a UNIX NIS server—it can only be subservient to another Windows-based SFU server. This requirement can be a politically sensitive one and should be broached carefully, as some UNIX administrators will be hesitant to make the Windows-based NIS the primary NIS server.

. The Server for NIS authentication component must be installed on all domain controllers in the domain in which security credentials will be utilized.

Installing Services for UNIX R2

The installation of Services for UNIX for Windows Server 2003 R2 is as simple as adding another Windows component. From Control Panel, go to Add/Remove Programs and then Add/Remove Windows Components. The various parts that make up SFU are all available in their appropriate areas.

NOTE

You will need the Windows 2003 R2 installation CD to add each of the Services for UNIX components.

The installation of Services for UNIX is straightforward and uses the familiar Microsoft Add/Remove Windows Components Installation Wizard. After the prerequisites have been satisfied and the desired functionality has been identified, you can begin the SFU installation.

To install SFU R2, perform the following steps:

1.  Click the Start menu and select Control Panel.

2.  Choose Add/Remove Programs.

3.  Choose Add/Remove Windows Components in the left column.

4.  Select Subsystem for UNIX-based Applications, and then click Next.

5.  You are prompted for the location of the CD or another location for the requested files.

6.  The setup prompts you to download the Utilities and SDK for UNIX-based Applications. Click Yes to download the package.

NOTE

The Utilities and SDK for UNIX-based Applications is fairly large, approximately 180MB. You can download this package in advance if desired to speed the installation process. Different packages are available for x86 and AMD architectures.

7.  Click Next through the first few screens, and then accept the license agreement.

8.  Case sensitivity is an important function for many UNIX applications. Click the Change the Default Behavior to Case Sensitive check box if your UNIX environment is case sensitive.

9.  Click Finish for both screens and the installation is complete. You will need to reboot for the components to become active.

10.  To install the various Active Directory-related components, again go to the Add/Remove Windows Components menu.

11.  Select Active Directory Services, and then click Details. Select Identity Management for UNIX, as shown in Figure 5.6, and then click Details again to drill down to the Identity Management for UNIX (IDMU) options. Select all three options for a full installation.

12.  Click Next to begin the installation.

13.  You are prompted to locate the requested files on the CD. After installation, click Finish to complete the installation. Finally, reboot for the components to become active.

14.  To install the NFS components, again go to the Add/Remove Windows Components menu.

15.  The Microsoft Services for NFS are located under Other Network File and Print Services.

16.  Select Details under Microsoft Services for NFS, and choose the appropriate options for your installation.

After being installed, the various functionalities can be tested in a lab environment or deployed into production.

Synchronizing User Information Between AD and UNIX

It might be necessary to maintain and support UNIX accounts and AD/Exchange 2007 mailboxes at the same time. SFU provides for synchronization between these accounts with the username mapping and password synchronization capabilities.

Username Mapping

Username mapping allows specific user accounts in Windows Server 2003 Active Directory to be associated with corresponding UNIX user accounts. In addition to mapping identically named user accounts, username mapping allows for the association of user accounts with different names in each organization. This factor is particularly useful considering the fact that UNIX user accounts are case sensitive, whereas Windows accounts are not.

Username mapping supports the capability to map multiple Windows user accounts to a single user account in UNIX. This capability allows, for example, multiple administrators to map Windows Server 2003 Active Directory accounts with the UNIX root administrator account.
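The following script is an added illustration of the mapping behaviour described above; it is not SFU's User Name Mapping service or any Microsoft code. It builds a constructed mapping table (domain CORP, the account names and UNIX logins are all made up), resolves Windows accounts case-insensitively through explicit entries first and same-name matching second, and lists the many-to-one case in which several Windows administrator accounts map to the single UNIX root account.

```shell
#!/bin/sh
# Added illustration (not SFU's User Name Mapping code): a constructed
# mapping table and two lookups that show the behaviours described above.
# Domain "CORP", the account names and the UNIX logins are all made up.

# Constructed explicit mappings: "Windows account  UNIX login".
# Two administrator accounts map to the single UNIX root account.
MAP='CORP\ksteup unixadmin1
CORP\jdoe jdoe
CORP\adm-alice root
CORP\adm-bob root'

# Constructed UNIX password file logins (case sensitive, as on UNIX).
UNIX_USERS='root jdoe JDoe unixadmin1'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# resolve_unix_user DOMAIN\user -> prints the UNIX login, or returns 1
resolve_unix_user() {
    win=$(lower "$1")                        # Windows names are case insensitive
    # 1. An explicit mapping entry wins, whatever the case of the input.
    hit=$(printf '%s\n' "$MAP" | while read -r w u; do
        [ "$(lower "$w")" = "$win" ] && { printf '%s' "$u"; break; }
    done)
    if [ -n "$hit" ]; then
        printf '%s\n' "$hit"
        return 0
    fi
    # 2. Otherwise fall back to same-name mapping. The UNIX side is case
    #    sensitive, so only an exact match of the part after the backslash counts.
    name=${1##*\\}
    for u in $UNIX_USERS; do
        if [ "$u" = "$name" ]; then
            printf '%s\n' "$u"
            return 0
        fi
    done
    return 1
}

# windows_accounts_for UNIXLOGIN -> all Windows accounts mapped to it (many-to-one)
windows_accounts_for() {
    printf '%s\n' "$MAP" | awk -v u="$1" '$2 == u { print $1 }' | paste -s -d ' ' -
}

# Stand-alone demonstration
for acct in 'corp\JDOE' 'CORP\Adm-Bob' 'CORP\unixadmin1' 'CORP\Root'; do
    if unix=$(resolve_unix_user "$acct"); then
        printf '%-20s -> %s\n' "$acct" "$unix"
    else
        printf '%-20s -> no mapping (case mismatch or unknown)\n' "$acct"
    fi
done
printf 'Windows accounts mapped to root: %s\n' "$(windows_accounts_for root)"
```

The last lookup, CORP\Root, fails on purpose: no explicit entry exists and the same-name fallback compares against the case-sensitive UNIX login root, which is exactly the situation explicit mappings are meant to resolve. Reviewing the output of a many-to-one lookup such as windows_accounts_for root is a useful periodic check, since every Windows account listed there effectively holds UNIX root.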

Synchronizing Passwords with IDMU

Going hand in hand with the username mapping service, password synchronization allows user accounts that have been mapped to automatically update their passwords between the two environments. This functionality, accessible from the IDMU MMC administration menu, allows users on either side to change their passwords and have the changes reflected on the mapped user accounts in the opposite platform.

As previously mentioned, password synchronization must be installed on all domain controllers on the Active Directory side because all the domain controllers must be able to understand the UNIX password requests forwarded to them. In addition, password synchronization is only supported out of the box in the following UNIX platforms:

. Solaris 7, 8, and 9

. Red Hat Linux 6.2, 7.0, and 8.0

. HP-UX 11

All other flavors of UNIX require a recompile of the platform, which is made easier by the inclusion of makefiles and SFU source code. SFU R2 also includes the encryption libraries, making it even easier to compile a customized solution.

Adding NIS Users to Active Directory

For users who want their existing NIS servers to continue to provide authentication for UNIX and Linux servers, the NIS Migration Wizard is not the best choice. Instead, a package of Korn shell scripts downloadable from Microsoft.com makes this process simple. The getusers.ksh script gets a list of all users in a NIS database, including the comment field; it must be run with an account that has permission to run ypcat passwd. The makeusers.ksh script imports these users into Active Directory and must be run by a user with domain admin privileges. Its -e flag enables the accounts, which by default are created in a disabled state. This is a perfect solution for migrations in which the existing NIS servers must remain intact indefinitely.
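As an added example of the getusers/makeusers workflow just described (this is not Microsoft's getusers.ksh or makeusers.ksh, and it does not touch NIS or Active Directory), the portable sh script below parses a constructed passwd map in place of live ypcat passwd output, extracts the fields an import needs (login, UID, GID, comment), and records each account as disabled unless -e is given, mirroring the -e flag described above. It also shows the entries a defender would want reviewed rather than imported: system accounts and additional UID 0 accounts. All names and numbers are constructed, and the UID threshold of 100 is an assumption chosen for the sample, not a value from the article.

```shell
#!/bin/sh
# Added example (not Microsoft's getusers.ksh or makeusers.ksh): a portable
# sh script that mimics the workflow described above. Instead of running
# `ypcat passwd` on a live NIS server it parses a constructed passwd map
# embedded below, extracts the fields an AD import needs (login, UID, GID,
# comment), and records the initial account state: "disabled" by default,
# "enabled" only when -e is given, mirroring the makeusers.ksh -e flag.
# Entries that should not become directory users (system accounts, extra
# UID 0 accounts) are reported on stderr instead. All names and numbers are
# constructed; the UID threshold of 100 is an assumption for the sample.

# Constructed sample of what `ypcat passwd` might print (not real data).
SAMPLE_MAP='root:x:0:0:Superuser:/:/bin/sh
daemon:x:1:1:System daemon:/:/bin/false
ksteup:x:1001:100:Ken Steup,Bldg 2,x4321:/home/ksteup:/bin/ksh
jdoe:x:1002:100:Jane Doe:/home/jdoe:/bin/bash
toor:x:0:0:Backup superuser:/:/bin/sh
svcbackup:x:1003:100::/home/svcbackup:/bin/sh'

# nis_to_import [-e] < passwd-map
# stdout: one "login|uid|gid|comment|state" line per importable account
# stderr: one "SKIP login reason" line per rejected entry
nis_to_import() {
    state=disabled
    [ "$1" = "-e" ] && state=enabled
    while IFS=: read -r login pw uid gid gecos home shell; do
        [ -z "$login" ] && continue
        # Keep only the real-name part of GECOS (before the first comma),
        # which is what the comment field of the AD user object would hold.
        comment=${gecos%%,*}
        if [ "$uid" -eq 0 ]; then
            # Every UID 0 entry is a superuser; it has no sensible AD counterpart.
            printf 'SKIP %s uid-0-account\n' "$login" >&2
            continue
        fi
        if [ "$uid" -lt 100 ]; then
            printf 'SKIP %s system-account\n' "$login" >&2
            continue
        fi
        printf '%s|%s|%s|%s|%s\n' "$login" "$uid" "$gid" "$comment" "$state"
    done
}

# Logins accepted for import from the sample map, space separated.
accepted_logins() {
    printf '%s\n' "$SAMPLE_MAP" | nis_to_import "$@" 2>/dev/null \
        | cut -d '|' -f 1 | paste -s -d ' ' -
}

# Import record for one login (empty if it was skipped): record_of LOGIN [-e]
record_of() {
    want=$1
    shift
    printf '%s\n' "$SAMPLE_MAP" | nis_to_import "$@" 2>/dev/null \
        | awk -F '|' -v u="$want" '$1 == u { print }'
}

# Stand-alone demonstration: pass -e to see accounts recorded as enabled.
printf '%s\n' "$SAMPLE_MAP" | nis_to_import "$@"
```

Running the script without arguments lists ksteup, jdoe and svcbackup as disabled import candidates and reports root, daemon and toor as skipped; the second UID 0 entry (toor) is the kind of finding worth raising with the UNIX administrators before any import, because a directory account created from it would carry no hint that it stood for a superuser.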
