

Chapter 5 Installing and Configuring the Synch Service

When you install a Directory Server under Windows NT, you are given the option of installing the NT Synchronization Service. The NT Directory Synchronization Service allows you to synchronize the entries in your Windows NT directory with your Directory Server entries. Windows NT users, groups, and passwords can be synchronized. As entries are created, modified, or deleted in one directory, the synchronization service makes the corresponding change to the other directory.

The NT Synchronization Service and the Netscape Directory Server do not have to be installed on the same machine. Also, you can use the synchronization service with a Netscape Directory Server for Unix.

This chapter contains information about:


Installing the Synchronization Service
To install the synchronization service, do the following:

  1. While not required, it is strongly recommended that you use SSL with the synchronization service. Therefore, your first step should be to create a certificate database for use by the synchronization service. The easiest way to do this is to simply use the certificate database that you created when you set up SSL for your Directory Server. If your Directory Server is running on the same machine as your synchronization service, then you can just point the synchronization service at that same database. Otherwise, copy the Directory Server's certificate database to the machine where the synchronization service is running.
  2. If you do not want to use the Directory Server's certificate database, you can create a certificate database for the NT synchronization service using Communicator 4.x. When you do this, you only need to trust the Directory Server's Certificate Authority (you do not need to obtain any client or server certificates).

    For information on setting up SSL for the Directory Server, or for information on how to create certificate databases for LDAP clients, see the Netscape Directory Server Administrator's Guide.

  3. Log in to Windows NT with administrator privileges.
  4. If you have not already done so, download the product binaries file to the installation directory.
  5. Double-click the self-extracting archive. This automatically starts the setup program.
  6. When you are asked what you would like to install, select the default, Netscape Servers.
  7. When you are asked what type of installation you would like to perform, select the default, Typical Installation.
  8. For server installation root, enter a full path to the location where you want to install the synchronization service. The location that you enter must be some directory other than the directory from which you are running setup. If the directory that you specify does not exist, setup creates it for you. By default, setup installs the synchronization service in the following directory:

    <NSHOME>/dssynch

    where <NSHOME> is the location where your Directory Server is installed.

  9. For Components, select "Netscape Server Family Core Components" and "Netscape Directory Server 4.1 Synch Service."
  10. Once the synchronization service is installed, the Synchronization Service Configuration Tool is launched. To successfully synchronize your Windows NT entries with the Netscape Directory Server, you must do two things:

  11. Once you have finished installing and configuring the synchronization service, you must reboot the machine.

The following sections describe configuring the synchronization service in detail. To learn more about the Netscape NT Synchronization Service, see the Netscape Directory Server Administrator's Guide.

Configuration on a Non-Primary Domain Controller

The NT Synchronization Service can be installed on any NT machine on which a domain privileged account can log in. Usually you use the NT Primary Domain Controller (PDC), but your NT network may be configured so that an account on another machine has domain privileges. If this is the case, then you can install the NT synchronization service on that alternate machine.

Netscape recommends that you install the synchronization service on a PDC. However, if you choose to install on a non-PDC system, NT passwords will not be synchronized to the Directory Server and you must do the following so that the service can manage the NT domain's SAM file:

  1. Locate an NT account that has domain privileges.
  2. From the Service Control Panel, select the NT Directory Synchronization Service.
  3. Click "Startup."
  4. In the "Log On As:" section, click "This Account."
  5. Overwrite "LocalSystem" with the NT user name that has domain privileges.
  6. Enter and confirm the user account's password.
  7. Click OK.

Configuring the Directory Server for NT Synchronization
Before you can use the NT Synchronization Service, you must configure your Directory Server for use with the synchronization service. This involves doing the following:


Configuring the Synchronization Service
You use the synchronization service configuration tool to configure your synchronization service. This tool is described in the Netscape Directory Server Administrator's Guide and in the help system available through the configuration tool. Complete the following in order to successfully start synchronization:

Step 1: Configure Service Settings

In the Service Settings tab:

  1. Enter the name of the domain that the synchronization service will manage, or the name of the Primary Domain Controller (PDC) that manages the domain.
  2. If you are installing the synchronization service for test purposes on a Windows NT Workstation that is not a domain member, enter the workstation hostname and the synchronization service will use the SAM file/directory of this workstation.

    This field should default to the correct value unless you are installing the synchronization service on a machine that is not the PDC. If you are not installing on the PDC, see "Configuration on a Non-Primary Domain Controller" for additional setup information.

  3. Enter the port number on your local Windows NT system that the configuration tool uses to communicate with the synchronization service. Enter a unique port number in this field. The default port number is 5007. The port number can be any number between 1 and 65535 that is not in use by other TCP/IP applications.
  4. Enter the location of the synchronization service event log file. This log file is used by the synchronization service to record significant events and problems. Each time a user or group is added, deleted, modified, or renamed in the Windows NT domain, the synchronization service records the event to this file.
  5. Indicate whether you want to use SSL for synchronization. It is strongly recommended that you use SSL for synchronization because the synchronization service transmits user passwords to the Directory Server.
  6. Enter the location of the certificate database file. This field is required if you are using SSL.
  7. If you have a certificate database that you created for your Windows NT-based Netscape Directory Server, then it is sufficient to reference that database in this field. If the Directory Server is installed on a Unix system, just copy the Directory Server certificate database to the synchronization service's host machine.

    The database must be on a local disk, so even if your Directory Server is installed on a Windows NT machine, you may still have to physically copy the Directory Server's certificate database to the synchronization service's Windows NT host.

    Alternatively, you can use Netscape Communicator 4.x to create a certificate database for use with your NT synchronization service (if you do this, you only need to trust your Directory Server's certificate authority; you do not need to obtain any kind of a server or client certificate).

    For information on how to create certificate database files for use with Directory Server clients, see the Netscape Directory Server Administrator's Guide.

Step 2: Configure Directory Server Settings

In the Directory Server Settings tab, identify the following:

Note. If the name of the directory subtree you want to use as the directory base for either users or groups contains a comma, you must escape the comma with a backslash (\) when you enter the value in the directory base field. For example, to use the Airius Bolivia, S.A. subtree as the directory base, you would enter Airius Bolivia\, S.A. in the directory base field.
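
The escaping rule in the note above, as an added example that is not part of the original guide or of Netscape's tools: it escapes a subtree name, splits a DN on unescaped commas, and flags the stray component an unescaped comma produces. It goes beyond the comma to the other characters RFC 4514 requires escaping in a DN value; the guide itself documents only the comma, and the `o=`/`c=` attribute types and full DNs are constructed for illustration.

```python
# Added illustration; the o=/c= attribute types and full DNs are constructed.
SPECIALS = set(',+"\\<>;')  # characters RFC 4514 requires escaping in a value

def escape_rdn_value(value):
    """Backslash-escape one attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in SPECIALS or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def split_dn(dn):
    """Split a DN into RDN components on commas that are not escaped."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).lstrip())
    return parts

def malformed_rdns(dn):
    """Return components with no attribute type, a sign of an unescaped comma."""
    return [p for p in split_dn(dn) if "=" not in p]

if __name__ == "__main__":
    name = "Airius Bolivia, S.A."
    bad = "o=" + name + ",c=BO"                      # comma left unescaped
    good = "o=" + escape_rdn_value(name) + ",c=BO"   # comma escaped
    for dn in (bad, good):
        print(dn, "->", split_dn(dn), "malformed:", malformed_rdns(dn))
```

With the comma unescaped, the name is read as two components and `S.A.` is reported as malformed, so the directory base no longer names the intended subtree.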

Step 3: Configure NT-to-Directory Synchronization

If you are supporting NT-to-directory synchronization, go to the Synchronization Schedule tab and examine the schedule configured there. Directory-to-NT synchronization is not affected by this schedule; that form of synchronization occurs over the non-LDAP port immediately upon a relevant change being made to the directory.

Step 4: Configure Account Details

If you are supporting NT-to-directory synchronization, there are two options you can select on the Accounts tab:


Starting and Stopping the NT Synchronization Service
To start the synchronization service, go to the Status tab in the configuration tool and click Start or reboot the system. The synchronization service is configured to start whenever the Windows NT host is started.

When you first install and configure the synchronization service, you must reboot the synchronization service's host machine to start the synchronization service.

If you do not want the synchronization service to start when the Windows NT host is booted, you must change the service's startup state from Automatic to Manual. You do this using the Windows NT Services control panel.

 

© Copyright 1999 Netscape Communications Corporation, All Rights Reserved.