Domain Services for Windows (DSfW) is a product suite bundled with Open Enterprise Server (OES) starting from OES2 SP1 release. Till OES2 SP2 release, the DSfW domain boundary is restricted to a single eDirectory partition. This eDirectory partition is the one that the domain is mapped to. For ex: if domain acme.com is mapped to eDirectory partition ou=acme,o=acme_root, then the domain acme.com covers only the objects (users, groups, containers) of this single partition alone.
Before we get into the DSfW domain boundary enhancement, let's take a look at the mapping of a DSfW domain. Unlike in the Active Directory model, where the domain namespace and the LDAP namespace always overlap i.e. acme.com is mapped to dc=acme,dc=com, it is different with DSfW. This difference brings in a lot of flexibility in DSfW. Thus a domain namespace can be mapped to any eDirectory namespace (given that the conditions are met). One of the conditions is that the mapping of a child domain is always below and within the subtree of the parent domain mapping. For Ex: if acme.com is mapped to ou=acme,o=acme_root, then child domain engg.acme.com should be mapped to some partition that lies below ou=acme,o=acme_root i.e. ou=…,ou=…,ou=acme,o=acme_root.
By now it is obvious that a DSfW domain is mapped to an eDirectory partition. For a non-name mapped kind of installation, this mapping is implicit. However, for this discussion, the non-name mapped kind can be ignored.
Starting from OES2 SP3, a DSfW domain can be extended beyond the mapped eDirectory partition. What this means is a single DSfW domain can cover more than one eDirectory partition. These additional partitions that a DSfW domain can cover should be continuous, hierarchical and under the subtree of the mapped eDirectory partition. The list of eDirectory partitions covered under a DSfW domain can change reflecting the current needs of an enterprise.
In the above diagram, till OES2 SP2 release, a DSfW domain can cover just one partition. Hence there are 3 domains to cover the 3 partitions of the subtree. With OES2 SP3, it is possible to cover the whole subtree with 3 partitions in a single DSfW domain.
The ability to cover all of the subtree in a single DSfW domain provides a lot of benefits. A few mentioned below are
Reduced number of domains
Reduced Administration – only one domain to manage
DSfW domain boundary management
We looked at the details and benefits of the DSfW domain boundary enhancement. In this section, let's take a look at how to manage the DSfW domain boundary.
The DSfW domain boundary can be managed using the command line tool – domaincntrl. This tool is located at /opt/novell/xad/sbin/domaincntrl.
This tool has 3 basic operations
add – adds a new eDirectory partition to the DSfW domain
remove – removes an existing eDirectory partition from the DSfW domain
list – lists the current set of eDirectory partition of a DSfW domain
Let's run through an example, to get an understanding of the domaincntrl tool
Failed to get the handle, probably the kerberos ticket is not available, Local error
The above command fails as the Kerberos ticket cache is empty as shown in the below command
bfrd:~ # klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached
Get the kerberos ticket for the domain administrator bfrd:~ # kinit administrator Password for administrator@TWOW.EDC:
bfrd:~ # domaincntrl --list
The partitions that are part of the domain twow.edc are: dc=twow,dc=edc
The command now lists the current eDirectory partition set. It contains only the mapped eDirectory partition.
bfrd:~ # domaincntrl --add
Select one of the partition to add it to the domain name space.
Enter 'q' to escape the operation. Choose the partition:1 Validating the partition for addition. Verifying if ou=bldg1,dc=twow,dc=edc is a partition. Verifying if ou=bldg1,dc=twow,dc=edc is under domain root partition. Verifying if ou=bldg1,dc=twow,dc=edc is part of any other domain. Verifying that all the domain controllers of twow.edc hold the replica of the partition ou=bldg1,dc=twow,dc=edc. Verifying if addition of this partition ou=bldg1,dc=twow,dc=edc will introduce gaps in the domain name space. Verifying if dc=twow,dc=edc is a partition. Verifying if dc=twow,dc=edc is already a domain partition. The selected partition dc=twow,dc=edc is a domain partition Waiting for domain boundary change information to sync Successfully extended the domain partition boundary with ou=bldg1,dc=twow,dc=edc Verifying if the partition ou=bldg1,dc=twow,dc=edc is associated with a password policy. Samifying the partition ou=bldg1,dc=twow,dc=edc
The 'domaincntrl –add' lists the list of eDirectory partitions that can be added to the DSfW domain. The list here has one entry. On selecting the eDirectory partition, after a set of validations, the eDirectory partition is added to the DSfW domain which is reflecting in the below command.
bfrd:~ # domaincntrl --list
The partitions that are part of the domain twow.edc are: dc=twow,dc=edc ou=bldg1,dc=twow,dc=edc