Preventing enrollment and propagation to an integrated Windows server
There are several reasons why you might want to prevent i5/OS™ user profile
propagation to a particular integrated server:
- If there are multiple integrated servers that belong to the same domain,
and they are all on the same i5/OS partition, user profile enrollment will,
by default, go through all of the integrated servers in that partition. To
reduce network traffic you can turn off enrollment to all integrated servers
on the domain except one. This single integrated server would normally be
the domain controller, if it is in the partition.
- If there are multiple integrated servers that belong to the same domain,
but they are all on different i5/OS partitions, there is a risk of the QAS400NT
passwords getting out of synchronization and causing problems with user profile
enrollment. By preventing propagation of the QAS400NT user profiles from all i5/OS partitions except one, you can reduce the risk of enrollment problems.
Notice that the other i5/OS partitions keep sufficient authority to enroll users.
A failure to change the QAS400NT password on one of those other partitions then
prevents user enrollment from that partition only.
There are two methods to prevent i5/OS user profile propagation to a particular
integrated server:
- Use the Propagate Domain User (PRPDMNUSR) parameter. See below for a description
of how to do this.
- Create data areas with the Create data area (CRTDTAARA) command. See below
for a description of how to do this.
Using the PRPDMNUSR parameter to prevent enrollment to a domain through a specific integrated server
The Propagate domain user (PRPDMNUSR) parameter of the Change network server
description (CHGNWSD) command can be used to prevent user enrollment to a
domain through a specific integrated server. You can also set this parameter
when installing an integrated server using the Install Windows Server (INSWNTSVR)
command. This option is useful where a single i5/OS partition controls multiple
integrated Windows servers that belong to the same domain, because it lets you
turn off enrollment for all of those integrated servers except one.
To use the PRPDMNUSR parameter to prevent user enrollment, proceed as follows:
- Using the Work with Network Server Description (WRKNWSD) command, select
the integrated server you wish to stop enrollment on. (You do not need to
vary off the server.)
- Enter the command: CHGNWSD NWSD(nwsdname) PRPDMNUSR(*NO)
Notes:
- Do not turn enrollment off for all of the integrated servers on the domain.
Otherwise all your users may go to update pending (*UPDPND) status, and no
further propagation takes place.
- You may want to leave two integrated servers enabled for user enrollment
so that you can still make changes if one of the servers is down.
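The following CL program shows the PRPDMNUSR procedure applied to a whole partition at once, with a guard for the first note above: it refuses to run if the server that is to stay enabled is not in the list, so you can never end up with every integrated server on the domain turned off. This is an added example, not IBM's code or text; it assumes a V5R3-or-later CL compiler (for DOFOR and SELECT), that the NWSD names are passed as 10-character parameters, and that an unused slot is passed as blanks. The program name DSBPRPDMN and the parameter names are illustrative.

```cl
/* DSBPRPDMN - set PRPDMNUSR(*NO) on every integrated server in the     */
/* list except the one that must stay enabled for domain enrollment.    */
/* Added example, not IBM's code. Assumes V5R3+ CL (DOFOR, SELECT) and  */
/* that the four parameters are 10-character NWSD names (blank = unused).*/
PGM PARM(&KEEP &SVR1 &SVR2 &SVR3)
  DCL VAR(&KEEP)  TYPE(*CHAR) LEN(10)   /* server that keeps enrollment */
  DCL VAR(&SVR1)  TYPE(*CHAR) LEN(10)
  DCL VAR(&SVR2)  TYPE(*CHAR) LEN(10)
  DCL VAR(&SVR3)  TYPE(*CHAR) LEN(10)
  DCL VAR(&CUR)   TYPE(*CHAR) LEN(10)
  DCL VAR(&I)     TYPE(*INT)  LEN(4)

  /* Guard: the keeper must be one of the listed servers. Otherwise      */
  /* every server on the domain would get PRPDMNUSR(*NO), users would   */
  /* sit in *UPDPND status and no propagation would take place.         */
  IF COND(&KEEP *NE &SVR1 *AND &KEEP *NE &SVR2 *AND +
          &KEEP *NE &SVR3) THEN(DO)
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
              MSGDTA('Server' *BCAT &KEEP *BCAT +
                     'is not in the list; nothing changed')
  ENDDO

  DOFOR VAR(&I) FROM(1) TO(3)
    SELECT
      WHEN COND(&I *EQ 1) THEN(CHGVAR VAR(&CUR) VALUE(&SVR1))
      WHEN COND(&I *EQ 2) THEN(CHGVAR VAR(&CUR) VALUE(&SVR2))
      OTHERWISE CMD(CHGVAR VAR(&CUR) VALUE(&SVR3))
    ENDSELECT
    /* Skip the keeper and empty slots. The server does not need to be   */
    /* varied off for CHGNWSD PRPDMNUSR to take effect.                  */
    IF COND(&CUR *NE ' ' *AND &CUR *NE &KEEP) THEN(DO)
      CHGNWSD NWSD(&CUR) PRPDMNUSR(*NO)
      /* Report a failure for this server but carry on with the others.  */
      MONMSG MSGID(CPF0000) EXEC(DO)
        SNDPGMMSG MSG('CHGNWSD PRPDMNUSR(*NO) failed for' *BCAT &CUR +
                      *BCAT '- see job log')
      ENDDO
    ENDDO
  ENDDO
ENDPGM
```

Usage, with the domain controller kept enabled and two application servers turned off (names are constructed for the example): CALL PGM(DSBPRPDMN) PARM('WINDC01' 'WINDC01' 'WINAPP01' 'WINAPP02'). If you want two servers left enabled, as the second note suggests, simply omit the second one from the list of servers to change.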
Using the CRTDTAARA command to prevent enrollment of QAS400NT to a specific integrated server
The Create Data Area (CRTDTAARA) command can be used to prevent enrollment
of the QAS400NT user profile only, for the specified integrated server. The
propagation of other user profiles is not affected. This option may be useful
in the case where there are multiple integrated servers that belong to the
same domain, but they are all on different i5/OS partitions. You want to enroll user profiles
from these different i5/OS partitions, but not have multiple QAS400NT user profiles
propagating passwords to the domain. Follow these steps:
- Choose one i5/OS partition that you wish to use for enrollment of
QAS400NT on the domain. Ensure that QAS400NT is enrolled on this i5/OS partition.
- If QAS400NT is enrolled on other i5/OS partitions follow these steps:
- On the domain controller, add the QAS400NT user account to the OS400_Permanent_Users
group to ensure that it is not deleted.
- On the i5/OS partitions where you want to prevent enrollment of QAS400NT, delete
the QAS400NT user profile.
- On the i5/OS partitions where you want to prevent enrollment of QAS400NT, create
a data area with this command:
CRTDTAARA DTAARA(QUSRSYS/nwsdnameAU) TYPE(*CHAR) LEN(10) VALUE( *NOPROP )
where nwsdname is the name of the network server description for the integrated
server, and *NOPROP is the keyword that signals that QAS400NT user profile
parameters (including the password) are not propagated from this i5/OS partition.
- Create and enroll the QAS400NT user profile on each of the i5/OS partitions
you created the data area on. Notice that you still need to keep the QAS400NT
password current (not expired) on all these i5/OS partitions for enrollment of user profiles
(other than QAS400NT) to occur. Because the QAS400NT password is not propagated,
it does not matter what the password is, as long as it is not expired.
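Because the only evidence that QAS400NT propagation is blocked from a partition is the presence and value of the nwsdnameAU data area, it is worth having a way to audit that state rather than relying on memory. The CL program below, an added example and not IBM's code, reports for a given network server description whether the data area exists and whether it actually holds *NOPROP (a data area that exists with some other value does not block propagation). It assumes the QUSRSYS/nwsdnameAU naming convention from this page; the program name CHKNOPROP is illustrative.

```cl
/* CHKNOPROP - report whether QAS400NT propagation is blocked from this  */
/* i5/OS partition for the integrated server named in &NWSD.             */
/* Added example, not IBM's code. Assumes the QUSRSYS/nwsdnameAU data    */
/* area convention described on this page.                               */
PGM PARM(&NWSD)
  DCL VAR(&NWSD)   TYPE(*CHAR) LEN(10)
  DCL VAR(&DTAARA) TYPE(*CHAR) LEN(10)
  DCL VAR(&VAL)    TYPE(*CHAR) LEN(10)

  /* Build the data area name: NWSD name with trailing blanks removed    */
  /* (*TCAT) and AU appended, so an 8-character NWSD name fits in 10.    */
  CHGVAR VAR(&DTAARA) VALUE(&NWSD *TCAT 'AU')

  /* No data area at all means the default applies: QAS400NT (and its    */
  /* password) IS propagated from this partition.                        */
  CHKOBJ OBJ(QUSRSYS/&DTAARA) OBJTYPE(*DTAARA)
  MONMSG MSGID(CPF9801) EXEC(DO)
    SNDPGMMSG MSG('QAS400NT propagation ENABLED for' *BCAT &NWSD +
                  *BCAT '(no' *BCAT &DTAARA *BCAT 'data area in QUSRSYS)')
    RETURN
  ENDDO

  /* The data area exists; only the exact keyword *NOPROP blocks         */
  /* propagation, so check the value rather than just the object.        */
  RTVDTAARA DTAARA(QUSRSYS/&DTAARA) RTNVAR(&VAL)
  IF COND(&VAL *EQ '*NOPROP') THEN(DO)
    SNDPGMMSG MSG('QAS400NT propagation BLOCKED for' *BCAT &NWSD +
                  *BCAT 'by' *BCAT &DTAARA)
  ENDDO
  ELSE CMD(DO)
    SNDPGMMSG MSG('Data area' *BCAT &DTAARA *BCAT 'exists but holds' +
                  *BCAT &VAL *BCAT '- propagation is NOT blocked')
  ENDDO
ENDPGM
```

Run it on each partition that should not be propagating QAS400NT, for example CALL PGM(CHKNOPROP) PARM('WINAPP01') with a constructed NWSD name; exactly one partition per domain should report ENABLED. Remember that a BLOCKED result still requires the local QAS400NT profile to exist with an unexpired password, otherwise enrollment of the other user profiles from that partition stops.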