friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
0332907f0f
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahq_5.4.0.1/rzahqpreventingenrollment.htm

101 lines
6.8 KiB
HTML
Raw Blame History

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-13" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Preventing enrollment and propagation to an integrated Windows server</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahqpreventingenrollment"></a>
<h2 id="rzahqpreventingenrollment">Preventing enrollment and propagation to an integrated Windows server</h2>
<p>There are several reasons why you might want to prevent i5/OS&trade; user profile
propagation to a particular integrated server:</p>
<ul>
<li>If there are multiple integrated servers that belong to the same domain,
and they are all on the same i5/OS partition, user profile enrollment will,
by default, go through all of the integrated servers in that partition. To
reduce network traffic you can turn off enrollment to all integrated servers
on the domain except one. This single integrated server would normally be
the domain controller, if it is in the partition.</li>
<li>If there are multiple integrated servers that belong to the same domain,
but they are all on different i5/OS partitions, there is a risk of the QAS400NT
passwords getting out of synchronization and causing problems with user profile
enrollment. By preventing propagation of the QAS400NT user profiles from all i5/OS partitions except one, you can reduce the risk of enrollment problems.
Notice that the other i5/OS partitions keep sufficient authority to enroll users.
Then, failure to change a password on one of the other partitions prevents
user enrollment from that partition only.</li></ul><p class="indatacontent">There are two methods to prevent i5/OS user profile propagation to a particular
integrated server:</p>
<ul>
<li>Use the Propagate Domain User (PRPDMNUSR) parameter. See below for a description
of how to do this.</li>
<li>Create data areas with the Create data area (CRTDTAARA) command. See below
for a description of how to do this.</li></ul><p class="indatacontent"> <span class="bold">Using the PRPDMNUSR parameter to prevent enrollment
to a domain through a specific integrated server</span></p>
<p>The Propagate domain user (PRPDMNUSR) parameter of the Change network server
description (CHGNWSD) command can be used to prevent user enrollment to a
domain through a specific integrated server. You can also set this parameter
when installing an integrated server using the Install Windows Server (INSWNTSVR)
command. This option may be useful in the case where there is a single i5/OS partition which controls multiple integrated Windows servers that belong
to the same domain, because it can turn off enrollment for all integrated
servers except one.</p>
<p>To use the PRPDMNUSR parameter to prevent user enrollment, proceed as follows:</p>
<ol type="1">
<li>Using the Work with Network Server Description (WRKNWSD) command, select
the integrated server you wish to stop enrollment on. (You do not need to
vary off the server.)</li>
<li>Enter the command: <tt>CHGNWSD NWSD(nwsdname) PRPDMNUSR(*NO)</tt></li></ol><span class="bold">Notes:</span>
<ul>
<li>Do not turn enrollment off for all of the integrated servers on the domain.
Otherwise all your users may go to update pending (*UPDPND) status, and no
further propagation takes place.</li>
<li>You may want to leave two integrated servers enabled for user enrollment
so that you can still make changes if one of the servers is down.</li></ul><span class="bold">Using the CRTDTAARA command to prevent enrollment of
QAS400NT to a specific integrated server</span>
<p>The Create Data Area (CRTDTAARA) command can be used to prevent enrollment
of the QAS400NT user profile only, for the specified integrated server. The
propagation of other user profiles is not affected. This option may be useful
in the case where there are multiple integrated servers that belong to the
same domain, but they are all on different i5/OS partitions. You want to enroll user profiles
from these different i5/OS partitions, but not have multiple QAS400NT user profiles
propagating passwords to the domain. Follow these steps:</p>
<ol type="1">
<li>Choose one i5/OS partition that you wish to use for enrollment of
QAS400NT on the domain. Ensure that QAS400NT is enrolled on this i5/OS partition.</li>
<li>If QAS400NT is enrolled on other i5/OS partitions follow these steps:
<ol type="a">
<li>On the domain controller, add the QAS400NT user account to the OS400_Permanent_Users
group to ensure that it is not deleted.</li>
<li>On the i5/OS partitions where you want to prevent enrollment of QAS400NT, delete
the QAS400NT user profile.</li></ol></li>
<li>On the i5/OS partitions where you want to prevent enrollment of QAS400NT, create
a data area with this command:
<pre class="xmp">CRTDTAARA DTAARA(QUSRSYS/nwsdnameAU) TYPE(*CHAR) LEN(10) VALUE( *NOPROP )</pre> where <span class="bold">nwsdname</span> is the name of the network server
description for the integrated server, and <span class="bold">*NOPROP</span> is
the keyword that signals that QAS400NT user profile parameters (including
the password) are not propagated from this i5/OS partition.</li>
<li>Create and enroll the QAS400NT user profile on each of the i5/OS partitions
you created the data area on. Notice that you still need to keep the QAS400NT
password current (not expired) on all these i5/OS partitions for enrollment of user profiles
(other than QAS400NT) to occur. Because the QAS400NT password is not propagated,
it does not matter what the password is, as long as it is not expired.</li></ol>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink