Using Services for Unix to Integrate Unix Environments with Exchange Server 2003


In addition to the MIIS 2003 directory synchronization tools available for synching to Unix-based directory systems, a series of tools is available from Microsoft to supply this functionality as well. The tools are known as Services for Unix (SFU), as illustrated in Figure 6.4, and include advanced functionality that can be used to integrate Unix systems into an Exchange Server 2003 environment.

Figure 6.4. Services for Unix.


Services for Unix Defined

For many years, Unix and Windows systems were viewed as separate, incompatible environments that were physically, technically, and ideologically different. Over the years, however, organizations found that supporting two completely separate topologies within their environments was inefficient and expensive; much redundant work was also required to maintain multiple sets of user accounts, passwords, environments, and so on.

Slowly, the means to interoperate between these environments was developed. At first, most of the interoperability tools were written to join Unix with Windows, as evidenced by Samba, which lets Linux/Unix platforms access Windows NT file shares. Other interoperability tools were developed as well, but Microsoft was accused of pretending that Unix did not exist, and subsequently its Unix interoperability tools were not well developed.

The development of SFU for Windows Server 2003 signaled a change to this strategy. Microsoft developers spent a great deal of time developing tools for Unix that focused not only on migration, but also on interoperability. Long-awaited functionality, such as password synchronization, Unix scripts on Windows, joint security credentials, and the like, was presented as a viable option and can be considered as part of a migration to, or interoperability scenario with, Windows Server 2003.

SFU is composed of several key components, each of which provides a specific integration task with different Unix environments. Any or all of these components can be used as part of SFU because the installation of the suite can be customized, depending on an organization's needs. The major components of SFU are as follows:

  • Interix

  • Gateway for NFS

  • NFS Client

  • NFS Server

  • User Name Mapping

  • Password Synchronization

  • NIS Domains

Each component can be installed separately, or multiple components can be installed on a single server, as required. Each component is described in more detail in the following sections.

Understanding Services for Unix Prerequisites

SFU interoperates with various "flavors" of Unix but was tested and specifically written for use with the following Unix iterations:

  • Sun Solaris 2.7

  • Red Hat Linux 7.0

  • Hewlett-Packard HP-UX 11

  • IBM AIX 4.3.3

NOTE

SFU is not limited to Sun Solaris, Red Hat Linux, HP-UX, or IBM AIX. It actually performs quite well in various other similar Unix implementations, but has not been tested to the same degree as with the most common Unix versions.


SFU has some other important prerequisites and limitations that must be taken into account before considering it for use in an environment:

  • The Server for NIS must be installed on an Active Directory domain controller.

  • The NFS Client and Gateway for NFS components cannot be installed on the same server.

  • Password synchronization requires installation on domain controllers in each environment.

  • The Server for NIS Authentication component must be installed on all domain controllers in the domain in which security credentials will be used.

Outlining the Role of Interix As a Component of Services for Unix

There is one major change to the new version of SFU. Interix, a previously standalone product from SFU 2.0, has been integrated into the Services for Unix package. Interix is an extension to the Windows POSIX subsystem that enables the native execution of Unix scripts and applications in a Windows environment. Interix is not an emulation product, and all applications and scripts run natively in the built-in POSIX subsystem of Windows Server 2003.

Interix fills the gap between development on Unix platforms and development in Windows. It was written to enable programmers familiar with Unix to continue to use the most familiar programming tools and scripts, such as grep, tar, cut, awk, and many others. In addition, with limited reprogramming efforts, applications that run on Unix-based systems can be ported over to the Wintel platform, building on the low cost of ownership of Windows while retaining software investments from Unix.

Understanding Interix Scripting

The Korn and C Shells are both available in the Interix environment, and both behave exactly as they would in Unix. SFU also supports the single-rooted file system through these shells, which negates the need to convert scripts to support drive letters.

Outlining Interix Tools and Programming Languages

Interix supports all common Unix tools and utilities, with all the familiar commands such as grep, man, pr, nice, ps, kill, and many others. Each tool was built to respond exactly the way it is expected to behave, and Interix users can build or import their own customizable tools using the same procedures that they would in a Unix environment.

SFU streamlines the sharing of information between Unix and Windows Server 2003, allowing users from both environments to seamlessly access data from each separate environment, without the need for specialized client software. Using the Gateway for NFS, Server for NFS, and NFS Client enables this level of functionality and provides a more integrated environment.

Synchronizing Users with SFU

The goal of single sign-on, in which users on a network log in once and then have access to multiple resources and environments, is still a long way off. It is common for a regular user to maintain and use three or more separate usernames and associated sets of passwords. SFU goes a long way toward making single sign-on a reality, however, with the User Name Mapping and Password Synchronization capabilities.

Detailing User Name Mapping in SFU

User Name Mapping enables specific user accounts in Windows Server 2003 Active Directory to be associated with corresponding Unix user accounts. Because Exchange Server 2003 uses AD, it becomes easier to integrate Unix user accounts with their corresponding mailboxes in Exchange. In addition to mapping identically named user accounts, User Name Mapping enables the association of user accounts with different names in each organization. This factor is particularly useful considering the fact that Unix user accounts are case-sensitive, whereas Windows accounts are not. User Name Mapping, along with many components of Services for Unix, can be installed on a standalone server. In addition, User Name Mapping supports the ability to map multiple Windows user accounts to a single user account in Unix. This capability enables, for example, multiple administrators to map Windows Server 2003 Active Directory accounts with the Unix root administrator account.
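
An audit of the mappings described above, as an added example (not from the book and not SFU's own code): it flags Windows accounts mapped to a UID 0 account, many-to-one mappings, mappings to Unix names that do not exist, and Unix names that differ only by case. The `DOMAIN\user -> unixname` export layout and every account name below are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample data. The "DOMAIN\user -> unixname" layout is an
# assumption for illustration, not SFU's own export format.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
jsmith:x:1001:100:J Smith:/home/jsmith:/bin/ksh
JSmith:x:1002:100:Jane Smith:/home/JSmith:/bin/ksh
backup:x:0:0:backup operator:/var/backup:/bin/sh
"""
MAPPINGS = """\
CORP\\Administrator -> root
CORP\\alice.admin -> root
CORP\\jsmith -> jsmith
CORP\\svc-backup -> backup
CORP\\bob -> bjones
"""

def parse_passwd(text):
    """Return {unix_name: uid} from passwd-format text."""
    uids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids[fields[0]] = int(fields[2])
    return uids

def audit(mappings_text, passwd_text):
    """Return sorted findings as (kind, unix_name, windows_accounts)."""
    uids, by_unix = parse_passwd(passwd_text), defaultdict(list)
    for line in mappings_text.splitlines():
        if "->" in line:
            win, unix = (part.strip() for part in line.split("->", 1))
            by_unix[unix].append(win)
    folded = defaultdict(set)  # Unix names grouped case-insensitively
    for name in uids:
        folded[name.lower()].add(name)
    findings = []
    for unix, wins in by_unix.items():
        if unix not in uids:
            findings.append(("unknown-unix-account", unix, tuple(wins)))
            continue
        if uids[unix] == 0:  # check the UID, not the name "root"
            findings.append(("maps-to-uid0", unix, tuple(wins)))
        if len(wins) > 1:
            findings.append(("many-to-one", unix, tuple(wins)))
        if len(folded[unix.lower()]) > 1:
            findings.append(("case-ambiguous", unix, tuple(wins)))
    return sorted(findings)
```

Checking the UID rather than the account name is what surfaces the constructed `backup` account, which carries UID 0 without being named root.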

Performing Password Synchronization with SFU

Going hand in hand with the User Name Mapping service, password synchronization enables those user accounts that have been mapped to automatically update their passwords between the two environments. This functionality allows users on either side to change their passwords and have the changes reflected on the mapped user accounts in the opposite platform.

As previously mentioned, password synchronization must be installed on all domain controllers on the Active Directory side because all the DCs must be able to understand the Unix password requests forwarded to them. In addition, password synchronization is supported "out of the box" on only the following Unix platforms:

  • Solaris 7 and 8

  • Red Hat Linux 6.2 and 7.0

  • HP-UX 11

All other flavors of Unix require a recompile of the platform, which is made easier by the inclusion of make files and SFU source code.



Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
EAN: 2147483647
Year: 2003
Pages: 393
Authors: Rand Morimoto
