Steve,

Our IXA used to do a lot more, such as WINS, DNS, DHCP, file serving and a
couple of other odd jobs.  At the time it was the only Windows Server in
the company.  Our IXA is in an older 720, and is an Intel Pentium Pro 333
(if memory serves) so it is getting a bit long in the tooth.  We moved most
of the functions off of the IXA, and onto a newer xSeries server.

As far as the integration between the OS/400 user profiles and the AD user
profiles, the method we use to manage it is still manual.  After the OS/400
user profile is created, we use the CHGNWSUSRA USRPRF(profile)
WNTDMNLST((YourDomainNameHere *NONE *GLOBAL)) to initiate the
synchronization and create the windows user profile.  You could use a user
profile as a template on which to base all of your new profiles (to assign
them to user groups and such), but we don't.  From that point on the OS/400
user profile is the "master" but as far as I can tell, it is a one way
link.  If the OS/400 user profile is disabled, the corresponding AD profile
will be disabled.  Also, when the user needs to change their password, they
need to change it in OS/400, we have not found a way to have it propagate
password changes from windows up to the AS/400 yet.  If the OS/400 user
profile is deleted, the AD profile is also deleted, but it takes a little
while for the changes to propagate across other AD servers, so the profile
may remain behind for a short period of time.

If you are considering implementing this in a large organization, I would
look into it further to see if there are some important elements that we
missed when we originally set this up in v4r4.  We are in the process of
re-evaluating this methodology as I've seen a couple of possibilities in
v5r2 that may allow a different setup.

Ultimately, it's very simple, it does work, and it could be automated
though either some CL or other scripting programming to reduce the number
of manual steps.



Good luck, and I hope that helps,


Keith Blazek
MIS Coordinator


security400-bounces@xxxxxxxxxxxx wrote on 04/06/2004 11:58:49 AM:

>> <keith@xxxxxxxxx> wrote in message
>>
news:OF552344ED.B291AB9E-ON85256E6E.0009BA2D-85256E6E.0009F5B0@xxxxxxxxxxxx
>>
>> "Not sure if you ever got your answer, but we do that here. We have a
>> Windows 2000 Server setup as a (backward compatible) PDC and it runs
active
>> directory. When we disable an AS/400 account it is disabled network
>> wide. Works pretty well, but your windows admins won't like it."
>>
>> Keith -
>
> Does your IXS/IXA do anything other than synchronize security between AD
and
> OS/400?
>
> If you delete an account on your 400, does it also delete the
corresponding
> AD account?
>
> If a user changes their AD password, does it also change the OS/400
> password?
>
> Why won't the Windows admins like it?
>
> Curious,
>
> Steve




This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].