IBM Server Integration for Small and Medium Businesses: E

IBM eServer iSeries Windows Server Integration for Small and Medium Businesses:
An Application-Serving Network Example Using Citrix Access Suite Presentation Server on Integrated xSeries Systems
Helping the iSeries-trained understand Windows application serving
iSeries integration with Windows Servers: an application serving example
Example infrastructure for you to build on
Richard Pineda
Frank Boerner
Jim Cook
ibm.com/redbooks
Redpaper
International Technical Support Organization
October 2005
Note: Before using this information and the product it supports, read the information in “Notices” on
page vii.
First Edition (October 2005)
This edition applies to Version 5, Release 3, Modification 0 of IBM i5/OS, Microsoft Windows 2003, and Citrix
Presentation Server as part of the complete Citrix Access Suite set of products.
© Copyright International Business Machines Corporation 2005. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
Contents
Notices
Trademarks
Preface
The team that wrote this Redpaper
Become a published author
Comments welcome
Chapter 1. Introduction to iSeries and Windows server integration and application serving
1.1 Scope of this practical example Redpaper
1.2 iSeries integration for Windows servers: advantages summary
1.2.1 Centralized Windows server management from an iSeries
1.3 Synchronized user administration
1.4 Exceptional storage management
1.5 Virtual Ethernet
1.6 Consolidated backup and recovery
1.7 Flexible, reliable server deployment
1.8 Software products used
1.9 Hardware products used
1.9.1 IXS features used
1.9.2 IXA attached xSeries servers used
Chapter 2. Planning your network and server infrastructure
2.1 Initial consideration: network and server availability
2.2 Size your current iSeries and Windows workloads
2.2.1 Integrated IBM eServer xSeries performance benchmark for Citrix Access Suite
2.3 Hardware and software inventory for your environment
2.3.1 iSeries hardware
2.3.2 iSeries software
2.3.3 Our example network infrastructures: brief description
2.4 Licensing considerations
2.4.1 i5/OS
2.4.2 Windows Server 2003
2.4.3 Microsoft SQL Server
2.4.4 Citrix Access Suite
2.5 Naming conventions
2.5.1 Components and names used in our example
2.6 Planning your sites, WAN and LAN infrastructure, firewall, DNS, and DHCP
2.6.1 Sites
2.6.2 WAN infrastructure and firewall
2.6.3 Domain Name System (DNS) and DHCP
2.7 Planning your Windows Environment and Active Directory
2.7.1 Disk space and drive mapping
2.7.2 Plan the parts of Active Directory
2.8 User propagation
2.8.1 Prepare User Profiles for our test scenario
2.9 Planning infrastructure to distribute Microsoft service packs and hotfixes
2.10 Planning for Citrix (MetaFrame) Presentation Server
2.11 Planning the applications to use with Citrix Presentation Server
2.11.1 iSeries Access for Windows
2.11.2 Microsoft Office
2.12 Printing
2.13 Backup, recovery, and failover
Chapter 3. Installing and customizing Windows Server 2003 in our example network
3.1 I5/OS tasks
3.1.1 Installing your Windows server under i5/OS
3.1.2 Setting up your network storage spaces
3.2 Windows server tasks
3.2.1 Install necessary device drivers
3.2.2 Configure the disk drives
3.2.3 Setting up virtual Ethernet on the Windows servers
3.3 Install additional components on the Windows servers
3.4 Domain controller
3.4.1 Windows components
3.4.2 Network printer configuration
3.4.3 Set up Active Directory
3.5 Additional infrastructure server
3.5.1 Windows components
3.5.2 Citrix MetaFrame Access Suite Licensing Services
3.5.3 Install and configure Microsoft SQL Server 2000
3.5.4 Microsoft Software Update Services
3.6 Windows Terminal Server to use for Citrix MetaFrame Presentation Server 3.0
3.6.1 Windows components
Chapter 4. Customizing Active Directory and the infrastructure
4.1 Setting up Active Directory
4.1.1 Run DCPROMO on the first domain controller
4.1.2 Additional configuration for the DNS server
4.1.3 Activate Terminal Server Licensing
4.1.4 Change the Site configuration
4.1.5 Create the organizational units (OU) structure
4.1.6 Create accounts for Windows services
4.1.7 Create and configure group policies
4.2 Configure the DHCP service
4.3 Adding Windows servers and clients to the Domain
4.4 Creating the folder structure on JFSRV001
4.5 Move Active Directory objects to the appropriate OU
4.6 Active Directory chapter summary
Chapter 5. Installing and customizing applications on Windows Terminal Servers
5.1 Install applications on Windows Terminal Server Services and Citrix
5.2 iSeries Access
5.3 Microsoft Office
Chapter 6. Installing and customizing Citrix Presentation Server
6.1 Install Citrix Presentation Server 3.0
6.1.1 Set up the database environment for Citrix Presentation Server
6.1.2 Install the Citrix products
6.2 Configure Citrix MetaFrame Presentation Server
6.2.1 Configure ICA Client Update
6.2.2 Basic configurations in the Citrix Management Console
6.3 Client access to the Citrix server farm
6.3.1 Citrix ICA Client for Windows
6.3.2 Citrix Web Interface access
6.4 Citrix Access Suite Console
Chapter 7. Set up the backup system for increased availability
7.1 Configure the backup iSeries system
7.2 Install additional components on the servers
7.3 Set up an additional domain controller on JFSRV101
7.3.1 Run DCPROMO
7.3.2 Install and activate Windows Terminal Server licensing
7.3.3 Site configuration
7.3.4 Configure DNS
7.3.5 Configure DHCP
7.4 Install the applications on JFSRV111 and JFSRV112 Windows servers
7.5 Install Citrix MetaFrame Presentation Server 3.0 on JFSRV111 and JFSRV112 Windows servers
7.6 Backup and recovery
Chapter 8. Backup and recovery possibilities
8.1 Daily file-level backups using Windows backup utilities
8.2 Planning for backup using i5/OS
8.3 Back up the Network Server Storage spaces
8.4 Save the Windows user data on file level
8.5 Back up and restore without file-level backup
Related publications
IBM Redbooks
Other publications
Online resources
How to get IBM Redbooks
Help from IBM
Index
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area. Any
reference to an IBM product, program, or service is not intended to state or imply that only that IBM product,
program, or service may be used. Any functionally equivalent product, program, or service that does not
infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to
evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The
furnishing of this document does not give you any license to these patents. You can send license inquiries, in
writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions are
inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may make
improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time
without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring
any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm the
accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrates programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the sample
programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore,
cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and
distribute these sample programs in any form without payment to IBM for the purposes of developing, using,
marketing, or distributing application programs conforming to IBM's application programming interfaces.
© Copyright IBM Corp. 2005. All rights reserved.
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
AIX®
AIX 5L™
AS/400®
Domino®
DB2®
DFS™
Eserver®
eServer™
i5/OS™
IBM®
iSeries™
Lotus®
Netfinity®
NetServer™
Notes®
OS/400®
POWER™
POWER5™
pSeries®
Redbooks™
Redbooks (logo)
ServerGuide™
Tivoli®
TotalStorage®
WebSphere®
xSeries®
z/OS®
zSeries®
The following terms are trademarks of other companies:
Active Directory, InfoPath, Microsoft, Outlook, Visio, Windows Server, Windows, and the Windows logo are
trademarks of Microsoft Corporation in the United States, other countries, or both.
Intel, Pentium, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered trademarks of
Intel Corporation or its subsidiaries in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks of others.
Microsoft product screen shot(s) reprinted with permission from Microsoft Corporation.
Preface
There are proven advantages of running Microsoft® Windows® Terminal Services and Citrix
applications on IBM® iSeries™ IXS (xSeries® server on a card under the iSeries hardware
enclosure) and IXA (xSeries server externally attached to the iSeries via external iSeries
system cabling). Base documentation already exists in the iSeries Information Center and
related IBM Redbooks™ about iSeries and Windows integration. The objective of this
Redpaper is to make it easier to get such a network up and running. This paper is intended for
iSeries-trained personnel who are responsible for getting a Windows applications-serving
environment, managed by Citrix applications, up and running—and taking advantage of
iSeries integration facilities.
We give specific examples using a sample network with an iSeries system and multiple
integrated xSeries servers using Windows Terminal Services, Citrix applications, and
Windows-based applications.
We build primarily on the contents of the redbook Microsoft Windows Server 2003 Integration
with iSeries, SG24-6959, extending the environment to Windows application serving. The
contents are presented in the following categories:
• Expanded planning considerations
• Setup of an example networking infrastructure
• Examples of setting up Microsoft Terminal Services, Active Directory®, and Software Update Services
• Examples of setting up Citrix Presentation Server and Citrix Access Suite support to manage some Windows-based applications including iSeries Access for Windows.
This Redpaper cannot make an iSeries-trained administrator self-sufficient in setting up such
a network that uses iSeries integration advantages. It does, however, facilitate getting such a
network up and running with the help of appropriate Windows and Citrix trained personnel.
The team that wrote this Redpaper
This Redpaper was produced by a team of specialists from around the world working at the
International Technical Support Organization, Rochester Center.
Frank Boerner is an IT Specialist from IBM Germany. He has 14 years of experience with
AS/400® Server, iSeries Server, and integrated operating environments, and more than eight
years of experience in Windows NT/2000/2003 and Citrix Presentation Server integration. He
also is an MCSE for Windows 2000.
Richard Pineda is an AS/400 Advisory IT Specialist at Tecnologia Avanzada del Ecuador. He
works in Technical Support, specializing in Windows 2000 and 2003, Active Directory, and Terminal
Services. He is a Citrix Certified Administrator (CCA) and Citrix Certified Enterprise
Administrator (CCEA). His areas of expertise include Client/Server Application development
on AS/400 systems and Windows servers.
Jim Cook is a Consulting IT Specialist in the IBM ITSO Rochester Center. He leads teams
that produce a set of iSeries Technical Overview announcement presentations that are
available at each major iSeries announcement on CD-ROM and at the IBM support Web site
(http://www.ibm.com/servers/eserver/support/iseries/index.html) under the Technical
Databases link. Jim also presents internationally at ITSO iSeries Technical forums and
produces ITSO Redbooks about various iSeries-related topics.
Thanks to the following people for their contributions to this project:
George Gaylord
IBM Systems & Technology Group, iSeries Product Marketing - Integrated xSeries Solutions
Bob Schuster
IBM Sales & Distribution, Operations, iSeries Advanced Technical Support (ATS)
Kyle Wurgler
Mike Schambureck
IBM Systems & Technology Group, System Sales, iSeries Technology Center (iTC)
Become a published author
Join us for a two- to six-week residency program! Help write an IBM Redbook dealing with
specific products or solutions, while getting hands-on experience with leading-edge
technologies. You’ll team with IBM technical professionals, Business Partners, and/or
customers.
Your efforts will help increase product acceptance and customer satisfaction. As a bonus,
you’ll develop a network of contacts in IBM development labs, and increase your productivity
and marketability.
Find out more about the residency program, browse the residency index, and apply online at:
ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our papers to be as helpful as possible. Send us your comments about this
Redpaper or other Redbooks in one of the following ways:
• Use the online Contact us review redbook form found at:
  ibm.com/redbooks
• Send your comments in an e-mail to:
  redbook@us.ibm.com
• Mail your comments to:
  IBM Corporation, International Technical Support Organization
  Dept. JLU, Building 107-2
  3605 Highway 52N
  Rochester, Minnesota 55901-7829
Chapter 1. Introduction to iSeries and Windows server integration and application serving
This chapter provides:
• A description of the scope of this Redpaper
• An expanded summary of the advantages for Windows server integration and consolidation in an IBM eServer iSeries environment
• Summary descriptions of the hardware and software products used in our practical example of setting up the infrastructure for managing a network of IBM eServer™ iSeries and xSeries systems supporting integrated i5/OS™ and Windows server-based applications.
1.1 Scope of this practical example Redpaper
Server consolidation is a hot topic in the industry. Logical partitioning (LPAR) is provided on
zSeries®, pSeries®, and iSeries systems and the supported operating systems:
• z/OS®
• AIX® 5 Versions 5.2 and 5.3 or later
• OS/400® starting with V4R5, and now in V5R3, rebranded as i5/OS V5R3
• Linux® for POWER™. Specific Linux distribution levels are certified by the distributors to run on POWER. When this Redpaper was written, this included:
  – SUSE LINUX Enterprise Server 9 for POWER
  – Red Hat Enterprise Linux AS4 for POWER
For several years, iSeries Integration for Windows server support (no-charge licensed
program 5722-WSV) has supported several Windows operating systems, such as Windows
2000 Server and Windows Server™ 2003, on an iSeries Integrated xSeries server (IXS) or an
xSeries server connected via an Integrated xSeries Adapter (IXA).
Regarding Linux (not the subject of this Redpaper), note that during 2004 and early 2005,
specific releases of Intel®-based Linux distributions from Red Hat and SUSE also were
enabled to run on an iSeries IXS or IXA. The specific Linux release distributions enabled on
iSeries IXS/IXA include:
• Selected xSeries servers attached via the iSeries IXA: Red Hat Enterprise Linux 3.0 ES Edition, Red Hat Enterprise Linux 3.0 AS Edition, SUSE LINUX Enterprise Server 8, and SUSE LINUX Enterprise Server 9
• On IXS servers: SUSE LINUX Enterprise Server 9 and Red Hat Enterprise Linux 3
For the latest information about iSeries integration with Windows servers, refer to:
http://www.ibm.com/servers/eserver/iseries/integratedxseries/
This Web site includes a link to a white paper titled A Simpler Way to Manage Windows
Server, written by an industry analyst.
For the latest information about iSeries integration with Linux, refer to:
http://www.ibm.com/servers/eserver/iseries/linux/
Given the resources available to develop this Redpaper, its scope is to:
• From an iSeries person’s viewpoint, demonstrate a basic running network of real Windows-based applications consolidated onto iSeries integrated xSeries systems, with the applications managed by Windows Terminal Services and Citrix Access Suite’s Citrix Presentation Server.
• Point the reader to available sizing guidance for the IXS or xSeries servers attached via the IXA, running Windows applications and managed by Citrix Presentation Server.
Note that the IXS hardware has single-processor capacity. Supported xSeries systems
attaching via the IXA can be 1-way, 2-way, 4-way, or up to 8-way systems.
The iSeries has two IXA model types: 1519-100 and 1519-200. The 1519-200 is required on
specific xSeries systems, and the 1519-100 is required on other xSeries systems attaching to
the iSeries system. Descriptions of the xSeries systems supported via an IXA can be found at:
http://www.ibm.com/eserver/iseries/integratedxseries/xseriesmodels/
Important:
In this Redpaper, we describe enough to demonstrate capabilities and provide planning
steps and tips we identified while writing it.
We assume that you have, or can obtain the services of people with, sufficient skills in the
areas needed, including Microsoft Active Directory and Terminal Services, TCP/IP
networking capabilities (such as Domain Name Services [DNS]), Citrix (MetaFrame)
Presentation Server, and, most likely, Symantec anti-virus product capabilities.
For more information about Symantec products, refer to:
http://www.symantec.com
We used these capabilities and products and more in the network we implemented for this
Redpaper.
At the appropriate place in this document, we cross-reference other documentation
containing more details. We assume that you have access to the redbook Microsoft
Windows Server 2003 Integration with iSeries, SG24-6959, which is based on OS/400
Version 5 Release 2. We build on that content by adding i5/OS-level (OS/400 V5R3)
capabilities. i5/OS (and AS/400) runs on both the POWER5™-based IBM eServer i5
systems and non-POWER5-based technology iSeries systems. The Redpaper Best
Practices for Microsoft Windows and Linux Integration in iSeries Systems, REDP4000,
should also be reviewed. Its information includes a methodology for sizing and migrating
Windows servers and best practices for managing these on an iSeries system.
For ease of reading we primarily use the single phrase iSeries system throughout this paper
to include both POWER5-based and pre-POWER5-based systems, except where noted as
something unique to one of the technologies.
Despite the use of Windows-based anti-virus products, keep in mind that a virus could be
stored (but not executed) within the i5/OS Integrated File System (IFS). It might be
appropriate to perform virus detection and correction on a file within the IFS. You could
write your own i5/OS program or install a product that takes advantage of the real-time
anti-virus scanning enablers that are new with i5/OS V5R3. Essentially, you use new file
system “object” property values and i5/OS system values to specify that a program is called
when certain functions are performed, such as restoring an object to i5/OS.
The programs could be written to perform virus detection and take appropriate action.
Third-party products that can take advantage of these real-time virus detection enabler
functions include:
• The StandGuard AntiVirus product from Bytware Inc. For further information, refer to
their Web site at:
http://www.bytware.com
• A product from Raz-Lee Security Ltd. For further information, refer to their Web site at:
http://www.razlee.com
Read about how to use these i5/OS V5R3 real-time anti-virus enabler functions in:
• The iSeries Information Center PDF IBM eServer iSeries Tips and Tools for Securing
Your iSeries, SC41-5300-07
• IBM eServer iSeries Security Guide: IBM i5/OS Version 5 Release 3, SG24-6668
Attention: As this paper was being produced, Citrix renamed and repackaged some of
their Citrix Presentation Server capabilities. A new release level became available as this
Redpaper was being published. You will see some screen captures that demonstrate the
previous names and some with the new names. To assist you in understanding some of
these names, we offer this:
• Citrix Presentation Server corresponds to the older Citrix Metaframe Presentation
Server terminology. Although most of this Redpaper was developed using the Citrix
Metaframe Presentation Server product, we use the newer Citrix Presentation Server
terminology wherever possible.
This Redpaper’s primary focus is on the Citrix (MetaFrame) Presentation Server 3.0
release level product.
• Depending on the function being described, some of the windows shown will use
Citrix Presentation Server terminology, some will use Citrix Metaframe terminology, and
some will use Citrix Access Suite terminology. We drop the use of the word
Metaframe in most topic headings even though the figure may show a window heading
that uses the word Metaframe.
• When this Redpaper was published, the current level of Citrix Access Suite was 4.0.
Citrix Access Suite 4.0 bundles into a scalable, flexible access platform the next
generation of three Citrix product lines: Citrix Presentation Server™ 4.0, Citrix Access
Gateway™ 4.0, and Citrix Password Manager™ 4.0.
The content of this Redpaper is based on our experiences using two iSeries servers: an IBM
iSeries model 830 and an eServer i5 550 model. We used a combination of older and newer
technology IXS and IXA attached servers.
Later topics and chapters provide more information about our planning, network
infrastructure, and products used.
1.2 iSeries integration for Windows servers: advantages summary
In this section we provide an expanded summary of Windows consolidation and integration
on iSeries systems.
The advantages of running Windows servers and associated Windows-based products within
an iSeries system configuration can be summarized into the following categories:
• Centralized Windows server management from an iSeries using the graphical iSeries
Navigator interface or an i5/OS command interface
• Centralized administration of users accessing data and applications on both i5/OS and a
Windows operating system
• Virtual Ethernet LAN that enables fast, secure communications among Windows servers
running via IXS/IXA and i5/OS, AIX, or Linux logical partitions operating within the same
iSeries system
• Centralized virtual storage management, including virtual disks, DVD, and tape resources
provided by i5/OS
• Flexible server deployment
• Consolidated data and program backup
You can use a staged approach to consolidate specific applications and infrastructure of your
Windows network into the iSeries and xSeries environment. Select a functional area of the
network and pilot its consolidation on the iSeries. When you are satisfied with that area,
perform a similar process for another area.
The typical software and hardware areas initially considered for iSeries Windows
consolidation include:
• Selected mission-critical, line-of-business Windows applications
• Hot spare, testing, backup, and recovery
• Applications performing heavy I/O
• Storage virtualization (disk, tape, or CD)
• Multiple servers performing the same function; for example, file, print, or Microsoft
Exchange serving
• Applications running on older-technology Intel processor-based servers that would benefit
from changing to the latest xSeries technology and capabilities
• Infrastructure servers (such as DNS, DHCP, or WINS)
1.2.1 Centralized Windows server management from an iSeries
Windows operating system functions and Citrix Presentation Server functions running under
any Intel-based server provide significant multi-server management capabilities. You can
continue to use them exactly the same on any Intel-based servers, including those xSeries
systems integrated with iSeries IXS/IXA support.
With the IBM iSeries Integration for Windows Server, 5722-WSV, installed you can perform
Windows server start and shutdown, user profile administration, and disk management
through OS/400 commands provided with 5722-WSV.
With 5722-WSV as a base you can use iSeries Navigator (included with iSeries Access for
Windows, 5722-XE1) for corresponding management capabilities and more, from a single
graphical user interface (GUI) PC workstation. Multiple IXS or IXA attached xSeries server
systems (as well as Intel-based Linux servers) can be managed from a single workstation.
Figure 1-1 depicts most available functions.
Figure 1-1 Windows administration by iSeries Navigator: controlling the server example
As depicted here, the Windows servers managed on system Rchasm01 (our model 830) with
the prefix of Jfsrv are the ones we used in this Redpaper as described in later chapters.
Review the text descriptions shown in our example for our Jfsrvxxx Windows servers.
Running Windows commands, synchronizing integration software
As shown as a menu option in Figure 1-1, you can submit and run any valid Windows
command on the selected started Windows server. Being able to submit and run commands
opens up an array of possibilities for increased centralized management of applications and
data. You can submit a command from either the iSeries Navigator graphical user interface or
the i5/OS character-based Submit Network Server Command (SBMNWSCMD) command.
If desired, you can automate running SBMNWSCMD by putting it in an i5/OS Control
Language (CL) program and using an i5/OS-based job scheduling facility to run the
SBMNWSCMD without human intervention. i5/OS comes with a job-scheduling function
accessed via the Work with Job Schedule Entries (WRKJOBSCDE) and Add Job Schedule
Entry (ADDJOBSCDE) commands.
The additional-charge Advanced Job Scheduler for iSeries, 5722-JS1, is also available.
The CL program can be written to retrieve variables from, for example, a data area, which
could contain a list of target Windows server host names.
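The automation described above, as an added example that is not code from this Redpaper: a CL program that reads target server names from a data area and submits one Windows command to each, with the job schedule entry that would run it nightly shown in the closing comment. The library MYLIB, data area WINSRVS, program WINCMDALL, server name JFSRV013, the 'ver' command, and the SVRTYPE(*WINDOWSNT) value are assumptions for illustration.

```cl
/* WINCMDALL - added example, not from the Redpaper.                    */
/* Assumed data area: MYLIB/WINSRVS, *CHAR 80, holding up to ten        */
/* 8-character network server names, blank padded, for example:         */
/*   CRTDTAARA DTAARA(MYLIB/WINSRVS) TYPE(*CHAR) LEN(80) +              */
/*             VALUE('JFSRV012JFSRV013')                                */
/* The first blank slot ends the list.                                  */
             PGM
             DCL        VAR(&LIST) TYPE(*CHAR) LEN(80)
             DCL        VAR(&SRV)  TYPE(*CHAR) LEN(8)
             DCL        VAR(&MSG)  TYPE(*CHAR) LEN(60)
             DCL        VAR(&I)    TYPE(*INT)
             DCL        VAR(&POS)  TYPE(*INT)

             /* Read the whole list of target servers in one call       */
             RTVDTAARA  DTAARA(MYLIB/WINSRVS (1 80)) RTNVAR(&LIST)

             DOFOR      VAR(&I) FROM(1) TO(10)
                /* Slot &I starts at position (&I - 1) * 8 + 1          */
                CHGVAR     VAR(&POS) VALUE((&I - 1) * 8 + 1)
                CHGVAR     VAR(&SRV) VALUE(%SST(&LIST &POS 8))
                IF         COND(&SRV *EQ ' ') THEN(LEAVE)

                /* Submit the Windows command to this server. 'ver' is  */
                /* a harmless placeholder for the real command.         */
                SBMNWSCMD  CMD('ver') SERVER(&SRV) SVRTYPE(*WINDOWSNT)

                /* A server that is varied off or unreachable must not  */
                /* stop the run: report it to QSYSOPR and continue.     */
                MONMSG     MSGID(CPF0000) EXEC(DO)
                   CHGVAR     VAR(&MSG) VALUE('SBMNWSCMD failed for +
                                server' *BCAT &SRV)
                   SNDMSG     MSG(&MSG) TOMSGQ(QSYSOPR)
                ENDDO
             ENDDO
             ENDPGM

/* To run the program every night at 02:00, add a job schedule entry    */
/* once from a command line (job name WINCMDALL is an assumption):      */
/*   ADDJOBSCDE JOB(WINCMDALL) CMD(CALL PGM(MYLIB/WINCMDALL)) +         */
/*              FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) SCDTIME(0200)  */
```

Keeping the server list in a data area means the set of targets can change without recompiling the program, so change authority to that data area deserves the same control as authority to the program itself.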
With the V5R3 Synchronize iSeries Integration Software option shown in Figure 1-1 on
page 6, you can take the iSeries Integration for Windows Server software (5722-WSV) that is
currently installed on the i5/OS partition and download and install it on the selected integrated
Windows server.
You would want to perform this operation under the following conditions:
• Release V5R3 or later has been installed on your iSeries system and you already have
Windows servers up and running under a previous release of OS/400. When a new
OS/400 or i5/OS release is installed, it contains a new version of iSeries Integration for
Windows Server software. Parts of this new software must be downloaded and installed
on each integrated Windows server.
• A new service pack for the iSeries Integration for Windows Server software has been
installed on your iSeries system via an i5/OS set of program temporary fixes (PTFs). This
latest service pack software must be downloaded and installed on each integrated
Windows server.
• Something is wrong with your iSeries Integration for Windows Server (5722-WSV)
software and you need to remove a service pack from the integrated Windows server. This
happens rarely but should be planned for. You would first remove the service pack PTF on
i5/OS and then perform the synchronize task to remove the service pack from the
integrated Windows server.
V5R2 and earlier releases included the same functions but with different iSeries Navigator
interfaces:
• Install latest version
• Install latest service pack
• Install latest version and service pack
• Uninstall latest service pack
Monitoring Windows operating system messages
Within this central management topic we also highlight the mirroring of Windows server
messages to i5/OS, if desired. Windows messages can be sent to i5/OS message queues,
including QSYSOPR, as well as to the appropriate i5/OS job’s job log.
This enables real-time monitoring of these messages by either a human or by programmed
message queue functions. If QSYSOPR is used there is a single message queue for viewing
and acting upon i5/OS messages and Windows operating system messages: centralized
message handling of the iSeries and network of Windows servers.
Sending Windows messages to a specific i5/OS message queue enables programmed
automated actions for a message when it is appropriate for your environment.
You set this up when you create the iSeries Windows server description object with the Install
Windows Server (INSWNTSVR) command. You can change your Windows message
mirroring option later using the iSeries Navigator Windows server’s Messages properties
interface (when the server is varied off or shut down).
This support includes Windows operating system messages and event log error messages
associated with the Windows server. These messages are mirrored from the Windows event
log.
As shown in Figure 1-2, if you select to mirror messages you can choose from several other
message-handling options including:
• Types of messages to mirror
• Placing the appropriate messages on a user-specified message queue or QSYSOPR or
the job log of the associated i5/OS Windows server job
• Mirror server messages to QSYSOPR and non-server messages to the associated i5/OS
Windows server’s job log
Figure 1-2 iSeries Windows server message options for i5/OS
The lower area of the Messages properties window shows the three types of Windows
messages that can be mirrored.
1.3 Synchronized user administration
One of the main reasons for Windows server consolidations on iSeries is the centralized
administration of users accessing both OS/400 and Windows workstation data and
applications.
When a user is added to i5/OS, the user profile can be specified to automatically add this user
to the Windows environment (network domain or local server) with proper authorities. When
this user changes their i5/OS password, this change is propagated to the corresponding
account in the Windows environment.
This happens with an i5/OS user profile that was added to a group profile that was already
enrolled to Windows. Otherwise, it is a manual step to enroll the user to the Windows server
or domain.
This is the simplest way to initially get a new Windows server on an integrated xSeries system
up and running within the iSeries environment. This is because it typically uses processes
you already have in place. This is the way we set up our example network described in this
Redpaper.
You can extend user participation to a single signon environment, where you want a user to
sign on only once anywhere in a network and be able to use only authorized functions on
multiple operating systems. This requires an investment in planning, ensuring that the
necessary products are installed and configured on multiple systems, and typically uses
Kerberos protocol for user authentication.
V5R3 no-charge i5/OS Enterprise Identity Mapping (EIM) support extends its V5R2
capabilities in this area by building on two new i5/OS user profile parameters (“local password
management” parameter of *NO and “automatically create an EIM association” value of YES)
that can identify a user as being managed from within Windows.
Single signon can reduce user maintenance efforts and helps improve security by handling
different IDs on each system for the same user (for example, user JPUBLIC has user ID
JIMPUB on system 1 and JPUBLIC0 on system 2) and by reducing the number of passwords
required in a single signon within a multiple operating systems environment.
From an iSeries viewpoint, you need to:
• Set up Kerberos support using the iSeries Navigator Security → Network Authentication
Services configuration wizard.
• Set up the Enterprise Identity Mapping domain and registry configuration using iSeries
Navigator Network → Enterprise Identity Mapping. You can do complete EIM user
identifier and associations setup through this interface, as well as take advantage of the
previously described new V5R3 user profile parameters to simplify this setup.
The following references offer additional information regarding single signon, Kerberos-based
authentication, and EIM:
• iSeries Information Center
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp
Select V5R3 and the desired topic, such as Security → Single signon or EIM.
• V5R2 level redbook: Windows-based Single Signon and the EIM Framework on the IBM
eServer iSeries Server, SG24-6975.
• V5R3 Security level information: V5R3 iSeries Security Reference, SC41-5302-07 or later.
You can find this at iSeries Information Center under Security.
1.4 Exceptional storage management
Instead of having to manage separate disk devices for each PC server workstation, you can
have Windows (as well as AIX or Linux) access virtual disks stored within an i5/OS partition
and tape and DVD resources managed by the i5/OS partition.
In addition to the advantages of using i5/OS virtual DVD and tape resources, each Windows
server gets extended advantages in the virtual disk area. Each Windows server can benefit
from having multiple disks as well as from the performance of iSeries single-level storage
architecture and using multiple iSeries disks. This support also provides the capability to add
a new virtual disk, as necessary, without having to shut down the Windows server.
Within an i5/OS partition, each Windows disk volume is actually an i5/OS network storage
space object associated with the Windows server through a Network Server Description
object. As part of i5/OS, these objects can be stored within an iSeries System Auxiliary
Storage Pool (System ASP) or, optionally, within user-defined ASPs. Specific disk devices
can be assigned to a user ASP. By default, the System ASP gets all of the configured disk
devices not explicitly assigned to a user ASP.
An i5/OS disk storage pool (ASP) can be defined across iSeries internal disks as well as
external disks. The use of external or internal disks is transparent to the Windows operating
system on the iSeries integrated xSeries configurations.
From an iSeries viewpoint, external disk support includes all supported IBM Enterprise
Storage Servers, including the new IBM TotalStorage® DS6000 and DS8000 - Enterprise
Storage Servers models. The ESS configuration enables yet another level of abstraction and
virtualization of physical disks.
Up to 32 i5/OS storage spaces can be created and linked to each IXS or IXA server.
Each storage space can be up to 1 terabyte (TB) in size, for a maximum of 31 TB per xSeries
server.
Multiple storage spaces assigned to a Windows server can be linked together for large
Windows volume sets. As previously stated, these storage spaces (disks) can be added
dynamically to an xSeries server using i5/OS Windows/Linux integration 5250 commands or
the iSeries Navigator interfaces.
Note that i5/OS user-defined ASPs can be of two types: dependent or independent. An
independent ASP (IASP) typically would be used to switch its set of disk hardware to another
iSeries system as part of a “higher availability” environment. For example: System A is doing
the work and has specific applications or data stored within an IASP. System A has to be shut
down for some period of time, so its IASP is switched to another iSeries system that can run
the same application using the same data.
All of this makes centralized virtual storage management rather straightforward. It also
facilitates centralized backup and more efficient use of storage resources.
Figure 1-3 on page 10 shows examples of an iSeries Navigator Windows Administration view
of disk storage space properties information for virtual disks we had assigned to our Citrix
Presentation server Jfsrv012, which was shown in Figure 1-1 on page 6.
Figure 1-3 iSeries Navigator Windows administration - virtual disk/storage space example
The upper-left properties window shows the three disk drives (system, installation, and
programs) defined for this server. (This server is described later in this Redpaper.)
The middle General properties window for the Jf012pgm disk shows file system, formatting
status, i5/OS disk pool, and how the access to the drive has been specified. The Quorum
resource No value indicates that the disk is not being used with Microsoft Clustering Service,
which iSeries Integration for Windows Server software supported starting with V5R2.
The lower-left Capacity properties window provides a graphical image of disk space
utilization. The original maximum capacity (as well as other disk attributes) was specified using
either the Create Network Server Storage Space (CRTNWSSTG) command or the iSeries
Navigator Windows Administration → Disk Drives → New disk option.
1.5 Virtual Ethernet
The iSeries Virtual Ethernet LAN support enables high-speed communications between
i5/OS, Linux, and AIX partitions as well as between IXS and IXA attached xSeries servers
running as a Windows server.
This enables fast Virtual Ethernet LAN speeds (up to 1 Gbps), with very high levels of security
and reliability, because for each Virtual Ethernet connection there is no additional physical
adapter, cable, or outside LAN data traffic involved. Use of Virtual Ethernet connections can
reduce network complexity, increase flexibility, and enhance management of the network
being used for application communication.
Up to five Virtual Ethernet connections can be defined for each Integrated xSeries server
attached to an iSeries system.
Typically, just considering Windows servers consolidated onto iSeries IXS/IXA hardware (not
considering the partition-to-partition communication), a point-to-point Virtual Ethernet line is
configured for use by iSeries Integration for Windows Server support and the Windows server
itself. When multiple consolidated Windows servers are involved on the same i5/OS partition,
typically a second Virtual Ethernet line is configured for the Windows server operating system
and applications to communicate among themselves and with the i5/OS partition.
A third real, physical Ethernet LAN adapter and line is used for other workstations to
communicate with each Windows server per the normal customer workplace enterprise. If
you do not wish the Windows server to have its own physical LAN adapter, i5/OS can be
configured to have its own LAN adapter route data to and from the Windows servers over the
virtual LAN.
See Figure 1-4 on page 12 for a generalized example of what we just described. We show
three partitions on an iSeries or i5 system. The left and right i5/OS partitions each have their
own Windows server, though each i5/OS partition could have multiple Windows servers.
The greyed-out partition text shows i5/OS, Linux, or AIX operating systems that could be
configured, but we focus here only on the two i5/OS partitions shown in dark text.
The small white squares illustrate physical LAN adapters and ports that connect to a real
(physical) LAN network. This requires a real physical LAN adapter hardware feature and
associated cables. These connections are primarily used by the network workstations, such
as when a client workstation connects to a specific Citrix server.
The violet-checked squares and solid blue squares represent virtual (non-physical) LAN
adapters and ports. The violet rectangle illustrates the point-to-point Virtual LAN configuration
connection used between i5/OS and the Windows operating system—the support provided
with iSeries Integration for Windows Server support (5722-WSV).
The solid blue rectangles illustrate the virtual adapter and ports that communicate with each
other outside of the iSeries Integration for Windows Server support over the blue solid line
representing the Virtual LAN network. These virtual connections may be used for
server-to-server application communication, such as Telnet, FTP, among Citrix servers,
among Microsoft Terminal Services (MTS) servers, Symantec Live Update functions
performed on these servers, and other server-to-server functions.
[Figure 1-4 diagram: an iSeries or i5 server with three partitions (i5/OS partition; i5/OS, AIX, Linux partition; i5/OS partition) joined by a Virtual Ethernet LAN, two IXS or IXA attached xSeries servers each running a Windows server, and external LANs. Legend: virtual adapter with pt-pt IP address; virtual adapter with IP address; external LAN adapter/port with IP address.]
Figure 1-4 Virtual LAN configuration example with Windows servers
Our example network used a physical LAN adapter on each Windows server.
You will see this configuration in more detail for our example network in the following chapter.
1.6 Consolidated backup and recovery
You can use Windows commands and procedures or a Windows backup product exactly the
same way you are used to for Windows servers consolidated onto a single iSeries system.
You can take advantage of i5/OS tape devices in a staged time period for backing up each
Windows server. If your iSeries has multiple tape devices within an IBM tape data library
server, consider how to use individual tape devices. If you are using Windows operating
system backup procedures, you can use the tape device within the media library in manual
and sequential mode, but not in random mode.
Remember that you can submit any Windows command from either the iSeries Navigator
interface or the i5/OS command interface. Consider applying this capability to your backup
procedures for Windows. This Windows command submission is discussed in “Running
Windows commands, synchronizing integration software” on page 6, including the ability to
schedule and automate the submission of commands.
When evaluating your Windows backup procedures, you may determine that you can have
sufficient backup and recovery procedures by backing up the integrated xSeries server
objects—network descriptions and network storage spaces. If this is viable you can
consolidate i5/OS and the Windows backup process through standard i5/OS save and restore
commands or, in a more automated way, under the Backup, Recovery, and Media Services
(BRMS), licensed program 5722-BR1. BRMS has both a command-level interface and a
graphical interface when installed as a plug-in to iSeries Navigator.
With this approach you can integrate your i5/OS objects and Windows server backup
process. If your i5/OS partition has a multiple-device tape data library server and you have
BRMS installed, you can take full advantage of the tape data library server functions for backing
up both i5/OS non-Windows-related objects and Windows objects.
With either a traditional Windows-only backup process or an integrated Windows and i5/OS
backup process, i5/OS tape devices, under proper control procedures, can back up each
Windows server as well as i5/OS objects.
There may be environments where combinations of both this consolidated i5/OS and
Windows backup integration as well as separate Windows operating system backup
capabilities and procedures are the best approach for your environment. This can help
facilitate recovery time objectives for shared application environments where data may be
stored in both i5/OS (DB2® UDB for iSeries, for example) and Windows.
You can minimize human intervention for a variety of backup processes. i5/OS save/restore
commands, BRMS commands, the BRMS plug-in to iSeries Navigator, or combinations of
these tools can be used to accomplish all of this.
Compare this to many other environments having multiple servers and perhaps a tape device
on each server. If you have a powerful tape data library server available to the iSeries system,
you really minimize human intervention for a variety of backup processes.
Note that for Windows servers the most frequently used save/restore “object” is at the iSeries
Windows storage space (entire “disk”) level. You can also save and restore individual files.
1.7 Flexible, reliable server deployment
Integrated xSeries server descriptions and virtual storage space objects offer significant
reliability and recoverability options. These objects can be copied and distributed to assist in
remote system deployment and generate a test environment that is as identical as possible to
the production mode environment.
In one example, you could have several server configurations: one for production servers, one
for development servers, and one for test servers. Each of the configurations has its own set
of software and device drivers. With a standalone Windows server environment, testing and
deploying changes across multiple servers can cause difficulties because of the number of
unique configurations and features.
A test server may have to be made available for any of a multiple of these production
configurations. A single physical IXS or xSeries server attached via an IXA can be used to
support these multiple configurations. This is done by simply assigning a different set of i5/OS
network server description and network storage space descriptions to it. In this way, a
consistent set of hardware, drivers, and features can easily aid in reducing errors due to
variables in the configurations.
Extending this to a higher availability environment, you could have ordered a “hot spare”
IXS/IXA server that is physically the same as another IXS/IXA you typically use. If the active
server fails, you can assign the configured server description and storage space objects to
the hot spare server and thus continue running the necessary applications.
One spare could be used to protect multiple production servers.
Earlier we stated that, like almost all i5/OS objects, IXS/IXA server descriptions and storage
spaces can be defined and placed into an i5/OS dependent or independent storage pool.
Typically a dependent storage pool is a method of restricting certain objects to certain disk
drives, primarily to “fence” disk I/O operations. Note, however, in addition to the hot-spare
scenario previously described, we can use an independent storage pool to increase
application availability among multiple iSeries systems. An independent storage pool (and all
the objects within it) can be switched from one iSeries system to another, should the original
system become unavailable.
The network server description objects and network storage space objects contained in the
independent storage pool can then be assigned to an identically configured xSeries server on the
second system. An IXS card can reside in the switchable IO tower, so it also can be switched
to the backup iSeries.
As a V5R3 extension to getting the application up and running on a secondary iSeries
system, the independent storage pool can be mirrored real time to a copy of another
independent storage pool on the second iSeries system. This speeds up the process to
enable the second system to run the Windows applications on the second system’s integrated
xSeries servers.
1.8 Software products used
Here are the principal software products we used in our example network and applications, in
addition to i5/OS (OS/400 V5R3M0):
• On the IBM eServer iSeries 830 and IBM eServer i5 550 systems:
– No-charge TCP/IP Communication Utilities, 5722-TC1
– IBM iSeries Integration for Windows Server, licensed program 5722-WSV with option 2
- Integration for Windows 2000 and 2003
– iSeries Access for Windows, 5722-XE1
• On selected IXS and IXA attached xSeries servers:
– Windows Server 2003, including Active Directory functions
– Windows Terminal Services
– Windows SQL Server
– Windows Update Services
– Citrix MetaFrame Access Suite (integrated packaging of necessary components, which
includes, for example, Citrix MetaFrame Presentation Server 3.0 (latest level during our
residency) and Citrix Access Suite Console)
– Applications:
  • Lotus® Notes® Client
  • iSeries Access for Windows 5250 emulation and iSeries Navigator
• On the client workstations:
– Windows XP
– Windows 2000
Note: The following Windows operating system levels are supported on IXS and xSeries
server models attached via the IXA:
• Microsoft Windows Server 2003 Standard Edition
• Microsoft Windows Server 2003 Enterprise Edition
• Microsoft Windows Server 2003 Web Edition
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
1.9 Hardware products used
As previously mentioned, we used two iSeries systems. The iSeries model 830 was on our
primary network, and an IBM eServer i5 model 550 was used on our secondary network.
Both systems had multiple partitions, and one partition on each system “owned” our IXS/IXA
hardware and contained our Windows server description and storage space objects.
The following older and newer IXS and IXA attached xSeries servers were used in our
example network.
1.9.1 IXS features used
The IXS features we used were:
• #2890-002 PCI Integrated xSeries Server, which contains a single 850 MHz processor
• #2892-001 PCI Integrated xSeries Server, which contains a single 1.6 GHz processor
• #2892-002 PCI Integrated xSeries Server, which contains a single 2.0 GHz XEON
hyperthreading processor
Additionally we provide a list of other IXS features, available on iSeries and i5 model systems:
• #2890-003 PCI Integrated xSeries Server, which contains a single 1.0 GHz processor
• #4810 PCI Integrated xSeries Server, which contains a single 2.0 GHz processor
The #4811/#4812/#4813/#9812/#9813 PCI-X Integrated xSeries Server, which contains a
single 2.0 GHz Pentium® M processor. These have a single 2.0 GHz processor but are
physically packaged differently from the #4810.
The #4811 is supported in the IBM eServer i5 520 processor enclosure. The #4812 is
supported in the IBM eServer 550 processor enclosure and the model 595, 800, 810, 825,
870, and 890 system towers and in the #0588, #0595, #5088, #5095, #5074, #5079,
#5094, and #5294 expansion towers.
The #4813 is supported in the 570 system tower and in the 5790 expansion unit.
Other older technology IXS features (or older Integrated Netfinity® servers) may also work
but, depending on the workload given to run on them, may encounter maximum performance
or maximum memory (main storage) limitations.
1.9.2 IXA attached xSeries servers used
The IXA fits within selected xSeries servers and attaches to the iSeries and i5 High Speed
Link (HSL) bus, with the appropriate HSL cables.
The IXA occupies two card positions in the xSeries server but plugs into only one 64-bit
66 MHz slot. The specific slot location depends on the xSeries model being attached to the
iSeries system via the HSL loop.
There are two models of the IXA: feature codes 1519-200 and 1519-100. These two IXA
models provide the same function, but they are designed to work with different xSeries
models, depending on the internal technologies of the specific xSeries system. Make sure
you use the IXA feature code that is designed to work with your choice of xSeries server.
For the latest supported IXA and xSeries servers, as well as the latest cabling and software
update requirements, always consult the iSeries xSeries integration Web site at:
http://www.ibm.com/eserver/iseries/integratedxseries
To get directly to the IXA and supported xSeries servers you can use:
http://www.ibm.com/servers/eserver/iseries/integratedxseries/xseriesmodels/
IXA features and attached xSeries servers we used in this Redpaper included:
• IXA 1519-100: 2-way xSeries 350
• IXA 1519-200: xSeries 346, with two 3.6 GHz processors. We attached this to our i5
model 550, which has HSL-2 adapters. This requires an HSL to HSL-2 cable. We used
cable feature number #1475 (10 meters).
Note that the integrated xSeries Web site also lists Intel-based Linux distribution release
levels supported on iSeries IXS/IXA hardware features.
Chapter 2. Planning your network and server infrastructure
As stated in 1.1, “Scope of this practical example Redpaper” on page 2, we could not cover
every possible planning topic. However, we do cover several planning topics in this chapter:
• Hardware environment
• Site planning with DNS, DHCP, and general firewall protection
• Licensing
• Active Directory and the Windows environment
• User propagation
• Distribution of Microsoft service packs and hotfixes
• Citrix Presentation Server
• Application to publish in the Citrix environment
• Printing
Attention: The redbook Microsoft Windows Server 2003 Integration with iSeries,
SG24-6959, contains significant planning step information that should be used in addition
to the planning documentation in this chapter. This Redpaper builds on SG24-6959 (which
is OS/400 V5R2-based), extending it in the areas of i5/OS V5R3 capabilities and providing
more information in using Microsoft Terminal Services and Citrix MetaFrame in the context
of running these products on iSeries Integrated xSeries servers and xSeries servers
connected to the iSeries via the Integrated xSeries Adapter.
For information beyond the scope of this Redpaper, see the following Web sites:
• http://www.microsoft.com
• http://www.citrix.com
© Copyright IBM Corp. 2005. All rights reserved.
2.1 Initial consideration: network and server availability
Note: Recall that our use of the term iSeries system can mean an IBM eServer i5 model
server or pre-POWER5 technology servers.
We assume that there is a primary (or only) iSeries system on which you are doing Windows
server consolidation. You could choose a single i5/OS partition to run no other i5/OS
functions other than host and manage Windows servers. In our network, however, we also
can run some i5/OS applications in that same partition.
There can be multiple Windows servers managed by a single i5/OS partition or multiple i5/OS
partitions, each hosting one or more Windows servers and i5/OS applications in real-world
environments. The work you assign to each partition is up to you. Note that for ease of
description in this Redpaper, we primarily use the term partition to mean one i5/OS partition,
or the system when partitioning is not configured.
A very important decision you must make at the beginning of your consolidation planning is
how long you can live without some applications or infrastructure services being active.
Simple examples would include no Domain Name Services (DNS) function or an i5/OS
partition that provides your virtual I/O support that might have to be shut down to perform
significant hardware maintenance or software fixes installation.
Detailed planning in this higher-availability environment is beyond the scope of this Redpaper,
but if you plan on a secondary system and perhaps network, you should keep that in mind as
you make decisions during your planning process. Our example network does include a
secondary network of an iSeries server and set of Windows servers, and we address the
TCP/IP network and keeping up to date with software changes. We do not get into detailed
planning and coverage such as replicating data between iSeries and Windows servers and
automating application “take over” to the secondary server and network.
If you decide that a few hours is too long to go without some applications or important
infrastructure function being up and running, you should definitely plan for a backup system
and some level of automated takeover.
For higher-availability planning considerations that include use of i5/OS clustering support
and high-availability software products from iSeries IBM business partners, start here:
http://www.ibm.com/eserver/iseries/availability/
http://www.ibm.com/servers/eserver/iseries/ha/
Starting with OS/400 V5R2, iSeries Integration for Windows Server support included
Windows Clustering Services support. The redbook Microsoft Windows Server 2003
Integration with iSeries, SG24-6959, includes additional clustering information on this.
To get started on finding out more about Windows Clustering Services, search on “clustering
and service” at:
http://www.microsoft.com/windows/default.mspx
In this paper, we provide some basic planning and setup for increased availability using a
second system and network (Site_B) in Chapter 7, “Set up the backup system for increased
availability” on page 181. See also Chapter 8, “Backup and recovery possibilities” on
page 187. There we give an overview and some references for additional information about
backing up your iSeries system’s Windows environment, as much as possible, during normal
business operations.
2.2 Size your current iSeries and Windows workloads
You need to obtain current performance statistics on the utilization of processor, memory, and
disk I/O activity for the iSeries system or partition onto which you plan to consolidate.
Perform similar performance statistics gathering for each of the Windows servers you plan on
consolidating. This way you can make a base assessment of the number of IXS or IXA
attached xSeries servers you need for the consolidation.
You also must estimate some additional workload growth.
iSeries processor utilization (separate from the IXS or IXA processor utilizations) is
dependent on the amount of:
• Disk activity required by the Windows server application
• Virtual LAN data transfer activity between integrated servers
There are several iSeries-based sizing tools. The simplest one to use is the IBM eServer
Workload Estimator, available at:
http://www.ibm.com/eserver/iseries/perfmgmt
2.2.1 Integrated IBM eServer xSeries performance benchmark for Citrix Access Suite
Sizing the performance (transactions and response time) of any applications running on any
server is a task that should be conducted beforehand, even though it is driven by many
computer resource, network activity, and application implementation differences. To assist in
understanding baseline performance using Citrix Presentation Server running on IBM
eServer xSeries servers connected to an iSeries system via the Integrated xSeries Adapter
(IXA), IBM and Citrix have conducted some baseline benchmark tests.
The test results are documented in a white paper called Integrated IBM eServer xSeries for
iSeries Benchmark for Citrix Access Suite, which you can find at:
http://www.ibm.com/servers/eserver/iseries/integratedxseries/pdf/citrixbenchmark.pdf
2.3 Hardware and software inventory for your environment
First, you should make an inventory of all iSeries hardware and software you may have or
want to have on your consolidated iSeries system or partition. Second, you must collect the
corresponding inventory for your current Windows servers.
Then you need to consider any near-term future iSeries or Windows software you do not
currently have but want to add to your consolidated network.
One example is to consider the cross-platform IBM Director server and agent products.
Although it is beyond the scope of this Redpaper, consider using the IBM Director server
component in an i5/OS partition and agent components in any other i5/OS, POWER Linux, or
AIX 5L™ V5.3 partitions and on the Windows servers and clients. Over time, by taking
advantage of many of the IBM Director capabilities, you have significant management
capabilities in the areas of multiple operating system hardware and software management
and performance monitoring.
You can find more information at:
http://publib.boulder.ibm.com/eserver
2.3.1 iSeries hardware
As described in preceding sections, you should use any previously gathered sizing or
resource utilization information to determine the processing power, number of disk drives, and
main storage required to run any i5/OS applications (or Linux or AIX partition applications).
This should ensure that you know what hardware you have or may need to add.
We specifically discuss LAN adapters in “LAN adapters and IP ports in the iSeries server and
Windows servers” on page 20.
IPCS, INS, Integrated xSeries server, IXA attached xSeries server
You must decide which kind of xSeries server you want to use.
If you need only 1 processor’s worth of capacity per Windows server, we suggest using an
Integrated xSeries Server.
For Windows server workloads that you estimate will require multiple processor capacities, an
xSeries server attached via an IXA is the appropriate choice. Consider this, especially for a
Windows server on which you want to run multiple Windows applications and use Citrix
MetaFrame Presentation Server for management.
Disk space on the iSeries
To set up Windows servers in iSeries, you must assess the need for additional disk space that
would be occupied by network server description objects and network server storage spaces.
Find some general recommendations in 2.7.1, “Disk space and drive mapping” on page 32.
LAN adapters and IP ports in the iSeries server and Windows servers
You should plan a minimum of one Ethernet LAN adapter for the i5/OS partition itself and one
Ethernet LAN adapter for each Windows server. You could potentially do without a Windows
server LAN adapter and route incoming requests to the Windows server through the iSeries
LAN adapter over the virtual Ethernet LAN, but you would need to assume a moderate to light
amount of data traffic in this case.
You may have multiple active i5/OS applications concurrently within your partition (for
example, HTTP serving and Lotus Domino® functions). In those cases, consider additional
LAN adapters for the i5/OS partition.
Also, take care to examine the IP ports that the different products may default to within the
same operating system. For example, depending on software release levels, the i5/OS
operating system Directory Services (LDAP) support might default to using port 389, which
some Domino functions also may default to.
2.3.2 iSeries software
Software planning includes TCP/IP software infrastructure components and software
applications you will be using.
Network TCP/IP infrastructure
You need to lay out the topology of your network and determine which servers should be set
up to perform the following TCP/IP-based functions:
• Domain Name Services (DNS) host name to IP address resolution
• Dynamic Host Configuration Protocol (DHCP) IP address assignment
• Domain controller functions
Application software considerations
You need to determine which applications run on which server: an i5/OS partition or a
Windows server. The applications included in this example network have been listed
previously but are also listed here.
• Windows 2000 Server, Windows Server 2003
• SQL server
• Windows Update Server
• File and Print services
• Windows Terminal Services
• Citrix Access Suite License Server
• Citrix Presentation Server
• Citrix Web interface
• Windows applications on a server or on a client workstation
You should extend this list as your application environment dictates. Examples here could
include Notes client components or Microsoft Office Outlook® and Exchange components, a
firewall product, how you keep the Windows software updated, and so forth.
In the remainder of this planning chapter we expand on some of the areas listed above, but
first we give you a brief description of our example server and network setup. This includes
initial naming examples to help identify the “component or primary function” being set up.
2.3.3 Our example network infrastructures: brief description
For our scenario we used two iSeries servers, each with its own set of IXS and IXA attached
xSeries servers. Client workstations send work to both (or either) iSeries servers and
attached xSeries servers. One of the iSeries servers and its Windows servers and LAN
configuration are set up to be a secondary network that could, when necessary, enable the
workstations that are normally connected to the primary iSeries server to do their work while
connected to the secondary iSeries server.
This is shown in Figure 2-1 on page 22. This figure is a simplified drawing compared to the
more detailed Figure 2-2 on page 28, which is used as the base reference in upcoming topics
that provide more detailed planning information, using naming conventions to help identify
what we are discussing.
Note that “JF” is simply the prefix we selected to use in the naming conventions we
established for our example network.
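[Figure: Site_A (Primary) with iSeries system AS01 (Linux, Virtual Ethernet, HSL Loop) and Windows servers JFSRV001, JFSRV002, JFSRV011, and JFSRV012; Site_B (Secondary) with iSeries system AS55 (Linux, Virtual Ethernet, HSL Loop) and Windows servers JFSRV101, JFSRV111, and JFSRV112; Ethernet, Router, and Internet between the sites.]
Figure 2-1 Overview of iSeries and Windows network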
The horizontal red lines in the middle of Figure 2-1 represent a physical Ethernet LAN. The
heavier red lines at the top and bottom represent a virtual LAN (inside the iSeries server).
In our simplified network drawing, note:
• The adapters shown within the iSeries systems represent physical LAN adapters, not IXS
features. They are not the primary focus of this Redpaper but represent one or more
network connections that would typically be in the iSeries configuration along with the IXS
or IXA xSeries Servers and their LAN connections.
• Linux is shown simply to call attention to the possibility of running a Linux application in
this network for functions such as a firewall or a mail support structure to replace Microsoft
Exchange, but we do not address additional planning considerations for Linux in this
paper. The Linux application could run either in a Linux partition or a supported IXS or IXA
xSeries server. Note that a firewall product could also run within an AIX partition on the i5
model system or as a Windows-based application on an IXS or IXA xSeries server.
• JFSRV001, JFSRV002, and JFSRV101 are IXS xSeries server “cards” running a Windows
operating system as depicted in more detail in Figure 2-2 on page 28.
• JFSRV011 and JFSRV012 are xSeries servers attached via IXAs to the primary iSeries
server AS01 via an HSL loop.
• JFSRV111 and JFSRV112 are xSeries servers attached via IXAs to the secondary iSeries
server AS55 via an HSL loop.
For system AS01 we depict, in green, the virtual disk (i5/OS network storage space object) for
the IXS and IXA xSeries servers using iSeries Integration for Windows software.
As we discuss later, using Figure 2-2 on page 28, we have used the IXS Windows servers as
domain controllers and for infrastructure services such as DNS, DHCP, file and print services.
We use the IXA attached xSeries servers as Windows Terminal Server with Citrix MetaFrame.
Although we did not have time to implement it or provide some planning considerations, we
strongly recommend that you consider a firewall product in a real-life environment. A firewall
product could be run on any of its supported hardware or operating systems except i5/OS. In
our network diagrams that follow, we indicate possibly using a Linux partition on the iSeries or
a supported Linux running on an IXS or IXA attached xSeries server.
As far as we could investigate during the Redpaper residencies, StoneGate is the only
commercial firewall product that can be used across IBM xSeries, iSeries, and zSeries
machines. If a WebSphere® environment or other parts of the environment are consolidated
inside an iSeries or zSeries machine, you can use StoneGate firewall on those machines, as
well. You do not need an external firewall, because StoneGate firewall operates as a virtual
firewall inside an iSeries or zSeries machine.
For more information about the StoneGate product running on an iSeries system, refer to:
http://www/stonesoft.com/products/IBM_iSeries
For details about all Stonesoft firewall solutions visit their Web site at:
http://www.stonesoft.com/
Many external firewall products are commercially available. You must investigate these to see
what product fits the needs of your network.
Although this Redpaper does not provide any additional information about using any
Linux-based product, consider reviewing the contents of Secure your e-mail server on IBM
eServer I5 with Linux, REDP-4012. This provides additional firewall information from an
iSeries viewpoint and includes information about the StoneGate firewall product running in an
iSeries Linux partition.
2.4 Licensing considerations
Software is protected by copyright law, which says that the copyright holder has all of the
rights, and your rights are limited to those you have been granted specifically.
2.4.1 i5/OS
Here is a short list of planning issues for i5/OS-based products. The commands Display
Software Resources (DSPSFWRSC) and Work with License Information (WRKLICINF) assist
you in seeing what licensing you have.
• i5/OS is 5722SS1 with several options required, such as option 12 host servers. You need
an i5/OS license for each logical partition. Initially, the system can be ordered with nn
processors activated upon delivery and an i5/OS license for that number of nn processors.
If you get a system with additional capacity on demand processors and you activate those
additional processors, you may need additional processor licenses. Activating processors
may also put the system into a higher-priced software tier, which could affect your cost for
use of the additional processors. Consult your legal agreement with IBM to understand
your actual cost structure.
• TCP/IP support via no-charge TCP/IP Connectivity Utilities for iSeries, 5722TC1. This is
included with the i5/OS license.
• HTTP server support via no-charge IBM HTTP Server for iSeries, 5722DG1. This is
included with the i5/OS license.
• iSeries Access for Windows, via 5722. You need licenses to this product to use 5250
emulation and Data Transfer functions. Two licensing options are available:
– Processor-Based: Purchase price based on i5/OS processor performance-rated
software tier, connect unlimited numbers of users.
– User-Based: Purchase price grouping for only a specific number of users who will be
concurrently connected.
• IBM iSeries Integration for Windows Server via 5722-WSV.
• Consider using Backup Recovery and Media Services for iSeries, 5722-BR1, for
automating your i5/OS and consolidated Windows servers.
2.4.2 Windows Server 2003
This section includes some Windows Server 2003 considerations.
Licensing per server / per seat
If you have more than one server, we recommend licensing per seat, because you need only
one Windows Server 2003 license per client endpoint regardless of how many servers this
client uses.
• Windows 2003 Server
One server license is required for each copy of the server software installed. In addition, a
Windows Server 2003 Client Access License (CAL) is required for each user or device (or
combination of both) that accesses or uses the server software.
• Windows 2003 Terminal Server
Windows Server 2003 Terminal Server requires that you install a license server before the
terminal server can function. In addition, a Windows 2003 Terminal Server CAL is required
for each user or device that accesses the Terminal Servers. A license server is a computer
on which Terminal Server Licensing is installed.
We install Citrix MetaFrame in all Terminal Servers as shown in Figure 2-19 on page 44.
2.4.3 Microsoft SQL Server
Microsoft SQL Server can be licensed per user or per processor. In our example network we
installed using per processor.
See the following URL to get more information in Microsoft's document SQL2Klic.doc at:
http://www.microsoft.com/sql/howtobuy/sqlserverlicensing.asp
2.4.4 Citrix Access Suite
The following editions are available:
• Enterprise Edition
Enterprise Edition provides the ultimate access infrastructure solution for large
organizations and multi-national corporations. This edition offers extensive scalability,
rapid application deployment and comprehensive management and monitoring
capabilities that large organizations need to manage access to Windows-based
applications.
• Advanced Edition
This edition builds on the features of Standard Edition to provide additional scalability,
manageability and application availability for growing organizations. MetaFrame
Presentation Server 3.0, Advanced Edition is the ideal access infrastructure solution for
small- to medium-sized organizations that need to effectively manage and deploy
applications and easily scale as organizational needs require.
• Standard Edition
Standard Edition delivers the level of control that departments, workgroups and small
organizations need to extend the reach of Windows 2000 and 2003 Servers to any device.
With this edition, small organizations can centralize IT management and control
and provide workers with secure access to applications anytime, anywhere over any
connection.
For more information, see Chapter 6, “Installing and customizing Citrix Presentation Server”
on page 135, or go to:
http://www.citrix.com/English/ps2/products/product.asp?contentID=12752
2.5 Naming conventions
Any network of systems is best managed with a pre-planned naming convention of key
systems, networking, and other components. This section describes the ones we used for our
example.
We give you examples of the names and naming conventions we used. Use these as a model
for your own names and components.
2.5.1 Components and names used in our example
If you want to set up a similar environment, you can use similar naming conventions or select
your own.
Table 2-1 shows that we used the prefixes JF, JF_ITSO, and JFSRV in most of our names. JF
is a random prefix acronym we chose for our naming convention in our example network.
Table 2-1 Example component and names used
Component | Names used in our scenario
Sites | Site_A, Site_B
iSeries systems | AS01, AS55
DNS-zone names | ITSO.COM, JF.ITSO.COM
Active Directory Root domain name | JF.ITSO.COM
Domain NetBIOS name | JF
Windows server names | JFSRV001, JFSRV002, JFSRV011, JFSRV012, JFSRV101, JFSRV111, JFSRV112
i5/OS network storage names | servername1, servername2, JF001PGM (PGM represents our “C” drive), JF001DATA (DATA represents our “D” drive), JFnumberPGM, JFnumberDATA, JF002REST
Windows disk drive labels | servername_System, servername_Programs, servername_data
Organizational unit (OU) names | JF_ITSO, JF_ITSO\Groups, JF_ITSO\Servers, JF_ITSO\Service_Accounts, JF_ITSO_TerminalServers, JF_ITSO\Users, JF_ITSO\Workstations
Group Policy Objects (GPO) names | JF_ITSO_TerminalServers, JF_ITSO_Users
DHCP scope names | Site_A__Ethernet, Site_B__Ethernet
i5/OS group names | JFGRP1, JFGRP2
Windows user templates for user propagation | temp_JFGRP1, temp_JFGRP2
Windows user accounts for Windows Services | backup_service, citrix_service, sql_service
i5/OS user names | JCOOK, FBOERNER, AS0301, AS0302, AS0303, AS0304, AS0305
File shares | JFSRV001\DFS_Root_JF, JFSRV001\Home$, JFSRV001\Profiles$, JFSRV001\Group_Shares, JFSRV001\userdata, JFSRV101\DFS_Root_JF, JFSRV101\Home$, JFSRV101\Profiles$, JFSRV101\Group_Shares, JFSRV101\userdata, JFSRV002\CID, JFSRV002\Symantec_Updates
Network printer names | SiteA_IP40_R231, SiteB_HP5L_R007
Citrix server farm name | JFs Serverfarm
Server farm zones | 9.5.92.0, 9.5.192.0
SQL Server databases | MetaFrame, MF_Resource
2.6 Planning your sites, WAN and LAN infrastructure, firewall, DNS, and DHCP
In this topic we address considerations for physical locations, sites, the Wide Area Network,
Local Area Network, Domain Name Services, and Dynamic Host Configuration Protocol (for
example, assigning IP addresses). Firewall planning is important, but we did not include this
in the Redpaper.
2.6.1 Sites
To make defining one “site” (that is, a network) easier we chose to define one location as a
network. If we have other locations now or later, we will define each as a separate location:
site/network.
If you are serious about planning for high availability and both iSeries systems have to be in
one physical location, such as a city or area within a city, you should create two or more
different sites for this location and place each iSeries system in a different site.
Figure 2-2 on page 28 shows the sites and servers we used in our scenario. We also show
you which services run on which servers and how we distributed these services between the
sites to have a better availability, even though we do not cover additional iSeries and Windows
server planning topics to achieve high levels of availability.
[Figure: Site_A (Primary) with iSeries system AS01 and Windows servers JFSRV001, JFSRV002, JFSRV011, and JFSRV012 in Zone A; Site_B (Secondary) with iSeries system AS55 and Windows servers JFSRV101, JFSRV111, and JFSRV112 in Zone B; Ethernet, Router, and Internet between the sites. Services labeled in the drawing: i5/OS V5R3 (User Admin, DNS); Windows 2003 (Domain Controller, DNS, DHCP, File Services, Print Services); Windows 2003 (SQL Server, Windows Update Server, Citrix Access Suite License Server); Windows 2003 (Terminal Services, Citrix Metaframe, Citrix Webinterface) in the server farm “JFs Serverfarm”; Active Directory/DFS Replication and I5/OS High Availability Solution/Lotus Domino Replication between the sites.]
Figure 2-2 More detailed network drawing - the services running in our scenario
When starting your iSeries-based Windows server consolidation you probably will not start
out with two iSeries servers and the secondary site network infrastructure shown in
Figure 2-2. Also you may have smaller locations where only one iSeries server is reasonable.
In that case, consider the network shown in Figure 2-3.
[Figure: Site_A (Primary) with iSeries system AS01 and Windows servers JFSRV001, JFSRV002, JFSRV011, and JFSRV012 in Zone A; JFSRV101, JFSRV111, and JFSRV112 in Zone B; Ethernet, Router, and Internet connections. Services labeled in the drawing: Windows 2003 (Domain Controller, DNS, DHCP, File Services, Print Services); Windows 2003 (SQL Server, Windows Update Server, Citrix Access Suite License Server); Windows 2003 (Terminal Services, Citrix Metaframe, Citrix Webinterface) in the server farm “JFs Serverfarm”; Active Directory/DFS Replication.]
Figure 2-3 Services running in our scenario - an alternative
In this example, servers JFSRV101, JFSRV111, and JFSRV112 are actual physical PC
workstations, connected over the external LAN to the iSeries server and consolidated
Windows servers attached to the iSeries server via an IXS or IXA.
Important: If you install and use stand-alone Windows servers, back them up. We
recommend using Veritas BackupExec to perform the backup.
Attention: Although we do not cover it in detail in this document, it is important to
anticipate the amount of data to be transmitted across the network for printing. This is often
a significant amount of data, so your planning must include considerations for the impact of
printing data on other applications that are active at the same time.
2.6.2 WAN infrastructure and firewall
To reduce the WAN traffic, each necessary service (such as DNS, DHCP, and so on) should
be available in every location. We recommend a minimum of one Active Directory domain
controller for each location. If you use Active Directory integrated DNS zones, which we
recommend, the DNS service will be available in every location automatically. If you use more
than one DNS server we recommend setting up a minimum of one DNS server per location.
Each DNS server can then hold its own set of secondary zones.
Router
We recommend prioritizing the RDP or ICA traffic when routing over low-bandwidth links. If
you are using Cisco routers, you can see more detail at:
http://support.citrix.com/servlet/KbServlet/download/4728-102-11557/Cisco_Networking_Integratio.pdf
Note
• Remote Desktop Protocol (RDP) is the Microsoft protocol used to implement its
Windows 2000 Terminal Services functions between servers and clients.
• Citrix Independent Computing Architecture (ICA) is the protocol used between Citrix
clients and Citrix servers that supports running an application on the server as if it were
installed on the client. This protocol manages screen data and user input separate from
the rest of the application.
Ethernet segments and switches
eServer i5 and iSeries systems provide virtual Ethernet LAN ports and segments to allow
high-speed connection among i5/OS (and AIX 5L 5.3 and POWER Linux) logical partitions
and Windows servers running on IBM xSeries via IXS/IXA features.
Firewall and proxy
You must consider protecting your internal LAN using a certificated firewall as well as a proxy
server that can serve as a central point for accessing the Internet. Thorough coverage of
firewall protection is beyond the scope of this paper. One suggested reference for additional
information from an iSeries viewpoint is the Redpaper Secure your e-mail server on IBM
eServer I5 with Linux, REDP-0412.
2.6.3 Domain Name System (DNS) and DHCP
We now discuss choosing platforms (operating systems) and systems for your DNS services.
DNS servers normally have a primary zone that will be updated and one or more secondary
zones that hold only a copy of the primary zone.
The main reason we use and recommend the Microsoft DNS on the Windows platform is that
typically Microsoft DNS services are already configured and running in your existing Windows
server-based network. You are probably already using Active Directory integrated zones,
which means that you are used to making changes on every copy of the zone databases, and
the replication is included in the Active Directory replication.
The DNS service is one of the important services in the whole environment. Without DNS, the
Active Directory is not accessible and no user can log on. Make sure that, at any time, one of
the DNS servers configured in DHCP or in the Ethernet configuration can be reached.
If you use Microsoft DNS with Active Directory integrated zones and you allow dynamic
updates, all Windows server and client IP addresses will be stored in the DNS server
automatically.
Note: Remember to add every non-Windows system with a manually configured IP
address to the correct DNS zones as shown in 4.1.2, “Additional configuration for the DNS
server” on page 91.
Figure 2-4 depicts our network, focusing on DNS and IP addressing. The internal virtual disk
is removed from this figure so you can focus on the DNS support. In our scenario we used the
iSeries Server DNS for name resolution for the DNS zone ITSO.COM and created a subzone
JF.ITSO.COM, which is hosted on Windows DNS and will be used for the Windows name
resolution and Active Directory.
[Figure: network diagram of Site_A (Primary, AS01) and Site_B (Secondary, AS55), each with a virtual Ethernet, an HSL loop, a Linux partition, and an Ethernet segment behind a router, plus ClientA and ClientB. The DNS servers shown are labelled "Active Directory Integrated Zone JF.ITSO.COM", "Primary Zone ITSO.COM", and "Secondary Zone ITSO.COM", connected by Zone Replication and Zone Copy. The numbers 1 to 5 mark the lookup steps; depending on the DHCP scope options, 1 = Preferred DNS Server and 2 = Alternate DNS Server.]
Figure 2-4 DNS name resolution in our scenario
Now, we give a brief summary of how the DNS servers resolve the host name:
1. The first DNS request goes to the (Preferred) DNS server in the same site. The preferred
DNS server is set up for each client workstation through the DHCP scope options.
2. If the (Preferred) DNS server in the same site does not respond, the client routes its request
to the (Alternate) DNS server in another site.
3. If the Windows DNS server cannot resolve the host name, it forwards the request to the
iSeries DNS server in the same site. We defined this in the DNS settings in the
client’s TCP/IP properties and on the Windows DNS server.
4. If this DNS server does not respond, the forwarded request goes to the iSeries DNS in another
site.
5. If the iSeries DNS cannot resolve the host name, the request is forwarded to
another DNS server from the service provider or to one of the Internet DNS root servers.
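The lookup order in steps 1 to 5, modelled in Python as an added example (not part of the Redpaper) so that you can check which outages still leave a client able to resolve names. It assumes that clients know only the two Windows DNS servers, that JFSRV001 and JFSRV101 are the Windows DNS servers and AS01 and AS55 the iSeries DNS servers, and it uses constructed records; all function and variable names are illustrative.

```python
from dataclasses import dataclass, field

# Constructed sample records; the addresses outside 9.5.x.x are illustrative only.
WINDOWS_ZONE = {"jfsrv011.jf.itso.com": "9.5.92.86"}   # zone JF.ITSO.COM
ISERIES_ZONE = {"as01.itso.com": "192.0.2.10"}         # zone ITSO.COM
INTERNET = {"www.example.com": "192.0.2.80"}           # service provider DNS


class NoResponse(Exception):
    """The server is down or unreachable: a timeout, not a negative answer."""


@dataclass
class Server:
    name: str
    records: dict
    forwarders: list = field(default_factory=list)
    up: bool = True


def query(server, host, trail):
    """Answer from local records, otherwise forward (steps 3 to 5)."""
    if not server.up:
        raise NoResponse(server.name)
    trail.append(server.name)
    if host in server.records:
        return server.records[host]
    for forwarder in server.forwarders:
        try:
            return query(forwarder, host, trail)
        except NoResponse:
            continue              # try the next forwarder only after a timeout
    return None                   # nobody could resolve the name


def build(down=()):
    """Wire up both sites; 'down' names the servers that are unavailable."""
    isp = Server("ISP", INTERNET)
    as01 = Server("AS01", ISERIES_ZONE, [isp])
    as55 = Server("AS55", ISERIES_ZONE, [isp])
    win_a = Server("JFSRV001", WINDOWS_ZONE, [as01, as55])
    win_b = Server("JFSRV101", WINDOWS_ZONE, [as55, as01])
    for server in (isp, as01, as55, win_a, win_b):
        server.up = server.name not in down
    # DHCP scope options: preferred server first, alternate second.
    return {"Site_A": [win_a, win_b], "Site_B": [win_b, win_a]}


def lookup(site, host, down=()):
    """Return (address or None, names of the servers that handled the request)."""
    trail = []
    for resolver in build(down)[site]:
        try:
            return query(resolver, host, trail), trail
        except NoResponse:
            continue              # steps 1 and 2: fall back to the alternate
    return None, trail


if __name__ == "__main__":
    for outage in ((), ("JFSRV001",), ("AS01",), ("JFSRV001", "JFSRV101")):
        print(outage, lookup("Site_A", "as01.itso.com", down=outage))
```

Under these assumptions, a lookup with both Windows DNS servers down returns no answer even though both iSeries DNS servers are still running, which is the outage the planning has to prevent.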
The forwarding of the request to resolve the host name continues until the host name IP
address is found or an error occurs. You should plan your network to determine how the client
workstations get the TCP/IP configuration. If you do not want to configure every workstation
with a unique IP address, you should use DHCP, which assigns an IP address within a range
your network administrator determines. It is typical that certain servers need a specific IP
address always assigned to them. Examples would include the iSeries systems, the DNS server,
and the DHCP server itself. You configure these IP addresses manually.
There are also devices, for example printers, that always need the same IP address. As an
alternative to manually assigning an IP address, consider using the Reservation function in
DHCP. This means that you bind an IP address to a MAC address, so the system
always gets the same IP address from the DHCP server. Consider using this if the IP addresses
in your environment have to change whenever your network configuration changes and you need
to reconfigure the Ethernet IP address ranges. The risk of using
this technique is that if the DHCP server is not available, the device is not reachable.
Another risk with the Reservation function arises if you change the Ethernet
card but forget to change the reservation entry to fit the new MAC address.
Our example network DHCP servers, scope and IP address ranges are shown in Table 2-2.
Table 2-2 DHCP scopes used in our scenario
DHCP server   Scope              IP addresses lease
JFSRV001      Site_A__Ethernet   9.5.92.100 - 9.5.92.120
JFSRV001      Site_B__Ethernet   9.5.192.200 - 9.5.192.249
JFSRV101      Site_A__Ethernet   9.5.92.200 - 9.5.92.249
JFSRV101      Site_B__Ethernet   9.5.192.100 - 9.5.192.199
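Splitting each subnet between two DHCP servers only works if the lease ranges never overlap and never cover a manually configured address. The following Python check is an added example, not part of the Redpaper: the scopes are those of Table 2-2, the static addresses are the router and server addresses that appear in the figures of this section, and the function names are illustrative.

```python
import ipaddress
from itertools import combinations

# Scopes from Table 2-2: (DHCP server, scope name, first lease, last lease).
SCOPES = [
    ("JFSRV001", "Site_A__Ethernet", "9.5.92.100", "9.5.92.120"),
    ("JFSRV001", "Site_B__Ethernet", "9.5.192.200", "9.5.192.249"),
    ("JFSRV101", "Site_A__Ethernet", "9.5.92.200", "9.5.92.249"),
    ("JFSRV101", "Site_B__Ethernet", "9.5.192.100", "9.5.192.199"),
]

# Manually configured addresses (routers and servers) taken from the figures;
# extend this list with your own statically addressed hosts.
STATIC = [
    "9.5.92.1", "9.5.92.21", "9.5.92.85", "9.5.92.86", "9.5.92.88", "9.5.92.89",
    "9.5.192.1", "9.5.192.21", "9.5.192.86", "9.5.192.88", "9.5.192.89",
]


def to_range(first, last):
    """Convert the two ends of a lease range into a pair of integers."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range {first} - {last} is reversed")
    return lo, hi


def overlapping_scopes(scopes):
    """Return pairs of scopes whose lease ranges share at least one address."""
    hits = []
    for a, b in combinations(scopes, 2):
        a_lo, a_hi = to_range(a[2], a[3])
        b_lo, b_hi = to_range(b[2], b[3])
        if a_lo <= b_hi and b_lo <= a_hi:
            hits.append((a[:2], b[:2]))
    return hits


def static_collisions(scopes, static):
    """Return (address, server, scope) for static addresses inside a lease range."""
    hits = []
    for addr in static:
        value = int(ipaddress.IPv4Address(addr))
        for server, name, first, last in scopes:
            lo, hi = to_range(first, last)
            if lo <= value <= hi:
                hits.append((addr, server, name))
    return hits


def surviving_leases(scopes, failed_server):
    """Addresses per scope name that can still be leased if one server is down."""
    left = {}
    for server, name, first, last in scopes:
        lo, hi = to_range(first, last)
        left.setdefault(name, 0)
        if server != failed_server:
            left[name] += hi - lo + 1
    return left


if __name__ == "__main__":
    print("overlaps:", overlapping_scopes(SCOPES))
    print("static collisions:", static_collisions(SCOPES, STATIC))
    for server in ("JFSRV001", "JFSRV101"):
        print(f"{server} down ->", surviving_leases(SCOPES, server))
```

Compare the surviving lease counts with the number of DHCP clients at each site to see whether one server can carry a site alone while the other is being repaired.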
In Figure 2-5 on page 32, we show where we placed the DHCP servers and scopes. In this
figure we have removed the internal disk and DNS information to focus on the DHCP
configuration.
[Figure: network diagram of Site_A (Primary, AS01) and Site_B (Secondary, AS55) with the DHCP clients ClientA and ClientB. Site_A servers: JFSRV001 (9.5.92.21), JFSRV002 (9.5.92.85), JFSRV011 (9.5.92.86), JFSRV012 (9.5.92.88). One DHCP server is labelled with the scopes "Site_A__Ethernet 70% addresses for Site_A (9.5.92.xx)" and "Site_B__Ethernet 30% addresses for Site_B (9.5.192.xx)"; the other with "Site_A__Ethernet 30% addresses for Site_A (9.5.92.xx)" and "Site_B__Ethernet 70% addresses for Site_B (9.5.192.xx)".]
Figure 2-5 DHCP servers and scopes used in our scenario
2.7 Planning your Windows Environment and Active Directory
For Windows Server 2003 considerations, refer to Microsoft Windows Server 2003 Integration
with iSeries, SG24-6959.
The following sections address additional steps you should consider prior to setting up your
first Windows server.
2.7.1 Disk space and drive mapping
It is very important to plan for the amount of disk space required to run your environments.
After you have installed the server and used the disks for a while, it is harder to enlarge storage
spaces, so we recommend creating them with a size that you are fairly certain will meet your
requirements. Note that the C and D drives are not expandable after configuration. If you
create volumes on additional drives, these drives are easily expanded over their original size.
In our test scenario we used the sizes for network server storage spaces shown in Table 2-3
on page 33. If you are going to use a lot of functions that continually add to the amount of disk
storage used, you should consider increasing some of the sizes shown and carefully monitor
disk storage consumed as you put more activity into production. Consider also some amount
of additional disk space for future software fixes.
Additional disk space considerations for activity logging and future fixes are often forgotten
during the planning period.
Table 2-3 Storage space sizes used in our scenario
                             JFSRV001   JFSRV002   JFSRV011   JFSRV012
C: System                    6 GB       6 GB       6 GB       6 GB
D: Install Source Partition  1 GB       1 GB       1 GB       1 GB
E: Program Partition         4 GB       4 GB       10 GB      10 GB
F: Data Partition            10 GB      10 GB      none       none
In a real customer environment, these sizes probably are not large enough.
We recommend starting with the sizes shown in Table 2-4 but, again, this is only a
recommendation for small to moderate data volumes.
Table 2-4 Storage space sizes recommended
                             Domain controllers           Additional infrastructure   Windows Terminal Servers
                                                          server                      with Citrix MetaFrame
C: System partition          20 GB (depends on the size   10 GB                       10 GB
                             of the Active Directory)
D: Install Source Partition  1 GB                         1 GB                        1 GB
E: Program Partition         10 GB                        10 GB                       10 GB
F: Data Partition            Depends on your volume of    for Microsoft SUS 40 GB     none
                             data, minimum 30 GB
G: Data Partition2           Same as F: on DC 30 GB       space for F: on DC 30 GB    none
                             (see Note 1 below)           (see Note 2 below)
Total per kind of server     91 GB                        91 GB                       21 GB
Note 1: In a more complex network than our example you may set up to use Microsoft Distributed File System (DFS). In this environment you would need approximately twice the
amount of storage you specify here. DFS is not covered in this Redpaper. Consult your Microsoft expert for further considerations.
Note 2: This space is needed only if you follow our backup/restore procedure in 8.5, “Back
up and restore without file-level backup” on page 197. You do not need to create an additional backup i5/OS network storage space during your initial network setup. You can create
the additional network storage space later and add it to your Windows network server.
We built the following systems based on the classifications of servers used in our scenario:
• Domain controllers
– JFSRV001
– JFSRV101
• Additional infrastructure server
– JFSRV002
• Windows Terminal Server with Citrix MetaFrame
– JFSRV011
– JFSRV012
– JFSRV111
– JFSRV112
If you want to store the installation files for programs, drivers and so on in the data partition of
the infrastructure server, which is a good idea, you should add the necessary disk space.
You also need to plan the drive mappings for the workstation’s users.
Decide which drive letter to use for the user’s home directory. Our experience is that a lot of
customers use drive H: as the home directory. However, sometimes this letter is used for
another local drive. Therefore, for a home directory we recommend using a higher letter. In
our scenario, we use Y for the user’s home directory.
2.7.2 Plan the parts of Active Directory
For planning, refer to Microsoft Windows Server 2003 Integration with iSeries, SG24-6959, in
the appendix about Active Directory.
Sites
The site configuration in Active Directory should be based on your planning in 2.6.1, “Sites”
on page 27.
Our scenario has two locations, Site_A and Site_B as described in “Sites” on page 27. Site_A
is the primary iSeries system and Site_B is the location for the backup iSeries system. Each
has its own Ethernet subnet and one internal virtual Ethernet subnet, which is accessible only
for iSeries Integrated Windows servers within the same iSeries.
DNS/DHCP
Active Directory is based upon the DNS service being set up correctly and being active.
Refer to “Domain Name System (DNS) and DHCP” on page 29.
Organizational units (OU)
Organizational units is the term used to cover all of the “addressable objects” (servers,
workstations, printers, users and user groups, and more). The OUs represent a hierarchy in
the network, and we recommend creating an OU structure that is based on the Active
Directory. Each OU can contain different objects and each domain can have its own grouping
logic in OUs; for example, for JF_ITSO:
• JF_ITSO\Groups
• JF_ITSO\Servers
• JF_ITSO\Service_Accounts
• JF_ITSO_TerminalServers
• JF_ITSO\Users
• JF_ITSO\Workstations
Group Policy Objects (GPO)
Group Policy Objects are an important part of Active Directory. You can create a set of GPOs
and attach these objects to OUs.
Each Group Policy includes two parts: one with computer settings, the other one with user
settings. You can and should define only the settings you want to enable.
You can download an Excel file named Group Policy Settings Reference from the Microsoft
Download Center at:
http://www.microsoft.com/downloads/search.aspx?displaylang=en
Search for “Group Policy Settings Reference.” This Excel file lists possible settings for GPOs.
2.8 User propagation
We prefer to propagate only the user profiles from i5/OS that will be needed in the Windows
environment.
One way to do this is to create one or more i5/OS group profiles with WRKUSRPRF *ALL and then
use option 1 (create). You should create more than one group profile because you can have
only one user template in the Windows environment per i5/OS group profile to create users. If
you want to use different templates in Windows to create the accounts, you have to create
different group profiles in i5/OS.
Reasons for using different templates include:
• Different login scripts
• Different group membership
2.8.1 Prepare User Profiles for our test scenario
In our scenario, we use two i5/OS group profiles for the user propagation:
• JFGRP1, which we use to create Domain Administrators in Windows
• JFGRP2, which we use to create Domain Users in Windows
If you want to create an i5/OS group profile in i5/OS within a 5250 session interface instead of
the iSeries Navigator interface, you have to create a user profile first. This profile is made a
group profile by being specified in the group profile parameter in another i5/OS user profile.
Using iSeries Navigator you can explicitly create a profile as a group profile.
In this section we used the i5/OS 5250 session and the Create User Profile (CRTUSRPRF)
command. Figure 2-6 on page 36 shows the command we used to create the group profiles.
                        Create User Profile (CRTUSRPRF)
Type choices, press Enter.

User profile . . . . . . . . . . > JFGRP1        Name
User password  . . . . . . . . .   *NONE
Set password to expired  . . . .   *NO           *NO, *YES
Status . . . . . . . . . . . . .   *ENABLED      *ENABLED, *DISABLED
User class . . . . . . . . . . .   *USER         *USER, *SYSOPR, *PGMR...
Assistance level . . . . . . . .   *SYSVAL       *SYSVAL, *BASIC, *INTERMED...
Current library  . . . . . . . .   *CRTDFT       Name, *CRTDFT
Initial program to call  . . . .   *NONE         Name, *NONE
  Library  . . . . . . . . . . .                 Name, *LIBL, *CURLIB
Initial menu . . . . . . . . . .   MAIN          Name, *SIGNOFF
  Library  . . . . . . . . . . .     *LIBL       Name, *LIBL, *CURLIB
Limit capabilities . . . . . . .   *NO           *NO, *PARTIAL, *YES
Text 'description' . . . . . . .   Group Profile 1 for user propagation

                                                                        Bottom
Figure 2-6 Create a user profile to use as a group profile
After you create the group profiles in i5/OS, you have to change every existing user profile
that should be propagated to Windows and add one of these group profiles as shown in the
next two figures (Figure 2-7 on page 37 and Figure 2-8 on page 37).
We added the following users to the groups:
• JFGRP1
– JCOOK
– FBOERNER
• JFGRP2
– AS0301
– AS0302
– AS0303
– AS0304
– AS0305
                        Change User Profile (CHGUSRPRF)
Type choices, press Enter.

User profile . . . . . . . . . . > JCOOK         Name
User password  . . . . . . . . .   *SAME
Set password to expired  . . . .   *NO           *SAME, *NO, *YES
Status . . . . . . . . . . . . .   *ENABLED      *SAME, *ENABLED, *DISABLED
User class . . . . . . . . . . .   *SECOFR       *SAME, *USER, *SYSOPR...
Assistance level . . . . . . . .   *INTERMED     *SAME, *SYSVAL, *BASIC...
Current library  . . . . . . . .   *CRTDFT       Name, *SAME, *CRTDFT
Initial program to call  . . . .   QCMD          Name, *SAME, *NONE
  Library  . . . . . . . . . . .     *LIBL       Name, *LIBL, *CURLIB
Initial menu . . . . . . . . . .   MAIN          Name, *SAME, *SIGNOFF
  Library  . . . . . . . . . . .     *LIBL       Name, *LIBL, *CURLIB
Limit capabilities . . . . . . .   *NO           *SAME, *NO, *PARTIAL, *YES
Text 'description' . . . . . . .   'Jim Cook 3-9011 **'

                                                                       More...
Figure 2-7 Add group profile to existing user profile - 1 of 2
Press F10 and go to the group profile section.
                        Change User Profile (CHGUSRPRF)
Type choices, press Enter.

Keyboard buffering . . . . . . .   *SYSVAL       *SAME, *SYSVAL, *NO...
Maximum allowed storage  . . . .   *NOMAX        Kilobytes, *SAME, *NOMAX
Highest schedule priority  . . .   3             0-9, *SAME
Job description  . . . . . . . .   QDFTJOBD      Name, *SAME
  Library  . . . . . . . . . . .     QGPL        Name, *LIBL, *CURLIB
Group profile  . . . . . . . . .   jfgrp1        Name, *SAME, *NONE
Owner  . . . . . . . . . . . . .   *USRPRF       *SAME, *USRPRF, *GRPPRF
Group authority  . . . . . . . .   *NONE         *SAME, *NONE, *ALL...
Group authority type . . . . . .   *PRIVATE      *PRIVATE, *PGP, *SAME
Supplemental groups  . . . . . .   *NONE         Name, *SAME, *NONE
               + for more values
Accounting code  . . . . . . . .   '618934897'
Document password  . . . . . . .   *SAME         Name, *SAME, *NONE
Message queue  . . . . . . . . .   JCOOK         Name, *SAME, *USRPRF
  Library  . . . . . . . . . . .     QUSRSYS     Name, *LIBL, *CURLIB
Delivery . . . . . . . . . . . .   *NOTIFY       *SAME, *NOTIFY, *BREAK...

                                                                       More...
Figure 2-8 Add group profile to existing user profile - 2 of 2
Assuming that the group profiles already exist, add the group profile.
Create templates in Windows
Using templates for user propagation is optional. However, we used them and found them
very useful.
Our next step for the user propagation is to create the templates in the Windows environment.
You can do this after you have created the first domain controller with the DCPROMO function
(refer to 4.1, “Setting up Active Directory” on page 86) and you have created the file sharing
environment as described in 4.4, “Creating the folder structure on JFSRV001” on page 116.
Configure one template for each i5/OS group profile you want to use for user propagation. In
our case, we created and configured two templates:
• temp_JFGRP1
• temp_JFGRP2
To create these templates, use the Active Directory Users and Computers console. As shown
in Figure 2-9, click Users → New → User.
Figure 2-9 Create and configure user template in Windows - 1 of 8
This opens the New Object - User window shown in Figure 2-10.
Figure 2-10 Create and configure user template in Windows - 2 of 8
We show the configuration of template temp_JFGRP1 in the following sequence of figures.
Use similar parameters for temp_JFGRP2.
1. Specify a password you can remember. As shown in Figure 2-11, you should disable the
account because nobody should be able to log on with this account; it is only a template to
create user accounts.
Figure 2-11 Create and configure user template in Windows - 3 of 8
2. After you have created the account, change the properties for the template accounts to fit
your environment. Note that we set the password and account to never expire.
Figure 2-12 Create and configure user template in Windows - 4 of 8
Note: In this Redpaper, we show only the tabs that we think are most important to edit. You
should examine the other tab windows to determine whether they are also important to
your environment.
Figure 2-13 and Figure 2-14 on page 41 show the two ways to access the files for the
roaming profile and the users home directory.
During the creation process of users in Windows, every user account gets a System Identifier
(SID), which is unique. All rights (for example, NTFS rights) are based on this SID.
Important: If you delete the user account, change the template, and re-create the user
account, the account gets a different SID and the user cannot access his existing files.
After a user has been created, has received its unique SID, and has performed functions that
create files, changes require a great deal of time and energy. It is much better to plan your
users and consider the range of capabilities of each user or group of users before starting to
configure them!
The most important settings to configure are:
• Profile path
This path points to the folder where the roaming profile files will be stored. This is
necessary in order to have the same desktop and environment on each PC where the
user logs on.
• Logon script
You should use the logon script to map necessary shares (for example, group shares)
where the files for the workgroup should be saved. The access rights to the files in the
group share structure are assigned with NTFS rights.
• Home directory
This path is where all files owned by the user should be stored. It is very important for your
backup strategies to have all files on the file server.
The window in Figure 2-13 shows the access if you do not want to use Distributed File
System (DFS™). The window in Figure 2-14 on page 41 shows the access parameter values
if you want to use the DFS. You can choose only one possibility, and you make this decision
before you start enrolling the users, because the template is used only once.
Figure 2-13 Create and configure user template in Windows - 5 of 8
Figure 2-14 Create and configure user template in Windows - 6 of 8
If you want different settings for the roaming profile or the home directory for sessions on the
Terminal server, you can specify a different location in the Terminal Services Profile tab
properties as shown in Figure 2-15.
Figure 2-15 Create and configure user template in Windows - 7 of 8
On the Member Of tab you can specify the Windows groups in which the user should be
included. Figure 2-16 includes the value to propagate our users so they have Domain Admin
rights in the Windows domain.
Figure 2-16 Create and configure user template in Windows - 8 of 8
Enroll the users
For more background about the user template on the Windows side, refer to Microsoft
Windows Server 2003 Integration with iSeries, SG24-6959.
For every pair of i5/OS group profiles and Windows templates, use the i5/OS Change
Network Server User Attributes (CHGNWSUSRA) command to enroll the users.
                      Change NWS User Attributes (CHGNWSUSRA)
Type choices, press Enter.

User profile . . . . . . . . . . > JFGRP1        Name, *CURRENT
Profile type . . . . . . . . . . > *GROUP        *USER, *GROUP
Prompt control . . . . . . . . . > *WINDOWSNT    *ALL, *NETWARE, *WINDOWSNT
Propagate group members  . . . .   *ALL          *SAME, *ALL, *MBRONLY
Default server type  . . . . . .   *NWSA         *SAME, *NWSA, *NETWARE...
Windows server domain list:
  Domain . . . . . . . . . . . .   JF
  User template  . . . . . . . .   temp_JFGRP1
  Group type . . . . . . . . . .   *global       *GLOBAL, *LOCAL
               + for more values
Windows local server list:
  Server . . . . . . . . . . . .   *NONE
  User template  . . . . . . . .
               + for more values

                                                                        Bottom
Figure 2-17 CHGNWSUSRA screen
After this command has completed successfully, use the Work with Network
Server Enrolled Users (WRKNWSENR) command to verify the enrollment status for every user
profile. All user profiles you want to enroll should have the status *CURRENT.
Note: Because the default settings in a Windows 2003 domain have strict password rules,
you probably need to change the Default Domain Group Policy as shown in “Default
Domain Policy” on page 103. The password settings in Windows should correspond as
much as possible to the i5/OS profile and password rules.
2.9 Planning infrastructure to distribute Microsoft service packs and hotfixes
Figure 2-18 shows our configuration to distribute Microsoft Windows hotfixes and service
packs. We used our additional infrastructure server (JFSRV002) to run the Windows Update
Services and to download, store, and distribute the hotfixes and service packs to all Windows
servers and clients in our domain.
We do not show how to do this. If you need help, contact any certified Windows specialist.
Note: In this section we discuss Microsoft Windows-based fixes. Though not covered in
this Redpaper you also should plan for software fixes to the iSeries Integration for Windows
Server software (5722-WSV). We discuss this generally in “Running Windows commands,
synchronizing integration software” on page 6. For more about this iSeries-based subject,
refer to Microsoft Windows Server 2003 Integration with iSeries, SG24-6959.
[Figure: Site_A (Primary, AS01) with JFSRV001, JFSRV002, JFSRV011, and JFSRV012, and Site_B (Secondary, AS55) with JFSRV101, JFSRV111, and JFSRV112, connected through Ethernet and a router to the clients JFCLIENTA and JFCLIENTB. The Windows Update Files come from www.Microsoft.com on the Internet.]
Figure 2-18 Microsoft Windows Update Services infrastructure
2.10 Planning for Citrix (MetaFrame) Presentation Server
Citrix provides extended documentation in this area, as well as a calculator program on its
Web site. You can access it at:
http://www.acecostanalyzer.com
A few product documents are available on the Internet; for example, the book Getting Started
with MetaFrame Presentation Server. Search for it at:
http://support.citrix.com/
In Chapter 3, “Installing and customizing Windows Server 2003 in our example network” on
page 47 and Chapter 6, “Installing and customizing Citrix Presentation Server” on page 135,
we provide summary-level installation and application serving setup examples.
[Figure: Site_A (Primary, AS01, zone 9.5.92.0) with JFSRV001, JFSRV002, JFSRV011, and JFSRV012, and Site_B (Backup, AS55, zone 9.5.192.0) with JFSRV101, JFSRV111, and JFSRV112. Roles shown: i5/OS V5R3 (User Admin, DNS); Windows 2003 Domain Controller (DNS, DHCP, DFS, File Services, Print Services); Windows 2003 (SQL Server, Windows Update Server, Symantec Live Update Server); Windows 2003 Terminal Services (Citrix Metaframe, Citrix Webinterface). Each site has a "Most Preferred Data Collector"; the terminal servers form "JFs Serverfarm". The sites are linked by Active Directory/DFS Replication and by the i5/OS High Availability Solution/Lotus Domino Replication.]
Figure 2-19 Citrix MetaFrame structure
2.11 Planning the applications to use with Citrix Presentation Server
Decide which applications you want to install and run on Windows Terminal servers with Citrix
Presentation Server. We recommend initially installing the products that most users need. It is
important to verify that all applications you install on this kind of server work together without
problems. The applications we used in our scenario are common and work together fine.
Important: Most applications work well within the Microsoft Terminal Servers and Citrix
MetaFrame application server environments, but it is important to test each application as
it is added, including using other applications at the same time from multiple users on a
single terminal server. When validated, you can deploy to multiple servers.
In addition to the Windows applications we used developing this paper, we experienced
successful deployment of the following IBM products on iSeries IXS and IXA attached
xSeries servers:
• IBM Tivoli® Storage Manager products for Windows
• IBM Director products for Windows
Another important point is that the installation of all terminal servers should be the same. In
larger environments, you can use Citrix Installation Manager to create packages and
distribute them to all Citrix MetaFrame servers. In general, we recommend using this only if you
have more than eight Citrix MetaFrame servers to install. In this paper we do not cover Citrix
Installation Manager. For information about its use, refer to the Citrix documentation.
2.11.1 iSeries Access for Windows
In “iSeries Access” on page 122, we will install the following components:
• 5250 Display and Printer Emulation
• iSeries Navigator
• Data File Transfer
2.11.2 Microsoft Office
In “Microsoft Office” on page 132, we will install the following applications:
• Office 2003 Professional
– Access
– Excel
– PowerPoint
– Outlook
– Publisher
– Word
– InfoPath®
• Office Project 2003 Professional
• FrontPage 2003
• Visio® 2003 Professional
2.12 Printing
In “Network printer configuration” on page 62, we will install the printers planned for in
Table 2-1 on page 25.
2.13 Backup, recovery, and failover
Refer to Chapter 7, “Set up the backup system for increased availability” on page 181 and
Chapter 8, “Backup and recovery possibilities” on page 187.
Chapter 3. Installing and customizing Windows Server 2003 in our example network
This chapter provides:
• The principal i5/OS tasks before installing Microsoft Windows server in the integrated
xSeries servers
• The principal Windows operating system related tasks such as setting up disk drives and
device drivers
• Installing additional components on the Windows server
• Installing Citrix MetaFrame Access Suite Licensing Services on our JFSRV002 server
• Installing Microsoft SQL Server for the Citrix MetaFrame Data Store and Resource
Manager Database
3.1 i5/OS tasks
Before you can install the first Windows operating system on an IXS/IXA server, you have to
connect all necessary devices to the integrated xSeries servers, including Ethernet, display,
keyboard, and mouse. Then determine the iSeries hardware resources you want to use by
running the i5/OS Work with Hardware Resources command for communications resources,
WRKHDWRSC *CMN.
Figure 3-1 shows an example from our model 830 AS01 iSeries system.
The integrated xSeries server has the resource CC01 for the Communication Processor, but
the INSWNTSVR requires the File Server IOA resource, LIN10. Below the LIN10 File Server
IOA you see the installed network cards, assuming it is an integrated xSeries server: one
virtual port to use for the Virtual Ethernet PTP and up to 10 Ethernet ports, which are used for
the Virtual Ethernet.
                       Work with Communication Resources
                                                          System:   AS01
Type options, press Enter.
  5=Work with configuration descriptions   7=Display resource detail

Opt  Resource   Type  Status          Text
     CMN40      2745  Not detected    Comm Port
     CMN41      2745  Not detected    Comm Port
     CMB08      2843  Operational     Combined function IOP
     LIN24      2838  Operational     LAN Adapter
     CMN161     2838  Operational     Ethernet Port
     LIN23      2838  Operational     LAN Adapter
     CMN160     2838  Operational     Ethernet Port
     CC01       2892  Operational     Comm Processor
     LIN10      2892  Operational     File Server IOA
     CMN124     2838  Operational     Ethernet Port
     CMN42      6B00  Operational     Virtual Port
     CMN43      6B01  Operational     Ethernet Port
     CMN44      6B01  Operational     Ethernet Port
     CMN45      6B01  Operational     Ethernet Port
     CMN46      6B01  Operational     Ethernet Port
                                                                       More...
Figure 3-1 An example of WRKHDWRSC *CMN
For a hardware overview of the current adapter types, refer to 1.9, “Hardware products used”
on page 15.
Perform the following procedures for every Windows server you want to install.
You should create and use a different message queue (MSGQ) for each Windows server to
make it easier to find messages later. Figure 3-2 on page 49 shows the Create Message
Queue (CRTMSGQ) command we used for an i5/OS message queue that is assigned to our
Windows server on iSeries. We gave the queue the same name as the associated server.
                         Create Message Queue (CRTMSGQ)
Type choices, press Enter.

Message queue  . . . . . . . . . > JFSRV001      Name
  Library  . . . . . . . . . . . >   QGPL        Name, *CURLIB
Text 'description' . . . . . . . > 'Messege Queue for JFSRV001'

                           Additional Parameters

Force to auxiliary storage . . .   *NO           *NO, *YES
Queue size:
  Initial storage size . . . . .   3             Kilobytes
  Increment storage size . . . .   1             Kilobytes
  Maximum increments . . . . . .   *NOMAX        Number, *NOMAX
Authority  . . . . . . . . . . .   *LIBCRTAUT    Name, *LIBCRTAUT, *CHANGE...
Allow alerts . . . . . . . . . .   *NO           *NO, *YES
Coded character set ID . . . . .   *HEX          1-65535, *MSG, *HEX, *JOB
Message queue full action  . . .   *SNDMSG       *SNDMSG, *WRAP
Figure 3-2 Create Message Queue for JFSRV001
Consider increasing some of the default values for this Create Message Queue command
and some i5/OS system values if your configuration supports IXS and IXA attached xSeries
systems. For the message queue used by a Windows server, consider:
• Increasing the default initial storage size above 3 KB and the increment storage size
above 1 KB. For example, specify 6 KB for initial size and 2 KB for increment storage size.
There can be many Windows events generated, resulting in messages during normal
operation. Increasing values above the defaults just reduces the times i5/OS goes through
the overhead of increasing the message queue storage. This queue space extension
causes a small amount of system overhead each time it is performed. You can view and
remove these messages through the iSeries Navigator Messages interface or the
character-based Display Message (DSPMSG) command.
• Consider changing the default of Coded character set ID from *HEX (hexadecimal) to
either 65535 or some other value according to your country’s character set. If you use
*HEX the message will certainly be viewable, but few people can read the message.
򐂰 Consider changing the Message queue full action to *WRAP. You can extend the message
queue “forever” with the *NOMAX value as shown in Figure 3-2, but you probably have
more than one Windows server and in an abnormal environment, messages could take up
excessive space. Specifying a maximum number of increments lets you control this and in
an environment where the message queue is not cleared of old messages, the *WRAP
function helps you view lots of messages and overlay the oldest messages with new ones.
Also consider verifying or changing some i5/OS system values, as they have additional
considerations in the Windows server environment. For more complete information refer to
Microsoft Windows Server 2003 Integration with iSeries, SG24-6959, and the i5/OS system
value text in the following shaded box.
Important:
1. The value QRETSVRSEC has to be set to 1.
2. The system values QTIME and QDATE must be set correctly initially for your iSeries
system. Note that you can set up the system value QTIMZON (new in V5R3) initially
according to your plus or minus hours from Greenwich Mean Time (GMT) and indicate
whether you change between standard and Daylight Saving Time during the year. If you
do this, V5R3 i5/OS automatically changes the QTIME value and the QUTCOFFSET
value when a change occurs between standard and Daylight Saving Time.
With V5R3, i5/OS provides a list of acronyms representing all worldwide time zones,
each indicating whether changes between standard time and Daylight Saving Time
are going to be used. You can then specify the time of day and date when the change
between standard time and Daylight Saving Time should occur.
You can specify this through the 5250 i5/OS command interface, but it is much easier
using the iSeries Navigator interface. Select System name → Configuration and
Service → Time Management → Time Zones. To specify the date and time of day to
change between standard and Daylight Saving Time, select the Edit button on the
window displaying the QTIMZON values that can be selected.
Prior to V5R3, you had to change the QTIME and QUTCOFFSET system values
manually or via programming. With V5R3 QUTCOFFSET can no longer be explicitly
set.
This V5R3 automatic switching between standard time and Daylight Saving Time
applies to all applications running under i5/OS, not just the Windows operating system
software running on IXS and IXA attached xSeries servers.
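The message queue and QRETSVRSEC recommendations above, written as a CL program. This is an added example, not code from the Redpaper; the maximum of 100 increments and CCSID 37 are assumed sample values to adapt to your system.

```cl
/* Added example (not from the Redpaper): create the message queue   */
/* for the Windows server JFSRV001 with the larger sizes and the     */
/* *WRAP action suggested in the text, and verify QRETSVRSEC.        */
/* Assumptions: 100 maximum increments and CCSID 37 are sample       */
/* values chosen for illustration.                                   */
             PGM
             DCL        VAR(&RETSEC) TYPE(*CHAR) LEN(1)

             /* The Redpaper requires QRETSVRSEC to be 1 */
             RTVSYSVAL  SYSVAL(QRETSVRSEC) RTNVAR(&RETSEC)
             IF         COND(&RETSEC *NE '1') THEN(CHGSYSVAL +
                          SYSVAL(QRETSVRSEC) VALUE('1'))

             /* Create the queue only if it does not exist yet.      */
             /* CPF9801 = object not found.                          */
             CHKOBJ     OBJ(QGPL/JFSRV001) OBJTYPE(*MSGQ)
             MONMSG     MSGID(CPF9801) EXEC(DO)
                /* SIZE = initial KB, increment KB, max increments   */
                CRTMSGQ    MSGQ(QGPL/JFSRV001) +
                             TEXT('Message queue for JFSRV001') +
                             SIZE(6 2 100) CCSID(37) MSGQFULL(*WRAP)
             ENDDO
             ENDPGM
```

With MSGQFULL(*WRAP) the oldest messages are overlaid once the maximum increments are used, so size the queue for how long forwarded Windows event log messages need to stay viewable in i5/OS.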
We suggest editing the IBM-provided start-up programs (or your own version) to start the
Windows servers you want started.
Figure 3-3 shows the start-up program we used, with lines added to the start-up program
provided with i5/OS. Because in the Windows environment it is important that the domain
controller is up first, we used a few DLYJOB commands to be sure. It is also important that the
Citrix MetaFrame database is available before the first Citrix MetaFrame server comes up. In
our scenario, this database is based on JFSRV002.
/* Start TCP/IP and allow it time to come up */
QSYS/STRTCP
MONMSG     MSGID(CPF0000)
DLYJOB     DLY(120)
QSYS/STRDOMSVR SERVER(jfdomino)
MONMSG     MSGID(CPF0000)
/* Domain controller first, then wait before starting the next server */
QSYS/VRYCFG CFGOBJ(JFSRV001) CFGTYPE(*NWS) STATUS(*ON)
MONMSG     MSGID(CPF0000)
DLYJOB     DLY(400)
/* Server that holds the Citrix MetaFrame database */
QSYS/VRYCFG CFGOBJ(JFSRV002) CFGTYPE(*NWS) STATUS(*ON)
MONMSG     MSGID(CPF0000)
DLYJOB     DLY(400)
/* Remaining Windows servers */
QSYS/VRYCFG CFGOBJ(JFSRV011) CFGTYPE(*NWS) STATUS(*ON)
MONMSG     MSGID(CPF0000)
QSYS/VRYCFG CFGOBJ(JFSRV012) CFGTYPE(*NWS) STATUS(*ON)
MONMSG     MSGID(CPF0000)
Figure 3-3 Additional lines in the start program
Next, you can install your Windows servers.
3.1.1 Installing your Windows server under i5/OS
Note on the first screen (Figure 3-4) of the Install Windows Server (INSWNTSVR) command
that you can only configure the TCP/IP port if you install it on an Integrated xSeries server.
For an IXA attached xSeries server, you should follow the ServerGuide™ Install process. You
will configure the Ethernet port later in this install process or later within the Windows
operating system itself.
The resource name, LIN10, was obtained from the screen output of the Work with Hardware
Resources (WRKHDWRSC) command *CMN parameter that we used earlier. You are
responsible for defining the appropriate IP address, subnet mask, and any gateway address
you use in your environment.
                      Install Windows Server (INSWNTSVR)
Type choices, press Enter.
Network server description . . . > JFSRV001      Name
Installation type  . . . . . . . > *FULL         *FULL, *BASIC
Resource name  . . . . . . . . . > LIN10         Name
Domain role  . . . . . . . . . . > *SERVER       *DMNCTL, *SERVER
Windows server version . . . . . > *WIN2003      *WIN2000, *WIN2003
Windows source directory . . . . > '/windows2003/Enterprise/
Install option . . . . . . . . .   *INSTALL      *INSTALL, *UPGRADE
TCP/IP port configuration:
  Port . . . . . . . . . . . . . > 1             *NONE, 1, 2, 3, 4
  Windows internet address . . . > '9.5.92.85'
  Windows subnet mask  . . . . . > '255.255.255.128'
  Windows gateway address  . . . > '9.5.92.1'
             + for more values
                                                                     More...
Figure 3-4 JFSRV001 - 1 of 7
Specify the MSGQ you want to use (our previously created JFSRV001 message queue in our
example). The Virtual Ethernet Port configuration will be done later.
                      Install Windows Server (INSWNTSVR)
Type choices, press Enter.
Virtual ethernet port:
  Port . . . . . . . . . . . . . > *NONE         *NONE, *VRTETH0, *VRTETH1...
  Windows internet address . . .
  Windows subnet mask  . . . . .
  Associated port  . . . . . . .                 Name, *NONE
             + for more values
TCP/IP local domain name . . . .   *SYS
TCP/IP name server system  . . .   *SYS
             + for more values
Server message queue . . . . . .   JFSRV001      Name, *JOBLOG, *NONE
  Library  . . . . . . . . . . .     qgpl        Name, *LIBL, *CURLIB
Event log  . . . . . . . . . . .   *ALL          *ALL, *NONE, *SYS, *SEC, *APP
             + for more values
                                                                     More...
Figure 3-5 JFSRV001 2 of 7
We include (from Microsoft Windows Server 2003 Integration with iSeries, SG24-6959) the
caution to use care if the QSYSOPR message queue is specified. This is because the volume
of Windows event log messages is unpredictable and could be quite large.
In Figure 3-6, specify the partition sizes for the Windows System drive and for the drive that
holds the installation files used later. These drives are C: and D: by default. Plan the size for
the Windows System drive carefully, as discussed in 2.7.1, “Disk space and drive mapping”
on page 32.
We recommend that you install every Windows server consolidated on an iSeries IXS/IXA
xSeries server as a stand-alone server first and use the Windows functionality to add it to the
domain later. Otherwise the command may fail if the domain controller is not running or is in a
different subnet.
                      Install Windows Server (INSWNTSVR)
Type choices, press Enter.
Server storage space sizes:
  Install source size  . . . . . > 1000          500-2047, *CALC
  System size  . . . . . . . . . > 6000          1024-1024000, *CALC
Storage space ASP:
  Install source ASP . . . . . .   1             1-255
  System ASP . . . . . . . . . .   1             1-255
Server storage ASP device:
  Install source ASP device  . .                 Name
  System ASP device  . . . . . .                 Name
Convert to NTFS  . . . . . . . . > *YES          *NO, *YES
To workgroup . . . . . . . . . .   JF
To domain  . . . . . . . . . . .
Full Name  . . . . . . . . . . .   JF 4731
Organization . . . . . . . . . .   IBM ITSO
                                                                     More...
Figure 3-6 JFSRV001 3 of 7
In Figure 3-7, enter the type, client, and terminal services licensing you have for the server.
We explained the licensing modes in 2.7.2, “Plan the parts of Active Directory” on page 34.
You also should base the Shutdown timeout value on your experience with the time it takes to
shut down your Windows configuration on external workstation servers. iSeries has to know
how long to wait when it attempts to shut down a server, for example, using the iSeries
Navigator interface Network → Windows Administration → Integrated xSeries Servers.
The time value is used to ensure that the shut down Windows request from i5/OS can
continue if the Windows operating system shutdown process encounters a problem.
This is a good time to mention that you should never shut down an xSeries server attached to
the iSeries via the IXA by simply powering it off. This stops the internal communication over
the HSL loop between the system and the xSeries server before the necessary shutdown
communication can be completed. Shutdown should be requested from i5/OS using either the
iSeries Navigator interface or using the 5250 command interface to vary off the xSeries
server—for example, using the Work with Configuration Status (WRKCFGSTS) command.
                      Install Windows Server (INSWNTSVR)
Type choices, press Enter.
Language version . . . . . . . .   *PRIMARY      *PRIMARY, 2911, 2922, 2923...
Synchronize date and time  . . .   *YES          *YES, *NO
Propogate domain user  . . . . .   *YES          *YES, *NO
Windows license key  . . . . . .   xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
License mode:
  License type . . . . . . . . .   *PERSEAT      *PERSEAT, *PERSERVER
  Client licenses  . . . . . . .   50            5-9999, *NONE
  Terminal services  . . . . . .   *NONE         *NONE, *TSENABLE...
Restricted device resources  . .   *NONE         Name, *NONE, *ALL...
             + for more values
Shutdown timeout . . . . . . . .   3             2-45
Text 'description' . . . . . . .   JFSRV001 Domain Controller, Port1=Eth
                                                                     More...
Figure 3-7 JFSRV001 4 of 7
For all other values we take the default values.
The command is issued from the iSeries 5250 session but you need to complete the task on
the Windows server console:
• Accept the license agreement.
• Insert the password for the local Administrator.
• Change the time zone.
For IXA attached xSeries, configure the Ethernet adapter and specify the Ethernet address.
You must install the necessary drivers before you can do this. Use the ServerGuide CD, which
has these drivers on it.
If you do not have the necessary drivers on CD, you can download them from:
http://www.ibm.com/servers/eserver/support/xseries/allproducts/downloading.html
Next we describe how to use i5/OS virtual Ethernet support for communicating with the
IXS/IXA servers and logical partitions using i5/OS, Linux, and AIX 5L V5.3.
The following Create Line Ethernet Description (CRTLINETH) command shows how to add a
virtual IP address to a Network server description (NWSD). The naming convention used for
the name is very important. You should run this command for every Windows server you have
created. In our scenario we want to have only one Virtual Ethernet on each iSeries with all
xSeries servers on this system participating in our example network connected over one
Virtual Ethernet. The Resource name of *NWSD and the NWSD name and port tie this line to
its associated Windows server description.
To insert the Frame Size, press F10 - Additional Parameters.
                   Create Line Desc (Ethernet) (CRTLINETH)
Type choices, press Enter.
Line description . . . . . . . . > JFSRV001V1    Name
Resource name  . . . . . . . . . > *NWSD         Name, *NWID, *NWSD
Vary on wait . . . . . . . . . .   *NOWAIT       *NOWAIT, 15-180 seconds
Network server description:
                                 > JFSRV001      Name, *NONE
  Port number  . . . . . . . . . > *VRTETH1      1-2, *VRTETHPTP, *VRTETH0...
Associated port resource name  .   *NONE         Name, *NONE
Local adapter address  . . . . .   *ADPT         020000000000-FEFFFFFFFFFF...
Exchange identifier  . . . . . .   *SYSGEN       05600000-056FFFFF, *SYSGEN
Ethernet standard  . . . . . . .   *ALL          *ETHV2, *IEEE8023, *ALL
Line speed . . . . . . . . . . . > 1G            10M, 100M, 1G, *AUTO
Duplex . . . . . . . . . . . . . > *FULL         *HALF, *FULL, *AUTO
Maximum frame size . . . . . . . > 8996          1496-8996, 1496, 8996
Figure 3-8 Create a LIND for the virtual Ethernet
Note: Run this command for each Windows server on the iSeries Server with the same
extension in the Line description (in our example, V1). Assign an address to the virtual
Ethernet configuration using the Change Network Server Description (CHGNWSD)
command, then vary off and on the server to get the connection configured automatically
on the Windows server.
3.1.2 Setting up your network storage spaces
As explained in 2.7.1, “Disk space and drive mapping” on page 32, you should use additional
partitions for the Windows server. You create these as follows. You can run this command
independent from the INSWNTSVR command, but the network server storage spaces should
be created and initially linked as soon as possible. The actual sizes and the names you enter
depend on your planning requirements.
In Figure 3-9 on page 56, we create the network server storage space for the Windows
programs.
                     Create NWS Storage Space (CRTNWSSTG)
Type choices, press Enter.
Network server storage space . . > JF001PGM      Name
Size . . . . . . . . . . . . . .   4000          *CALC, 1-1024000 megabytes
From storage space . . . . . . .   *NONE         Name, *NONE
Format . . . . . . . . . . . . .   *NTFS         *NTFS, *FAT, *FAT32, *OPEN...
Auxiliary storage pool ID  . . .   1             1-255
ASP device . . . . . . . . . . .                 Name
Figure 3-9 Create the network server storage space for the programs
In Figure 3-10, we create the Network Server Storage space for the data.
                     Create NWS Storage Space (CRTNWSSTG)
Type choices, press Enter.
Network server storage space . . > JF001DATA     Name
Size . . . . . . . . . . . . . .   10000         *CALC, 1-1024000 megabytes
From storage space . . . . . . .   *NONE         Name, *NONE
Format . . . . . . . . . . . . .   *NTFS         *NTFS, *FAT, *FAT32, *OPEN...
Auxiliary storage pool ID  . . .   1             1-255
ASP device . . . . . . . . . . .                 Name
Figure 3-10 Create the network server storage space for the data
You can verify all of your network server storage spaces with the Work with Network Storage
(WRKNWSSTG) command.
To make the Windows server operational, add one or more network server storage spaces to
the Windows server you created starting with Figure 3-4 on page 51. To do this for your initial
Windows server configuration on an IXS or IXA, we recommend shutting down the Windows
server through any of the following interfaces:
• iSeries Navigator: Windows Administration → Integrated xSeries Servers → <select a
server> → Shutdown
• i5/OS Windows Network Server Description (WRKNWSD) command and then selecting
option 8, followed by option 2 (vary off)
• i5/OS Work with Configuration Status (WRKCFGSTS) command CFGTYP (*nws),
followed by option 2 (vary off)
You should add the links in the same sequence that you will want to use the drive letters in
Windows. That is, C: and D: are already created through INSWNTSVR, then we add the
programs drive (which gets E:) and the data drive (which gets F:) later through Windows
commands.
Important: Fixed storage links (dynamic storage link *NO) are “seen” by Windows
before dynamic links (dynamic storage link *YES). This sequencing determines which disk
drive letter is assigned to the storage link within Windows.
                    Add Server Storage Link (ADDNWSSTGL)
Type choices, press Enter.
Network server storage space . . > JF001PGM      Name
Network server description . . . > JFSRV001      Name
Dynamic storage link . . . . . .   *NO           *NO, *YES
Network server type  . . . . . .   *NWSD         Character value
Access . . . . . . . . . . . . .   *UPDATE       *UPDATE, *READ, *SHRUPD
Drive sequence number  . . . . .   *CALC         1-64, *CALC, *QR
Figure 3-11 Add a link for the Network Server Storage space
After you have added all storage links to the server, you can start it (vary it on) using any of
the three interfaces just listed for shutting down (varying off) the server. For example, with the
i5/OS Windows Network Server Description (WRKNWSD) command, select option 8, then
option 1 (vary on).
After the Windows server is active (varied on using the 5250 command interface or started
using the iSeries Navigator interface), you can configure the virtual Ethernet adapter and the
additional disk spaces on the Windows server. The VE adapter should be configured
automatically after a reboot of the Windows server.
iSeries support includes the Dynamic storage link option, which enables you to add the
Network server storage space link without shutting down the Windows server. This is done
using the ADDNWSSTGL command with DYNAMIC(*YES) or the iSeries Navigator interface
Windows Administration → Disk Drives → Add link.
Using this dynamic interface is best after your initial configuration is up and running. You can
do this at any point after the install.
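The storage space steps of this section as one CL program, using the names and sizes from Figure 3-9 through Figure 3-11. This is an added example, not code from the Redpaper; it assumes JFSRV001 is varied on when the program starts, and the error handling and message text are illustrative.

```cl
/* Added example (not from the Redpaper): create the programs and    */
/* data storage spaces for JFSRV001 and link them in drive order.    */
/* Assumption: JFSRV001 is varied on when this program starts.       */
             PGM
             /* Stop at the first failure so that the links are      */
             /* never added out of sequence; the link sequence       */
             /* decides which space becomes E: and which F:.         */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAILED))

             /* The text recommends shutting the server down before  */
             /* adding fixed (non-dynamic) links.                    */
             VRYCFG     CFGOBJ(JFSRV001) CFGTYPE(*NWS) STATUS(*OFF)

             /* Sizes are in megabytes, as on the prompt screens */
             CRTNWSSTG  NWSSTG(JF001PGM) NWSSIZE(4000) FORMAT(*NTFS)
             CRTNWSSTG  NWSSTG(JF001DATA) NWSSIZE(10000) FORMAT(*NTFS)

             /* C: and D: already exist from INSWNTSVR, so link the  */
             /* programs space first (E:) and the data space next    */
             /* (F:).                                                */
             ADDNWSSTGL NWSSTG(JF001PGM) NWSD(JFSRV001) DYNAMIC(*NO)
             ADDNWSSTGL NWSSTG(JF001DATA) NWSD(JFSRV001) DYNAMIC(*NO)

             VRYCFG     CFGOBJ(JFSRV001) CFGTYPE(*NWS) STATUS(*ON)
             RETURN

 FAILED:     SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Storage setup for JFSRV001 stopped') +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

Unlike the start-up program in Figure 3-3, which ignores every error, this program ends on the first failing command, because a skipped link would shift the drive letters Windows assigns.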
3.2 Windows server tasks
In the Windows operating system, you find the management consoles in Administrative Tools.
For the next steps we execute the computer management console as shown in Figure 3-12.
Figure 3-12 Accessing the Computer Management console
3.2.1 Install necessary device drivers
In some cases, usually with IXA attached xSeries servers, you have to install additional
device drivers.
Normally you find these drivers on the ServerGuide CD. If you need a driver that is not on the
CD or you want a newer version of a driver, you can download drivers from:
http://www.ibm.com/servers/eserver/support/xseries/allproducts/downloading.html
3.2.2 Configure the disk drives
Next, configure the additional disk drives you created in 3.1, “I5/OS tasks” on page 48.
Figure 3-13 shows the Disk Management view after the default installation; only drive C: and
D: are created and available. We recommend changing drive letters for CD-ROM drives first.
We used drive R: for the first CD drive.
Figure 3-13 Disk management
Then you can create additional partitions for the network server storage spaces you have
already created and linked manually in i5/OS. We choose an extended partition because you
do not want to boot from this partition. You can create more than one logical drive (as
described in the Description text in Figure 3-14 on page 59) for disk 2 and disk 3.
Figure 3-14 Creating a partition
After you have created the extended partition, you can create one or more logical drives. See
2.7.1, “Disk space and drive mapping” on page 32 for information about the partitions we use
in our example network. Figure 3-15 shows creation of JFSRV001_Programs.
Figure 3-15 Creating a logical partition
We also recommend changing the name for the system drive. In our example network we
choose servername_System (JFSRV001_System) for this.
3.2.3 Setting up virtual Ethernet on the Windows servers
The virtual Ethernet in an iSeries server offers a significant advantage for communications
between i5/OS, xSeries servers on IXS/IXA, and any logical partitions within the iSeries
system itself. Virtual Ethernet provides speeds at least equal to 1 Gbps. It also is not
vulnerable to hardware and networking errors or security attacks from outside the system.
You must configure virtual Ethernet correctly to fully utilize this high-speed, server-to-server
network. Use the external hardware LAN-based network, ports, and IP addresses for normal
client workstation communications to the servers in the network.
All of this means that you must have planned carefully for your network settings and DNS. It is
not so easy to run multihomed (multiple IP addresses available on the same LAN adapter)
Windows servers, especially with Citrix on it. If you follow our instructions and make small
changes to adapt your specific environment, you should not run into problems in this area.
Study the IP addresses, subnet masks, and gateway addresses that we used in our example
network for our primary AS01 iSeries system (Table 3-1) and our secondary AS55 iSeries
system (Table 3-2) and adapt them to your environment.
Table 3-1 IP addresses used on the primary iSeries AS01
Network adapter                 JFSRV001         JFSRV002         JFSRV011         JFSRV012
IBM iSeries Virtual Ethernet Point-to-Point
  IP address                    192.168.10.2     192.168.18.8     192.168.3.4      192.168.5.4
  Subnet mask                   255.255.255.0    255.255.255.0    255.255.255.0    255.255.255.0
  Gateway
IBM iSeries Virtual Ethernet 1
  IP address                    192.168.92.85    192.168.92.86    192.168.92.88    192.168.92.89
  Subnet mask                   255.255.255.0    255.255.255.0    255.255.255.0    255.255.255.0
  Gateway
Ethernet port
  IP address                    9.5.92.85        9.5.92.86        9.5.92.88        9.5.92.89
  Subnet mask                   255.255.255.128  255.255.255.128  255.255.255.128  255.255.255.128
  Gateway                       9.5.92.1         9.5.92.1         9.5.92.1         9.5.92.1
Table 3-2 IP addresses used on the secondary iSeries AS55
Network adapter                 JFSRV101         JFSRV111         JFSRV112
IBM iSeries Virtual Ethernet Point-to-Point
  IP address                    192.168.8.2      192.168.6.2      192.168.10.2
  Subnet mask                   255.255.255.0    255.255.255.0    255.255.255.0
  Gateway
IBM iSeries Virtual Ethernet 1
  IP address                    192.168.192.85   192.168.192.88   192.168.192.89
  Subnet mask                   255.255.255.0    255.255.255.0    255.255.255.0
  Gateway
Ethernet port
  IP address                    9.5.192.85       9.5.192.88       9.5.192.89
  Subnet mask                   255.255.255.128  255.255.255.128  255.255.255.128
  Gateway                       9.5.192.1        9.5.192.1        9.5.192.1
In Figure 3-16 we show a Windows Network Connections window for one of our Windows
servers, JFSRV002. This shows the three different Ethernet adapters (two of them virtual
adapters) using the JFSRV002 column entries shown in Figure 3-1.
Figure 3-16 Ethernet configuration on JFSRV002
Example 3-1 shows the Windows command window IPCONFIG /all IP address and network
properties for the JFSRV002 server Ethernet connections shown in Figure 3-16 on page 60.
Example 3-1 IP CONFIG /all for the JFSRV002 Ethernet connections
Windows IP Configuration

Ethernet adapter Virtual Ethernet PTP:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.18.8
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Virtual Ethernet :
   Connection-specific DNS Suffix  . : jf.itso.ibm.com
   IP Address. . . . . . . . . . . . : 192.168.92.86
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet :
   Connection-specific DNS Suffix  . : jf.itso.ibm.com
   IP Address. . . . . . . . . . . . : 9.5.92.29
   Subnet Mask . . . . . . . . . . . : 255.255.255.128
   Default Gateway . . . . . . . . . : 9.5.92.21
3.3 Install additional components on the Windows servers
A Windows server requires several different services to perform the functions we typically
need, such as DNS, DHCP, and Terminal Services. We have three types of Windows servers
in our scenario.
• Domain controller
This Windows server holds the Active Directory and the Terminal Services Licensing
Service and provides the DNS/DHCP service.
• Additional infrastructure server
This Windows server provides add-on services for the whole environment. These are
Microsoft SQL Server 2000 (to use for Citrix MetaFrame), Citrix Licensing Server, and
Microsoft Windows Update Server.
• Windows Terminal Server
This is the Windows server running the Terminal Services, which are necessary for Citrix
MetaFrame.
Reviewing our example network, note that the Infrastructure Server exists only once. This is
because we are not initially focused on higher availability, as we can live with Citrix
MetaFrame remaining able to work for 120 hours without its configuration database. We also
accept for our example network that the update services for Windows fix packs and anti-virus
signatures need not be highly available.
If you want to update your setup for higher availability, consult those with appropriate
Microsoft and Citrix expertise.
3.4 Domain controller
This topic describes the domain controller example network that was set up using DNS and
DHCP capabilities.
3.4.1 Windows components
We do not need every possible component we chose for our scenario, but the options we did
choose should be considered “best practices” from the experiences of the residents who
created this Redpaper.
Install the DNS Service on the domain controller with Active Directory integrated DNS zones.
In our scenario we also use the DHCP service on the domain controllers. These services are
chosen under Windows Network Services.
We recommend also installing the Print Services for UNIX® on each system; this adds the
LPR service for remote printing.
We also need to install the Terminal Server Licensing service on each domain controller. This
service requires a path to store its files, so we choose the default.
To add additional Windows components, open the Control Panel and click Add or Remove
Programs, then Add/Remove Windows Components. For the Application Server, note
some of the example application subcomponents we used, as shown in Figure 3-17.
Figure 3-17 Choose components to install on JFSRV001
3.4.2 Network printer configuration
In our scenario, each domain controller also acts as a print server.
We recommend configuring each network printer on all print servers with the same settings.
1. We installed two printers, one for each site. To configure these printers, we used the Add a
Printer wizard as shown in Figure 3-18 on page 63 through Figure 3-24 on page 65.
Figure 3-18 Configure a network printer - 1 of 6
2. We used an LPR printer port to configure the network printer. There are several different
possibilities to configure network printers, as each company (IBM, Lexmark, HP, and so
on) has its own tool. However, LPR is the industry standard that every printer port
understands.
Figure 3-19 Configure a network printer - 2 of 6
Attention: To use LPR, you must install the Print Services for UNIX.
3. The value for Name of printer or print queue depends on the printer you use. For printers
from IBM, the default is ibmncp_direct; the default for printers from HP is pass.
Figure 3-20 Configure a network printer - 3 of 6
4. If the driver is not included in Windows Server 2003, install the necessary driver from a CD
or download it from the Internet.
5. Choose the printer name based on a naming convention such as the one we used in
Table 2-1 on page 25. We recommend selecting to share the printer with the same name.
Figure 3-21 Configure a network printer - 4 of 6
6. We also recommend inserting the Location value. This makes it easier for the users to
search printers in the Active Directory as shown in Figure 3-24 on page 65.
Figure 3-22 Configure a network printer - 5 of 6
7. Enter the location of the printer (Figure 3-23) to be helpful to users. Click Next.
Figure 3-23 Configure a network printer - 6 of 6
8. In our scenario we also installed a second printer, an HP5L for Site_B.
If you configure the printer as we did, it will be published in the Active Directory by default.
Using Windows Server 2003, you can search for the printer using Start → Search → for
printers and then connect and use them from every client in the domain.
Figure 3-24 Find network printers
3.4.3 Set up Active Directory
You must set up the Active Directory, because the following sections in this Redpaper depend
on the appropriate Active Directory entries being set up.
Important: See 4.1, “Setting up Active Directory” on page 86. Go through that entire
section.
3.5 Additional infrastructure server
In our scenario we have only one additional infrastructure server (JFSRV002) on the primary
iSeries and no equivalent on the secondary system. As stated earlier in this chapter, we are
not setting up a highly available network. For example, Citrix MetaFrame can run 120 hours
without access to the database and license information, because this information is cached
on the Citrix MetaFrame servers.
The sequence to install the products does not matter except that the Windows components
should be installed first, and then the Microsoft SQL Server must be installed before the
Microsoft Windows Update Server.
3.5.1 Windows components
The Internet Information Services (IIS) are a base function needed for many other Windows
services, such as Windows Update Services.
Install the Internet Information Services (IIS) in the domain controller. See “Domain controller”
on page 62.
3.5.2 Citrix MetaFrame Access Suite Licensing Services
Citrix changed its licensing method with Citrix MetaFrame Presentation Server 3.0. In earlier
versions the licenses would be installed and activated in the Management Console. Now
Citrix has its own licensing server, which can be used for the whole enterprise.
For additional information, refer to:
http://support.citrix.com/docs/
On the infrastructure server you only have to install the MetaFrame Access Suite Licensing
Server and License management console.
Note: Microsoft IIS must be installed on this system before the Licensing Service can be
installed.
1. From MetaFrame Presentation Server Setup, select MetaFrame Access Suite licensing
installation. The component Citrix License Server is selected by default, as shown in
Figure 3-25. Click Next.
Figure 3-25 Installing Citrix Licensing services - 1 of 5
2. We recommend changing the installation drive as shown in Figure 3-26. Click Next.
Figure 3-26 Installing Citrix Licensing services - 2 of 5
3. By default the License Management Console and the License Server software are
installed. Review other possibilities and click Next.
Figure 3-27 Installing Citrix Licensing services - 3 of 5
4. You need the license_20041118161300.lic file, which you can find in a folder such as the
one shown in the Figure 3-28. Click Next.
Note: You can download the license file for your products from the MyCitrix portal. Click
the link for MyCitrix on the Citrix Web site:
http://www.citrix.com
Figure 3-28 Installing Citrix Licensing services - 4 of 5
5. In the next window (Figure 3-29) select OK to restart IIS. Click Next and the installation
starts copying the program files to the directory you specified.
Figure 3-29 Installing Citrix Licensing services - 5 of 5
6. After you have installed the license file or files, start and run the License Management
console as shown in Figure 3-30 (Programs → Citrix → Management Consoles →
License Management Console) through Figure 3-33 on page 71.
Refer to the Citrix documentation for additional license management information.
Figure 3-30 Running License Management Console
7. Figure 3-31 shows the main License Management Console window. Select Configure
License Server.
Figure 3-31 Citrix Licensing services - 1 of 3
8. This opens a window (not shown) that leads to the window shown in Figure 3-32, which
displays the license file information we copied using the License Files Location window
(Figure 3-28 on page 68).
Review the license file information, such as how to add or update licenses and specifying
file locations and threshold options (not discussed in this Redpaper). The text to the
upper-right reminds us that we are working with the license server JFSRV002.
Click Complete License Inventory.
Figure 3-32 Installing Citrix Licensing services - 2 of 3
9. This displays the license inventory information shown in Figure 3-33.
Figure 3-33 Installing Citrix Licensing services - 3 of 3
Now that we have set up the necessary Citrix product licensing information, we set up the
Microsoft SQL Server that will provide the necessary database for Citrix MetaFrame to
perform and manage its functions.
3.5.3 Install and configure Microsoft SQL Server 2000
In our scenario, we use Microsoft SQL Server 2000 with Service Pack 3a.
If you decide to use Microsoft SQL Server as your database server (very typical) for Citrix
MetaFrame, you should follow the steps in this section to set it up.
Note: You can use Microsoft Access or the Microsoft SQL Server 2000 Desktop Engine
(MSDE) if your server farm is small or mid-sized.
1. To start the installation, insert the SQL Server CD into your CD drive and select Install
Database Server as shown in Figure 3-34.
Figure 3-34 Install SQL Server 2000 - 1 of 10
2. Installing on the Local Computer is the default option, which we use, as shown in
Figure 3-35.
If you select Remote Computer, you must enter a computer (host) name or click the
Browse button to locate a remote computer.
Virtual Server is the default if a cluster is detected. We are not using a cluster in this
Redpaper.
As stated, in our example we use the default local computer. Click Next.
Figure 3-35 Install SQL Server 2000 - 2 of 10
3. We select Create a new installation of SQL Server 2000 and click Next.
Figure 3-36 Install SQL Server 2000 - 3 of 10
4. Enter a name of your choice. (We used JF4731.) Enter a company name. Both names are
required. Click Next.
Figure 3-37 Install SQL Server 2000 - 4 of 10
5. The Installation Definition window (Figure 3-38) shows three options:
• Client Tools Only
Installs only tools for administering SQL Server client connectivity components.
• Server and Client Tools
Installs server and client tools to create a relational database server.
• Connectivity Only
Provides connectivity tools only, including MDAC.
We select the Server and Client Tools option, and click Next.
Figure 3-38 Install SQL Server 2000 - 5 of 10
6. The Default check box for Instance Name is shown because a default SQL Server
instance is not installed. Click Next.
Figure 3-39 Install SQL Server 2000 - 6 of 10
7. Figure 3-40 shows the Setup Type window. We select a Typical installation and change
the installation drive to the Programs disk drive we set up earlier when adding storage
links to the iSeries IXS/IXA Windows server.
Click Next.
Figure 3-40 Install SQL Server 2000 - 7 of 10
8. In the Services Accounts window, we recommend using the Local System account to
autostart the SQL Server Service (includes SQL server agent services) as shown in
Figure 3-41. Click Next.
Figure 3-41 Install SQL Server 2000 - 8 of 10
9. In the Authentication Mode window, we recommend using Windows Authentication
Mode as shown in Figure 3-42. This option enables users to connect through a Microsoft
Windows user account. The SQL server validates the account name and password, using
information in the Windows operating system. Click Next.
Figure 3-42 Install SQL Server 2000 - 9 of 10
10. In the Choose Licensing Mode window, select the Licensing Mode of your choice. In our
example we choose Processor License and click Continue.
Figure 3-43 Install SQL Server 2000 - 10 of 10
After some processing, SQL Server 2000 installation completes.
Important: Immediately install the latest service pack for SQL Server 2000. In our example
scenario, this is Service Pack (level) 3a. Then reboot the server.
After the reboot, you use the SQL Server Enterprise Manager to create the databases.
Create MetaFrame and MF_Resource databases
Create two databases: one for the Citrix configuration Data Store and one for the data from
the Citrix Resource Manager. The Data Store provides a repository of persistent information
about the server farm that each server can reference.
Expand the Microsoft SQL Server as shown in Figure 3-44. (During the creation of the
databases we took all the default values. Therefore we do not show the windows that would
be used for this function.)
Figure 3-44 Configure SQL Server 2000 for Citrix MetaFrame - 1 of 2
Figure 3-45 shows the resulting MetaFrame and MF_Resource databases, created using
the defaults.
Figure 3-45 Configure SQL Server 2000 for Citrix MetaFrame - 2 of 2
We use these databases later when setting up Citrix MetaFrame Presentation Server 3.0, as
described in Chapter 6, “Installing and customizing Citrix Presentation Server” on page 135.
3.5.4 Microsoft Software Update Services
Software Update Services (SUS) provides a very useful automatic distribution of critical
updates to servers and workstations. Servers and workstations can be configured via Group
policies as shown in 4.1.7, “Create and configure group policies” on page 101 to
automatically install the critical updates at a specific date and time.
Note: In software updates that followed those used to produce this Redpaper, Microsoft
introduced a follow-on to the SUS support we used: Microsoft Windows Server Update
Services (WSUS). WSUS specifically enables information technology administrators to
deploy the latest Microsoft product updates to Microsoft Windows Server 2000, Windows
Server 2003, and Windows XP operating systems.
You can review the Microsoft Web site by searching for either “SUS” or “WSUS” to
determine which software update product you want to use.
In this paper we used SUS V1.1 as described in the following sections.
Microsoft Software Update Services Version 1.1
First of all you need to download the SUS program from Microsoft.
1. Search for SUS at:
http://www.microsoft.com/downloads/search.aspx?displaylang=en
Choose Software Update Services 1.0 with Service Pack 1.
2. Run SUS10SP1.exe and follow the installation instructions shown in the windows. Click
Next in the first wizard window as shown in Figure 3-45 on page 77.
Figure 3-46 Install Microsoft SUS - 1 of 2
3. The setup type options are shown in the window in Figure 3-47. We recommend a Custom
Installation, so select Custom and click Next.
Figure 3-47 Install Microsoft SUS - 2 of 2
We do not show the default custom installation windows. This is a summary of the options we
selected:
• Whether to install the updates on a local directory (default) or redirect to a remote
Windows Update server: We recommend specifying the local directory.
• You can choose the languages for downloading and distributing the fixes and service
packs. You can always modify this, but we initially selected English and German.
• In the window addressing “handling new versions of previously approved updates,” we
selected manual approval.
Important: The link http://jfsrv002 is to be used in the Group Policy configuration as
shown in “Default Domain Policy” on page 103. The link http://jfsrv002/SUSAdmin is to
be used for your administration and approval process. This link starts the SUS Admin Tool.
Before you start Internet Explorer and go to this link, you have to authenticate as an
Administrator.
Do not forget that you must first set the options to get access to the Internet.
Enter the URL as shown in Figure 3-48 on page 80. We check Welcome and follow the
instructions as they appear in the next set of windows. (We do not show examples of these
windows.)
For more information you can refer to:
http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
Figure 3-48 Configure Microsoft SUS
We must specify how updates are distributed. We show how to do this in “Default Domain
Policy” on page 103.
Now, we move on to setting up Windows Terminal Server on our example network IXS/IXA
servers. To recall our example network configuration, you can refer to:
• Table 2-1 on page 22
• Figure 2-2 on page 28
3.6 Windows Terminal Server to use for Citrix MetaFrame Presentation Server 3.0
It is important to realize that sometimes you cannot install a software application on a
Windows Server 2003 with Terminal Services installed. Sometimes the application itself runs
well but the Install wizard does not run.
If you experience problems in this area contact your certified Microsoft or Citrix specialist.
3.6.1 Windows components
We select some components and subcomponents as shown from Figure 3-49 on page 81
through Figure 3-52 on page 82.
1. You should install the Internet Information Server (IIS) because we use it with Citrix Web
Interface as shown in 6.1.2, “Install the Citrix products” on page 136. We recommend
using the Citrix Web Interface for managing Citrix functions.
2. In the Application Server window, review the applications we have selected and click OK.
Figure 3-49 Choose additional Windows components - 1 of 5
3. We recommend also installing the Print Services for Unix as shown in Figure 3-50. This
file and print service provides support for LPR TCP/IP network printing. Click OK.
Figure 3-50 Choose additional Windows components - 2 of 5
4. In Figure 3-51, we deselected the Internet Explorer Enhanced Security Configuration
because it would cause conflicts when using the Citrix Web Interface. Click Next.
Figure 3-51 Choose additional Windows components - 3 of 5
5. We selected the Update Root Certificates and Terminal Server components as shown
in Figure 3-52. Terminal Services is a prerequisite for Citrix MetaFrame Presentation
Server. We do not need the Terminal Server Licensing component, because this was
installed in 3.5.1, “Windows components” on page 65. Click Next.
Figure 3-52 Choose additional Windows components - 4 of 5
6. In the Terminal Server Setup permissions window of the Windows Components Wizard
shown in Figure 3-53, we always recommend selecting Full Security. Click Next.
Figure 3-53 Choose additional Windows components - 5 of 5
Installation of Terminal Services proceeds and completes. After the installation has
completed, you must reboot your workstation.
Chapter 4. Customizing Active Directory and the infrastructure
The Active Directory is a distributed, hierarchical, and secure directory service. It offers a
network-based object store and service that locates and manages resources and makes
these resources available to authorized users and groups. The directory information can be
replicated to produce more local processing and to enable higher availability for Active
Directory-based functions. An underlying principle of the Active Directory is that everything is
considered an object—people, servers, workstations, printers, documents, and devices. Each
object also has certain attributes and its own security Access Control List (ACL). Objects can
be organized within the Active Directory in a special kind of object known as a container,
which can be used on a very granular level.
This chapter contains information in the following areas that was sufficient for getting our
example network up and running:
• Setting up Active Directory
• Additional configuration for the DNS server
• Activate Terminal Server Licensing
• Create organizational units structure
• Create accounts for Windows services
• Create and configure group policies
Note: We strongly recommend contacting a certified Microsoft specialist to perform the
actual setup of your network’s Active Directory configuration. The objective of this chapter
is to provide the iSeries person sufficient understanding of the basics of Active Directory
capabilities to work efficiently with the Active Directory specialist in setting up the network
that meets the customer’s requirements—in as short a time as possible.
We use the network described in Chapter 2, “Planning your network and server
infrastructure” on page 17 as examples for appropriate configuration. For details about the
full range of Active Directory capabilities, refer to:
http://www.microsoft.com
4.1 Setting up Active Directory
The process of installing an Active Directory domain is straightforward. Here are some
recommendations:
• Use the Windows Server 2003 CD media.
• Configure an NTFS partition with enough free space.
• Have an agreed-upon Administrator’s user name and password.
• Have a Network Interface Card.
• Properly configure TCP/IP.
• Have an operational DNS server that can be installed on the domain controller itself.
• Determine the domain name that you want to use.
You can get more information at:
http://www.microsoft.com/windows2000/techinfo/reskit/dpg/chapt-9.asp
It is important to read the text in the Windows screen captures shown in this chapter. Your
network environment and user authorizations (security) may require different choices.
4.1.1 Run DCPROMO on the first domain controller
Starting with Windows Server 2000, you can promote each server to a domain controller. You
can also downgrade each domain controller to a member server. The utility to do this is
DCPROMO, which you run from a command prompt.
1. We select the Domain Controller for a new domain option (Figure 4-1) and click Next.
Figure 4-1 Set up Active Directory on the first server - 1 of 10
Note: On all additional domain controllers in the same domain, choose Additional
domain controller for an existing domain.
2. In Figure 4-2, select Domain in a new forest and click Next.
Figure 4-2 Set up Active Directory on the first server - 2 of 10
3. Enter the full DNS name. (We use JF.ITSO.COM for the new domain.) Click Next.
Figure 4-3 Set up Active Directory on the first server - 3 of 10
4. Enter JF, per our example network naming convention, for NetBIOS domain name. Click
Next.
Figure 4-4 Set up Active Directory on the first server - 4 of 10
5. In our example, we use the default path for the domain controller database as shown in
Figure 4-5. For an enterprise Windows environment you must use a different disk drive.
Click Next.
Figure 4-5 Set up Active Directory on the first server - 5 of 10
6. On the Shared System Volumes topic, accept the default Sysvol folder location as shown
in Figure 4-6 (unless you want to change it, of course). The location of the files is by
default %systemroot%\SYSVOL.
You should not change it unless you have performance concerns based on experiences in
setting up a large network. This folder must be on an NTFS partition. This folder will hold
all of the Group Policy Objects (GPOs) and scripts you will create and will be replicated to
all other domain controllers. Click Next.
Figure 4-6 Set up Active Directory on the first server - 6 of 10
7. If you do not use an existing DNS server, we recommend creating the DNS environment
through the DCPROMO wizard. In Figure 4-7 we select Install and configure the DNS
server on this computer. You can change the settings to fit your environment later as
described in 4.1.2, “Additional configuration for the DNS server” on page 91.
Figure 4-7 Set up Active Directory on the first server - 7 of 10
8. If you do not need to communicate with Windows NT4 level servers, you should use the
stronger permission for Windows 2000 or 2003 compatibility, as shown in Figure 4-8.
Click Next.
Figure 4-8 Set up Active Directory on the first server - 8 of 10
9. In Figure 4-9, the restore mode password is necessary if you later downgrade the domain
controller with the DCPROMO wizard. The domain database will be removed and the
server returns to being a member server.
Enter the password twice and record the value in a safe place. Click Next.
Figure 4-9 Set up Active Directory on the first server - 9 of 10
10. Review the settings summary in Figure 4-10. You can click the Back button to change any
values, if necessary. When finished reviewing, click Next.
Figure 4-10 Set up Active Directory on the first server - 10 of 10
Important: After clicking Next, we see the wizard going through the various stages of
Active Directory installation. Never click Cancel. This will make your computer essentially
unusable. If you see that you made a mistake and want to undo it, you should let the
installation finish and then run it again to undo the Active Directory you just installed.
You must reboot for the Active Directory to function according to our setup.
4.1.2 Additional configuration for the DNS server
As described in 4.1.1, “Run DCPROMO on the first domain controller” on page 86, you must
change the DNS server configuration if you used the DCPROMO wizard to create the DNS
configuration.
The following steps are based on our scenario and example network settings we planned
based on 2.6, “Planning your sites, WAN and LAN infrastructure, firewall, DNS, and DHCP”
on page 27. You may have slightly different changes for your network.
To use the DNS Manager, select Start → Programs → Administrative Tools → DNS
Manager.
For reverse-resolving the host names (IP address to host name mapping), you have to create
a reverse lookup zone for each subnet you use.
In our scenario we create the following reverse lookup zones (same as our subnets):
• 9.5.92.0
• 192.168.92.0
• 9.5.192.0
• 192.168.192.0
We show the zone setup for 192.168.92.0 in the following steps. Repeat these steps for the
other zone addresses listed.
1. For your DNS server, right-click Reverse Lookup Zones and select New Zone.
Figure 4-11 Configuring the reverse lookup zones - 1 of 5
2. Choose Primary zone to create a master copy of a reverse lookup zone. Click Next.
Figure 4-12 Configuring the reverse lookup zones - 2 of 5
3. As shown in Figure 4-13, for Active Directory Zone Replication Scope, select To all
domain controllers in the Active Directory domain (JF.ITSO.COM, in our example).
Click Next.
Figure 4-13 Configuring the reverse lookup zones - 3 of 5
4. In Figure 4-14 we enter 192.168.92.0 to translate IP addresses into DNS Names. Click
Next.
Figure 4-14 Configuring the reverse lookup zones - 4 of 5
5. As shown in Figure 4-15 you can configure a list of authorized servers to initiate dynamic
updates. Click Next.
Figure 4-15 Configuring the reverse lookup zones - 5 of 5
6. At this point you should add all DNS entries that will not be created automatically through
Windows servers and clients. This includes:
– Host entries for all iSeries, Domino servers, and all other non-Windows systems
– Alias entries, if necessary
Note: For each entry, you must select Create associated pointer (PTR) record for
reverse lookup, as shown using our iSeries system As01 example in Figure 4-16.
Figure 4-16 Add DNS entry
When you have finished adding reverse lookup zone entries for all of your other host names
(our example network has a total of four) as described above for “192.168.92.0,” you are ready
to move on to activate Terminal Server Licensing.
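The reverse lookup zones and PTR records described in this section can be checked mechanically once the entries exist. The following Python is an added example, not part of the original Redpaper: it derives the reverse zone name for each of the four example subnets and audits a set of host records for missing, mismatched, or stale PTR entries. The /24 prefix lengths, all IP addresses, and the domino1, printer9, and oldhost names are constructed assumptions.

```python
import ipaddress

# Subnets from the example network; the /24 prefix length is an assumption.
SUBNETS = ["9.5.92.0/24", "192.168.92.0/24", "9.5.192.0/24", "192.168.192.0/24"]

# Constructed sample records (host names reuse the JF.ITSO.COM domain).
A_RECORDS = {
    "as01.jf.itso.com": "192.168.92.5",
    "jfsrv001.jf.itso.com": "192.168.92.11",
    "jfsrv002.jf.itso.com": "192.168.92.12",
    "domino1.jf.itso.com": "192.168.192.20",
    "printer9.jf.itso.com": "10.1.1.9",
}
PTR_RECORDS = {
    "5.92.168.192.in-addr.arpa": "AS01.JF.ITSO.COM.",
    "11.92.168.192.in-addr.arpa": "jfsrv001.jf.itso.com.",
    "12.92.168.192.in-addr.arpa": "jfsrv001.jf.itso.com.",  # points at the wrong host
    "77.192.5.9.in-addr.arpa": "oldhost.jf.itso.com.",      # no matching host record
}


def reverse_zone(cidr):
    """Return the in-addr.arpa zone name for an IPv4 network on an octet boundary."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 networks map to one reverse zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def audit(a_records, ptr_records, subnets=SUBNETS):
    """Compare host (A) records with PTR records and return a list of findings."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    findings = []
    for host, ip in sorted(a_records.items()):
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            # The address is outside every planned subnet, so no reverse zone covers it.
            findings.append(("no-reverse-zone", host, ip))
            continue
        target = ptr_records.get(addr.reverse_pointer)
        if target is None:
            findings.append(("missing-ptr", host, ip))
        elif target.rstrip(".").lower() != host.rstrip(".").lower():
            findings.append(("ptr-mismatch", host, ip))
    # PTR records whose address no longer has a host record are left-overs.
    known = {ipaddress.ip_address(ip).reverse_pointer for ip in a_records.values()}
    for name in sorted(set(ptr_records) - known):
        findings.append(("stale-ptr", ptr_records[name], name))
    return findings


if __name__ == "__main__":
    for subnet in SUBNETS:
        print(subnet, "->", reverse_zone(subnet))
    for finding in audit(A_RECORDS, PTR_RECORDS):
        print(finding)
```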
4.1.3 Activate Terminal Server Licensing
You must activate each Terminal Server Licensing Server:
1. To start the Terminal Services Licensing window, click Start → Programs →
Administrative Tools → Terminal Services Licensing.
If you cannot locate Administrative Tools by using the previous steps, use Terminal
Services Licensing in the Control Panel window to get to the window shown in
Figure 4-17.
Figure 4-17 Activate Terminal Server Licensing - 1 of 6
2. Right-click the license server you want to activate. In our example this is JFSRV001. Click
Activate Server to start the Licensing Wizard, as shown in Figure 4-18.
Figure 4-18 Activate Terminal Server Licensing - 2 of 6
3. There are at least four ways to activate a license server:
– With a fax
– With the telephone
– With the World Wide Web
– With the Internet
In our example, we chose Automatic connection through the Internet. Click Next.
Figure 4-19 Activate Terminal Server Licensing - 3 of 6
4. In Figure 4-20 we provide the required information. Click Next.
Figure 4-20 Activate Terminal Server Licensing - 4 of 6
5. You must use the Terminal Server Client Licensing Wizard to add your client licenses to
the Terminal Server Licensing service. In our example we used only temporary licenses.
Click Next to start installing client licenses, as shown in Figure 4-21.
Figure 4-21 Activate Terminal Server Licensing - 5 of 6
Important: If you do not add Terminal Server Client Licenses you get only temporary
licenses for 120 days. After this time period the client can no longer access any Windows
Terminal Server.
As you can see in Figure 4-22, we used only temporary licenses.
Figure 4-22 Activate Terminal Server Licensing - 6 of 6
Now we need to make some changes to the Active Directory site configuration.
4.1.4 Change the Site configuration
Select Start → Programs → Administrative Tools → Active Directory Sites and Services
to use the Active Directory Sites and Services snap-in for Microsoft Management Console
(MMC).
We recommend changing the name for the first site (Default-First-Site-Name, Figure 4-23) to
the chosen name for this site (Site_A, shown in Figure 2-19 on page 44).
Note that in the instructions that follow we do not show each window in the sequence. We
show enough of the windows to enable you to perform the task.
1. Right-click Default-First-Site-Name and change it to Site_A.
Figure 4-23 Change the site configuration - 1 of 4
2. Add all other sites you have planned (only Site_B in our example network).
When you have finished specifying site names, your window should look similar to the one
shown in Figure 4-24.
Figure 4-24 Change the site configuration - 2 of 4
3. Add all subnets you use to the correct site. These are the same ones that you used for
reverse lookup zones creation in 4.1.2, “Additional configuration for the DNS server” on
page 91. This is important for the performance of your network because the clients locate
the closest service through these entries.
Right-click and select New Subnet as shown in Figure 4-25. Add each subnet.
Figure 4-25 Change the site configuration - 3 of 4
When finished, your subnet list in the left pane should look similar to our example shown in
Figure 4-26.
Figure 4-26 Change the site configuration - 4 of 4
4.1.5 Create the organizational units (OU) structure
Select Start → Programs → Administrative Tools → Active Directory Users and
Computers to open the Active Directory Users and Computers console. Use the console to
create the OUs that we planned for in Table 2-1 on page 25.
Figure 4-27 Create OU structure
We do not show the windows used to create OUs JF_ITSO through JF_ITSO\Workstation.
Follow the instructions in the text on the windows shown.
4.1.6 Create accounts for Windows services
We need to start some services using Windows user accounts that we planned for in
Table 2-1 on page 25, where the password never expires. There are a lot of services you can
run with special accounts. You see these service accounts already listed in the right pane in
Figure 4-28 on page 101.
Figure 4-28 Create an account - 1 of 2
We enter the password and select User cannot change password for each service account
we create. Record this password in a safe place. Click Next.
Figure 4-29 Create an account - 2 of 2
4.1.7 Create and configure group policies
Now we create and configure group policies. A group policy enables you to define which
actions a user is and is not allowed to perform on the network and on their own computer. For
additional details refer to:
http://www.microsoft.com/downloads/search.aspx?displaylang=en
At this site, search for “Group Policy Settings Reference” and download the Excel sheet that lists all
possible settings.
Group Policy Management console
To manage group policies more easily, you should download and install the Group Policy
Management console (GPMC). This tool enables you to see the Group Policy Results for a
specific user on a specific PC.
Note: Group Policy Results are created only if the user has already logged on and off on
that workstation or server. The tool gets the data from the user profile stored on that
workstation or server. If you change Group Policy settings, the user needs to log on and log
off again before these results are shown in the GPMC.
To download the software, search for “GPMC” at:
http://www.microsoft.com/downloads/search.aspx?displaylang=en
After you have installed the GPMC you have a new console in the Administrative tools folder;
this is Group Policy Management.
Select Start → Programs → Administrative Tools → Group Policy Management. Select
the Default Domain Policy folder to get the window as shown in Figure 4-30.
Figure 4-30 Group Policy Management console
Reviewing the information shown by selecting Details, Settings, and Delegation provides a
good review of your current default domain policy settings.
You must change the default Active Directory policies and create and configure additional
policies as shown in “JF_ITSO_TerminalServers Group Policy” on page 109.
First, however, you need to change the Default Domain Policy.
Default Domain Policy
Note: It is important to set the Password Policy settings to match the i5/OS profile
password before you try to propagate users. You can review various i5/OS system values
associated with password by using the Work with System Values command as shown:
WRKSYSVAL SYSVAL(QPWD*)
1. To see the Windows password settings window shown in Figure 4-31, start by
right-clicking the Default Domain Policy folder and select the Edit option. This brings up
the left pane shown in Figure 4-31. To see the right pane, select the Password Policy
folder in the left pane.
Figure 4-31 Default Domain Policy - 1 of 5
2. We also recommend defining the Event log settings for the whole domain to be identical to
those shown in Figure 4-32.
Figure 4-32 Default Domain Policy - 2 of 5
3. Configure the settings for the Windows Update Services, and change the entries that are
shown as enabled in Figure 4-33.
Figure 4-33 Default Domain Policy - 3 of 5
4. Select Configure Automatic Updates. We recommend selecting the options as shown
for Automatic Update in Figure 4-34. Click Next.
Figure 4-34 Default Domain Policy - 4 of 5
5. In Figure 4-35 we configure the intranet Microsoft update service location. Our JFSRV002
Windows server is listed as our Windows Update Server per our example network as
described in Chapter 2, “Planning your network and server infrastructure” on page 17 and
Figure 2-3 on page 28.
Figure 4-35 Default Domain Policy - 5 of 5
6. Click Apply and then OK.
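One way to confirm that a client actually received the Windows Update settings configured above is to inspect the policy registry values that the Automatic Updates client reads. The Python below is an added example, not part of the original Redpaper; both `reg query` outputs are constructed, and oldsus01 is a hypothetical host name.

```python
import re
from urllib.parse import urlsplit

# Policy key written by the Windows Update settings of the Default Domain Policy.
WU_KEY = r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate"

# Constructed output of: reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
COMPLIANT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://jfsrv002
    WUStatusServer    REG_SZ    http://JFSRV002

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x1
    NoAutoUpdate    REG_DWORD    0x0
"""
DRIFTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://oldsus01
    WUStatusServer    REG_SZ    http://jfsrv002

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x0
    NoAutoUpdate    REG_DWORD    0x1
"""


def parse_reg_query(text):
    """Parse `reg query ... /s` output into {key_path_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
            continue
        # Value lines are indented: name, type, data (the names used here have no spaces).
        m = re.match(r"\s+(\S+)\s+(REG_\w+)\s*(.*)$", line)
        if m and current is not None:
            name, kind, data = m.group(1), m.group(2), m.group(3).strip()
            current[name.lower()] = int(data, 16) if kind == "REG_DWORD" else data
    return keys


def _host(url):
    """Lower-cased host part of a URL, or '' when the value is missing."""
    return (urlsplit(url or "").hostname or "").lower()


def check_update_policy(reg_text, expected_server="http://jfsrv002"):
    """Return finding codes; an empty list means the client follows the domain policy."""
    keys = parse_reg_query(reg_text)
    wu = keys.get(WU_KEY, {})
    au = keys.get(WU_KEY + r"\au", {})
    want = _host(expected_server)
    findings = []
    if _host(wu.get("wuserver")) != want:
        findings.append("wuserver-mismatch")
    if _host(wu.get("wustatusserver")) != want:
        findings.append("wustatusserver-mismatch")
    # WUServer is only honoured when UseWUServer is 1; otherwise the client
    # does not use the intranet update server.
    if au.get("usewuserver") != 1:
        findings.append("intranet-server-not-enforced")
    if au.get("noautoupdate") == 1:
        findings.append("automatic-updates-disabled")
    return findings


if __name__ == "__main__":
    for label, sample in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(label, check_update_policy(sample))
```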
JF_ITSO_User Group Policy
We recommend that you set the default home page as shown in Figure 4-36 through
Figure 4-37 on page 106 and the proxy settings as shown in Figure 4-38 on page 106. If
something changes later, you will have to make the change in only one place (here).
1. We start configuring the default home page by clicking URLs in the left pane of
Figure 4-36, to get the right pane.
2. Double-click Important URLs.
Figure 4-36 JF_ITSO_User Group Policy - 1 of 7
3. Enter the default home page, as shown in Figure 4-37.
Figure 4-37 JF_ITSO_User Group Policy - 2 of 7
4. In Figure 4-38 we start configuring the proxy settings. Click Connection in the left pane,
then double-click Proxy settings in the right pane. Enter the appropriate proxy settings for
your network.
We do not show proxy settings for our example network in this Redpaper. In your network,
you should consult with a TCP/IP network specialist to determine any special proxy
settings you need.
Figure 4-38 JF_ITSO_User Group Policy - 3 of 7
Another important setting is the redirection for the user’s home directories. This setting
changes the My Documents folder to the file server, which is important for the backup of
the user files. The backup is normally configured to run only on the servers and not on
client workstations.
5. In Figure 4-39, we expanded Windows Settings → Folder Redirection. Right-click My
Documents and select Properties.
Figure 4-39 JF_ITSO_User Group Policy - 4 of 7
6. The Properties window is shown in Figure 4-40. Select the options as shown and click
Apply.
Figure 4-40 JF_ITSO_User Group Policy - 5 of 7
7. Click the Settings tab and select options as shown in Figure 4-41. Click Apply and OK.
Figure 4-41 JF_ITSO_User Group Policy - 6 of 7
8. Configure basic settings of the desktop, Start menu, and taskbar for the JF_ITSO_User
Group Policy users. Figure 4-42 shows the settings for Start Menu and Taskbar. We have
enabled a “starter set.” Review all settings and make changes per your requirements.
Figure 4-42 JF_ITSO_User Group Policy - 7 of 7
JF_ITSO_TerminalServers Group Policy
Figure 4-43 shows the Group Policy Object Editor window and some settings for User Rights.
Details regarding setting each of the policies shown with the appropriate Policy Setting values
are beyond the scope of this Redpaper.
Figure 4-43 JF_ITSO_TerminalServers Group Policy
Important: However, we call your attention to the Shut down the system policy, as there is
an important additional consideration to “typical” customer requirements when the
Windows server product (your Windows system) is running on an xSeries server attached
to the iSeries over an HSL loop via the Integrated xSeries Adapter (IXA).
You should not shut down (physically power off) an IXA attached xSeries server on the
same HSL loop with other devices active, such as I/O towers containing disk drives actively
being used by the iSeries system or an i5/OS partition. This is because physically
powering off the xSeries server essentially breaks the communication between the xSeries
server and the iSeries on the loop. This can prohibit communication between the system
and any disk I/O devices in I/O towers or drawers in the HSL loop, depending on the
physical set up of the HSL loop in your configuration. If this occurs, the communication
problem may not be correctable until the iSeries system or partition is restarted.
To minimize the chance of this happening, you should limit the Shut down the system policy
(for the xSeries server) to Domain Administrators only.
Note that the Windows server user can select shutdown with restart, which does not
physically power off the xSeries server.
You can, of course, shut down (and shut down with restart) the Windows operating system
running on this xSeries server from the iSeries side. This shutdown is a logical power off, not
a physical power off. You can do this either through the i5/OS Vary Configuration (VRYCFG)
command or iSeries Navigator interface: Network → Windows Administration →
Integrated xSeries Servers.
The logical power off keeps the communication up and running between i5/OS and other
devices on the HSL loop.
Tip: An i5/OS user with system service tools (SST) authority can use the concurrent
maintenance function on the IXA resource name to actually power off and on the attached
xSeries server. Authority to perform this SST function requires a system service tools user
ID and password (separate and independent of any i5/OS user IDs and passwords), with
proper authentication to use concurrent maintenance.
Start service tool → Hardware service manager → Packaging hardware
resources → choose the hardware to power off → Concurrent maintenance
iSeries SST details are described in iSeries Information Center at:
http://www.ibm.com/eserver/iseries/infocenter
Select Security → Service tools user IDs and passwords
A similar concurrent maintenance function is provided through a Hardware Management
Console (HMC) device on POWER5 systems being managed by an HMC.
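One way to verify the Shut down the system restriction described above, as an added example that is not part of the Redpaper: the PowerShell below parses a user-rights export and reports every holder of SeShutdownPrivilege other than Domain Admins. The export command in the comment, the function names and the sample export (constructed, with a made-up domain SID) are assumptions of this example.

```powershell
# Added example (not from the Redpaper). Audits the "Shut down the system" user
# right (SeShutdownPrivilege) from a security-template export created with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
Set-StrictMode -Version 2

# Well-known SIDs, so the report is readable when run away from the domain.
$WellKnownSid = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-547' = 'BUILTIN\Power Users'
    'S-1-5-32-549' = 'BUILTIN\Server Operators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
}

# Returns the principals listed for one right in the [Privilege Rights] section.
function Get-UserRightHolder {
    param(
        [string[]]$InfLine,
        [string]$Right = 'SeShutdownPrivilege'
    )
    $inSection = $false
    foreach ($line in $InfLine) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $text -eq '' -or $text.StartsWith(';')) { continue }
        $name, $value = $text -split '\s*=\s*', 2
        if ($name -ne $Right -or -not $value) { continue }
        # Entries are comma-separated; SIDs carry a leading asterisk.
        return @($value -split '\s*,\s*' | Where-Object { $_ } |
                 ForEach-Object { $_.TrimStart('*') })
    }
}

# Turns a SID into a readable name where possible; otherwise returns it unchanged.
function Resolve-HolderName {
    param([string]$Holder)
    if ($Holder -notmatch '^S-1-') { return $Holder }        # already an account name
    if ($WellKnownSid.ContainsKey($Holder)) { return $WellKnownSid[$Holder] }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Holder)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Holder                                        # not resolvable on this machine
    }
}

# One row per holder: OK only for Domain Admins (domain SID + well-known RID 512).
function Get-ShutdownRightReport {
    param([string[]]$InfLine)
    foreach ($holder in @(Get-UserRightHolder -InfLine $InfLine)) {
        $isDomainAdmins = ($holder -match '^S-1-5-21-\d+-\d+-\d+-512$') -or
                          ($holder -match '\\Domain Admins$')
        New-Object PSObject -Property @{
            Holder = $holder
            Name   = (Resolve-HolderName $holder)
            Status = $(if ($isDomainAdmins) { 'OK' } else { 'REVIEW' })
        }
    }
}

# Constructed sample export (made-up domain SID), shaped like member-server defaults.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-21-1111111111-2222222222-3333333333-512
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Get-ShutdownRightReport -InfLine $sampleInf |
    Select-Object Status, Name, Holder | Format-Table -AutoSize

# Against a real export:
#   Get-ShutdownRightReport -InfLine (Get-Content C:\Temp\rights.inf)
```

Every row marked REVIEW, including BUILTIN\Administrators with its local administrator accounts, holds the right in addition to Domain Admins and is a candidate for removal on an IXA-attached server.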
4.2 Configure the DHCP service
Setting up the Dynamic Host Configuration Protocol service is important, so we demonstrate
setting this up for our Site_A.
In our example, we configure one zone for each real subnet, one for Site_A (9.5.92.0) and
one for Site_B (9.5.192.0). If you have a second DHCP server on Site_B do the same on this
DHCP server, but use different addresses for the leases to prevent conflicts.
For the values that we use, refer to 2.6.3, “Domain Name System (DNS) and DHCP” on
page 29.
1. Open the DHCP console as shown in Figure 4-44 by selecting Start → Programs →
Administrative Tools → DHCP.
2. Authorize the DHCP server in Active Directory as shown in Figure 4-44.
Figure 4-44 Set up the DHCP - 1 of 9
3. To support clients in other subnets we create a New Scope as shown in detail, starting
with Figure 4-45.
Figure 4-45 Set up the DHCP - 2 of 9
4. In the Name field, enter Site_A_Ethernet. Description field text is optional. Click Next.
Figure 4-46 Set up the DHCP - 3 of 9
5. Figure 4-47 shows the start and end IP addresses for the scope, as we defined in
Chapter 2, “Planning your network and server infrastructure” on page 17 and Table 2-2 on
page 31. Click Next.
Figure 4-47 Set up the DHCP - 4 of 9
6. In Figure 4-48, we select one day as the lease duration. Click Next.
Figure 4-48 Set up the DHCP - 5 of 9
7. We configure the default gateway for all Windows users by selecting the Yes option as
shown in Figure 4-49. Click Next.
Figure 4-49 Set up the DHCP - 6 of 9
8. Enter the IP address to specify the router (default gateway) and click Next.
Figure 4-50 Set up the DHCP - 7 of 9
9. In the window shown in Figure 4-51, specify the parent domain and the DNS servers’ IP
addresses for all Windows users. Click Next.
Figure 4-51 Set up the DHCP - 8 of 9
10. In Figure 4-52, we activate the scope of IP addresses we previously specified, so the
clients can obtain an IP address. Click Next.
Figure 4-52 Set up the DHCP - 9 of 9
11. You can set additional scope options through the wizard as required for your network.
When done, click Finish.
4.3 Adding Windows servers and clients to the Domain
We use the same procedure for adding workstations and/or a Windows server to the domain
controller.
1. Right-click My Computer and select Properties.
2. Select the Computer Name tab (Figure 4-53) and click Change.
Figure 4-53 Adding the servers to the domain - 1 of 2
3. This opens the Computer Name Changes window shown in Figure 4-54. We enter our
example server JFSRV002 as the computer name and its domain, and click OK.
Figure 4-54 Adding the servers to the domain - 2 of 2
4. Enter the name and the password of an account that has permission to join the domain. In
our example, we use the Administrator account and its associated password. Click OK.
Figure 4-55 Adding the servers to the domain - 1 of 2
5. If the account and password are correct, we see a window similar to the one shown in
Figure 4-56. Click OK on that window.
Figure 4-56 Adding the servers to the domain - 2 of 2
6. Now, we reboot the computer to make all changes effective.
There are just a few more Active Directory related changes to be done for our example
network.
4.4 Creating the folder structure on JFSRV001
The folder structure is very important to define because we need to propagate the users from
the iSeries to the appropriate clients and servers.
In the data partition defined in Chapter 2, “Planning your network and server infrastructure”
on page 17 and Table 2-3 on page 33, we share the following folders:
• DFS_Root_JF
• DFS_Root_JF\Group_Shares
• DFS_Root_JF\Home
• DFS_Root_JF\Profiles
Following the Microsoft convention, a share name that ends in $ enables the object to be shared but not
visible in screens showing the Microsoft Windows Network. Hiding a share this way does not
restrict access; share and NTFS permissions still decide who can connect.
In Figure 4-57 on page 117 we share the DFS_Root_JF folder. (We do not show all the
possible security settings in this Redpaper.) Repeat this process for the other folders listed
above.
Figure 4-57 Creating the necessary file shares
4.5 Move Active Directory objects to the appropriate OU
We move the objects to the appropriate OU that we created in “Create the organizational
units (OU) structure” on page 99. The group policies cannot work until we do this.
Another reason for moving the objects to the appropriate OU is to ease the administration of
the Active Directory.
1. To move objects, select Start → Programs → Administrative Tools → Active Directory
Users and Computers console.
2. Click Computers to open the Computers list in the right pane. Select the computer
(JFSRV002 in our example). Right-click Servers and select Move Here to move the
JFSRV002 computer object from Computers to Servers.
Figure 4-58 Move to Member Server objects
3. In Figure 4-59, using a similar select-and-click sequence, we move the JFSRV011 and
JFSRV012 computer objects from Computers to TerminalServers.
Figure 4-59 Move to Terminal Server objects
4. In Figure 4-60 we move JFCLIENTA and JFCLIENTB computer objects from Computers
to Workstations. JFCLIENTA and JFCLIENTB are two client workstations used in our
example network. (See Figure 2-18 on page 43.) We have not shown these client
workstation computers in previous OU-related figures. You must move your workstation
computers to the Workstations class for proper management.
Figure 4-60 Move computer objects
5. In Figure 4-61 we open the Users folder (lowest folder in the left pane) to get the right
pane. We move fboerner and jcook user objects from Users to the Users OU.
Figure 4-61 Move user accounts
We should repeat this for Site_B as discussed in Chapter 7, “Set up the backup system for
increased availability” on page 181.
4.6 Active Directory chapter summary
We have attempted to provide sufficient information to enable an iSeries-knowledgeable
customer without significant experience with Microsoft Active Directory to assist the Microsoft
Active Directory people in setting up an efficient network infrastructure as quickly as possible.
This should lead to a productive network for both iSeries users and Windows server users
that can be made even more productive after getting the initial network infrastructure up and
running. The following chapters address installing and managing applications running on
Microsoft Windows servers consolidated on iSeries IXS and xSeries servers attached via
HSL loop cables to an iSeries Integrated xSeries Adapter.
Chapter 5. Installing and customizing applications on Windows Terminal Servers
This chapter shows you how to install and customize applications on Windows 2003 (or
Windows XP) with Microsoft Terminal Services in Application mode. For more information
about the special settings to install the software on a Windows Terminal Server, refer to the
documentation for each software product.
For this Redpaper, we installed:
• iSeries Access for Windows
• Microsoft Office
5.1 Install applications on Windows Terminal Server Services and Citrix
Until a few years ago it was very complicated to install software on a terminal server that
could be accessed by clients as if the software resided on the client’s workstation.
During the past two years installation has gotten much easier and is nearly the same as an
application installation on a Windows client. Of course, as you roll out your network, you need
to consider issues such as performance tuning.
In this Redpaper, however, we focus on demonstrating only the settings that are
most important to get up and running productively.
Using our example network we are installing applications on each Citrix server as shown in
Figure 2-19 on page 44.
Attention: Remember to change the drive letter to E where you install most applications.
Note: In a Citrix environment it is very important to test each application you want to use.
Our selection is only a base set that works fine together and which is very common in
customer environments.
5.2 iSeries Access
It is always important to use the same iSeries Access for Windows version and fix level on the
client and the iSeries server. Although using different Version 5 release levels works for most
functions, you occasionally find some release dependencies.
The process of updating software for iSeries Access for Windows on both the iSeries system
(server) and the Windows client workstation is only generally addressed in this Redpaper. For
more complete information, refer to:
http://www.ibm.com/servers/eserver/iseries/integratedxseries
Note: We recommend installing iSeries Access from the iSeries NetServer™.
Examples of specific reasons for keeping the same level of iSeries Access for Windows on
the iSeries server and the PC workstations include:
• It is the best way to install all additional plug-ins for the iSeries Navigator component.
• With each PTF for iSeries Access for Windows that is installed on the iSeries server, the
client update can set up to run automatically from that server, enabling the server and all
clients to be at the same software level.
It is better not to use a mapped network drive for this installation because the same drive will
be used for the updates and sometimes it may not be connected. Figure 5-1 on page 123
shows the iSeries NetServer path. Double-click SETUP.EXE.
Attention: The automatic update feature should not be used on a Terminal Server,
because you need to install these updates from Windows Add/Remove Programs. These
updates should be initiated from the Administrator manually.
Figure 5-1 Install iSeries Access - 1 of 6
iSeries Access for Windows offers four installation types:
• Typical: Installs the components containing the most common functions.
• PC5250 User: Installs the minimum support needed for printer emulation and PC5250
display emulation.
• Custom: Enables you to select which components you want to install.
• Full: Installs all iSeries Access for Windows components available in the source directory.
An experienced iSeries Access for Windows administrator will find the following wizard quite
familiar. Remember, we are installing iSeries Access for Windows on an application-serving
Windows server.
1. We recommend using Custom installation to change the installation path and to select
additional plug-ins for the iSeries Navigator. Click Custom.
Figure 5-2 Install iSeries Access - 2 of 6
2. The Select Destination Directory window opens with the default destination folder. We
recommend changing the drive letter to E as shown in Figure 5-3.
Figure 5-3 Install iSeries Access - 3 of 6
3. Deselect any components you do not want included in the installation on the Windows
application server. If you clear a component that other components depend on, a message
displays indicating that these components will also have to be removed. Click Next.
Figure 5-4 Install iSeries Access - 4 of 6
4. Click Next.
Figure 5-5 Install iSeries Access - 5 of 6
5. The Start Copying Files window opens, showing the components you selected as shown
in the Figure 5-6. After you are satisfied with the components selected, click Next.
Figure 5-6 Install iSeries Access - 6 of 6
After several minutes you see an “Installation completed successfully” message window.
Now, configure iSeries Access for Windows for the way you want to perform the functions you
installed.
1. First, you have to change the iSeries Access for Windows Properties.
After iSeries Access for Windows has been installed, double-click its icon on the desktop
and select iSeries Access for Windows Properties. The General tab window appears
initially, showing the software service level.
2. Figure 5-7 shows the PC5250 tab in the properties window with our example’s
recommended values:
– User specified path for emulator files (Y:\PCOM5250)
Note: It is very important to select the User specified path option (Figure 5-7)
because on a Terminal Server many clients run the same program but with
different settings.
As noted in “Create templates in Windows” on page 37, we planned to use “Y” as
the Home directory for the users.
– Customized workstation profile from iSeries Navigator (Y:\PCOM5250\AS01.WS)
– Automatic migration of workstation profiles (when originally created on an earlier
software release)
Figure 5-7 Configure iSeries Access - 1 of 7
3. On the Service tab shown in Figure 5-8, we specify:
– Never check for any iSeries Access for Windows service level. You may choose any of the
automatic checking options shown.
– Install option source directory
\\<server-name>\qibm\Proddata\Access\Windows\Install. Precede the qibm folder with
your iSeries system host name or IP address.
Figure 5-8 Configure iSeries Access - 2 of 7
After you have finished these basic settings, you can start the iSeries Navigator.
1. The first thing you must do for iSeries Navigator is to configure at least one connection to
an iSeries server.
Figure 5-9 Configure iSeries Access - 3 of 7
Important: You must verify that you have already added all iSeries IP addresses to the
DNS server; otherwise the name resolution will fail.
You should start with your primary system (AS01 in our example network). Figure 5-10
shows the information window when iSeries Navigator first starts, indicating that you have
no connections yet defined.
Figure 5-10 Configure iSeries Access - 4 of 7
2. If there are more plug-ins or you installed iSeries Access from CD you can install these
plug-ins at this moment.
3. Figure 5-11 shows defining the type of user authentication you want to use to connect to
the iSeries system acting as your server. This is standard iSeries Navigator support. You
would specify to use Kerberos principal name only if you have set up a single signon
network using a Kerberos Key Distribution Center that contains the principals (users) and
associated “authentication tickets.”
Figure 5-11 Configure iSeries Access - 5 of 7
In our network we used Prompt every time or the Windows user name and password,
no prompting options on different Windows servers. This gave us maximum flexibility in
our test level example network. Click Next.
Note: Describing how to set up Kerberos and associated i5/OS Enterprise Identity
Mapping is beyond the scope of this Redpaper. However, if you have this set up and
select to use the Kerberos principal, you would not see a sign on prompt window, but go
directly to the first iSeries Navigator window. If you were using PC5250 emulation you
would see the first i5/OS command screen or an application screen, based upon your
workstation’s user ID and associated i5/OS user profile.
For more information on using Kerberos on iSeries refer to:
• V5R3 iSeries information center:
http://www.ibm.com/eserver/iseries/infocenter
• V5R2-based single signon redbook at:
http://www.redbooks.ibm.com/abstracts/sg246975.html
4. iSeries Navigator provides a set of connection tests to various iSeries Access for Windows
server functions. When done with the test click Finished.
Now you can add all additional iSeries systems to the iSeries Navigator. Figure 5-12 shows
an example of optional plug-ins that can be installed.
Figure 5-12 Configure iSeries Access - 6 of 7
Figure 5-13 shows that we installed the Backup Recovery and Media Services plug-in. This
figure displays the usual iSeries Navigator window after a valid user authentication and, in our
example, after only AS01 has been defined as a connection.
Figure 5-13 Configure iSeries Access - 7 of 7
After you have configured all iSeries system connections in the iSeries Navigator, you can
create the 5250 emulation sessions:
1. Double-click the iSeries Access for Windows desktop icon and select Emulator. In our
example network we created, as a minimum, one 5250 session to each iSeries system.
2. Only some of the available 5250 emulation (treated as a Telnet workstation by i5/OS)
setup parameters are shown in Figure 5-14 and the following figures.
Select which Workstation ID syntax naming convention is to be used for this “virtual
workstation.” We select 27x132 to more easily review spooled output, which is typically
132 characters per line. Click OK to establish the first 5250 session to the iSeries system
(AS01 in our example, shown in Figure 5-16 on page 131).
Figure 5-14 Configure 5250 session - 1 of 3
Attention: It is very important to save all configuration files to the same home directory
path to which each user is mapped later.
Figure 5-15 Configure 5250 session - 2 of 3
3. Enter a meaningful (to you) file name as shown in Figure 5-16. Click Save.
Figure 5-16 Configure 5250 session - 3 of 3
Note: You can also change the default keyboard settings, such as whether there is an
“erase to end of field” key combination. If you change the keyboard settings you should
save that keyboard map file in the same directory as the session configuration files.
After finishing these configurations, the configuration files must be copied to each user’s
home directory. For larger enterprises it would be helpful to use a script for this.
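One way to script the copy step described above, as an added example rather than code from the Redpaper: it places the saved PC5250 session and keyboard files into a PCOM5250 folder under each user's home directory and never overwrites a file a user already has. The function name, the template folder, the .KMP keyboard-map extension and the demonstration tree (constructed in a temporary directory) are assumptions of this example.

```powershell
# Added example (not from the Redpaper). Copies PC5250 template files into
# <HomeRoot>\<user>\PCOM5250, which users see as Y:\PCOM5250 once Y: is mapped.
Set-StrictMode -Version 2

function Copy-EmulatorTemplate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$TemplateDir,  # folder holding AS01.WS etc.
        [Parameter(Mandatory = $true)][string]$HomeRoot,     # parent of the home folders
        [string]$SubFolder = 'PCOM5250',
        [string[]]$Extension = @('.ws', '.kmp')               # session profiles, keyboard maps
    )
    $templates = @(Get-ChildItem -Path $TemplateDir |
        Where-Object { -not $_.PSIsContainer -and $Extension -contains $_.Extension })
    if ($templates.Count -eq 0) { throw "No template files found in $TemplateDir" }

    $homes = @(Get-ChildItem -Path $HomeRoot | Where-Object { $_.PSIsContainer })
    foreach ($userHome in $homes) {
        # Do not follow junctions or links placed inside the home root.
        if ($userHome.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            Write-Warning "Skipping reparse point $($userHome.FullName)"
            continue
        }
        $target = Join-Path $userHome.FullName $SubFolder
        if (-not (Test-Path -LiteralPath $target)) {
            if ($PSCmdlet.ShouldProcess($target, 'Create folder')) {
                New-Item -ItemType Directory -Path $target | Out-Null
            }
        }
        foreach ($file in $templates) {
            $dest = Join-Path $target $file.Name
            if (Test-Path -LiteralPath $dest) {
                $status = 'Kept existing'        # the user's own settings win
            } elseif ($PSCmdlet.ShouldProcess($dest, 'Copy template')) {
                # The copy inherits the ACL of the user's home folder.
                Copy-Item -LiteralPath $file.FullName -Destination $dest
                $status = 'Copied'
            } else {
                $status = 'Not copied (WhatIf)'
            }
            New-Object PSObject -Property @{
                User = $userHome.Name; File = $file.Name; Status = $status
            }
        }
    }
}

# --- Demonstration on a constructed tree; replace the paths for real use ---
$demo = Join-Path ([IO.Path]::GetTempPath()) ('pc5250-demo-' + [Guid]::NewGuid().ToString('N'))
$tpl  = Join-Path $demo 'Templates'
$root = Join-Path $demo 'Home'
$jcookCfg = Join-Path (Join-Path $root 'jcook') 'PCOM5250'
New-Item -ItemType Directory -Path $tpl, (Join-Path $root 'fboerner'), $jcookCfg | Out-Null

Set-Content -Path (Join-Path $tpl 'AS01.WS')  -Value 'constructed template profile'
Set-Content -Path (Join-Path $tpl 'AS01.KMP') -Value 'constructed keyboard map'
Set-Content -Path (Join-Path $jcookCfg 'AS01.WS') -Value 'profile already customized by jcook'

Copy-EmulatorTemplate -TemplateDir $tpl -HomeRoot $root |
    Select-Object User, File, Status | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Run it with -WhatIf first to list what would be created, and keep the template folder writable by administrators only, since every user's emulator session starts from those files.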
5.3 Microsoft Office
For our scenario we also installed the following elements of the Microsoft Office 2003 suite:
• Office 2003 Professional
– Access
– Excel
– PowerPoint
– Outlook
– Publisher
– Word
• Office Project 2003 Professional
• FrontPage 2003
• Visio 2003 Professional
The following figures show how we installed Microsoft Office 2003 in our example network.
1. We install Microsoft Office into the E drive (as shown in Figure 5-17); click Next to install.
Figure 5-17 Install Microsoft Office 2003 - 1 of 4
2. Install only the applications that your clients will be using. When all are selected, click
Next.
Figure 5-18 Install Microsoft Office 2003 - 2 of 4
3. We install the applications as shown in Figure 5-18 and Figure 5-19, clicking Next to move
to the next application selection window.
Figure 5-19 Install Microsoft Office 2003 - 3 of 4
4. We chose a complete installation for other products as shown in Figure 5-20. Click Next.
Figure 5-20 Install Microsoft Office 2003 - 4 of 4
For Microsoft Office 2003, no additional configuration is necessary.
This ends our example application installation on our application server. You may have your
own set of applications to be installed. Remember to test them while several are running at
the same time before fully deploying them for general client workstation usage.
Chapter 6. Installing and customizing Citrix Presentation Server
Citrix Presentation Server is designed to enable central management of virtually any
heterogeneous set of applications and to deliver access to any authorized user, essentially
anytime, anywhere, and using any network.
Citrix Presentation Server 3.0 is certified to run on Microsoft Windows 2000 Server and
Windows Server 2003 in a centralized, mainframe-concept infrastructure. This significantly
expands the range of capabilities that are available when using only Microsoft Terminal
Services. Citrix Presentation Server 3 provides extended functionality, scalability, and secure
access solutions that help to further reduce computing costs and increase the utility of the
information systems within a network.
This chapter includes such information as:
• How to install Citrix Presentation Server 3.0
• Installing the Citrix products
• Configuring Citrix Presentation Server 3.0
As with the Microsoft Active Directory chapter, the information in this chapter is not meant to
be a thorough treatment of Citrix Presentation Server capabilities. Rather, using our example
network as a base, the information we provide should be sufficient to enable the
iSeries-trained person to work efficiently with a certified Citrix specialist to get the Citrix
managed applications up and running on a network of servers and clients in as short a time
as possible.
Note: In the Attention box just before 1.2, “iSeries integration for Windows servers:
advantages summary” on page 4, we discussed dropping the word “Metaframe” from
heading topics even though most of the windows shown in figures include the word
“Metaframe.” It is in this chapter that this can be most confusing. Just remember, the function
being described is the same when we describe the function without the word “Metaframe”
and the window shown in the figure contains Metaframe.
6.1 Install Citrix Presentation Server 3.0
In our example we use the databases initially created in “Create MetaFrame and
MF_Resource databases” on page 77.
6.1.1 Set up the database environment for Citrix Presentation Server
Citrix Presentation Server 3.0 uses the database environment to perform and manage its
functions.
Database servers that can be used by Citrix Presentation Server 3.0 include:
• Microsoft Access
• Microsoft SQL Server 2000 Desktop Engine (MSDE)
• Oracle
• IBM DB2 for Windows and UNIX
• Microsoft SQL Server
Microsoft SQL Server 2000 is the most commonly used database server, and we use it for our
example network. For more information about our SQL Server configuration, refer to 3.5.3,
“Install and configure Microsoft SQL Server 2000” on page 71.
6.1.2 Install the Citrix products
1. Insert the CD in the CD drive and choose Product installations as shown in Figure 6-1.
Figure 6-1 Install Citrix MetaFrame on Windows Terminal Services - 1 of 29
2. Select Install MetaFrame Presentation Server and its components.
Figure 6-2 Install Citrix MetaFrame on Windows Terminal Services - 2 of 29
3. Figure 6-3 shows the default components selected. The Citrix License Server component
is already deselected because we already installed it on our additional server JFSRV002.
Click Next.
Figure 6-3 Install Citrix MetaFrame on Windows Terminal Services - 3 of 29
4. In Figure 6-4 we select I already have a Citrix License Server; click Next.
Figure 6-4 Install Citrix MetaFrame on Windows Terminal Services - 4 of 29
5. The first Citrix Presentation Server component installed is the Citrix Web Interface, which
is sometimes referred to as NFUSE. Before installing the Citrix Web Interface, you must
first install Microsoft Internet Information Services (which we have already done; see
3.6.1, “Windows components” on page 80.) Click Next.
Figure 6-5 Install Citrix MetaFrame on Windows Terminal Services - 5 of 29
Note: Citrix Independent Computing Architecture (ICA) is the protocol used between
Citrix client and Citrix servers that supports running an application on the server as if it
were installed on the client.
6. The Citrix client workstation can have the full Citrix ICA Client installed. You can install this
from a CD or download the full Citrix ICA Client from:
http://www.citrix.com./download
If the Citrix Web client workstation does not have the full Citrix ICA Client installed, you
can install the ICAWEB client code to, as a minimum, run published applications on a
Citrix Presentation Server.
ICAWEB can be downloaded to the server. As shown in Figure 6-6 we install (copy)
ICAWEB into our server. Click Next.
Figure 6-6 Install Citrix MetaFrame on Windows Terminal Services - 6 of 29
In 6.3.1, “Citrix ICA Client for Windows” on page 168 we give an example of a client using the
ICA Client for Windows, and in 6.3.2, “Citrix Web Interface access” on page 174, we give an
example of a client using ICAWEB.
The next step, which shows setting the default Web page, is not as important in our example
network as it could be. This is because we recommend setting the default Web page with the
Group Policies to the Citrix MetaFrame Logon Page as shown in “JF_ITSO_TerminalServers
Group Policy” on page 109.
However, we show setting the default in Figure 6-7. Click Next.
Figure 6-7 Install Citrix MetaFrame on Windows Terminal Services - 7 of 29
7. Now, we are ready to install MetaFrame Presentation Server 3.0. Click Next in the first
setup window, shown in Figure 6-8.
Figure 6-8 Install Citrix MetaFrame on Windows Terminal Services - 8 of 29
8. The next window starts the installation of Presentation Server. You should choose the
product edition that you have licensed. You can see more information about available
editions at:
http://www.citrix.com/products
For our example network, we select Enterprise Edition (Figure 6-9). Click Next.
Figure 6-9 Install Citrix MetaFrame on Windows Terminal Services - 9 of 29
9. We recommend changing the target directory to install Citrix components into the E
partition as shown in Figure 6-10. We already created the E partition earlier in this
Redpaper, only for installing programs or applications. Click Next.
Figure 6-10 Install Citrix MetaFrame on Windows Terminal Services - 10 of 29
10. Pass-Through Authentication (Figure 6-11) is a Citrix Presentation Server feature that
enables use of the Windows logon credentials in Citrix without a separate logon. We
select Yes and click Next.
Figure 6-11 Install Citrix MetaFrame on Windows Terminal Services - 11 of 29
11. In most Citrix MetaFrame environments you create a server farm when you first set up the
Citrix Presentation Server by choosing Create a new farm as shown in Figure 6-12.
Note: A Citrix server farm is a group of servers housed together in a single location. A
server farm is sometimes called a server cluster.
In our example we select Join an existing farm. Click Next.
Figure 6-12 Install Citrix MetaFrame on Windows Terminal Services - 12 of 29
12. In the next window, choose Connect directly to the database using ODBC. We show
this as the default data store connection database server because we created this
database in “Create MetaFrame and MF_Resource databases” on page 77. We use
Microsoft SQL Server in our installation.
For the zone name it is important to use the segment address of the Ethernet port.
If you choose to use Microsoft Access as the Citrix MetaFrame database, select Connect
to a database on this server instead of a SQL Server via ODBC. If you use this as the
database, you do not need to create a Microsoft Access database. This is because
Microsoft Access is built-in when you install the first server farm.
Click Next.
Figure 6-13 Install Citrix MetaFrame on Windows Terminal Services - 13 of 29
In the following step-by-step procedures, we show the installation of Citrix MetaFrame to
use Microsoft SQL Server 2000.
Note: When using an existing database server to be accessed via ODBC (as we are
doing) this database server must be started and active while performing the next steps.
13. Enter the description and the server running SQL Server (Figure 6-14). Click Next.
Figure 6-14 Install Citrix MetaFrame on Windows Terminal Services - 14 of 29
14. Select the MetaFrame database and click Next.
Figure 6-15 Install Citrix MetaFrame on Windows Terminal Services - 15 of 29
15. Enter an existing user name and password with the rights to act as a service. We created
this user account in 4.1.6, “Create accounts for Windows services” on page 100. Click
Next.
Note: You can also use the Administrator account at this time, but you may change this
capability later with the command line utility DSMAINT CONFIG.
Figure 6-16 Install Citrix MetaFrame on Windows Terminal Services - 16 of 29
16. You need to refer to a Citrix license server, because the client workstation needs a Citrix
connection license. You can set the name of the Citrix license server now or later in the
Citrix Management Console properties of the farm settings. The license server must be
configured before users can connect to the server.
We select the default options as shown in Figure 6-17. Click Next.
Figure 6-17 Install Citrix MetaFrame on Windows Terminal Services - 17 of 29
17. In Figure 6-18, the default option is “Allow shadowing of user sessions on this server”
without any suboptions selected.
Important: If you override the defaults as we do here in Figure 6-18, you cannot
change these values later in the configuration. If you need to change these values, you
must first uninstall Citrix MetaFrame Presentation Server and then install it again.
Figure 6-18 Install Citrix MetaFrame on Windows Terminal Services - 18 of 29
18. As shown in Figure 6-19, configure the Citrix XML Service port to share the default TCP/IP
communication port (8080) with Microsoft Internet Information Services. This service port is
used to supply servers running the Citrix Web Interface and TCP/IP-connected ICA Clients with
the names of published applications that are available in a server farm. Figure 6-59 on
page 172 through Figure 6-62 on page 174 show examples of server farm properties.
Note: All servers in the farm must use the same TCP port for the Citrix XML service.
After selecting to share the port, click Next.
Figure 6-19 Install Citrix MetaFrame on Windows Terminal Services - 19 of 29
19. To connect remotely to MetaFrame servers running on Windows Server 2003, the users
must be members of the Remote Desktop Users group.
In Figure 6-20, we add all users’ accounts and also anonymous users. Carefully read the
text about skipping this step and security. Click Next.
Figure 6-20 Install Citrix MetaFrame on Windows Terminal Services - 20 of 29
20. In most cases you have to change some security settings for Citrix to run, as indicated by
the Installer Information window shown in Figure 6-21. Click Yes to perform these
changes.
Figure 6-21 Install Citrix MetaFrame on Windows Terminal Services - 21 of 29
21. Figure 6-22 shows Launch the ICA Client Distribution wizard selected. This is used for
client update functions.
However, the first installation on each client must be installed by hand or using some other
systems management software such as Tivoli Software Distribution or Microsoft SMS.
We uncheck this option and click Close.
Figure 6-22 Install Citrix MetaFrame on Windows Terminal Services - 22 of 29
22. Now we have to install Citrix ICA Client Distribution. We choose Typical installation at this
time, which means that all ICA clients on the CD will be installed.
Click Next.
Figure 6-23 Install Citrix MetaFrame on Windows Terminal Services - 23 of 29
23. The next step is the installation of the Access Suite Console. As shown in Figure 6-24,
click Next.
Figure 6-24 Install Citrix MetaFrame on Windows Terminal Services - 24 of 29
24. Change the installation path to the same path used for Citrix MetaFrame, as shown in
Figure 6-25. Click Next.
Figure 6-25 Install Citrix MetaFrame on Windows Terminal Services - 25 of 29
25. Figure 6-26 shows all Access Suite Console Setup options with several extended
functions that can be installed. We recommend selecting all extensions to be installed.
Click Next.
Figure 6-26 Install Citrix MetaFrame on Windows Terminal Services - 26 of 29
26. This starts the installation of the Citrix Management Console. This is the tool you use to
configure Citrix MetaFrame. Click Next.
This begins a series of console installation wizard windows, starting with Figure 6-27.
Follow the wizard instructions, clicking Next as necessary to proceed to the next window.
Figure 6-27 Install Citrix MetaFrame on Windows Terminal Services - 27 of 29
27. After installing the Management Console, the last Citrix MetaFrame Presentation Server
installation option is to install the Document Center, which offers a single point of access
to all administrator’s guides.
We installed it in the same path as the other Citrix products.
Figure 6-28 shows the initial Welcome to Document Center Setup window. Click Next, as
necessary, to go through the Document Center setup.
Figure 6-28 Install Citrix MetaFrame on Windows Terminal Services - 28 of 29
28. Figure 6-29 shows the Citrix MetaFrame Presentation Server installation summary,
displaying Successful status for all components we installed in this chapter.
Recall that:
– In our example network, as shown in Table 2-2 on page 28, we installed all of the Citrix
MetaFrame Presentation Server components shown as successful on Windows
servers JFSRV011 and JFSRV012 for Site_A.
– We also installed the Citrix Access Suite License Server on Windows server
JFSRV002 for Site_A in 3.5.2, “Citrix MetaFrame Access Suite Licensing Services” on
page 66.
Click Finish.
Figure 6-29 Install Citrix MetaFrame on Windows Terminal Services - 29 of 29
After the installation is complete, you must reboot the server. Now you can configure the Citrix
MetaFrame Presentation Server.
6.2 Configure Citrix MetaFrame Presentation Server
After installing the Citrix MetaFrame Presentation Server, we have many configuration steps
to do and consider. This section shows you what the Redpaper writers consider as the base
necessary configuration steps.
For further information refer to the Citrix documentation.
6.2.1 Configure ICA Client Update
The MetaFrame taskbar is on the right side of the window as shown in Figure 6-30. Select the
icon representing the ICA Client Update tools to first configure the ICA Client Update function.
Figure 6-30 Citrix Client Update configuration - 1 of 4
Figure 6-31 through Figure 6-33 on page 153 show the settings for the full version of the ICA
32-bit Windows client, which we recommend using.
Using Properties as shown in Figure 6-31, you can configure (for each kind of ICA Client)
which version should be installed and used on all clients. This is only an Update function; the
first installation has to be done separately.
Figure 6-31 Citrix Client Update configuration - 2 of 4
We recommend changing the settings to be as shown in Figure 6-32:
• Notify user when a client download is to be performed
• Update only older client versions
• Allow downloads to run in the background
The options we have selected ensure that the client workstations have the latest code level
and that the workstation can be used during the download.
Figure 6-32 Citrix Client Update configuration - 3 of 4
Click the Event Logging tab. We select both logging options as shown in Figure 6-33. Click
Apply, then click OK. This returns you to the window shown in Figure 6-31 on page 152.
Figure 6-33 Citrix Client Update configuration - 4 of 4
6.2.2 Basic configurations in the Citrix Management Console
We use the Citrix Management Console tool to configure the Citrix environment. This tool can
be selected from the MetaFrame taskbar as shown in Figure 6-34.
Figure 6-34 Change server farm properties - 1 of 5
1. We recommend setting the server farm properties first, as shown in Figure 6-35.
Figure 6-35 Change server farm properties - 2 of 5
2. Select the MetaFrame license server JFSRV002 and specify a default port of 27000. Click
OK.
Note: The license server was defined in 3.5.2, “Citrix MetaFrame Access Suite
Licensing Services” on page 66.
Figure 6-36 Change server farm properties - 3 of 5
3. Select Zones as shown in Figure 6-37.
Figure 6-37 Change server farm properties - 4 of 5
4. For each zone (subnet), select the server that should act as data collector for this subnet.
Our data collector server JFSRV012 is referred to in Figure 2-19 on page 44.
As shown in Figure 6-38, right-click the server and select Most Preferred. Click OK.
Figure 6-38 Change Server farm properties - 5 of 5
Note: For Zone 9.5.192.0 (Site_B), we repeat this for JFSRV112 as Most Preferred Data
Collector Server as shown in Chapter 7, “Set up the backup system for increased
availability” on page 181.
Add administrators to use Citrix Management Console
You need to add user accounts or group accounts from Windows to designate who
should be able to manage server farms as administrators.
In Figure 6-39, right-click MetaFrame Administrators and select Add MetaFrame
Administrator.
Figure 6-39 add accounts to use Citrix Management Console
If you do not want to create your own group account for the Citrix Administrators within the
Windows operating system, we recommend at least adding the Domain Administrators group.
Publish applications
Applications must be published to be usable by ICA client workstations. In this section we
show how to publish applications in our Citrix MetaFrame environment.
The example we show is an iSeries Access for Windows 5250 emulation (Telnet) session.
There are special options you must use for the configuration file.
Note: Perform the following steps for each application you want to publish.
1. In Figure 6-40, right-click Applications and select Publish Application.
Figure 6-40 Publish applications - 1 of 10
2. In the Application Publishing Wizard Welcome window shown in Figure 6-41, enter the
application name displayed to ICA Client users through the Web interface or the Program
Neighborhood.
The application description is optional and can be different from the Display Name field
contents. You need to know the application name (write down the application name you
entered) as you will select it in a later window, in the correct order.
After you have entered and recorded the application name and, optionally, entered the
description, click Next.
Figure 6-41 Publish applications - 2 of 10
3. The next window (Figure 6-42) shows three application types:
– Application
Select this option to publish an application installed on one or more MetaFrame
Presentation Servers.
– Desktop
Publishes the entire Windows desktop of a MetaFrame Presentation Server.
– Content
Publishes media, Web pages, and documents.
We select the Application option. You must change the Command Line field to point to
your session configuration file.
Note: We created the session configuration file y:\PCOM5250\as01.ws in 5.2, “iSeries
Access” on page 122 and Figure 5-7 on page 126.
Click Next.
Figure 6-42 Publish applications - 3 of 10
4. In the Program Neighborhood Settings window (Figure 6-43), we recommend a Program
Neighborhood folder structure for ease of management. Our folder structure is shown in
6.3.2, “Citrix Web Interface access” on page 174.
In our example we specify iServer Access for the Program Neighborhood folder and Start
Menu folder. We also specify adding the shortcut to the client’s desktop. Note the default
icon and that you can change the icon by using the Change Icon button. Click Next.
Figure 6-43 Publish applications - 4 of 10
5. Now, define how the application appears to the ICA Client user.
In the windows shown in Figure 6-44 through Figure 6-47 on page 164, we specify:
– Application appearance to the client workstation
– Application security including data encryption
– The number of concurrent instances and CPU priority level
– The MetaFrame servers that these applications can run on
– Which user accounts or group accounts can run the applications
Read the text in each window carefully and use the Help button for additional details. You
must follow these steps for each application you want clients to have access to.
Figure 6-44 Publish applications - 5 of 10
6. Click Next.
Figure 6-45 Publish applications - 6 of 10
7. We do not limit the concurrent instances. Click Next.
Figure 6-46 Publish applications - 7 of 10
8. In the Specify Servers window (Figure 6-47), you can see only two server farms: Site_A
and Site_B. We will install the other server farm in Chapter 7, “Set up the backup system
for increased availability” on page 181; after that, the servers will appear in this window.
You should add each server farm where the application is installed. Use this window to set
up additional servers later. For now, click Next.
Figure 6-47 Publish applications - 8 of 10
9. In the Specify Users window (Figure 6-48), specify which user accounts or group accounts
from your Windows operating system can access the applications. For general security
considerations, we recommend never selecting “Allow Anonymous Connections.”
Select the users who can access this application. When satisfied, click Next and then click
Finish.
Figure 6-48 Publish applications - 9 of 10
The Management Console in Figure 6-49 shows the list of applications in our JFS server farm
that we specified to publish while developing this Redpaper.
Those familiar with iSeries Access for Windows should note the 5250 emulation session to
AS01 and iSeries Access Navigator (the name we used). You can also see that we do
application serving for Lotus Windows applications.
Figure 6-49 Publish applications - 10 of 10
Configure load balancing
Citrix MetaFrame enables you to set up load balancing among its server farm servers to
provide a level of optimized resource utilization.
Either choose a load evaluator to use or create a new one to configure as you want. For our
scenario we choose the default load evaluator provided with Citrix MetaFrame.
Attention: Do not forget to configure load balancing for every MetaFrame Presentation
Server. The evaluator for each one must be configured with the same rules.
Configure the resource manager
We used Resource Manager to manage resources on Citrix MetaFrame servers. It
collects, stores, displays, and analyzes data about applications, user activity, and system
performance.
To use the Citrix Resource Manager, create an ODBC DSN configuration for the connection
to the created database for this Resource Manager set of functions. Use the ODBC Data
Source Administrator to create this DSN.
Note: The name for this DSN must be rmsummarydatabase.
Go to the Citrix Documentation Center for more information. We discuss installing the
Documentation Center in the text describing Figure 6-28 on page 150.
After the DSN is created, you can configure the Resource Manager function in the Citrix
Management Console as shown in Figure 6-50.
Note: You should specify a different user account to access the database.
Next we configure the Summary Database. In the window shown in Figure 6-50, select the
Resource Manager folder → Summary Database tab → Configure.
Figure 6-50 Configure the Resource Manager data collection - 1 of 2
This opens the Summary Database Configuration window shown in Figure 6-51. We specify
to enable the summary database to JFSRV012 using the administrator’s user account and
password and take the defaults for the other parameters.
Review the details for each parameter shown. When satisfied with your parameter values,
click OK to apply the values.
Figure 6-51 Configure the Resource Manager data collection - 2 of 2
This returns us to the Management Console window shown in Figure 6-50 on page 167.
6.3 Client access to the Citrix server farm
There are two principal ways to access a Citrix server farm:
• Citrix ICA Client for Windows
• Citrix ICA Client for Web Access
We recommend using client Web access because you do not have to configure it; you merely
install it. Download the ICA Client at:
http://www.citrix.com/download
In our example we downloaded the ICA32Pkg.msi file.
We show both interfaces in the next sections.
6.3.1 Citrix ICA Client for Windows
First, install the ICA Client for Windows. The version you initially install and use is not
important because we have set up to use the Update function in Citrix MetaFrame.
Note: If you do not want to configure the ICA Client for each user, you can create a
distribution ICA Client by using the Citrix ICA Client Distribution Wizard.
We install the ICA Client manually to show you the steps.
1. Run the ICA32Pkg.msi file.
2. Figure 6-52 is the MetaFrame Presentation Server Client Setup wizard’s first window.
Review the text and click Next.
Figure 6-52 Citrix ICA Client installation - 1 of 11
3. We install all clients for 32-bit Windows as shown in Figure 6-53. Click Next.
Figure 6-53 Citrix ICA Client installation - 2 of 11
4. In Figure 6-54, we enter the URL for the server running the Web interface to display
shortcuts on the user’s desktop to the published applications. Click Next.
Figure 6-54 Citrix ICA Client installation - 3 of 11
5. In the Client Name window (Figure 6-55), each client computer must have a unique client
name because Citrix MetaFrame uses the name mainly to manage client printers. Our
default value (JFSRV002) is shown in Figure 6-55. Click Next.
Figure 6-55 Citrix ICA Client installation - 4 of 11
6. In Figure 6-56, we specify to use your local user account and password.
You should use this function for easier access for your users; otherwise the user has to log
on again. Click Next.
Figure 6-56 Citrix ICA Client installation - 5 of 11
7. If you start the Citrix ICA Client and it does not find a valid configuration or a Citrix
MetaFrame server on the LAN, you should configure the Client settings or the Application
Set Settings and add the IP addresses for at least three server farms. These may be in
different physical sites. Figure 6-60 on page 173 shows an example.
In this Redpaper we assume that the server farm is found; you have to log on.
8. In Figure 6-57 we enter our example user ID and password and click OK.
Figure 6-57 Configure the Citrix client - 6 of 11
9. Figure 6-58 shows the server farm applications we have the rights to use.
Figure 6-58 Configure the Citrix client - 7 of 11
10. Configure some settings in the application set to connect to server farms.
Right-click the Application Set Manager icon to open the menu shown in Figure 6-59.
Select Application Set Settings to change properties for our configured Application set.
Figure 6-59 Configure the Citrix client - 8 of 11
Figure 6-60 on page 173 through Figure 6-62 on page 174 show the Application Set
Settings we are going to view or change.
11. Select the Connections tab to show the properties in Figure 6-60. Ensure that the values
match your network, or enter values if necessary. This figure is valid for our network.
Figure 6-60 Configure the Citrix client - 9 of 11
12. Review the values in our example. In our example network we have all the values we want
and need. Click the Default Options tab to display the window shown in Figure 6-61.
Figure 6-61 Configure the Citrix client - 10 of 11
13. Click the Logon Information tab. We accept the values shown in Figure 6-62 on
page 174. You may want to use Help to review the parameter details before proceeding.
When finished, click OK.
Figure 6-62 Configure the Citrix client - 11 of 11
This ends our example of using the Citrix ICA Client for Windows.
6.3.2 Citrix Web Interface access
Another way to access the published applications is using the Citrix Web Interface.
We assume that you have installed the function and set the Group Policy settings to point to
this function as shown in “JF_ITSO_TerminalServers Group Policy” on page 109.
Figure 6-63 on page 175 shows the default home page. Enter the URL shown in the figure,
and a valid name and password. Click Log In.
Figure 6-63 Using the Citrix Web Interface - 1 of 5
Figure 6-64 shows the applications that FBOERNER is authorized to access.
Figure 6-64 Using the Citrix Web Interface - 2 of 5
Figure 6-65 through Figure 6-67 on page 178 show examples using Microsoft Office and
iSeries Access for Windows 5250 emulation.
Figure 6-65 shows the folder structure for Microsoft Office that was selected in Figure 6-64 on
page 175.
Figure 6-65 Using the Citrix Web Interface - 3 of 5
Figure 6-66 shows the folder structure we set up for iSeries Access that we selected from the
browser window shown in Figure 6-64 on page 175.
Figure 6-66 using the Citrix Web interface - 4 of 5
You can start a 5250 emulation session to AS01. You can also start an iSeries Access
Navigator session to one of our example network iSeries systems AS01 and AS55.
Figure 6-67 shows the 5250 signon window, as we selected the 5250 session icon in
Figure 6-66 on page 177.
Figure 6-67 Using the Citrix Web Interface - 5 of 5
6.4 Citrix Access Suite Console
Citrix Access Suite is a set of integrated products that provides a wide range of functions
including:
• Management of multiple farms, applications, sessions, servers, and licenses
• Easy and instant access simplifying their management
• Deployment in heterogeneous computing environment
Citrix access infrastructure software, delivered through the Access Suite, is the easiest way
for organizations to build an on demand enterprise where information is accessible from
anywhere, any time, using any device over any properly configured network.
Figure 6-68 on page 179 shows the Citrix Access Suite Console we used in our example
network.
Figure 6-68 Citrix Access Suite Console
Note: If you run two Access Suite Console sessions simultaneously on a machine with the
same account credentials, when changes are saved on one session the changes overwrite
changes made on the other Access Suite Console session.
Chapter 7. Set up the backup system for increased availability
We need to reduce the amount of downtime of our Windows applications and improve our
Windows recoverability and resiliency utilizing our iSeries systems.
In this chapter, we discuss the primary steps for setting up Site_B as a backup site. We cover
the details needed to set up the system and network for higher availability. Most of the steps
we cover are based upon information and steps covered in other chapters of this Redpaper.
We refer to the other chapter information where appropriate.
7.1 Configure the backup iSeries system
Refer to 3.1, “I5/OS tasks” on page 48, to set up the basic settings and system values, create
all network server descriptions (*NWSD) and the additional network storage spaces, and
change the i5/OS start program. This backup server and network is represented by Site_B in
Figure 2-2 on page 28.
7.2 Install additional components on the servers
Follow 3.2, “Windows server tasks” on page 57 to configure the Ethernet settings. After this,
go to 4.3, “Adding Windows servers and clients to the Domain” on page 114, to add the
servers to the domain.
Next, install all necessary software on the IXS/IXA server. Refer to 3.4, “Domain controller” on
page 62 and 3.6, “Windows Terminal Server to use for Citrix MetaFrame Presentation Server
3.0” on page 80 for your designated Citrix MetaFrame servers.
7.3 Set up an additional domain controller on JFSRV101
We presume that you have already completed the site configuration, DNS configuration, and
so on for all sites and subnets. Thus it is easy to add domain controllers to the environment.
7.3.1 Run DCPROMO
To promote a server to domain controller, run the DCPROMO wizard. Select Additional
domain controller for an existing domain as shown in Figure 7-1.
Figure 7-1 Configure an additional domain controller
7.3.2 Install and activate Windows Terminal Server licensing
To set up and activate Windows Terminal Server Licensing, refer to 4.1.3, “Activate Terminal
Server Licensing” on page 95.
7.3.3 Site configuration
Normally the connection documents are created automatically if the servers are on the same
subnet. We recommend deleting the default entries and creating new ones to make
replication optimal between the domain controllers. We use Microsoft Management Console
and perform this on the JFSRV001 server, as shown in Figure 7-2 through Figure 7-4 on
page 184. Repeat these steps for the JFSRV101 server.
Note: Afterwards, we move the JFSRV101 server to Site_B.
Figure 7-2 Configure sites - 1 of 6
1. In Figure 7-3, select a domain controller. We select the JFSRV101 server and click OK.
Figure 7-3 Configure sites - 2 of 6
2. In Figure 7-4, confirm the server selection. Click OK.
Figure 7-4 Configure sites - 3 of 6
3. After the first replication between the domain controllers has completed, you can move
the new domain controller to Site_B.
Select JFSRV101 in Site_A and move it to Site_B as shown in Figure 7-5.
Figure 7-5 configure sites - 4 of 5
4. By default, the Global Catalog service is not configured on additional domain controllers,
so we configure it as shown in Figure 7-6 and Figure 7-7.
Figure 7-6 configure sites - 5 of 6
5. Users throughout the domain controllers (forest) need fast access to information about
every object in the forest, so we check the parameter Global Catalog, as shown in
Figure 7-7, and click OK.
Figure 7-7 configure sites - 6 of 6
Now, we are ready to configure DNS.
7.3.4 Configure DNS
You can refer to 4.1.2, “Additional configuration for the DNS server” on page 91 for
information, but you should only have to verify the replication between the DNS servers. No
additional steps are necessary.
7.3.5 Configure DHCP
Refer to 4.2, “Configure the DHCP service” on page 110, but make sure that DHCP
distributes each available IP address only once in the whole environment.
7.4 Install the applications on JFSRV111 and JFSRV112 Windows servers
Refer to Chapter 5, “Installing and customizing applications on Windows Terminal Servers” on
page 121.
7.5 Install Citrix MetaFrame Presentation Server 3.0 on JFSRV111 and JFSRV112 Windows servers
Refer to Chapter 6, “Installing and customizing Citrix Presentation Server” on page 135 and
follow the instructions to join an existing server farm.
7.6 Backup and recovery
For backup and recovery, refer to Chapter 8, “Backup and recovery possibilities” on page 187.
Chapter 8. Backup and recovery possibilities
In this chapter we describe only the important steps for a complete backup.
You can use different functions or programs to save the data:
• i5/OS functionality
• Backup Recovery and Media Services (BRMS)
• Tivoli Storage Manager (TSM)
We show only the i5/OS operating system functionality to stay within the scope of this book.
To configure and use one of these license programs, see its documentation.
In 8.5, “Back up and restore without file-level backup” on page 197, we show the fastest way
to save and restore user data on iSeries.
For more information, we recommend the backup and recovery chapter in Microsoft Windows
Server 2003 Integration with iSeries, SG24-6959.
8.1 Daily file-level backups using Windows backup utilities
You can use the same Windows backup utilities as you use today on PC-based servers, but
target an iSeries attached tape device. i5/OS tape support provides good performance that
varies depending on other i5/OS activities going on and the tape drive technology.
Supported Windows backup utility tools include:
• Windows Server integrated backup applet
• Veritas and Computer Associates (Cheyenne) ARCserver for Windows Server
While Windows tape support is in use, the i5/OS tape device must be in varied-off state, in
which it is not available to i5/OS applications. In the varied-off status, the tape device must
be “locked” from the Windows server operating system before it is used by the Windows backup tool.
Backup of i5/OS objects and files cannot be mixed on the same tape as files backed up by the
Windows utilities.
All of the tape drives commonly sold today as attachable to an iSeries and supported by
i5/OS can be used by the Windows-based backup tools. This includes 3570 and 3580
technology devices.
LTO drives require iSeries integration Service Pack on V5R1 or later. OS/400 V5R2 added
Auto Cartridge Loader (ACL) support for the 3570, 3580, and 3590 family of tape devices and
tape libraries.
Note that 3480, 3490, and 3490e and reel-to-reel tape devices are not supported.
8.2 Planning for backup using i5/OS
You can use i5/OS commands available with IBM iSeries Integration for Windows Server to
back up the associated Windows files and related objects. You can also use the iSeries
Navigator interface to these functions.
Using iSeries Navigator (Figure 8-2 on page 189), you can see our Network Server Storage
spaces by selecting File systems → Integrated File System → Root → QFPNWSSTG.
Figure 8-1 Network Server Storage spaces in the IFS
Figure 8-2 shows the Network Server Storage spaces we created in 3.1.2, “Setting up your
network storage spaces” on page 55 (Figure 3-9 on page 56).
Figure 8-2 Network Server Storage spaces in the IFS
If the Windows server is up and running, you also see the Windows server file structure as
shown in Figure 8-3 on page 190 by selecting File systems → Integrated File System →
QNTC → JFSRV001.
You must be logged on to i5/OS with a user ID and password that matches a local Windows
account and password. This account must be a member of the Administrator’s group.
Figure 8-3 Files in the IFS when the Windows server is running
There are two ways to save the data for the Windows server:
• Saving the Network Server Storage spaces
• Saving the files within the QNTC file system
Important: To save the Network Server Storage space, the Network Server Description
must be in varied off (unavailable) status. For this you can use iSeries Navigator.
To save the files within the QNTC file system, the Network Server Description must be in
varied on (available, iSeries Navigator “Started”) status and the Windows server itself must
be up and running.
The most important data to save are the Network Server Storage spaces as described in 8.3,
“Back up the Network Server Storage spaces” on page 191. You need to decide a strategy for
saving them. We recommend:
• Once a week, save all Network Server storage spaces.
• Daily, save the user data Network Server Storage spaces.
With the backup of the Network Server Storage spaces you can restore the whole server very
easily, but you cannot restore a single file, only a whole partition.
Attention: In the Active Directory, tombstone values exist for 30 days. You may run into
problems if you try to restore a domain controller system drive with a backup that is older
than 30 days. For more information about tombstone, refer to Microsoft Document Center.
8.3 Back up the Network Server Storage spaces
For each Network Server Storage space, you have to run the following i5/OS command:
VRYCFG CFGOBJ(XXXXXXXX) CFGTYPE(*NWS) STATUS(*OFF).
Figure 8-4 shows use of the VRYCFG command (for our example XXXXXXXX is JFSRV012).
Note: For your backup CL program, you should use the logical sequence in the startup
program in 3.1, “I5/OS tasks” on page 48 (Figure 3-3 on page 50).
                        Vary Configuration (VRYCFG)
Type choices, press Enter.
Configuration object . . . . . . > JFSRV012      Name, generic*, *ANYNW...
               + for more values
Type . . . . . . . . . . . . . . > *NWS          *NWS, *NWI, *LIN, *CTL...
Status . . . . . . . . . . . . . > *OFF          *ON, *OFF, *RESET...
Asynchronous vary off  . . . . .   *yes          *NO, *YES
Forced vary off  . . . . . . . .   *NO           *NO, *YES, *LOCK
Job description  . . . . . . . .   QBATCH        Name
  Library  . . . . . . . . . . .     *LIBL       Name, *LIBL
                                                                    Bottom
Figure 8-4 Example for varying off a Windows server
Next, use the SAV command to save the Network Server Storage spaces as shown in
Figure 8-5. This command saves all Network Server Storage spaces on the iSeries disk.
                             Save Object (SAV)
Type choices, press Enter.
Device . . . . . . . . . . . . . > '/qsys.lib/tap01.devd'
               + for more values
Objects:
  Name . . . . . . . . . . . . . > '/qfpnwsstg/*'
  Include or omit  . . . . . . .   *INCLUDE      *INCLUDE, *OMIT
               + for more values
Name pattern:
  Pattern  . . . . . . . . . . .   '*'
  Include or omit  . . . . . . .   *INCLUDE      *INCLUDE, *OMIT
               + for more values
Directory subtree  . . . . . . .   *ALL          *ALL, *DIR, *NONE, *OBJ, *STG
Save active  . . . . . . . . . .   *NO           *NO, *YES, *SYNC
                                                                    More...
Figure 8-5 Save all Network Server Storage spaces
If you want to save only one partition, extend the Name parameter. For example, to save the
user data partition, in Figure 8-5 on page 191 you would specify for the Name parameter:
'/qfpnwsstg/JF001DATA/*'
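The vary off, save, and vary on sequence from this section can be combined in one backup CL program. The following is an added example, not code from this Redpaper or from its startup program in Figure 3-3. It assumes a single Network Server Description (JFSRV012) and the tape device from Figure 8-5; the ASCVRYOFF(*NO) setting, the variable names, and the message texts are assumptions of the example.

```cl
/* Added example, not from the Redpaper: vary off, save, vary on.   */
/* Assumed: NWSD JFSRV012 and tape device TAP01 as in Figures 8-4   */
/* and 8-5. Variable names and message texts are illustrative.      */
PGM
    DCL        VAR(&NWSD)   TYPE(*CHAR) LEN(8) VALUE('JFSRV012')
    DCL        VAR(&FAILED) TYPE(*LGL)  VALUE('0')

    /* ASCVRYOFF(*NO) waits for the vary off to finish (Figure 8-4  */
    /* shows *yes). Assumed here so that SAV never starts while     */
    /* Windows is still shutting down.                              */
    VRYCFG     CFGOBJ(&NWSD) CFGTYPE(*NWS) STATUS(*OFF) ASCVRYOFF(*NO)
    MONMSG     MSGID(CPF0000) EXEC(DO)
        SNDPGMMSG  MSG('Vary off of ' *CAT &NWSD *TCAT +
                     ' failed. Nothing was saved.') TOMSGQ(*SYSOPR)
        RETURN
    ENDDO

    /* Weekly save of all storage spaces. For the daily save of the */
    /* user data partition, use the extended Name value given in    */
    /* the text instead.                                            */
    SAV        DEV('/qsys.lib/tap01.devd') OBJ(('/qfpnwsstg/*'))
    MONMSG     MSGID(CPF0000) EXEC(CHGVAR VAR(&FAILED) VALUE('1'))

    /* Bring the Windows server back even when the save failed, so  */
    /* a tape problem does not leave the server unavailable.        */
    VRYCFG     CFGOBJ(&NWSD) CFGTYPE(*NWS) STATUS(*ON)
    MONMSG     MSGID(CPF0000) EXEC(SNDPGMMSG +
                 MSG('Vary on of ' *CAT &NWSD *TCAT ' failed.') +
                 TOMSGQ(*SYSOPR))

    /* Report a failed save explicitly. The job log has the detail. */
    IF         COND(&FAILED) THEN(SNDPGMMSG +
                 MSG('SAV of /qfpnwsstg ended with errors. Check job log.') +
                 TOMSGQ(*SYSOPR))
ENDPGM
```

If the storage spaces are linked to more than one Windows server, repeat the VRYCFG steps for each Network Server Description before and after the SAV.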
8.4 Save the Windows user data on file level
To save the Windows data on a file level, the Windows server has to be up and running.
1. In Figure 8-6 we create an i5/OS user profile that is used only for backup. The same
user must also exist in the Windows environment to use for backup.
                      Create User Profile (CRTUSRPRF)
Type choices, press Enter.
User profile . . . . . . . . . .   Backup        Name
User password  . . . . . . . . .   xxxxxxxx
Set password to expired  . . . .   *NO           *NO, *YES
Status . . . . . . . . . . . . .   *ENABLED      *ENABLED, *DISABLED
User class . . . . . . . . . . .   *USER         *USER, *SYSOPR, *PGMR...
Assistance level . . . . . . . .   *SYSVAL       *SYSVAL, *BASIC, *INTERMED...
Current library  . . . . . . . .   *CRTDFT       Name, *CRTDFT
Initial program to call  . . . .   *NONE         Name, *NONE
  Library  . . . . . . . . . . .                 Name, *LIBL, *CURLIB
Initial menu . . . . . . . . . .   MAIN          Name, *SIGNOFF
  Library  . . . . . . . . . . .     *LIBL       Name, *LIBL, *CURLIB
Limit capabilities . . . . . . .   *NO           *NO, *PARTIAL, *YES
Text 'description' . . . . . . .   Userprofile for Windows Backup the QNTC
                                                                    Bottom
Figure 8-6 Create a user profile for the backup the QNTC - 1 of 2
2. From the CRTUSRPRF screen, press F10 for additional parameters (shown in Figure 8-7
on page 193) to insert the group profile for user propagation. For our example we enter
JFGRP1.
                      Create User Profile (CRTUSRPRF)
Type choices, press Enter.
                           Additional Parameters
Special authority  . . . . . . .   *ALLOBJ       *USRCLS, *NONE, *ALLOBJ...
               + for more values   *SAVSYS
Special environment  . . . . . .   *SYSVAL       *SYSVAL, *NONE, *S36
Display sign-on information  . .   *SYSVAL       *SYSVAL, *NO, *YES
Password expiration interval . .   *SYSVAL       1-366, *SYSVAL, *NOMAX
Local password management  . . .   *YES          *YES, *NO
Limit device sessions  . . . . .   *SYSVAL       *SYSVAL, *YES, *NO
Keyboard buffering . . . . . . .   *SYSVAL       *SYSVAL, *NO, *TYPEAHEAD...
Maximum allowed storage  . . . .   *NOMAX        Kilobytes, *NOMAX
Highest schedule priority  . . .   3             0-9
Job description  . . . . . . . .   QDFTJOBD      Name
  Library  . . . . . . . . . . .     *LIBL       Name, *LIBL, *CURLIB
Group profile  . . . . . . . . .   jfgrp1        Name, *NONE
                                                                    More...
Figure 8-7 Create a user profile for the backup the QNTC - 2 of 2
3. Use the i5/OS command WRKNWSENR. If the user gets the status *CURRENT, this
means that the user is active in the Windows domain.
4. Using the Microsoft Management Console as shown in Figure 8-8, we move the user
“backup” into the OU Service_account.
Figure 8-8 Move the backup user account to the proper OU
5. For each partition you want to save on a file level, create a share. We recommend you do
so only for the data partition with user data. In our example network this is drive F: on
JFSRV001 and JFSRV101. We use the share name userdata.
Important: It is necessary that the user account has NTFS rights to all folders and files
in the structure below the userdata share. To do this, we recommend FULL ACCESS
rights. Verify this in the backup job log on the iSeries at least once a week.
6. Add all Windows shares you want to use for file level backup as members to the i5/OS file
QAZLCSAVL. The QAZLCSAVL file in QUSRSYS enables you to specify the shares to be
backed up. In our example there is only one share name, userdata.
7. Run the i5/OS command ADDPFM as shown in Figure 8-9.
                     Add Physical File Member (ADDPFM)
Type choices, press Enter.
Physical file  . . . . . . . . .   qazlcsavl     Name
  Library  . . . . . . . . . . .     *LIBL       Name, *LIBL, *CURLIB
Member . . . . . . . . . . . . .   userdata      Name
Text 'description' . . . . . . .   Drive F: on JFSRV001
Figure 8-9 Add shares as members for backup to QAZLCSAVL
8. To verify the entry (userdata), run the i5/OS command EDTF as shown in Figure 8-10.
                              Edit File (EDTF)
Type choices, press Enter.
Stream file, or  . . . . . . . .
Data base file . . . . . . . . .   qazlcsavl     Name
  Library  . . . . . . . . . . .     qusrsys     Name, *LIBL, *CURLIB
Figure 8-10 Verify the entry in the file QAZLCSAVL - 1 of 2
9. In Figure 8-11, we can edit the data for the added member.
Figure 8-11 Verify the entry in the file QAZLCSAVL - 2 of 2
10. Next, verify that the iSeries NetServer is in the same Windows domain. If not, change it to
fit as shown in Figure 8-12 on page 195. Right-click and select Properties.
Tip: Our experience is that this step is not necessary. We recommend having the
iSeries NetServer in the same Windows domain.
Figure 8-12 Change the NetServer settings - 1 of 2
11. This opens the Properties window. Review the General tab domain information as shown
in Figure 8-13. If you need to change any current settings, select Next Start.
Figure 8-13 Change the NetServer settings - 2 of 3
12. Figure 8-14 shows the parameters you can change. When you are sure what values you
want, click OK.
Figure 8-14 Change the NetServer settings - 3 of 3
13. We stop and start NetServer by right-clicking iSeries NetServer and selecting Stop, then
Reset and Start.
14. Now you can run the SAV command as shown in Figure 8-15 on page 197. You must be
signed on as the backup user profile. (We discuss setting up the i5/OS backup user profile
in the text describing Figure 8-7 on page 193 and Figure 8-8 on page 193.)
Restriction: This command cannot save open files.
                             Save Object (SAV)
Type choices, press Enter.
Device . . . . . . . . . . . . . > '/qsys.lib/tap02.devd'
               + for more values
Objects:
  Name . . . . . . . . . . . . . > '/qntc/jfsrv001/userdata/*'
  Include or omit  . . . . . . .   *INCLUDE      *INCLUDE, *OMIT
               + for more values
Name pattern:
  Pattern  . . . . . . . . . . .   '*'
  Include or omit  . . . . . . .   *INCLUDE      *INCLUDE, *OMIT
               + for more values
Directory subtree  . . . . . . .   *ALL          *ALL, *DIR, *NONE, *OBJ, *STG
Save active  . . . . . . . . . .   *NO           *NO, *YES, *SYNC
                                                                    More...
Figure 8-15 Save the user data on file level
Attention: You have to verify the job log on the iSeries to determine the result of the save
operation. If there are entries with missing access rights to folders or files, add the NTFS
rights to the backup user in Windows.
This command runs much longer than the save of the Network Server Storage spaces in 8.3,
“Back up the Network Server Storage spaces” on page 191.
We describe both this file-level technique and the non-file level technique in the next section
to help you identify where you should consider using either or both, based on your specific
network environment requirements.
8.5 Back up and restore without file-level backup
In this section, we describe a significant advantage when you have consolidated a Windows
server on iSeries systems.
This advantage is to restore the whole Network Server Storage space, which includes a quick
way to recover the user data to a different folder and link it to a different Windows server.
Then, you can restore the necessary files just with the copy command.
To do this:
1. Create the folder for the restore to a different location once. Use these i5/OS commands in
the following order:
– CD QFPNWSSTG
– MD JF001REST (folder name for our example)
We are ready to restore the Network Server Storage space in the JF001REST folder. Use
the RST command, as shown in Figure 8-16 on page 198.
                            Restore Object (RST)
Type choices, press Enter.
Device . . . . . . . . . . . . . > '/qsys.lib/tap01.devd'
               + for more values
Objects:
  Name . . . . . . . . . . . . . > '/qfpnwsstg/jf001data/*'
  Include or omit  . . . . . . . > *INCLUDE      *INCLUDE, *OMIT
  New object name  . . . . . . . > '/qfpnwsstg/JF001REST'
               + for more values
Name pattern:
  Pattern  . . . . . . . . . . .   '*'
  Include or omit  . . . . . . .   *INCLUDE      *INCLUDE, *OMIT
               + for more values
                                                                    More...
Figure 8-16 Restore command to another directory
2. Add a link to the *NWSD. In some cases we may need to shut down the server during this
procedure. We use the ADDNWSSTGL command, as shown in Figure 8-17.
Important: When using a Windows 2003 Server, you must link the drive to a different
Windows server than the one it came from. If you do not do this, the drive will come up
with duplicate SIDs and Windows will not let you access the drive.
                    Add Server Storage Link (ADDNWSSTGL)
Type choices, press Enter.
Network server storage space . . > JF001REST     Name
Network server description . . . > JFSRV002      Name
Dynamic storage link . . . . . . > *YES          *NO, *YES
Access . . . . . . . . . . . . .   *UPDATE       *UPDATE, *READ, *SHRUPD
Drive sequence number  . . . . .   *CALC         1-64, *CALC, *QR
                                                                    Bottom
Figure 8-17 Add the Network Server Storage space dynamically to JFSRV002
3. Add a drive letter for this new Windows drive. For this we use Microsoft Computer
Management, as shown in Figure 8-18.
Figure 8-18 Adding a drive letter - 1 of 2
4. We assign the drive letter “G” as shown in Figure 8-19 and click OK.
Figure 8-19 Adding a drive letter - 2 of 2
5. Now, the drive is available and you can recover the missing files to the normal file server
(JFSRV002) with a simple copy. Use a copy command that includes the file’s permissions.
After you have restored all necessary files, you can remove the Network Server Storage
Space link.
Attention: To remove the Network Server Storage space link, you must vary off the
Windows server.
If both of the following conditions are satisfied, you can unlink the drive dynamically without
varying off (shutting down) the server:
• You are on i5/OS V5R3 with a cumulative PTF package dated on or after June 2005, or on
a later i5/OS release.
• The drive is not part of a volume set.
Tip: You do not have to remove this Network Server Storage space. We recommend
running the RST command from Figure 8-16 on page 198 every night after the SAV
command is finished. This means that the previous day's user data is available online
every day.
Related publications
The publications listed in this section are considered particularly suitable for a more detailed
discussion of the topics covered in this Redpaper.
IBM Redbooks
For information about ordering these publications, see “How to get IBM Redbooks” on
page 202. Some of the documents referenced here may be available in softcopy only.
• Deploying Citrix MetaFrame on IBM eServer BladeCenter using FAStT Storage, REDP-3583
• IBM eServer iSeries Security Guide: IBM i5/OS Version 5 Release 3, SG24-6668
• Implementing Linux on Integrated xSeries Solutions for iSeries, SG24-6379
• Microsoft Windows Server 2003 Integration with iSeries, SG24-6959
Other publications
These publications, which are available from the iSeries Information Center Web site, are also
relevant as further information sources:
• IBM eServer iSeries Security Reference, Version 5, SC41-5302-07
• IBM eServer iSeries Tips and Tools for Securing Your iSeries, SC41-5300-07
Online resources
These Web sites and URLs are also relevant as further information sources:
• iSeries Information Center
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp
Two important links are Networking and Security for detailed topics relevant to this
Redpaper. For example, Networking → Windows environment on iSeries
• iSeries high availability topics
http://www.ibm.com/eserver/iseries/ha
• iSeries performance-related topics
http://www.ibm.com/eserver/iseries/perfmgmt
• iSeries integration with xSeries systems
http://www.ibm.com/eserver/iseries/integratedxseries
• Symantec Corporation (security and virus protection products)
http://www.symantec.com/
• Bytware, Inc. (iSeries security and virus protection products)
http://www.bytware.com
• Raz-Lee Security Ltd. (iSeries security and virus protection products)
http://www.razlee.com
• Stonesoft Corporation (firewall solutions)
http://www.stonesoft.com/
• Microsoft SQL Server 2000 pricing and licensing
http://www.microsoft.com/sql/howtobuy/sqlserverlicensing.asp
• Citrix products and licensing
http://www.citrix.com/
• Integrated IBM eServer xSeries performance benchmark for Citrix Access Suite
http://www.ibm.com/servers/eserver/iseries/integratedxseries/pdf/citrixbenchmark.pdf
How to get IBM Redbooks
You can search for, view, or download Redbooks, Redpapers, Hints and Tips, draft
publications and Additional materials, as well as order hardcopy Redbooks or CD-ROMs, at
this Web site:
ibm.com/redbooks
Help from IBM
IBM Support and downloads
ibm.com/support
IBM Global Services
ibm.com/services
There are proven advantages of running Microsoft Windows
Terminal Services and Citrix applications on IBM iSeries IXS
(xSeries server on a card under the iSeries hardware enclosure)
and IXA (xSeries server externally attached to the iSeries via
external iSeries system cabling). Base documentation already
exists in the iSeries Information Center and related IBM Redbooks
about iSeries and Windows integration. The objective of this
Redpaper is to make it easier to get such a network up and
running. This paper is intended for iSeries-trained personnel who
are responsible for getting a Windows applications-serving
environment, managed by Citrix applications, up and
running—and taking advantage of iSeries integration facilities.
We give specific examples using a sample network with an
iSeries system and multiple integrated xSeries servers using
Windows Terminal Services, Citrix applications, and
Windows-based applications.
We build primarily on the contents of the redbook Microsoft
Windows Server 2003 Integration with iSeries, SG24-6959,
extending the environment to Windows application serving.
This Redpaper cannot make an iSeries-trained administrator
self-sufficient in setting up such a network that uses iSeries
integration advantages. It does, however, facilitate getting such a
network up and running with the help of appropriate Windows
and Citrix trained personnel.