The QAS400NT user
You need to set up the QAS400NT user in order to successfully enroll an i5/OS™ user or group profile on a domain or local server in the following cases:
- You are enrolling on a domain through a member server.
- You are enrolling on a local server using a template which specifies a home directory path (as discussed in the section Specify a home directory in a template).
- You are enrolling on a domain through an i5/OS partition which contains both domain controllers and member servers on the same domain.
You do not need to set up the QAS400NT user in order to successfully enroll an i5/OS user or group profile on a domain or local server in the following cases:
- You are enrolling on a domain through an i5/OS partition which contains a domain controller but no member servers on the same domain.
- You are enrolling on a local server (or locally on a member server) using a template which does not specify a home directory path.
If you need to set up the QAS400NT user, follow these steps:
- Create the QAS400NT user profile on i5/OS with User class *USER. Take note of the password because you need it in the next step. Make sure that the password complies with the rules for Windows passwords if you are enrolling on a domain.
See Password considerations.
- Create the QAS400NT user account on the Windows console of the integrated Windows server you are enrolling through. Note that the i5/OS user profile password and Windows user account password must be the same for the QAS400NT user.
- Setting up QAS400NT on a domain controller
On the domain controller of the domain you are setting up enrollment for, create the QAS400NT user account as follows:
- From the integrated server console
- In Windows 2000 Server click Start -> Programs -> Administrative Tools -> Computer Management -> Local Users and Groups.
- In Windows Server 2003 click Start -> Programs -> Administrative Tools -> Computer Management -> System Tools -> Local Users and Groups.
- Select System Tools -> Local Users and Groups.
- Right-click the Users folder (or the folder that the user belongs to), and select New -> User...
- Enter the following settings:
Full name: qas400nt
User logon name: qas400nt
- Click Next. Enter the following settings:
Password: (the same password as you used for QAS400NT on i5/OS)
Deselect: User must change password at next logon
Select: User cannot change password
Select: Password never expires
- Click Next, then Finish.
- Right-click the QAS400NT user icon and select Properties.
- Click the Member Of tab and then Add.
- Enter Domain Admins in the box and click OK, then OK again. This gives the QAS400NT user account sufficient rights to create users.
- Setting up QAS400NT on a local server
On the local server (or member server if you are enrolling locally) you are setting up enrollment for, create the QAS400NT user account as follows:
- From the integrated server console
- In Windows 2000 Server click Start -> Programs -> Administrative Tools -> Computer Management -> Local Users and Groups.
- In Windows Server 2003 click Start -> Programs -> Administrative Tools -> Computer Management -> System Tools -> Local Users and Groups.
- Right-click the Users folder, and select New User...
- Enter the following settings:
User name: qas400nt
Full name: qas400nt
Password: (the same password as you used for QAS400NT on i5/OS)
Deselect: User must change password at next logon
Select: User cannot change password
Select: Password never expires
- Click Create, then Close.
- Right-click the QAS400NT user icon and select Properties.
- Click the Member Of tab and then Add.
- Enter Administrators in the box and click OK, then OK again. This gives the QAS400NT user account rights to the User Administration Service.
- Enroll the i5/OS QAS400NT user profile on the domain or local server using iSeries™ Navigator or the CHGNWSUSRA command. Refer to Enroll a single i5/OS user to the Windows environment using iSeries Navigator for a description of how to do this. Do not try to use a template when enrolling QAS400NT.
- Use iSeries Navigator or the WRKNWSENR command to confirm that QAS400NT has been successfully enrolled. You may now enroll i5/OS user profiles through domain controllers or member servers on the domain.
Notes:
- You may change the QAS400NT password from i5/OS since it is now an enrolled user.
- If there are multiple integrated servers that belong to different domains on a single i5/OS partition, set up QAS400NT for each domain. All QAS400NT user accounts must have the same password as the i5/OS user profile. Alternatively, consider using Active Directory or trust relationships between domains, and enroll users on only a single domain.
- If you have multiple i5/OS partitions and multiple integrated servers, QAS400NT passwords on different i5/OS partitions can be different as long as each domain does not contain integrated servers on more than one i5/OS partition. The rule is that all i5/OS QAS400NT user profiles and corresponding Windows user accounts must have the same password for a single domain.
- Be sure not to delete the QAS400NT user profile on i5/OS, or let the password expire. To minimize the risk of the QAS400NT password expiring on one of multiple i5/OS partitions on the same Windows domain, it is recommended that you allow only one i5/OS partition to propagate changes to the QAS400NT user profile. Refer to Preventing enrollment and propagation to an integrated Windows server, for a description of how to do this.
- If you have multiple i5/OS partitions, each with an integrated Windows server on the same domain, failing to keep the QAS400NT password synchronized across all i5/OS partitions can cause enrollment problems. To minimize this problem, it is recommended that you limit propagation of changes to the QAS400NT password to just one i5/OS partition, but still allow other partitions to keep sufficient authority to enroll users. Then, failure to change a password on one of the other partitions prevents user enrollment from that partition only. Refer to Preventing enrollment and propagation to an integrated Windows server, for a description of how to do this.
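The password rule in the notes above can be checked against an inventory before QAS400NT is set up. The following Python sketch is an added example, not part of the original documentation; the partition, server and domain names are constructed, and the function names are hypothetical. It goes slightly beyond the text by following the rule transitively: a partition that serves two domains ties the passwords of every other partition in either domain together.

```python
from collections import defaultdict

# Constructed sample inventory: (i5/OS partition, integrated server, Windows domain).
# All names are hypothetical.
SAMPLE_INVENTORY = [
    ("PARTA", "NWS1", "SALES"),
    ("PARTA", "NWS2", "ENG"),
    ("PARTB", "NWS3", "ENG"),
    ("PARTC", "NWS4", "HR"),
]


def password_groups(inventory):
    """Group partitions whose QAS400NT profiles must share one password.

    Partitions are linked when they host integrated servers in the same
    domain; links are transitive because each partition has one QAS400NT
    profile that must match the account in every domain it serves.
    """
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for partition, _server, domain in inventory:
        parent[find(("P", partition))] = find(("D", domain))

    groups = defaultdict(lambda: {"partitions": set(), "domains": set()})
    for kind, name in list(parent):
        root = find((kind, name))
        groups[root]["partitions" if kind == "P" else "domains"].add(name)
    return sorted(
        (sorted(g["partitions"]), sorted(g["domains"])) for g in groups.values()
    )


def needs_single_propagator(inventory):
    """Domains served by more than one partition, where the notes recommend
    letting only one partition propagate QAS400NT changes."""
    by_domain = defaultdict(set)
    for partition, _server, domain in inventory:
        by_domain[domain].add(partition)
    return {d: sorted(p) for d, p in by_domain.items() if len(p) > 1}
```

In the sample, PARTA and PARTB must share one QAS400NT password across both SALES and ENG, while PARTC can use a different one.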