Clarification regarding the status of Identity Management for Unix (IDMU) & NIS Server Role in Windows Server 2016 Technical Preview and beyond

Note: The original blog article has been updated to address a number of questions we received and to further clarify what has been removed and what remains. Because the Active Directory Documentation Blog was retired in October 2015, the comments have been removed. Please post your questions and comments in the Directory Services TechNet Forum.

With Windows Server 2012 R2, Microsoft announced the deprecation of the Identity Management for Unix (IDMU) and NIS Server role, which is no longer included starting with Windows Server 2016 Technical Preview. This has been documented in a couple of places:

In this blog article we go into further detail and answer questions about what this means for you if you are migrating or upgrading to Windows Server 2016 and use Identity Management for Unix/NIS Server with Windows Server today.

Why did Microsoft remove IDMU/NIS Server role from Windows Server?

After carefully reviewing the feature's usage, industry trends, the availability of native Active Directory options on Linux/Unix, and the security concerns with NIS in general, the decision was made to remove the functionality from Windows Server. We announced the deprecation during the development of Windows Server 2012 R2 and have removed it from Windows Server 2016.

What IDMU/NIS Server components are removed from Windows Server 2016?

IDMU/NIS Server has been removed. Specifically, the following components are no longer included with Windows Server 2016:

- Network Information Service (NIS) Windows Server role

- The Unix Attributes plug-in for the Active Directory Users and Computers Management Console (MMC) snap-in

Note: RFC2307 attributes (e.g. GID/UID etc.) in Active Directory continue to exist. See below for further details.

I am using Windows Server IDMU/NIS Server role today, what should I do?

We recommend that you start planning for alternatives, for example native LDAP, the Samba client, Kerberos, or other non-Microsoft options. Existing Windows Server 2012 R2 or earlier deployments will continue to be supported in accordance with the Microsoft Support Lifecycle.

What happens when I have the NIS Server Role installed and try to upgrade to Windows Server 2016?

If you try to upgrade to Windows Server 2016 from a Windows Server installation that runs any of the Identity Management for Unix (IDMU) components, the upgrade will stop and you will be prompted to remove the IDMU components, as explained in “Installing or removing Identity Management for UNIX by using a command line”.

Can I continue to use the GID/UID (RFC 2307) attributes I am using today with Active Directory after I upgrade to Windows Server 2016?

Active Directory does not remove the populated UID/GID Active Directory attributes during the upgrade to Windows Server 2016 from Windows Server 2012 R2. The attributes will remain part of your Active Directory setup. These attributes were introduced as part of RFC 2307 support that was added in Windows Server 2003 R2.  

For example, you may require the RFC 2307 attributes in combination with the Network File System (NFS) Server role (which does not require the NIS Server role to be installed on Windows Server) to map identities.

How do I continue to edit the GID/UID RFC 2307 attributes now that the Unix Attributes Plug-in is no longer available for the Active Directory Users and Computers MMC snap-in?

There are several ways to continue to administer the attributes:

1. Active Directory Users and Computers MMC snap-in

    1. Open Active Directory Users and Computers.
    2. From the View menu, select Advanced Features.
    3. Open the properties of a User, Group or Computer object.
    4. On the Attribute Editor tab, edit the following attributes:
        1. uidNumber
        2. gidNumber
        3. loginShell
        4. unixHomeDirectory
        5. memberUid
        6. ipHostNumber

2. Active Directory Administrative Center

    1. Open Active Directory Administrative Center.
    2. Navigate to a User, Group or Computer object.
    3. Navigate to Extensions.
    4. On the Attribute Editor tab, edit the following attributes:
        1. uidNumber
        2. gidNumber
        3. loginShell
        4. unixHomeDirectory
        5. memberUid
        6. ipHostNumber

3. Scripts (preferred method for bulk operations and automation)

- Using the Active Directory PowerShell cmdlets. Below is sample code to query and configure the various attributes:

    Import-Module ActiveDirectory

    # Query the Unix properties of a user object
    $username = "guest"
    Get-ADUser $username -Properties * |
        Select-Object SamAccountName, msSFU30NisDomain, uidNumber, unixHomeDirectory, loginShell, gidnumber,
            @{Label='PrimaryGroupDN'; Expression={
                # Copy $_ into a named variable first: $_ is not expanded inside an AD -Filter block
                $gid = $_.gidnumber
                (Get-ADGroup -Filter "gidNumber -eq $gid").SamAccountName }}

    # Query the Unix properties of a group object (Members = users whose primary GID matches)
    $groupname = "Unix Sample Group"
    Get-ADGroup $groupname -Properties * |
        Select-Object SamAccountName, msSFU30NisDomain, gidnumber,
            @{Label='Members'; Expression={
                $gid = $_.gidnumber
                (Get-ADUser -Filter "gidNumber -eq $gid").SamAccountName }}

    # Query the Unix properties of a computer object
    $computername = "server123"
    Get-ADComputer $computername -Properties * |
        Select-Object SamAccountName, msSFU30NisDomain, ipHostNumber, msSFU30Aliases

    # Set unixHomeDirectory on a user (replace this with any of the attributes you'd like to set)
    $username = "guest"
    Set-ADUser $username -Replace @{unixHomeDirectory="/usr/sbin/guest"}


- Sample output from the sample code above:

    SamAccountName    : Guest
    msSFU30NisDomain  : woodgrove
    uidNumber         : 10001
    unixHomeDirectory : /usr/sbin/guest
    loginShell        : /bin/sh
    gidnumber         : 10001
    PrimaryGroupDN    : Unix Sample Group

    SamAccountName   : Unix Sample Group
    msSFU30NisDomain : woodgrove
    gidnumber        : 10001
    Members          : {Administrator, Guest}

    SamAccountName   : Server123
    msSFU30NisDomain : woodgrove
    ipHostNumber     : {10.2.2.2}
    msSFU30Aliases   : {bla, unixtestclient}


- Using the NFS PowerShell cmdlet Set-NfsMappedIdentity: see the Set-NfsMappedIdentity reference page for more information.

- Using VBScript: a TechNet blog article from a while back has additional detail on configuring and populating the attributes in Active Directory: https://blogs.technet.com/b/dsix/archive/2009/04/16/integrating-unix-client-in-active-directory-using-ldap-part-i.aspx

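A bulk-operation script of the kind the Scripts section above points to, added here as an example (it is not code from the original article): it audits uidNumber/gidNumber collisions across the domain, and when populating a user it assigns the next free uidNumber, which the removed Unix Attributes tab used to do for you. The function names, the 'woodgrove' NIS domain default and the 10000 starting UID are assumptions.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module is available and the caller may write the RFC 2307 attributes.
Import-Module ActiveDirectory

# Report uidNumber values shared by several users and gidNumber values shared by
# several groups. A collision maps different principals to one POSIX identity on
# NFS and Linux clients, so resolve these before assigning new values.
function Get-DuplicateUnixId {
    $users  = Get-ADUser  -LDAPFilter '(uidNumber=*)' -Properties uidNumber
    $groups = Get-ADGroup -LDAPFilter '(gidNumber=*)' -Properties gidNumber
    $dups = @()
    $dups += $users  | Group-Object uidNumber | Where-Object Count -gt 1 |
        ForEach-Object { [pscustomobject]@{ Attribute='uidNumber'; Value=$_.Name; Objects=$_.Group.SamAccountName -join ', ' } }
    $dups += $groups | Group-Object gidNumber | Where-Object Count -gt 1 |
        ForEach-Object { [pscustomobject]@{ Attribute='gidNumber'; Value=$_.Name; Objects=$_.Group.SamAccountName -join ', ' } }
    return $dups
}

# Set uidNumber, gidNumber, loginShell, unixHomeDirectory and msSFU30NisDomain on
# one user. Without -UidNumber, the next value above the highest uidNumber in use
# (and not below -MinUid) is taken; an explicit -UidNumber is refused if taken.
function Set-UnixUserAttributes {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][int]$GidNumber,
        [int]$UidNumber,
        [int]$MinUid        = 10000,         # assumed start of the UID range
        [string]$NisDomain  = 'woodgrove',   # placeholder NIS domain name
        [string]$LoginShell = '/bin/bash',
        [string]$HomeRoot   = '/home'
    )
    # The primary group must already carry the gidNumber we are pointing at.
    if (-not (Get-ADGroup -LDAPFilter "(gidNumber=$GidNumber)")) {
        throw "No group has gidNumber $GidNumber"
    }
    if (-not $PSBoundParameters.ContainsKey('UidNumber')) {
        $highest = Get-ADUser -LDAPFilter '(uidNumber=*)' -Properties uidNumber |
            ForEach-Object { [int]$_.uidNumber } | Sort-Object -Descending | Select-Object -First 1
        $UidNumber = [Math]::Max($MinUid, [int]$highest + 1)
    } elseif (Get-ADUser -LDAPFilter "(uidNumber=$UidNumber)") {
        throw "uidNumber $UidNumber is already assigned to another user"
    }
    Set-ADUser $SamAccountName -Replace @{
        uidNumber = $UidNumber; gidNumber = $GidNumber; loginShell = $LoginShell
        unixHomeDirectory = "$HomeRoot/$SamAccountName"; msSFU30NisDomain = $NisDomain
    }
    Get-ADUser $SamAccountName -Properties uidNumber,gidNumber,loginShell,unixHomeDirectory,msSFU30NisDomain
}
```

Run Get-DuplicateUnixId first; Set-UnixUserAttributes -SamAccountName guest -GidNumber 10001 then populates the sample user from the article against the group shown in the sample output.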
What Active Directory Attributes did the Unix Attribute tabs expose in the Active Directory Users and Computers MMC snap-in prior to Windows Server 2016?

The following Active Directory attributes were configurable from the Unix Attributes tabs in Active Directory Users and Computers prior to Windows Server 2016. The table is provided as a reference; with Windows Server 2016, all of these attributes can be modified using the methods described earlier in this blog article:

| Dialog name | AD attribute | RFC 2307 attribute | Example | User object | Group object | Computer object |
|---|---|---|---|---|---|---|
| UID | uidNumber | X | 1000 | X | | |
| Login Shell | loginShell | X | /bin/bash | X | | |
| Home Directory | unixHomeDirectory | X | /home/username | X | | |
| Primary Group name/GID | gidNumber | X | 10002 | X | X | |
| Members | memberUid | X | Administrator | | X | |
| iphostnumber | ipHostNumber | X | 10.2.2.2 | | | X |
| NIS Domain | msSFU30NisDomain | | “example” | X | X | X |
| Members | msSFU30PosixMember | | CN=Group,CN=Schema,CN=Configuration,DC=Woodgrove,DC=Local | | X | |
| Name | msSFU30Name | | “Server123” or “Administrator” or “unix group” | X | X | X |
| Computer Aliases | msSFU30Aliases | | Alias1; alias2 | | | X |

Thank you for reading this article!

Note: Questions and comments are welcome. However, please DO NOT post a request for troubleshooting by using the comment tool at the end of this post. Instead, post a new thread in the Directory Services Technet forum. Thank you!