WIXLIB

Conventions used in this guideChapter 2, “Configuring the basic evaluation environment,” providesstep-by-step instructions for setting up the evaluation environment.Chapter 3, “Exploring additional management tools,” describes thefeatures of Centrify software that reduce complexity and ease theworkload in large organizations.Chapter 4, “Auditing sessions,” describes how you can audit useractivity and search and replay user sessions.Chapter 5, “Frequently asked questions,” provides answers to themost common questions about Centrify products and features.Chapter 6, “Removing software after an evaluation,” describes howto optionally uninstall Centrify software.To complete your evaluation, be sure to review the Evaluation Checklistspreadsheet. The Evaluation Checklist provides a summary of thefeatures that enable you to centrally manage the computers and usersin a complex environment. With the spreadsheet, you can rate andscore features to quantify your evaluation.Conventions used in this guideThe following conventions are used in this guide: Fixed-width font is used for sample code, program names oroutput, file names, and commands that you type at the commandline. When italicized, the fixed-width font is used to indicatevariables.Bold text is used to emphasize commands, buttons, or userinterface text, and to introduce new terms.Italics are used for book titles and to emphasize specific words.Finding more informationCentrify provides extensive documentation targeted for specificaudiences, functional roles, or topics of interest. If you want to learnmore about Centrify and Centrify products and features, start byvisiting the Centrify website. From the Centrify website, you candownload data sheets and evaluation software, view videoAbout this guide7

Contacting Centrifydemonstrations and technical presentations about Centrify products,and get the latest news about upcoming events and webinars.For access to documentation for all Centrify products and services, visitthe Centrify documentation portal. From the Centrify documentationportal, you can always view or download the most up-to-date versionof this guide and all other product documentation.To get to the documentation portal, go to docs.centrify.com or tacting CentrifyYou can contact Centrify by visiting our website, www.centrify.com. Onthe website, you can find information about Centrify office locationsworldwide, email and phone numbers for contacting Centrify sales,and links for following Centrify on social media. If you have questionsor comments, we look forward to hearing from you.Getting additional supportIf you have a Centrify account, click Support on the Centrify website tolog on and access the Centrify Technical Support Portal. From thesupport portal, you can to search knowledge base articles, open andview support cases, download software, and access other resources.To connect with other Centrify users, ask questions, or shareinformation, visit the Centrify Community website to check in oncustomer forums, read the latest blog posts, view how-to videos, orexchange ideas with members of the community.Evaluation Guide for Linux and UNIX8

Chapter 1Preparing hardware and software for anevaluationThis chapter describes the hardware and software you need to preparefor the evaluation of Centrify software. It includes instructions fordownloading Centrify software from the Centrify website if you do nothave the CD and the permissions required to install and configure theevaluation environment.What you need for the evaluationTo follow the instructions in this guide, you need a simpleconfiguration of networked Windows domain computer, WindowsServer domain controller, and a Linux, UNIX, or Mac OS X computer tomanage as illustrated in the following example.To complete this evaluation, you install Centrify software on twophysical or virtual computers: DirectManage Access and Audit components on a Windowscomputer joined to an Active Directory domain.Centrify UNIX agent on a supported Linux-based or UNIX-basedplatform that you want to manage.In most organizations, Centrify software is not installed on the domaincontroller. However, you must be able to connect to a domaincontroller from the other two computers to complete the evaluation.9

What you need for the evaluationWindows computer requirementsYou use the Windows computer where DirectManage Access Manageris installed to perform most of the procedures described in this guide.Before installing on Windows, check that you have a supported versionof one of the Windows operating system product families. Forexample, you can use Windows 7 or later, or Windows 8 or 8.1 forDirectManage components. Alternatively, you can install componentson computers in the Windows Server product family—such asWindows Server 2008 or 2008 R2, or Windows Server 2012 or 2012R2—so that your administrative computer can be configured withadditional server roles.For more detailed information about supported platforms for specificcomponents, see the Resources section on the Centrify website.http://www.centrify.com/resourcesYou should also verify that you have the .NET Framework, version 4.5or later, installed. If the .NET Framework is not installed, the setupprogram can install it for you. Alternatively, you can download the .NETFramework from the Microsoft Download Center, if needed.The Windows computer should have the following minimum hardwareconfiguration:ComponentMinimum requirementCPU speed550 MHZRAM256 MBDisk space1.5 GBYou should also verify that the Windows computer you plan to use forthe evaluation is joined to the Active Directory domain.Note If you are installing the software on virtual computers, see “Usinga virtual environment” on page 13 for additional guidelines.Evaluation Guide for Linux and UNIX10

What you need for the evaluationLinux and UNIX computer requirementsA platform-specific Centrify agent must be installed on each computeryou want to manage through Active Directory. Centrify supportsseveral hundred distributions of popular operating systems, includingAIX, HP-UX, and Solaris versions of the UNIX operating environmentand both commercial and open source versions of the Linux operatingsystem. For the most complete and most up-to-date list of supportedoperating systems and vendors, see the supported platforms listed onthe Centrify website.You can download platform-specific agent packages from the CentrifyCustomer Download Center if you register for a free centrify.comaccount. You can also download agents for free from the CentrifyExpress website.The UNIX or Linux computer must be connected to the same networkas the domain controller.Domain controller requirementsFor the Active Directory domain controller, you should verify that youhave access to a computer with a supported version of theWindows Server product family—such as Windows Server 2008 orWindows Server 2012—and is configured with the domain controllerand DNS server roles.In addition, you should verify that the domain functional level is at leastWindows Server 2003.To determine the domain functional level:1Open Active Directory Users and Computers (dsa.msc).2Select the domain.3Select Action, then click Raise domain functional level.If the current domain functional level is not at least Window Server2003, use the drop down list to raise the level.Chapter 1 Preparing hardware and software for an evaluation11

Verify administrative access for the evaluationVerify administrative access for the evaluationTo prepare for the evaluation, you should confirm that you have thelocal Administrator account and password for the root domain of theActive Directory forest. The forest root Administrator account is theaccount created when you install the first Windows Server in a newActive Directory site.If you set up a separate Active Directory domain for testing purposes,you should have this account information. If you are using an existingActive Directory forest that was not expressly created for theevaluation, you should identify the forest root domain and confirmthat you have an account that is a member of the Domain Adminsgroup on the Windows computer you use for the DirectManage AccessManager console. This ensures that you have all the permissions youneed to perform the procedures in this evaluation.If you are not a member of the Domain Admins group on the Windowscomputer you use for the DirectManage Access Manager console, havethe Active Directory administrator create a separate organizational unitfor Centrify objects and delegate control of that organizational unit tothe user account you are using the for evaluation. For moreinformation about delegating control, see “Delegate control for theCentrify organizational unit” on page 19.You should also verify that Administrative Tools are visible in the Startmenu on the Windows computer you are using for the evaluation. Ifthe Administrative Tools option is not displayed, download and installthe Microsoft Remote Server Administrator Tools from the Microsoftwebsite. For download and installation instructions, see px?id 7887.Checking the DNS environmentDirectManage and the Centrify agent are designed to perform thesame set of DNS lookups that a typical Windows computer performs inorder to find the nearest domain controller for the local site. Forexample, the Centrify UNIX agent looks for service locator (SRV)records in the DNS server to find the appropriate controller for thedomain it has joined.Evaluation Guide for Linux and UNIX12

Using a virtual environmentIn most cases, when you configure the DNS Server role on a Windowscomputer, you configure it to allow dynamic updates for ActiveDirectory services. This ensures that the SRV records published when adomain controller comes online are available in DNS. If your DNSServer is configured to prevent dynamic updates, however, or if youare not using the Window computer as the DNS server, the CentrifyUNIX agent might not be able to locate the domain controller.Do the following to ensure the UNIX computer can look up the SRVrecords in the DNS server for the evaluation environment: Configure the DNS Server role on the Windows computer to Allowsecure dynamic updates.Make sure that each UNIX or Linux computer you are usingincludes the Windows DNS server as a nameserver in the /etc/resolv.conf file.When you configure the DNS Server, you should configure it toperform both forward and reverse lookups and to allow securedynamic updates.Using a virtual environmentTo simplify the hardware requirements, you might find it useful to setup your evaluation environment using either Microsoft Virtual PC orVMware Workstation. To set up a virtual environment, you need acomputer with enough CPU, RAM, and available disk space to run threevirtual machines simultaneously. Centrify recommends the followingminimum configuration: CPU: at least 1.70 GHz RAM: at least 8 GB Available disk space: 15 GBThe virtual environment should also be configured to run as anisolated evaluation environment using Local/Host-only or Shared/NAT networking.In addition, because the virtual environment runs as an isolatednetwork, each virtual machine should be manually assigned its ownstatic TCP/IP address and host name.Chapter 1 Preparing hardware and software for an evaluation13

Downloading Centrify softwareDownloading Centrify softwareIf you do not have the physical media for Centrify software, you candownload all of the files you need for the evaluation from the Centrifywebsite.Downloading Centrify Server SuiteYou can download all of the components for Centrify Server SuiteEnterprise Edition from the Centrify website to your Windowscomputer. Before you begin, be sure you have the email address andpassword you used to register for the evaluation.To download Enterprise Edition1Open a browser on the Windows computer you plan to use for theevaluation.2Click the Support tab and select the Centrify Customer SupportPortal link.3Type your email address for user name and your account password,then click Login.4Click Customer Download Center, then click Centrify Server Suite.5Select the product bundle for Windows computers.6Click Download ISO or Download ZIP and open or save the file todownload the file.7Close the window when the download is complete.Downloading Centrify Linux and UNIX agentsIf you do not have the physical media for Centrify platform-specificagents, you can download individual platform-specific packagesdirectly from the Centrify website to a local Linux or UNIX computer oruse DirectManage Deployment Manager to download the agentpackages to a Windows computer, then deploy agents from thatcentral Windows location to remote Linux and UNIX computers. If youEvaluation Guide for Linux and UNIX14

Verifying you have Active Directory permissionsare using DirectManage Deployment Manager, you can skip thissection.To download platform-specific agent packages1Open a browser on the Linux or UNIX computer you plan to use forthe evaluation.2Click the Support tab and select the Centrify Customer SupportPortal link.3Type your email address for user name and your account password,then click Login.4Click Customer Download Center and locate UNIX/Linux/MacAgents under Centrify Server Suite.5Select either the All Agents Disk or One at a Time link.If you select One at a Time, you can scroll through and select fromthe list of platforms to view the packages available for eachoperating system version. You can then select the specific packagesto download.6At a minimum, select Centrify Agent Installer for the Linux or UNIXcomputers you want to include in the evaluation.7If necessary, copy the downloaded files to the Linux or UNIXcomputer.Verifying you have Active Directory permissionsMany of the procedures in this guide add or modify Active Directoryuser, group, and computer accounts. You should verify you have theappropriate Active Directory permissions to make these kinds ofchanges in the evaluation environment. If you are not an ActiveDirectory administrator or a domain administrator, you might not haveaccess to the domain controller or sufficient permission to modifyActive Directory objects and attributes.To conduct the evaluation, have an Active Directory administratorcreate an organizational unit for you to use and delegate full control ofthe organizational unit to you. For more information about creating anorganizational unit and delegating control, see the following topics:Chapter 1 Preparing hardware and software for an evaluation15

Next steps “Create an organizational unit for Centrify” on page 17 “Delegate control for the Centrify organizational unit” on page 19In addition to the organizational unit for Centrify objects, you need tohave Log on as a service user access rights to start the ZoneProvisioning Agent included in the package.To confirm that your account has “Log on as a service” access rights1Open the Windows Administrative Tools Local Security Policy.2Expand the Local Policies node and select User Rights Assignments.3Scroll down to Log on as a service and double-click to displayproperties for this right.4Click Add User or Group.5Type the user or group name or click Browse to search for andselect your account, then click OK to add this right to your accountin the Local Security Setting.Next stepsThis concludes the site preparation, Centrify software download, andpermissions assessment. You are now ready to install the software andcreate the fundamental elements of the evaluation environment.Evaluation Guide for Linux and UNIX16

Chapter 2Configuring the basic evaluationenvironmentIn this chapter, you install Centrify software on your evaluationcomputers and configure users, groups, roles, and group policies tointegrate the UNIX environment into Active Directory. After youcomplete these steps, your UNIX or Linux computer will be aCentrify-managed computer that is joined to the Active Directorydomain, allowing UNIX users to log in using their Active Directorycredentials.To configure a basic evaluation environment, you will complete thefollowing tasks: Create an organizational unit for Centrify Delegate control for the Centrify organizational unit Install and configure DirectManage Access Install Centrify UNIX agent Add and provision an evaluation user and group Create a UNIX administrator role Create child zones and service administrator role Deploy group policies to UNIX computersYou should perform these tasks in the order listed.Create an organizational unit for CentrifyTo isolate the evaluation environment from other objects in ActiveDirectory, you can create a separate organizational unit for all of theCentrify-specific objects that are created and managed throughout theevaluation. You must be the Active Directory administrator or haveDomain Admins privileges to perform this task.To create an organizational unit for Centrify1Open Active Directory Users and Computers and select the domain.17

Create an organizational unit for Centrify2Right-click and select New Organizational Unit.3Deselect Protect container from accidental deletion.4Type the name for the organizational unit, for example, Centrify,then click OK.Create additional organizational unitsAdditional organizational units are not required for an evaluation. In aproduction environment, however, you might create several additionalcontainers to control ownership and permissions for specific types ofCentrify objects. For example, you might create separateorganizational units for UNIX Computers and UNIX Groups. Toillustrate the procedure, the following steps create an organizationalunit for the Active Directory groups that will be used in the evaluationto assign user access rights to the Centrify-managed computers withinthe top-level organizational unit for Centrify-specific objects.To create an organizational unit for evaluation groups1In Active Directory Users and Computers, select the top-levelorganizational unit you created in “Create an organizational unit forCentrify” on page 17.2Right-click and select New Organizational Unit.3Deselect Protect container from accidental deletion.Evaluation Guide for Linux and UNIX18

4Delegate control for the Centrify organizational unitType the name for the organizational unit, for example, UNIXGroups, then click OK.In later exercises, you will use this organizational unit and add othercontainers to manage additional types of information.Delegate control for the Centrify organizationalunitTo allow another person who is not an Active Directory administratorto perform all of tasks in the evaluation, you can delegate control ofthe Centrify organizational unit to that person. If you are an ActiveDirectory administrator or a member of the Domain Admins group inthe evaluation domain, you can skip this step.To delegate control of the organizational unit for Centrify1Open Active Directory Users and Computers and select the domain.2Select the top-level organizational unit for Centrify objects,Centrify.3Right-click, then select Delegate Control.4In the Delegation of Control wizard, click Next.5Click Add.Chapter 2 Configuring the basic evaluation environment19

Install and configure DirectManage Access6Search for and se

Centrify, DirectControl, DirectAuthorize, DirectAudi t, DirectSecure, DirectControl Express, Centrify User Suite, and Centrify Server Suite are registered trademarks and Centrify for Mobile, Centrify .