Creating an Active Directory and DNS domain for IBM WebSphere MQ

This task creates the domain wmq.example.com on a Windows Server 2008 domain controller called sun. It creates the Domain mqm global group in the domain, grants it the required rights, and adds two domain users to it.

In a production scale configuration, you might have to tailor the configuration to an existing domain. For example, you might define different domain groups to authorize different shares, and to group the user IDs that run queue managers.

The example configuration consists of three servers:
sun
A Windows Server 2008 domain controller. It owns the wmq.example.com domain, which contains sun, mars, and venus. For the purposes of illustration, it is also used as the file server.
mars
A Windows Server 2008 used as the first IBM® WebSphere® MQ server. It contains one instance of the multi-instance queue manager called QMGR.
venus
A Windows Server 2008 used as the second IBM WebSphere MQ server. It contains the second instance of the multi-instance queue manager called QMGR.

Replace the example names (sun, mars, venus, wmq.example.com, wmquser1, and wmquser2) with names of your choosing.

Before you begin

  1. The steps assume a Windows Server 2008 that is installed but has no roles configured. If you are configuring an existing domain controller, it can be useful to try out the steps first on a new Windows Server 2008 and then adapt them to your domain.

About this task

In this task, you create an Active Directory and DNS domain on a new domain controller, and then configure it so that IBM WebSphere MQ can be installed on other servers and workstations that join the domain. Follow the task if you are unfamiliar with installing and configuring Active Directory to create a Windows domain. A Windows domain is required for a multi-instance queue manager configuration. The task is not intended as guidance on the best way to configure a Windows domain; before you deploy multi-instance queue managers in a production environment, consult the Windows documentation.

During the task you do the following steps:
  1. Install Active Directory.
  2. Add a domain.
  3. Add the domain to DNS.
  4. Create the global group Domain mqm and give it the correct rights.
  5. Add users and make them members of the global group Domain mqm.

This task is one of a set of related tasks that illustrate accessing queue manager data and log files. The tasks show how to create a queue manager authorized to read and write data and log files that are stored in a directory of your choosing. They accompany the task, Windows domains and multi-instance queue managers.

For the purposes of the task the domain controller hostname is sun, and the two IBM WebSphere MQ servers are called mars and venus. The domain is called wmq.example.com. You can replace all the example names in the task with names of your own choosing.

Procedure

  1. Log on to the domain controller, sun, as the local or Workgroup administrator.

    If the server is already configured as a domain controller, you must log on as a domain administrator.

  2. Run the Active Directory Domain Services wizard.
    1. Click Start > Run... Type dcpromo and click OK.
    If the Active Directory binary files are not already installed, Windows installs the files automatically.
  3. In the first window of the wizard, leave the Use advanced mode installation check box clear. Click Next > Next and click Create a new domain in a new forest > Next.
  4. Type wmq.example.com into the FQDN of the forest root domain field. Click Next.
  5. In the Set Forest Functional Level window, select Windows Server 2003, or later, from the list of Forest functional levels > Next.

    The oldest level of Windows Server that is supported by IBM WebSphere MQ is Windows Server 2003.

  6. Optional: In the Set Domain Functional Level window, select Windows Server 2003, or later, from the list of Domain functional levels > Next.

    This step is only required if you set the Forest Functional Level to Windows Server 2003.

  7. The Additional Domain Controller Options window opens, with DNS server selected as an additional option. Click Next and Yes to clear the warning window.
    Tip: If a DNS server is already installed this option is not presented to you. If you want to follow this task precisely, remove all the roles from this domain controller and start again.
  8. Leave the Database, Log Files, and SYSVOL directories unchanged; click Next.
  9. Type a password into the Password and Confirm password fields in the Directory Services Restore Mode Administrator Password window. Click Next > Next. Select Reboot on completion in the final wizard window.
  10. When the domain controller reboots, log on as wmq\Administrator.

    The server manager starts automatically.
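Steps 2 to 10 can also be run unattended. The following PowerShell script is an added example, not part of the IBM page: it writes a dcpromo answer file that mirrors the wizard choices above (new forest wmq.example.com, Windows Server 2003 functional levels, DNS server role, default directory locations) and runs dcpromo with it. The NetBIOS name WMQ (which gives the wmq\Administrator logon used in step 10) and the answer-file location are assumptions; the DSRM password is prompted for rather than stored in the script.

```powershell
# Added example (not from the IBM page): unattended equivalent of steps 2 to 10.
# Run in an elevated PowerShell prompt on the server that is to become the
# domain controller (sun in the page's example).
$answerFile = Join-Path $env:TEMP 'dcpromo-wmq.txt'   # assumed location

# Directory Services Restore Mode administrator password (step 9):
# prompt for it instead of hard-coding it in the script.
$dsrm = Read-Host 'DSRM administrator password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
try   { $dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

@"
[DCInstall]
; Create a new domain in a new forest (step 3) named wmq.example.com (step 4)
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=wmq.example.com
DomainNetbiosName=WMQ
; 2 = Windows Server 2003 functional level for forest and domain (steps 5 and 6)
ForestLevel=2
DomainLevel=2
; Install the DNS Server role on this domain controller (step 7);
; database, log and SYSVOL paths are left at their defaults (step 8)
InstallDNS=Yes
; DSRM password (step 9); reboot is done below, after the file is removed
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    & "$env:SystemRoot\System32\dcpromo.exe" "/unattend:$answerFile"
    $exit = $LASTEXITCODE
} finally {
    # The answer file holds the DSRM password in clear text: never leave it behind.
    Remove-Item $answerFile -ErrorAction SilentlyContinue
}

if ($exit -ne 0) {
    throw "dcpromo failed with exit code $exit; see $env:SystemRoot\debug\dcpromo.log"
}
Restart-Computer -Force
```

After the reboot, continue with step 10 and log on as wmq\Administrator. The answer-file keys correspond one to one with the wizard pages, so if you change a choice in the wizard (for example the functional level), change the matching key here.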

  11. Open the wmq.example.com\Users folder
    1. Open Server Manager > Roles > Active Directory Domain Services > wmq.example.com > Users.
  12. Right-click Users > New > Group.
    1. Type a group name into the Group name field.
      Note: The preferred group name is Domain mqm. Type it exactly as shown.
      • Calling the group Domain mqm modifies the behavior of the Prepare IBM WebSphere MQ wizard on a domain workstation or server: the wizard then automatically adds the group Domain mqm to the local mqm group on each new installation of IBM WebSphere MQ in the domain.
      • You can install workstations or servers in a domain that has no Domain mqm global group. If you do so, you must define a group with the same properties as the Domain mqm group, and you must make that group, or the users that are members of it, members of the local mqm group wherever IBM WebSphere MQ is installed in the domain. A domain user can belong to several groups, so you can create one domain group for each set of installations that you want to manage separately, split domain users into those groups according to the installations they manage, and add each domain group to the local mqm group of the corresponding IBM WebSphere MQ installations. Only domain users in the domain groups that are members of a specific local mqm group can create, administer, and run queue managers for that installation.
      • The domain user that you nominate when installing IBM WebSphere MQ on a workstation or server in a domain must be a member of the Domain mqm group, or of an alternative group you defined with same properties as the Domain mqm group.
    2. Leave Global clicked as the Group scope, or change it to Universal. Leave Security clicked as the Group type. Click OK.
  13. Add the rights, Allow Read group membership and Allow Read groupMembershipSAM to the rights of the Domain mqm global group.
    1. In the Server Manager action bar, click View > Advanced features
    2. In the Server Manager navigation tree, click Users
    3. In the Users window, right-click Domain mqm > Properties
    4. Click Security > Advanced > Add.... Type Domain mqm and click Check names > OK.

      The Name field is prefilled with the string, Domain mqm (domain name\Domain mqm).

    5. Click Properties. In the Apply to list, select Descendant User Objects from the bottom of the list.
    6. From the Permissions list, select the Read group membership and Read groupMembershipSAM Allow check boxes; click OK > Apply > OK > OK.
  14. Add two or more users to the Domain mqm global group.
    • One user, wmquser1 in the example, runs the IBM WebSphere MQ service, and the other user, wmquser2, is used interactively.
    • A domain user is required to create a queue manager that uses the alternative security group in a domain configuration. It is not sufficient for the user ID to be an administrator, although an administrator has authority to run the crtmqm command. The domain user, who could be an administrator, must be a member of the local mqm group as well as of the alternative security group.
    • In the example, you make wmquser1 and wmquser2 members of the Domain mqm global group. The Prepare IBM WebSphere MQ wizard automatically configures Domain mqm as a member of the local mqm group wherever the wizard is run.
    • You must provide a different user to run the IBM WebSphere MQ service for each installation of IBM WebSphere MQ on a single computer. You can reuse the same users on different computers.
    1. In the Server Manager navigation tree, right-click Users > New > User
    2. In the New Object - User window, type wmquser1 into the User logon name field. Type WebSphere into the First name field, and MQ1 into the Last name field. Click Next.
    3. Type a password into the Password and Confirm password fields, and clear the User must change password at next logon check box. Click Next > Finish.
    4. In the Users window, right-click WebSphere MQ1 > Add to a group.... Type Domain mqm and click Check Names > OK > OK.
    5. Repeat steps a to d to add WebSphere MQ2 as wmquser2.
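Steps 11 to 14 as one PowerShell script. This is an added example, not the IBM page's own code, and it requires the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later; on Windows Server 2008 it needs the Active Directory Management Gateway Service plus the remote administration tools). It creates the Domain mqm global security group in the Users container, resolves the two permissions from the schema instead of hard-coding GUIDs, adds the two ACEs for descendant user objects, and creates wmquser1 and wmquser2 as members. The group, user and display names are the page's; passwords are prompted for and must meet the domain's password policy.

```powershell
# Added example (not from the IBM page): scripted equivalent of steps 11 to 14.
# Run as a domain administrator on the domain controller.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$usersDN   = "CN=Users,$domainDN"
$groupName = 'Domain mqm'   # exact name: the Prepare wizard looks for it

# Step 12: global security group Domain mqm in the Users container (idempotent).
$group = Get-ADGroup -Filter { Name -eq $groupName } -SearchBase $usersDN
if (-not $group) {
    $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupCategory Security -GroupScope Global -Path $usersDN -PassThru
}

# Step 13: look up the GUIDs the two ACEs need from this forest's schema.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
# Attribute groupMembershipSAM ("Read groupMembershipSAM" in the ACL editor).
$gmsAttr   = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=groupMembershipSAM)' -Properties schemaIDGUID
$gmsGuid   = [guid]$gmsAttr.schemaIDGUID
# Class user, for "Apply to: Descendant User Objects".
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userClassGuid = [guid]$userClass.schemaIDGUID
# Property set Membership ("Read group membership" in the ACL editor).
$membership = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(cn=Membership)' -Properties rightsGuid
$membershipGuid = [guid]$membership.rightsGuid

function Add-ReadPropertyAce {
    param([string]$TargetDN, [System.Security.Principal.SecurityIdentifier]$Sid, [guid]$PropertyGuid)
    $acl  = Get-Acl -Path "AD:\$TargetDN"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $PropertyGuid,                                                     # which property / property set
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)                                                    # ... on descendant user objects only
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

# The page sets the ACEs on the Domain mqm group object itself. Inheritable ACEs
# reach only objects beneath the one they are set on, so use $domainDN as the
# target instead if the user objects MQ must read live elsewhere in the domain.
$target = $group.DistinguishedName
Add-ReadPropertyAce -TargetDN $target -Sid $group.SID -PropertyGuid $membershipGuid
Add-ReadPropertyAce -TargetDN $target -Sid $group.SID -PropertyGuid $gmsGuid

# Step 14: two domain users, both members of Domain mqm.
foreach ($u in @(
    @{ Sam = 'wmquser1'; First = 'WebSphere'; Last = 'MQ1' },    # runs the MQ service
    @{ Sam = 'wmquser2'; First = 'WebSphere'; Last = 'MQ2' })) { # used interactively
    $pw = Read-Host "Password for $($u.Sam)" -AsSecureString
    New-ADUser -Name "$($u.First) $($u.Last)" -SamAccountName $u.Sam `
        -UserPrincipalName "$($u.Sam)@$($domain.DNSRoot)" `
        -GivenName $u.First -Surname $u.Last -Path $usersDN `
        -AccountPassword $pw -ChangePasswordAtLogon $false -Enabled $true
    Add-ADGroupMember -Identity $group -Members $u.Sam
}

# Check: show the ACEs just added and the group membership.
(Get-Acl "AD:\$target").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and $_.ActiveDirectoryRights -eq 'ReadProperty' } |
    Format-Table IdentityReference, ObjectType, InheritedObjectType -AutoSize
Get-ADGroupMember -Identity $group | Select-Object SamAccountName
```

The final check should list two ReadProperty ACEs for WMQ\Domain mqm whose InheritedObjectType is the user class GUID, and wmquser1 and wmquser2 as members. Resolving the GUIDs by name from the schema and Extended-Rights containers keeps the script correct across forests, which a hard-coded GUID list would not guarantee.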
  15. Running IBM WebSphere MQ as a service.
    If you need to run IBM WebSphere MQ as a service, give the domain user that runs it (wmquser1 in the example, or the user that you obtained from your domain administrator) the Log on as a service right:
    1. Click Start > Run....
      Type the command secpol.msc and click OK.
    2. Open Security Settings > Local Policies > User Rights Assignments.
      In the list of policies, right-click Log on as a service > Properties.
    3. Click Add User or Group...
      Type the name of the user you obtained from your domain administrator, and click Check Names
    4. If prompted by a Windows Security window, type the user name and password of an account user or administrator with sufficient authority, and click OK > Apply > OK.
      Close the Local Security Policy window.
    Note: On Windows Vista and Windows Server 2008, User Account Control (UAC) is enabled by default.

    The UAC feature restricts the actions that users can perform on certain operating system facilities, even if they are members of the Administrators group. To change the local security policy you must run secpol.msc elevated, for example by starting it with Run as administrator.
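Step 15 without the Local Security Policy console. The following PowerShell function is an added example, not the IBM page's own code: it exports the user-rights area of the local security policy with secedit, adds the account's SID to SeServiceLogonRight (the policy name behind "Log on as a service"), applies the result, and re-exports to confirm the change. It assumes an elevated prompt (because of UAC) on a computer that is joined to the domain, so that the account name can be resolved to a SID; the account WMQ\wmquser1 is the page's example.

```powershell
# Added example (not from the IBM page): scripted equivalent of step 15.
# Minimal security template: only the one right is written, so no other
# policy area is changed by the import. ($CHICAGO$ is literal: single quotes.)
$userRightsTemplate = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = {0}
'@

function Grant-ServiceLogonRight {
    param([Parameter(Mandatory = $true)][string]$Account)

    # Policy entries are written as *SID: unambiguous, and unaffected by renames.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    $exportInf = Join-Path $env:TEMP 'user-rights-export.inf'
    $applyInf  = Join-Path $env:TEMP 'user-rights-apply.inf'
    $db        = Join-Path $env:TEMP 'user-rights.sdb'
    try {
        # 1. Export the current user-rights assignments.
        secedit /export /cfg $exportInf /areas USER_RIGHTS | Out-Null

        # 2. Merge the SID into the existing SeServiceLogonRight entry, which looks like
        #    "SeServiceLogonRight = *S-1-5-20,*S-1-5-19". Replacing rather than merging
        #    would silently strip the right from the built-in service accounts.
        $entries = @()
        foreach ($line in Get-Content $exportInf) {
            if ($line -match '^\s*SeServiceLogonRight\s*=\s*(.*)$') {
                $entries = @($matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
                break
            }
        }
        if ($entries -contains "*$sid") {
            return "$Account already holds SeServiceLogonRight"
        }
        $entries += "*$sid"

        # 3. Write the template with the merged list and apply only the USER_RIGHTS area.
        ($userRightsTemplate -f ($entries -join ',')) | Set-Content -Path $applyInf -Encoding Unicode
        secedit /configure /db $db /cfg $applyInf /areas USER_RIGHTS | Out-Null

        # 4. Check: re-export and confirm the SID is now present.
        secedit /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
        $after = @(Get-Content $exportInf | Where-Object { $_ -match '^\s*SeServiceLogonRight' })[0]
        if (-not $after -or $after -notmatch [regex]::Escape("*$sid")) {
            throw "SeServiceLogonRight was not granted to $Account; see scesrv.log under $env:SystemRoot\security\logs"
        }
        return $after
    } finally {
        Remove-Item $exportInf, $applyInf, $db -ErrorAction SilentlyContinue
    }
}

Grant-ServiceLogonRight -Account 'WMQ\wmquser1'
```

The function returns the resulting policy line, so the SIDs of the accounts that already held the right are visible alongside the one just added. Remember that this right is local to the computer: repeat it on each IBM WebSphere MQ server (mars and venus in the example), or set it through Group Policy for the domain's MQ servers instead.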

What to do next

Proceed to the next task, Installing IBM WebSphere MQ on a server or workstation in a Windows domain.