This task creates the domain wmq.example.com on a Windows 2008 domain controller called sun. It configures the Domain mqm global group in the domain, with the correct rights, and with one user.
In a production scale configuration, you might have to tailor the configuration to an existing domain. For example, you might define different domain groups to authorize different shares, and to group the user IDs that run queue managers.
The example configuration consists of three servers:
- sun: A Windows Server 2008 domain controller. It owns the wmq.example.com domain that contains sun, mars, and venus. For the purposes of illustration, it is also used as the file server.
- mars: A Windows Server 2008 used as the first IBM® WebSphere® MQ server. It contains one instance of the multi-instance queue manager called QMGR.
- venus: A Windows Server 2008 used as the second IBM WebSphere MQ server. It contains the second instance of the multi-instance queue manager called QMGR.
Replace the italicized names in the example with names of your choosing.
Before you begin
- The task steps are consistent with a Windows Server 2008 that is installed but not configured with any roles. If you are configuring an existing domain controller, you might find it useful to try out the steps on a new Windows Server 2008. You can adapt the steps to your domain.
About this task
In this task, you create an Active Directory and DNS domain on a new domain controller. You then configure it ready to install IBM WebSphere MQ on other servers and workstations that join the domain. Follow the task if you are unfamiliar with installing and configuring Active Directory to create a Windows domain.
You must create a Windows domain in order to create a multi-instance queue manager configuration. The task is not intended to guide you in the best way to configure a Windows domain. To deploy multi-instance queue managers in a production environment, you must consult Windows documentation.
During the task you do the following steps:
- Install Active Directory.
- Add a domain.
- Add the domain to DNS.
- Create the global group Domain mqm and give it the correct rights.
- Add a user and make it a member of the global group Domain mqm.
This task is one of a set of related tasks that illustrate accessing queue manager data and log files. The tasks show how to create a queue manager authorized to read and write data and log files that are stored in a directory of your choosing. They accompany the task, Windows domains and multi-instance queue managers.
For the purposes of the task the domain controller hostname is sun, and the two IBM WebSphere MQ servers are called mars and venus. The domain is called wmq.example.com. You can replace all the italicized names in the task with names of your own choosing.
Procedure
- Log on to the domain controller, sun, as the local or Workgroup administrator. If the server is already configured as a domain controller, you must log on as a domain administrator.
- Run the Active Directory Domain Services wizard.
  - Click Type dcpromo and click OK.
    If the Active Directory binary files are not already installed, Windows installs the files automatically.
  - In the first window of the wizard, leave the Use advanced mode installation check box clear. Click and click .
  - Type wmq.example.com into the FQDN of the forest root domain field. Click Next.
  - In the Set Forest Functional Level window, select Windows Server 2003, or later, from the list of .
    The oldest level of Windows Server that is supported by IBM WebSphere MQ is Windows Server 2003.
  - Optional: In the Set Domain Functional Level window, select Windows Server 2003, or later, from the list of .
    This step is only required if you set the Forest Functional Level to Windows Server 2003.
  - The Additional Domain Controller Options window opens, with DNS server selected as an additional option. Click Next and Yes to clear the warning window.
    Tip: If a DNS server is already installed this option is not presented to you. If you want to follow this task precisely, remove all the roles from this domain controller and start again.
  - Leave the Database, Log Files, and SYSVOL directories unchanged; click Next.
  - Type a password into the Password and Confirm password fields in the Directory Services Restore Mode Administrator Password window. Click . Select Reboot on completion in the final wizard window.
- When the domain controller reboots, log on as wmq\Administrator.
  The server manager starts automatically.
- Open the wmq.example.com\Users folder
  - Open .
- Right-click .
  - Type a group name into the Group name field.
    Note: The preferred group name is Domain mqm. Type it exactly as shown.
    - Calling the group Domain mqm modifies the behavior of the Prepare IBM WebSphere MQ wizard on a domain workstation or server. It causes the Prepare IBM WebSphere MQ wizard automatically to add the group Domain mqm to the local mqm group on each new installation of IBM WebSphere MQ in the domain.
    - You can install workstations or servers in a domain with no Domain mqm global group. If you do so, you must define a group with the same properties as Domain mqm group. You must make that group, or the users that are members of it, members of the local mqm group wherever IBM WebSphere MQ is installed in a domain. You can place domain users into multiple groups. Create multiple domain groups, each group corresponding to a set of installations that you want to manage separately. Split domain users, according to the installations they manage, into different domain groups. Add each domain group or groups to the local mqm group of different IBM WebSphere MQ installations. Only domain users in the domain groups that are members of a specific local mqm group can create, administer, and run queue managers for that installation.
    - The domain user that you nominate when installing IBM WebSphere MQ on a workstation or server in a domain must be a member of the Domain mqm group, or of an alternative group you defined with the same properties as the Domain mqm group.
  - Leave Global clicked as the Group scope, or change it to Universal. Leave Security clicked as the Group type. Click OK.
- Add the rights, Allow Read group membership and Allow Read groupMembershipSAM to the rights of the Domain mqm global group.
  - In the Server Manager action bar, click
  - In the Server Manager navigation tree, click Users
  - In the Users window, right-click
  - Click . Type Domain mqm and click .
    The Name field is prefilled with the string, Domain mqm (domain name\Domain mqm).
  - Click Properties. In the Apply to list, select Descendant User Objects from the bottom of the list.
  - From the Permissions list, select the Read group membership and Read groupMembershipSAM Allow check boxes; click .
- Add two or more users to the Domain mqm global group.
  - One user, wmquser1 in the example, runs the IBM WebSphere MQ service, and the other user, wmquser2, is used interactively.
  - A domain user is required to create a queue manager that uses the alternative security group in a domain configuration. It is not sufficient for the user ID to be an administrator, although an administrator has authority to run the crtmqm command. The domain user, who could be an administrator, must be a member of the local mqm group as well as of the alternative security group.
  - In the example, you make wmquser1 and wmquser2 members of the Domain mqm global group. The Prepare IBM WebSphere MQ wizard automatically configures Domain mqm as a member of the local mqm group wherever the wizard is run.
  - You must provide a different user to run the IBM WebSphere MQ service for each installation of IBM WebSphere MQ on a single computer. You can reuse the same users on different computers.
  - In the Server Manager navigation tree, click
  - In the New Object - User window, type wmquser1 into the User logon name field. Type WebSphere into the First name field, and MQ1 into the Last name field. Click Next.
  - Type a password into the Password and Confirm password fields, and clear the User must change password at next logon check box. Click .
  - In the Users window, right-click . Type Domain mqm and click .
  - Repeat steps a to d to add WebSphere MQ2 as wmquser2.
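The group and user steps above can also be scripted and checked from a console. The following PowerShell is an added example, not part of the original task; it assumes the dsadd and dsget tools that are installed with the Active Directory Domain Services role, the default Users container, and the example names from this task, and it leaves the Read group membership and Read groupMembershipSAM rights to be set as described above.

```powershell
# Added example: scripted equivalent of the group and user steps in this task.
# Run in a console on the domain controller as a domain administrator.
# Assumptions: default Users container; example names from this task.
$base    = 'CN=Users,DC=wmq,DC=example,DC=com'
$groupDn = "CN=Domain mqm,$base"

# Group scope Global, group type Security, as selected in the wizard.
dsadd group $groupDn -secgrp yes -scope g -samid 'Domain mqm'
if ($LASTEXITCODE -ne 0) { throw 'Creating the Domain mqm group failed.' }

$users = @(
    @{ Sam = 'wmquser1'; First = 'WebSphere'; Last = 'MQ1' },  # runs the service
    @{ Sam = 'wmquser2'; First = 'WebSphere'; Last = 'MQ2' }   # used interactively
)
foreach ($u in $users) {
    $userDn = "CN=$($u.First) $($u.Last),$base"
    # "-pwd *" prompts for the password, so it is not stored in the script.
    # "-mustchpwd no" matches clearing "User must change password at next logon".
    dsadd user $userDn -samid $u.Sam -upn "$($u.Sam)@wmq.example.com" `
        -fn $u.First -ln $u.Last -pwd * -mustchpwd no -memberof $groupDn
    if ($LASTEXITCODE -ne 0) { throw "Creating $($u.Sam) failed." }
}

# Verify the group scope and type, then that both users are members.
dsget group $groupDn -scope -secgrp
$members = @(dsget group $groupDn -members)
foreach ($u in $users) {
    $cn = "CN=$($u.First) $($u.Last),"
    if (-not ($members -like "*$cn*")) {
        Write-Warning "$($u.Sam) is not a member of Domain mqm."
    }
}
```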
- Running IBM WebSphere MQ as a service.
  If you need to run IBM WebSphere MQ as a service, give the domain user (that you obtained from your domain administrator) the right to run as a service by carrying out the following procedure:
  - Click Start > Run.... Type the command secpol.msc and click OK.
  - Open Security Settings > Local Policies > User Rights Assignment. In the list of policies, right-click Log on as a service > Properties.
  - Click Add User or Group... Type the name of the user you obtained from your domain administrator, and click Check Names
  - If prompted by a Windows Security window, type the user name and password of an account user or administrator with sufficient authority, and click OK > Apply > OK. Close the Local Security Policy window.
Note: On Windows Vista and Windows Server 2008 the User Account Control (UAC) is enabled by default. The UAC feature restricts the actions users can perform on certain operating system facilities, even if they are members of the Administrators group. You must take appropriate steps to overcome this restriction.
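To confirm the result of the Log on as a service procedure, the following PowerShell (an added example, not part of the original task) exports the local user rights with secedit and lists the accounts that hold the right. It assumes an elevated prompt on the IBM WebSphere MQ server and that the service account is WMQ\wmquser1, where WMQ is the assumed NetBIOS name of the example domain.

```powershell
# Added example: list the accounts that hold "Log on as a service"
# (SeServiceLogonRight) on this server and check for the MQ service account.
# Assumption: WMQ\wmquser1 is the service account (example names from this task).
$expected = 'WMQ\wmquser1'

function Get-ServiceLogonHolders {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    # secedit needs an elevated prompt; with UAC enabled, use "Run as administrator".
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'secedit export failed; is the prompt elevated?' }

    $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' }
    Remove-Item $cfg
    if (-not $line) { return @() }   # nobody holds the right

    $entries = ($line -split '=', 2)[1] -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries written as *S-1-5-... are SIDs; translate them to account names.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }         # unresolvable SID, for example a deleted account
        } else {
            $entry                   # already written as an account name
        }
    }
}

$holders = @(Get-ServiceLogonHolders)
$holders | ForEach-Object { "Log on as a service: $_" }
if ($holders -contains $expected) {
    "$expected holds the right."
} else {
    # The account can still hold the right through a group that is listed above.
    Write-Warning "$expected is not listed directly for Log on as a service."
}
```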