User Name Mapping best practices

Applies To: Windows Server 2003 R2

Install User Name Mapping on a domain controller.

If you have a large number of user maps, installing User Name Mapping on a domain controller improves performance by reducing network traffic when maps are first created or refreshed.

Create a User Name Mapping server pool.

You can use DNS round robin to create a pool of computers running User Name Mapping. This improves performance on wide area networks and provides failover when one of the servers is no longer available. For more information, see Creating a User Name Mapping pool.

Configure User Name Mapping on a server cluster.

You can use a User Name Mapping server cluster to provide high availability of User Name Mapping. To ensure proper operation of User Name Mapping on a server cluster, when stopping the server cluster, first stop User Name Mapping, then stop the server cluster. For more information, see Configuring User Name Mapping on a server cluster.

Make sure User Name Mapping can download users from all domains.

In order to download users from a Windows domain, make sure that the User Name Mapping server belongs to a domain that is trusted by the Windows domain that it is trying to access.

If Active Directory was installed with permissions compatible with the Windows 2000 Server option, do one of the following:

  • If the computer running User Name Mapping is a member of the domain, add the computer to the Pre-Windows 2000 Compatible Access security group.

  • If the computer running User Name Mapping does not belong to the domain (that is, it belongs to a trusted domain), add the special group Everyone to the Pre-Windows 2000 Compatible Access security group of the Active Directory domain.

Refresh data whenever a user is added or changed.

To ensure that the user will have immediate access to Network File System (NFS) resources, refresh the User Name Mapping database immediately after you add a user or otherwise make changes to the user's Windows or UNIX accounts that would affect the user's mapping. For information about refreshing the database, see Refreshing maps.

Place password and group files on the User Name Mapping server.

If User Name Mapping is configured to use password and group files, these files must be located on a hard drive on the server to ensure that User Name Mapping can access the files whenever it refreshes the mapping database.

Use appropriate permissions to protect password and group files.

Protect password and group files with permissions that allow access only by appropriate users. We recommend that the permissions list contain only entries that grant Full Access to SYSTEM and the Administrators group. Also, do not change the permissions that Microsoft Services for NFS applies to other User Name Mapping configuration files.

Back up complex maps whenever you make changes.

To avoid loss of complex advanced maps in case of system difficulty, or to aid in transferring maps to another server, be sure to back up your User Name Mapping data whenever you change advanced maps.

Ensure consistency of group mapping.

To ensure proper file access, Windows and UNIX groups that are mapped to each other should contain the same users, and the members of the Windows and UNIX groups should be properly mapped to each other.

Specify the computers that can access User Name Mapping.

User Name Mapping requires you to identify the computers that can access User Name Mapping in the .maphosts file. (If the list in this file is empty, only the computer that is running User Name Mapping can access the service.) To maintain a high level of security, you should explicitly specify the computers that can access User Name Mapping, rather than using the plus sign (+) by itself to grant access to all computers. For more information, see Securing access to the User Name Mapping server.
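The following is an added example, not code from the page or from Microsoft, that models how a .maphosts file is evaluated so an administrator can audit one before deploying it. The page only states that an empty file admits the local server and that a lone plus sign admits every computer; the remaining syntax (comments, a trailing minus sign to deny a host, a lone minus sign, first match wins) is assumed from the Services for NFS documentation, and the host names and file contents are constructed.

```python
"""Model of .maphosts evaluation (constructed example, not Microsoft code).

Assumed syntax (from the Services for NFS .maphosts documentation):
  '#' starts a comment, blank lines are ignored
  'host' or 'ip'   -> allow that computer
  'host -'         -> deny that computer
  '+' alone        -> allow every computer not matched earlier
  '-' alone        -> deny every computer not matched earlier
First matching line wins; the local server is always allowed, and an
empty file therefore allows only the local server.
"""

LOCAL_HOST = "unmsrv01"  # constructed name of the User Name Mapping server


def parse_maphosts(text):
    """Return a list of (line_number, host_or_None, allow) rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 1 and parts[0] in ("+", "-"):
            rules.append((lineno, None, parts[0] == "+"))  # wildcard entry
        elif len(parts) == 1:
            rules.append((lineno, parts[0].lower(), True))
        elif len(parts) == 2 and parts[1] == "-":
            rules.append((lineno, parts[0].lower(), False))
        else:
            raise ValueError("unrecognised .maphosts line %d: %r" % (lineno, raw))
    return rules


def is_allowed(rules, client):
    """Decide whether a client (host name or IP string) may use the service."""
    client = client.lower()
    if client == LOCAL_HOST.lower():
        return True
    for _, host, allow in rules:
        if host is None or host == client:
            return allow
    return False  # no matching entry: denied


def audit(rules):
    """Flag the lone '+' that the page warns against."""
    return ["line %d: '+' grants access to all computers" % lineno
            for lineno, host, allow in rules if host is None and allow]


WEAK = "+\n"  # constructed: admits every computer on the network
STRICT = """# constructed .maphosts: explicit client list
nfsclient01
192.168.10.25
oldbox -          # explicitly denied
-                 # everything else denied
"""
```

Running `audit(parse_maphosts(WEAK))` reports the wildcard, while the strict file yields no warnings and admits only the listed clients plus the server itself.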