Home
When you have problems with WebSphere MQ and domain controllers
This section describes problems that can arise with security settings when Windows 2000 servers are promoted to domain controllers.
While promoting Windows 2000 or Windows 2003 servers to domain controllers, you are presented with the option of selecting a default or non-default security setting relating to user and group permissions. This option controls whether arbitrary users are able to retrieve group memberships from the active directory. Because WebSphere MQ relies on group membership information to implement its security policy, it is important that the user ID that is performing WebSphere MQ operations can determine the group memberships of other users.
On Windows 2000, when a domain is created using the default security option, the default user ID created by WebSphere MQ during the installation process (MUSR_MQADMIN) can obtain group memberships for other users as required. The product then installs normally, creating default objects, and the queue manager can determine the access authority of local and domain users if required.
On Windows 2000, when a domain is created using the non-default security option, or on Windows 2003 when a domain is created using the default security option, the user ID created by WebSphere MQ during the installation (MUSR_MQADMIN) cannot always determine the required group memberships. In this case, we need to know:
- How Windows 2000 with non-default security permissions behaves
- How to allow domain mqm group members to read group membership
- How to configure WebSphere MQ Services to run under a domain user
- Windows 2000 domain with non-default, or Windows 2003 domain with default, security permissions
- Configuring WebSphere MQ Services to run under a domain user
Parent topic:
Guidelines for Windows 2000 and Windows 2003
fa13380_
Home