AD Synchronization with the DirXML Starter Pack
Novell Cool Solutions: Tip
By Troy Griese
Digg This -
Posted: 21 Apr 2005
This guide helps you set up Microsoft Active Directory synchronization, including passwords, with the DirXML starter pack. It begins with a NetWare 5.1 environment and upgrades to the NetWare 6.5 SP1b overlay.
This setup was tested in the following environment:
- NetWare 5.1 sp5, with eDirectory 22.214.171.124
- Windows NT 4.0 domain
- Windows 2000 DNS
The following resources were used:
- NetWare 6.5 sp1b overlay
- DirXML iso CD from 6.5 install
- Windows 2003
- DirXML 1.1a Plug-in for iManager 2.0.x download (DirXML_Plugins.npm.zip)
- dradcu1 update
- dradpt3 update
This guide assumes that a flat, bi-directional sync of AD (2003) and eDirectory is used. It also assumes that the driver was set up to sync users created in AD to an OU named ADUsers, in the eDir Tree.
Here are the basic setup tasks explained in the guide:
- Do a NAM reverse migration.
- Perform a Windows 2003 upgrade if necessary.
- Install Active Directory.
- Upgrade to NetWare 6.5 if necessary.
- Install the DirXML Engine.
- Install the iManager Plug-ins.
- Prepare the eDirectory certificate for SSL.
- Create the AD structure.
- Create the DirXML Admin user in AD and assign rights.
- Determine the AD GUID.
- Install the Remote Loader on DC.
- Install files from the DRADCUL update.
- Set up RemoteLoader.
- Set up the AD Driver.
- Do miscellaneous setup tasks.
- Customize the driver.
- Test the setup and synchronization.
- Migrate existing AD users.
Task 1: NAM Reverse Migration (on BDCs first)
- Go to Add/Remove Programs and remove the NDS for NT files.
- Reboot as necessary.
- Make sure SAM gets synced after rebooting.
- Remove (power off) one BDC from the network for disaster recovery purposes.
- Repeat all of the above steps for any other BDCs first, then for the PDC.
Task 2: 2003 UPGRADE on PDCInsert the Windows 2003 CD and perform the upgrade. Upon successful 2003 upgrade and boot, the AD Installation Wizard will start.
Task 3: Install Active Directory
- Select Domain in a new forest.
- Supply the Full DNS name for new domain (such as ABC.net).
- Select the Forest Functional level (use Windows Server 2003 interim; i.e., no Windows 2000 domain controllers).
- Use defaults for the database and log folders.
- Use the default Shared System Volume.
- In the DNS Registration Diagnostics, look for "The operation completed successfully."
- Set Permissions compatible with pre-Windows 2000 server operating systems.
- Set the Directory Services Restore Mode Administrator Password.
- Review the Summary data.
- Complete the Active Directory Installation Wizard.
- Restart the server.
- After reboot, choose Log in to Workstation Only and install the 4.9 client (if you're using a 4.83 client, and it fails to start).
Task 4. NetWare 6.5 Upgrade (Master replica holder of Root)
- Install sp6 on the NetWare 5.1 server if necessary.
- To prepare for the new eDirectory version, run NWDEPLOY from 6.5 CD. This extends the schema - make sure it synced properly with the other servers.
- Run the Server Health Utility with NWDEPLOY from 6.5 CD.
- Check the following NetWare 6.5 Upgrade Requirements before continuing:
- After all of the checks, put the upgrade CD in the NetWare server.
- Start the GUI (startx), select the install option and browse to the CD. I chose to back up boot files, not to automatically reboot, not to allow unsupported drivers. I also chose to use a manual upgrade type, overwrite newer files, and select all NMAS methods. Then I installed apache2, iprint, Refresh NFA methods, and iManager.
- Reboot until everything comes up OK.
*NetWare 5.1 sp6 installed
*2GB of available SYS vol space
*200MB of available DOS partition space
*512MB of RAM
*Pentium II or better
*You may need to set FILES=50 BUFFERS=30 in config.sys.
Task 5: Install the DirXML Engine
With the DirXML iso CD install from the NetWare GUI (nw\product.ni), install everything but the Novell iManager Plug-ins for DirXML.
Remove any unnecessary pre-configured drivers. I did not overwrite statuslg.nlm when prompted.
Task 6: Install iManager Plug-ins
- Install the updated DirXML 1.1a Plug-in for iManager 2.0.x (DirXML_Plugins.npm.zip) according to TID 10088503.
- Open a browser from a workstation and go to http://server/nps/iManager.html
- Click Configure.
- In the left pane under Module Configuration, choose Install Module Package.
- Browse to the Plugins for iManager 2.0.x\packages directory on the CD.
- Select the .npm file and click Install.
- Continue until all of the .npm files have been installed.
- Stop (tc4stop) and start (tomcat4) the tomcat web services.
Task 7: Prepare the eDirectory Certificate for SSL
Note: For details, see TID 10083691.
- From the DC, start ConsoleOne from the 6.5 NDS server.
- Select the context where the server exists.
- Select File | New | Object and choose NDSPKI:Key Material.
- Select the appropriate server, name the certificate "DirXML-Cert" and leave it on Standard.
- Export the Trusted Root Certificate.
- View the properties of the certificate.
- Select the Trusted Root Certificate from the Certificates dropdown.
- Click the Export button, check "No" on the Private key, and use the Base64 format (note the location).
Task 8: Create the AD Structure
- Open Active Directory Users and Computers.
- Right-click the Domain Object (ABC.net), select New, and choose Organizational Unit.
- Name it appropriately (I used the tree name) and click OK.
Task 9: Create the DirXML Admin User in AD and Assign Rights
- Open Active Directory Users and Computers.
- Right-click the OU for the user, select New, and choose User.
- Name it "dirxml-admin", give it a password, and select Password Never Expires.
- Open Active Directory Users and Computers again.
- Select Built-in, choose Administrators, add dirxml-admin, click OK and close the app.
- Open the Domain Controller Security Policy from Administrative Tools.
- Add dirxml-admin to Log on as a Service, under User Rights Assignment, under Local Policies.
- Reboot the server to apply the policies.
Task 10: Determine the AD GUID
- From the PC, configure the AD driver (via iManager).
- Run the ADShimDiscoveryTool.exe utility from the DirXML ISO CD (utilities\ad_disc\ADShimDisco?veryTool.exe).
- Choose the Paste the File option after the information has been obtained.
Install the Remote Loader on DC
- Let the DirXML ISO CD auto-run on the DC.
- Select DirXML Remote Loader and Drivers.
- Select the DirXML Remote Loader Service and PasswordSync Agent.
- Choose the Remote Loader and DirXML Driver 2.1.1 for Active Directory options.
Task 11: Update Files from DRADCUL
Note: For details on the DRADCUL update see TID 2964748.
- From the DRADCUL update, copy AD-Driver*.xl* to:
- Run the dvr_ext.sch schema extension from the DRADCUL update (use the NWConfig - directory options).
- Copy addriver.dll from dradpt3 and update to c:\novell\remoteloader
Task 12: RemoteLoader Setup
- Start the DirXML RemoteLoader Configuration Wizard from the desktop of the DC. Accept the defaults until it prompts for the SSL Trusted root file.
- Copy the file you exported for the Trusted root to the c:\novell\remoteloader directory.
- Select that file for this option.
- Change the Trace level to 3.
- Create a directory named c:\novell\remoteloader\log_fil?es
- Supply the Trace file name of c:\novell\remoteloader\log_files\8000trace.log Provide passwords.
- Start the service when prompted.
Task 13: AD Driver Setup
- Open iManager and expand the DirXML Management option in the left pane
- Select Import Drivers and then "In a new driver set"
- Supply a name (DirXML-TREENAME), context MRMC, server name and leave new partition selected
- Select AD Driver Configuration
- Supply the following names for the configuration:
authoritative id: dirxml-ad...@ABC.net
authentication server: (leave blank)
domaind GUID: (from the ADShimDiscoveryTool file on the desktop)
AD base container: OU=TREENAME,DC=ABC,DC=net
eDir base container: .TREENAME. (browse to this)
publisher placement: flat
subscriber placement: flat
driver polling: 1 min
secure authentication: yes
enable passwordsync: yes
remote host: servername.abc.net 8090
exchange 2000: no
- Add appropriate security equivalences and exclude admin roles.
- Finish with the overview.
Task 14: PasswordSync Setup
- Open the Password Synchronization option from the DC Control Panel.
- Supply the Tree name.
- Select the Domain and the DirXML-Driver.
- Accept defaults for the Password Sync Object.
- Select the top of the tree for the container rights screen.
- Install the filter on the domain controller(s).
- Select the domain controller from the list and click the add button.
- Reboot the domain controller.
Important: After rebooting, edit the Novell Password Synchronization Service to "Interact with Desktop"
Task 15: Miscellaneous Setup Tasks
First, you need to assign rights for the AD-Driver object. To do this, add supervisor object and property rights for the AD-Driver-TREENAME object to [Root].
Then add the key parameters for SSL:
- In ConsoleOne (or iManager), edit the properties of the AD-Driver-TREENAME object.
- Remove the Auth ID (dirxml-ad...@acme.net)
- Add kmo="DirXML-Cert - servername" to the end of the Remote Loader.
Next, set up the Connection Parameters:
- Provide the passwords.
- Select the Secure Authentication and SSL option from the Driver Parameters tab.
- Click OK.
Task 16: Customizing the Driver
- Change the AD subscriber channel to put new users in the OULEVEL1\ADUsers context. It should read:
- Add AD-Win2003-OutputTransformSS (see TID 10084602).
- Open ConsoleOne from MIDFS08.
- Select Create a New Application Driver under Wizards.
- Choose the existing Driver Set.
- Select the AD-Win2003-OTS.xml file.
- Provide the CN of the AD Driver (should be AD-Driver-Treename) and the Domain name (acme.net).
After importing chain the StyleSheet,
- In ConsoleOne, open the properties of OutputTransformSS.
- From the Other tab, click Add and choose DirXML-NextTransformation.
- Browse to find the AD-Win2003-OutputTransformSS object.
- Click OK.
Task 17: Testing
Start it up! The DC Remote Loader should be waiting for the SSL connection.
- Start the driver from iManager.
- Verify from DC that it started correctly.
To test the synchronization,
- Create a User in eDirectory and AD.
- Verify that the user copied over correctly.
- Modify the user in eDirectory and AD. Verify that the changes are reflected properly.
- Change the password and verify that it synchs correctly.
Task 18: Migrate Existing Users
First, update the userPrincipalName attribute on AD DC (because NT to AD migration left it blank). See the Microsoft Knowledge Base Article 237677 for details on ldifde.
Then, export the userlist from DC as follows:
ldifde -f c:\ldifout.txt -s ADSERVERNAME -r "(objectCategory=CN=Person,CN=?Schema,CN=Configuration,DC=mid?michigan,DC=net) " -l cn
Finally, create and run the ldifchanger.bat file as follows:
@echo off del c:\ldifimport.txt for /f "tokens=1*" %%i in (c:\ldifout.txt) do ( if "%%i" == "dn:" echo %%i %%j>>c:\ldifimport.txt if "%%i" =="cn:" ( echo changetype: modify>>c:\ldifimport.txt echo add: userPrincipalName>>c:\ldifimport.txt echo userPrincipalName:%%j@ABC.net>>c:\ldifimport.txt echo ->>c:\ldifimport.txt echo.>>c:\ldifimport.txt ) )
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com