Setting Up Active Directory

For the default NetWare® 6.5 setup, the driver for Active Directory is installed on the Domain Controller. Additional installation options are explained in Planning Your Installation in the Implementation Guide for the Active Directory Driver.

To synchronize account information for Active Directory users, complete the following sections:


Prerequisites

The computer where you will install the Remote Loader and the driver must be running the following software:


Collecting Configuration Information

You'll need to provide a number of system-specific details when you install and configure the DirXML driver for Active Directory. Some of these details can be collected before you complete the following procedures, and others will be defined during the process.

During the configuration process, you will also need to provide the container names for placement of synchronized objects. For more information about Active Directory placement options, see Default Driver Settings for Active Directory.


Required Driver Configuration Information for Active Directory

IMPORTANT:  The data you supply during configuration is used to build DirXML rules. Often, case is significant to a rule. Mirror case when entering the requested data.

System item                                                         Value

Authoritative ID (example: DirXML@mycorp.com)
    Used by the driver to access objects necessary for data synchronization. To create this user, see Creating an Admin User.
    Value: (record here)

Authoritative Password
    Password for the above user. Can be set when Creating an Admin User.
    Value: (record here)

Authentication Server (example: LDAP://mycontroller.domain.mycorp.com)
    The DNS name for the Domain Controller. You might need to ask the Active Directory administrator for this information.
    Value: (record here)

Domain GUID
    This data can be automatically collected and stored in a text file using the ADShimDiscoveryTool. See Identifying the Active Directory Domain GUID.
    Value: stored in ADShimData.txt

Base Container in Active Directory (example: CN=Users,DC=MyDomain,DC=com)
    The Active Directory container holding objects to synchronize with eDirectory. If this container does not exist, you must create it before starting the driver.
    Value: (record here)

Base Container in eDirectory (example: Users.MyOrganization)
    The eDirectory container holding objects to synchronize with Active Directory. If this container does not exist, you must create it before starting the driver.
    Value: (record here)

Remote Host Name and Port
    Specify the port when Installing and Configuring the Remote Loader and Driver.
    Value: (record here)

Driver Password
    Specify the password when Installing and Configuring the Remote Loader and Driver.
    Value: (record here)

Remote Password
    Specify the password when Installing and Configuring the Remote Loader and Driver.
    Value: (record here)

Default Exchange Server
    To synchronize Exchange 2000 information, you will need to provide values for this and the following prompts.
    This data can be automatically collected and stored in a text file using the ADShimDiscoveryTool. See Identifying the Active Directory Domain GUID.
    Value: stored in ADShimData.txt

Default Exchange DN
    This data can be automatically collected and stored in a text file using the ADShimDiscoveryTool. See Identifying the Active Directory Domain GUID.
    Value: stored in ADShimData.txt

Default Exchange MTA
    This data can be automatically collected and stored in a text file using the ADShimDiscoveryTool. See Identifying the Active Directory Domain GUID.
    Value: stored in ADShimData.txt

Default Exchange MDB
    This data can be automatically collected and stored in a text file using the ADShimDiscoveryTool. See Identifying the Active Directory Domain GUID.
    Value: stored in ADShimData.txt
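Before the recorded values are typed into the driver parameters, it is worth checking that each one has the shape the worksheet's own examples show, since a DN typed into the eDirectory field or a missing LDAP:// prefix only surfaces later as a failed driver start. The following script is an added example, not part of the original documentation: its patterns follow the worksheet examples (DirXML@mycorp.com, LDAP://host, CN=Users,DC=MyDomain,DC=com, Users.MyOrganization), the WORKSHEET values are a constructed sample, and the host:port form assumed for "Remote Host Name and Port" is an assumption.

```python
"""Format checks for the values recorded in the configuration worksheet.
Added example, not part of the original documentation.  Patterns follow the
worksheet's own examples; WORKSHEET is a constructed sample, and the host:port
form for "Remote Host Name and Port" is an assumption."""
import re

WORKSHEET = {
    "Authoritative ID": "DirXML@mycorp.com",
    "Authentication Server": "LDAP://mycontroller.domain.mycorp.com",
    "Base Container in Active Directory": "CN=Users,DC=MyDomain,DC=com",
    "Base Container in eDirectory": "Users.MyOrganization",
    "Remote Host Name and Port": "192.168.0.1:8090",
}

# (field, pattern, hint) for each worksheet entry that has a fixed format.
RULES = [
    ("Authoritative ID", r"^[^@\s]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$",
     "expected user@domain, as in DirXML@mycorp.com"),
    ("Authentication Server", r"^LDAP://[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*$",
     "expected LDAP:// followed by the domain controller's DNS name"),
    ("Base Container in Active Directory",
     r"^(?:(?:CN|OU)=[^,=]+,)+(?:DC=[^,=]+,)*DC=[^,=]+$",
     "expected an LDAP DN such as CN=Users,DC=MyDomain,DC=com"),
    ("Base Container in eDirectory", r"^[^.\s]+(?:\.[^.\s]+)+$",
     "expected a dotted eDirectory name such as Users.MyOrganization"),
    ("Remote Host Name and Port", r"^[A-Za-z0-9.-]+:\d{1,5}$",
     "expected host:port"),
]

def check_worksheet(ws):
    """Return [(field, hint), ...]; an empty list means every value is well formed.
    Values are checked exactly as recorded and never rewritten, because the
    worksheet data is used verbatim to build DirXML rules."""
    problems = []
    for field, pattern, hint in RULES:
        value = ws.get(field, "").strip()
        if not value:
            problems.append((field, "missing"))
        elif not re.match(pattern, value, re.IGNORECASE):
            problems.append((field, hint))
    port = ws.get("Remote Host Name and Port", "").rpartition(":")[2]
    if port.isdigit() and not 1 <= int(port) <= 65535:
        problems.append(("Remote Host Name and Port", "port out of range"))
    return problems

if __name__ == "__main__":
    for field, hint in check_worksheet(WORKSHEET) or [("all fields", "well formed")]:
        print(f"{field}: {hint}")
```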

Figure 9
Active Directory Configuration Form (form not reproduced here; it continues over several pages)

Creating an Admin User

Create a user with administrative privileges to be exclusively used by the driver to authenticate into Active Directory. Doing this keeps the DirXML Admin account isolated from changes to other Admin accounts.

  1. Click Start > Programs > Administrative Tools > Active Directory Users and Computers.

  2. From Active Directory Users and Computers, select the container where you want to add the user, then choose Action > New > User.

  3. Enter the Full Name, which is the AD user object name, and enter the User logon name, which is the AD authentication name.

    Figure 15
    Creating an Active Directory User for the Driver

    Record the logon name plus the domain as the Authentication ID in the table under Required Driver Configuration Information for Active Directory. For example, record novelldirxml@mercury.com. This information will be required later during driver parameter configuration.

  4. Click Next, then set the password for the new user. Mark Password Never Expires so that a password policy won't disable the driver unexpectedly.

    Record the password in the table under Required Driver Configuration Information for Active Directory. This information will be required later during driver parameter configuration.

  5. Click Next, review the summary, then click Finish.

  6. In the Tree view, select Builtin, then right-click Administrators. Select Properties, click Members, then click Add.

    NOTE:  In this scenario, the Builtin Administrators assignment covers the broadest set of possible configurations, but this assignment isn't always necessary. Depending on where you install the driver and how your environment is configured, you might be able to use the Domain Admins group or another administrator equivalent.

  7. Select the full name of the user you created, click Add, then click OK twice.

  8. Close the Active Directory Users and Computers window.

  9. In the Administrative Tools window (Start > Programs > Administrative Tools), select Domain Controller Security Policy.

  10. In the Tree View, select Security Settings > Local Policies > User Rights Assignment.

  11. Open Log On As a Service, then click Add.

    NOTE:  The admin user must log on as a service only when the driver is installed on the domain controller, as is the case in this scenario. If the driver is installed on a member server, logging on as a service is not required.

  12. Click Browse and select the user you created. Click Add, then click OK three times to return to the Domain Controller Security Policy window.

  13. Close the Domain Controller Security Policy.

  14. Update the machine policy for the domain controller.

    You can do this either by rebooting the domain controller or by running the following command at the domain controller command prompt:
    secedit /refreshpolicy machine_policy /enforce

  15. Continue with the next section, Identifying the Active Directory Domain GUID.
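After steps 9 through 14, a practitioner will want to confirm that the driver account really received Log On As a Service, and that the right has not quietly accumulated other holders. The script below is an added example, not part of the original documentation: it assumes the domain controller's policy has been exported with `secedit /export /cfg C:\temp\dc-policy.inf /areas USER_RIGHTS` (a standard secedit invocation, not one the page describes) and audits the `SeServiceLogonRight` entry; SAMPLE_INF is a constructed stand-in for that export.

```python
"""Audit who holds the 'Log on as a service' right (SeServiceLogonRight).
Added example, not part of the original documentation.  Assumed workflow:
export the domain controller's policy with
    secedit /export /cfg C:\\temp\\dc-policy.inf /areas USER_RIGHTS
and pass that file to load_inf(); SAMPLE_INF is a constructed stand-in."""

# Constructed sample in the INF layout secedit writes: principals appear as
# *SID or DOMAIN\name, comma separated, under [Privilege Rights].
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,MERCURY\\novelldirxml,MERCURY\\svc_backup
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def load_inf(path):
    """Read a real secedit export; secedit writes UTF-16 LE with a BOM."""
    with open(path, encoding="utf-16") as f:
        return f.read()

def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def service_logon_report(inf_text, driver_account):
    """Confirm driver_account holds SeServiceLogonRight and list every other
    holder, so the right can be kept to the accounts that actually need it."""
    holders = parse_privilege_rights(inf_text).get("SeServiceLogonRight", [])
    wanted = driver_account.lower()  # Windows account names are case-insensitive
    return {
        "granted": any(h.lower() == wanted for h in holders),
        "other_holders": [h for h in holders if h.lower() != wanted],
    }

if __name__ == "__main__":
    print(service_logon_report(SAMPLE_INF, "MERCURY\\novelldirxml"))
```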


Identifying the Active Directory Domain GUID

Use the ADShimDiscoveryTool utility to expedite data gathering required for driver configuration.

  1. At the computer where you will access iManager and administer DirXML, insert the DirXML CD. When the installation program launches, click Cancel.

  2. From the DirXML CD, run utilities\ad_disc\ADShimDiscoveryTool.exe.

  3. Enter the Administrator password in the LDAP User Password field.

  4. Enter the IP address of the AD domain controller that will be synchronizing data through DirXML.

  5. Leave the default setting in the Port field.

  6. Click Discover.

    Active Directory configuration information is displayed.

  7. Click Paste to File to copy the following configuration values to a text file on the desktop for later use:

  8. Click Exit, then continue with the next section, Installing and Configuring the Remote Loader and Driver.


Installing and Configuring the Remote Loader and Driver

The Remote Loader allows you to run the driver on a computer other than the server hosting the DirXML engine.

  1. At the AD computer that will host the driver, insert the DirXML CD into the CD drive. The CD may take a moment to load. Then, at the Welcome page, click Next.

  2. Read the license agreement; if you agree to the terms, click I Accept.

  3. On the Components page, select DirXML Remote Loader and Drivers, then click Next.

  4. Accept the default installation path for the Remote Loader, then click Next.

  5. Mark the following items, then click Next.

  6. Review the Product Summary, then click Finish to install Remote Loader files.

    If you are presented with an LDAP warning message, verify that no conflicts exist, then click OK.

  7. When prompted, create a shortcut.

  8. On the Installation Complete page, click Close.

  9. Run the DirXML Remote Loader Configuration Wizard from your desktop.

  10. On the Welcome page, click Next.

  11. Keep the default Command Port number, then click Next.

  12. Keep the default Configuration File Name, then click Next.

  13. On the DirXML Driver page, mark Native, ensure that the addriver.dll file is selected in the drop-down list, then click Next.

  14. On the Connection to DirXML page, leave the default Port settings and Addresses.

  15. If appropriate for your environment, mark Use SSL and browse to the Trusted Root Certificate.

    Using SSL with Remote Loader encrypts the communication between the Remote Loader and the DirXML engine. It does not address communication between Active Directory and DirXML. See Active Directory Considerations for more information about secure communication between Active Directory and DirXML.

    You can create a Server Certificate object and then export a self-signed root certificate from your Organizational CA as explained in Exporting the Organizational CA's Self-Signed Certificate. Save the certificate file in base64 format and copy it to a local directory on the computer hosting the Remote Loader.

    IMPORTANT:  If you use SSL, then after the driver configuration is imported you must:
    - Use iManager to edit the Authentication section of the Driver Parameters. In the Remote Loader Connection Parameters add a reference to the certificate as shown in the following example:
    hostname=192.168.0.1 port=8090 kmo=servernamecert.
    - Re-enter the application and the Remote Loader passwords.

  16. Record the port number in the table under Required Driver Configuration Information for Active Directory, then click Next.

    This information will be required later during driver parameter configuration.

  17. Set Trace Level to 3 so that you'll get adequate tracking data from the Remote Loader for troubleshooting.

    Trace information can include general state information, event information, warning messages, error messages, etc.

    Trace Level   Information
    0             No information display or tracking
    1             General informational messages about processing
    2             Displays messages from level 1 plus the XML documents that are passed between the engine and driver
    3             Displays messages from level 2 plus documents sent and received between the Remote Loader and the DirXML engine
    4             Displays messages from level 3 plus information about the connection between the Remote Loader and the DirXML engine

  18. Specify a location and filename for the trace file, then click Next.

    The default location is c:\Novell\RemoteLoader.

    WARNING:  The trace file is a tool to help you monitor events during startup or when you are troubleshooting. Messages will be logged to this file continuously, making it grow until it fills the available disk space. Ensure that the location of this file is appropriate for your environment.

    After you're satisfied that the driver is running as expected, you can reset the Trace Level to 0. Then use the Windows Event Viewer found under Administrative Tools or the eDirectory Report and Notification Service to monitor events on an ongoing basis.

    Ensure that the path you enter actually exists. If the path does not exist, messages will not be logged.

    If the path to the trace file includes spaces, enclose the path in quotes. For example, type "c:\documents and settings\Administrator\My Documents". If the trace level is greater than 0, trace messages will be written to the log file even if the trace window is not open.

    If you are running multiple Remote Loader sessions on a single computer, you should create separate trace files for each session.

  19. Mark Install the Remote Loader Instance as a Service, then click Next.

    Installing Remote Loader as a service allows the Remote Loader to continue to run, even when you log off.

  20. Set Remote Loader and Driver Object passwords.

    We recommend keeping remote passwords and driver passwords the same across systems and changing them later when you go to production.

    Record the passwords in the table under Required Driver Configuration Information for Active Directory. This information will be required later during driver parameter configuration.

  21. Review the summary, then click Finish.

  22. When prompted, start the service.

    You will see the Trace screen with messages indicating that Remote Loader is waiting for a DirXML connection.

    NOTE:  If you close the Trace screen and then want to open it again, you can do so at a command prompt by entering dirxml_remote -window on.

    To stop or start the service, locate DirXML Loader in Microsoft Services (Start > Settings > Control Panel > Administrative Tools > Services).

    The Active Directory system is prepared to synchronize data. Complete preparation of other participating systems and then proceed to Configuring the DirXML Drivers.