Active Directory Integrated DNS Zones, replicate only to specific domain controllers

I have a customer with a fairly large Active Directory forest with many domains that they are trying to consolidate into a single domain, which will likely take 18 to 24 months according to their timeline. During this time, they would like all DNS zones to be serviced directly from the new domain controllers, meaning domain A would have replicas of the zones of domains B, C, D, E, etc. Because the environment is complex and some domain controllers in domains other than A are in a very sad state and replication problems abound, they would like to avoid replicating all zones forest-wide.
I've never done this before, or even considered it necessary; is it even possible? I don't have a ton of time for trial and error, but based on this there seems to be some hope:
https://technet.microsoft.com/en-us/library/cc753801.aspx?f=255&MSPPError=-2147217396
Is this telling me how to do what I want to do?
Thanks
J
Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator

He actually didn't specify much about the dynamic update requirements for the old domains; if they don't need secure dynamic updates, then a primary zone would work:
The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at each server that is configured to load either a standard primary or directory-integrated zone.
REF: Understanding Dynamic updates
This post is provided AS IS with no warranties or guarantees, and confers no rights.
~~~
This post provides no warranties and confers no rights.
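
What the question describes is a custom DNS application directory partition. An AD-integrated zone replicates to exactly the set of domain controllers enlisted in the partition that stores it, and a custom partition can be enlisted on DCs from any domain in the forest, so the new domain-A DCs can host domain B's zone without that zone ever reaching the unhealthy DCs in domain B. The zone stays directory-integrated, so "Secure only" dynamic updates keep working, which a standard primary zone fed by zone transfers cannot offer. The PowerShell below is an added example, not from the original thread; it assumes the DnsServer module (Windows Server 2012 or later, or RSAT), Enterprise Admins rights (creating a forest-wide partition needs them) and placeholder names for the partition, the DCs and the zone.

```powershell
# Added example, not from the original thread. Assumes the DnsServer module
# (Windows Server 2012+ / RSAT), Enterprise Admins rights, and placeholder
# names: one custom partition, two DCs in the new domain A, one zone that
# belongs to domain B, and the healthy domain-B DC that currently holds it.
$Partition  = 'ConsolidationDnsZones'
$HostingDCs = @('DCA01.a.example.com', 'DCA02.a.example.com')  # the only DCs that will end up holding the data
$Zone       = 'b.example.com'
$SourceDC   = 'DCB01.b.example.com'                            # must be enlisted before the zone can be moved

# 1. Create the partition. Its crossRef object lands in the forest Configuration
#    naming context, but only the DC it was created on hosts a replica so far.
Add-DnsServerDirectoryPartition -Name $Partition -ComputerName $HostingDCs[0]

# 2. Enlist every DC that should carry a replica. DCs from any domain in the
#    forest may be enlisted; a DC that is not enlisted never receives the zone.
#    The domain-B DC is enlisted too, because the scope change in step 3 has to
#    be issued on a DC that hosts both the zone and the target partition.
foreach ($dc in (@($HostingDCs | Select-Object -Skip 1) + $SourceDC)) {
    Register-DnsServerDirectoryPartition -Name $Partition -ComputerName $dc
}

# 3. Move the zone out of domain B's DomainDnsZones into the custom partition.
#    It remains AD-integrated, so 'Secure only' dynamic updates stay available.
Set-DnsServerPrimaryZone -Name $Zone -ComputerName $SourceDC `
    -ReplicationScope Custom -DirectoryPartitionName $Partition
Set-DnsServerPrimaryZone -Name $Zone -ComputerName $SourceDC -DynamicUpdate Secure

# 4. Verify (after replication has caught up): where the zone lives now, and
#    which DCs replicate the partition.
Get-DnsServerZone -Name $Zone -ComputerName $HostingDCs[0] |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DirectoryPartitionName, DynamicUpdate
Get-DnsServerDirectoryPartition -Name $Partition -ComputerName $HostingDCs[0] |
    Select-Object DirectoryPartitionName, State, Replica

# 5. Once the domain-A DCs answer authoritatively for the zone, drop the
#    domain-B DC from the partition so nothing in domain B carries the zone.
Unregister-DnsServerDirectoryPartition -Name $Partition -ComputerName $SourceDC
```

On Windows Server 2008 R2 DCs, where the DnsServer module does not exist, the same three operations are dnscmd /CreateDirectoryPartition, dnscmd /EnlistDirectoryPartition and dnscmd /ZoneChangeDirectoryPartition. Two checks are worth doing afterwards: point domain B's clients and DCs at the domain-A DNS servers, and confirm that domain B's DCs can still register their own SRV records into the moved zone by forcing a re-registration with nltest /dsregdns on one of them and watching the _msdcs records appear.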

Similar Messages

  • Tutorial: Azure Active Directory integration with Igloo Software

    Click reply and tell us what you think:
    Tutorial: Azure Active Directory integration with Igloo Software
    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

    Hello
    Can you be a little clearer: what have you tested with AirWatch MDM cloud? Which scenarios?
    1) Device Enrollment?
    2) Access to the AirWatch console?
    3) Access to the AirWatch self-service portal?
    By following the steps we do not get it working at all. By the way, some of the steps in this tutorial are unclear and outdated.
    I finally figured out how things should look and made it work, but only with Device Enrollment scenarios from the mobile devices themselves, not from PCs and browsers or from the Access Panel.

  • Help with Active Directory Integration and kerberos

    Hello,
    I'm encountering a bug preventing me from using Active Directory integration with Kerberos:
    Our domain name is CORP.DOMAIN.COM.
    When we query the GC in this domain:
    bash-3.00# nslookup -query=any _gc._tcp.corp.domain.com
    Server: 1.2.1.6
    Address: 1.2.1.6#53
    ** server can't find _gc._tcp.corp.domain.com: NXDOMAIN
    there is no answer.
    But when we query without corp, we find the servers:
    bash-3.00# nslookup -query=any _gc._tcp.domain.com | grep sis
    _gc._tcp.domain.com service = 0 100 3268 serveur02.corp.domain.com.
    _gc._tcp.domain.com service = 0 100 3268 serveur01.corp.domain.com.
    bash-3.00#
    Is it possible to add the possibility to enter the domain name where the _gc._tcp records reside?
    Thank you.

    Hello
    The domain.com domain exists, but it's not our domain.
    So when I put domain.com, it searches with no result (nothing happens).
    Our kdc.conf:
    [kdcdefaults]
        kdc_ports = 88,750
    [realms]
        CORP.DOMAIN.COM = {
            profile = /etc/krb5/krb5.conf
            database_name = /var/krb5/principal
            admin_keytab = /etc/krb5/kadm5.keytab
            acl_file = /etc/krb5/kadm5.acl
            kadmind_port = 749
            max_life = 8h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            default_principal_flags = +preauth
        }
    krb5.conf:
    [libdefaults]
        default_realm = CORP.DOMAIN.COM
        default_checksum = rsa-md5
    [realms]
        CORP.DOMAIN.COM = {
            kdc = dc01.corp.domain.com
            kdc = dc02.corp.domain.com
        }
    [domain_realm]
        .corp.domain.com = CORP.DOMAIN.COM
        corp.domain.com = CORP.DOMAIN.COM
    In every domain, I think the GCs are in corp.domain.com, but in my company they're in domain.com...
    Thank you,

  • Active Directory integration: Invalid Token Error in Verification Service

    I'm having problems with Active Directory integration. I'm able to browse users in the task routing slip in JDeveloper. But I'm unable to login to the worklist application.
    Getting an "Invalid Token Error in Verification Service" error. Any pointers?
    <2007-06-12 21:40:36,843> <ERROR> <default.collaxa.cube.services> <PCException::<init>> Identity Service Configuration error.
    <2007-06-12 21:40:36,843> <ERROR> <default.collaxa.cube.services> <PCException::<init>> Identity Service Configuration file has error.
    <2007-06-12 21:40:36,859> <ERROR> <default.collaxa.cube.services> <PCRuntimeException::<init>> Identity Service Configuration error.
    <2007-06-12 21:40:36,859> <ERROR> <default.collaxa.cube.services> <PCRuntimeException::<init>> Identity Service Configuration file has error.
    <2007-06-12 21:40:36,859> <ERROR> <default.collaxa.cube.services> <::> WorkflowService:: VerificationService.destroyContext: invalid token: c9pHcmBFtc4q7/EY3xGAv/6hhfa6Hf5tllCb8ZYKtdSA/8/y0exRcwpjy0vWiWGgBPzuIh5Ur+l+ZHDNe0PKb9KiFScsKAG3JK1y+nIJtC827Rljhn8E+/BoF+ZIN6GFYn/iyo/6Mrlmz02Pg4QtetftO7eHJ01rEV5MmZFTXsg8iV6LQPnkAPjqmmsq+5bVYGGfSFpHX7FXk/0FrSabClKy6DKiwt/1Kp2Ldbj2RY8=
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> ORABPEL-30503
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Invalid Token Error in Verification Service.
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Invalid Token Error in Verification Service. Received invalid token c9pHcmBFtc4q7/EY3xGAv/6hhfa6Hf5tllCb8ZYKtdSA/8/y0exRcwpjy0vWiWGgBPzuIh5Ur+l+ZHDNe0PKb9KiFScsKAG3JK1y+nIJtC827Rljhn8E+/BoF+ZIN6GFYn/iyo/6Mrlmz02Pg4QtetftO7eHJ01rEV5MmZFTXsg8iV6LQPnkAPjqmmsq+5bVYGGfSFpHX7FXk/0FrSabClKy6DKiwt/1Kp2Ldbj2RY8= in destroyContext
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Check the underlying exception and correct the error. Contact oracle support if error is not fixable.
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at oracle.bpel.services.workflow.verification.impl.VerificationService.destroyContext(VerificationService.java:667)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at oracle.bpel.services.workflow.query.impl.TaskQueryService.destroyWorkflowContext(TaskQueryService.java:161)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at worklistapp.servlets.Logout.handleRequest(Logout.java:66)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at worklistapp.servlets.BaseServlet.doGet(BaseServlet.java:142)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:396)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at java.security.AccessController.doPrivileged(Native Method)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:410)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:621)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:368)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:866)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:448)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:216)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:117)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:110)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>      at java.lang.Thread.run(Thread.java:595)
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Caused by: BPEL-10555
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Identity Service Configuration error.
    <2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Identity Service Configuration file has error.

    Hi Adina,
    thank you for your answer (questions)!
    We use 10.1.3.1 SOA Suite and the default jazn.com Security Provider, and what we set at the java.naming.security.principal property is oc4jadmin.
    It is interesting: we deployed our EAR again and now it works again! There is no Invalid Token Error exception, but we didn't change almost anything...
    Can we debug it somehow?
    Where does this bug come from?
    Thanks!
    ric

  • Active directory Integration with OBIEE

    Hi all,
    Can anyone send me a link for Active Directory integration with OBIEE?
    I have imported the users successfully and I was able to log in to Analytics as an AD user.
    But SSO is not possible. Kindly help me with this.
    Thanks,
    Haree.

    Thanks for the reply veeravalli.
    I too followed the same link and successfully imported all the users from AD into OBIEE, and logging in is also possible.
    But my requirement is to have Single Sign-On, i.e. users may log on to their Windows PCs and access Oracle BI EE via a standard web browser with no further authentication required on their part.
    Thanks,
    Haree

  • Can Microsoft active directory integrated with Oracle Applications

    Hi,
    Can anyone provide me any document on Microsoft Active Directory Integration with Oracle Applications(12.0.6)
    Manish

    Hi,
    It is possible, please refer to the following documents for details.
    Note: 376811.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On
    Note: 415007.1 - Oracle Application Server with Oracle E-Business Suite Release 12 FAQ
    Regards,
    Hussein

  • Issue with Reset Password from Active Directory Integration Pack

    I seem to be having some issues with a subscription in the Reset Password activity from the Active Directory Integration Pack. The "User Password" field refuses to take a value from a subscription provided earlier in a Generate Random
    Text activity. As you will see in the screenshot below, when the Reset Password activity runs, the User Password value is blank.
    Any idea why this might be happening? It looks like a possible bug with the Active Directory Integration Pack.

    Hi John,
    I think this is not a bug; this should be by design because the password is a secure string. If you look at the Published Data for the Reset User Password activity at
    http://technet.microsoft.com/en-us/library/hh553463.aspx it is not listed there either.
    If you need the string (e.g. to send it via email), use the
    data from the "Generate Random Text" activity.
    Regards,
    Stefan
    www.sc-orchestrator.eu ,
    Blog sc-orchestrator.eu

  • Recommended DNS zone replication scope for single domain environment

    Hi, in my company we have domain/forest functional level Windows Server 2008 R2; there is only one domain. AD DS is installed on 5 servers and
    AD-integrated DNS zones are used.
    I noticed today that on both forward lookup DNS zones, _msdcs.internaldomain.com
    & internaldomain.com, the zone replication scope was set to
    All DNS servers in this domain, and also for one reverse lookup zone. I changed this setting for all these zones to
    All domain controllers in this domain, but later (10-15 mins at most) I reverted these settings back to
    All DNS servers in this domain.
    Which zone replication scope for the mentioned zones is recommended, keeping in mind this is a single domain environment? Also, could I have done any harm to DNS and AD when I changed the zone replication scope and later reverted it for these zones? How can I check
    that DNS-related information (zones) is located where it should be in Active Directory, and that there is no garbage in other locations (partitions) in the AD database?

    Hi,
    All DNS servers in this domain : Replicates zone data to all Windows Server 2003 and Windows Server 2008 domain controllers running the DNS Server service in the Active Directory domain. This option replicates zone data
    to the DomainDNSZone partition. It is the default setting for DNS zone replication in Windows Server 2003 and Windows Server 2008.
    http://technet.microsoft.com/en-us/library/cc772101.aspx
    Hope this helps.
    Regards.
    Vivian Wang
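
The reply covers the scope; the last part of the question (where the zone data actually sits, and whether stale copies remain) can be answered from the directory itself. Each replication scope maps to one container: "All domain controllers in this domain" (the legacy, Windows 2000-compatible scope) stores the zone under CN=MicrosoftDNS,CN=System in the domain naming context, which replicates to every DC whether or not it runs DNS; "All DNS servers in this domain" uses the DomainDnsZones application partition; "All DNS servers in this forest" uses ForestDnsZones. A scope change does not move the zone object: the zone is created in the new partition and deleted in the old one, so the old copy lingers as a tombstone until the tombstone lifetime expires. In a single-domain forest the domain and forest scopes reach the same DCs, so the defaults created at promotion are the sensible choice. The PowerShell below is an added example, not from the thread; it assumes the ActiveDirectory and DnsServer modules (RSAT or Windows Server 2012 and later), a placeholder domain and a placeholder DC that runs the DNS Server service, and it only reads.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and DnsServer
# modules (RSAT / Windows Server 2012+) and placeholder names for the domain and
# for a DC that runs the DNS Server service. Read-only.
$DC       = 'DC01.internaldomain.com'
$DomainDN = 'DC=internaldomain,DC=com'

# Every container an AD-integrated zone can be stored in, the replication scope
# that container implies, and the naming context whose Deleted Objects container
# would hold a tombstone left behind by a scope change.
$Locations = @(
    @{ Scope = 'Legacy (all DCs in this domain)';      Container = "CN=MicrosoftDNS,CN=System,$DomainDN";         NC = $DomainDN }
    @{ Scope = 'Domain (all DNS servers in domain)';   Container = "CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"; NC = "DC=DomainDnsZones,$DomainDN" }
    @{ Scope = 'Forest (all DNS servers in forest)';   Container = "CN=MicrosoftDNS,DC=ForestDnsZones,$DomainDN"; NC = "DC=ForestDnsZones,$DomainDN" }
)

# 1. The DNS server's own view of each AD-integrated zone.
Get-DnsServerZone -ComputerName $DC | Where-Object IsDsIntegrated |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName, DynamicUpdate |
    Format-Table -AutoSize

# 2. What the directory actually contains: live dnsZone objects per container,
#    plus tombstones (deleted copies carry "<name>\nDEL:<guid>" as their name).
$Found = foreach ($loc in $Locations) {
    Get-ADObject -Server $DC -SearchBase $loc.Container -SearchScope OneLevel `
        -LDAPFilter '(objectClass=dnsZone)' -Properties whenChanged -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Zone = $_.Name; Scope = $loc.Scope; Deleted = $false; WhenChanged = $_.whenChanged } }
    Get-ADObject -Server $DC -SearchBase "CN=Deleted Objects,$($loc.NC)" -IncludeDeletedObjects `
        -LDAPFilter '(objectClass=dnsZone)' -Properties whenChanged -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Zone = ($_.Name -split "`n")[0]; Scope = $loc.Scope; Deleted = $true; WhenChanged = $_.whenChanged } }
}
$Found | Sort-Object Zone, Deleted, Scope | Format-Table -AutoSize

# 3. Garbage check: each zone is supposed to have exactly one live object.
#    Two live copies in different scopes means the DNS servers disagree about
#    which one is authoritative; tombstones alone are expected after a scope change.
$Found | Where-Object { -not $_.Deleted } | Group-Object Zone | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning ("Zone '{0}' is live in more than one scope: {1}" -f $_.Name, ($_.Group.Scope -join ' / ')) }
```

Run it against more than one DC if the forward and reverse zones were changed from different consoles; the DNS server view in step 1 and the directory view in step 2 should agree on every DC once replication has converged.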

  • Is there any way to log in to active directory from a mac without joining the AD domain?

    I am looking for a way to log in to Active Directory without having the Mac join the AD domain. Basically I have not been able to understand all the ramifications of joining the AD domain. From what I have read in various documentation on the Apple site and some of the AD plug-in sites, it seems that if the Mac joins the domain, all kinds of group policies get 'transferred' to the Mac experience. How exactly does that affect the privileges of the local Mac user on their machine? Do they need to change their Mac password? What happens to their existing home directories? What happens when they have their laptops at home?
    TIA
    Costas Manousakis

    Costas Manousakis wrote:
    The reason I am hesitant about binding the Macs is that I'm not sure what all the effects of that are. Will they have to change their Mac passwords / usernames? More than likely the auto login will have to go. If there are multiple accounts on the Mac (e.g. one admin account and other regular and admin accounts), how does binding affect them? How will it work when the Mac is not in the office? If they have admin rights on the Mac but not in the Windows AD, how will that affect them? Do you know of a source I could go to to find answers for questions like these?
    Unfortunately, the source for answers should be your IT department. I can tell you how my machine works. I have a personal machine with no restrictions and a work machine bound to an Active Directory domain. Even my work machine has few restrictions compared to normal. I have a privileged account I can use if necessary. Also, I'm pretty much a goody-two-shoes so I don't try to circumvent restrictions.
    Basically, the Mac uses a system called Open Directory to manage user accounts. Every Mac comes with its own miniature Open Directory server. If you have a network with MacOS X Server, you can use the server's Open Directory. You can also use Microsoft's Active Directory to perform all the same tasks. The user's logins and passwords would be whatever is on Active Directory. They can change their password on the Mac and it will change the Active Directory password. Active Directory can enforce passwords expirations too.
    I am not an Active Directory administrator, so I can't give you specifics. Pretty much everything you have mentioned can be controlled via Active Directory. That is what it is for. It does require active participation of your IT staff. If you don't have that, then I don't see it working out well. It sounds like a paradox. IT wants to control users, but doesn't want to deal with it. You can't have it both ways. Maybe let it be known among the Mac users that visiting those restricted sites could cause IT to get rid of Mac altogether. That does sound like a probable outcome.

  • Active Directory Replication Servers (wont replicate SYSVOL and NETLOGON Not showing)

    I have my first DC server (DC1), DC1.DOMAIN.LOCAL. I decided to add another domain controller, made it a secondary DNS server and also a GC. Everything seems to replicate, but it's missing NETLOGON and SYSVOL won't replicate.
    Windows 2008 R2

    Event 5706
    The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\INFGRP.LOCAL\SCRIPTS.  The following error occurred: 
    The system cannot find the file specified.
    Event 7009
    A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
    Event 1058
    The processing of Group Policy failed. Windows attempted to read the file \\INFGRP.LOCAL\SysVol\INFGRP.LOCAL\Policies\{55DE4000-0D51-44CD-92A1-30F286B2BC86}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until
    this event is resolved. This issue may be transient and could be caused by one or more of the following: 
    a) Name Resolution/Network Connectivity to the current domain controller. 
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
    c) The Distributed File System (DFS) client has been disabled.
    All Critical
    This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS
    Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
    Test replication
    Domain Controller Diagnosis
    Performing initial setup:
       * Verifying that the local machine dc, is a DC. 
       * Connecting to directory service on server dc.
       * Collecting site info.
       * Identifying all servers.
       * Identifying all NC cross-refs.
       * Found 2 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\dc
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             * Active Directory RPC Services Check
             ......................... dc passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\dc
          Starting test: Replications
             * Replications Check
             * Replication Latency Check
                DC=ForestDnsZones,DC=GRP,DC=LOCAL
                   Latency information for 7 entries in the vector were ignored.
                      7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                DC=DomainDnsZones,DC=GRP,DC=LOCAL
                   Latency information for 7 entries in the vector were ignored.
                      7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                CN=Schema,CN=Configuration,DC=GRP,DC=LOCAL
                   Latency information for 8 entries in the vector were ignored.
                      8 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                CN=Configuration,DC=GRP,DC=LOCAL
                   Latency information for 9 entries in the vector were ignored.
                      9 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                DC=GRP,DC=LOCAL
                   Latency information for 9 entries in the vector were ignored.
                      9 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
             ......................... dc passed test Replications
          Test omitted by user request: Topology
          Test omitted by user request: CutoffServers
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: Advertising
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: RidManager
          Test omitted by user request: MachineAccount
          Test omitted by user request: Services
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: frssysvol
          Test omitted by user request: frsevent
          Test omitted by user request: kccevent
          Test omitted by user request: systemlog
          Test omitted by user request: VerifyReplicas
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: CheckSecurityError
       Running partition tests on : ForestDnsZones
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : DomainDnsZones
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : Schema
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : Configuration
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : GRP
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running enterprise tests on : GRP.LOCAL
          Test omitted by user request: Intersite
          Test omitted by user request: FsmoCheck
          Test omitted by user request: DNS
          Test omitted by user request: DNS
    On the second DC (DCR), I see SYSVOL with no files replicated, and there's also no NETLOGON.
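
The events in the post fit together: the "All Critical" event says the domain has already migrated SYSVOL replication to DFS Replication and stopped FRS, event 5706 says Netlogon cannot create the NETLOGON share because the SCRIPTS folder under SYSVOL does not exist on this DC, and event 1058 is the consequence, Group Policy not being read from that DC. Because the policies in SYSVOL are what domain members enforce, a DC that advertises itself while serving an empty SYSVOL is a policy-integrity problem and not only a replication one. The PowerShell below is an added example, not from the post; it only reports, assumes it is run elevated on each DC (PowerShell 2.0 on Windows Server 2008 R2 is sufficient), uses the domain name as a placeholder, and runs the dcdiag tests that the output above marks as omitted.

```powershell
# Added example, not from the post. Run elevated on each DC (PowerShell 2.0 on
# Windows Server 2008 R2 is enough). Nothing here changes state.
$Domain = 'INFGRP.LOCAL'   # placeholder; use the domain shown in event 5706

# 1. Which engine is supposed to replicate SYSVOL, and how far the migration
#    got. Both DCs must report the same state.
dfsrmig /getglobalstate
dfsrmig /getmigrationstate

# 2. Service state after a completed migration: DFSR running, FRS stopped.
Get-Service -Name DFSR, NtFrs -ErrorAction SilentlyContinue | Select-Object Name, Status

# 3. The local folders and shares Netlogon depends on. Event 5706 is raised
#    when SYSVOL\sysvol\<domain>\SCRIPTS is absent; without it NETLOGON is never created.
$SysvolRoot = Join-Path $env:SystemRoot "SYSVOL\sysvol\$Domain"
foreach ($sub in 'Policies', 'scripts') {
    $path = Join-Path $SysvolRoot $sub
    '{0,-60} exists: {1}' -f $path, (Test-Path $path)
}
Get-WmiObject Win32_Share | Where-Object { 'SYSVOL', 'NETLOGON' -contains $_.Name } |
    Select-Object Name, Path

# 4. The events quoted in the post (System log, last 24 hours), then everything
#    DFSR itself logged that is a warning or worse; the DFS Replication log is
#    where the reason for a replicated folder not initializing shows up.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5706, 7009, 1058; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { 1..3 -contains $_.Level } |   # 1 critical, 2 error, 3 warning
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 5. The dcdiag tests the run in the post skipped that cover exactly this.
dcdiag /test:NetLogons /test:Advertising /test:Services
```

Compare the output of step 1 and step 3 between DC1 and DCR: if the global state is DFSR on one DC and the folders exist only there, the second DC has never completed initial synchronisation of the SYSVOL replicated folder, which is the case the DFS Replication log entries from step 4 describe.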

  • Active Directory integration problem, Bind AC and OD

    Hi.
    I'm trying to set up Open Directory to "connect to a Directory System" because I have a Windows 2000 server with Active Directory. But I have a problem: when I click on "Open Directory Access", Directory Access appears and I select Active Directory.
    xxx.yyy is the server with Active Directory, with its admin and its password, but I can't bind it and an error always appears.
    Can you help me?
    What's "active directory domain"? Is it xxx.yyy?
    And what's "computer ID"?
    Are there other parameters to set, for example in DNS or elsewhere?
    help help help

    What are you trying to achieve by doing this?
    Go to http://www.afp548.com/ and search for AD-OD integration.
    http://www.afp548.com/article.php?story=20051202151540574

  • Active Directory integrated LION with offline Domain Controller

    Hi,
    I have some OS X Lion machines, and all of them are joined to the Win2008 AD. There is no issue when the Domain Controller is reachable, but when it is not reachable, or the machine is not on the same network as the DC, then I am not able to log in with my AD user.
    In Windows the last credential is stored on the local machine, so if the machine is OFFLINE from the DC, it is still able to let the AD user log in.
    Is there any trick or option for implementing this with my Lion clients? Or is there no way to use an AD user when AD is not reachable?
    Thanks in advance!


  • Failover agents who work with active directory integration

    Hi Guys,
    I have implemented 'Active Directory' failover in SCOM, but what I see is that it doesn't work.
    The agents are assigned by AD, but the first (RMS role) management server has got all the agents, is too busy and
    has many problems handling all the load. Even in this case nothing is failing over.
    A few I could fail over by hand, but most I cannot because 'Change primary management server' is greyed out, even with the agents turned back from manual to automatic (blog Kevin Holman).
    1. Has anybody got any idea of how to get the AD failover to work automatically?
    2. Has anybody got a workaround to do this manually, by PowerShell (SCOM 2012 R2 cmdlets), bypassing the greyed-out 'Change primary management server'?
    3. In my failover screen I see the management servers + the internet DMZ gateway server. I don't want to fail over to the internet DMZ gateway server. Can I delete this?
    Please have a look at my specific questions. I have read many blogs that are based on PowerShell without AD integration, or AD integration without explaining how the automatic failover works.
    Kind regards,
    André

    Hi,
    SCOM Windows agent automatic failover does not require AD integration, PowerShell scripting, Configuration Manager or manual agent installation, especially for small to medium environments; agent distribution between different SCOM management servers
    can be accomplished through the push agents wizard, and Windows agent failover can simply be verified from Event Viewer.
    Please refer to the below links for more details:
    How to Use Active Directory Domain Services to Assign Computers to Management Servers
    http://technet.microsoft.com/en-us/library/hh212712.aspx
    OpsMgr AD Integration - how it works
    http://blogs.msdn.com/b/steverac/archive/2008/03/20/opsmgr-ad-integration-how-it-works.aspx
    Regards,
    Yan Li

  • Process flow - Active Directory integration with Enterprise Portal

    Hi
    I have seen a number of documents/forum discussions on integrating Microsoft Active Directory (LDAP) with Enterprise Portal, but I am unable to find the process flow for achieving it.
    I have installed Enterprise Portal 6 (SP13) running on Web AS 640 (J2EE Standalone). The UME is currently configured to use the Java database (i.e. datasourceconfiguration_database_only.xml).
    I intend to proceed as below for integrating with Active Directory and with Windows authentication:
    1) Configure UME to use an LDAP Server as Data Source using the Config Tool
    http://help.sap.com/saphelp_erp2004/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm
    2) Configure Enterprise Portal UME, i.e. http://<host name>:50000/irj - System Administration - System Configuration - UM Configuration
    Should I configure Data Sources & LDAP Server here as I have already configured these using the J2EE Config Tool (point no. 1)?
    3) Integrate Windows authentication with EP using the IISProxy module.
    I hope the above will enable me to log on to the Portal without supplying a username and password once I am logged on to the PC with my Windows user name and password.
    Also, are any schema updates required to Active Directory, i.e. what additional data is stored in AD?
    I would appreciate your guidance on this.
    Thanks in advance,
    Chandu

    Hi Chandau,
    you wanted some users not to be taken into account by the User Management Engine (UME).
    This behavior can be established by specifying the
    ume.ldap.negative_user_filter property for the LDAP data sources in the data source configuration file. Using this property one can define that all users and accounts that
    match the defined conditions are filtered out by the UME API.
    Detailed documentation can be found in the SAP Online Help:
    http://help.sap.com/saphelp_nw04/helpdata/en/9a/f43541b9cc4c0de10000000a1550b0/
    content.htm
    In the following example of a data source configuration file for Microsoft Active Directory
    Server, the attribute userPrincipalName is used as the Logon ID of a portal user (j_user).
    Here the user accounts that have one of the following Logon IDs (index_service,
    notificator_service and cmadmin_service) are filtered out.
    <dataSources>
        <dataSource id="CORP_LDAP">
            <privateSection>
                <ume.ldap.negative_user_filter>
                    userPrincipalName=[index_service,notificator_service,cmadmin_service]
                </ume.ldap.negative_user_filter>
            </privateSection>
        </dataSource>
    </dataSources>

  • Active Directory integration with call manager

    Hi,
    I am facing issues while Integrating the CCM to my Active Directory using AD Plug-in.
    SITE SETUP:
    1. Windows 2003 Parent Domain Controller located remotely with GC.
    2. Windows 2003 Child Domain for the Parent DC located Locally with GC.
    3. Cisco CallManager 4.1.3 sr3b
    My Requirement is to integrate CCM with my Windows 2003 AD.
    My Questions are:
    1. Do I need to Provide the Parent Domain name or the Child Domain name while performing the AD Plug-in Setup?
    2. Does my Call Manager need to have the Forest access of the Active Directory (i.e., Does it perform some modifications in the Parent Domain)?
    3. Does the user account (which is used for Directory Integration) need to have direct members of Schema Admins or thru some other domain admin groups (i.e., Admin user -> Child Domain Admins Groups -> Parent Domain and Schema Admin Groups)?
    Can anyone help me with this?
    Thanks,
    V.Kumar

    1. Do I need to Provide the Parent Domain name or the Child Domain name while performing the AD Plug-in Setup?
    Use the root domain, in this case the Parent domain.
    Cisco does not recommend having a Cisco Unified CallManager cluster service users in different domains because response times while user data is being retrieved might be less than optimal if domain controllers for all included domains are not local.
    2. Does my Call Manager need to have the Forest access of the Active Directory (i.e., Does it perform some modifications in the Parent Domain)?
    Yes, actually all domains in the forest share the same Schema, which will be modified after running the AD plugin.
    3. Does the user account (which is used for Directory Integration) need to have direct members of Schema Admins or thru some other domain admin groups (i.e., Admin user -> Child Domain Admins Groups -> Parent Domain and Schema Admin Groups)?
    Account should be a member of the Schema Admins group in Active Directory, try the one in parent domain.
    Correct permissions for CCMAdministration and similar example for your setup:
    http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a00806e8c04.html#wp1043057
    HTH
