Easy migration from DCD to Active Directory?

Hi All,
I've got a CM running DCD and about 2000 users. They now want to migrate to AD - I understand the plugin doesn't move the users over to AD so is there any "tool" developed to add the users to AD afterwards?
Many thanks to you all in advance,
Stuart

I would echo the thoughts of the first poster, people really need to think about what they are gaining by linking to AD, and if it outweighs the drawbacks. It has been the biggest headache on our deployment since we switched.
That said, what kind of redundancy are you looking for? The MS side of the network should be providing redundancy for the AD, and as far as the connection from CCM you can (and will) run the plugin at will and during production hours.
Also, what accounts are you trying to move over to AD?

Similar Messages

  • Problem in provisioning user from oim to active directory using ssl

    Hi,
    I have a problem provisioning a user from OIM to Active Directory using SSL. I am getting the following error while provisioning the user to AD.
    15:18:12,984 ERROR [ADCS] Communication Errorsimple bind failed: 172.16.30.35:636
    15:18:12,984 ERROR [ADCS] The error occured in tcADUtilLDAPController::connectToAvailableAD():simple bind failed: 172.16.30.35:636
    15:18:13,015 ERROR [SERVER] Class/Method: tcProperties/tcProperties encounter some problems: Must set a query before executing
    com.thortech.xl.dataaccess.tcDataSetException: Must set a query before executing
    at com.thortech.xl.dataaccess.tcDataSet.checkExecute(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.util.tcProperties.<init>(Unknown Source)
    at com.thortech.xl.dataobj.util.tcProperties.initialize(Unknown Source)
    at Thor.API.tcUtilityFactory.getLocalUtility(Unknown Source)
    at Thor.API.tcUtilityFactory.getUtility(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableNextAD(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupRecon.performReconciliation(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
    at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
    at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
    Can anyone help?
    Thanks and Regards,
    praveen,

    Are you able to connect to AD over SSL through some LDAP browser?
    Have you checked the validity of the certificate?
    Does your certificate appear in the list?

  • Migration SBS2003 to SBS2008 Active Directory Replication

    I am migrating from SBS2003 server to SBS2008.  I fired up the 2008 server on the network with the 2003 server and started the migration.  I got about 25% progress on the “Expanding and Installing Files” window when I got an error message of “Active Directory Replication is taking longer than expected.  You can choose whether to continue waiting.  If you choose not to wait the migration may fail.  Unless you are sure that replication is working correctly, it is recommended that you continue to wait”.  After waiting three times of 20 minutes each I don’t think it is working.  What are my options?  What can I check for?

    Hi,
    As it is an SBS-related issue, you may wish to post to the SBS newsgroup. This will provide access to others who read the public newsgroups regularly and who will share their knowledge.
    Connect Windows Small Business Server 2008
    http://connect.microsoft.com/SBS08
    Thank you for your understanding and cooperation.
    Miles

  • Can you authenticate user/password from SAP to Active Directory

    I don't want to implement SSO for ABAP because my company doesn't have the license for  "SAP NW Single Sign-On"; but we would like to authenticate our users and their passwords to active directory.  Our goal is to make sure the user/password in SAP is the same as their Active Directory user/password.  Is this possible?
    Thanks!

    This has been discussed many times, for example see SSO with LAN UserID/Password. The short answer is no, you can't synchronize passwords. You can however achieve the requirement assuming you are using Identity Management to provision users and passwords to all systems (AD, SAP, etc). In that case you will have to deal with users changing their password. Recommendation is to enable SSO. If you don't want to get licenses for NWSSO, try to look at other options (X.509 certificates, SPNEGO in AS JAVA and then issue a Logon Ticket, 3rd party solution, etc).

  • Adding Users from sharepoint into Active Directory Groups

    I have a requirement for an Approval Workflow where the approved user gets added to an AD group directly. I think 2-way sync is possible. Please help.

    Out of the box, I really doubt that this is possible BUT it can more than likely be achieved via the Object Model.  A good discussion and some attached code can be seen here.
    https://social.technet.microsoft.com/Forums/office/en-US/a1905a01-e7a7-458b-a7a6-d24cd4e19e09/action?threadDisplayName=add-a-user-in-ad-group-from-sharepoint
    Steven Andrews
    SharePoint Business Analyst: LiveNation Entertainment
    Blog: baron72.wordpress.com
    Twitter: Follow @backpackerd00d
    My Wiki Articles:
    CodePlex Corner Series
    Please remember to mark your question as "answered" if this solves (or helps) your problem.

  • Provisioning: Users from OIM to Active Directory

    Dear Experts!
    I am trying to set up provisioning from OIM to AD. I just want to provision users from OIM to AD.
    I am going through this documentation/tutorial:
    http://download.oracle.com/docs/cd/E11223_01/doc.910/e11197/deploy.htm#insertedID0
    I also read this:
    http://www.oracle.com/technology/obe/fusion_middleware/im1014/oim/ad_provision/prov2ad.htm
    But it just won't work. The provisioned resource always gets status rejected in the (To-Do List --> Open Tasks).
    Then i tried to test the connection to AD using this documentation:
    http://download.oracle.com/docs/cd/E11223_01/doc.910/e11197/testing.htm
    And i get this error in the console:
    http://img689.imageshack.us/img689/3190/errorq.png
    The IT resource: ADITResource looks like this:
    Remote Manager Prov Script Path:     
    Admin FQDN: [email protected]
    Use SSL: no
    Remote Manager Prov Lookup: AtMap.AD.RemoteScriptlookUp
    Target Locale TimeZone: GMT
    Port Number: +636+
    AtMap ADUser: AtMap.AD
    ADGroup LookUp Definition: Lookup.ADReconciliation.GroupLookup
    isUserDeleteLeafNode: no
    Allow Password Provisioning: no
    UPN Domain: domain-test.local
    AtMap ADGroup: AtMap.ADGroup
    ADAM LockoutThreshold Value: +5+
    isADAM: no
    Admin Password: *********
    Invert Display Name: no
    Root Context: dc=domain-test,dc=local
    Server Address: testing-server.domain-test.local
    Could the problem be that I don't use SSL? I don't set passwords in AD, and I have read that then I don't need SSL...?
    I am new to OIM, so your response is greatly appreciated!
    Thank you very much in advance!

    Hello again Raj!
    Thank you for your answer. You have always good ideas...
    *1) Whats the response that you are getting from AD for this operation. Check this as following:*
    Go to Users->UserABC->(Resource Profile from Drop down)->(Click your particular resource instance)->(Select the rejected task precisely "Create User")
    I get this on the Task Name - Create User:
    Status:Rejected
    Response: Please Select the Organization or Container Name from Organization Name Lookup
    Response Description: Please Select the Organization or Container Name from Organization Name Lookup
    But i can't get to populate the Organization Name on the user form, because there are no values available.
    Under Error Details there is nothing.
    *2) If your IT resource parameters are incorrect, you will get a connection error in logs. Your port information is correct, it has to be Port->389 and Use SSL-no*
    I have created a new IT resource without SSL. Just to test the connection to AD. It works because I get “Successfully established connection to the AD_Test_without_SSL.”
    Below is my NEW configuration for the IT Resource.
    IT Resource Name:* AD_Test_without_SSL
    IT Resource Type:* AD Server
    ADAM LockoutThreshold Value:* 5
    ADGroup LookUp Definition:* Lookup.ADReconciliation.GroupLookup
    Admin FQDN:* [email protected]
    Admin Password:* *********
    Allow Password Provisioning:* no
    AtMap ADGroup:* AtMap.ADGroup
    AtMap ADUser:* AtMap.AD
    Invert Display Name:* no
    isADAM:* no
    isUserDeleteLeafNode:* no
    Port Number:* 389
    Remote Manager Prov Lookup:* AtMap.AD.RemoteScriptlookUp
    Remote Manager Prov Script Path:*
    Root Context:* dc=domain-test,dc=local
    Server Address:* testing-server.domain-test.local
    Target Locale TimeZone:* GMT
    UPN Domain:* domain-test.local
    Use SSL:* no

  • Migrating to new Active Directory Domain

    Hey people,
    I have a OSX Server here at a school which I need to move from an old Active Directory domain to a new one. We are having a restructure of our IT System and 90% of our equipment is PC but have a few macs on site for the specific tasks that we need them to do.
    The OSX server was set up 2 years ago by some consultant who charged an arm and a leg, so it's up to me this time round to configure it. It is not a vital part of the IT system so a rebuild is possible, but the quicker it can be moved across the better.
    So my question is: is it easier to "modify" the settings on the OSX Server to the new domain (i.e. change field names in Server Admin) or rebuild the server from scratch?
    Our configuration is Apple clients authenticate to AD, but grab all their settings and OSX group membership from the OSX server. I have here a guide called "Leveraging Active Directory on OSX"; would this be useful if I need to rebuild the server? I am fairly confident that I won't run into too many problems, but things like Kerberos settings, etc. may confuse me. Any help would be excellent!

    Hi,
    perform homogeneous system copy if you migrate from one server to other.
    find document at service.sap.com/systemcopy
    if you just add your local system to the domain then look at the following
    Domain name change for an existing SAP System
    regards,
    kaushal

  • Date and Time in Active Directory

    How to update date and time from the internet on an Active Directory server?

    Hey Hadi.Balaghi,
    You do this from the command line by using W32TM command
    Example: "w32tm /config /manualpeerlist:ntp1.tpg.com.au /syncfromflags:manual" (it will be updated from the ntp1.tpg.com.au server time).
    I've provided you a link that explains in simple amazing on any subject time update, it also presents an example.
    I recommend you watch the video and learn
    https://www.youtube.com/watch?v=-NCheMw851M
    Please Mark This As Answer if it helps to solve the issue
    Tzuri Ben Ezra | My Certifications:
    CompTIA A+ ,Microsoft MCP, MCTS, MCSA, MCITP

  • Creating group dynamically in active directory depending on their role

    Hi,
    I have sync oid and active directory using directory integration platform. Now the scenario is We have one system says hr system which take care of entering all the user information. Once it submit that information it goes to oid. Now we want that when we import all that user from oid to active directory it didn't duplicate any user as well as depending on their role it should create groups dynamically in active directory. For e.g: If user belong to Trainee category or manager category it must create Trainee group & Manager group & respective person should go into that group. I don't know whether my question is placed in right group or not. I am using filter to do this task but not able to write proper condition in "source matching filter" and "destination matching rule". Any help will be appreciated.
    Thanks,
    Sonya Sharma

    Thanks Tamim. To clear your thought, i will explain again. I have sync oid and active directory through Directory integration platform. I have created user in oid.(cn=users,dc=mycompany,dc=com). It get sync in active directory properly. Now i have created two group in active directory say for e.g Trainees and Manager. There is a field name position in oid which is a custom attribute. When i fill the information of user in oid, I have to fill "Position" attribute also. So my question is that, if i fill Trainee as a value in Position attribute and click on submit it should go in Trainee Group In active directory and not in user group. Same for manager. How can we achieve this? Can we do it through filter? Or any other way? It's needed desperately. Please help me in resolving this issue.
    Regards,
    Sunil

  • LMS 2.6 and ACS 4.2 compatible with Windows 2008 R2 Active Directory?

    Hi,
    We are planning to upgrade CORP Domain from Windows 2003 Active Directory Schema to Windows 2008 R2 Active Directory Schema.
    I wanted to know if the following applications which are installed on windows (domain member servers) are compatible with windows 2008 server R2 schema?
    CiscoWorks LAN Management Solution 2.6
    Cisco Secure Access Control System 4.2
    Cisco Fabric Manager 1.5
    Any help is much appreciated!

    - CiscoWorks LAN Management Solution 2.6 - Not supported and this software is EOS-EOL.
    www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_end-of-life_notice0900aecd80532c07.html
    - Cisco Secure Access Control System 4.2 - Not supported either:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/install.html#wp1041324
    - Cisco Fabric Manager 1.5 - Was not able to find anything for version 1.5 and not really familiar with this product.  However, according to the below not even version 4.2(7d) supports 2008:
    www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/fm/release/notes/20325_10.html#wp657668

  • Creating users in Active Directory through LDAP connector

    Hello,
    If we need to create users in Active directory using LDAP connector, what are the options for the following:
    1) Update back into SAP from AD. LDAP connector updates only in one direction i.e from SAP to Active directory.
    2) Can we add additional fields in LDAPMAP which are not standard, e.g. can we write our own code to extract data from HR to map the value with an attribute within Active Directory?
    Regards,
    Ahmad

    Hello!
    I noticed the email in my inbox and understand the reason for deleting it - checked the rules again - no problem with that.
    Here is the posting again - sanitized this time.
    You can create users in LDAP/AD from SAP without a problem. SAP provides function modules to create/maintain/delete users with LDAP attributes in the correct ou path.
    You can also perform group membership assignment in LDAP from SAP if needed.
    I have done this quite a few times at different companies that use SAP HCM.
    A userid in SAP is created automatically during hiring action with default password e.g. birthday of employee and certain authorization roles based on configured information.
    The userid is then created right away in LDAP in the correct ou path (controlled via custom configuration table) and LDAP group membership is assigned.
    A job runs every 8 hours to perform delta updates in LDAP.
    The userid in SAP and LDAP are locked automatically if the user is terminated using termination action in HR.

  • MS Active Directory LDAP Authentication/Locking Issue.

    Dear All,
    We are a software company; we have implemented feature of LDAP Authentication in our product using Java API and its working fine from our network environment.
    We have used following things with LDAP feature.
    1. User Authentication.
    2. Locking the account after exceeding the maximum attempts configured in Windows Server.
    Our main issue is: the LDAP feature is not working properly on our client's side. They are able to authenticate their LDAP user but are not able to lock the user account even though they have exceeded the maximum attempts from the login dialog of our product, but it is still working on our side.
    If anybody has any experience with this, please reply with a positive solution or any other information, such as specific configuration required for different versions of Windows and Active Directory Server etc.
    Does anybody know what the possibilities are for identifying and resolving this issue?
    Please help us if anybody has any experience with this.
    Please do the needful.
    Thanks,
    Mehul.

    Hi,
    Thanks for your reply.
    We have used java package of javax.naming.* and javax.naming.directory.* for LDAP Authentication.
    Following code for checking whether ADS User is valid or not.
    // Imports needed by the enclosing class
    import java.util.Hashtable;
    import java.util.Vector;
    import javax.naming.*;
    import javax.naming.directory.*;

    /**
     * Function checks whether ADSUser is valid user or not
     * @return int value indicating result.
     */
    public int isValidADSUser() {
        Hashtable env = new Hashtable(5);
        Vector adsInfoVec = getADSInfo();
        env.put("java.naming.referral", "ignore");
        // env.put("java.naming.security.authentication", "simple");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        String provider = "com.sun.jndi.ldap.LdapCtxFactory";
        env.put("java.naming.factory.initial", provider);
        // For handling Uncontinued reference found message of partial result exception
        // (Context.REFERRAL is the same key as "java.naming.referral", so this replaces "ignore")
        env.put(Context.REFERRAL, "follow");
        env.put("java.naming.ldap.derefAliases", "always");
        env.put("java.naming.ldap.deleteRDN", "false");
        env.put("java.naming.ldap.attributes.binary", "");
        env.put(Context.PROVIDER_URL,
                "ldap://" + (String) adsInfoVec.elementAt(0) + ":" +
                (String) adsInfoVec.elementAt(1));
        // env.put("java.naming.security.principal",
        // userNameStr + "@" + (String) adsInfoVec.elementAt(0));
        env.put(Context.SECURITY_PRINCIPAL,
                userNameStr + "@" + (String) adsInfoVec.elementAt(0));
        // An empty password turns a JNDI simple bind into an anonymous bind, which
        // succeeds without checking the user, so reject it instead of binding.
        if (userPassStr == null || userPassStr.length() == 0) {
            return AUTHENTICATION_ERROR;
        }
        // env.put("java.naming.security.credentials", userPassStr);
        env.put(Context.SECURITY_CREDENTIALS, userPassStr);
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.lookup("");
            //System.out.println(ctx.lookup(""));
            ctx.close();
        } catch (javax.naming.AuthenticationException ex) {
            // Bind rejected by the directory (bad password, locked or disabled account, ...)
            ex.printStackTrace();
            return AUTHENTICATION_ERROR;
        } catch (javax.naming.PartialResultException pex) {
            pex.printStackTrace();
            return COMMUNICATION_ERROR;
        } catch (javax.naming.CommunicationException pex) {
            pex.printStackTrace();
            return COMMUNICATION_ERROR;
        } catch (NamingException e) {
            System.out.println("Failed to connect to ");
            e.printStackTrace();
            return COMMUNICATION_ERROR;
        }
        return SUCCESS;
    }
    Result of this code from our company: We are able to authenticate the LDAP user and also lock the user account after exceeding the max failure attempts configured from Windows Server.
    Result of this code from our client side: They are able to authenticate the LDAP user but they can't lock the user account even after exceeding the max failure attempts configured from their Windows Server.
    Can you please help us if you have any experience with this, and suggest whether any other configuration is required on Windows Server / Active Directory Server, or whether some other implementation is required for resolving this issue.
    Your optimistic reply is much appreciated.
    Thanks,
    Mehul Garnara.
    Edited by: [email protected] on Mar 6, 2008 10:25 PM
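An added example, not part of the original post or the poster's product: when a JNDI simple bind against Active Directory fails, the `AuthenticationException` message carries a hex sub-code after `data` that separates a bad password from a locked-out, disabled or expired account, which helps when diagnosing lockout behaviour like the one described above. The class and method names are hypothetical, and the sample error strings in `main` are constructed in the format AD returns for LDAP error 49.

```java
import java.util.Hashtable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical helper: classify Active Directory bind failures by their "data" sub-code. */
public class AdBindCheck {

    public enum Result {
        SUCCESS, EMPTY_PASSWORD, BAD_CREDENTIALS, ACCOUNT_LOCKED,
        ACCOUNT_DISABLED, PASSWORD_EXPIRED, OTHER_AUTH_FAILURE, COMMUNICATION_ERROR
    }

    // AD appends the Win32 logon error in hex, e.g. "... AcceptSecurityContext error, data 775, v1db1"
    private static final Pattern AD_DATA = Pattern.compile("data\\s+([0-9a-fA-F]+)");

    /** Maps the sub-code in an LDAP error 49 message to a result. */
    static Result classify(String ldapMessage) {
        if (ldapMessage == null) return Result.OTHER_AUTH_FAILURE;
        Matcher m = AD_DATA.matcher(ldapMessage);
        if (!m.find()) return Result.OTHER_AUTH_FAILURE;
        switch (m.group(1).toLowerCase()) {
            case "525":                              // user not found
            case "52e": return Result.BAD_CREDENTIALS;   // wrong password
            case "775": return Result.ACCOUNT_LOCKED;    // lockout threshold reached
            case "533": return Result.ACCOUNT_DISABLED;
            case "532":                              // password expired
            case "773": return Result.PASSWORD_EXPIRED;  // must change password at next logon
            default:    return Result.OTHER_AUTH_FAILURE;
        }
    }

    /** Simple bind as the user; ldapUrl and upn are supplied by the caller. */
    static Result authenticate(String ldapUrl, String upn, char[] password) {
        // JNDI silently downgrades a simple bind with an empty password to an
        // anonymous bind, which succeeds, so never let one reach the directory.
        if (password == null || password.length == 0) return Result.EMPTY_PASSWORD;

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);   // prefer ldaps:// so the password is not sent in clear text
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, upn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.close();
            return Result.SUCCESS;
        } catch (AuthenticationException ex) {
            // Log the detailed result server-side; show the user one generic failure
            // message so the login dialog does not reveal which accounts exist.
            return classify(ex.getMessage());
        } catch (NamingException ex) {
            return Result.COMMUNICATION_ERROR;
        }
    }

    public static void main(String[] args) {
        // Constructed sample messages, not captured from a real server.
        String[] samples = {
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1]"
        };
        for (String s : samples) {
            System.out.println(classify(s) + " <- " + s);
        }
    }
}
```

Repeated `BAD_CREDENTIALS` results that never turn into `ACCOUNT_LOCKED` on one domain but do on another show that the difference lies in the directory's lockout policy rather than in the client code.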

  • Using Active-Directory PW at SAP logon procedure

    Hello,
    I have the requirement not to use single sign-on for some systems with sensitive data, but would like to check the password from our central Active Directory during the SAP logon procedure.
    Is there any best practice configuration or SAP / AD Win add-on solution available to connect SAP NW ABAP 7.40 on a Win2012 server with our Active Directory? Nearly all Windows-based applications can handle a password check from the application to AD. Is there any SAP or partner implementation helpful to expand the SAP client internal user password check?
    Thanks in advance for alternatives to the standard client SSO or any idea in the direction of using the Active Directory password within SAP logon.
    Please give me a short feedback if you need more details.
    regards,
    Bernhard Mair
    Goethe-Institut München

    The SAP NetWeaver ABAP app server only accepts SAP user id and password or it can use SNC to authenticate the user when SAP GUI is used on workstation. So, if you want the user to be prompted to enter their Active Directory credentials during a logon using SAP GUI, and you don't want SSO, then you need to purchase a third party product.
    Please note, that SAP is not JUST a Windows based application, as it can also be installed on Unix and Linux, so SAP have made it work in same way on all platforms without any 'special' windows authentication capabilities.
    Thanks
    Tim

  • Unable to add objectclass:nismap to active directory

    I'm trying to move some autofs maps from Linux to Active Directory but am having some problems:
    using this ldif file;
    dn: nisMapName=auto.dal,ou=automount,ou=nfs,ou=generic-test,dc=test,dc=com
    objectClass: top
    objectClass: nisMap
    nisMapName: auto.dal
    dn: cn=/home,nisMapName=auto.dal,ou=automount,ou=nfs,ou=generic-test,dc=test,dc=com
    nisMapName: auto.dal
    objectClass: nisObject
    nisMapEntry: ldap:vm1:nismapname=auto.home,ou=autofs,dc=test,dc =com
    cn: /home
    I get an error when using ldapadd
    test01 /test/LDAP# ldapadd -h adserver01 -p 50006  -D "CN=autofs_admin,OU=Users,Ou=generic-test,DC=test,DC=com" -w xxxxxx -f example_2.ldif
    adding new entry "nisMapName=auto.dal,ou=automount,ou=nfs,ou=generic-test,dc=test,dc=com"
    ldap_add: Naming violation (64)
            additional info: 00002073: NameErr: DSID-03050C0D, problem 2005 (NAMING_VIOLATION), data 0, best match of:
            'nisMapName=auto.dal,ou=automount,ou=nfs,ou=generic-test,dc=test,dc=com'
    Error 0x2073 An attempt was made to add an object using an RDN that is not the RDN defined in the schema.
    not sure why it doesn't like the nisMapName=auto.dal bit
    anyone see why or can suggest where to look.
    Thanks

    Hi,
    >>Error 0x2073 An attempt was made to add an object using an RDN that is not the RDN defined in the schema.
    Based on the error description, the RDN attribute of the object doesn't match the RDN attribute defined in AD Schema.
    Regarding RDN attribute in AD Schema, the following article can be referred to for more information.
    RDN attribute
    https://msdn.microsoft.com/en-us/library/ms678697(v=vs.85).aspx
    In addition, for this involves third party product, it's recommended that we also contact vendor support to ask for suggestions.
    Best regards,
    Frank Shen 
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Does one of the Lync SQL databases store the active directory username or SID of the person who made a call ?

    I am trying to write a report that uses data from Lync (2010), Active directory (AD) and other databases.
    I need to match data from Lync with records in active directory.
    When you make/receive a call, the session details has a userid column - a foreign key to the users table, which has the UserURI - the user's email address or telephone number.
    However, trying to match the data, I have noticed that someone's email address can change so that what is in Active Directory does not match that used as the SIP address in Lync.
    I need a field that matches in Active Directory and Lync to be able to link a user's call records with their Active Directory records.
    I was wondering how Lync decides which Lync user you are when it auto-logs you in.
    Does it do it on the basis of your phone number, AD username or something else?
    If so , where in Lync does it store the mapping from whatever it uses to your Lync userid ?
    Greg

    The msrtcsip-primaryuseraddress attribute in AD is where the users SIP address is stored.
    This can change still, but generally that should not be very often except maybe a name change or domain name change.
    Almost everything in Lync is based on the SIP address. In CDR's case, it is just recording SIP messages as they pass through the front end; it has no visibility into the actual AD account that sent it.
    If you will need to match user SIP addresses back to live AD accounts, even after a SIP address change, then I would recommend setting up a custom AD attribute to store their SIP account history and have a policy to update that attribute each time someone's SIP address gets changed.
