Issue in ldap-sync with active directory - OIM11gR2

Hi Expert,
I have enabled the ldap-sync with Active Directory in OIM11gR2. I followed the below document to enable the ldap-sync.
Enabling LDAP Synchronization in Oracle Identity Manager - 11g Release 2 (11.1.2)
To test whether ldap-sync is working or not, I ran the LDAPSync Post Enable Provision Users to LDAP scheduled job. While running the job I encountered the below exception in the log. Please provide me some pointers to solve my issue. How can we be sure ldap-sync is configured properly? Please provide me some steps to test it out.
<Jul 31, 2013 9:51:25 AM PDT> <Warning> <JMS> <BEA-040442> <While attempting to bind JNDI name jms/b2b/B2BEventQueue for destination SOAJMSModule!dist_B2BEventQueue_auto_1_auto in module null a JNDI name conflict was found. This destination has not been bound into JNDI.>
<Jul 31, 2013 9:51:25 AM PDT> <Error> <oracle.iam.platform.entitymgr.provider.ldap> <BEA-000000> <An error occurred while searching the entity in LDAP, and the corresponding error is - {0}
javax.naming.NameNotFoundException: Error: NO_SUCH_OBJECT
LDAP Error 32 : No Such Object [Root exception is oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 32 : No Such Object]
  at oracle.ods.virtualization.jndi.OVDUtil.mapErrorCode(OVDUtil.java:151)
  at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:439)
  at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
  at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.search(LDAPUtil.java:1073)
  at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.search(LDAPDataProvider.java:1218)
  at oracle.iam.ldapsync.impl.util.CommonNamePolicyUtil.isUserExists(CommonNamePolicyUtil.java:84)
  at oracle.iam.ldapsync.impl.util.CommonNameGenerationUtil.isCommonNameExistingOrReserved(CommonNameGenerationUtil.java:192)
  at oracle.iam.ldapsync.impl.plugins.FirstNameLastNamePolicy.getCommonNameFromPolicy(FirstNameLastNamePolicy.java:157)
  at oracle.iam.ldapsync.impl.util.CommonNameGenerationUtil.generateCommonName(CommonNameGenerationUtil.java:116)
  at oracle.iam.ldapsync.impl.util.CommonNameGenerationUtil.generateCommonName(CommonNameGenerationUtil.java:82)
  at oracle.iam.oimtoldap.impl.SeedOIMDataInLDAPImpl.createUserInLDAP(SeedOIMDataInLDAPImpl.java:182)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
  at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
  at $Proxy710.createUserInLDAP(Unknown Source)
  at oracle.iam.oimtoldap.api.SeedOIMDataInLDAPEJB.createUserInLDAPx(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at com.oracle.pitchfork.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:34)
  at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
  at com.oracle.pitchfork.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:42)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
  at $Proxy709.createUserInLDAPx(Unknown Source)
  at oracle.iam.oimtoldap.api.SeedOIMDataInLDAP_8d8qil_SeedOIMDataInLDAPRemoteImpl.__WL_invoke(Unknown Source)
  at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
  at oracle.iam.oimtoldap.api.SeedOIMDataInLDAP_8d8qil_SeedOIMDataInLDAPRemoteImpl.createUserInLDAPx(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
  at $Proxy163.createUserInLDAPx(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
  at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
  at $Proxy707.createUserInLDAPx(Unknown Source)
  at oracle.iam.oimtoldap.api.SeedOIMDataInLDAPDelegate.createUserInLDAP(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
  at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
  at $Proxy708.createUserInLDAP(Unknown Source)
  at oracle.iam.oimtoldap.scheduletasks.user.SeedOIMUsersInLDAP.execute(SeedOIMUsersInLDAP.java:59)
  at oracle.iam.scheduler.vo.TaskSupport$1.processWithoutResult(TaskSupport.java:135)
  at oracle.iam.platform.tx.OIMTransactionCallbackWithoutResult.process(OIMTransactionCallbackWithoutResult.java:9)
  at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:13)
  at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:6)
  at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:128)
  at oracle.iam.platform.tx.OIMTransactionManager.execute(OIMTransactionManager.java:22)
  at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:116)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at oracle.iam.scheduler.impl.quartz.QuartzJob$TaskExecutionAction.run(QuartzJob.java:266)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
  at weblogic.security.Security.runAs(Security.java:41)
  at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
  at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:75)
  at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
  at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
Caused By: oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 32 : No Such Object
  at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:209)
  at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:47)

I have checked the OIM vs AD attribute mapping. Now I am getting the below error. I have also attached the LDAPUsers.xml file. I don't know what went wrong. How do I test that ldap-sync is configured properly? I created the user in OIM, but the user is not getting created in AD. I am not able to see anything in the log files (diagnostic and nohup logs). Any idea where I can see the log to identify the issue?
<Aug 1, 2013 8:15:15 AM PDT> <Warning> <JMS> <BEA-040442> <While attempting to bind JNDI name jms/b2b/B2BEventQueue for destination SOAJMSModule!dist_B2BEventQueue_auto_1_auto in module null a JNDI name conflict was found. This destination has not been bound into JNDI.>
<Aug 1, 2013 8:15:15 AM PDT> <Warning> <oracle.ods.virtualization.engine.backend.jndi.LDAP1.ConnectionHandle> <OVD-40082> <Could not modify entry.
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
<?xml version='1.0' encoding='UTF-8'?>
<tns:entity-definition xmlns:tns="http://www.oracle.com/schema/oim/entity" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/entity ../entity.xsd ">
<entity-type child-entity="false">LDAPUser</entity-type>
<provider-instance>
<repository-instance>Directory Server</repository-instance>
<provider-type>LDAPDataProvider</provider-type>
<parameters>
<parameter name="base">
<value>dc=cgtest,dc=adtest,dc=com</value>
</parameter>
<parameter name="rdnattribute">
<value>cn</value>
</parameter>
<parameter name="objectclass">
<value>orclIDXPerson</value>
</parameter>
<parameter name="idattribute">
<value>objectGUID</value>
</parameter>
<parameter name="entityIdentifierObjectclass">
<value>inetorgperson</value>
</parameter>
<parameter name="excludeObjectclass">
<value>orclappiduser</value>
</parameter>
</parameters>
</provider-instance>
<container-capability>
<enabled>false</enabled>
</container-capability>
<entity-attributes>
<attribute name="User Login">
<type>string</type>
<required>true</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="First Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Last Name">
<type>string</type>
<required>true</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Middle Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Display Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
<multi-represented>true</multi-represented>
</attribute>
<attribute name="usr_password">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>false</searchable>
</attribute>
<attribute name="LDAP GUID">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="LDAP DN">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Role">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Email">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Start Date">
<type>date</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="End Date">
<type>date</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="usr_timezone">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="usr_manager_key">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Country">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Department Number">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Description">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Common Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Employee Number">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Fax">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Generation Qualifier">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Hire Date">
<type>date</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Home Phone">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Home Postal Address">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Locality Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Mobile">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Pager">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Postal Address">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Postal Code">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="PO Box">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="usr_locale">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="State">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Street">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Telephone Number">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Title">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Initials">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="LDAP Organization">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="LDAP Organization Unit">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="User Status">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Lock Status">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Accessibility Mode">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Color Contrast">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Font Size">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Number Format">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Currency">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Date Format">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Time Format">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Embedded Help">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="FA Language">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="FA Territory">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="User Name Preferred Language">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
</entity-attributes>
<target-fields>
<field name="uid">
<type>string</type>
<required>true</required>
</field>
<field name="givenname">
<type>string</type>
<required>false</required>
</field>
<field name="sn">
<type>string</type>
<required>true</required>
</field>
<field name="middleName">
<type>string</type>
<required>false</required>
</field>
<field name="cn">
<type>string</type>
<required>true</required>
</field>
<field name="userPassword">
<type>string</type>
<required>false</required>
</field>
<field name="objectGUID">
<type>string</type>
<required>false</required>
</field>
<field name="dn">
<type>string</type>
<required>false</required>
</field>
<field name="employeeType">
<type>string</type>
<required>false</required>
</field>
<field name="mail">
<type>string</type>
<required>false</required>
</field>
<field name="orclActiveStartDate">
<type>date</type>
<required>false</required>
</field>
<field name="orclActiveEndDate">
<type>date</type>
<required>false</required>
</field>
<field name="orclTimeZone">
<type>string</type>
<required>false</required>
</field>
<field name="manager">
<type>string</type>
<required>false</required>
</field>
<field name="c">
<type>string</type>
<required>false</required>
</field>
<field name="departmentNumber">
<type>string</type>
<required>false</required>
</field>
<field name="description">
<type>string</type>
<required>false</required>
</field>
<field name="employeeNumber">
<type>string</type>
<required>false</required>
</field>
<field name="facsimileTelephoneNumber">
<type>string</type>
<required>false</required>
</field>
<field name="orclGenerationQualifier">
<type>string</type>
<required>false</required>
</field>
<field name="orclHireDate">
<type>date</type>
<required>false</required>
</field>
<field name="homePhone">
<type>string</type>
<required>false</required>
</field>
<field name="homePostalAddress">
<type>string</type>
<required>false</required>
</field>
<field name="l">
<type>string</type>
<required>false</required>
</field>
<field name="mobile">
<type>string</type>
<required>false</required>
</field>
<field name="pager">
<type>string</type>
<required>false</required>
</field>
<field name="postalAddress">
<type>string</type>
<required>false</required>
</field>
<field name="postalCode">
<type>string</type>
<required>false</required>
</field>
<field name="postOfficeBox">
<type>string</type>
<required>false</required>
</field>
<field name="preferredLanguage">
<type>string</type>
<required>false</required>
</field>
<field name="st">
<type>string</type>
<required>false</required>
</field>
<field name="street">
<type>string</type>
<required>false</required>
</field>
<field name="telephoneNumber">
<type>string</type>
<required>false</required>
</field>
<field name="title">
<type>string</type>
<required>false</required>
</field>
<field name="initials">
<type>string</type>
<required>false</required>
</field>
<field name="o">
<type>string</type>
<required>false</required>
</field>
<field name="ou">
<type>string</type>
<required>false</required>
</field>
<field name="displayName">
<type>string</type>
<required>false</required>
</field>
<field name="orclAccountEnabled">
<type>string</type>
<required>false</required>
</field>
<field name="orclAccountLocked">
<type>string</type>
<required>false</required>
</field>
<field name="orclAccessibilityMode">
<type>string</type>
<required>false</required>
</field>
<field name="orclColorContrast">
<type>string</type>
<required>false</required>
</field>
<field name="orclFontSize">
<type>string</type>
<required>false</required>
</field>
<field name="orclNumberFormat">
<type>string</type>
<required>false</required>
</field>
<field name="orclCurrency">
<type>string</type>
<required>false</required>
</field>
<field name="orclDateFormat">
<type>string</type>
<required>false</required>
</field>
<field name="orclTimeFormat">
<type>string</type>
<required>false</required>
</field>
<field name="orclEmbeddedHelp">
<type>string</type>
<required>false</required>
</field>
<field name="orclFALanguage">
<type>string</type>
<required>false</required>
</field>
<field name="orclFATerritory">
<type>string</type>
<required>false</required>
</field>
<field name="orclDisplayNameLanguagePreference">
<type>string</type>
<required>false</required>
</field>
</target-fields>
<attribute-maps>
<attribute-map>
<entity-attribute>User Login</entity-attribute>
<target-field>uid</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>First Name</entity-attribute>
<target-field>givenname</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Last Name</entity-attribute>
<target-field>sn</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Middle Name</entity-attribute>
<target-field>middleName</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Common Name</entity-attribute>
<target-field>cn</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>usr_password</entity-attribute>
<target-field>userPassword</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>LDAP GUID</entity-attribute>
<target-field>objectGUID</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>LDAP DN</entity-attribute>
<target-field>dn</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Role</entity-attribute>
<target-field>employeeType</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Email</entity-attribute>
<target-field>mail</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Start Date</entity-attribute>
<target-field>orclActiveStartDate</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>End Date</entity-attribute>
<target-field>orclActiveEndDate</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>usr_timezone</entity-attribute>
<target-field>orclTimeZone</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>usr_manager_key</entity-attribute>
<target-field>manager</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Country</entity-attribute>
<target-field>c</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Department Number</entity-attribute>
<target-field>departmentNumber</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Description</entity-attribute>
<target-field>description</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Employee Number</entity-attribute>
<target-field>employeeNumber</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Fax</entity-attribute>
<target-field>facsimileTelephoneNumber</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Generation Qualifier</entity-attribute>
<target-field>orclGenerationQualifier</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Hire Date</entity-attribute>
<target-field>orclHireDate</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Home Phone</entity-attribute>
<target-field>homePhone</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Home Postal Address</entity-attribute>
<target-field>homePostalAddress</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Locality Name</entity-attribute>
<target-field>l</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Mobile</entity-attribute>
<target-field>mobile</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Pager</entity-attribute>
<target-field>pager</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Postal Address</entity-attribute>
<target-field>postalAddress</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Postal Code</entity-attribute>
<target-field>postalCode</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>PO Box</entity-attribute>
<target-field>postOfficeBox</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>State</entity-attribute>
<target-field>st</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Street</entity-attribute>
<target-field>street</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Telephone Number</entity-attribute>
<target-field>telephoneNumber</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Title</entity-attribute>
<target-field>title</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Initials</entity-attribute>
<target-field>initials</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>LDAP Organization</entity-attribute>
<target-field>o</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>LDAP Organization Unit</entity-attribute>
<target-field>ou</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Display Name</entity-attribute>
<target-field>displayName</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>User Status</entity-attribute>
<target-field>orclAccountEnabled</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Lock Status</entity-attribute>
<target-field>orclAccountLocked</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Accessibility Mode</entity-attribute>
<target-field>orclAccessibilityMode</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Color Contrast</entity-attribute>
<target-field>orclColorContrast</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Font Size</entity-attribute>
<target-field>orclFontSize</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Number Format</entity-attribute>
<target-field>orclNumberFormat</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Currency</entity-attribute>
<target-field>orclCurrency</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Date Format</entity-attribute>
<target-field>orclDateFormat</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Time Format</entity-attribute>
<target-field>orclTimeFormat</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Embedded Help</entity-attribute>
<target-field>orclEmbeddedHelp</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>FA Language</entity-attribute>
<target-field>orclFALanguage</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>FA Territory</entity-attribute>
<target-field>orclFATerritory</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>User Name Preferred Language</entity-attribute>
<target-field>orclDisplayNameLanguagePreference</target-field>
</attribute-map>
</attribute-maps>
<control-attributes>
<attribute name="container">
<type>LDAPContainer</type>
<required>false</required>
</attribute>
</control-attributes>
</tns:entity-definition>
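
One way to sanity-check a mapping file of this shape offline, as an added example that is not part of the original post or of Oracle's tooling: a Python script that parses an entity definition and cross-checks its `entity-attributes`, `target-fields` and `attribute-maps` sections against each other. The embedded sample is a shortened, constructed file with deliberate inconsistencies; the function name and report keys are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the same shape as the entity definition above.
# Deliberate problems: "Email" is mapped to an undeclared field ("email"),
# and the required target field "cn" has no attribute-map at all.
SAMPLE = """<?xml version='1.0' encoding='UTF-8'?>
<tns:entity-definition xmlns:tns="http://www.oracle.com/schema/oim/entity">
<entity-type child-entity="false">LDAPUser</entity-type>
<provider-instance>
<provider-type>LDAPDataProvider</provider-type>
<parameters>
<parameter name="base"><value>dc=example,dc=test</value></parameter>
<parameter name="rdnattribute"><value>cn</value></parameter>
<parameter name="idattribute"><value>objectGUID</value></parameter>
</parameters>
</provider-instance>
<entity-attributes>
<attribute name="User Login"><type>string</type><required>true</required></attribute>
<attribute name="Last Name"><type>string</type><required>true</required></attribute>
<attribute name="Email"><type>string</type><required>false</required></attribute>
<attribute name="LDAP GUID"><type>string</type><required>false</required></attribute>
</entity-attributes>
<target-fields>
<field name="uid"><type>string</type><required>true</required></field>
<field name="sn"><type>string</type><required>true</required></field>
<field name="cn"><type>string</type><required>true</required></field>
<field name="mail"><type>string</type><required>false</required></field>
<field name="objectGUID"><type>string</type><required>false</required></field>
</target-fields>
<attribute-maps>
<attribute-map><entity-attribute>User Login</entity-attribute><target-field>uid</target-field></attribute-map>
<attribute-map><entity-attribute>Last Name</entity-attribute><target-field>sn</target-field></attribute-map>
<attribute-map><entity-attribute>Email</entity-attribute><target-field>email</target-field></attribute-map>
<attribute-map><entity-attribute>LDAP GUID</entity-attribute><target-field>objectGUID</target-field></attribute-map>
</attribute-maps>
</tns:entity-definition>
"""


def _declared(root, path):
    """Return {name: required?} for the <attribute> or <field> elements at path."""
    return {
        el.get("name"): (el.findtext("required") or "").strip() == "true"
        for el in root.findall(path)
    }


def check_entity_definition(xml_text):
    """Cross-check the three sections of an entity definition (hypothetical helper)."""
    # Parse from bytes so the XML declaration's encoding is honoured.
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)

    # Only the root element carries the tns: prefix; children are unqualified.
    params = {
        p.get("name"): (p.findtext("value") or "").strip()
        for p in root.findall("./provider-instance/parameters/parameter")
    }
    attrs = _declared(root, "./entity-attributes/attribute")
    fields = _declared(root, "./target-fields/field")
    maps = [
        ((m.findtext("entity-attribute") or "").strip(),
         (m.findtext("target-field") or "").strip())
        for m in root.findall("./attribute-maps/attribute-map")
    ]

    mapped_attrs = {a for a, _ in maps}
    mapped_fields = {f for _, f in maps}
    field_counts = Counter(f for _, f in maps)

    return {
        "entity_type": (root.findtext("entity-type") or "").strip(),
        "parameters": params,
        # Maps that point at names never declared in the file.
        "undeclared_entity_attributes": sorted(mapped_attrs - set(attrs)),
        "undeclared_target_fields": sorted(mapped_fields - set(fields)),
        # Declarations that no map ever uses.
        "unmapped_entity_attributes": sorted(set(attrs) - mapped_attrs),
        "unmapped_target_fields": sorted(set(fields) - mapped_fields),
        # Required target fields that nothing will populate.
        "required_fields_without_map": sorted(
            f for f, required in fields.items()
            if required and f not in mapped_fields
        ),
        # Two entity attributes writing to the same target field.
        "fields_mapped_more_than_once": sorted(
            f for f, n in field_counts.items() if n > 1
        ),
    }


if __name__ == "__main__":
    for key, value in check_entity_definition(SAMPLE).items():
        print(f"{key}: {value}")
```

The script checks only the file's internal consistency; it does not tell you whether the directory schema accepts the listed object classes or attributes.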

Similar Messages

  • Active sync with Active Directory.  activeSync.password

    AD - OS - Win2k3
    IDM -6.0SP1
    I am using active sync with Active Directory.
    The form for Active Sync was made with the Active Sync wizard.
    I make a user in AD with a correct password and execute StartActiveSync.
    The user is not made in Lighthouse.
    The following appears in the log file:
    <WavesetResult>
    <ResultItem type='error' status='error'>
    <ResultError throwable='com.waveset.exception.PolicyViolation'>
    <Message id='PL_POLICY_VIOLATION_HEADER'>
    <String>password</String>
    <String>Lighthouse User</String>
    </Message>
    <Message id='PL_STRING_MIN_CHARACTERS'>
    <String>4</String>
    </Message>
    <StackTrace>com.waveset.exception.PolicyViolation: Policy Violation (password on Lighthouse User):
    Must contain at least 4 valid characters.
         at com.waveset.policy.StringQualityPolicy.check(StringQualityPolicy.java:1090)
         at com.waveset.provision.PolicyProcessor.checkPolicy(PolicyProcessor.java:716)
         at com.waveset.provision.PolicyProcessor.checkLighthousePasswordPolicy(PolicyProcessor.java:651)
         at com.waveset.provision.PolicyProcessor.checkPasswordPolicies(PolicyProcessor.java:574)
         at com.waveset.provision.PolicyProcessor.checkAccountPolicies(PolicyProcessor.java:232)
         at com.waveset.provision.Provisioner.checkPolicies(Provisioner.java:1102)
         at com.waveset.view.UserViewer.checkPolicies(UserViewer.java:1559)
         at com.waveset.view.UserViewer.checkPoliciesAndConstraints(UserViewer.java:1415)
         at com.waveset.view.UserViewer.checkinView(UserViewer.java:1159)
         at com.waveset.object.ViewMaster.checkinView(ViewMaster.java:725)
         at com.waveset.sync.IAPIUserImpl.submitCreate(IAPIUserImpl.java:559)
         at com.waveset.sync.IAPIUserImpl.submit(IAPIUserImpl.java:657)
         at com.waveset.adapter.ADSIResourceAdapter.processUpdates(ADSIResourceAdapter.java:1419)
         at com.waveset.adapter.ADSIResourceAdapter.getAndProcessChanges(ADSIResourceAdapter.java:1456)
         at com.waveset.adapter.ADSIResourceAdapter.poll(ADSIResourceAdapter.java:1546)
         at com.waveset.adapter.SARunner.doRealWork(SARunner.java:268)
         at com.waveset.task.Executor.execute(Executor.java:159)
         at com.waveset.task.TaskThread.run(TaskThread.java:119)
    </StackTrace>
    </ResultError>
    </ResultItem>
    </WavesetResult>
    2006-11-09T13:19:07.904+0500: lastname: Bogdanov9, accountId: Bogdanov9, objectGUID: <GUID=fb4016ebb4851b43af59763d6094932d>, isDisabled: false, identity: cn=Alexey L. Bogdanov9,ou=Users,ou=Test,dc=aut,dc=tst, uSNChanged: 78587, firstname: Alexey, AccountLocked: false, fullname: Alexey L. Bogdanov9, Initials: L
    Policy Violation (password on Lighthouse User):
    Must contain at least 4 valid characters.
    But when I use the sample active sync form from ...sample/forms/ActiveDirectoryActiveSyncForm, the user is made in Lighthouse with password change12345.
    Logically, from this code:
    <Field name='waveset.password'>
    <Comments>
    Make up a password for accounts that are being
    created. This makes it a constant
    </Comments>
    <Disable>
              <neq>
              <ref>feedOp</ref>
                   <s>create</s>
              </neq>
         </Disable>
    <Expansion>
    <cond>
              <notnull>
                   <ref>activeSync.password</ref>
              </notnull>
    <ref>activeSync.password</ref>
    <s>change12345</s>
    </cond>
    </Expansion>
    </Field>
    I think the password from AD is not put into activeSync.
    Why?
    With MBR
    Bogdanov Alexey.

    --I think the password from AD is not put into activeSync.
    --Why?
    You cannot change the user's password from the activeSync RA. The password is encrypted in Active Directory and you can't decrypt it.
    You can read the Idm Resources Reference - Active Directory. There's a table with all the supported fields; the userPassword field is write-only.
    If you want to take the AD password and send it to IDM, you want to use Password Sync.
    Good luck

  • Active Sync with Active Directory

    I am using active sync with Active Directory, but when I execute the synchronization, it does not work. The following appears in the log file:
    00.037-0500: Polling
    2006-11-01T18:35:00.053-0500: Looking for updates with filter: (objectCategory=person)(uSNChanged>=62506)
    2006-11-01T18:35:00.506-0500: Missing uSNChanged for user user1. Skipping
    2006-11-01T18:35:00.506-0500: Missing uSNChanged for user mike2. Skipping
    2006-11-01T18:35:00.506-0500: Missing uSNChanged for user little5. Skipping
    2006-11-01T18:35:00.506-0500: Missing uSNChanged for user george. Skipping
    2006-11-01T18:35:00.724-0500: Looking for deletes with filter: (uSNChanged>=62506)
    2006-11-01T18:35:00.740-0500: Missing uSNChanged for user CN=maria \0ADEL:7924c26d-9f1f-40a8-af4d-120e191aa84e,CN=Deleted Objects,DC=xxx,DC=com. Skipping
    2006-11-01T18:35:00.740-0500: Poll complete.
    I am using IDM 6.0 sp1

    Did you add the uSNChanged attribute to your schema mapping (name it "uSNChanged" on both the IDM and resource side of the mapping)?
    - Robin

  • LDAP realm with Active Directory

    Hello,
    In the Sun ONE app server admin console I have set the security role to LDAP.
    I have set up security roles in my web.xml such as this:
    <security-role>
    <description>This role represents administrators of the system, see actor administrators</description>
    <role-name>administrators</role-name>
    </security-role>
    ..and mapped the roles to groups in sun-application as follows:
    <security-role-mapping>
    <role-name>administrators</role-name>
    <group-name>CMS_PM</group-name>
    <principal-name>rlancett</principal-name>
    </security-role-mapping>
    My user and group information is stored in Active Directory, so I have tried to configure the LDAP realm in the admin console to get it working. These are the settings I have put in:
    directory: ldap://earth.tier2consulting.com:389
    base-dn: cn=Users,dc=tier2consulting,dc=com
    jaas-context: ldapRealm
    search-bind-dn: cn=administrator,cn=Users,dc=domain,dc=com
    search-bind-password: ******
    search-filter: sAMAccountName=%s
    I get the error message: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
    WARNING: va:850)
    FINEST: JAAS authentication aborted.
    INFO: SEC5046: Audit: Authentication refused for [administrator].
    I am pretty stuck on this, having looked around all the forums.
    Has anyone got Sun ONE app server using Active Directory to get user/group information for security roles?
    Thanks.

    Howdy,
    I don't have a solution to your problem, but maybe this tidbit will help in debugging with Active Directory error messages. I'm new to AD, so excuse me if everyone already knows this, but...
    The error message you get back from the directory contains an error code in hexadecimal:
    LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
    If you translate '525' from hex to decimal you get '1317' which is the error message you can look up here:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/system_error_codes.asp
    1317 - ERROR_NO_SUCH_USER - The specified user does not exist.
    It took me a while to find this tip, so I thought I'd share it. Oh, and the easy way to get decimal from hexadecimal is:
    System.out.println( "Here is 525 in decimal: " + Integer.parseInt("525", 16));
    Okay, hope this helps somebody.
    Now it's up to you to find out why it can't find the administrator!
    Craig
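
The decoding described in the reply above, as an added example that is not part of the original thread: it pulls the hex `data` sub-code out of an AD error 49 message and names the Win32 error behind it. The sub-code table beyond 525, the function names and the bind-DN/base-DN comparison are assumptions of this example; the sample line and DNs are the ones quoted in the question.

```python
import re

# Win32 error numbers that Active Directory reports, in hex, in the "data"
# field of an LDAP error 49 (invalidCredentials) bind failure.
# Only 525 appears on this page; the others are standard Win32 codes.
AD_BIND_SUBCODES = {
    0x525: ("ERROR_NO_SUCH_USER", "bind identity was not found"),
    0x52E: ("ERROR_LOGON_FAILURE", "identity exists but the password is wrong"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "logon not permitted at this time"),
    0x531: ("ERROR_INVALID_WORKSTATION", "logon not permitted from this host"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password has expired"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account is disabled"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account has expired"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "password must be changed first"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account is locked out"),
}

BIND_ERROR = re.compile(
    r"error code (?P<ldap>\d+)\s*-\s*(?P<status>[0-9A-Fa-f]{8}):"
    r".*?comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)


def decode_bind_error(line):
    """Return the decoded AD sub-code of an LDAP error 49 line, or None."""
    m = BIND_ERROR.search(line)
    if m is None or m.group("ldap") != "49":
        return None
    code = int(m.group("data"), 16)  # the field is hex, so 525 means 1317
    name, meaning = AD_BIND_SUBCODES.get(code, ("UNKNOWN", "not in table"))
    return {"hex": m.group("data").lower(), "decimal": code,
            "name": name, "meaning": meaning,
            "comment": m.group("comment").strip()}


def dc_suffix(dn):
    """Join the dc= components of a DN: 'cn=x,dc=a,dc=b' gives 'a.b'."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]  # skip escaped commas
    return ".".join(r[3:].lower() for r in rdns if r.lower().startswith("dc="))


def triage(line, bind_dn, base_dn):
    """Turn one log line plus the realm settings into readable hints."""
    info = decode_bind_error(line)
    if info is None:
        return []
    hints = ["%s (0x%s = %d): %s" % (info["name"], info["hex"],
                                     info["decimal"], info["meaning"])]
    # "No such user" on the search bind: check the bind DN against the
    # directory actually being queried before suspecting the password.
    if info["decimal"] == 0x525 and dc_suffix(bind_dn) != dc_suffix(base_dn):
        hints.append("bind DN is under '%s' but base DN is under '%s'; "
                     "confirm the bind DN exists in the queried directory"
                     % (dc_suffix(bind_dn), dc_suffix(base_dn)))
    return hints


# Error line and realm settings as quoted in the question on this page.
PAGE_LINE = ("javax.naming.AuthenticationException: [LDAP: error code 49 - "
             "80090308: LdapErr: DSID-0C09030B, comment: "
             "AcceptSecurityContext error, data 525, v893")
PAGE_BIND_DN = "cn=administrator,cn=Users,dc=domain,dc=com"
PAGE_BASE_DN = "cn=Users,dc=tier2consulting,dc=com"
# Constructed line showing a different sub-code (wrong password).
CONSTRUCTED_LINE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                    "comment: AcceptSecurityContext error, data 52e, vece")

if __name__ == "__main__":
    for hint in triage(PAGE_LINE, PAGE_BIND_DN, PAGE_BASE_DN):
        print(hint)
```

The DN comparison only reports that the two settings name different domains; it cannot tell whether the poster altered one of them before posting.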

  • Does WLS 6.1 LDAP work with Active Directory?

    I see in the security docs that Microsoft Site Server LDAP is supported. Anyone
    know if it will work with Active Directory which is supposed to be LDAP v3 compatible?
    TIA

    I've done it with :
    <CustomRealm
        ConfigurationData="server.host=myLDAP.mydomain.org;membership.filter=(&amp;(member=%M)(objectclass=group));server.port=389;group.dn=ou=groupes,dc=myDomain.org;group.filter=(&amp;(cn=%g)(objectclass=group));server.principal=cn=Administrator,cn=Users,dc=myDomain.org;user.dn=ou=Utilisateurs,dc=myDomain.org;user.filter=(&amp;(cn=%u)(objectclass=person));server.ssl=false"
        Name="MyLDAPv2" Notes="Test ldap V2 active Directory"
        Password="myPassword" RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"/>
    Will Spies <[email protected]> wrote:
    Can you put up what a sample <CustomRealm/> tag for AD looks like? I'm
    trying to get this to work with no success. Thanks for any help.

  • Error while password sync with Active directory.

    Hi all.
    I am doing Active Directory password sync with OIM 11g, but this gives an error:
    Debug [07/31/12 11:52:14] CONFIG VALUE LENGTH
    Debug [07/31/12 11:52:14] 254
    Debug [07/31/12 11:52:14]
    Debug [07/31/12 11:52:14]
    Debug [07/31/12 11:52:14] Before adding configsync attributes
    Debug [07/31/12 11:52:14]
    sgslrgac instance
    Debug [07/31/12 11:52:14] User Name --->
    Debug [07/31/12 11:52:14] TEST.TEST10
    Debug [07/31/12 11:52:14]
    Debug [07/31/12 11:52:14] RelativeId:
    Debug [07/31/12 11:52:14] 1122
    Debug [07/31/12 11:52:14]
    Debug [07/31/12 11:52:14]
    sgsladac Instance
    Debug [07/31/12 11:52:14]
    LDAP Connected
    Debug [07/31/12 11:52:14] search string :
    Debug [07/31/12 11:52:14] (&(objectCategory=person)(objectClass=user)(sAMAccountName=TEST.TEST10))
    Debug [07/31/12 11:52:14]
    Debug [07/31/12 11:52:14] Connected to ADSI
    Debug [07/31/12 11:52:14] After Search
    Debug [07/31/12 11:52:14] SID::
    Debug [07/31/12 11:52:14] S-1-5-21-449192332-2375483478-3823051035-1122
    Debug [07/31/12 11:52:14]
    Debug [07/31/12 11:52:14] DN::
    Debug [07/31/12 11:52:14] CN=test test10,CN=Users,DC=thakralone,DC=com
    Debug [07/31/12 11:52:14]
    Debug [07/31/12 11:52:14] GUID:::
    Debug [07/31/12 11:52:14] QHetRJE7hEKkG8PeqYRKlQ==
    Debug [07/31/12 11:52:14]
    Debug [07/31/12 11:52:14] after ladp search
    Debug [07/31/12 11:52:14] Success sgsldpap
    Debug [07/31/12 11:52:14]
    Passlen populated :
    Debug [07/31/12 11:52:14] 190
    Debug [07/31/12 11:52:14]
    Debug [07/31/12 11:52:14]
    Moving sgsloidi from asynchSystem
    Debug [07/31/12 11:52:14] Store Object populated
    Debug [07/31/12 11:52:14] [getObjectGuid=QHetRJE7hEKkG8PeqYRKlQ==
    getPasswordLen=190
    getUserDn=CN=test test10,CN=Users,DC=thakralone,DC=com
    getUserId=TEST.TEST10
    Debug [07/31/12 11:52:14]
    ***end of status
    Debug [07/31/12 11:52:14]
    Out of sgsloidi from asynchSystem
    Debug [07/31/12 11:52:14]
    Before Free
    Debug [07/31/12 11:52:14]
    After Free
    I have tried to reconfigure and reinstall the connector, but still the same issue.

    Don't think so.
    Reconcile will just find accounts that are out of sync (that is, that exist on one system but not the other). It doesn't update account attributes.
    ActiveSync can identify and process changed records, but the password itself is hashed, so unless you can use the hashed password directly (and IDM can't) then you just would get "garbage" data via the sync.
    I think you do need to use one of the PasswordSync tools for this, because they intercept the password change process before the password is hashed, allowing you to apply the changes in multiple locations.

  • SAP R/3 Enterprise 4.7 Sync with Active Directory on Win2k3 server

    All,
    I'm having a nightmare with this and I'm hoping someone can either confirm my problem or solve it for me.
    We are running R/3 Enterprise 4.7 (Web AS 6.20) and would like to sync the users with Microsoft Active Directory 2003.
    We are exploring the option of using full Active Directory schema expansion for the SAP sync.  i.e. so we have all SAP related fields in AD.
    According to the SAP notes, I need the WEB AS 6.10 installation CD so that I can run R3SETUP to perform the Active Directory schema modifications.
    I have tried to download this from the SWDC with no luck.
    So I guess my questions are:
    1. Do I really need the 6.10 install CD (it seems it's only the ADSINIT.R3S file)?
    2. If I do, where can I get it from? Do I need to order it through our SAP contract manager?
    In the meantime, I have tried performing the manual schema extension using the RSLDAPSCHEMAEXT report, uploading this to the AD server and running "ldifde" command.
    This has extended the schema (or so it says), but I can't see any SAP icon in the AD tree.  Have I missed something?
    Any help appreciated.
    Thanks,
    Darryl

    Rainer,
    Thanks for that.
    I have been re-reading note 793191 and question 14 says exactly that.
    I will checkout JXplorer.
    I have found a couple of MS technet articles on how to add your own context menus to the snap-in but it seems like a lot of effort for no real gain.
    Thanks again.
    ps. awarded points

  • OIM 11g Sync with Active Directory

    Hi, I need to configure OIM 11g 11.1.1.3 sync with an AD (Windows Server 2003). I believe this is not possible (in this release), but I am trying to configure it through OVD, and the queries that create the containers throw errors.
    Can it be configured through OVD?
    Will sync with AD be supported in future releases?
    Thanks!!

    From the installation media, copy and extract the contents of the bundle/ActiveDirectory.Connector-1.1.0.6380.zip file to the CONNECTOR_SERVER_HOME directory.
    Refer to http://docs.oracle.com/cd/E22999_01/doc.111/e20347/deploy.htm#CHDDJGIG

  • Issue with Active Directory User Target Recon

    Hi ,
    I am facing an issue with Active Directory User Target Recon
    My environment is OIM 11g R2 with BP03 patch applied
    AD Connector is activedirectory-11.1.1.5 with bundle patch 14190610 applied
    In my Target there are around 28000 users out of which 14000 have AD account (includes Provisioned,Revoked,Disabled accounts)
    When I run Active Directory User Target Recon I do not set any filter; I cleared the batch start and batch size parameters and ran the recon job. The job ran successfully, but it stopped after processing only around 3000 users.
    I retried the job two or three times, but every time it stops after processing some users, without processing all the users.
    I checked the log files (oimdiagnostic logs and Connector server logs) and cannot see any errors in them.
    I checked the user profiles of the users processed and can see the AD account provisioned for them.
    My query is why this job is not processing all the users. Please point out if I am missing something.
    thanks in advance

    Check the connector server load when you are running the recon. Last time I checked the connector, the way it was written is that it loads all the users from AD into the connector server memory and then sends them to OIM. So if the number was huge, then the connector server errored out and did not send data to OIM. We then did recon based on OUs to load/link all the users into OIM. Check the connector server system logs and check for memory usage etc.
    -Bikash

  • Synchronization with Active Directory issue - Error ID 1004

    I found the Application Event Log error below.
    Error ID 1004: The resource 'D:\SharePoint 2010\14.0\Service\Microsoft.ResourceManagement.Service.exe' does not exist.
    This means the Network Service account does not have rights to the %programfiles%\Microsoft Office Servers\14.0 folder, so the User Profile Synchronisation with Active Directory does not run properly.
    The solution is to grant read access to the Network Service account to the ...\14.0 folder.
    https://support2.microsoft.com/kb/2473430?wa=wsignin1.0
    But I cannot find the %programfiles%\Microsoft Office Servers\14.0 folder. Instead there is a folder on the D drive, 'D:\SharePoint 2010\14.0', and I granted read access to the Network Service account to this folder and ran a full synchronization, but still no joy.
    Could you please advise me?
    Thanks

    Thanks Victoria,
    I granted full access to the user NETWORK SERVICE, which is listed in the error message, on the folder D:\SharePoint 2010\14.0.
    Then I reset IIS and ran a full synchronization, but there are still some user accounts that are members of an AD group (this AD group has contribute rights to the Intranet), and when I check permissions for those users, it seems they don't inherit permission from that AD group.
    For example:
    AD group name: TeamMembers
    TeamMembers has contribute permission.
    user1, user2, user3 and user4 are members of TeamMembers.
    user1 and user2 have contribute permission given through the "TeamMembers" group.
    user3 and user4 have no permission!!!
    I don't know what the problem is. I don't have access to Active Directory, but the people who have access to it say all users are members of that AD group.
    Could you please advise?
    Thanks

  • LDAP sync with AD

    Is it possible to sync data with users in a group?
    Our AD structure separates users by their location, so it's quite a bit of work setting this up to sync.  We do have a group setup which contains all or our SAP users.
    In this example SAP USERS is a group.
    CN=John Doe,OU=SAP USERS,OU=Security and Distribution,OU=Groups,DC=d1c
    Transaction LDAP fails to find record for John Doe, so I have to use
    CN=John Doe,OU=Users, OU=Texas,DC=d1c
    Any help is appreciated.

    I think I know what your problem may be. There is a hard limit of 1000 results for an LDAP search against Active Directory, and I think you're hitting this limit. One way to test is to narrow your search to one small OU with only 10 users in the OU.
    This setting can be changed at the controller and is called "MaxValRange". Here's a link to more info: http://support.microsoft.com/kb/315071
    Before you make this change on your domain controller I'd try narrowing the search to a single OU first.

  • Single Signon and Integration with Active Directory

    Hi,
    We have a requirement to integrate Active Directory with SAP and implement a Single Signon solution. Our Active Directory is running on Windows 2003 and we have 4.7 and ECC6.0 systems which run on Linux OS in our landscape.
    Can any one of you help me by answering the following questions?
    1. Is there any need for a third party solution (tool) to integrate Active Directory and SAP and activate single signon?
    2. Is there any difference in integration between SAP 4.7 and ECC6.0 of SAP on Linux OS with Active Directory?
    3. If possible please share any documents or links on above issue.
    Suitable answers will be rewarded with points. Thanks in advance for your help
    Regards
    Murali

    > Thank you very much for providing me the link. But the document on link seem to be in German. Can you please let me know how to get English version of this document.
    I'm sorry, you'd have to ask Realtech for that document in English.
    Basically you can follow
    http://osdir.com/ml/encryption.kerberos.general/2004-11/msg00007.html
    Markus

  • Beginners guide to integration with Active Directory?

    Hi (complete beginner to this, but a quick learner)
    I don't know where to start with regards to getting the Macs on our network connecting like the PCs. Currently we have about 100 Macs on 10.4.x that are bound to the AD using Directory Access - users can log in, but that's about as far as integration goes. Their home folders do not "map" to the corresponding folders on the Macs, and we (as administrators) have no control over the Mac network users like we would have the local Mac users.
    I've been asked to look into this issue, and along with creating new modular 10.5.x system builds for all our Macs (different hardware, different software needs, different physical locations), I need to know what the next steps are. I have no experience of using Mac OS X Server or Active Directory. Besides telling me to ask the IT department to hire a Mac professional, what should I be looking into next?
    So far, this is how I think the process goes:
    1) Ensure I have solid modular system builds ready to go for the different macs/different classrooms.
    2) Get an Xserve for IT.
    3) Have Open Directory integrate with Active Directory, so that the same access controls/permissions are applied to the Mac users as they are the Windows users (including Finder access controls, Application controls, folder mapping etc) - *this is where I need guidance*.
    4) Push out the system builds to the Macs on the network
    5) Connect the Macs using Open Directory...
    6) ...
    As you can see, my knowledge kind of peters out towards the end there; is this a realistic undertaking for me (a classroom technician who happens to use Macs - NOT trained in any of this) and the Mac-phobic IT department (who would prefer switching all of our workstations to PC)? Are we going to have to bite the bullet and get some expensive consultants in?

    pisto_grih wrote:
    > Hi (complete beginner to this, but a quick learner)
    > I don't know where to start with regards to getting the Macs on our network connecting like the PCs. Currently we have about 100 Macs on 10.4.x that are bound to the AD using Directory Access - users can log in, but that's about as far as integration goes. Their home folders do not "map" to the corresponding folders on the Macs, and we (as administrators) have no control over the Mac network users like we would have the local Mac users.
    And that is about as far as the Apple plugin will take you. In order to do more you need to either extend schema (very scary), look at third party products like Centrify (very expensive), or look at getting an OS X Server and implementing the "magic triangle" in which OS X attributes are managed in OD while users, groups, and password are managed by AD.
    > I've been asked to look into this issue, and along with creating new modular 10.5.x system builds for all our Macs (different hardware, different software needs, different physical locations), I need to know what the next steps are. I have no experience of using Mac OS X Server or Active Directory. Besides telling me to ask the IT department to hire a Mac professional, what should I be looking into next?
    If you go the route of OS X Server and MCX settings, make life easy on yourself and build one common build. Then limit app access based on your groups. That way you can simplify the number of images you maintain down to one (provided you have appropriate licensing).
    > So far, this is how I think the process goes:
    > 1) Ensure I have solid modular system builds ready to go for the different macs/different classrooms.
    See above. But if you need to, look at InstaDMG
    > 2) Get an Xserve for IT.
    Yep. But if you are only doing MCX you might want to look for a cheaper alternative. The Xserve can offer some nice additions, including software update server and Netinstall server among others.
    > 3) Have Open Directory integrate with Active Directory, so that the same access controls/permissions are applied to the Mac users as they are the Windows users (including Finder access controls, Application controls, folder mapping etc) - *this is where I need guidance*.
    Yep. You are on the money.
    > 4) Push out the system builds to the Macs on the network
    Push huh. Look at Radmind. Then take a summer off to learn it. Then become god.
    > 5) Connect the Macs using Open Directory...
    Actually, connect the macs to both AD and OD. This will allow authentication and instantiating through AD and management through OD. Works very well.
    > 6) ...
    > As you can see, my knowledge kind of peters out towards the end there; is this a realistic undertaking for me (a classroom technician who happens to use Macs - NOT trained in any of this) and the Mac-phobic IT department (who would prefer switching all of our workstations to PC)? Are we going to have to bite the bullet and get some expensive consultants in?
    It is learnable especially with the summer and available hardware. However, supporting the consulting industry is always nice http://consultants.apple.com
    Hope this helps

  • 10.6 home directory mounting with active directory and open directory integration

    Hi guys, I am having some issues in my new Mac environment. I have a Windows network with a Server 2008 Active Directory. I have just recently created a "magic triangle" setup with Active Directory and Open Directory. When my users log in via Windows their home folders mount perfectly. When any user logs in to any iMac in the building it does not work. They log in perfectly fine, but their home folders do not mount. When I try mounting them manually with SMB, I get a prompt for credentials. I am thinking this is my issue: my single sign-on with Kerberos is working but for some reason is not logging in correctly. If I type in my credentials with my domain first then my name, it works.
    For example DOMAIN\jsmith works, but the way I think the Mac and Active Directory are doing it now is just jsmith without the DOMAIN.
    I feel like this is the problem with the home folders not mounting.
    Can anyone provide some help with this?
    Thanks,
    Dani

    Hi dani190,
    Are you using the fully qualified domain name of the network server? I.e. if your server is bob and your domain is domain.company.com, then the FQDNS would typically be bob.domain.company.com or bob.company.com.
    If the FQDNS works, then have you checked in the AD to make sure the path to the network home folder uses the FQDNS?
    For the contact search path, did you put the AD at the top of the list (in Directory Utility)?
    Did you set the WINS workgroup on your client computer to your domain?
    I.e.: Apple Menu, System Preferences, Network, Active Network Port (ethernet and/or airport), Advanced button, WINS tab, set workgroup to the name of your domain, i.e. domain.company.com and/or company.com

  • SQL Server 2000\2005 compatibility with Active Directory 2012

    Hi All,
    We are currently using Active Directory 2003 and will be upgrading to AD 2012. I'm trying to determine if there are any known compatibility issues when running older versions of SQL Server (2000 and 2005) when upgrading to AD 2012. I've read forums from when others went from AD 2003 to AD 2008 and didn't experience any issues. We have the newer versions of SQL but I'm not too concerned about these. Any advice would be greatly appreciated. Has anyone been through this process?
    Thanks,

    Hi CraftsmanRobert,
    Based on my understanding, you used Active Directory 2003, then it would be upgraded to Active Directory 2012. You wanted to run older versions of SQL Server (2000 and 2005) with Active Directory 2012.
    Firstly, there can be a compatibility problem when running older versions with Active Directory 2012. SQL Server 2005 (the release version and service packs) and earlier versions of SQL Server are not supported on Windows Server 2012 R2, Windows Server 2012, Windows 8.1, or Windows 8. For more information, please refer to this article: How to use SQL Server in Windows and Windows Server environments (http://support.microsoft.com/kb/2681562/en-us).
    Besides, Microsoft no longer provides assisted support for SQL Server 2000 and SQL Server 2005. Please upgrade the existing instance of SQL Server 2000 and SQL Server 2005 to a new version like SQL Server 2012. You can download SQL Server 2012 Express from this link: http://www.microsoft.com/en-us/download/details.aspx?id=29062.
    Best regards,
    Qiuyun Yu
