Querying Active Directory via linked server in SQL2012

I'm attempting to create a view in SQL2012 which I can then use in SharePoint 2013.  I need a list of the users in an AD group called DeviceAdmins.  I got this query to work, but it only gives me the name of the group DeviceAdmins, not the members of that group. What am I doing wrong?
SELECT TOP 200 name, telephonenumber
FROM OPENQUERY(ADSI, 'SELECT NAME, telephonenumber FROM ''LDAP://CN=DeviceAdmins,OU=security groups,dc=xxx,dc=yyy,dc=com''')

Hi mkrener212,
Based on my knowledge, you can retrieve single-valued attributes like "sn" (surname = last name) or "givenName" and "mail" and so forth, but the SQL-based interface isn't capable of handling attributes like "memberOf" with several values assigned to them.
So I'm afraid you'll have to go another way for this problem - e.g. find and populate the group membership in managed code.
What's more, this is the forum for Directory Services, you can go to the following SQL forum to get more professional help:
http://social.technet.microsoft.com/Forums/en-US/home?category=sqlserver
Regards,
Lany Zhang
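
An added example, not part of the thread: the query in the question binds to the group object itself, which is why it returns a single row for DeviceAdmins. Searching user objects from the domain root and filtering on memberOf (the attribute can be used in the filter even though it cannot be returned as a column) lists the members instead. It assumes the ADSI linked server and the placeholder DNs from the question; the view name dbo.DeviceAdminsMembers is hypothetical.

```sql
-- Added example (not from the thread). Assumes the linked server ADSI and the
-- placeholder DNs from the question; the view name is hypothetical.

-- Direct members only, using the provider's SQL dialect.
CREATE VIEW dbo.DeviceAdminsMembers
AS
SELECT name, telephoneNumber
FROM OPENQUERY(ADSI,
    'SELECT name, telephoneNumber
     FROM ''LDAP://dc=xxx,dc=yyy,dc=com''
     WHERE objectCategory = ''person''
       AND objectClass = ''user''
       AND memberOf = ''CN=DeviceAdmins,OU=security groups,dc=xxx,dc=yyy,dc=com''');
GO

-- Members through nested groups as well, using the provider's LDAP dialect
-- (<base>;filter;attributes;scope) and the matching rule
-- LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).
SELECT name, telephoneNumber
FROM OPENQUERY(ADSI,
    '<LDAP://dc=xxx,dc=yyy,dc=com>;(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=DeviceAdmins,OU=security groups,dc=xxx,dc=yyy,dc=com));name,telephoneNumber;subtree');

-- Caveats:
--  * memberOf does not list a user's primary group, so users whose primary
--    group is DeviceAdmins are not returned by either query.
--  * OPENQUERY against ADSI does not page results, so the search is subject
--    to the directory's MaxPageSize limit (1000 objects by default).
--  * The rows are read with whatever credentials the linked server login
--    mapping uses; grant SELECT on the view only to the account SharePoint
--    connects with.
```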

Similar Messages

  • Configuring Microsoft Active Directory in WebLogic server 10.3.3

    Hi,
    I am working on configuring Microsoft Active Directory in WebLogic server 10.3.3. After configuration I couldn't see any AD users in myrealm-users.
    If there is any document / step-by-step tutorial available please provide me.
    Thanks
    MC

    Just check the product documentation ;-) The Guide Securing WebLogic Server might be of interest for you.
    Here is a link to start with: http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/atn.htm#SECMG175
    --olaf

  • MS Active Directory as LDAP Server - Email & Group variables do not pickup values

    Hello Experts
    We have OBIEE 10.1.3.4.2 using MS Active Directory as LDAP Server. Init Block "Authentication" (4 variables setup - USER, DISPLAYNAME, EMAIL and GROUP) seems to work fine, but when you do a "Test" and supply userid and password , only USER and DISPLAYNAME showup. Email and Group variables are blank.
    Please help. Thanks a lot in advance.
    Regards.

    Hello Srini
    Just USER and DISPLAYNAME variables get populated and I think they are coming from MSAD. However, the Email and Group membership information from MSAD does not flow back to OBIEE Server.
    Regards

  • Execute Oracle procedure via Linked server takes very long

    Exec ('Begin [procedurename]; End;') at OracleLinkedServer
    I used this statement to execute store procedure on Oracle database via linked server. It keeps running and never ends.
    However, if I run this procedure Begin [procedurename]; End; in TOAD, it completes in 10s. 
    This procedure is just simply to merge data between two tables.
    Is there any bug or limit on SQL Server Oracle linked server? I am using SQL SERVER 2012 and Oracle 11g client.

    See if this link helps you
    http://markmal.blogspot.co.il/2008/01/it-is-really-pain-if-you-need-to-call.html
    select * from openquery(MYORADB, '{CALL SCOTT.PROC4MS({resultset 25, OUTPUT})}');
    SELECT * FROM OPENQUERY(<linked server name>, '{CALL <oracle sp>}')
    Best Regards,Uri Dimant SQL Server MVP,
    http://sqlblog.com/blogs/uri_dimant/

  • Syntax to query a MSSQL 2008R2 linked server from Oracle

    Hi,
        I would know if it's possible to query a MSSQL 2008R2 linked server from Oracle. Actually I can query local MSSQL databases from Oracle using dg4odbc without problem but how can I query the linked servers configured on the MSSQL side ?
    From MSSQL, I can query those linked servers using the [linked server name].[catalog].[owner].[table] syntax but using select * from [linked server name].[catalog].[owner].[table]@oracle_dblink_name syntax from the oracle side throw this error:
    ERROR at line 1:
    ORA-00933: SQL command not properly ended
    I tried some syntax variations, e.g. putting double quotes around the object name without luck. After some hours to find a solution I'm out of ideas...
    So please if someone had a clue on this it would be very helpful.
    Some info:
    Oracle 10g 10.2.0.5 Enterprise Edition x64
    Oracle Linux 5.9 Enterprise Edition x64
    MSSQL 2008R2 Enterprise x64
    Windows Server 2008R2 Enterprise x64
    Oracle 11gR2 Enterprise x64 for dg4odbc on MSSQL side
    SQL Server Native Client 10.0 used as ODBC driver

    Hi kgronau,
    Maybe I'm not clear in my explanations, sorry.
    I want, from Oracle, to query a MSSQL linked server.
    Basically I want to do that, if possible:
    Oracle --> MSSQL --> linked server --> MSSQL
      ^                                      ^
      |                                      |
      -------------------->-------------------
    and maybe have a clue about the syntax to be used.
    Knowing that querying the linked server directly from MSSQL is working and querying from Oracle to local MSSQL db is working too.
    Using the right syntax should lead me to success, am I right ? Or maybe its something that cannot be done using oracle dblinks ?
    Thanks

  • Query via linked server to DB2/NT gives different results

    I have a DB2 9.7 database I need to query. I'm testing from four separate SQL Servers.
    ServerA - SQL 2012 SP2
    ServerB - SQL 2012 SP1
    ServerC - SQL 2012 SP1 CU1
    ServerD - SQL 2012 SP1
    I set up a linked server from ServerA. I run QueryA, and am happy with the results.
    I create a linked server from ServerB. I run QueryA and get the message, "Error converting data type DBTYPE_DBDATE to datetime."
    I did the same test on ServerC. It works fine.
    If, inside OPENQUERY, I convert the datetime to a varchar, call it QueryB, it mostly works, but will be missing a small percentage of datetime values from that converted column when run on ServerB. If I run QueryB on ServerA, those missing values are there. Same for ServerC.
    At this point, I can think only that the main difference is the service pack and CU level. I can't find any documentation on updates that are relevant, but doesn't mean much.
    Then, I did the same test on ServerD. ServerD is at the same SP/CU level as ServerB. ServerD worked just fine. Apparently it's not the service pack or cumulative update level making the difference.
    My setup: On each server I loaded MS OLE DB Provider for DB2 Version 4.0. I used the same sp_addlinkedserver script with the same connection string on each server. QueryA and QueryB both used OPENQUERY. They were identical except for the CAST to varchar for a datetime field. This CAST became a call to a function VARCHAR on the DB2 server in later tests with the same result.
    Of course, the only place I actually need this working is ServerB.
    tia,
    Steve

    Sure, with some obfuscation and shortening.
    On each server, (except the first where I had to figure it out), I went through the same process.
    Load MS OLE DB Provider for DB2 Version 4.0 version 9.0.1390.0
    Run the Create Linked Server query
    Run QueryA.
    Only on ServerB has this been a problem. 
    --Create Linked Server
    EXEC sp_addlinkedserver
    @server='LinkedServer',
    @srvproduct='Microsoft OLE DB Provider for DB2',
    @catalog='DBName',
    @provider='DB2OLEDB',
    @provstr='Provider=DB2OLEDB;User ID=Username;Password=Password;Initial Catalog=DBName;Network Transport Library=TCPIP;Host CCSID=1252;PC Code Page=1252;Network Address=127.0.0.1;Network Port=50000;Package Collection=MSDB2COL;Process Binary as Character=False;Units of Work=RUW;DBMS Platform=DB2/NT;Use Early Metadata=False;Defer Prepare=False;DateTime As Char=False;Rowset Cache Size=0;Datetime As Date=False;AutoCommit=True;Authentication=Server;Decimal As Numeric=False;Derive Parameters=True;LoadBalancing=False;Persist Security Info=True;Cache Authentication=False;Mode=Read;Connection Pooling=False;'
    --QueryA
    SELECT * FROM OPENQUERY(LinkedServer,'
    SELECT [ARRIVAL]
          ,[ACCT_CODE]
          ,[ACC_EVENT_ID]
          ,[TRANS_DATET]
          ,[AVAIL_DATE]
          ,[AVAIL_STATUS]
      FROM [DBName].[UserName].[TableName]
    ') AS TableNameLink
    --QueryB
    SELECT * FROM OPENQUERY(LinkedServer,'
    SELECT [ARRIVAL]
    ,[ACCT_CODE]
    ,[ACC_EVENT_ID]
    , CAST([TRANS_DATET] AS VARCHAR(26)) TRANS_DATET
    ,[AVAIL_DATE]
    ,[AVAIL_STATUS]
    FROM [DBName].[UserName].[TableName]
    ') AS TableNameLink
    --QueryC
    SELECT * FROM OPENQUERY(LinkedServer,'
    SELECT [ARRIVAL]
    ,[ACCT_CODE]
    ,[ACC_EVENT_ID]
    , VARCHAR([TRANS_DATET]) TRANS_DATET
    ,[AVAIL_DATE]
    ,[AVAIL_STATUS]
    FROM [DBName].[UserName].[TableName]
    ') AS TableNameLink

  • Query Active Directory + Problem with thumbnailPhoto

    Hi
    I have a problem and I don’t know if it is my SQL Query, so here goes
    I have a view on my SQL server that Queries our Active Directory. I can see that there is data in the table.
    But when I try to use the Image in some C# code I get an error on 60% of the images with the exception header missing or corrupted.
    My view is built with this Query:
    select *
    from openquery(ADSI, 'SELECT sAMAccountName, mail, title, displayName, telephoneNumber, mobile, sn, givenName,  department, thumbnailPhoto
    FROM ''LDAP:[REMOVED]''
    WHERE objectCategory = ''Person''')
    Do you have any idea where the problem is? The photos shows up fine in Outlook, SharePoint, lync etc. I’m pretty sure that the C# code works correctly. Hope you can help.
    Regards
    If only I had time to learn everything I wanted ...

    Hi Latheesh
    I've tried with this script:
    SELECT ISNULL(ROW_NUMBER() OVER ( ORDER BY department ), -999) 'id' ,
    CONVERT(NVARCHAR(25), givenName) AS Fornavn ,
    CONVERT (NVARCHAR(50), sn) AS Efternavn ,
    CONVERT(CHAR(5), UPPER(SUBSTRING(mail, CHARINDEX(mail, N'@'),
    CHARINDEX(N'@', mail)))) AS 'initialer' ,
    CONVERT(NVARCHAR(255), mail) AS Mail ,
    CONVERT(NVARCHAR(75), title) AS Stilling ,
    CONVERT(NVARCHAR(120), department) AS Afdeling ,
    CONVERT(NVARCHAR(13), telephoneNumber) AS Fastnet ,
    CONVERT(NVARCHAR(13), mobile) AS Mobil ,
    CASE WHEN userAccountControl = 2 THEN 'Account is Disabled'
    WHEN userAccountControl = 16 THEN 'Account Locked Out'
    WHEN userAccountControl = 17
    THEN CONVERT (VARCHAR(48), 'Entered Bad Password')
    WHEN userAccountControl = 32
    THEN CONVERT (VARCHAR(48), 'No Password is Required')
    WHEN userAccountControl = 64
    THEN CONVERT (VARCHAR(48), 'Password CANNOT Change')
    WHEN userAccountControl = 512 THEN 'Normal'
    WHEN userAccountControl = 514 THEN 'Disabled Account'
    WHEN userAccountControl = 544
    THEN 'Account Enabled - Require user to change password at first logon'
    WHEN userAccountControl = 8192
    THEN 'Server Trusted Account for Delegation'
    WHEN userAccountControl = 524288
    THEN 'Trusted Account for Delegation'
    WHEN userAccountControl = 590336
    THEN 'Enabled, User Cannot Change Password, Password Never Expires'
    WHEN userAccountControl = 65536
    THEN CONVERT (VARCHAR(48), 'Account will Never Expire')
    WHEN userAccountControl = 66048
    THEN 'Enabled and Does NOT expire Paswword'
    WHEN userAccountControl = 66050
    THEN 'Normal Account, Password will not expire and Currently Disabled'
    WHEN userAccountControl = 66064
    THEN 'Account Enabled, Password does not expire, currently Locked out'
    WHEN userAccountControl = 8388608
    THEN CONVERT (VARCHAR(48), 'Password has Expired')
    ELSE CONVERT (VARCHAR(248), userAccountControl)
    END AS 'Disabled' ,
    CONVERT(NVARCHAR(75), givenName + ' ' + sn) AS 'DisplayName' ,
    CONVERT (VARBINARY(MAX), thumbnailPhoto) AS 'Photo'
    INTO ##adTemptable
    FROM openquery(ADSI, 'SELECT sAMAccountName, mail, title, displayName, telephoneNumber, mobile, sn, givenName, department, thumbnailPhoto,userAccountControl
    FROM ''[REMOVED]''
    WHERE objectCategory = ''Person''')
    WHERE department IS NOT NULL
    But I still get the same error on MANY rows
    OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 6846 and truncated data length is 4000.
    OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 7006 and truncated data length is 4000.
    OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 6496 and truncated data length is 4000.
    If only I had time to learn everything I wanted ...
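
An added example, not part of the original post: userAccountControl is a bit field, so a value such as 66050 is the sum of several flags, and an equality test matches only the exact combinations that are listed. The query below tests individual flags with bitwise AND; the sample rows are constructed, and the table variable and column aliases are assumptions.

```sql
-- Added example (not from the thread). Sample rows are constructed.
DECLARE @accounts TABLE (sAMAccountName NVARCHAR(64), userAccountControl INT);

INSERT INTO @accounts (sAMAccountName, userAccountControl) VALUES
    (N'user1', 512),     -- NORMAL_ACCOUNT
    (N'user2', 514),     -- NORMAL_ACCOUNT + ACCOUNTDISABLE
    (N'user3', 544),     -- NORMAL_ACCOUNT + PASSWD_NOTREQD
    (N'svc1',  66048),   -- NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
    (N'svc2',  66082),   -- 512 + 2 + 32 + 65536: a combination an exact-match list can miss
    (N'svc3',  590336);  -- 512 + 65536 + 524288 (TRUSTED_FOR_DELEGATION)

-- Decode each flag independently of the others.
SELECT sAMAccountName,
       userAccountControl,
       CASE WHEN (userAccountControl & 2)      <> 0 THEN 1 ELSE 0 END AS IsDisabled,            -- ACCOUNTDISABLE         0x0002
       CASE WHEN (userAccountControl & 32)     <> 0 THEN 1 ELSE 0 END AS PasswordNotRequired,   -- PASSWD_NOTREQD         0x0020
       CASE WHEN (userAccountControl & 65536)  <> 0 THEN 1 ELSE 0 END AS PasswordNeverExpires,  -- DONT_EXPIRE_PASSWORD   0x10000
       CASE WHEN (userAccountControl & 524288) <> 0 THEN 1 ELSE 0 END AS TrustedForDelegation   -- TRUSTED_FOR_DELEGATION 0x80000
FROM @accounts
ORDER BY sAMAccountName;

-- Review query: enabled accounts that need no password or whose password never expires.
SELECT sAMAccountName, userAccountControl
FROM @accounts
WHERE (userAccountControl & 2) = 0
  AND (userAccountControl & (32 | 65536)) <> 0
ORDER BY sAMAccountName;
```

The LOCKOUT (16) and PASSWORD_EXPIRED (8388608) bits are defined for this attribute, but Active Directory does not maintain them in userAccountControl, so a test on those two values is not a reliable indicator.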

  • How to create two domains name in one active directory domain service .server 2012 ??

    Hi there 
    I want to try sharepoint foundation and office web apps server .
    I installed server 2012, sharepoint found 2013, sql server 2012 and created a new forest on active directory domain service.
    Now I want to install office web apps server 2013, but when I run the setup it told me I can't install office web apps server on the domain name that has sharepoint installed.
    How can I create a second domain name on this active directory domain service to install office web apps server?
    Help me please, I'm new and just want to try sharepoint and office web apps server.
    Mostly I need to create an MS access custom web app and I need the web place to run my access custom web app on this server, and because I live in iran I can't create and sign up for office 365 and sharepoint online, so I'm forced to run them on my system. Help me to complete this server?
    Great regards:
    Raha
    With best regards: Raha

    Hi,
    For how to Use Office Web Apps with SharePoint 2013, the below links should be what you want to refer to:
    Configure Office Web Apps for SharePoint 2013
    http://technet.microsoft.com/en-us/library/ff431687.aspx
    Video: Configure Office Web Apps for SharePoint 2013
    http://technet.microsoft.com/en-us/library/dn455088.aspx
    How Office Web Apps work on-premises with SharePoint 2013
    http://technet.microsoft.com/en-us/library/ff431685.aspx
    In addition, for further assistance for Sharepoint, I suggest you post in the SharePoint forum.
    Regards,
    Yan Li

  • SAP R/3 Authentication with Active Directory on Win2k server.

    Hello list ,
    We are running SAP R/3 4.7 with WebAS 6.2 on Solaris and a Windows 2000 Active Directory domain. Our users access SAP in 3 ways
    1) SAP GUI .
    2) SAP BW
    3) Travel & Expense - a java application that records users travel details and posts a transaction to SAP using the SAP userid and password.
    Wish to implement SSO for all our users.
    Some research we have done suggests
    1) Using Kerberos for authentication. while it appears that microsoft krb 5 implementation will work only on windows servers, it is not clear how well are other krb implementations supported by SAP. OSS note # 150380 and link http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm
    2) OSS note # 352295 suggest there could be some issue using KRB 5 shipped with unixes.
    "All of the major Unix vendors seem to be shipping a version of Kerberos 5 these days. These implementations should be wire-interoperable with each other and with Microsoft W2K (not necessarily W2K3!), however they may not be interoperable with SAP's shared library interface to GSS-API v2 mechanisms."
    3) There are some commercial solutions like - CyberSafe that provides krb based SSO at a fee. Has anyone tried this software ?
    I have created an OSS ticket but we are still in a queue since 5 days already.
    Has any one from the list implemented a similar solution ? What are the best practices and way to go for a robust solution.
    4) Another option that we have is to start with user synchronization. Where in Users created in Active Directory get synchronized with SAP .
    What is mandatory for us is that Users marked disabled in Active Directory should be blocked in SAP by synchronizing user information at regular interval. If anyone has implemented this solution I will appreciate if they give me some pointers.
    Thanks in advance.
    Harsh Busa

    Tim,
    you are perfectly right: that Vintela product is not certified (as SNC solution).
    But you are not quite right regarding the separate treatment. The major difference between that product and the SNC certified products (such as CyberSafe, Entrust, ...) is: Vintela uses different SNC libraries on the client side (=> our Windows SSPI wrappers, see SAP note 352295, http://service.sap.com/~iron/fm/011000358700000431401997E/352295) and the server side (=> their own SNC library, not certified). And that is actually also one reason why that solution cannot be certified ...
    Well, those Windows SSPI wrappers provided by SAP (=> gsskrb5.dll, for example) are also not "SNC certified", but SAP provides support (being in contact with Microsoft). Well, as some people might know, there are also some interoperability issues between different Microsoft OS versions ... - resulting in reactive patches of our SSPI wrappers.
    I really do not want to promote any product - neither the one of Quest Software Inc., nor the one of CyberSafe Ltd (http://www.cybersafe.ltd.uk/), nor Entrust Inc. (http://www.entrust.com), nor SECUDE IT Security GmbH (http://www.secude.com/), nor ...
    I do not even want to discourage anyone from implementing his own Kerberos-based solution (or any other solution which provides a GSS API), provided that this person is able to help himself. Reason: if products of different vendors are used and interoperability problems occur the usual finger-pointing will start. In the end you'll not get support by anyone ... - as long as you are aware of this (and capable of helping yourself) you can go ahead. Some (known) universities are belonging to that group ... - but it might not be appropriate to the vast majority of customers.

  • Updating custom boolean attribute in Active Directory via OIM

    The adapters delivered with the AD connector support updating standard attributes (string) and multi-value attributes, but I can't seem to figure out how to update a custom Boolean attribute in AD via OIM. The delivered Boolean fields all appear to have custom adapters (ie Account Locked, Password Never Expires, etc.)
    I've tried using the delivered adpADCSCHANGEATTRIBUTE adapter, but it fails (as expected) with:
    com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : updateDetails : Attributes cannot update:[LDAP: error code 21 - 00000057: LdapErr: DSID-0C090B73, comment: Error in attribute conversion operation, data 0, v1772 ]
    Suggestions?

    No I don't have custom boolean attributes in AD. But I added custom attributes of other types.
    When you say custom, do you mean it did not come with the out of the box AD connector, but exists in the Active Directory of your organization?
    There are a few attributes in AD which look like they are boolean when you see the AD console but are actually different. Look at the link for details.
    [http://support.microsoft.com/kb/305144]
    Look at this post for context.
    AD Provisioning - Password never expires & User must chg pwd at next logon
    Thanks,
    M

  • Active Directory FSMO link fail: auth doesn't work

    We have an active directory forest installed with 3 domain controllers located in various cities connected by 10mb links:
    1. KHB (FSMO) - windows 2008 server
    2. KMS - windows 2008 server
    3. AMR - windows 2008 server
    There are also computers in each city:
    1. xxxDCOMSVR - windows 7  
    2. xxxDCOMCLI - windows 7
    When we disconnect link between AMR and KHB - AMRDCOMCLI can't connect to AMRDCOMSVR DCOM object (access denied)
    When I try to setup rights on DCOM object it shows me "The target principal name is incorrect".
    AMRDCOMSVR and AMRDCOMCLI dns ip settings is an ip of AMR.
    Is there any way to setup active directory to authorize users with FSMO link error ?

    I would recommend that you start with this for the IP settings of your DCs: http://www.ahmedmalek.com/web/fr/articles.asp?artid=23
    For your client computers, make sure that they point to AMR server as primary DNS server and the other DCs as secondary DNS servers (I assume here that all your DCs are DNS servers).
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Db10g external password authentication from Active Directory via OID

    HI ALL
    - i have a synchronization AD-to-OID (OAS 10.1.2 (Infra)cold failover cluster, 2 nodes)
    - i have external authorization of AD users via SSO (external authorization plug-in)
    - i have RAC DB(10.1.0.3, 2 nodes) enterprise authorization of OID native users who have their passwords in OID (global schema)
    - but i can't configure DB authorization of AD-to-OID synchronized users who don't have their passwords in OID
    error:
    ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
    i.e. those users are not recognized as users with external passwords.
    Any ideas, please ...

    I've gone through that thread a few times already, but it only covers infrastructure based on Sun JDS, which seems to pose less problems than Active Directory. Many others refer only to hand-compiled OpenLDAP installations which are quite different to configure... sigh
    I have, however, managed to get the base system running - meaning I can see Solaris ask LDAP for locally unknown user and group names - but all I get back is Unknown Object.
    Here's a snoop dump of one of the failed requests, in hope someone here can shed some light on the problem:
    request from my server to the LDAP box:
    LDAP: [Base Object]
    LDAP: ou=people,OU=Austria,DC=AT,DC=OurADdomain,DC=com
    LDAP: [Scope]
    LDAP: wholeSubtree
    LDAP: Equality Match *[3]
    LDAP: [Attr Descr]
    LDAP: objectClass
    LDAP: [Value]
    LDAP: posixAccount
    LDAP: *[3]
    LDAP: [OctetString]
    LDAP: uid
    LDAP: [OctetString]
    LDAP: myusername
    reply from the LDAP server:
    LDAP: [Error Message]
    LDAP: 0000208D: NameErr: DSID-031001CD
    LDAP: , problem 2001 (NO_OBJECT), data
    a) our Active Directory 2003 R2 with the default Unix schema does not seem to implement the objectClass=posixAccount attribute, although the documentation on MSDN suggests that attribute should be there. I'm atm about to get some MS guy to solve this..
    b) The base object DN seems to always get prefixed with ou=people - why? I didn't enter that field with ldapclient, and that orgunit does not exist in AD per default. How can I prevent Solaris from modifying my search path in that way? I think this is one of the reasons why I keep getting no-object-errors.
    c) Our AD doesn't seem to offer a way to create/modify the unix object classes shadowExpire, shadowFlag and others for password management. Are those strictly necessary - i.e. will I run into new problems with those if I managed to solve a) and b)?

  • DNS and Active Directory error 4000 server 2008

    Hello all,
    My network skills aren't very good and I'm facing a dilemma. First off we have two Windows servers on the network. The newest is 2008 Standard (named Vader) and the other is 2000 (dells3). Obviously I'd like to get rid of the 2000, but the people in charge of my budget haven't given me the option to do so and it's the only back up we have.
    Earlier in the week we had lots of problems. One of our nas boxes locked everyone out who was mapped to it and it would only let me log in through the web portal. Two of our Macs our marketing department uses suddenly locked up and wouldn't let them back in (both were part of the Active Directory). A second nas box won't let certain people map to it and for awhile I had issues logging into Vader itself.
    I believe all of these problems are connected to some issues on Vader and possibly in conjunction with dells3. In Server Manager under DNS I get error 4000 "The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code."
    Then under Active Directory Domain Services I get error 2042 "It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source."
    Followed by more text I can post if needed.
    Under File Services error 1202 "The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues."
    And finally if I try to open Active Directory Domains and Trusts "The configuration information describing this enterprise is not available. The server is not operational."
    I'm not sure where to start or what to post that might help. Any and all help is appreciated.
    Edit: Also I can only add dells3 as the DNS on Vader in the DNS Manager if I try to add Vader to itself I get an error.

    It's the other way around. Overall, I'm advising ripping the 2008 server out of AD and adding it back. Let's look at this as a series of steps:
    1.) You do a force demote of the 2008 server because it's tombstoned. This means the 2008 server is no longer a DC. You are doing a force because it doesn't have the ability to replicate. If it could replicate, we'd just do a graceful demotion and be done with it.
    2.) Once the 2008 server is demoted, we go to the 2000 server which holds the only good copy of AD. From that server we run a metadata cleanup using the ntdsutil utility. We use that utility to clean out references to the 2008 server which is no longer a DC.
    3.) Once you have a clean AD, you can then promote the 2008 server back into Active Directory. Make sure Vader is pointing to Dells3 as its primary DNS server before promoting or you'll run into issues.
    Hopefully that clarifies things.

  • Upgrade from Windows Server 2012 Active Directory to Windows Server 2012 R2 Active Directory

    We are currently running Windows Server 2012 Active Directory and would like to upgrade to Windows Server 2012 R2 AD. Is it OK to just do an in-place upgrade, or is it advisable to build new domain controllers on R2? Are there any guides or articles anyone can recommend?

    Hi Ginandtonic,
    To upgrade DC(Domain Controller) from windows server 2012 to windows server 2012 r2, please refer to these articles:
    Upgrade from windows Server 2012 to 2012 R2
    Upgrade Active Directory from 2012 to 2012 R2
    I hope this helps.
    Best Regards,
    Anna

  • SAP R/3 Enterprise 4.7 Sync with Active Directory on Win2k3 server

    All,
    I'm having a nightmare with this and I'm hoping someone can either confirm my problem or solve it for me.
    We are running R/3 Enterprise 4.7 (Web AS 6.20) and would like to sync the users with Microsoft Active Directory 2003.
    We are exploring the option of using full Active Directory schema expansion for the SAP sync.  i.e. so we have all SAP related fields in AD.
    According to the SAP notes, I need the WEB AS 6.10 installation CD so that I can run R3SETUP to perform the Active Directory schema modifications.
    I have tried to download this from the SWDC with no luck.
    So I guess my questions are:
    1, Do I really need the 6.10 install cd (it seems it's only the ADSINIT.R3S file).
    2, If I do, where can I get it from?, do I need to order it through our SAP contract manager?
    In the meantime, I have tried performing the manual schema extension using the RSLDAPSCHEMAEXT report, uploading this to the AD server and running "ldifde" command.
    This has extended the schema (or so it says), but I can't see any SAP icon in the AD tree.  Have I missed something?
    Any help appreciated.
    Thanks,
    Darryl

    Rainer,
    Thanks for that.
    I have been re-reading note 793191 and question 14 says exactly that.
    I will checkout JXplorer.
    I have found a couple of MS technet articles on how to add your own context menus to the snap-in but it seems like a lot of effort for no real gain.
    Thanks again.
    ps. awarded points
