What is Active directory?

Hi,
What is Active directory? How to check this in the Portal?
Regards,
Naresh

Active Directory is an external component which is used in the portal as an external directory for maintaining user data and profiles.
Generally we use the portal UME for portal users.
But many companies have a central Active Directory for maintaining/creating user profiles.
Then, instead of creating users in the portal, we connect to the Active Directory through LDAP (Lightweight Directory Access Protocol).
You can see these configurations at
System Administration -> System Configuration -> UME Configuration
If Active Directory is connected to the portal using LDAP, then you will see
LDAP instead of UME in front of the user.
Raghu

Similar Messages

  • Active Directory integration problem, Bind AC and OD

    Hi.
    I'm trying to set an Open Directory as "connect to a Directory System" because I have a Windows 2000 server with Active Directory. But I have a problem: when I click on "open directory Access", Access Directory appears and I select Active Directory.
    xxx.yyy is the server with Active Directory, with its admin and its password, but I can't bind it and an error always appears.
    Can you help me?
    What's "active directory domain"? Is it xxx.yyy?
    And what's "computer ID"?
    Are there other parameters to set, for example in DNS or elsewhere?
    help help help

    What are you trying to achieve by doing this?
    Go to http://www.afp548.com/ and search for AD-OD integration.
    http://www.afp548.com/article.php?story=20051202151540574

  • What do I need to do to enable Active Directory users to authenticate to AFP shares in 10.8 server?

    We recently upgraded from 10.6 server to 10.8 server and are having trouble with AFP shares and Active Directory.  We have shares on each of our OS X servers that should be mountable by any Active Directory user at the site the server resides.  In 10.6, this worked beautifully.  Simply adding the appropriate AD groups with appropriate permissions to the ACL of the folder(s) being shared worked without a hitch.  In 10.8 server, this is not working.  Permissions are defined correctly (as far as I can tell), the server is bound to AD, but yet no AD user who should have access can mount the share.  When attempting to mount the share on a 10.6 client, the user gets the short and simple "You entered an invalid username or password.  Please try again."  On a 10.7 client, the window shakes. 
    What confuses me even more is that no local users can mount the share as well.  I try as our admin account, I receive the following error message on our 10.6 clients:
    Actually, as I was formulating this post, logging in as the server administrator account is now working...???!!!
    This was the error message we were receiving on 10.7 clients before it magically started working:
    In any case, authenticating as an AD user is still no go.  Any ideas?

    I had something similar to this. In the name field put in DOMAIN\username rather than just the name.

  • To build the organization's Active Directory permissions are what we need

    To build the organization's Active Directory permissions are what we need

    what is your actual question?  Can you be more specific?
    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
    Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
    This posting is provided AS IS with no warranties, and confers no rights.

  • UME connected to Active Directory. How to change what fields are available

    I have successfully changed my UME to point to Active Directory. I'll describe process further on in post. My issue now is how to modify what AD fields will be available in UME and what UME fields they'll be 'mapped' to.
    I'll try to describe the process I've gone through so far:
    1) Download the 'dataSourceConfiguration_ads_readonly_db.xml' file from Config Tool
    2) Renamed file and added the following:
        a) in <responsibleFor><principal type="user"> <nameSpaces><nameSpace name="com.sap.security.core.usermanagement"><attributes> section I added a <attribute name="xxx"/> tag for each new field I wanted. 'xxx' is, of course, the name of the field
        b) in <attributeMapping><principals><principal type="user"> <nameSpaces><nameSpace name="com.sap.security.core.usermanagement"><attributes> section I added a <attribute name="xxx"><physicalAttribute name="yyy"/></attribute> tag for each new field I wanted. 'xxx' is, of course, the name of the field in UME and 'yyy' is the field in the LDAP
    Then I uploaded the new file into Config Tool and switched the "Data source configuration file" selection to that new file. Saved the change and restarted the engine.
    When I ran some test code I was getting information back from the user's AD entry. For example, I tested the email field. This is a field that is not maintained in the UME but I got the correct value back so I knew it was getting it from AD.
    Then I wanted to see if I could get one of the new fields. When I ran my test code the user.getXxx() method call returned null.
    Since I knew that getting the e-mail worked I thought I'd change the mapping for the email UME field to point to the 'yyy' field in AD. I did this by making this change:
    FROM:
      <attribute name="email">
        <physicalAttribute name="mail"/>
      </attribute>
    TO:
      <attribute name="email">
        <physicalAttribute name="yyy"/>
      </attribute>
    I then uploaded that new xml file and switched to it in Config Tool. Then I restarted the engine.
    However, when I ran my test code (see below for snippet) it still shows the email value instead of the value of field 'yyy'.
    Any help would be GREATLY appreciated.
    Web Dynpro code snippet:
    // UME API types used below
    import com.sap.security.api.*;

    String input = "smith";
    IUserFactory userFactory = UMFactory.getUserFactory();
    try {
      // Search for users whose last name matches the input
      IUserSearchFilter searchFilter = userFactory.getUserSearchFilter();
      searchFilter.setLastName(input, ISearchAttribute.LIKE_OPERATOR, false);
      ISearchResult searchResult = userFactory.searchUsers(searchFilter);
      while (searchResult.hasNext()) {
        // Each result is a unique user ID; load the user and read the mapped field
        String userID = (String)searchResult.next();
        IUser user = userFactory.getUser(userID);
        String email = user.getEmail();
      }
    } catch (UMException e1) {
      //error handling
    }

    Update. I uploaded the wrong file the 2nd time. When I changed the XML file to 'bind' the AD field to the 'email' UME field, my code did return the AD value when I did
    user.getEmail();
    However, I'm still not able to get the AD field bound to any other UME field that wasn't part of the default XML file.
    Is there something else I need to do besides adding the tags I described in my original entry?
    Thanks
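
The post above edits two sections of the data source configuration XML. As an added example (not part of the original post, and not SAP's code), this Python script cross-checks the user attributes listed under responsibleFor against those under attributeMapping and reports names that appear in only one of them. The sample XML, the `dataSources`/`dataSource` wrapper with its `id`, and the attribute names `costcenter` and `orphan` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

UME_NS = "com.sap.security.core.usermanagement"  # namespace quoted in the post

# Constructed sample; element paths follow the ones described in the post.
SAMPLE = """<dataSources>
  <dataSource id="CORP_LDAP">
    <responsibleFor>
      <principal type="user">
        <nameSpaces>
          <nameSpace name="com.sap.security.core.usermanagement">
            <attributes>
              <attribute name="email"/>
              <attribute name="xxx"/>
              <attribute name="costcenter"/>
            </attributes>
          </nameSpace>
        </nameSpaces>
      </principal>
    </responsibleFor>
    <attributeMapping>
      <principals>
        <principal type="user">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <attribute name="email"><physicalAttribute name="mail"/></attribute>
                <attribute name="xxx"><physicalAttribute name="yyy"/></attribute>
                <attribute name="orphan"><physicalAttribute name="zzz"/></attribute>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
      </principals>
    </attributeMapping>
  </dataSource>
</dataSources>"""


def _user_attributes(section, namespace):
    """Yield <attribute> elements for principal type 'user' in one namespace."""
    if section is None:
        return
    # iter() searches all descendants, so an extra <principals> wrapper is tolerated.
    for principal in section.iter("principal"):
        if principal.get("type") != "user":
            continue
        for ns in principal.iter("nameSpace"):
            if ns.get("name") == namespace:
                yield from ns.iter("attribute")


def check_mapping(xml_text, namespace=UME_NS):
    """Return, per data source id, how the two sections line up."""
    root = ET.fromstring(xml_text)
    report = {}
    for ds in root.iter("dataSource"):
        declared = {a.get("name")
                    for a in _user_attributes(ds.find("responsibleFor"), namespace)}
        mapped = {}
        for a in _user_attributes(ds.find("attributeMapping"), namespace):
            phys = a.find("physicalAttribute")
            mapped[a.get("name")] = phys.get("name") if phys is not None else None
        report[ds.get("id")] = {
            # logical UME name -> directory attribute, for names present in both sections
            "mapped": {k: v for k, v in mapped.items() if k in declared and v},
            "declared_not_mapped": sorted(declared - set(mapped)),
            "mapped_not_declared": sorted(set(mapped) - declared),
            "empty_mapping": sorted(k for k, v in mapped.items() if not v),
        }
    return report


if __name__ == "__main__":
    for ds_id, result in check_mapping(SAMPLE).items():
        print(ds_id, result)
```

Running it against the file that is actually selected in Config Tool also shows whether the uploaded version contains the edits at all, which is the mistake the update above describes.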

  • What do I need the Computer certificate for in an Active Directory domain? Theoretical Inquiry

    So we are trying to clean up the thousands of certificates we have deployed.  We are on a 2008 R2 Active Directory and have been using certs for about a decade.  With all of our machines auto-enrolling in Computer certificates and renewing every year we have maybe 50,000 certificates; yes, some are expired already, but it's a nightmare to manage.  So what do we need the Computer certificate on all the Windows machines for anyway? Some are XP, most are Windows 7.
    Is the Computer certificate required for Kerberos authentication?
    If we don't need it I'd rather stop publishing the Computer template and simplify our lives.
    Please explain (I am not new to PKI, though this question may make me seem like a novice) I get the Web Certs, EFS, etc.

    Computer certificates are not needed for Kerberos authentication.
    They are typically used for 802.1x WLAN or wired authentication, or they might be used for VPN logon. Then you might use them for IPsec / "domain isolation" or perhaps DirectAccess or related solutions by other vendors.
    So they are needed for some sort of "network isolation" but they are not required for default AD operations. With some of the mentioned scenarios (e.g. 802.1x / IPsec) you have the choice to pick either certificates or other credentials.
    Elke

  • What is the Best Practice for publishing Offline Root CA Cert and CRL to Active Directory?

    Hi,
    I've read and seen in a few labs different approaches to what is published in Active Directory for a Offline Root CA.  I've seen just the Root Cert published to AD as well as the Root Cert and the Root CRL published to AD. 
    I can understand why the Root Cert is published to AD, but why would the Root CRL need to be published to AD, especially if my Offline Root CA just issues the Cert for my Subordinate Issuing CA?  So looking for Best Practices here.
    Thanks for your help! SdeDot

    On Sun, 22 Feb 2015 18:44:25 +0000, Andrzej Kazmierczak wrote:
    > Best practice is to publish CRL to 2 alternative paths - LDAP for your internal users to access them on the first place and HTTP as an alternative option to LDAP and as the only option for your external users.
    No, the current recommended best practice is to publish to a highly
    available HTTP location first (and possibly the only CDP) that is available
    both internally and externally. This covers Windows and non-Windows
    devices, domain joined and non-domain joined devices and internal and
    external devices as well as multi-forest scenarios with no trust between
    forests.
    Paul Adare - FIM CM MVP

  • What is the concept of Active directory in HFM

    Hi Experts
    What is the concept of Active directory in HFM?
    regards
    Dev

    Hi Dave,
    Not sure if this is your exact requirement... but might be helpful.
    The concept of Active Directory is that users can log in to the HFM application with their Windows credentials. To make that work you first need to configure it.
    Please refer to the link below, page 23:
    http://docs.oracle.com/cd/E17236_01/epm.1112/hss_admin_1112200.pdf
    Hope this helps,
    Thank you,
    Charles Babu J

  • What is Azure? Can it replace an on premise Active Directory?

    As you might guess, I'm a complete newbie to Azure and have no knowledge of it at all.
    I have a project for which I need to find the most efficient and cost effective solution. Rather than me ask questions, perhaps it's better I explain the project and hopefully someone will be able to tell me if Azure will provide a solution.
    I have an on premise SBS 2003 R2 server which I need to replace due to the end of life of Server 2003 R2. This server provides, AD, Exchange and File & Print services to around 40 users. I have been given the remit of 'spend as little as possible
    and use Cloud services as much as possible' to achieve the migration but I don't want it to be at the expense of productivity and end user harmony.
    I have started trialling Office 365, which will hopefully take care of the File and Exchange side of things. So far the users have found it a bit frustrating trying to navigate to files on SharePoint. They are unable to effectively map a drive or explore
    to SharePoint and they are frequently asked to enter their O365 password, on top of their local domain password. Although I've not tried Single Sign On, it sounds like this might resolve the issues we're having with O365.
    From what I've heard, I'd need an on premise AD server in order to implement Single Sign On, so this means buying a new on premise 2012 server to replace the 2003 SBS server. This obviously means expense. I'm wondering if there is an alternative solution
    that addresses the Single Sign On problem and gives me AD features, such as group policy, but without the necessity for an on premise server. Ideally it would also give me print server features too.
    Has anyone any idea if Azure can provide an effective solution to my project or have any other solutions. If not, I'll have to get the on premise server.

    Hi TIMTAM73,
    This is actually a great topic around the position of Azure for the Enterprise environment and how Azure AD might help.
    You've earlier mentioned that you're currently trial-ing O365, for which I truly congratulate you. In my opinion, that's by far the best SaaS product for organizations looking for a professional Exchange, SharePoint and CRM solution.
    Please let me also introduce a new term to the discussion, namely Azure Active Directory (AAD, for short). AAD is what the entire Office 365 users & groups repository is based on.
    In terms of Windows Server Active Directory, if you're looking to domain-join your organizational computers after you ditch your ancient-WS2003 server, please be advised that AAD won't help, because currently AAD is NOT an LDAP, meaning that it's only
    a little more than a user&groups repository and that's it. However, because you were advised to look more into cloud services, please note that there's always the option of deploying a VM with Windows Server 2012 R2 installed and install the role of Active
    Directory Domain Services on it. This also means that you get LDAP, but on a newer system.
    Afterwards, you'll have to worry how your organizational computers will join the domain you created "in the cloud". Here's where Azure Virtual Networks come in. Considering that you have a decent router, you have the option of creating a site-to-site
    VPN and thus connect your local LAN to a network of cloud services which will be hosted on the same IP classes where your computers are: voila, you get domain-joined computers on a cloud-hosted VM.
    Lastly, because Exchange might be too expensive to acquire and maintain, I suggest you look into Office 365. Here, you have the option of using the so-called AD Connect (or the generally available and tested DirSync option) which will synchronize your users
    and (optionally) password hashes. Additionally, there's also the option of Single Sign-On (SSO), which will save your users from having to regularly input their credentials.
    As for the File and Exchange things, you have a few options:
      - Use OneDrive for Business and thus your users will get a OneDrive repo directly in File Explorer
      - Deploy a VM on your cloud service which has the File and Document role installed, with the Work Folders feature, and afterwards configure Work Folders on your users' Windows 7/8 PCs
      - ...or simply use an SMB share or FTP on that VM on Azure
    Please keep in mind that when it comes to document sharing, it would be best to add at least an additional data drive (with no write caching) and configure the shares on this/these drives. Never use the D:\ drive on the VM - that's a temporary storage solution
    designed for caching in IIS, for example - or C:\ - the OS disk has write caching applied and you'll eventually get into lots of trouble with your users for losing their data :).
    I hope this helps. I'll be happy to give you more insights and put you on the right track if you miss finding the right documentation.
    Alex

  • What is the Point of Active Directory/LDAP Specification?

    My college threw an interesting curve ball today and I couldn't give him a good enough answer. The question was simple 'What is the point of active directory'. Now I don't have a lot of exposure to active directory, but I thought I could easily answer. My argument was; If you have a group of objects its easy to look up attributes for those objects using active directory. For example, if you have a group in AD and you want to verify the users of that group you simply look up the member attribute of that group. However he argued, rightly so, that you can do that with a table in a database, why do that in AD. I couldn't give him a good enough answer and now I'm curious. Given the above example, why use AD over a database?
    To me AD is a way to manage a set of resources, whatever they are, by mapping them to objects that have however many attributes. But we could do that in a database, what's the point of AD? Why do you use AD?

    I come from a primarily database centric background. Just like life experience, it casts a certain perspective on problems. Database people solve things with databases. Directory people solve things with directories. Everyone has their perspective. It's not really about who's right and who's wrong. It's about perspective because people are most likely to go with what's familiar when given a problem. It's easy to have this conversation in an educational environment but when you're on the job it's about turf, schedules and careers. My latest job (in which this debate comes up a lot) has been about directories which has been a very enlightening experience because I've been given a gift of perspective. I can put on the directory hat and look at it from another angle.
    To get back to your professor's question. The answer is easy. LDAP (AD or other) is an application above a database. It has a data store behind it, in most cases we can just assume this is a database. So, in short, it's apples to oranges. But if we insist on comparing which makes the better juice, let's look at how we'd make a database like a directory. We could create a data model with an attributes table, an entries table and so on. We can deconstruct what LDAP data structures really are and implement each type as a table with FK/PK relationships and so on. It's sure to work because there are already so many products on the market doing this very thing. But think about the effort now. How are you going to add new users? A front-end? Stored procedures? Scripts? How are you going to keep someone from seeing things they shouldn't? You have to insert an object into all the right tables to ensure that your data is consistent and valid. In a pure database, you're trying to create ACLs on database rows. Now you're writing a full featured application with a lot of complexity. Given enough directory features, the database isn't going to be able to do everything without an external application.
    What is the point of LDAP? It's got hierarchy, ACLs, group of unique names functionality and things that are a layer of abstraction above the data store. I love databases but if you start designing out a directory server from scratch you'll realize it's far beyond comparing a user.ldif to a row in a user table. They are similar in appearance but different types of software.
    Edited by: milkfilk on Dec 16, 2008 11:48 AM
    Edited by: milkfilk on Dec 16, 2008 11:54 AM

  • What is involved in going from local user accounts to active directory accounts with CCM 9.1.2?

    We are currently using local user accounts with CUCM 9.1.2 and are looking at integrating it into the active directory structure.
    We do utilize the same structure for user ID's.
    I am looking to find out what the changeover will entail and if anything else needs to be done prior to the integration.
    We also have Unity syncing up with CUCM for users as well as Contact Center sync'ed up for our ACD system.
    Thanks
    Mike

    Hey Mike,
    The process is pretty straight forward.  CUCM 9.X supports the coexistence of AD integrated users and local users so you don't have to worry about local accounts disappearing if they don't have an AD account.  The biggest thing to watch out for is that if you decide to revert back for whatever reason then the accounts that were in AD will be marked for deletion (from the CUCM, not AD) and will be removed after approximately 24 hours.  
    I recommend the following if you'd like to move to AD.
    Run a DRS backup of CUCM.  This is not necessary for the integration but is good practice in my opinion.  I'd also do a full export of your users using the BAT so you can reimport users to how they were before the integration should you decide to revert for any reason.
    Determine if you want to put the user's extensions in the telephonenumber field or ipPhone field in AD.  Once you make a decision, I recommend populating that information in AD so it is available when you do the integration.  
    Make sure your local CUCM user accounts usernames are exactly the same as your domain accounts.  That way when you do the integration the local users become AD users and keep all of their phone associations, group memberships, etc.  If you need to change the usernames then be sure to notify your users ahead of time so they can start logging into UCCX or UCM user pages, etc. using their new username. 
    Create an account in AD that has read-only rights to your directory.  Set the password to never expire.  You will use this account later for the integration.  
    In CUCM, go into Serviceability and make sure the "Cisco DirSync" service is activated on the Publisher server.
    Also in CUCM, navigate to the administration page and do the following:
    Go to System > LDAP > LDAP System and Check the box to enable Synchronizing.  Confirm the LDAP server type and attribute for User ID is accurate.  This is typically Microsoft Active Directory and sAMAccountName respectively.
    Go to System > LDAP > LDAP Directory
    Click Add New
    Give it a name (whatever you want).
    Put in the Distinguished Name of the AD integration account you created earlier. For example, if you created an account called ciscoldap in the Service Accounts OU in the abc.com domain then it would look something like this... CN=ciscoldap,OU=Service Accounts,DC=abc,DC=com
    Enter the password for the account.
    Enter the search base.  This can be a specific OU where your users exist, a parent OU which contains other OUs which contain all of your users or the entire domain.  If you do the entire domain then in the abc.com example you would specify DC=abc,DC=com.
    Select the option to perform a sync with AD on periodic intervals.  The lowest interval you can set is every 6 hours.
    Select either the telephonenumber or ipPhone field to be used for the user's extensions.  This will be whatever you decided and populated in AD in an earlier step.
    Add your primary and any backup domain controllers and ports.  If they are just domain controllers and you are not using SSL then specify port 389.  If they are also global catalog servers then you can do port 3268.
    Click Save and Click the "Perform Full Sync Now" button.
    I recommend that you also use LDAP for authentication as well so you only have one username and password to remember which is all controlled by AD.  To add this do the following:
    Go to System > LDAP > LDAP Authentication.
    Click Add New
    Check the box to use LDAP Authentication
    Add the same Distinguished name, passwords and user search base that you used for your integration account earlier under the synchronization section.  Also add the same primary and secondary LDAP servers and ports you used earlier.  
    Click Save
    You can go a step further and create a filter to only pull in the users within the search base you specified and apply that.  For example, maybe only pull in users that have their ipPhone field populated.  Let me know if you have any questions on that or any of the above.
    I hope this helps!

  • What is everyone using for managing iPads and iPhones for an Active Directory network. We also have a BES server

    I am seeking a solution to manage iPhones and iPads for my enterprise. A few are currently being used. I will need to go back and shut them down to gather the appropriate information necessary to manage them going forward. Looking for manageability, security, remote wipe, logging. Pretty much what I can do with a BlackBerry on a BES server. I see several products available. Can someone point me to one that they are happy with?

    The Identity Service for Active Directory 10.3.0 is only available on Windows because it uses .Net functionality to work with AD. Even if you run everything else on Linux, you would still need a Windows server for the AD Identity Service.
    You can download it from edelivery.oracle.com as part number V14368-01. You can also find it on that site by performing a media pack search for:
    Select a Product Pack: Oracle Fusion Middleware
    Platform: Microsoft Windows (32-bit)
    Then navigate down into "Oracle® Application Server 10g Release 3 (10.1.3) Media Pack v31 for Microsoft Windows".
    The package is "Oracle WebCenter Interaction Identity Service for Active Directory 10.3.0 for Microsoft Windows".

  • What is the risk for my Active Directory when you make a magic triangle ?

    Hi hello
    I want know that because, i need installed a lion server in my company, in the production server.
    Now i have make a magic triangle in my labo, i don't have noted a problem with my AD.
    1 ) What's risk for my AD when i make a magic triangle ?
    2 ) The Director Administrator ( diradmin )  of Open Directory need rights in the Active Directory for manage Mac os x client ? if yes what's rights ?
    3 ) Can confirm me that ==>>> When i want manage users Macs, i need create a local group in the open directory " MacUsers" , and in this group i add users from the "AD" is that ??  i want to be sure what i do ....
    4 )  for the account computer Mac in registred in my AD, what's i can do ?  
    5 ) For the MCX, i appply the preference in the Users or Computer ?
    Thanks you for your help

    Hi
    Q3 - You create a shared directory (the LDAP node) when you promote the Server to an Open Directory Master Role. Judging by what you're saying you've already done this. The Users and/or Groups you're creating after promotion will be in the shared directory (the LDAP node). You can tell which node Users and/or Groups are in by simply looking at them in the Server App. If they have a small blue globe icon on their right shoulder they will be in the LDAP node. If they don't they will be local users and not in the shared directory (the LDAP node).
    To view them in WorkGroup Manager, launch the application and authenticate using the Directory Administrator account. Above the main interface window you should see a small blue globe. The shared directory will be listed by the side of this icon as: Viewing Directory:  /LDAPv3/127.0.0.1 etc.
    Q5 - MCX (Managed Client X) is Apple's equivalent to GPOs (Global Policy Objects). If you're familiar with Active Directory you'll know what this means.
    Deprecation means "not using anymore". In other words you should not be using WorkGroup Manager to apply mac-style GPOs. You should be using Profile Manager instead. Profile Manager is the 'new' way to apply mac-style GPOs.
    Profile Manager is part of Lion Server. It's also known as the MDM Server (Mobile Device Management Server).
    It's up to you to decide what is good for your environment and needs. In some situations I'll use both and possibly augment them with Apple Configurator and Apple Remote Desktop. Then again in other situations I'll use other numerous 3rd-Party tools available.
    HTH?
    Tony

  • What is the default Win2000 Active Directory Object Attribute definition for adding users? I'm using the 4.1 Netscape Directory SDK

    The Netscape/NDS AddUser implements inetOrgPerson, and some other objects/Attributes not implemented in Active Directory Object Attributes, and I receive errors about the Attributes. Could you tell me the correct Attribute definition for the default DS, to add a user?

    Unsure what you mean. iDS 5 implements the inetOrgPerson as of the RFC. It is made of 4 objects top, person, organizationPerson and inetOrgPerson. The user object in MAD using many more MS-specific attributes in the top class. (53 extras)

  • What happened to Active Directory and Windows file shares?

    Hello all,
    I have a few questions about the integration in Active Directory. I recently updated to Lion (most certainly without proper risk analysis on the consequences...)
    First:
    How can one connect to a windows share?
    If trying in finder and CMD+k "smb://server/share" a message appears stating i have insufficient rights.
    Great, in Snow Leopard one was presented a credentials window, where is it gone? (as most macbook users wont join the domain completely...)
    Next try: "smb://DOMAIN;User@server/share" same result...
    Second:
    Is there any support for DFS (Distributed File System) included in Lion? This would be _very_ much appreciated!
    Thanks for your help (hopefully)

    Hi JFlynn12,
    Are you using fully qualified DNS name for the server?
    ie:
    if your realm is domain.company.com then your FQD for the server would typically be server.company.com. or server.domain.company.com . This is of course assuming your DNS is properly set for the DNS / DHCP server. x.x.x.x => server.company.com and server.company.com => x.x.x.x .
    With that in mind you would expect smb://server.company.com or smb://server.domain.company.com
    give it a try, let me know if it works.
    -tt
