Kefa Rabah
Global Open Versity, Vancouver Canada
krabah@globalopenversity.org
www.globalopenversity.org
© September 2008, Kefa Rabah, Global Open Versity, Vancouver Canada
Introduction
For organizations using Win 2k3 AD infrastructure that require flexible support for directory-enabled
applications, Microsoft has developed Active Directory Application Mode (ADAM). ADAM is a Lightweight
Directory Access Protocol (LDAP) directory service that runs as a user service, rather than as a system
service. Active Directory Application Mode represents a breakthrough in directory services technology that
provides flexibility and helps organizations avoid increased infrastructure costs.
LDAP is an acronym for Lightweight Directory Access Protocol; it is a simplified version of the X.500
protocol. The directory setup in this training manual will be later used for authentication. Nevertheless,
LDAP can be used in numerous ways: authentication, shared directory (for mail clients), address book,
etc.
A central component of the Windows platform, Active Directory directory service provides the means to
manage the identities and relationships that make up network environments. Windows Server 2003
makes Active Directory simpler to manage, easing migration and deployment. Active directory has been
around since the release of Windows 2000 several years ago, and is now a standard sight in many
offices. Its inclusion marked a radical change at the heart of the Windows Server platform, one that people
are still adjusting to today.
Proper design, implementation and deployment of enterprise LDAP authentication right from the beginning
is crucial. Failure to do so can be very detrimental in terms of security. For example, it is very important
that, before LDAP authentication is implemented, the enterprise first determines which system or
application will be authoritative for the identity data, which users fall into the super-user categories, and
what privileges are allocated to them. Not implementing things correctly could in the end mean
cleaning up the associated business processes dealing with identity creation, role changes and
terminations. Often the authoritative identity source will have many identities in its data store listed as
active who are no longer active. This can create undetected and sometimes hidden security holes in any
large enterprise LDAP authentication deployment.
In this Hands-on Systems Integration Training Lab, we're going to undertake a step-by-step installation
and configuration of Windows Server 2003 Active Directory Application Mode.
This project was demonstrated entirely using VMware; however, once you perfect the setup you can
migrate it to physical servers if you so wish. You may also use Virtual PC instead of VMware for your
demo setup.
1. Click Start > Administrative Tools > Active Directory Users and Computers, and then select
User, see Fig. 1, to access the New Object – User dialog box, see Fig. 2.
2. From Fig. 2, complete the form as shown to create a new user, or change the values as desired, and click Next.
Fig. 2
Fig. 3
4. From Fig. 4, click Finish to complete creating the new user. Repeat the same procedure to create as
many users as desired.
Fig. 4
5. Repeat the same procedure to create as many users as desired. We have created the following additional
users:
Username: scraig (Sarah Craig); szulu (Shaka Zulu); iwong (Irene Wong)
Note: To install ADAM, you must log on to your computer using an account that belongs to the
local Administrators group.
ADAM is available as a download from Microsoft and is installable on either a Windows 2003 server or on
Windows XP/Vista/Win7 workstations. When installed it runs in the context of a nominated account, and
because it is separate from Active Directory, its replication schedules can be configured separately. On top of that,
multiple instances of ADAM can run on the same machine, which should allow developers and others
alike to test different schema setups far more easily than before.
1. Download and install ADAM. When prompted, click Run, and then click Run again to complete the ADAM
installation.
2. To start the Active Directory Application Mode Setup Wizard, click Start, point to All Programs, point
to ADAM, and then click Create an ADAM instance, see Fig. 5.
Fig. 5
The first page of the Active Directory Application Mode Setup Wizard looks like Fig. 6:
3. From Fig. 6, on the Welcome to the Active Directory Application Mode Setup Wizard page, click
Next.
Fig. 6
3. On the Setup Options page, you can choose whether to install a unique ADAM instance or join an
existing configuration set. Because you are installing the first ADAM instance, click A unique
instance (as shown in Fig. 7), and then click Next. Later, you can create additional ADAM instances
and join them in a configuration set.
Fig. 7
4. From Fig. 8, on the Instance Name page, provide a name for the ADAM instance that you are installing.
This name is used on the local computer to uniquely identify the ADAM instance. For this exercise,
you can accept the default name of "instance1", or change it as desired; in our case we used "paka".
Then click Next.
Fig. 8
5. From Fig. 9, on the Ports page, specify the communications ports that the ADAM instance uses to
communicate. ADAM can communicate using both LDAP and Secure Sockets Layer (SSL); therefore,
you must provide a value for each port. For example, you can accept the default values of 389 and
636. However, if you have already installed (or intend to install) an Active Directory DC on the same machine,
as in our case, then the ADAM Wizard instead offers 50000 as the default LDAP port and 50001 as the default
SSL port, because the domain controller already listens on 389 and 636. Click Next.
Fig. 9
5. From Fig. 10, on the Application Directory Partition page, you can create an application directory
partition (or naming context) by clicking Yes, create an application directory partition. Or, you can
click No, do not create an application directory partition, in which case you must create an
application directory partition manually after installation. In our case, click Yes, create an application
directory partition. When you create an application directory partition, you must provide a
distinguished name for the new partition. For this install guide, type:
"CN=pakaserver,DC=panyatech,DC=com" as the distinguished name (as shown in Fig. 10), and
then click Next.
Fig. 10
Note: ADAM supports not only DNS naming styles but also X.500 directory partition naming styles. X.500
naming styles take the form of organization, country (e.g., "o=panyatech,c=US").
6. From Fig. 11, on the File Locations page, you can view and change the installation directories for
ADAM data and recovery (log) files. By default, ADAM data and recovery files are installed in
%ProgramFiles%\Microsoft ADAM\instancename\data, where instancename represents
the ADAM instance name that you specify on the Instance Name page, in our case "paka". For this
install guide, click Next to accept the default file locations.
Fig. 11
7. From Fig. 12, on the Service Account Selection page, select an account to be used as the service
account for ADAM. For this install guide, since we are installing ADAM on a domain controller, click "Network
service account", and then click Next.
Fig. 12
8. From Fig. 13, on the ADAM Administrators page, select a user or group to become the default
administrator for the ADAM instance. The user or group that you select will have full administrative
control of the ADAM instance. By default, the Active Directory Application Mode Setup Wizard
specifies the currently logged on user. You can change this selection to any local or domain account
or group on your network. For this exercise, click the default value of "Currently logged on user:
PANYATECH\Administrator", and then click Next. (Note: PANYATECH is the domain name.)
Fig. 13
9. From Fig. 14, on the Importing LDIF Files page, you can import into the ADAM schema two .ldf
files containing user class object definitions. Importing these user class object definitions is optional.
However, these object definitions are required later in this install guide so, you should import these
definitions now as follows:
a. Click Import the selected LDIF files for this instance of ADAM.
b. Click MS-InetOrgPerson.LDF, and then click Add.
c. Click MS-User.LDF, and then click Add.
d. Click MS-UserProxy.LDF, click Add, and then click Next.
Fig. 14
10. From Fig. 15, the Ready to Install page gives you an opportunity to review your installation
selections. After you click Next, the Active Directory Application Mode Setup Wizard begins copying
files and setting up ADAM on your computer.
Fig. 15
Fig. 16
12. From Fig. 17, when the Active Directory Application Mode Setup Wizard finishes installing ADAM, it
displays this message: “You have successfully completed the Active Directory Application Mode
Setup Wizard.” When the Completing the Active Directory Application Mode Setup Wizard page
appears, click Finish to close the wizard.
Fig. 17
Note: Troubleshooting: If the Active Directory Application Mode Setup Wizard does not
complete successfully, an error message describing the reason for the failure appears on the
Summary page.
Note: The Adamsetup.log and Adamsetup_loader.log files contain information that can help
you troubleshoot the cause of an ADAM setup failure.
ADAM ADSI Edit is the main administrative tool for ADAM. In this install guide you will use ADAM ADSI
Edit to bind to, view and browse your ADAM instance, in our case "pakaserver". To access ADAM ADSI
Edit, perform the following procedure:
1. Click Start > ADAM, and then select ADAM ADSI Edit, see Fig. 18.
2. In the console tree, click ADAM ADSI Edit. The ADAM ADSI Edit snap-in looks as shown in Fig. 19.
Fig. 18
3. From Fig. 18, right-click ADAM ADSI Edit and select Connect to. The Connection Settings dialog box
appears, as shown in Fig. 20.
Fig. 19
4. From Fig. 20, the Connection Settings dialog box appears; enter the following information:
• Connection name: "Pakaserver ADAM Connection" – the name under which the
connection will appear in the console tree of ADAM ADSI Edit.
• Server name: "server02" – the host or DNS name of the computer on which the ADAM
instance is running. (Note: you can also use "localhost" if ADAM is running on the same local
computer.)
• Port: "50000" – the LDAP (or SSL) communication port in use by the installed ADAM
instance; 50000 is the LDAP port we chose during setup.
• Under Connect to the following node, click Distinguished name (DN) or naming context,
and type "CN=pakaserver,DC=panyatech,DC=com" – the distinguished name
of the partition that we created earlier during setup.
• Under Connect using these credentials, select The account of the currently logged
on user.
• The completed Connection Settings dialog box should look as shown in Fig. 20. Click OK.
Fig. 20
5. The ADAM ADSI Edit snap-in should now look as shown in Fig. 21.
6. From Fig. 21, double-click The Pakaserver ADAM Connection, and then double-click
"CN=pakaserver,DC=panyatech,DC=com". The ADAM ADSI Edit snap-in now shows the
application directory partition we created earlier, as shown in Fig. 22.
Fig. 21: the ADAM ADSI Edit snap-in showing application directory partition.
7. In the console tree, Fig. 21, click any container to view the objects in that container. For example, click
CN=Roles.
8. To open a different directory partition on the ADAM instance, in the console tree, again right-click
ADAM ADSI Edit, and then select Connect to.
9. Fill out the Connection Settings dialog box as shown, and then click OK.
Fig. 21
10. The ADAM ADSI Edit snap-in now looks as shown in Fig. 22.
Fig. 22: The final ADAM ADSI Edit snap-in showing application & Configuration directory partitions.
• Note: You can now browse the content of the configuration directory partition of your ADAM
instance.
11. To close ADAM ADSI Edit, click File menu > Exit.
Fig. 23: Adding Standalone Snap-in: (a) ADAM Schema, (b) Add/Remove, click OK to exit
4. From Console1, we now have ADAM Schema, which at the moment is empty, see Fig. 21. We
therefore need to connect to the ADAM server.
Fig. 22
5. From Fig. 22, right-click ADAM Schema and select "Change ADAM Server" to access the
Connect ADAM Server dialog box, Fig. 22a, and enter the information as shown; accept the default,
or change as desired, and then click OK. Recall that we used port 50000 during setup.
Fig. 23
Fig. 24
Fig. 23: Adampakaschmmgmt with ADAM Schema showing classes and attributes
a. Right-click Start, click Open All Users, double-click the Programs folder, and then double-click
the ADAM folder.
b. On the File menu, point to New, and then click Shortcut.
c. In the Create Shortcut Wizard, in Type the location of the item, type
"Adampakaschmmgmt.msc", and then click Next.
d. On the Select a Title for the Program page, in Type a name for this shortcut, type "ADAM
Schema", and then click Finish.
10. To access the ADAM Schema, click Start > ADAM and then select ADAM Schema, see Fig. 25
Note: When using ADSchemaAnalyzer to create an LDIF file, you should load both a target and a
base schema. Otherwise, the resulting LDIF file might not be usable by the ldifde tool.
Fig. 26
2. The AD Schema Analyzer tool will now appear, and will start with a blank white screen, see Fig. 27.
Fig. 27
3. Within the AD Schema Analyzer, click the File menu and select "Load target schema...", see Fig.
28a.
Fig. 28
4. Enter in the following connection information for your Active Directory LDAP server, see Fig. 28b.
a) Server IP & Port number:
b) Administrative Username
c) Password for that username
d) FQDN of your domain (example: intel.com)
e) Select the "Secure" radio button in the "Bind type" section.
f) Select "Active Directory" in the "Server type" section.
Note: After clicking the OK button, the tool analyzes your LDAP target schema. You should
see something similar to what is shown in Fig. 29; however, you may have differing attributes,
classes, and property set values.
Fig. 29
5. Again, within the AD Schema Analyzer, click on the File menu, and then select "Load base
schema..."; see Fig. 30a.
Fig. 30
6. Enter the following connection information to connect to the LOCAL ADAM server, see Fig. 30b:
a) IP & port of the network loopback
b) In the Bind type section, select the "Secure" radio button
c) In the Server type section, select "Active Directory"
d) Click the OK button after entering all the required information.
Note: For the local ADAM instance, no other credentials are needed in order to connect; the server and
port are the only requirements. After clicking the OK button, the application displays how
many attributes, classes and property sets it found, see Fig. 31.
Fig. 31
7. Again, within the AD Schema Analyzer, click the "Schema" menu, and then select "Mark all
nonpresent elements as included", see Fig. 32.
Fig. 32
Fig. 33
8. Again, within the AD Schema Analyzer, click the File menu and select "Create LDIF
file...", see Fig. 33.
9. In the "Save As" window, name the LDF file something recognizable because this file is used later
on in this guide; in our case the filename is "adschemapaka.ldif".
10. You have now created a custom schema LDF file to load into ADAM. This file will be used in the next
section.
11. You're done with this section.
Note 1: After executing the command, it will show the following text output:
Connecting to "localhost"
Logging in as current user using SSPI
Importing directory from file "adschemapaka.ldif"
Loading entries.....
Note 2:
• The "adschemapaka.ldif" is the filename used from the previous section when we created a
custom LDF file with all schema differences. If you used a different name, please change the
filename used in the command listed above.
• After running the command, you will receive a message in the command line as shown in Fig. 34.
(Note: Number of entries modified may be different)
Fig. 34
Note 1: After executing the command, it will show the following text output:
Connecting to "localhost"
Logging in as current user using SSPI
Importing directory from file "MS-AdamSyncMetaData.ldf"
Loading entries.....
Note 2: After it loads its entries for the Adam Sync Meta Data, it should indicate to you exactly like the
previously loaded custom LDF file that "The command has completed successfully", see Fig. 35
2. You have now loaded in the 2 needed LDF files to allow ADAM to synchronize with your Active
Directory LDAP server.
3. You’re done with this section.
It's important to note that ADAM requires a special file in order to determine what information it should
synchronize from Active Directory. This file contains the Distinguished Name (DN) locations of where the
information is coming from and where it should go to. It also specifies which attributes it should
synchronize. This file is loaded into ADAM using a special command, and is used by
any subsequent automated synchronization.
To create the ADAM Synchronization Config XML File, perform the following procedure:
1. Open Notepad: (Start > All Programs > Accessories > Notepad)
2. Copy and paste the text below into a new notepad file
3. Save the file as: "AdamSyncConfPaka.xml" in "C:\Windows\ADAM"
<?xml version="1.0"?>
<doc>
  <configuration>
    <description>Pakaserver User Accounts</description>
    <security-mode>object</security-mode>
    <source-ad-name>server02</source-ad-name>
    <source-ad-partition>dc=panyatech,dc=com</source-ad-partition>
    <source-ad-account>Administrator</source-ad-account>
    <account-domain>panyatech.com</account-domain>
    <target-dn>CN=pakaserver,dc=panyatech,dc=com</target-dn>
    <query>
      <base-dn>dc=panyatech,dc=com</base-dn>
      <object-filter>(objectClass=User)</object-filter>
      <attributes>
        <include>objectSID</include>
        <include>sourceObjectGuid</include>
        <include>lastAgedChange</include>
        <include>displayName</include>
        <include>description</include>
        <include>mail</include>
        <include>member</include>
        <include>memberOf</include>
        <include>mobile</include>
        <include>samaccountname</include>
        <include>cn</include>
        <include>givenName</include>
        <include>sn</include>
        <include>telephoneNumber</include>
        <include>ou</include>
        <include>objectclass</include>
        <include>objectcategory</include>
        <include>distinguishedname</include>
        <include>whenchanged</include>
        <include>whencreated</include>
        <include>objectguid</include>
        <include>usnchanged</include>
        <include>usncreated</include>
        <include>instancetype</include>
        <include>lastagedchange</include>
        <include>name</include>
        <include>CountryCode</include>
        <include>info</include>
        <include>pwdLastSet</include>
        <include>userParameters</include>
        <include>badPasswordTime</include>
        <include>lastLogoff</include>
        <include>primaryGroupID</include>
        <include>codePage</include>
        <include>logonCount</include>
        <include>userAccountControl</include>
        <include>badPwdCount</include>
        <include>lastlogon</include>
        <exclude/>
      </attributes>
    </query>
    <schedule>
      <aging>
        <frequency>0</frequency>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd/>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie/>
    <status/>
    <authoritative-adam-instance/>
    <configuration-file-guid/>
    <last-sync-attempt-time/>
    <last-sync-success-time/>
    <last-sync-error-time/>
    <last-sync-error-string/>
    <consecutive-sync-failures/>
    <user-credentials/>
    <runs-since-last-object-update/>
    <runs-since-last-full-sync/>
  </synchronizer-state>
</doc>
e) Local ADAM LDAP Distinguished name (Reference step 6 during installation procedures)
<target-dn>CN=pakaserver,dc=panyatech,dc=com</target-dn>
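The introduction warns that an authoritative identity source often lists accounts as active that are no longer in use, and the synchronization config above copies the attributes that let you check this (userAccountControl, lastlogon, pwdLastSet). The following script is an added example, not part of the original guide and not an AdamSync tool: it parses a trimmed copy of the guide's AdamSyncConfPaka.xml, confirms that the attributes needed for such an audit are in the include list, and then classifies a few constructed user records in the shape AdamSync would copy from Active Directory. The records, the svc_legacy account name, the timestamps and the 90-day staleness threshold are all assumptions made for the example; only the XML element names and the three user names come from the guide.

```python
"""Audit an AdamSync configuration and the accounts it synchronises (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Trimmed copy of the guide's sync configuration; the full attribute list is omitted.
SYNC_CONFIG = """<?xml version="1.0"?>
<doc>
  <configuration>
    <description>Pakaserver User Accounts</description>
    <security-mode>object</security-mode>
    <source-ad-name>server02</source-ad-name>
    <source-ad-partition>dc=panyatech,dc=com</source-ad-partition>
    <source-ad-account>Administrator</source-ad-account>
    <account-domain>panyatech.com</account-domain>
    <target-dn>CN=pakaserver,dc=panyatech,dc=com</target-dn>
    <query>
      <base-dn>dc=panyatech,dc=com</base-dn>
      <object-filter>(objectClass=User)</object-filter>
      <attributes>
        <include>samaccountname</include>
        <include>userAccountControl</include>
        <include>lastlogon</include>
        <include>pwdLastSet</include>
        <exclude/>
      </attributes>
    </query>
  </configuration>
</doc>
"""

# Attributes a reviewer needs in ADAM to judge whether a synced identity is still live.
REQUIRED_FOR_AUDIT = {"samaccountname", "useraccountcontrol", "lastlogon", "pwdlastset"}
ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled account
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_sync_config(xml_text):
    """Return the sync scope and the (lower-cased) included attribute names."""
    cfg = ET.fromstring(xml_text).find("configuration")
    includes = [e.text.strip().lower()
                for e in cfg.findall("query/attributes/include") if e.text]
    return {
        "source_partition": cfg.findtext("source-ad-partition"),
        "target_dn": cfg.findtext("target-dn"),
        "object_filter": cfg.findtext("query/object-filter"),
        "includes": includes,
    }


def missing_audit_attributes(config):
    """Names from REQUIRED_FOR_AUDIT that this config would not synchronise."""
    return sorted(REQUIRED_FOR_AUDIT - set(config["includes"]))


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME (100-ns ticks since 1601-01-01) to an aware datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=int(filetime) // 10)


def classify_account(record, now, stale_days=90):
    """Return 'disabled', 'stale' or 'active' for one synced user record."""
    if int(record["userAccountControl"]) & ACCOUNTDISABLE:
        return "disabled"
    last_logon = int(record.get("lastLogon", 0))  # 0 means the account never logged on
    if last_logon == 0 or now - filetime_to_datetime(last_logon) > timedelta(days=stale_days):
        return "stale"
    return "active"


def audit(records, now, stale_days=90):
    """Map each sAMAccountName to its classification."""
    return {r["sAMAccountName"]: classify_account(r, now, stale_days) for r in records}


def _filetime(dt):
    """Inverse of filetime_to_datetime, used to build the constructed records."""
    return (dt - WINDOWS_EPOCH) // timedelta(microseconds=1) * 10


NOW = datetime(2008, 9, 15, tzinfo=timezone.utc)  # constructed reference time
# Constructed records in the shape of the users the guide synchronises.
SAMPLE_RECORDS = [
    {"sAMAccountName": "scraig", "userAccountControl": 512,
     "lastLogon": _filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "szulu", "userAccountControl": 514,  # 512 | ACCOUNTDISABLE
     "lastLogon": _filetime(NOW - timedelta(days=1))},
    {"sAMAccountName": "iwong", "userAccountControl": 512,
     "lastLogon": _filetime(NOW - timedelta(days=200))},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 512, "lastLogon": 0},
]

if __name__ == "__main__":
    config = parse_sync_config(SYNC_CONFIG)
    print("sync scope:", config["source_partition"], "->", config["target_dn"])
    print("missing audit attributes:", missing_audit_attributes(config))
    for name, state in audit(SAMPLE_RECORDS, NOW).items():
        print(f"{name:12s} {state}")
```

The check on the include list matters because AdamSync only copies what the config names: if userAccountControl or lastlogon were dropped from the list, every synced identity would look live inside ADAM regardless of its state in Active Directory.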
1. To do this, launch the ADAM Command Prompt and issue the following command:
2. After running the command, it should move to the next line and display "Done", as shown in Fig. 36.
Fig. 36: Installing the sample ADAM Synchronization Config XML File: "AdamSyncConfPaka.xml"
Note: Optionally: If you have a second domain XML file, please use the same command above
only and specify the appropriate file name.
Step 3: Running the Synchronization for the first time using config XML file
The following instructions in this section will show you how to run the synchronization for the first time.
To do this, launch the ADAM Command Prompt and perform the following procedure:
1. Create a directory on the C:\ drive named "ADAMLogs". This directory will hold all synchronization
logs.
Warning! Synchronization of data from your current Active Directory to the newly created ADAM
instance can take from 5 minutes to 5 hours depending on how many users you have within Active
Directory. Please monitor your ADAM Sync log in C:\AdamLogs\sync.log as it can grow in size
rapidly and cause low disk space.
Fig. 37
6. In the Attributes list, find "msDS-Other-Settings", and click the "Edit" button, see Fig. 38.
Fig. 38
Fig. 39
9. You’re done disabling SSL authentication for this Paka ADAM instance. This is required to allow the
Pakaserver installer to connect to the ADAM instance without requiring a certificate.
10. You’re done with this section.
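The step above relaxes the instance so that the installer can bind without a certificate. What that relaxation exposes depends on which values in the multivalued msDS-Other-Settings attribute were changed, and the guide does not show them. The following script is an added example, not code from the guide: it parses msDS-Other-Settings entries in the "Name=Value" form ADSI Edit displays and reports which kinds of bind may now carry credentials over the plain LDAP port. RequireSecureSimpleBind, RequireSecureProxyBind and ADAMDisableSSL are settings ADAM/AD LDS actually holds in that attribute; the sample values are constructed, and the ports 50000 and 50001 are the ones chosen earlier in the guide.

```python
"""Report what an ADAM instance's msDS-Other-Settings permit for LDAP binds (added example)."""

# Constructed attribute values, in the multivalued "Name=Value" form ADSI Edit shows.
SAMPLE_SETTINGS = [
    "ADAMDisableSSL=0",
    "RequireSecureProxyBind=1",
    "RequireSecureSimpleBind=0",
    "MaxReferrals=3",
]

# Ports from the guide: plain LDAP on 50000, LDAP over SSL on 50001.
LDAP_PORT, SSL_PORT = 50000, 50001
BIND_SETTINGS = ("ADAMDisableSSL", "RequireSecureSimpleBind", "RequireSecureProxyBind")


def parse_other_settings(values):
    """Turn ["Name=Value", ...] into a dict, rejecting entries without an '='."""
    settings = {}
    for entry in values:
        name, sep, value = entry.partition("=")
        if not sep:
            raise ValueError(f"malformed msDS-Other-Settings entry: {entry!r}")
        settings[name.strip()] = value.strip()
    return settings


def bind_posture(settings):
    """Return findings describing how credentials may travel to this instance.

    Only settings that are present are judged; a missing setting is reported as
    unverified rather than assumed, because the instance default then applies.
    """
    findings = []
    if settings.get("ADAMDisableSSL") == "1":
        findings.append(f"SSL listener disabled: only the plain LDAP port {LDAP_PORT} is reachable")
    if settings.get("RequireSecureSimpleBind") == "0":
        findings.append(f"simple binds accepted on port {LDAP_PORT}: "
                        "the user's password crosses the network in cleartext")
    if settings.get("RequireSecureProxyBind") == "0":
        findings.append(f"proxy binds accepted on port {LDAP_PORT}: "
                        "bind redirection (userProxy) credentials travel in cleartext")
    for name in BIND_SETTINGS:
        if name not in settings:
            findings.append(f"{name} not set: instance default applies, verify it")
    return findings


def secure_bind_port(settings):
    """Port a client should bind to so credentials are protected, or None if SSL is off."""
    return None if settings.get("ADAMDisableSSL") == "1" else SSL_PORT


if __name__ == "__main__":
    current = parse_other_settings(SAMPLE_SETTINGS)
    for line in bind_posture(current):
        print("-", line)
    print("bind securely on port:", secure_bind_port(current))
```

Run against the constructed values, the script reports one finding: simple binds are accepted on port 50000, so any application configured to authenticate against this instance over plain LDAP sends user passwords unencrypted, which is the trade-off the installer requirement above introduces.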
Fig. 40
Note: After you hit the OK button, you should see technical LDAP information appear on the right
hand window, as shown in Fig. 42.
Fig. 42
7. After you click the OK button; on the right hand side bottom pane, the words: "Authenticated as:
MACHINENAME/Username" appear, see Fig. 44.
Fig. 44
8. Next, click on the "View" menu and select "Tree", see Fig. 45.
Fig. 45
Summary
It should be said that Microsoft has included a new Application Directory Partition feature in Win2k3 AD,
which allows for a new fourth ‘logical’ partition, called ‘Application’. This new partition is tailor made to
store data from 3rd party AD aware programs, and means that data for AD aware programs can be stored
outside of the main three partitions, and can have separate replication schedules. This obviously has
several of the advantages that benefit the ADAM approach, but with ADAM you are able to run multiple
instances, something which cannot be done with a normal AD installation.
-----------------------
Kefa Rabah is the Founder and CIO of Serengeti Systems Group Inc. Kefa is knowledgeable in
several fields of Science & Technology, IT Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, an e-Learning place for
enhancing your career goals through the latest innovations and technology.