
Global Open Versity, Vancouver Canada Install Guide Win2k3 ADAM v1.0

Global Open Versity


Systems Integration Hands-on Labs Training Manual

Install Guide Windows Active Directory Application Mode (ADAM)

Kefa Rabah
Global Open Versity, Vancouver Canada
krabah@globalopenversity.org
www.globalopenversity.org

Table of Contents Page No.

INSTALL GUIDE WINDOWS ACTIVE DIRECTORY APPLICATION MODE (ADAM) 2

Part 1: Install Windows AD Server 2k3 3


Step 1: Install Win2k3 AD 3
Step 2: Adding AD Users 3

Part 2: Windows Server 2003 Active Directory Application Mode 5


Step 1: Install Win2k3 ADAM using Win2k3 R2 5
Step 2: Install Win2k3 ADAM using Win2k3 6
Step 3: Troubleshooting ADAM 14
Step 4: Using ADAM ADSI Edit Administrative Tools 14
Step 5: Configuring the ADAM Schema Snap-in Administration Tool 18

Part 3: Using ADSchemaAnalyzer 21


Step 1: Loading Active Directory/ADAM Schema LDF Files 24
Step 2: Loading ADAM Synchronization Schema LDF File 25

Part 4: Editing/Customizing ADAM Synchronization Config XML File 26


Step 1: Creating the ADAM Synchronization Config XML File 26
Step 2: Installing the sample ADAM Synchronization Config XML File 28
Step 3: Running the Synchronization for the first time using config XML file 28

Part 5: Disabling SSL Authentication in ADAM 29

Part 6: Creating ADAM LDAP User for Pakaserver 31

© September 2008, Kefa Rabah, Global Open Versity, Vancouver Canada

www.globalopenversity.com A GOV Open Knowledge Access License Technical Publication



By Kefa Rabah, krabah@globalopenversity.org Dec 12, 2009 SerengetiSys.com

Introduction
For organizations using Win 2k3 AD infrastructure that require flexible support for directory-enabled
applications, Microsoft has developed Active Directory Application Mode (ADAM). ADAM is a Lightweight
Directory Access Protocol (LDAP) directory service that runs as a user service, rather than as a system
service. Active Directory Application Mode represents a breakthrough in directory services technology that
provides flexibility and helps organizations avoid increased infrastructure costs.

LDAP is an acronym for Lightweight Directory Access Protocol; it is a simplified version of the X.500
Directory Access Protocol. The directory set up in this training manual will later be used for
authentication. Nevertheless, LDAP can be used in numerous ways: authentication, shared directory (for
mail clients), address book, etc.

A central component of the Windows platform, Active Directory directory service provides the means to
manage the identities and relationships that make up network environments. Windows Server 2003
makes Active Directory simpler to manage, easing migration and deployment. Active directory has been
around since the release of Windows 2000 several years ago, and is now a standard sight in many
offices. Its inclusion marked a radical change at the heart of the Windows Server platform, one that people
are still adjusting to today.

Proper design, implementation and deployment of enterprise LDAP authentication right from the beginning
is crucial. Failure to do so can be very detrimental in terms of security. For example, before LDAP
authentication is implemented the enterprise should first determine which system or application will be
authoritative for the identity data, which users fall into the super-user categories, and what privileges
are allocated to them. Not implementing things correctly can in the end mean cleaning up the associated
business processes dealing with identity creation, role changes and terminations. Often the authoritative
identity source will have many identities in its data store listed as active that are no longer active.
This can create undetected and sometimes hidden security holes in any large enterprise LDAP
authentication deployment.

In this Hands-on Systems Integration Training Lab, we're going to undertake a step-by-step installation
and configuration of Windows Server 2003 Active Directory Application Mode.

This project was demonstrated entirely using VMware; however, once you perfect the setup you can
migrate it onto physical servers if you so wish. You may also use Virtual PC instead of VMware for your
demo setup.


Part 1: Install Windows AD Server 2k3

Step 1: Install Win2k3 AD


It’s assumed that you have already installed Windows AD 2k3 or know how to install Win 2k3 AD. If not
then head to Scribd.com and check out an excellent article by the same author entitled "Install Windows
Server 2003 Active Directory HowTo v1.0", to get you started.

Our Win2k3 AD DC configuration is as follows:

• LDAP Server: server03.panyatech.com or localhost
• Domain: panyatech.com
• Base DN: dc=panyatech,dc=com

Step 2: Adding AD Users

1. Click Start > Administrative Tools > Active Directory Users and Computers, and then select
User, see Fig. 1, to access the New Object – User dialog box, see Fig. 2.

Fig. 1: Active Directory Users and Computer console.

2. From Fig. 2, complete as shown to create a new user, or change as desired and click Next.

Fig. 2

3. From Fig. 3, complete as shown, or change as desired and click Next.

Fig. 3

4. From Fig. 4, click Finish to complete creating the new user.


Fig. 4

5. Repeat the same procedure to create as many users as desired. We created the following additional
users:
Username: scraig (Sarah Craig); szulu (Shaka Zulu); iwong (Irene Wong)

Part 2: Windows Server 2003 Active Directory Application Mode


One of the most interesting features of the Win2k3 directory services release is Active Directory
Application Mode (ADAM), a separate application that works in tandem with Active Directory 2003 and
should prove to be a boon to application developers, IT pros and managers alike. Because Active
Directory is a customizable database that allows for replication across various internet links and
connections, many applications (SugarCRM, for example) can use it to store data relating to a package
and its users, as well as for authorization of users. This means that the programmers of such
applications needn't reinvent the wheel when it comes to creating distributed data stores, and
development cycles can be reduced.

Note: To install ADAM, you must log on to your computer using an account that belongs to the
local Administrators group.

Step 1: Install Win2k3 ADAM using Win2k3 R2


If you’re installing ADAM using Win2k3 R2, it already comes with ADAM, and you can install it using the
following procedure:
1. To install ADAM, log on as an administrator, click Start > Control Panel, and then select Add or
Remove Programs.

2. Click Add/Remove Windows Components.


3. Select the check box next to Active Directory Services, and then click Details.
4. Select the check box next to Active Directory Application Mode (ADAM), click OK, and then
click Next.
5. Review the message that appears. Based on the contents of the message, do one of the following:
• If the message "You have successfully completed the Windows Component Wizard" appears,
click Finish.
• If an error message appears, make a note of the error, click Finish, and then review the
ADAM event messages in Event Viewer.

Step 2: Install Win2k3 ADAM using Win2k3


If you're using the earlier version of Win2k3, then you need to download ADAM and create an ADAM
instance using the Active Directory Application Mode Setup Wizard.

ADAM is available as a download from Microsoft and is installable on either a Windows 2003 server or on
Windows XP/Vista/Win7 workstations. When installed it runs in the context of a nominated account, and
because it is separate from Active Directory, its replication schedules can be configured separately. On
top of that, multiple instances of ADAM can run on the same machine, which should allow developers and
others alike to test different schema setups far more easily than before.

1. Download and install ADAM. When prompted, click Run, and then click Run again to complete the ADAM
installation.

2. To start the Active Directory Application Mode Setup Wizard, click Start, point to All Programs, point
to ADAM, and then click Create an ADAM instance, see Fig. 5.

Fig. 5

The first page of the Active Directory Application Mode Setup Wizard looks like Fig. 6:

3. From Fig. 6, on the Welcome to the Active Directory Application Mode Setup Wizard page, click
Next.


Fig. 6
3. On the Setup Options page, you can choose whether to install a unique ADAM instance or join an
existing configuration set. Because you are installing the first ADAM instance, click A unique
instance (as shown in Fig. 7), and then click Next. Later, you can create additional ADAM instances
and join them in a configuration set.

Fig. 7

4. From Fig. 8, on the Instance Name page, provide a name for the ADAM instance that you are installing.
This name is used on the local computer to uniquely identify the ADAM instance. For this exercise, you
can accept the default name of "instance1", or change it as desired; in our case we used "paka". Then
click Next.

Fig. 8
5. From Fig. 9, on the Ports page, specify the communications ports that the ADAM instance uses. ADAM
can communicate using both LDAP and Secure Sockets Layer (SSL); therefore, you must provide a value for
each port. For example, you can accept the default values of 389 and 636. However, if you have already
installed (or intend to install) an Active Directory DC on the same machine, as in our case, those ports
are taken by AD, and the ADAM wizard instead proposes 50000 for the LDAP port and 50001 for the SSL
port. Click Next.

Fig. 9

5. From Fig. 10, on the Application Directory Partition page, you can create an application directory
partition (or naming context) by clicking Yes, create an application directory partition. Or, you can
click No, do not create an application directory partition, in which case you must create an
application directory partition manually after installation. In our case, click Yes, create an application
directory partition. When you create an application directory partition, you must provide a
distinguished name for the new partition. For this install guide, type:
"CN=pakaserver,DC=panyatech,DC=com" as the distinguished name (as shown in Fig. 10), and
then click Next.

Fig. 10

Note: ADAM supports not only DNS naming styles but also X.500 directory partition naming styles. X.500
naming styles take the form of organization, country (e.g., "o=panyatech,c=US").

6. From Fig. 11, on the File Locations page, you can view and change the installation directories for
ADAM data and recovery (log) files. By default, ADAM data and recovery files are installed in
%ProgramFiles%\Microsoft ADAM\instancename\data, where instancename represents
the ADAM instance name that you specify on the Instance Name page, in our case "paka". For this
install guide, click Next to accept the default file locations.


Fig. 11

7. From Fig. 12, on the Service Account Selection page, you select an account to be used as the service
account for ADAM. For this install guide, since we're installing ADAM on a domain controller, click
"Network service account", and then click Next.

Fig. 12


8. From Fig. 13, on the ADAM Administrators page, you select a user or group to become the default
administrator for the ADAM instance. The user or group that you select will have full administrative
control of the ADAM instance. By default, the Active Directory Application Mode Setup Wizard
specifies the currently logged on user. You can change this selection to any local or domain account
or group on your network. For this exercise, click the default value of "Currently logged on user:
PANYATECH\Administrator", and then click Next. (Note: PANYATECH here is the domain name.)

Fig. 13

9. From Fig. 14, on the Importing LDIF Files page, you can import into the ADAM schema the following .ldf
files containing user class object definitions. Importing these user class object definitions is optional.
However, these object definitions are required later in this install guide, so you should import them
now as follows:
a. Click Import the selected LDIF files for this instance of ADAM.
b. Click MS-InetOrgPerson.LDF, and then click Add.
c. Click MS-User.LDF, and then click Add.
d. Click MS-UserProxy.LDF, click Add, and then click Next.


Fig. 14

10. From Fig. 15, the Ready to Install page gives you an opportunity to review your installation
selections. After you click Next, the Active Directory Application Mode Setup Wizard begins copying
files and setting up ADAM on your computer.

Fig. 15

11. Fig. 16 shows the progress of the ADAM installation.

Fig. 16

12. From Fig. 17, when the Active Directory Application Mode Setup Wizard finishes installing ADAM, it
displays this message: “You have successfully completed the Active Directory Application Mode
Setup Wizard.” When the Completing the Active Directory Application Mode Setup Wizard page
appears, click Finish to close the wizard.

Fig. 17

Note: Troubleshooting: If the Active Directory Application Mode Setup Wizard does not
complete successfully, an error message describing the reason for the failure appears on the
Summary page.

Step 3: Troubleshooting ADAM


13. If an error occurs in the Active Directory Application Mode Setup Wizard before the Summary page,
you can review the error message that appears. In addition, you can click Start > Run, and type either
of the following:
• %windir%\Debug\adamsetup.log
• %windir%\Debug\adamsetup_loader.log

Note: The Adamsetup.log and Adamsetup_loader.log files contain information that can help
you troubleshoot the cause of an ADAM setup failure.

14. You're done with this section.

Step 4: Using ADAM ADSI Edit Administrative Tools


An ADAM instance runs as a standard user service, rather than as a system service, and it can be
stopped and started through the Services snap-in in Microsoft Management Console (MMC). In addition,
ADAM includes several administration tools for general administration tasks. In this section of the install
guide, you:
1. Use the Services snap-in to stop and restart your ADAM instance.
2. Use ADAM ADSI Edit (ADAM-adsiedit.msc) to browse your directory.
3. Configure the ADAM Schema snap-in.
4. Use ADSchemaAnalyzer to produce a file that can be used to extend a schema with elements
from another schema.
5. Use Active Directory to ADAM Synchronizer to copy data from Active Directory to an ADAM
instance.

ADAM ADSI Edit is the main administrative tool for ADAM. In this install guide you will use ADAM ADSI
Edit to bind to, view and browse your ADAM instance, in our case "pakaserver". To access ADAM ADSI
Edit, perform the following procedure:
1. Click Start > ADAM, and then select ADAM ADSI Edit, see Fig. 18.

Fig. 18: Starting ADAM ADSI Edit


2. In the console tree, click ADAM ADSI Edit. The ADAM ADSI Edit snap-in looks as shown in Fig. 19.

Fig. 18

3. From Fig. 18, right-click ADAM ADSI Edit and select Connect to. The Connection Settings dialog box
appears, as shown in Fig. 20.

Fig. 19

4. From Fig. 20, in the Connection Settings dialog box, enter the following information:
• Connection name: "Pakaserver ADAM Connection" – this is the name under which the
connection will appear in the console tree of ADAM ADSI Edit.
• Server name: "server02" – the host or DNS name of the computer on which the ADAM
instance is running. (Note: you can also use "localhost" if ADAM is running on the same local
computer.)
• Port: "50000" – the LDAP port (or SSL port) in use by the installed ADAM instance; 50000 is
the LDAP port we chose during setup.
• Under Connect to the following node, click Distinguished name (DN) or naming context,
and type "CN=pakaserver,DC=panyatech,DC=com" – the distinguished name of the partition
that we created earlier during setup.


• Under the Connect using these credentials, select The account of the currently logged
on user.
• The completed Connection Settings dialog box should look like shown in Fig. 20. Click OK.

Fig. 20

5. The ADAM ADSI Edit snap-in should now look as shown in Fig. 21.

Fig. 21: the ADAM ADSI Edit snap-in


6. From Fig. 21, double-click The Pakaserver ADAM Connection, and then double-click
"CN=pakaserver,DC=panyatech,DC=com". The ADAM ADSI Edit snap-in now shows the
application directory partition we created earlier, as shown in Fig. 22.

Fig. 21: the ADAM ADSI Edit snap-in showing application directory partition.

7. In the console tree, Fig. 21, click any container to view the objects in that container. For example, click
CN=Roles.

8. To open a different directory partition on the ADAM instance, in the console tree, again right-click
ADAM ADSI Edit, and then select Connect to.
9. Fill out the Connection Settings dialog box as shown, and then click OK.

Fig. 21


10. The ADAM ADSI Edit snap-in now looks as shown in Fig. 22.

Fig. 22: The final ADAM ADSI Edit snap-in showing application & Configuration directory partitions.

• Note: You can now browse the content of the configuration directory partition of your ADAM
instance.

11. To close ADAM ADSI Edit, click File menu > Exit.

Step 5: Configuring the ADAM Schema Snap-in Administration Tool


To configure the ADAM Schema Snap-in Administrative Tool, we first need to create an MMC file for it by
performing the following procedure:
1. Click Start > Run, type mmc /a, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In Available Standalone Snap-ins, click "ADAM Schema", click Add, see Fig. 23; click Close, and
then click OK to exit Add Standalone Snap-in.


Fig. 23: Adding Standalone Snap-in: (a) ADAM Schema, (b) Add/Remove, click OK to exit

4. Console1 now contains ADAM Schema, which at the moment is empty, see Fig. 22. We therefore need to
connect to the ADAM server.

Fig. 22

5. From Fig. 22, right-click ADAM Schema and select "Change ADAM Server" to access the Connect ADAM
Server dialog box, Fig. 22a. Enter the information as shown (accept the defaults or change as desired),
and then click OK. Recall that we used port 50000 during setup.


Fig. 23

6. To save this Console1, click the File menu and select Save. In File name, type
Adampakaschmmgmt.msc, and then click Save to save the file as
"%windir%\system32\adampakaschmmgmt.msc".
7. The ADAM Schema snap-in now looks as shown in Fig. 24. You can now browse and view the ADAM
schema classes and attributes:

Fig. 24: Adampakaschmmgmt with ADAM Schema showing classes and attributes

8. To exit "Adampakaschmmgmt.msc", click File menu > Exit.


9. To create a shortcut for the ADAM Schema snap-in on your Start menu:

a. Right-click Start, click Open All Users, double-click the Programs folder, and then double-click
the ADAM folder.
b. On the File menu, point to New, and then click Shortcut.
c. In the Create Shortcut Wizard, in Type the location of the item, type
"Adampakaschmmgmt.msc", and then click Next.
d. On the Select a Title for the Program page, in Type a name for this shortcut, type "ADAM
Schema", and then click Finish.

10. To access the ADAM Schema, click Start > ADAM and then select ADAM Schema, see Fig. 25

Fig. 25: Starting the ADAM Schema.

11. You’re done with this section.

Part 3: Using ADSchemaAnalyzer


You can use ADSchemaAnalyzer to help migrate the Active Directory schema to ADAM, from one ADAM
instance to another, or from any LDAP-compliant directory to an ADAM instance. You can use
ADSchemaAnalyzer to load a target (source) schema, mark the elements you want to migrate, and then
export them to the base ADAM schema. You can also compare the two schemas.

Note: When using ADSchemaAnalyzer to create an LDIF file, you should load both a target and a
base schema. Otherwise, the resulting LDIF file might not be usable by the ldifde tool.

Step 1: Creating an LDIF file with ADSchemaAnalyzer


To create an LDIF file with ADSchemaAnalyzer – perform the following procedure:
1. Click Start > All Programs > ADAM, and click ADAM Tools Command Prompt, and then, at the
command prompt, type: "adschemaanalyzer", see Fig. 26.

Fig. 26


2. The AD Schema Analyzer tool will now appear, and will start with a blank white screen, see Fig. 27.

Fig. 27

3. Within the AD Schema Analyzer, click the File menu and select "Load target schema...", see Fig.
28a.

Fig. 28

4. Enter the following connection information for your Active Directory LDAP server, see Fig. 28b:
a) Server IP and port number
b) Administrative username
c) Password for that username
d) FQDN of your domain (example: intel.com)
e) Select the "Secure" radio button in the "Bind type" section.
f) Select "Active Directory" in the "Server type" section.

g) When done entering in all required information, click the OK button.

Note: After you click OK, the tool analyzes your LDAP target schema. You should see something similar
to what is shown in Fig. 29, although your attributes, classes and property set values may differ.

Fig. 29

5. Again, within the AD Schema Analyzer, click on the File menu, and then select "Load base
schema..."; see Fig. 30a.

Fig. 30


6. Enter the following connection information to connect to the LOCAL ADAM server, see Fig. 30b:
a) IP and port of the network loopback
b) In the Bind type section, select the "Secure" radio button
c) In the Server type section, select "Active Directory"
d) Click the OK button after entering all the required information.

Note: For the local ADAM instance, no other credentials are needed in order to connect. The server and
port are the only requirements. After you click OK, the application displays how many attributes, classes
and property sets it found, see Fig. 31.

Fig. 31

7. Again, within the AD Schema Analyzer, click the "Schema" menu, and then select "Mark all
nonpresent elements as included", see Fig. 32.

Fig. 32 and Fig. 33

8. Again, within the AD Schema Analyzer, click on the File menu, and select "Create LDIF
file...", see Fig. 33.
9. In the "Save As" window, name the LDF file something recognizable because this file is used later
on in this guide: in our case filename: "adschemapaka.ldif".
10. You have now created a custom schema LDF file to load into ADAM. This file will be used in the next
section.
11. You’re done with this section.

Step 1: Loading Active Directory/ADAM Schema LDF Files


To load the Active Directory/ADAM Schema LDIF files, perform the following procedure:
1. Load the custom-created LDF file "adschemapaka.ldif" as follows.
2. Launch the ADAM Command Prompt and issue the following command (on one line):

ldifde -i -s localhost -t 50000 -c CN=Configuration,DC=X #ConfigurationNamingContext -f adschemapaka.ldif

Here -t 50000 is the LDAP port we chose for the ADAM instance during setup; without it ldifde uses port
389, which on our domain controller is Active Directory itself, not ADAM (omit -t if your instance listens
on 389). The -c switch rewrites the placeholder "CN=Configuration,DC=X" used in the file to the instance's
real configuration naming context, which the #ConfigurationNamingContext macro resolves from the server.


Note 1: After executing the command, it will show the following text output:
Connecting to "localhost"
Logging in as current user using SSPI
Importing directory from file "adschemapaka.ldif"
Loading entries.....

Note 2:
• The "adschemapaka.ldif" is the filename used from the previous section when we created a
custom LDF file with all schema differences. If you used a different name, please change the
filename used in the command listed above.
• After running the command, you will receive a message in the command line as shown in Fig. 34.
(Note: Number of entries modified may be different)

Fig. 34

Step 2: Loading ADAM Synchronization Schema LDF File


To load the ADAM Synchronization Schema LDIF file, perform the following procedure:
1. Launch the ADAM Command Prompt and issue the following command (on one line; -t 50000 is again the
ADAM LDAP port chosen during setup):

ldifde -i -s localhost -t 50000 -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-AdamSyncMetaData.ldf

Note 1: After executing the command, it will show the following text output:
Connecting to "localhost"
Logging in as current user using SSPI
Importing directory from file "MS-AdamSyncMetaData.ldf"
Loading entries.....

Note 2: After it loads its entries for the Adam Sync Meta Data, it should indicate to you exactly like the
previously loaded custom LDF file that "The command has completed successfully", see Fig. 35

Fig. 35: ADAM Synchronization Schema LDIF file: "MS-AdamSyncMetaData.ldf"


Note 3: The "MS-AdamSyncMetaData.ldf" file is located in "C:\Windows\ADAM" by default and is
provided with the installation of ADAM.

2. You have now loaded in the 2 needed LDF files to allow ADAM to synchronize with your Active
Directory LDAP server.
3. You’re done with this section.
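The two ldifde imports in Steps 1 and 2 of this part both rely on the -c switch to rewrite the placeholder "CN=Configuration,DC=X" to the instance's real configuration naming context. The following script is an added example, not part of this training manual and not Microsoft's ldifde: it parses an LDIF file, applies the same rewrite offline, and lists what would be imported, which is a cheap way to check a generated LDF file (such as the ADSchemaAnalyzer output) before pointing ldifde at a live instance. The sample LDIF, the attribute names in it and the configuration naming context GUID are constructed placeholders, not copies of MS-AdamSyncMetaData.ldf or of a real instance.

```python
"""Offline preview of the guide's `ldifde -i -c CN=Configuration,DC=X #ConfigurationNamingContext`
import. Added example; it does not invoke ldifde and does not touch any directory."""
import re
from typing import Dict, List

# Constructed sample: two schema additions plus a schema-cache refresh, written the way
# ADAM-targeted LDF files are (DC=X placeholder under CN=Configuration). Not a real file.
SAMPLE_LDF = """\
dn: CN=exampleSyncCookie,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
cn: exampleSyncCookie
lDAPDisplayName: exampleSyncCookie
attributeSyntax: 2.5.5.10
description: constructed attribute for the example, spans
  a folded line

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=exampleSyncEntry,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
cn: exampleSyncEntry
mayContain: exampleSyncCookie
"""

# Constructed placeholder. An ADAM instance's configuration naming context has the form
# CN=Configuration,CN={<guid>}; ldifde reads the real value from the instance's RootDSE.
PLACEHOLDER_CONFIG_NC = "CN=Configuration,CN={00000000-0000-0000-0000-000000000000}"
MACRO = "#ConfigurationNamingContext"

Record = Dict[str, object]


def rewrite(text: str, from_dn: str, to_dn: str) -> str:
    """ldifde -c FromDN ToDN: replace every occurrence of FromDN (case-insensitive), in DNs and values."""
    return re.sub(re.escape(from_dn), lambda _m: to_dn, text, flags=re.IGNORECASE)


def parse_ldif(text: str) -> List[Record]:
    """Split LDIF into records {dn, changetype, lines}; folds RFC 2849 continuation lines, skips comments."""
    records: List[Record] = []
    for block in re.split(r"\n[ \t]*\n", text.strip("\n")):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # continuation line: drop exactly one leading space
            elif raw.startswith("#") or not raw.strip():
                continue
            else:
                lines.append(raw)
        if not lines:
            continue
        rec: Record = {"dn": None, "changetype": "add", "lines": []}
        for line in lines:
            key, _, value = line.partition(":")
            key, value = key.lower(), value.strip()
            if key == "dn":
                rec["dn"] = value                 # "" is the RootDSE
            elif key == "changetype":
                rec["changetype"] = value.lower()
            else:
                rec["lines"].append(line)
        if rec["dn"] is None:
            raise ValueError("LDIF record without a dn: line: %r" % lines[0])
        records.append(rec)
    return records


def preview_import(ldf_text: str, config_nc: str, from_dn: str = "CN=Configuration,DC=X") -> List[Record]:
    """Records ldifde -i would send once -c has rewritten from_dn to the instance's config NC."""
    return parse_ldif(rewrite(ldf_text, from_dn, config_nc))


def ldifde_command(ldf_file: str, port: int, server: str = "localhost") -> List[str]:
    """The import command as argv. -t selects the ADAM LDAP port chosen at setup (50000 in the
    guide); without it ldifde talks to 389, which on a domain controller is AD, not ADAM."""
    return ["ldifde", "-i", "-s", server, "-t", str(port),
            "-c", "CN=Configuration,DC=X", MACRO, "-f", ldf_file]


if __name__ == "__main__":
    for rec in preview_import(SAMPLE_LDF, PLACEHOLDER_CONFIG_NC):
        print("%-7s %s" % (rec["changetype"], rec["dn"] or "(RootDSE)"))
    print(" ".join(ldifde_command("adschemapaka.ldif", 50000)))
```

Run it against a real LDF file by reading the file into `preview_import` instead of `SAMPLE_LDF`; any record whose DN still contains "DC=X" after the rewrite, or any record without a dn: line, is something ldifde will reject or misplace.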

Part 4: Editing/Customizing ADAM Synchronization Config XML File

Step 1: Creating the ADAM Synchronization Config XML File


In this section, I'll present the instructions to show you how to create an ADAM Synchronization file. You
will use the created file to tell ADAM what object types and attributes you would like it to
synchronize from an LDAP server.

It’s important to note that ADAM requires a special file in order to determine what information it should
synchronize from Active Directory. This file contains Distinguished Name (DN's) locations as to where the
information is coming from and where it should be going to. It also contains information as to what
attributes it should synchronize. This file is loaded into ADAM using a special command, and is used by
any subsequent automated synchronization.

To create the ADAM Synchronization Config XML File, perform the following procedure:
1. Open Notepad: (Start > All Programs > Accessories > Notepad)
2. Copy and paste the text below into a new notepad file
3. Save the file as: "AdamSyncConfPaka.xml" in "C:\Windows\ADAM"

Sample ADAM Synchronization Config XML file

<?xml version="1.0"?>
<doc>
  <configuration>
    <description>Pakaserver User Accounts</description>
    <security-mode>object</security-mode>
    <source-ad-name>server02</source-ad-name>
    <source-ad-partition>dc=panyatech,dc=com</source-ad-partition>
    <source-ad-account>Administrator</source-ad-account>
    <account-domain>panyatech.com</account-domain>
    <target-dn>CN=pakaserver,dc=panyatech,dc=com</target-dn>
    <query>
      <base-dn>dc=panyatech,dc=com</base-dn>
      <object-filter>(objectClass=User)</object-filter>
      <attributes>
        <include>objectSID</include>
        <include>sourceObjectGuid</include>
        <include>lastAgedChange</include>
        <include>displayName</include>
        <include>description</include>
        <include>mail</include>
        <include>member</include>
        <include>memberOf</include>
        <include>mobile</include>
        <include>samaccountname</include>
        <include>cn</include>
        <include>givenName</include>
        <include>sn</include>
        <include>telephoneNumber</include>
        <include>ou</include>
        <include>objectclass</include>
        <include>objectcategory</include>
        <include>distinguishedname</include>
        <include>whenchanged</include>
        <include>whencreated</include>
        <include>objectguid</include>
        <include>usnchanged</include>
        <include>usncreated</include>
        <include>instancetype</include>
        <include>lastagedchange</include>
        <include>name</include>
        <include>CountryCode</include>
        <include>info</include>
        <include>pwdLastSet</include>
        <include>userParameters</include>
        <include>badPasswordTime</include>
        <include>lastLogoff</include>
        <include>primaryGroupID</include>
        <include>codePage</include>
        <include>logonCount</include>
        <include>userAccountControl</include>
        <include>badPwdCount</include>
        <include>lastlogon</include>
        <exclude/>
      </attributes>
    </query>
    <schedule>
      <aging>
        <frequency>0</frequency>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd/>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie/>
    <status/>
    <authoritative-adam-instance/>
    <configuration-file-guid/>
    <last-sync-attempt-time/>
    <last-sync-success-time/>
    <last-sync-error-time/>
    <last-sync-error-string/>
    <consecutive-sync-failures/>
    <user-credentials/>
    <runs-since-last-object-update/>
    <runs-since-last-full-sync/>
  </synchronizer-state>
</doc>

Note: Modifying the sample ADAM Synchronization Config XML File

The synchronization file contains 6 lines which need to be edited, as follows:

a) Hostname of the Active Directory server (ensure it is resolvable by DNS):
<source-ad-name>server02</source-ad-name>

b) Instance path of your Active Directory tree (e.g., panyatech.com translates into...):
<source-ad-partition>dc=panyatech,dc=com</source-ad-partition>

c) Username of a user who has administrative privileges:
<source-ad-account>Administrator</source-ad-account>

d) Domain name of Active Directory (Step 2 translates into sparks.com):
<account-domain>panyatech.com</account-domain>

e) Local ADAM LDAP Distinguished Name (reference step 6 of the installation procedure):
<target-dn>CN=pakaserver,dc=panyatech,dc=com</target-dn>

f) Remote LDAP Distinguished Name of your Active Directory server:
<base-dn>dc=panyatech,dc=com</base-dn>
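The six site-specific lines above, read back out of the config and sanity-checked before "ADAMSync /install" is run, as an added Python example that is not part of the original guide or of the ADAMSync tool. The function names and consistency rules are this example's own assumptions; the sample config is constructed from the guide's values (server02, panyatech.com, pakaserver).

```python
import re
import xml.etree.ElementTree as ET

# The six elements the note above says must be edited, in document order.
EDITABLE = ("source-ad-name", "source-ad-partition", "source-ad-account",
            "account-domain", "target-dn", "base-dn")

# Constructed sample: only the editable lines of the guide's AdamSyncConfPaka.xml.
SAMPLE = """<doc><configuration>
  <source-ad-name>server02</source-ad-name>
  <source-ad-partition>dc=panyatech,dc=com</source-ad-partition>
  <source-ad-account>Administrator</source-ad-account>
  <account-domain>panyatech.com</account-domain>
  <target-dn>CN=pakaserver,dc=panyatech,dc=com</target-dn>
  <query><base-dn>dc=panyatech,dc=com</base-dn></query>
</configuration></doc>"""

# A DN as used here: one or more cn=/ou=/dc= components separated by commas.
DN_RE = re.compile(r"^(cn|ou|dc)=[^,]+(,(cn|ou|dc)=[^,]+)*$", re.I)

def domain_to_partition(domain):
    """panyatech.com -> dc=panyatech,dc=com (the AD domain naming context)."""
    return ",".join("dc=" + label for label in domain.lower().split("."))

def site_settings(xml_text):
    """Return {element name: text} for the six editable elements."""
    root = ET.fromstring(xml_text)
    return {name: (root.findtext(".//" + name) or "").strip() for name in EDITABLE}

def check_config(xml_text):
    """Return a list of problems; an empty list means the six lines look consistent."""
    s = site_settings(xml_text)
    problems = [f"{k} is empty" for k, v in s.items() if not v]
    # (b) and (d) describe the same domain, so they must agree with each other.
    if s["account-domain"] and s["source-ad-partition"]:
        if domain_to_partition(s["account-domain"]) != s["source-ad-partition"].lower():
            problems.append("source-ad-partition does not match account-domain")
    # (e) and (f) are DNs, not bare names: catch "pakaserver" typed instead of "CN=pakaserver,...".
    for name in ("target-dn", "base-dn"):
        if s[name] and not DN_RE.match(s[name]):
            problems.append(f"{name} is not a well-formed DN")
    # (c) The guide uses the domain Administrator. ADAMSync reads AD through the DirSync
    # control, which needs the Replicating Directory Changes right, not domain administration,
    # so a dedicated sync account is the safer choice; flag it for review (this example's rule).
    if s["source-ad-account"].lower() == "administrator":
        problems.append("source-ad-account is Administrator; consider a dedicated sync account")
    return problems
```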

Step 2: Installing the sample ADAM Synchronization Config XML File


The following instructions will show you how to install the configuration file you just created: the file
named "AdamSyncConfPaka.xml" from the previous section, located in "C:\Windows\ADAM".

1. To do this, launch the ADAM Command Prompt and issue the following command:

ADAMSync /install localhost:50000 %windir%\ADAM\AdamSyncConfPaka.xml

2. After running the command, it should move to the next line and display "Done", as shown in Fig. 36.

Fig. 36: Installing the sample ADAM Synchronization Config XML File: "AdamSyncConfPaka.xml"

Note: Optionally, if you have a second domain XML file, use the same command above and specify the
appropriate file name.

Step 3: Running the Synchronization for the first time using config XML file
The following instructions in this section will show you how to run the synchronization for the first time.

To do this, launch the ADAM Command Prompt and perform the following procedure:

1. Create a directory on the C:\ drive named "ADAMLogs". This directory will hold all synchronization
logs.

2. Run the full synchronization, writing its log into that directory:

ADAMSync /fs localhost:50000 "CN=pakaserver,dc=panyatech,dc=com" /log C:\ADAMLogs\sync.log

Warning! Synchronization of data from your current Active Directory to the newly created ADAM
instance can take from 5 minutes to 5 hours depending on how many users you have within Active
Directory. Please monitor your ADAM Sync log in C:\ADAMLogs\sync.log, as it can grow in size
rapidly and cause low disk space.

Part 5: Disabling SSL Authentication in ADAM


In the following section you will learn how to disable SSL authentication in ADAM. This is needed
to allow server02 to bind (authenticate) to the ADAM instance (Paka) without requiring a certificate.
The setting changed below, RequireSecureProxyBind, controls whether ADAM accepts bind redirection
(proxy binds) only over SSL; with it set to 0, proxied credentials can travel over an unencrypted
connection. Here server02 and the ADAM instance reside on the same machine and will never communicate
outside of the server, so disabling SSL authentication is acceptable. In an environment where ADAM was
a remote system, it would be recommended to use a certificate.

To do this, perform the following procedure:


1. Open ADAM ADSI Edit by navigating to: Start > Programs > ADAM > ADAM ADSI Edit, see also
Fig. 37.
2. Expand the Paka ADAM Configuration connection and expand "CN=Configuration,CN=....".
4. Next, expand "CN=Services", then "CN=Windows NT".
5. Finally, right-click "CN=Directory Service" and click "Properties", see Fig. 37.


Fig. 37

6. In the Attributes list, find "msDS-Other-Settings" and click the "Edit" button, see Fig. 38.

Fig. 38

7. In Values, click "RequireSecureProxyBind=1", and then click "Remove".

8. The value then moves up to the "Value to add" box. Change the 1 to a 0, and then click the "Add"
button. Then click the OK button, and then click the OK button again, see Fig. 39.


Fig. 39

9. You’re done disabling SSL authentication for this Paka ADAM instance. This is required to allow the
Pakaserver installer to connect to the ADAM instance without requiring a certificate.
10. You’re done with this section.
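The attribute edit in steps 6 to 8, expressed as an added Python example (not from the guide or from any Microsoft tool) so the state of the instance can be recorded before and after the change. msDS-Other-Settings is a multi-valued attribute of Name=Value strings; the sample value list and the function names are this example's own constructions, and only RequireSecureProxyBind is taken from the guide.

```python
# Constructed sample of an instance's msDS-Other-Settings values (Name=Value strings).
SAMPLE_SETTINGS = ["DynamicObjectDefaultTTL=86400", "RequireSecureProxyBind=1"]

def read_setting(values, name):
    """Integer value of a Name=Value entry, or None when the entry is absent.
    Names are matched case-insensitively, as ADSI Edit displays them."""
    for entry in values:
        key, _, value = entry.partition("=")
        if key.strip().lower() == name.lower():
            return int(value.strip())
    return None

def proxy_bind_requires_ssl(values):
    """True if ADAM only accepts bind redirection (proxy binds) over SSL, False if it
    accepts them in cleartext, None if the entry is missing (check the instance's default)."""
    value = read_setting(values, "RequireSecureProxyBind")
    return None if value is None else value == 1

def set_setting(values, name, new_value):
    """Steps 7 and 8 as a list operation: drop the old Name=Value entry, then add
    Name=new_value. The full list is what ADSI Edit writes back to the attribute."""
    kept = [v for v in values if v.partition("=")[0].strip().lower() != name.lower()]
    return kept + [f"{name}={new_value}"]

def audit(values):
    """One-line status worth logging before and after the change."""
    state = proxy_bind_requires_ssl(values)
    if state is None:
        return "RequireSecureProxyBind not set"
    return ("proxy binds require SSL" if state
            else "proxy binds allowed without SSL (credentials may cross the wire in cleartext)")
```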

Part 6: Creating ADAM LDAP User for Pakaserver


To create an ADAM LDAP user for Pakaserver, perform the following procedure:
1. Launch the ADAM Tools command prompt from: Start > ADAM > ADAM Tools Command Prompt.
2. Type in "ldp" and then press Enter. The LDP application will then appear, see Fig. 40.

Fig. 40


3. Click the "Connection" menu and select "Connect", see Fig. 41a.

4. In the Server box, type in "localhost", and then press the OK button, see Fig. 41b.

Fig. 41: Connecting to the ldap server

Note: After you hit the OK button, you should see technical LDAP information appear on the right
hand window, as shown in Fig. 42.

Fig. 42

5. Click on the "Connection" menu again, and select "Bind".


6. Under "Bind type", select "Bind as currently logged on user". Click on the OK button, see
Fig. 43.


Fig. 43: Binding to the ldap server

7. After you click the OK button, the words "Authenticated as: MACHINENAME/Username" appear in the
bottom pane on the right-hand side, see Fig. 44.

Fig. 44

8. Next, click on the "View" menu and select "Tree", see Fig. 45.


Fig. 45

9. You’re done for now; we take a break here and continue later.

Summary
It should be said that Microsoft has included a new Application Directory Partition feature in Win2k3 AD,
which allows for a new fourth ‘logical’ partition, called ‘Application’. This new partition is tailor-made to
store data from third-party AD-aware programs, which means that data for AD-aware programs can be stored
outside of the main three partitions and can have separate replication schedules. This obviously has
several of the advantages that benefit the ADAM approach, but with ADAM you are able to run multiple
instances, something which cannot be done with a normal AD installation.

Stay tuned as I will be continuing working on this install guide.

Good Luck and Enjoy working with cool system integration.

-----------------------
Kefa Rabah is the Founder and CIO of Serengeti Systems Group Inc. Kefa is knowledgeable in
several fields of Science & Technology, IT Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, an e-Learning place for
enhancing your career goals through the latest innovations and technology.
