
Synchronize Active Directory to ADAM with ADAMSync (step-by-step)

Jeff Nuckolls 1 Apr 2007 12:24 PM

I have created two sets of step-by-step instructions. The first is for someone who may be already somewhat familiar with using ADAM and ADAM tools, the second is for those who would prefer a little more detail.

Here is the first set of step-by-step instructions (if you'd like more detail see the second set of step-by-step instructions below).

Before we begin you must set up the environment. Create a partition using dsmgmt:

create nc dc=MySchool,dc=edu contoso-sp:389

To use Active Directory to ADAM Synchronizer for the first time

1. Click Start, point to All Programs, click ADAM, and then click ADAM Tools Command Prompt to open a command window in the ADAM directory.

2. To extend the ADAM schema to match the default Windows Server 2003 schema objects in Active Directory, at the command prompt, type the following command on a single line, and then press ENTER: ldifde -i -s localhost -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-AdamSchemaW2k3.ldf

3. To extend the ADAM schema to include schema objects that are required by Active Directory to ADAM Synchronizer, at the command prompt, type the following command on a single line, and then press ENTER: ldifde -i -s localhost:389 -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-AdamSyncMetadata.ldf

4. Modify the configuration file MS-AdamSyncConf.xml with the appropriate parameters:

Replace the value of <source-ad-name> with the name of the source Active Directory domain controller, for example, <source-ad-name>SeattleDC1</source-ad-name>.

Replace the value of <source-ad-partition> with the distinguished name of the source domain, for example, <source-ad-partition>dc=fabrikam,dc=com</source-ad-partition>.

Replace the value of <source-ad-account> with the name of an account in the Domain Admins group of the source domain, for example, <source-ad-account>administrator</source-ad-account>.

Replace the value of <account-domain> with the fully qualified name of the source domain, for example, <account-domain>fabrikam.com</account-domain>.

Replace the value of <target-dn> with the name of the partition of the target ADAM instance, in this case, <target-dn>o=microsoft,c=US</target-dn>.

Replace the value of <base-dn> with the base distinguished name of the source domain, for example, <base-dn>dc=fabrikam,dc=com</base-dn>.

Important: Do not delete any unused fields from this file.

5. Install the configuration file. At a command prompt, type the following command, and then press ENTER: ADAMSync /install localhost:389 %windir%\ADAM\MS-AdamSyncConf.xml

6. Synchronize the data from the Active Directory forest to the ADAM configuration set. At a command prompt, type the following command, and then press ENTER: ADAMSync /sync localhost:389 "o=microsoft,c=US" /log

The /log option displays detailed information about the status of the synchronization. You can also use ADAM ADSI Edit to verify that the data has been synchronized.

That's It!

The next set of instructions is a step-by-step for accomplishing the same thing, but includes more detail.

Jeff's AD-to-ADAM Sync Instructions

Step 1 (Installing ADAM)


You can install an ADAM instance either by using the Active Directory Application Mode Setup Wizard or by using the ADAM unattended installation process. The following demonstrates installing ADAM using the Active Directory Application Mode Setup Wizard.

To install ADAM

1. To install ADAM, log on as an administrator, click Start, point to Control Panel, and then click Add or Remove Programs.

2. Click Add/Remove Windows Components.

3. Select the check box next to Active Directory Services, and then click Details.

4. Select the check box next to Active Directory Application Mode (ADAM), click OK, and then click Next.

5. Review the message that appears. Based on the contents of the message, do one of the following: If the message "You have successfully completed the Windows Component Wizard" appears, click Finish. If an error message appears, make a note of the error, click Finish, and then review the ADAM event messages in Event Viewer.

Step 2 (Create an ADAM Instance)


You can create multiple ADAM instances to support multiple application directories by assigning each ADAM instance a different Instance Name and Port #. The first ADAM instance will default to 389 (since Active Directory also uses port 389, you should not install ADAM on the Domain Controller). Every subsequent ADAM instance you create will increment by 1 starting at 50000 and assign the SSL port # to 50001 (for example: 50000/50001, 50002/50003, etc.), but you can configure it to use whichever port #s you choose. To create an ADAM instance you have two options:

a. Create an ADAM Instance using the command line tool dsmgmt.exe

OR

b. Create an ADAM Instance using the ADAM Setup Wizard

Option A (To install an ADAM instance by using Command line tool dsmgmt.exe)
[To avoid Naming Violation schema errors later, create the new ADAM instance as a DC such as DC=MySchool or DC=MySchool,DC=edu]

1. First we will simply list all the existing Naming Contexts to see what is installed. NOTE: Be sure to use the port # of the local ADAM Instance you are working with. In this case it's 389 because this is the first ADAM instance I'm creating (every ADAM instance will have a different port #). For the following command, however, the port # doesn't matter so much because it's really looking at the ADAM configuration context, which is shared by all ADAM instances, but it is still a good practice to use the appropriate port #, especially later when we start importing schemas.

C:\WINDOWS\ADAM>dsmgmt
dsmgmt: partition management
partition management: connections
server connections: connect to server adam-poc:389
Binding to localhost:50000 ...
Connected to adam-poc:50000 using credentials of locally logged on user.
server connections: q
partition management: list
Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded
Found 2 Naming Context(s)
0 - CN=Configuration,CN={5D51FDDE-6E30-4AF8-80E9-0F357AD3EB3D}
1 - CN=Schema,CN=Configuration,CN={5D51FDDE-6E30-4AF8-80E9-0F357AD3EB3D}

[Continue to Create a new ADAM instance]

2. Now we can create a new Naming Context (called dc=MySchool,dc=edu) by running the following command. (NOTE: you can also delete any existing Naming Contexts by running delete NC dc=xyz,dc=com DomainDNS NULL, replacing dc=xyz,dc=com with the name of the Naming Context you wish to delete.)

partition management: create NC dc=MySchool,dc=edu DomainDNS NULL
adding object dc=MySchool,dc=edu
partition management: quit
dsmgmt: quit

Option B (To install an ADAM instance by using the Active Directory Application Mode Setup Wizard)

1. To start the Active Directory Application Mode Setup Wizard, click Start, point to All Programs, point to ADAM, and then click Create an ADAM instance. The first page of the Active Directory Application Mode Setup Wizard looks like the following:

2. On the Welcome to the Active Directory Application Mode Setup Wizard page, click Next.

3. On the Setup Options page, you can choose whether to install a unique ADAM instance or join an existing configuration set. Because you are installing the first ADAM instance, click A unique instance (as shown in the following), and then click Next. Later, you will create additional ADAM instances and join them in a configuration set.

4. On the Instance Name page, provide a name for the ADAM instance that you are installing. This name is used on the local computer to uniquely identify the ADAM instance. For this exercise, simply accept the default name of instance1, and then click Next.

5. On the Ports page, specify the communications ports that the ADAM instance uses to communicate. ADAM can communicate using both LDAP and Secure Sockets Layer (SSL); therefore, you must provide a value for each port. For this exercise, accept the default values of 389 and 636, and then click Next.

Note: If you install ADAM on a computer where either of the default ports is in use, the Active Directory Application Mode Setup Wizard automatically locates the first available port, starting at 50000. For example, Active Directory uses ports 389 and 636, as well as ports 3268 and 3269 on global catalog servers. Therefore, if you install ADAM on a domain controller, the Active Directory Application Mode Setup Wizard provides a default value of 50000 for the LDAP port and 50001 for the SSL port.

6. On the Application Directory Partition page, you can create an application directory partition (or naming context) by clicking Yes, create an application directory partition. Or, you can click No, do not create an application directory partition, in which case you must create an application directory partition manually after installation. For this exercise, click Yes, create an application directory partition. When you create an application directory partition, you must provide a distinguished name for the new partition. For this exercise, type DC=MySchool,DC=EDU as the distinguished name (as shown below), and then click Next.

Note: ADAM supports both X.500-style and Domain Name System (DNS)-style distinguished names for top-level directory partitions.

7. On the File Locations page, you can view and change the installation directories for ADAM data and recovery (log) files. By default, ADAM data and recovery files are installed in %ProgramFiles%\Microsoft ADAM\instancename\data, where instancename represents the ADAM instance name that you specify on the Instance Name page. For this exercise, click Next to accept the default file locations.

Important: When installing ADAM on a computer running Windows XP, you must install these files on the same logical volume. When installing ADAM on Windows Server 2003 and Windows Server 2003 R2 in a production environment, it is recommended that you install the files on separate physical disks.

Note: ADAM setup installs program files and administration tools in %windir%\ADAM.

8. On the Service Account Selection page, you select an account to be used as the service account for ADAM. The account that you select determines the security context in which the ADAM instance runs. Unless you are installing ADAM on a domain controller, the Active Directory Application Mode Setup Wizard defaults to the Network Service account. For this exercise, click Next to accept the Network Service account default. Or, if you are installing ADAM on a domain controller, click This account, and then select a domain user account to use as the ADAM service account.

Note: You can change the ADAM service account after ADAM is installed by using the Dsmgmt command-line tool. When you install ADAM on a domain controller, you must select a domain user account as the ADAM service account.

9. On the ADAM Administrators page, you select a user or group to become the default administrator for the ADAM instance. The user or group that you select will have full administrative control of the ADAM instance. By default, the Active Directory Application Mode Setup Wizard specifies the currently logged on user. You can change this selection to any local or domain account or group on your network. For this exercise, click the default value of Currently logged on user, and then click Next.

10. On the Importing LDIF Files page, you can import into the ADAM schema two .ldf files containing user class object definitions. Importing these user class object definitions is optional. However, these object definitions are required later in this guide, so you should import these definitions now:

a. Click Import the selected LDIF files for this instance of ADAM.
b. Click MS-InetOrgPerson.LDF, and then click Add.
c. Click MS-User.LDF, and then click Add.
d. Click MS-UserProxy.LDF, click Add, and then click Next.

11. The Ready to Install page gives you an opportunity to review your installation selections. After you click Next, the Active Directory Application Mode Setup Wizard begins copying files and setting up ADAM on your computer.

12. When the Active Directory Application Mode Setup Wizard finishes installing ADAM, it displays this message: You have successfully completed the Active Directory Application Mode Setup Wizard. When the Completing the Active Directory Application Mode Setup Wizard page appears, click Finish to close the wizard.

Note: If the Active Directory Application Mode Setup Wizard does not complete successfully, an error message describing the reason for the failure appears on the Summary page. If an error occurs in the Active Directory Application Mode Setup Wizard before the Summary page, you can review the error message that appears. In addition, you can click Start, click Run, and type either of the following:

%windir%\Debug\adamsetup.log
%windir%\Debug\adamsetup_loader.log

The Adamsetup.log and Adamsetup_loader.log files contain information that can help you troubleshoot the cause of an ADAM setup failure.

Step 3 (Create a place to log synchronization events)


1. You must first ensure that the c:\windows\adam\logs directory exists before running the commands that follow. (Simply create a new directory called logs under c:\windows\adam\.)

Step 4 (Define Schema Elements for Synchronization)


1. Define the Objects and Attributes you'd like to have synchronized from Active Directory to your ADAM instance. You have two options:

a. Use the ADSchemaAnalyzer tool to select specific Objects and Attributes to synchronize. NOTE: This tool is good for comparing schemas, but there is also an ADAM Schema mmc snap-in that provides you the ability to add/remove attributes on the Class Objects prior to running ADAMSync (I will discuss this further at the end of Step 6).

OR

b. Import the AdamSchemaW2K3.LDF and bring over all the default Windows 2003 AD objects and attributes. <This option is by far easier!>

Option A (Use the ADSchemaAnalyzer Tool)

You can use ADSchemaAnalyzer to help migrate the Active Directory schema to ADAM, from one ADAM instance to another, or from any LDAP-compliant directory to an ADAM instance. You can use ADSchemaAnalyzer to load a target (source) schema, mark the elements you want to migrate, and then export them to the base ADAM schema. You can also compare the two schemas.

Important: When using ADSchemaAnalyzer to create an LDIF file, you should load both a target and a base schema. Otherwise, the resulting LDIF file might not be usable by the ldifde tool.

To create an LDIF file with ADSchemaAnalyzer

1. Click Start, point to All Programs, point to ADAM, click ADAM Tools Command Prompt, and then, at the command prompt, type: adschemaanalyzer

2. To load a target schema, click File, click Load target schema, and then do one of the following:

a. To load the domain Active Directory schema as the target schema, in the dialog box, type your user name, password, and domain, and then click OK.

b. To load a different schema (such as the schema of an Active Directory forest or another LDAP-compliant directory), in the dialog box, type the server name and port of the directory containing the target schema, type your user name, password, and domain as needed, and then click OK. It should look as follows:

(NOTE: Use the name of your Domain Controller server; there is no need to specify the port in this case because AD defaults to 389.)

3. To load the schema of your ADAM instance as the base schema, click File, click Load base schema, and then in Server[:port], type the server name and port of the ADAM instance.

4. In the dialog box, click OK.

(NOTE: Use the name of the computer where ADAM is installed and the port (i.e. MyADAMServer:389). Be sure to use the appropriate port on which this particular ADAM instance is running.)

5. In the resulting tree, mark all elements that you want to export to your base schema by right-clicking the element and selecting one of the following options:

a. Auto automatically marks an element as included or excluded in the export. If an element is marked as Auto (included), you can right-click that element, and then click Why auto included? to see the reverse dependency tree for the element.

b. Included marks an element so that it is included in the export. ADSchemaAnalyzer marks all related elements, such as superclasses, auxClasses, must/may contains, defaultObjectCategory, and possSuperiors. ADSchemaAnalyzer includes propsets for included attributes and back-links for links.

c. Excluded marks an element so that it is not included in the export. You can block certain paths in the dependency graph. For example, you might want to import domainDns, but not samAccountDomain (which is an auxClass of domainDns). You can exclude a complete element, such as the samAccountDomain class, or you can exclude a relationship; for example, you can remove the auxClass reference from the domainDns class. If you exclude a relationship, any other classes that reference that element continue to include it.

d. Present means that the element is present on the target server. By default, the top class is marked as present.

(NOTE: If after you load both the target and base schemas you notice that there were some mismatch errors reported on certain Objects/Attributes, or you notice some Objects/Attributes appear in red text, you may experience a problem later when running ADAMSync (i.e. you receive an Object Class Violation). In this case see my comments about how to resolve this problem using the ADAM Schema mmc snap-in at the end of Step 6.)

In my case I just select the user class to import only user information, which as a dependency automatically includes memberOf information from the group class.

6. To create the LDIF file, click File, and then click Create LDIF file. (For example: I saved my LDIF file as JeffsUserClassOnly.LDF. I'll be using this file in the next step when I use ldifde.exe to import the target schema elements from AD (as defined in this LDF file) into my base ADAM schema.)

7. Run the ldifde.exe command line tool to import the new schema elements from AD into ADAM using the LDF file you created in the previous steps:

(NOTE: You'll notice that JeffsUsersClassOnly.LDF refers to the custom LDF file we just created above, adam-poc refers to the computer name where I'm running ADAM currently, and 389 refers to the port # for this particular ADAM instance we are working with currently.)

C:\WINDOWS\ADAM>ldifde -i -j c:\windows\adam\logs -f JeffsUsersClassOnly.LDF -s adam-poc -t 389 -c "cn=configuration,dc=x" #configurationNamingContext
Connecting to "adam-poc"
Logging in as current user using SSPI
Importing directory from file "JeffsUsersClassOnly.LDF"
Loading entries................................................................
239 entries modified successfully.
The command has completed successfully

Now go to Step 5!

Option B (Import the AdamSchemaW2K3.LDF) <easiest option!>

This option brings over everything from AD to your ADAM instance, so it may be overkill, but at least you don't have to figure out which Object and Attribute dependencies are required to meet your specific needs. This is good for testing purposes; later, prior to going into production, you may want to consider synchronizing only a subset of these Objects and Attributes. NOTE: You may need to use the -t parameter to specify the port # for your ADAM Instance if it is anything other than 389; otherwise it will simply default to 389. I specified it below only as a best practice.

C:\WINDOWS\ADAM>ldifde -i -j c:\windows\adam\logs -f MS-AdamSchemaW2K3.LDF -s adam-poc -t 389 -c "cn=configuration,dc=x" #configurationNamingContext
Connecting to "adam-poc"
Logging in as current user using SSPI
Importing directory from file "MS-AdamSchemaW2K3.LDF"
Loading entries................................................................
1009 entries modified successfully.
The command has completed successfully

Now go to Step 5!

Step 5 (Import Metadata & Install Configuration File for ADAMSync)


1. Import the AdamSyncMetadata.LDF file to extend the ADAM configuration schema to support AD-specific objects and attributes.

C:\WINDOWS\ADAM>ldifde -i -j c:\windows\adam\logs -s adam-poc -t 389 -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-AdamSyncMetadata.LDF
Connecting to "adam-poc"
Logging in as current user using SSPI
Importing directory from file "MS-AdamSyncMetadata.LDF"
Loading entries..........
9 entries modified successfully.
The command has completed successfully

2. Copy the existing default configuration file for ADAMSync, MS-AdamSyncConf.XML:

C:\WINDOWS\ADAM>copy MS-AdamSyncConf.XML ADAMSyncDemo.XML
        1 file(s) copied.

3. Modify the XML file used as the config point for ADAMSync. You can use Notepad.exe to make modifications by running the following command; Notepad should load the XML file appropriately.

C:\WINDOWS\ADAM>notepad.exe adamsyncdemo.xml

4. For this example we will make minimal changes to the XML file as follows and then Save it:

<?xml version="1.0"?>
<doc>
  <configuration>
    <description>Sample Adamsync configuration file</description>
    <security-mode>object</security-mode>
    <source-ad-name>DC-POC</source-ad-name>
    <source-ad-partition>dc=POC,dc=edu</source-ad-partition>
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <target-dn>dc=MySchool,dc=edu</target-dn>
    <query>
      <base-dn>dc=POC,dc=edu</base-dn>
      etc....

NOTE:

<description> = This may contain ADAM Instance and Application specific information that describes what this configuration file is used for.

<source-ad-name> = This is the computer name of the Domain Controller server you are synchronizing from; in my case my domain controller server name is DC-POC.

<source-ad-partition> = This allows you to specify which partition of the Active Directory you are synchronizing from. (For example: dc=BusinessSchool,dc=MyUniversity,dc=edu)

<target-dn> = This is the root ADAM directory partition you are synchronizing to.

<base-dn> = This is the root Active Directory domain partition you are synchronizing from.
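A mis-edited configuration file is only discovered when adamsync /install or /sync fails, so here is an added Python check that is not part of Jeff's post or of the ADAM tools. It covers the editing rules given in both the short set of steps (step 4 there) and this step: every element the post shows must still be present (the "do not delete any unused fields" rule), the elements the sync cannot run without must be filled in, and the partition values must look like distinguished names. The element list and the two sample files are constructed from the excerpt above; the real MS-AdamSyncConf.xml contains more elements, so extend REQUIRED_ELEMENTS from your own copy. Treating a half-filled source-ad-account / account-domain pair as an error is this check's own assumption, based on the post filling in both or neither.

```python
import re
import xml.etree.ElementTree as ET

# Elements shown in the post's excerpt of MS-AdamSyncConf.xml. Assumption: the
# shipped file has more; add them here from your own copy, because the rule is
# that none of them may be deleted, only left empty.
REQUIRED_ELEMENTS = (
    "description",
    "security-mode",
    "source-ad-name",
    "source-ad-partition",
    "source-ad-account",
    "account-domain",
    "target-dn",
    "query/base-dn",
)

# Without these the sync has no source DC, no source partition or no target.
MUST_BE_SET = ("source-ad-name", "source-ad-partition", "target-dn", "query/base-dn")

# Loose distinguished-name shape: attr=value RDNs separated by commas.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(,\s*[A-Za-z][\w-]*=[^,=]+)*$")


def validate_adamsync_config(xml_text):
    """Return a list of problems; an empty list means the file passed every check."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    config = root.find("configuration")
    if config is None:
        return ["missing <configuration> element under the document root"]

    problems = []
    values = {}
    for path in REQUIRED_ELEMENTS:
        name = path.split("/")[-1]
        node = config.find(path)
        if node is None:
            problems.append("missing <%s>: unused fields must stay in the file, empty" % name)
        else:
            values[name] = (node.text or "").strip()

    for path in MUST_BE_SET:
        name = path.split("/")[-1]
        if name in values and not values[name]:
            problems.append("<%s> is empty" % name)

    for name in ("source-ad-partition", "target-dn", "base-dn"):
        if values.get(name) and not DN_RE.match(values[name]):
            problems.append("<%s> is not a distinguished name: %r" % (name, values[name]))

    # The post fills in source-ad-account and account-domain together (or leaves
    # both empty); a half-filled pair is flagged here (this check's assumption).
    if bool(values.get("source-ad-account")) != bool(values.get("account-domain")):
        problems.append("<source-ad-account> and <account-domain> should be set together or both left empty")
    return problems


# Constructed sample 1: the post's excerpt completed with closing tags.
GOOD_CONFIG = """<?xml version="1.0"?>
<doc>
  <configuration>
    <description>Sample Adamsync configuration file</description>
    <security-mode>object</security-mode>
    <source-ad-name>DC-POC</source-ad-name>
    <source-ad-partition>dc=POC,dc=edu</source-ad-partition>
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <target-dn>dc=MySchool,dc=edu</target-dn>
    <query>
      <base-dn>dc=POC,dc=edu</base-dn>
    </query>
  </configuration>
</doc>
"""

# Constructed sample 2: <target-dn> deleted, base-dn written as a DNS name, and
# an account named without its domain.
BAD_CONFIG = """<?xml version="1.0"?>
<doc>
  <configuration>
    <description>broken</description>
    <security-mode>object</security-mode>
    <source-ad-name>DC-POC</source-ad-name>
    <source-ad-partition>dc=POC,dc=edu</source-ad-partition>
    <source-ad-account>administrator</source-ad-account>
    <account-domain></account-domain>
    <query>
      <base-dn>POC.edu</base-dn>
    </query>
  </configuration>
</doc>
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_adamsync_config(text) or ["OK"])
```

Run it against your edited ADAMSyncDemo.XML by reading the file into validate_adamsync_config before step 5; anything it reports is cheaper to fix in Notepad than to dig out of a sync log later.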

5. Install the XML file into ADAM by running the following command, modifying the <serverName>:<port#> as follows:

C:\WINDOWS\ADAM>adamsync /install adam-poc:389 ADAMSyncDemo.XML
Done.

Step 6 (Synchronize ADAM with AD using ADAMSync)


1. Run the adamsync tool, modifying the <serverName>:<port#> and naming context dc=xyz,dc=edu as follows:

C:\WINDOWS\ADAM>adamsync /sync adam-poc:389 dc=MySchool,dc=edu

That's It! If successful, you won't see anything printed on the screen; it will just return to a command prompt. Congratz!!! However, if you do get an error, you should have the results written to a log file by using the /log parameter as follows:

adamsync /sync adam-poc:389 dc=MySchool,dc=edu /log c:\windows\adam\logs\mysync.log

NOTE: If you are importing an entire AD that has several thousand objects/attributes into ADAM, this log file will grow huge, so be aware of this and don't run the logging in production sync scenarios for the sake of resource consumption.

You may confirm that the synchronization was successful by running the ADAM ADSI Edit tool.

Important Note: If your adamsync fails and you run it with the /log switch as described above and find the following error message:

Processing Entry: Page 3, Frame 1, Entry 22, Count 1, USN 0
Processing source entry <guid=d2db15678418e546bd1c58a98e0e6c60>
Processing in-scope entry d2db15678418e546bd1c58a98e0e6c60.
Adding target object CN=NuckollsJeff,OU=Admin,OU=Schools,OU=CentralIT Users,OU=CentralIT,dc=MySchool,dc=edu.
Adding attributes: sourceobjectguid, objectClass, sn, title, description, physicalDeliveryOfficeName, givenName, initials, instanceType, info, company, sAMAccountName, mail, lastagedchange,
Ldap error occured. ldap_add_sW: Object Class Violation. Extended Info: 0000207D: UpdErr: DSID-0315119D, problem 6002 (OBJ_CLASS_VIOLATION), data -1777014404 .
Ldap error occured. ldap_add_sW: Object Class Violation. Extended Info: 0000207D: UpdErr: DSID-0315119D, problem 6002 (OBJ_CLASS_VIOLATION), data -1777014404 .
Saving Configuration File on DC=MySchool,DC=edu
Saved configuration file.

Then you will want to review the Objects/Attributes that are causing the error; in this case it's listed in the above error (sn, title, description, physicalDeliveryOfficeName, givenName, initials, instanceType, info, company, sAMAccountName, mail, lastagedchange).
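In a full sync the offending attribute list is buried between thousands of bookkeeping lines, so here is an added Python parser (not part of Jeff's post or of the ADAM tools) that walks an adamsync /log file, remembers the last "Adding target object" and "Adding attributes:" lines, and reports them whenever an OBJ_CLASS_VIOLATION follows. The sample log is the excerpt quoted above, re-broken into one message per line (an assumption about how adamsync writes the file). The post's own list of offending attributes starts at sn, so sourceobjectguid and objectClass are dropped from the result, and the duplicated error line is reported once per object.

```python
import re

# Constructed sample: the excerpt quoted in the post, one log message per line.
SAMPLE_LOG = """\
Processing Entry: Page 3, Frame 1, Entry 22, Count 1, USN 0
Processing source entry <guid=d2db15678418e546bd1c58a98e0e6c60>
Processing in-scope entry d2db15678418e546bd1c58a98e0e6c60.
Adding target object CN=NuckollsJeff,OU=Admin,OU=Schools,OU=CentralIT Users,OU=CentralIT,dc=MySchool,dc=edu.
Adding attributes: sourceobjectguid, objectClass, sn, title, description, physicalDeliveryOfficeName, givenName, initials, instanceType, info, company, sAMAccountName, mail, lastagedchange,
Ldap error occured. ldap_add_sW: Object Class Violation. Extended Info: 0000207D: UpdErr: DSID-0315119D, problem 6002 (OBJ_CLASS_VIOLATION), data -1777014404 .
Ldap error occured. ldap_add_sW: Object Class Violation. Extended Info: 0000207D: UpdErr: DSID-0315119D, problem 6002 (OBJ_CLASS_VIOLATION), data -1777014404 .
Saving Configuration File on DC=MySchool,DC=edu
Saved configuration file.
"""

# The target DN line ends with a "." that is not part of the DN.
TARGET_RE = re.compile(r"^Adding target object (?P<dn>.+?)\.?\s*$")
ATTRS_RE = re.compile(r"^Adding attributes:\s*(?P<attrs>.*)$")

# adamsync writes these for every object; the post's list of offending
# attributes starts at sn, so they are left out of the report.
ALWAYS_WRITTEN = {"sourceobjectguid", "objectclass"}


def find_class_violations(log_text):
    """Return one (target_dn, [attributes]) pair per object that hit an
    Object Class Violation, in the order they appear in the log."""
    violations = []
    current_dn = None
    current_attrs = []
    already_reported = False
    for line in log_text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            current_dn = m.group("dn")
            current_attrs = []
            already_reported = False
            continue
        m = ATTRS_RE.match(line)
        if m:
            current_attrs = [a.strip() for a in m.group("attrs").split(",")
                             if a.strip() and a.strip().lower() not in ALWAYS_WRITTEN]
            continue
        if "OBJ_CLASS_VIOLATION" in line and current_dn and not already_reported:
            # The excerpt shows the same error line twice for one object;
            # report each object only once.
            violations.append((current_dn, list(current_attrs)))
            already_reported = True
    return violations


def attributes_to_add(violations):
    """Union of the offending attributes across all failing objects: the list
    to add to the class in the ADAM Schema snap-in, sorted case-insensitively."""
    seen = {}
    for _dn, attrs in violations:
        for attr in attrs:
            seen.setdefault(attr.lower(), attr)
    return sorted(seen.values(), key=str.lower)


if __name__ == "__main__":
    found = find_class_violations(SAMPLE_LOG)
    for dn, attrs in found:
        print("Object Class Violation on %s" % dn)
        print("  attributes: %s" % ", ".join(attrs))
    print("Add to the class: %s" % ", ".join(attributes_to_add(found)))
```

Point find_class_violations at the contents of c:\windows\adam\logs\mysync.log and the second function gives you the combined list to add in the resolution steps that follow, across every object that failed rather than only the first one you notice.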

Resolution: To recover from this error do the following:

1. Click Start, click Run, and type "mmc /a".

2. When the mmc console opens, select File, Add/Remove Snap-in...

a. Select Add.

b. When the Add/Remove Snap-in window opens, select "ADAM Schema" from the list, then click Add.

c. Expand the Classes list, scroll down to the Person class.

d. Right-click, select Properties.

e. Click on the Attributes tab, then Add the following: sn, Title, Description, physicalDeliveryOfficeName, givenName, initials, instanceType, info, company, sAMAccountName, mail, lastagedchange, displayNamePrintable (even though this one didn't show up in our error message, you should add this one regardless).

Now try running AdamSync /sync again! Successfully this time!