Prerequisites

Software

To perform the procedures in this section, you will need the following software:

  • ldifde.exe, the Microsoft LDIF import/export utility, which is installed with the AD DS and AD LDS server roles.
  • Enterprise Server MFDS and the cas-to-ad utility, which are supplied with the product install.
  • The following LDIF (LDAP Data Interchange Format) files, which are installed in the %ProgramFiles(x86)%\Micro Focus\Enterprise Developer\bin directory:
    • mf-partition.ldf
    • mf-ad-containers.ldf
    • ms-user-plus-mto.ldf
    • es_default_ldap.ldf or es_default_ldap_msuser.ldf (only one of these is used)

Information

You will need the following:

  • A user account authorized to make AD schema changes (shown as username and password below).
  • The location of the AD server (shown as servername below).
  • The user class you will use.

    This is either microfocus-MFDS-User (supplied by Micro Focus), if ES users are to be kept separate from Windows users, or user (the standard class supplied by Microsoft and modified by Micro Focus), if your existing Windows user accounts are to be used for ES. (Shown as userclass below.)

  • The DN of the AD domain (shown as domain-DN below).

    Normally this is the DNS name of the AD domain, that is, the fully-qualified name of the AD host minus the host label, with each remaining label written as a separate DC= element; for example, server.dept.mydom.com gives DC=dept,DC=mydom,DC=com. If you are using AD LDS, you may want to use the default domain DN for ES LDAP data, which is "CN=Micro Focus,CN=Program Data,DC=local".

  • The DNs of the containers for users, ES user groups, and ES resources, if you are going to use something other than the default values.

    ES groups and resources are used only by ES, so we recommend you use the defaults (located in CN=Micro Focus,CN=Program Data) for their containers.

    If you are using the Micro Focus user class (microfocus-MFDS-User), you can use the default ES user container (CN=Enterprise Server Users,CN=Micro Focus,CN=Program Data, below the domain-DN) as well.

    If, on the other hand, you want existing Windows users to sign on to ES without creating separate ES user accounts for them, configure ES to use your existing user container in AD (usually CN=Users, directly below the domain-DN), and use that DN for the user container (shown as user-container below) in the following commands as well.
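As an added example (not code from the Micro Focus documentation), the following PowerShell script derives domain-DN from the host name in the way described above, composes user-container for either user class, and probes each DN read-only with ldifde.exe before anything is imported. It assumes ldifde.exe is on the PATH, that the current logon can read the directory, and that the host name and port shown are placeholders; the -t port is only needed for an AD LDS instance on a non-default port.

```powershell
# Added example, not from the Micro Focus documentation. Derives the placeholder
# values used in this section and checks, read-only, that the DNs exist before
# anything is imported. Assumed: ldifde.exe is on PATH, the current logon can read
# the directory, and the host name / port below are placeholders to replace.

# server.dept.mydom.com -> DC=dept,DC=mydom,DC=com : drop the host label, one DC= per remaining label
function ConvertTo-DomainDN {
    param([Parameter(Mandatory=$true)][string]$HostFqdn)
    $labels = $HostFqdn.Trim('.').Split('.')
    if ($labels.Count -lt 2) { throw "'$HostFqdn' is not a fully-qualified host name" }
    ($labels[1..($labels.Count - 1)] | ForEach-Object { "DC=$_" }) -join ','
}

# Compose the container DNs described above for the chosen user class
function Get-EsDirectoryPlan {
    param(
        [Parameter(Mandatory=$true)][string]$DomainDN,
        [ValidateSet('microfocus-MFDS-User', 'user')][string]$UserClass = 'microfocus-MFDS-User'
    )
    # On AD LDS the ES default "CN=Micro Focus,CN=Program Data,DC=local" may itself be the domain-DN
    $mfBase = "CN=Micro Focus,CN=Program Data,$DomainDN"
    if ($DomainDN -like 'CN=Micro Focus,CN=Program Data,*') { $mfBase = $DomainDN }
    # microfocus-MFDS-User: the ES default container; Windows 'user' class: reuse the existing CN=Users
    $userContainer = "CN=Enterprise Server Users,$mfBase"
    if ($UserClass -eq 'user') { $userContainer = "CN=Users,$DomainDN" }
    [pscustomobject]@{
        DomainDN       = $DomainDN
        UserClass      = $UserClass
        MicroFocusBase = $mfBase          # default parent of the ES group and resource containers
        UserContainer  = $userContainer
    }
}

# Read-only existence check: fetch only the base object and look for a "dn:" line in the output
function Test-DirectoryObject {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][string]$DN,
        [int]$Port = 389                  # AD LDS instances commonly listen on another port
    )
    $probe = Join-Path $env:TEMP ('ldifde-probe-{0}.ldf' -f [guid]::NewGuid())
    try {
        & ldifde.exe -f $probe -s $Server -t $Port -d $DN -p base -r "(objectclass=*)" -l objectClass | Out-Null
        # Inspect the export itself rather than relying on the exit code alone
        return ((Test-Path $probe) -and [bool](Select-String -Path $probe -Pattern '^dn:' -Quiet))
    } finally {
        Remove-Item $probe -ErrorAction SilentlyContinue
    }
}

# --- placeholders: replace with your own values ---
$servername = 'server.dept.mydom.com'
$plan = Get-EsDirectoryPlan -DomainDN (ConvertTo-DomainDN $servername) -UserClass 'user'

foreach ($dn in @($plan.DomainDN, $plan.UserContainer, $plan.MicroFocusBase)) {
    $state = 'MISSING'
    if (Test-DirectoryObject -Server $servername -DN $dn) { $state = 'present' }
    '{0,-8} {1}' -f $state, $dn
}
# domain-DN and, for the Windows user class, CN=Users must already be present. The
# Micro Focus containers will show MISSING on a directory not yet prepared for ES.
```

Run it as the account you intend to use for the schema changes: a read failure against CN=Users or the domain-DN at this stage usually means a wrong server, port or DN rather than a permissions problem, and is far cheaper to find before the LDIF imports than after.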

Backups

Before you make any AD modifications we recommend you back up your AD schema and Directory Information Tree (DIT). You may already have standard procedures for this. If not, take a system state backup of the domain controller or, at minimum, copy the contents of the %WINDIR%\ntds directory to another location. You can then boot the domain controller (Windows Server 2003 and later) into Directory Services Restore Mode (DSRM) and restore your previous AD data if you ever have to. An AD LDS instance has no DSRM; stop the instance service and copy its data directory instead (by default under %ProgramFiles%\Microsoft ADAM\instance-name\data).

Note that the files in that directory are open for as long as the directory service is running, so an ordinary copy will fail. Some ways to obtain a consistent copy of your AD data:

  • Boot the domain controller into Directory Services Restore Mode (press F8 during startup and select it from the advanced boot options) and copy the files from there
  • Take a system state backup, which does not require a reboot: on Windows Server 2003 use the Backup applet or its ntbackup command-line equivalent; on Windows Server 2008 and later use Windows Server Backup or wbadmin
  • Schedule the copy for the next reboot with a utility such as Sysinternals MoveFile, then reboot to perform it (MoveFile schedules a move rather than a copy, so on a domain controller prefer one of the options above)

Consult your Windows documentation for more information.

You may also want to export the current directory contents to LDIF files for later comparison. The following command exports the schema partition of an AD DS domain controller, which is the partition the Micro Focus LDIF files extend:

ldifde -f export-file -s servername -r "(objectclass=*)" -d "CN=Schema,CN=Configuration,domain-DN"

Repeat the command with -d "domain-DN" to capture the domain data (users, groups and containers) as well. Note that the configuration and schema partitions hang off the forest root domain's DN, so on a domain controller for a child domain use the forest root DN in place of domain-DN here. On AD LDS the schema partition is CN=Schema,CN=Configuration,CN={instance GUID} rather than a child of domain-DN, and you must add -t port if the instance does not listen on 389; the schemaNamingContext attribute of the RootDSE gives the exact DN.
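As an added example (not from the Micro Focus documentation), this PowerShell script generalizes the command above: it reads the partition DNs from the server's RootDSE, so the same script works for an AD DS domain controller or an AD LDS instance, exports each partition to a timestamped LDIF file with ldifde.exe, and diffs the DNs of two such exports to show what an import added or removed. ldifde.exe on the PATH, a logon that can read the directory, and the server name and port are assumptions.

```powershell
# Added example, not from the Micro Focus documentation. Exports every naming
# context the server advertises in RootDSE (schema, configuration and domain or
# application partitions) to timestamped LDIF files with ldifde.exe, and lists
# the DNs that appear or disappear between two snapshots. Assumed: ldifde.exe is
# on PATH, the logon can read the directory, server name and port are placeholders.

function Export-DirectorySnapshot {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [int]$Port = 389,                            # AD LDS instances often use another port
        [string]$OutDir = (Join-Path $env:USERPROFILE 'ad-snapshots')
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    # Ask the server for its partition DNs instead of composing them by hand: on AD LDS
    # the schema sits under CN=Configuration,CN={instance GUID}, not under domain-DN.
    $rootDse = [ADSI]('LDAP://{0}:{1}/RootDSE' -f $Server, $Port)
    foreach ($dn in @($rootDse.namingContexts)) {
        $safe = ("$dn" -replace '[^A-Za-z0-9]+', '_').Trim('_')
        $file = Join-Path $OutDir ('{0}-{1}.ldf' -f $stamp, $safe)
        # A full domain partition can be large; add -l or -o to trim attributes if needed
        & ldifde.exe -f $file -s $Server -t $Port -d "$dn" -p subtree -r "(objectclass=*)" | Out-Null
        [pscustomobject]@{ Partition = "$dn"; File = $file; ExitCode = $LASTEXITCODE }
    }
}

# Collect the DNs in an LDIF file, undoing ldifde's line folding and base64 "dn::" encoding
function Get-LdifDN {
    param([Parameter(Mandatory=$true)][string]$Path)
    $lines = New-Object System.Collections.Generic.List[string]
    foreach ($line in @(Get-Content -Path $Path)) {
        if ($line.StartsWith(' ') -and $lines.Count -gt 0) {
            # LDIF continuation lines start with one space and belong to the previous line
            $lines[$lines.Count - 1] += $line.Substring(1)
        } else {
            $lines.Add($line)
        }
    }
    foreach ($l in $lines) {
        if ($l -match '^dn:: (.+)$') {
            # Non-ASCII DNs are written base64-encoded
            [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Matches[1]))
        } elseif ($l -match '^dn: (.+)$') {
            $Matches[1]
        }
    }
}

# Compare two exports of the same partition, e.g. before and after importing the ES LDIF files
function Compare-LdifDN {
    param([Parameter(Mandatory=$true)][string]$Before, [Parameter(Mandatory=$true)][string]$After)
    Compare-Object -ReferenceObject @(Get-LdifDN $Before) -DifferenceObject @(Get-LdifDN $After) |
        ForEach-Object {
            $change = 'removed'
            if ($_.SideIndicator -eq '=>') { $change = 'added' }
            [pscustomobject]@{ Change = $change; DN = $_.InputObject }
        }
}

# --- placeholders: replace with your own values ---
$before = Export-DirectorySnapshot -Server 'server.dept.mydom.com'
$before | Format-Table Partition, ExitCode, File -AutoSize
# After the imports, snapshot again and diff the schema partition:
#   $after = Export-DirectorySnapshot -Server 'server.dept.mydom.com'
#   Compare-LdifDN -Before ($before | Where-Object Partition -like 'CN=Schema,*').File `
#                  -After  ($after  | Where-Object Partition -like 'CN=Schema,*').File
```

The DN-level diff is deliberately coarse: it tells you which schema objects and containers an import created, which is the question you most want answered when deciding whether a partial import needs to be rolled back, without drowning the result in replication metadata that changes on every export.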