Adding a Linux server to a Windows domain

I already described in an earlier post how I added a Linux server to a Windows domain. Recently I added a new server to my domain to replace my existing domain controller. As a consequence I had to update the krb5.conf file to point to the newly added server. Actually this hasn't been the first change of domain controllers, and usually users point out that they cannot authenticate to Subversion or Apache based applications (which use Kerberos authentication as well). OK, so I forgot to update krb5.conf again.

So there must be a more convenient way to configure Kerberos. If only I had some way to pull the information about the current KDC from the domain data. But wait – there is DNS. There are a couple of service entries (SRV records) in DNS that point to all available Kerberos servers in the domain! That sounds promising.

So I changed my krb5.conf file and added

dns_lookup_realm = yes
dns_lookup_kdc = yes

to the [libdefaults] section. Then I removed the [realms] and [domain_realm] sections. Now all information about available KDC servers is pulled directly from DNS – sweet.
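A small added example (my own code, not from the original post) that parses a krb5.conf, including the braced realm blocks, and reports where a client would get its KDC list from for a given realm: the static kdc entries under [realms], or the SRV names that dns_lookup_kdc makes it query. The two configurations embedded in the block are constructed to mirror the before/after of this post, and the hostnames in them are made up. It also shows the caveat that motivates deleting the [realms] section rather than just adding the two dns_lookup lines: a realm with static kdc entries takes precedence over DNS, so leaving the old entries in place keeps pointing clients at the old controller.

```python
"""Where will this krb5.conf send Kerberos clients looking for a KDC?

Added example: a minimal parser for the krb5.conf format (sections, key = value,
and the braced sub-blocks used under [realms]) plus a helper that reports the
KDC discovery sources for a realm. Configurations below are constructed to
mirror the post; hostnames are made up.
"""

# SRV record names MIT Kerberos queries when dns_lookup_kdc is enabled.
SRV_TEMPLATES = (
    "_kerberos._udp.{realm}",         # KDC, UDP
    "_kerberos._tcp.{realm}",         # KDC, TCP
    "_kerberos-master._udp.{realm}",  # primary KDC, retried after a password failure
    "_kpasswd._udp.{realm}",          # password-change service
    "_kpasswd._tcp.{realm}",
)


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value | [values] | {nested}}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError("directive outside any section: %r" % raw)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' near %r" % raw)
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected 'key = value': %r" % raw)
        key, value = key.strip(), value.strip()
        current = stack[-1]
        if value == "{":                       # e.g. "EXAMPLE.COM = {"
            current[key] = {}
            stack.append(current[key])
        elif key in current:                   # repeated keys (several kdc lines) become a list
            if not isinstance(current[key], list):
                current[key] = [current[key]]
            current[key].append(value)
        else:
            current[key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return conf


def _truthy(value):
    return str(value).strip().lower() in ("y", "yes", "true", "t", "1", "on")


def kdc_sources(conf, realm):
    """Static kdc entries win; DNS SRV names are used only when no static kdc is set."""
    static = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if isinstance(static, str):
        static = [static]
    # MIT krb5 defaults dns_lookup_kdc to true; the post sets it explicitly anyway.
    dns_enabled = _truthy(conf.get("libdefaults", {}).get("dns_lookup_kdc", "true"))
    srv = [t.format(realm=realm) for t in SRV_TEMPLATES] if dns_enabled and not static else []
    return {"static_kdcs": list(static), "dns_srv": srv}


# Constructed configurations: the static setup that broke after the DC swap ...
BEFORE = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = olddc.example.com
        admin_server = olddc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

# ... and the DNS-driven setup the post ends up with.
AFTER = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = yes
    dns_lookup_kdc = yes
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, kdc_sources(parse_krb5_conf(text), "EXAMPLE.COM"))
```

Running the block prints the old controller for the "before" configuration and the five SRV names for the "after" one. The SRV names are also what to check with a plain DNS lookup when a user reports that Subversion or Apache authentication stopped working: if the records still name a decommissioned controller, the krb5.conf change alone will not help.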

Scripting the Active Directory

Background

Well, sometimes the built-in MMC snap-in doesn't do it all, and you need to do more than just add another user. Of course there are a bunch of different ways to access your Active Directory. You most certainly can write a nifty C# program that does all kinds of operations. But a lot of times you will end up writing some little VBScript, just because it's so darn simple.

The Story

For the purpose of illustrating the usage of Active Directory scripting I have a little sample setup. Assume you have a database containing employee data and you want to sync this data with your Active Directory instance. You could further use this data in Active Directory to enable Active Directory aware programs (like SharePoint 🙂 ) to access this data.

The Basics

OK, to get started I will show a little script which accesses the Active Directory and does some mass updating of user accounts. For example, say you want to add employee numbers to the user accounts.

First of all, you need to connect to the directory. For this you need to know the root path of your Active Directory, or as a convenience you might as well use LDAP://RootDSE instead. OK, let's get connected to our Active Directory; the code below assumes you have a recordset called rstEmployees which holds our employee data. So we iterate over the recordset:

Sub UpdateActiveDirectoryEntries
    ' Assumes the caller defines strRootADPath, strAllEmployeeADPath (the container holding
    ' the user accounts), the ADO recordset rstEmployees and the helper ShowUser.
    On Error Resume Next
    Dim objRoot, objUser
    Set objRoot = GetObject(strRootADPath)
    WScript.Echo "Processing records ..."
    rstEmployees.MoveFirst
    While Not rstEmployees.EOF
        WScript.Echo "processing:" & rstEmployees.Fields("EmployeeName") & " (" & rstEmployees.Fields("EmployeeNumber") & ")"
        ' GetObject raises an error (swallowed by On Error Resume Next) when the user does not
        ' exist, and a failed Set leaves the previous value in objUser. Reset it and check Err.
        Set objUser = Nothing
        Err.Clear
        Set objUser = GetObject("LDAP://CN=" & rstEmployees.Fields("EmployeeName") & "," & strAllEmployeeADPath)
        If Err.Number <> 0 Or objUser Is Nothing Then
            WScript.Echo "User '" & rstEmployees.Fields("EmployeeName") & "' could not be found! (" & Err.Description & ")"
            Err.Clear
        Else
            ShowUser objUser
            WScript.Echo "Writing ..."
            objUser.Put "EmployeeID", rstEmployees.Fields("EmployeeNumber").Value
            objUser.Put "EmployeeNumber", rstEmployees.Fields("EmployeeNumber").Value
            ' objUser.PutEx ADS_PROPERTY_CLEAR, "EmployeeNumber", vbNullString   ' clears the attribute instead
            objUser.SetInfo   ' nothing reaches the directory until SetInfo is called
            If Err.Number <> 0 Then
                WScript.Echo "Write failed: " & Err.Description
                Err.Clear
            End If
            ShowUser objUser
        End If
        Set objUser = Nothing
        rstEmployees.MoveNext
    Wend
End Sub
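An added example of my own (not the post's script) covering the one piece of the VBScript that is easy to get wrong: the LDAP path is built by concatenating the employee name into "LDAP://CN=...", so a name containing a comma, a plus sign or a leading '#' yields a different DN, or an invalid one, unless the value is escaped according to RFC 4514 (ADSI additionally needs '/' escaped, because it separates the server from the DN in an ADsPath). The block also plans the same EmployeeID/EmployeeNumber writes as the script, but only for accounts whose stored values differ, so a re-run changes nothing that is already in sync. The employee records and the in-memory "directory" dict standing in for GetObject are constructed sample data; the container DN is an assumption.

```python
"""Building ADSI LDAP paths safely and planning idempotent attribute writes.

Added example, not the post's script. The employee records and the in-memory
directory standing in for GetObject are constructed sample data.
"""

# Characters RFC 4514 requires escaping anywhere in a DN attribute value, plus "/":
# in an ADsPath ("LDAP://server/DN") the slash separates server from DN, so ADSI
# needs it escaped as well.
_DN_SPECIALS = '"+,;<>\\/'

CONTAINER_DN = "OU=Employees,DC=example,DC=com"   # assumed container of all user accounts


def escape_rdn_value(value):
    """Escape one attribute value for use in a DN / ADsPath (RFC 4514 rules)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:                 # leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):         # leading/trailing spaces are otherwise dropped
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_user_path(employee_name, container_dn=CONTAINER_DN):
    """Same path the script builds with string concatenation, but with the CN escaped."""
    return "LDAP://CN=%s,%s" % (escape_rdn_value(employee_name), container_dn)


SYNCED_ATTRIBUTES = ("EmployeeID", "EmployeeNumber")   # both written from EmployeeNumber, as in the script


def plan_employee_updates(records, directory):
    """Return (updates, missing): updates are (path, {attr: value}) pairs that actually change
    something; missing lists employee names with no account under the container."""
    updates, missing = [], []
    for rec in records:
        path = build_user_path(rec["EmployeeName"])
        account = directory.get(path)            # stands in for GetObject(path)
        if account is None:
            missing.append(rec["EmployeeName"])
            continue
        wanted = str(rec["EmployeeNumber"])
        changes = {a: wanted for a in SYNCED_ATTRIBUTES if account.get(a) != wanted}
        if changes:
            updates.append((path, changes))
    return updates, missing


# Constructed sample data: three employee records and two existing accounts.
SAMPLE_EMPLOYEES = [
    {"EmployeeName": "Smith, John", "EmployeeNumber": 1001},   # comma in the CN
    {"EmployeeName": "Jane Doe", "EmployeeNumber": 1002},
    {"EmployeeName": "Ghost User", "EmployeeNumber": 1003},    # no account exists
]
SAMPLE_DIRECTORY = {
    build_user_path("Smith, John"): {"EmployeeID": "1001", "EmployeeNumber": "1001"},  # already in sync
    build_user_path("Jane Doe"): {},                                                   # attributes unset
}

if __name__ == "__main__":
    updates, missing = plan_employee_updates(SAMPLE_EMPLOYEES, SAMPLE_DIRECTORY)
    for path, changes in updates:
        print("would write", changes, "to", path)
    print("not found:", missing)
```

In the script, the escaping would go around the rstEmployees.Fields("EmployeeName") value before it is concatenated into the LDAP path; the change-planning step corresponds to comparing objUser.Get against the recordset value before calling Put and SetInfo, which also keeps the directory's modification timestamps meaningful.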