Tuesday, April 23, 2013

Remove Missing Dependencies for SCVMM 2012 RC VHDs

 

Ran into this issue with SCVMM 2012 and I could not delete a VHD from my library as I had a series of items that were dependent on the VHD. I resolved the template issue by entering the following command from PowerShell on the SCVMM server:

Get-SCVMTemplate | where {$_.Name -like "Temporary*"} | Remove-SCVMTemplate

The second issue will be identified by the following error when you attempt to delete the VHD:

The library object (VHDNAME) cannot be removed because following objects are dependent on it:

Virtual Hard Disk deployment configuration

Thanks to Ryan Holt for this (http://www.ryanholt.net/2012/02/07/quick-tip-remove-missing-dependencies-for-scvmm-2012-rc-vhds/) and @TheChadVent for the tip.

Thursday, April 18, 2013

ABC Video of Cocky

 

This is funny…. www.abc.net.au/abc3/microsites/petsuperstars/petsuperstars.htm

Watch it NOW !

SCVMM 2012 SP1 and Linux

 

To automatically configure the Linux OS after SCVMM creates the OS, extra tools are needed. On the VMM management server, open an administrative command prompt.

The programs are found in the c:\Program Files\Microsoft System Center 2012\Virtual Machine Manager\agents\Linux folder.

Copy all the agent installation files from that folder to a new folder on the virtual machine, and then, on the virtual machine on which Linux is running as a guest operating system, open the new folder.

Make the installer executable

chmod +x install

Run either the x86 or x64 installer:

./install scvmmguestagent.1.0.0.544.x64.tar

or

./install scvmmguestagent.1.0.0.544.x86.tar

 


The official Microsoft link is: http://technet.microsoft.com/en-us/library/jj860429.aspx

Monday, April 15, 2013

Linux, on Hyper-V Server 2012

 

Supported Linux on Hyper-V 2012,  ALL Are 64 BIT ! (http://technet.microsoft.com/en-us/library/hh831531.aspx)

CentOS 5.7 and 5.8, CentOS 6.0 – 6.3 (Download and install Linux Integration Services Version 3.4 for Hyper-V.)

Red Hat Enterprise Linux 5.7 and 5.8, Red Hat Enterprise Linux 6.0 – 6.3 (Download and install Linux Integration Services Version 3.4 for Hyper-V.)

SUSE Linux Enterprise Server 11 SP2 (Integration services do not require a separate installation because they are built-in.)

Open SUSE 12.1 (Integration services are built-in.)

Ubuntu 12.04 (Integration services are built-in.)

 

Don't forget there are Integration Services AND an SCVMM Agent

(http://windowsitpro.com/virtual-machine-manager/deploy-linux-scvmm )

Checking the OS (Red Hat)

Checking Redhat version installed

$ uname -a

Linux server.domain.com 2.4.22-32.ELsmp #1 SMP Mon Apr 15 21:17:59 EDT 2005 i686 i686 i386 GNU/Linux

To get the version in simple terms, check  /etc/redhat-release instead.

$ cat /etc/redhat-release

Red Hat Enterprise Linux AS release 3 (Taroon Update 5)


To turn on DHCP for Red Hat

To configure a DHCP client manually, modify  the /etc/sysconfig/network file to enable networking and the configuration file for each network device in the /etc/sysconfig/network-scripts directory. In this directory, each device should have a configuration file named ifcfg-eth0, where eth0 is the network device name.

The /etc/sysconfig/network file should contain the following line:

NETWORKING=yes


The NETWORKING variable must be set to yes if you want networking to start at boot time.



The /etc/sysconfig/network-scripts/ifcfg-eth0 file should contain the following lines:



DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes


Other options for the network script include:

  • DHCP_HOSTNAME — Only use this option if the DHCP server requires the client to specify a hostname before receiving an IP address. (The DHCP server daemon in Red Hat Enterprise Linux does not support this feature.)
  • PEERDNS=<answer>, where <answer> is one of the following:
    • yes — Modify /etc/resolv.conf with information from the server. If using DHCP, then yes is the default.
    • no — Do not modify /etc/resolv.conf.
  • SRCADDR=<address>, where <address> is the specified source IP address for outgoing packets.
  • USERCTL=<answer>, where <answer> is one of the following:
    • yes — Non-root users are allowed to control this device.
    • no — Non-root users are not allowed to control this device.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/System_Administration_Guide/s1-dhcp-configuring-client.html

Set-ExecutionPolicy Unrestricted

 

(I use this all the time, so posted it for my convenience).

Using the Set-ExecutionPolicy Cmdlet

Changing the Windows PowerShell Script Execution Policy

The Set-ExecutionPolicy cmdlet enables you to determine which Windows PowerShell scripts (if any) will be allowed to run on your computer. Windows PowerShell has four different execution policies:

  • Restricted - No scripts can be run. Windows PowerShell can be used only in interactive mode.

  • AllSigned - Only scripts signed by a trusted publisher can be run.

  • RemoteSigned - Downloaded scripts must be signed by a trusted publisher before they can be run.

  • Unrestricted - No restrictions; all Windows PowerShell scripts can be run.

To assign a particular policy simply call Set-ExecutionPolicy followed by the appropriate policy name. For example, this command sets the execution policy to RemoteSigned:


http://technet.microsoft.com/en-us/library/ee176961.aspx
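
A scoped alternative to a machine-wide Unrestricted setting, as an added example that is not part of the original post or the TechNet article: it lists the policy at every scope, checks whether Group Policy already dictates the result, and otherwise sets RemoteSigned for the current session only.

```powershell
# Added example. Shows where the effective execution policy comes from and
# relaxes it only for the current PowerShell session.

# Scopes are listed in precedence order: MachinePolicy, UserPolicy, Process,
# CurrentUser, LocalMachine. The first one that is not Undefined wins.
$scopes = Get-ExecutionPolicy -List
$scopes | Format-Table -AutoSize
"Effective policy: $(Get-ExecutionPolicy)"

# MachinePolicy and UserPolicy are written by Group Policy and override
# anything Set-ExecutionPolicy stores in the other scopes.
$fromGpo = $scopes | Where-Object {
    ($_.Scope -eq 'MachinePolicy' -or $_.Scope -eq 'UserPolicy') -and
    $_.ExecutionPolicy -ne 'Undefined'
}

if ($fromGpo) {
    foreach ($entry in $fromGpo) {
        Write-Warning "Group Policy sets $($entry.Scope) = $($entry.ExecutionPolicy); a local change will not take effect."
    }
}
else {
    # Process scope lasts only until this session is closed and leaves the
    # machine-wide (LocalMachine) setting untouched.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
    "Policy for this session: $(Get-ExecutionPolicy)"
}
```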

Sunday, April 14, 2013

System Center [sic] App Controller Certificate Import Error

 

I get this error when using a W2K12 Cluster File Server for a Library Server in SCVMM 2012 SP1…

 

Export of the library server certificate from the VMM server has failed for library server %clustered library server%. In order to perform this operation, you must be an Administrator in both Virtual Machine Manager and App Controller, and also a local Administrator on the server. (StatusCode: Microsoft.SystemCenter.CloudManager.Providers.ProviderException)

and

An internal error has occurred trying to contact an agent on the NO_PARAM server: NO_PARAM: NO_PARAM.
Ensure the agent is installed and running. Ensure the WS-Management service is installed and running, then restart the agent. (StatusCode: Microsoft.VirtualManager.Utils.CarmineException)

Here are some steps you can use to manually import the missing certificates.

  1. Open MMC (Start -> Run -> MMC)
  2. Add the certificate snap-in and select Computer account and specify your VMM server
  3. Add the certificate snap-in and select Computer account and specify your App Controller server
  4. Expand the Trusted People\Certificates folder for the App Controller server
  5. Browse to the Trusted People\Certificates folder for the VMM server
  6. Make sure you're looking in the Friendly Name column for the certificates
  7. Find the certificates that start with SCVMM_CERTIFICATE_KEY_CONTAINER and then has the FQDN of the library cluster nodes
    You only need the certificates for the library server - you don't need any of the certificates for the Hyper-V hosts
  8. Copy the certificates to the Trusted People\Certificates folder on the App Controller server

If you previously had success importing certificates, you might find that some of the library certificates are already present. You do not need to recopy these certificates - just the missing certificates for the library servers.

On the VMM server you will see a certificate for each of your host computers - you do NOT need to copy these certificates.

http://social.technet.microsoft.com/Forums/en-US/appcontroller/thread/48b86539-5a8e-4909-87a2-4eb97564ffff 

 

<DaveColvin>

All I have to say is ‘cool story Bro, tell it again’. Yep this did not work for me and I ended up creating a new W2K12 Server and presenting the storage that way… But it looks good, heh?

</DaveColvin>

Monday, April 08, 2013

Server 2012 Phone Activation

Hi Server,

Let me choose somewhere other than Afghanistan… That’d be great.


BTW Phone Australia on 13 20 58 Option 3 then option 1…

Thursday, April 04, 2013

SCCM 2012 SP1, SQL 2012 on Server 2012

If like me you ‘skimmed’ the pre-reqs for SCCM 2012 SP1 and then can't install due to the database collation, here is how to fix it.

Open up command prompt, from the SQL setup folder where the setup.exe is located and execute the command:

Setup.exe /QUIET 
/ACTION=REBUILDDATABASE 
/SQLCOLLATION=SQL_Latin1_General_CP1_CI_AS
/INSTANCENAME=MSSQLSERVER
/SQLSYSADMINACCOUNTS=Domain\Administrator


(all above is one line)







Note your “INSTANCENAME=MSSQLSERVER” and/or “SQLSYSADMINACCOUNTS=Domain\Administrator” may be different…

Friday, March 22, 2013

Duplicate SIDs on multiple Cluster Nodes

 

I was working on a two node w2k8 R2 cluster running in VMware ESX 5.1, running SQL 2008 and a bunch of other services, the disks were local and also RDMs out to iSCSI NetApp disks. The system had been running for about three months, but started acting weird… yep just weird.

You could log on with a cached domain credential, but there was no ‘LogonServer’, and when you did you got a temporary profile.

Services that had a domain service account that needed a profile would fail.

A local logon with Administrator would fail with a ‘the Group Policy service failed the logon. Access is denied’.

The issue turned out to be that the first server was cloned to the second server and both had the same SID. This caused account and domain connection issues and looked like file corruption or virus issues, and got progressively worse, to the point you could not add/remove programs due to ‘appdata’ issues, and finally the two servers were cut loose and rebuilt.

I have also been told that SQL Server and FIM Portal 2010 have problems with this, so maybe a worthwhile check from time to time across environments… A quick PowerShell would be handy.

 

Article on fixing Windows profiles.
http://www.sysprobs.com/fix-temporary-profile-windows-7

Why SIDs should matter. http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx
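
A check of the kind the post asks for, as an added example that is not part of the original post: it derives each server's machine SID from the local built-in Administrator account (RID 500) and reports any SID shared by more than one server. The host names SQLNODE1 and SQLNODE2 and both function names are hypothetical; it assumes WMI access to member servers (domain controllers have no local accounts and are out of scope).

```powershell
# Added example. Compatible with PowerShell 2.0 (Windows Server 2008 R2).

function Get-MachineSid {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # The built-in local Administrator always has RID 500, so its SID is
    # "<machine SID>-500". Stripping the RID leaves the machine SID.
    $admin = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount=True AND SID LIKE 'S-1-5-21-%-500'" -ErrorAction Stop |
        Select-Object -First 1

    if (-not $admin) { throw "No local RID-500 account found on $ComputerName" }
    $admin.SID -replace '-500$', ''
}

function Find-DuplicateMachineSid {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)

    # Query every server; keep failures so an unreachable node is reported
    # instead of being silently skipped.
    $results = foreach ($name in $ComputerName) {
        try {
            New-Object PSObject -Property @{
                ComputerName = $name
                MachineSid   = Get-MachineSid -ComputerName $name
                Error        = $null
            }
        }
        catch {
            New-Object PSObject -Property @{
                ComputerName = $name
                MachineSid   = $null
                Error        = $_.Exception.Message
            }
        }
    }

    $results | Where-Object { $_.Error } |
        ForEach-Object { Write-Warning "$($_.ComputerName): $($_.Error)" }

    # Any SID that appears on more than one server points at a clone that
    # was not sysprepped.
    $results | Where-Object { $_.MachineSid } |
        Group-Object -Property MachineSid |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                MachineSid = $_.Name
                Computers  = ($_.Group | ForEach-Object { $_.ComputerName }) -join ', '
            }
        }
}

# Constructed host names; replace with the cluster nodes to compare.
$duplicates = Find-DuplicateMachineSid -ComputerName 'SQLNODE1', 'SQLNODE2'
if ($duplicates) {
    $duplicates | Format-Table -Property MachineSid, Computers -AutoSize
}
else {
    'No duplicate machine SIDs found.'
}
```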

Thursday, March 14, 2013

Installing SQL Server 2012 on Server 2012 error

 

Error while enabling Windows feature NetFX3 Error Code -2146498298

Thanks to my mate Tony for how to install netfx3.

Mount the Windows 2012 ISO/DVD.

Open a command prompt and issue the command:

 

dism /online /enable-feature /featurename:netfx3 /all /source:d:\sources\sxs

And you are ready to try again.

 

Of course if you need a GUI here is how (hat tip to Scott):

kickthatcomputer.wordpress.com/2013/03/02/installing-dotnet-3-5-on-windows-8-and-server-2012/

Monday, March 11, 2013

Windows Phone 8 (Nokia Lumia 820)

 

Having been an Apple iPhone user for the 3g/3gs/4/4s I was recently given a Nokia Lumia 820 running Windows Phone 8. I wanted to give it a fair review and commit to keeping it or putting it in the cupboard with the Motorola Q phone (Windows Mobile 6.5, I am waiting to kill a burglar with that). So I have had the phone for two weeks and here is a blow by blow of the good and bad.

Let's start with the good:

  1. The screen size, colour, brightness, touch are all fantastic
  2. The ability to have live tiles, configure the interface, move things around as you please, information on the home screen are all fantastic
  3. The new twitter app is very good, the old one (last week) was so bad I was going to give it up for that
  4. The pictures, people hubs are an interesting concept and take some time, but they are getting better – I understand more
  5. The OS and phone look and feel, sliding around, moving is very snappy and very cool
  6. The ability to pin just about anything to the home screen and lock screen is great
  7. The Nokia apps are good and cost effective (free)
  8. The dedicated button for the camera is great
  9. The overall concept of endless scroll up-down and left-right is very cool
  10. The web browser, flash support, generally web everything is really very good (tabs need a new way to access but otherwise great)

 

The Bad or confusing or what the f… moments

  1. The side power button is exactly under the finger used to pick it up, I mean really…
  2. The Windows phone software copied every podcast as it could not tell what was listened to, fair enough but a pain
  3. The lack of feedback is odd, for example, subscribe to a podcast, sit back, wait, try again, give up, try again, google some, give up, try again, plug the damn thing in and do it via Windows Phone software and itunes
  4. Want to subscribe to a podcast on the phone, good luck, I can't.
  5. The camera on this phone is poor indoors compared to the iPhone 4s !. It is not Windows it is the handset camera, natural light is however good.
  6. Wifi and network, not sure here, slow to find, slow to connect, but seems ok, there is an issue with work where the phone reboots on that wifi maybe 4-5 times a day?
  7. Reboots, yep for no reason maybe 1-2 a week? It does not have any real downside it is just odd
  8. Youtube, don't start me, it works, lets just leave it there, re-open a video, restart from the beginning, want to fast forward, haha you funny man
  9. The ‘Windows’ button could wake the phone (man I am ex iPhone and press it every time, every time)
  10. The buttons at the bottom are too sensitive, I bump them all the time, see above youtube
  11. The sound output to your ear is tiny, and at the lip of the top, could be down a bit and larger, but no big issue
  12. Battery is on par for the iPhone, but so slow to charge (I mean 6-7 hours plugged into the computer)

So the big question, keep it or blend it?

  1. Keep, yes it is new, fresh, different and has great potential
  2. I will give away the iPhone and look forward to new apps and new OS updates as it is 90-95% as good and just needs some minor updates

UPDATES week 3

  1. The reboots seem to have stopped now, just happens when I run out of juice.
  2. Charging genuinely seems to take 6 hours? WTF? Anyway I can live with this, but really? Maybe I don't have the right charger? Used both laptop and someone else's Micro USB charger, but not the Nokia one…
  3. Battery life, well.. let's just say; carry a charger, I am not close to my iPhone charge time with similar use. Hours less. But again can live with this, I have a charger in the car and office.

Wednesday, February 13, 2013

P2V–Poverty pack edition for Linux

 

If you are running a tight (nah free, nah hobo data centre) you may from time to time need to P2V your Linux server to run it under VirtualBox. Here are some ways how:

If you have a USB HDD

Boot a Linux live CD, mount your USB somewhere, let's say /media/bigusb, then simply run:

df -h (to find your {localdrivename})

dd if=/dev/{localdrivename} of=/media/bigusb/p2vdrive.raw

Unmount the bigusb and move it to your VirtualBox server, then run

VBoxManage convertdd p2vdrive.raw p2vdrive.vdi --format VDI

If you have a server

dd if=/dev/{localdrivename} | ssh logonname@ipAddress "dd of=/media/bigdisk/p2vdrive.raw"

VBoxManage convertdd p2vdrive.raw p2vdrive.vdi --format VDI

 

And away you go..

Wednesday, January 16, 2013

GPO Precedence and GPO testing

 

Group Policy processing and precedence

The Group Policy objects (GPOs) that apply to a user (or computer) do not all have the same precedence. Settings that are applied later can override settings that are applied earlier.

Order of processing settings

This section provides details about the order in which Group Policy settings for users and computers are processed. For information about where the processing of policy settings fits into the framework of computer startup and user logon, see steps 3 and 8 in Startup and logon, in this topic.

Group Policy settings are processed in the following order:

  1. Local Group Policy object—Each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.
  2. Site—Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
  3. Domain—Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
  4. Organizational units—GPOs that are linked to the organisational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organisational unit, and so on. Finally, the GPOs that are linked to the organisational unit that contains the user or computer are processed.
  5. At the level of each organisational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organisational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

 

Using Gpresult

Displays the Resultant Set of Policy (RSoP) information for a remote user and computer. For examples of how this command can be used, see Examples.

gpresult [/s <COMPUTER> [/u <USERNAME> [/p [<PASSWORD>]]]] [/user [<TARGETDOMAIN>\]<TARGETUSER>] [/scope {user | computer}] {/r | /v | /z | [/x | /h] <FILENAME> [/f] | /?}


Parameters

/s <COMPUTER> Specifies the name or IP address of a remote computer. Do not use backslashes. The default is the local computer.

/u <USERNAME> Uses the credentials of the specified user to run the command. The default user is the user who is logged on to the computer that issues the command.

/p [<PASSWORD>] Specifies the password of the user account that is provided in the /u parameter. If /p is omitted, gpresult prompts for the password. /p cannot be used with /x or /h.

/user [<TARGETDOMAIN>\]<TARGETUSER> Specifies the remote user whose RSoP data is to be displayed.

/scope {user | computer} Displays RSoP data for either the user or the computer. If /scope is omitted, gpresult displays RSoP data for both the user and the computer.

[/x | /h] <FILENAME> Saves the report in either XML (/x) or HTML (/h) format at the location and with the file name that is specified by the FILENAME parameter. Cannot be used with /u, /p, /r, /v, or /z.

/f Forces gpresult to overwrite the file name that is specified in the /x or /h option.

/r Displays RSoP summary data.

/v Displays verbose policy information. This includes detailed settings that were applied with a precedence of 1.

/z Displays all available information about Group Policy. This includes detailed settings that were applied with a precedence of 1 and higher.

/? Displays Help at the command prompt.



Examples



The following example displays RSoP data for the computer srvmain and the logged-on user. Data is included about both the user and the computer. The command is run with the credentials of the user maindom\hiropln, and p@ssW23 is entered as the password for that user.



gpresult /s servername /u domainname\username /p password /r



These two links come from http://microsoft.com

Sluggish mouse on w2k8r2 and w7

(Poor mouse performance on Windows 2008 R2 virtual machine or a Windows 7 virtual machine)

Cause

The virtual machine is using the SVGA video driver supplied by VMware Tools not the WDDM video driver.

Resolution

Update the driver for the video card to use the WDDM driver that is available after VMware Tools is installed. The virtual machine must be at hardware version 7 or 8 to use the WDDM driver. For additional information, see WDDM and XPDM graphics driver support with ESX 4.x,5.x, (1016770).

To update the driver for the video card to use the WDDM driver:

Right-click the desktop and click Screen resolution.
Click Advanced Settings.
Click Properties.
Click the Driver tab.
Click Update Driver.
Click Browse my computer for driver software.
Enter this location or click Browse and navigate to it:
C:\Program Files\Common Files\VMware\Drivers\wddm_video
Click Next. The driver is installed and you see a screen confirming that Windows has finished installing the driver for VMware SVGA 3D.
Reboot the virtual machine to enable the new video driver.

 

This is from http://VMware.com (sorry I don't have the exact link handy)

Monday, December 24, 2012

Windows password recovery USB

 

Most of these providers are going to paid offerings and the instructions are awful. Here is the best one I found and used the other day.

Full web site: http://pogostick.net/~pnh/ntpasswd/ 

Download files for USB install usb110511.zip (~3MB) (md5sum: 50ced8d2a5febe22199f99acec74e63b)

How to make a bootable USB drive

Get a soon to be blank USB

Copy the files from the above usb*.zip onto the USB drive root folder

Either as root or via sudo, use disk utility or df or any other utility to find the USB drive name (generally /dev/sdb1)

Unmount the drive if it mounted, then, either as root or via sudo, run:

syslinux.exe -ma /dev/sdb1

Boot and away you go..


Tuesday, December 11, 2012

AD:DS versus AD:LDS

 

You have a requirement to provide an LDAP directory service to applications. As part of this there has been a discussion comparing full Active Directory (AD:DS) versus Active Directory as an LDAP instance (AD:LDS).

The key differentiators between the two services are:

 

Active Directory Domain Services

Active Directory was designed and built in the late nineties for release with Windows Server 2000. The system was a direct replacement for Windows NT 4 Domains but is based on the X.500 standards. The solution was built as a replacement for file and print management but always contained methods to extend the schema and therefore extending functionality.

 

Active Directory Lightweight Directory Service

Designed and delivered as a direct competitor to traditional LDAP services such as iPlanet LDAP server, AD:LDS (released as ADAM in Windows Server 2003) uses the same code base as traditional Active Directory but decouples many of the file and print specific details such as Domain Controllers, Domains and Forests. With a traditional Active Directory there is a single instance of the directory per server, whereas AD:LDS can run many different ‘services’ on the same computer. AD:LDS comes without most schema objects to allow for custom schemas and is ideally suited to multi-million object directories in web-facing environments.

 

Comparing Services

The table below lists key features and shows whether each is supported on the two platforms.

Feature                                        AD:DS    AD:LDS
---------------------------------------------  -------  -------
Forest and Domain                              Yes      No
Sites                                          Yes      Yes
Run as a service                               No       Yes
Trusts                                         Yes      No
LDAP 2/3                                       Yes      Yes
Kerberos                                       Yes      Partial
DNS Integration (SRV records required)         Yes      No
Schema modification                            Yes      Yes
Computer objects (required)                    Yes      No
Hosts computers (domain members)               Yes      No
Unique names (SAMaccountName)                  Yes      Yes
Support iNetOrgPerson                          Yes      Yes
Static ACL (stamped)                           Yes      Yes
Global Catalogue                               Yes      No
Custom Indexed objects                         Yes      Yes
Scale (above 1 billion objects)                Yes      Yes
FSMOs                                          Yes      Yes
Trusts – Traditional Kerberos                  Yes      No
SAML support                                   Yes      Yes
ADFS support                                   Yes      Yes
Group policy support                           Yes      Partial
GPO based object rules                         Yes      No
Active Directory Users and Computers support   Yes      No
LDAP tool support                              Yes      Yes
ADSI Edit                                      Yes      Yes
Server Core support                            Yes      Yes
Self-managed (via GPO)                         Yes      No
Event log                                      Yes      Partial
Auditing                                       Yes      Partial
Higher computing power required                Yes      No
Built in Active Directory sync tool            No       Yes
Security outside of “Domain Admins”            No       Yes

 

High-level comparison

Some of the key aspects of Active Directory versus LDS.

Key: The larger area is best.


Monday, December 03, 2012

EduPerson, AuEduPerson, schac Schema for Active Directory

 

As part of moving a Sydney University from Sun/Oracle iPlanet LDAP directory to Active Directory I have to support the educational standard objects: EduPerson; the Australian specific options required by the AAF, AuEduPerson; and, as the university is also using it, schac, the Schema for Academia. All three of these are out on the internets in different formats but not all were available for AD. I have taken these works, plus additional information from the schema documentation, and converted or updated them to support AD direct import. I have also provided these to the AAF to list in the ‘files’ section of their web site.

These have all been tested on AD domain and forest modes 2003-2008r2 on Windows 2008 R2.

Make sure you turn on Advanced Features in AD users and computers to see them. And to enable the schema manager use the command “regsvr32 c:\Windows\System32\schmmgmt.dll”


To import these files, from a Domain Controller logged on as a Schema Admin run the following, you can run this remotely to the DC, but the command line is horrible…:

ldifde -i -f "eduPerson-active directory.ldf" -v

ldifde -i -f "aueduPerson-active directory.ldf" -v

ldifde -i -f "schac-active directory.ldf" -v
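
One way to handle the DC=xxx,DC=EDU,DC=AU placeholder and check the schema before running the imports above, as an added example that is not part of the original post. The function name Import-SchemaLdf and the .local.ldf output name are hypothetical; it assumes the ActiveDirectory module is available and that ldifde reports failure through its exit code.

```powershell
# Added example. Rewrites the placeholder suffix to the real forest DN, warns
# about names already present in the schema, and only imports when asked to.
Import-Module ActiveDirectory

function Import-SchemaLdf {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Placeholder = 'DC=xxx,DC=EDU,DC=AU',   # suffix used in the files on this page
        [switch]$Import                                  # without this switch nothing is written to AD
    )

    $rootDse  = Get-ADRootDSE
    $forestDn = $rootDse.rootDomainNamingContext   # the schema partition sits under the forest root
    $schemaNc = $rootDse.schemaNamingContext

    # -replace is case-insensitive, so DC=XXX and DC=xxx are both rewritten.
    $lines = @(Get-Content -Path $Path) -replace [regex]::Escape($Placeholder), $forestDn

    if (@($lines -match 'DC=xxx').Count -gt 0) {
        throw "Placeholder suffix still present in $Path"
    }

    # The rewritten file is saved as ASCII; typographic quotes pasted from a
    # web page would be turned into '?', so flag them before that happens.
    $nonAscii = @($lines -match '[^\x00-\x7F]')
    if ($nonAscii.Count -gt 0) {
        Write-Warning "$Path has $($nonAscii.Count) line(s) with non-ASCII characters."
    }

    # Report attributes and classes that already exist, so a repeat import
    # or a clash with another schema extension is visible up front.
    $existing = foreach ($line in $lines) {
        if ($line -match '^lDAPDisplayName:\s*(\S+)') {
            $name = $Matches[1]
            if (Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$name)") {
                $name
            }
        }
    }
    if ($existing) { Write-Warning "Already in schema: $($existing -join ', ')" }

    $out = [IO.Path]::ChangeExtension($Path, '.local.ldf')
    Set-Content -Path $out -Value $lines -Encoding ASCII

    if ($Import) {
        & ldifde -i -f $out -v
        if ($LASTEXITCODE -ne 0) {
            throw "ldifde failed for $out (exit code $LASTEXITCODE)"
        }
    }
    $out   # path of the rewritten file, for review
}

# Same order as the commands above. Review the generated files, then rerun
# with -Import while logged on as a Schema Admin.
'eduPerson-active directory.ldf',
'aueduPerson-active directory.ldf',
'schac-active directory.ldf' | ForEach-Object { Import-SchemaLdf -Path $_ }
```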


You will notice in some attributes the “searchFlags: 1” setting is on for some key attributes, this is anticipating searching and managing performance, this can be changed in the GUI or in the schema once scale testing is underway, this may also need to be enabled for some POSIX / PAM settings.


 

Following are the three schema files.

AuEduPerson

# ========================================================================================================================
#
#  File:    auEduPerson-active directory.ldf
#  Version: 20121130
#
#  Updated by Dave Colvin, http://davestechnology.blogspot.com.au/ for direct AD import
#
#  This file should be imported with the following command while logged in to the Domain Controller as an Admin User:
#    ldifde -i -f "auEduPerson-active directory.ldf" -v
#
#  REMEMBER TO SEARCH AND REPLACE DC=XXX,DC=EDU,DC=AU WITH YOUR DC SUFFIX
#
# ========================================================================================================================
#  Attributes
# ========================================================================================================================
#
dn: CN=auEduPersonAffiliation,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: auEduPersonAffiliation
lDAPDisplayName: auEduPersonAffiliation
adminDisplayName: auEduPersonAffiliation
adminDescription: Specifies a person's relationship to the institution in broad categories but with a finer-grained set of permissible values than eduPersonAffiliation.
attributeID: 1.3.6.1.4.1.27856.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=auEduPersonLegalName,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: auEduPersonLegalName
lDAPDisplayName: auEduPersonLegalName
adminDisplayName: auEduPersonLegalName
adminDescription: The user's legal name, as per their passport, birth certificate, or other legal document.
attributeID: 1.3.6.1.4.1.27856.2
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=auEduPersonSharedToken,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: auEduPersonSharedToken
lDAPDisplayName: auEduPersonSharedToken
adminDisplayName: auEduPersonSharedToken
adminDescription: A unique identifier enabling federation spanning services such as Grid and Repositories. Values of the identifier are generated using a set formula. The value has the following qualities: unique; opaque; non-targeted; persistent; resolvable (only by an IdP that has supplied it); not re-assignable; not mutable (refreshing the value is equivalent to creating a new identity); permitted to be displayed (Note: the value is somewhat display friendly, and may be appended to the displayName with a separating space, and used as a unique display name to be included in PKI Certificate DNs and as a resource ownership label, e.g. John Citizen ZsiAvfxa0BXULgcz7QXknbGtfxk ); and portable.
attributeID: 1.3.6.1.4.1.27856.3
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# ========================================================================================================================
#  Object classes
# ========================================================================================================================

dn: CN=auEduPerson,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: auEduPerson
lDAPDisplayName: auEduPerson
adminDisplayName: auEduPerson
adminDescription: Consists of a set of data elements or attributes about individuals within Australian higher education
governsID: 1.3.6.1.4.1.27856
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.27856.1
mayContain: 1.3.6.1.4.1.27856.2
mayContain: 1.3.6.1.4.1.27856.3
defaultObjectCategory: CN=EduPerson,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: auEduPerson
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# ========================================================================================================================

 

EduPerson

# ========================================================================================================================
#
#  File:    eduPerson-active directory.ldf
#  Version: 200806
#
#  Updated by Dave Colvin, http://davestechnology.blogspot.com.au/ for direct AD import
#
#  This file should be imported with the following command while logged in to the Domain Controller as an Admin User:
#    ldifde -i -f "eduPerson-active directory.ldf" -v
#
#  REMEMBER TO SEARCH AND REPLACE DC=XXX,DC=EDU,DC=AU WITH YOUR DC SUFFIX
#
# ========================================================================================================================

# ========================================================================================================================
#  Attributes
# ========================================================================================================================

dn: CN=eduPersonAffiliation,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonAffiliation
lDAPDisplayName: eduPersonAffiliation
adminDisplayName: eduPersonAffiliation
adminDescription: Specifies the person's relationship(s) to the institution, permissible values: faculty, student, staff, alum, member, affiliate, employee
attributeID: 1.3.6.1.4.1.5923.1.1.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonNickname,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonNickname
lDAPDisplayName: eduPersonNickname
adminDisplayName: eduPersonNickname
adminDescription: Person's nickname, or the informal name by which they are accustomed to be hailed
attributeID: 1.3.6.1.4.1.5923.1.1.1.2
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonOrgDN,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonOrgDN
lDAPDisplayName: eduPersonOrgDN
adminDisplayName: eduPersonOrgDN
adminDescription: The distinguished name (DN) of the directory entry representing the institution with which the person is associated
attributeID: 1.3.6.1.4.1.5923.1.1.1.3
attributeSyntax: 2.5.5.1
oMSyntax: 127
isSingleValued: TRUE
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonOrgUnitDN,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonOrgUnitDN
lDAPDisplayName: eduPersonOrgUnitDN
adminDisplayName: eduPersonOrgUnitDN
adminDescription: The distinguished name(s) (DN) of the directory entries representing the person's Organizational Unit(s)
attributeID: 1.3.6.1.4.1.5923.1.1.1.4
attributeSyntax: 2.5.5.1
oMSyntax: 127
isSingleValued: FALSE
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonPrimaryAffiliation,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonPrimaryAffiliation
lDAPDisplayName: eduPersonPrimaryAffiliation
adminDisplayName: eduPersonPrimaryAffiliation
adminDescription: Specifies the person's PRIMARY relationship to the institution in broad categories such as student, faculty, staff, alum, etc
attributeID: 1.3.6.1.4.1.5923.1.1.1.5
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonPrincipalName,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonPrincipalName
lDAPDisplayName: eduPersonPrincipalName
adminDisplayName: eduPersonPrincipalName
adminDescription: The "NetID" of the person for the purposes of inter-institutional authentication. It should be represented in the form "user@scope" where scope defines a local security domain
attributeID: 1.3.6.1.4.1.5923.1.1.1.6
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonEntitlement,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonEntitlement
lDAPDisplayName: eduPersonEntitlement
adminDisplayName: eduPersonEntitlement
adminDescription: URI (either URN or URL) that indicates a set of rights to specific resources
attributeID: 1.3.6.1.4.1.5923.1.1.1.7
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonPrimaryOrgUnitDN,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonPrimaryOrgUnitDN
lDAPDisplayName: eduPersonPrimaryOrgUnitDN
adminDisplayName: eduPersonPrimaryOrgUnitDN
adminDescription: The distinguished name (DN) of the directory entry representing the person's primary Organizational Unit(s)
attributeID: 1.3.6.1.4.1.5923.1.1.1.8
attributeSyntax: 2.5.5.1
oMSyntax: 127
isSingleValued: TRUE
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonScopedAffiliation,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonScopedAffiliation
lDAPDisplayName: eduPersonScopedAffiliation
adminDisplayName: eduPersonScopedAffiliation
adminDescription: Specifies the person's affiliation (see eduPersonAffiliation) within a particular security domain, the values consist of a left (affiliation) and right component (security domain) separated by an "@" sign
attributeID: 1.3.6.1.4.1.5923.1.1.1.9
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonTargetedID,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonTargetedID
lDAPDisplayName: eduPersonTargetedID
adminDisplayName: eduPersonTargetedID
adminDescription: A persistent, non-reassigned, privacy-preserving identifier for a principal shared between a pair of coordinating entities
attributeID: 1.3.6.1.4.1.5923.1.1.1.10
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonAssurance,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonAssurance
lDAPDisplayName: eduPersonAssurance
adminDisplayName: eduPersonAssurance
adminDescription: Set of URIs that assert compliance with specific standards for identity assurance.
attributeID: 1.3.6.1.4.1.5923.1.1.1.11
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


# ========================================================================================================================
#  Object classes
# ========================================================================================================================

dn: CN=eduPerson,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: eduPerson
lDAPDisplayName: eduPerson
adminDisplayName: eduPerson
adminDescription: Consists of a set of data elements or attributes about individuals within higher education
governsID: 1.3.6.1.4.1.5923.1.1.2
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.5923.1.1.1.1
mayContain: 1.3.6.1.4.1.5923.1.1.1.2
mayContain: 1.3.6.1.4.1.5923.1.1.1.3
mayContain: 1.3.6.1.4.1.5923.1.1.1.4
mayContain: 1.3.6.1.4.1.5923.1.1.1.5
mayContain: 1.3.6.1.4.1.5923.1.1.1.6
mayContain: 1.3.6.1.4.1.5923.1.1.1.7
mayContain: 1.3.6.1.4.1.5923.1.1.1.8
mayContain: 1.3.6.1.4.1.5923.1.1.1.9
mayContain: 1.3.6.1.4.1.5923.1.1.1.10
mayContain: 1.3.6.1.4.1.5923.1.1.1.11
defaultObjectCategory: CN=eduPerson,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: eduPerson
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# ========================================================================================================================

 

SchAc

# ========================================================================================================================
#  Based on file Schac-Schema-1.4-Sun.ldif (non experimental schema items)
#
#  File:    schac-active directory.ldf
#  Version: 20121103
#
#  Updated by Dave Colvin, http://davestechnology.blogspot.com.au/ for AD direct import
#
#  This file should be imported with the following command while logged in to the Domain Controller as an Admin User:
#    ldifde -i -f "schac-active directory.ldf" -v
#
#  REMEMBER TO SEARCH AND REPLACE DC=xxx,DC=EDU,DC=AU WITH YOUR DC SUFFIX
#

# ========================================================================================================================
#  Attributes
# ========================================================================================================================

dn: cn=schacMotherTongue,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: schacMotherTongue
lDAPDisplayName: schacMotherTongue
adminDisplayName: schacMotherTongue
adminDescription: RFC 3066 code for preferred language of communication
attributeID: 1.3.6.1.4.1.25178.1.2.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacGender,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.2
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacGender
cn: schacGender
oMSyntax: 64
adminDisplayName: schacGender
adminDescription: Representation of human gender (see ISO 5218)
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacDateOfBirth,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.3
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacDateOfBirth
cn: schacDateOfBirth
oMSyntax: 64
adminDisplayName: schacDateOfBirth
adminDescription: Date of birth (format YYYYMMDD, only numeric chars)
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacPlaceOfBirth,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.4
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacPlaceOfBirth
cn: schacPlaceOfBirth
oMSyntax: 64
adminDisplayName: schacPlaceOfBirth
adminDescription: Birth place of a person
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacCountryOfCitizenship,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.5
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacCountryOfCitizenship
cn: schacCountryOfCitizenship
oMSyntax: 64
adminDisplayName: schacCountryOfCitizenship
adminDescription: Country of citizenship of a person. Format two-letter acronym according to ISO 3166
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacSn1,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.6
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacSn1
cn: schacSn1
oMSyntax: 64
adminDisplayName: schacSn1
searchFlags: 1
showInAdvancedViewOnly: TRUE
adminDescription: First surname of a person
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacSn2,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.7
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacSn2
cn: schacSn2
oMSyntax: 64
adminDisplayName: schacSn2
searchFlags: 1
showInAdvancedViewOnly: TRUE
adminDescription: Second surname of a person
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacPersonalTitle,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.8
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacPersonalTitle
cn: schacPersonalTitle
oMSyntax: 64
adminDisplayName: schacPersonalTitle
adminDescription: RFC1274: personal title
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacHomeOrganization,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.9
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacHomeOrganization
cn: schacHomeOrganization
oMSyntax: 64
adminDisplayName: schacHomeOrganization
adminDescription: Domain name of the home organization
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacHomeOrganizationType,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.10
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacHomeOrganizationType
cn: schacHomeOrganizationType
oMSyntax: 64
adminDisplayName: schacHomeOrganizationType
adminDescription: Type of the home organization
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacCountryOfResidence,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.11
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacCountryOfResidence
cn: schacCountryOfResidence
oMSyntax: 64
adminDisplayName: schacCountryOfResidence
adminDescription: Country of residence of a person. Format two-letter acronym according to ISO 3166
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacUserPresenceID,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.12
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacUserPresenceID
cn: schacUserPresenceID
oMSyntax: 64
adminDisplayName: schacUserPresenceID
adminDescription: Used to store a set of values related to the network presence
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacPersonalPosition,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.13
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacPersonalPosition
cn: schacPersonalPosition
searchFlags: 1
showInAdvancedViewOnly: TRUE
oMSyntax: 64
adminDisplayName: schacPersonalPosition
adminDescription: Position inside an institution
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacPersonalUniqueCode,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.14
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacPersonalUniqueCode
cn: schacPersonalUniqueCode
oMSyntax: 64
searchFlags: 1
showInAdvancedViewOnly: TRUE
adminDisplayName: schacPersonalUniqueCode
adminDescription: unique code for the subject
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacPersonalUniqueID,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.15
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacPersonalUniqueID
cn: schacPersonalUniqueID
oMSyntax: 64
searchFlags: 1
showInAdvancedViewOnly: TRUE
adminDisplayName: schacPersonalUniqueID
adminDescription: Unique identifier for the subject
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacExpiryDate,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.17
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacExpiryDate
cn: schacExpiryDate
oMSyntax: 64
adminDisplayName: schacExpiryDate
adminDescription: Date from which the set of data is to be considered invalid (format YYYYMMDDhhmmssZ)
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacUserPrivateAttribute,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.18
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacUserPrivateAttribute
cn: schacUserPrivateAttribute
oMSyntax: 64
adminDisplayName: schacUserPrivateAttribute
adminDescription: Set of denied access attributes
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacUserStatus,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.19
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacUserStatus
cn: schacUserStatus
oMSyntax: 64
adminDisplayName: schacUserStatus
adminDescription: Used to store a set of status of a person as user of services
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacProjectMembership,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.20
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacProjectMembership
cn: schacProjectMembership
oMSyntax: 64
searchFlags: 1
showInAdvancedViewOnly: TRUE
adminDisplayName: schacProjectMembership
adminDescription: Name of the project
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacProjectSpecificRole,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.21
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacProjectSpecificRole
cn: schacProjectSpecificRole
oMSyntax: 64
searchFlags: 1
showInAdvancedViewOnly: TRUE
adminDisplayName: schacProjectSpecificRole
adminDescription: Used to store a set of roles of a person inside a project
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacYearOfBirth,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.0.2.3
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacYearOfBirth
cn: schacYearOfBirth
oMSyntax: 64
adminDisplayName: schacYearOfBirth
adminDescription: Year of birth (format YYYY, only numeric chars)
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


# ========================================================================================================================
#  Object classes
# ========================================================================================================================

dn: CN=schacPersonalCharacteristics,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacPersonalCharacteristics
lDAPDisplayName: schacPersonalCharacteristics
adminDisplayName: schacPersonalCharacteristics
adminDescription: Personal characteristics describe the individual person represented by the entry
governsID: 1.3.6.1.4.1.25178.1.1.1
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.8
mayContain: 1.3.6.1.4.1.25178.1.2.7
mayContain: 1.3.6.1.4.1.25178.1.2.6
mayContain: 1.3.6.1.4.1.25178.1.2.5
mayContain: 1.3.6.1.4.1.25178.1.2.4
mayContain: 1.3.6.1.4.1.25178.1.2.3
mayContain: 1.3.6.1.4.1.25178.1.2.2
mayContain: 1.3.6.1.4.1.25178.1.2.1
defaultObjectCategory: CN=schacPersonalCharacteristics,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacPersonalCharacteristics
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=schacContactLocation,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacContactLocation
lDAPDisplayName: schacContactLocation
adminDisplayName: schacContactLocation
adminDescription: Primary means of locating and contacting potential collaborators and other persons-of-interest at peer institutions
governsID: 1.3.6.1.4.1.25178.1.1.2
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.12
mayContain: 1.3.6.1.4.1.25178.1.2.11
mayContain: 1.3.6.1.4.1.25178.1.2.10
mayContain: 1.3.6.1.4.1.25178.1.2.9
defaultObjectCategory: CN=schacContactLocation,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacContactLocation
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


dn: CN=schacEmployeeInfo,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacEmployeeInfo
lDAPDisplayName: schacEmployeeInfo
adminDisplayName: schacEmployeeInfo
adminDescription: Employee information includes attributes that have relevance to the employee role, such as position, office hours, and job title
governsID: 1.3.6.1.4.1.25178.1.1.3
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.13
defaultObjectCategory: CN=schacEmployeeInfo,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacEmployeeInfo
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


dn: CN=schacLinkageIdentifiers,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacLinkageIdentifiers
lDAPDisplayName: schacLinkageIdentifiers
adminDisplayName: schacLinkageIdentifiers
adminDescription: Used to link a directory entry with records in external data stores or other directory entries
governsID: 1.3.6.1.4.1.25178.1.1.4
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.15
mayContain: 1.3.6.1.4.1.25178.1.2.14
defaultObjectCategory: CN=schacLinkageIdentifiers,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacLinkageIdentifiers
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


dn: CN=schacEntryMetadata,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacEntryMetadata
lDAPDisplayName: schacEntryMetadata
adminDisplayName: schacEntryMetadata
adminDescription: Used to contain information about the entry itself, often its status, birth, and death
governsID: 1.3.6.1.4.1.25178.1.1.5
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.17
defaultObjectCategory: CN=schacEntryMetadata,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacEntryMetadata
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=schacEntryConfidentiality,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacEntryConfidentiality
lDAPDisplayName: schacEntryConfidentiality
adminDisplayName: schacEntryConfidentiality
adminDescription: Used to indicate whether an entry is visible publicly, visible only to affiliates of the institution, or not visible at all
governsID: 1.3.6.1.4.1.25178.1.1.6
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.18
defaultObjectCategory: CN=schacEntryConfidentiality,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacEntryConfidentiality
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=schacUserEntitlements,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacUserEntitlements
lDAPDisplayName: schacUserEntitlements
adminDisplayName: schacUserEntitlements
adminDescription: Authorization for services
governsID: 1.3.6.1.4.1.25178.1.1.7
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.19
defaultObjectCategory: CN=schacUserEntitlements,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacUserEntitlements
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


dn: CN=schacGroupMembership,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacGroupMembership
lDAPDisplayName: schacGroupMembership
adminDisplayName: schacGroupMembership
adminDescription: Groups used to provide/restrict authorization to entries and attributes
governsID: 1.3.6.1.4.1.25178.1.1.8
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.21
mayContain: 1.3.6.1.4.1.25178.1.2.20
defaultObjectCategory: CN=schacGroupMembership,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacGroupMembership
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


# ========================================================================================================================
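Schema additions cannot be deleted from Active Directory once imported, so it pays to check a file like the two above before handing it to ldifde. The following is an added example, not part of the original post or of the eduPerson/SCHAC distributions: the function names and the embedded sample are hypothetical, and the sample OIDs are constructed. It checks for comment lines that lost their `#`, an unreplaced `DC=xxx` suffix, unterminated modify records, reused or truncated OIDs, and `mayContain` entries that point at nothing in the file.

```python
import re

# Constructed sample shaped like the LDIF above; OIDs sit under 32473, the
# enterprise arc reserved for documentation. Five defects are planted in it.
SAMPLE = """\
# Updated by someone,
http://example.invalid/ for direct AD import

dn: CN=demoNick,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
attributeID: 1.3.6.1.4.1.32473.1.2.1

dn: CN=demoPerson,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
governsID: 1.3.6.1.4.1.32473
mayContain: 1.3.6.1.4.1.32473.1.2.1
mayContain: 1.3.6.1.4.1.32473.1.2.2

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
"""

ATTR = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)::?\s*(.*)$")
OID = re.compile(r"\d+(\.\d+)+")


def values(attrs, name):
    return [v for a, v in attrs if a == name]


def parse_records(text):
    """Return [(first_line_no, [(attr, value), ...], ends_with_dash), ...]."""
    records, current, start, last = [], [], None, ""
    for no, line in enumerate(text.splitlines() + [""], 1):
        if line.startswith("#"):                 # LDIF comment line
            continue
        if not line.strip():                     # a blank line ends the record
            if current:
                records.append((start, current, last == "-"))
            current, start, last = [], None, ""
            continue
        start, last = start or no, line.strip()
        m = ATTR.match(line)
        if m:
            current.append((m.group(1).lower(), m.group(2).strip()))
        elif last != "-":
            current.append(("?", line))          # neither attribute nor '-'
    return records


def lint(text):
    """Return sorted (line_no, message) findings for a schema LDIF."""
    findings, owners, defined, placeholder = [], {}, set(), []
    records = parse_records(text)
    for start, attrs, dashed in records:
        if attrs[0][0] != "dn":                  # e.g. a comment that lost its '#'
            findings.append((start, "record does not start with dn:"))
            continue
        if any(re.search(r"DC=xxx\b", v, re.I) for _, v in attrs):
            placeholder.append(start)
        if "modify" in [v.lower() for v in values(attrs, "changetype")] and not dashed:
            findings.append((start, "modify record not terminated by '-'"))
        for oid in values(attrs, "attributeid") + values(attrs, "governsid"):
            if oid in owners:
                findings.append((start, f"OID {oid} already used at line {owners[oid]}"))
            owners.setdefault(oid, start)
        defined.update(values(attrs, "attributeid"))
    if placeholder:
        findings.append((placeholder[0], f"DC=xxx placeholder left in {len(placeholder)} record(s)"))
    for oid, start in owners.items():            # an arc assigned as if it were a leaf
        if any(other.startswith(oid + ".") for other in owners):
            findings.append((start, f"OID {oid} is a parent arc of other OIDs here (truncated?)"))
    for start, attrs, _ in records:
        for v in values(attrs, "maycontain"):
            if OID.fullmatch(v) and v not in defined:
                findings.append((start, f"mayContain {v} is not defined in this file"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, message in lint(SAMPLE):
        print(f"line {line_no}: {message}")
```

A `mayContain` finding is a prompt to check, not necessarily an error: the OID may belong to an attribute that already exists in the forest's schema.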
