
DPADadmin Utility

2.5.1 Extend Active Directory Schema

The addschema command creates all the Active Directory Schema extensions that are not already present. Each element is checked individually and is added only if it is missing.

This command is intended to be run manually by a domain administrator before the main IDENTIKEY Server installation is run, as recommended by Microsoft.

It may be necessary to go through an approval process in your company before running this command, as it involves changes to Active Directory Schema. You may also need to have another administrator run the command for you, possibly in another part of your network. This depends on your company’s structure and rules for Active Directory control.

Prerequisite Information

Schema Master Machine

This command may technically be run on any Windows XP, 2003, Vista or 2008 machine. However it needs to contact the Domain Controller which has the Schema Master role. There can be only one Domain Controller in the Forest with that role. It may be simplest to run the command directly on the Schema Master, to avoid any potential connectivity or permission issues.

Warning: If you are passing the credentials to the command in the parameters, and you are not running the command on the Schema Master, check that you do not have any shares on the Schema Master open. This will cause the command to fail.

Domain Administrator Account

In order to successfully update the Schema, you must know the username and password of a Domain Administrator account that is able to log into the Schema Master. You must either run the command while logged in as that user, or pass the credentials to the command in the parameters. The Domain Administrator must have permission to extend the Schema: they must be a member of the Schema Admins group in the Forest-Root-Domain (the first domain created in the Forest).

Schema Changes Allowed

By default, Active Directory does not permit Schema extensions to be made. There is a registry setting that must be changed to allow extensions. If this is not already set, DPADadmin will ask you whether it should change the setting itself or not. If you click on Yes, it will change the setting itself, make the extensions then change it back again.

If you would prefer to change the setting manually, log into the Schema Master and set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed registry value to 1, adding it as a value of type DWORD if it does not already exist. Alternatively, if the Schema Manager MMC snap-in is installed on the machine, this can be used to enable or disable Schema extensions.

If you have disabled the Schema extensions after removing a previous installation in the Forest, reactivate them before using this command. This can be done using the Schema Manager MMC snap-in used to deactivate them.
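The three prerequisites above (reaching the Schema Master, Schema Admins membership in the forest root domain, and the Schema Update Allowed registry value) can be checked before running addschema. The following pre-flight script is an added example, not part of DPADadmin or the VASCO documentation; it assumes the ActiveDirectory PowerShell module is installed and that WinRM access to the Schema Master is permitted.

```powershell
# Added pre-flight check for the addschema prerequisites (example code, not DPADadmin's own).
# Assumes: ActiveDirectory module available, WinRM (Invoke-Command) allowed to the Schema Master.
Import-Module ActiveDirectory

# There is exactly one Schema Master in the forest; addschema must be able to contact it.
$forest       = Get-ADForest
$schemaMaster = $forest.SchemaMaster
$rootDomain   = $forest.RootDomain
Write-Host "Schema Master: $schemaMaster (forest root domain: $rootDomain)"

# Schema Admins exists only in the forest root domain, so query that domain explicitly
# and compare SIDs rather than names (the user may be logged on from a child domain).
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$schemaAdminSids = Get-ADGroupMember -Identity 'Schema Admins' -Server $rootDomain -Recursive |
    Select-Object -ExpandProperty SID
if ($schemaAdminSids -contains $me.User) {
    Write-Host "OK: $($me.Name) is a member of Schema Admins"
} else {
    Write-Warning "$($me.Name) is NOT a member of Schema Admins; addschema will fail"
}

# Read the registry value named in the documentation on the Schema Master itself.
$allowed = Invoke-Command -ComputerName $schemaMaster -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'Schema Update Allowed' -ErrorAction SilentlyContinue).'Schema Update Allowed'
}
if ($allowed -eq 1) {
    Write-Host 'OK: Schema Update Allowed = 1 on the Schema Master'
} else {
    Write-Warning "Schema Update Allowed is '$allowed' (absent or 0); DPADadmin will prompt to enable it"
}
```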

Extend the Schema on the Schema Master

1. Log into the Schema Master as a member of the Schema Administrators group.

2. Copy dpadadmin.exe onto the Schema Master.

3. Open a command prompt in the location to which it was copied.

4. Type:

dpadadmin addschema

5. If DPADadmin detects that Schema extensions are not currently permitted, it will prompt you whether to enable them or not. Enter y to enable them, or n to cancel.

The progress and success/failure of the command will be displayed in the command prompt window. If there was a failure, it can be run again after the problem has been rectified.

Extend the Schema on the IDENTIKEY Server

1. Open a command prompt and navigate to the installation’s bin directory by typing:

cd <install dir>\bin

2. Type:

dpadadmin addschema -master schema_master -u user_name -p password

3. See Command Line Syntax for more details regarding the required parameters.

4. If DPADadmin detects that Schema extensions are not allowed, it will prompt you to enable them. Enter y to enable them, or n to cancel.

The progress and success/failure of the command will be displayed in the command prompt window. If there was a failure, it can be run again after the problem has been rectified.

Active Directory Replication Interval

If Active Directory is running replication between multiple domain controllers, allow time for the schema changes to be replicated across the system. The DPADadmin checkschema command may be used to check this – see 2.5.2 Check Schema Extensions for more information.
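Because the schema is replicated forest-wide, a quick way to see whether the extensions have reached every domain controller is to query each DC's own copy of the schema naming context. This script is an added example (not the DPADadmin checkschema command) and assumes the ActiveDirectory module; the class names are the ones this chapter refers to, and it is assumed that their lDAPDisplayName values are spelled the same way.

```powershell
# Added replication check for the VASCO schema extensions (example code, not part of DPADadmin).
# Assumes: ActiveDirectory module; the lDAPDisplayName of each class matches the names in this chapter.
Import-Module ActiveDirectory

$classes = 'vasco-DPToken', 'vasco-DPApplication', 'vasco-UserExt'

# The schema is forest-wide, so collect the DCs of every domain in the forest.
$dcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_ | Select-Object -ExpandProperty HostName
}

$results = foreach ($dc in $dcs) {
    try {
        # Ask this DC (not the nearest one) for its replica of the schema partition.
        $schemaNC = (Get-ADRootDSE -Server $dc).schemaNamingContext
        foreach ($class in $classes) {
            $found = Get-ADObject -Server $dc -SearchBase $schemaNC `
                -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$class))"
            [pscustomobject]@{ DC = $dc; Class = $class; Present = [bool]$found }
        }
    } catch {
        [pscustomobject]@{ DC = $dc; Class = '(unreachable)'; Present = $false }
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Present }) {
    Write-Warning 'The schema extensions have not replicated to every DC yet; wait for the replication interval and re-run.'
}
```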

Command Line Syntax

dpadadmin addschema [-master schema_master] [-u user_name [-p password]] [-q]

Option Description

-master Fully qualified name of the Domain Controller with the Schema Master role. This option may be omitted if the command is run directly on the Schema Master.

-u User name of a Domain Administrator in the Schema Administrators group. This option may be omitted if you are logged into the machine as that Domain Administrator when you run the command.

-p Password of the Domain Administrator. This option may be omitted if you are logged in as that Domain Administrator or if they have a blank password.

-q Quiet mode, will not output commentary text.

DPADadmin addschema Command Sample

dpadadmin addschema -master dc1.vasco.com -u schema_admin -p sa_password

2.5.2 Check Schema Extensions

The checkschema command can be used to check that the Active Directory schema has been extended to include VASCO objects and attributes.

2.5.2.1 Check the Database Structure

1. Open a command prompt and navigate to the installation’s bin directory by typing:

cd <install dir>\bin

2. Type:

dpadadmin checkschema -u user_name -p password

3. See below for more details regarding the parameters.

The progress and success/failure of the command will be displayed in the command prompt window.

2.5.2.2 Command Line Syntax

dpadadmin checkschema [-u user_name [-p password]] [-m] [-d] [-q] [-v] [-l file_name]

Table 8: DPADadmin checkschema Command Line Options

Option Description

-u User name of a Domain Administrator in the Schema Administrators group. This option may be omitted if you are logged into the machine as that Domain Administrator when you run the command.

-p Password of the Domain Administrator. This option may be omitted if you are logged in as that Domain Administrator or if they have a blank password.

-m Fully qualified name of the Domain Controller with the Schema Master role. This option may be omitted if the command is run directly on the Schema Master.

-d Specify the domain in which the schema check should be run.

-q Quiet mode, will not output commentary text.

-v Verbose mode.

-l Log output to file file_name.

DPADadmin checkschema Command Sample

dpadadmin checkschema -u schema_admin -p sa_password

2.5.3 Set Up Digipass Containers in Domain

This command sets up the Digipass-Pool and Digipass-Reserve containers in the specified domain. It can optionally set up the Digipass-Configuration container also.

2.5.3.1 Prerequisite Information

Domain Administrator

You must be logged into the machine as a Domain Admin in the target domain.

2.5.3.2 Set Up Digipass Containers

1. Log into the machine as a Domain Administrator in that Domain.

2. Copy dpadadmin.exe onto the machine and open a command prompt in the location to which it was copied.

3. Type:

dpadadmin setupdomain

The progress and success/failure of the command will be displayed in the command prompt window.

2.5.3.3 Command Syntax

dpadadmin setupdomain [-config] [-domain <FQDN>] [-q]

Option Description

-config OPTIONAL. Specifies that this is the Digipass Configuration Domain, so the Digipass-Configuration container must be created.

-domain <FQDN> OPTIONAL. Specifies the FQDN of the domain to set up. If omitted, the domain to which the current machine belongs will be used.

-q OPTIONAL. Specifies that quiet mode should be used.

DPADadmin setupdomain Command Sample

dpadadmin setupdomain -config -q

2.5.4 Assign Digipass Permissions to a Group

This command assigns Digipass-specific permissions to a Windows group, applicable at the domain root and downwards. The permissions assigned are:

- Full read access to everything in the domain
- Full control over vasco-DPToken objects
- Full control over vasco-DPApplication objects
- Full write access to vasco-UserExt auxiliary objects

2.5.4.1 Prerequisites

You must be logged into the machine as a Domain Admin in the target domain.

2.5.4.2 Command Syntax

dpadadmin.exe setupaccess -group <group name> [-domain <FQDN>] [-q] [-c]

Table 10: DPADadmin setupaccess Command Line Options

Option Description

-group <group name> MANDATORY. Specify the name of the group to assign the permissions. Double-quotes are required if there are any spaces.

-domain <FQDN> OPTIONAL. Specify the fully-qualified domain name for the domain to which the group or user belongs. If omitted, the domain to which the current machine belongs will be used.

-q OPTIONAL. Specify that quiet mode should be used.

-c OPTIONAL. Add the local computer to the group named.

DPADadmin setupaccess Command Sample

dpadadmin.exe setupaccess -group "RAS and IAS Servers" -q
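Since setupaccess grants rights at the domain root that inherit downwards, it is worth reviewing exactly which access control entries the group ended up with. The following audit script is an added example, not part of DPADadmin; it assumes the ActiveDirectory module (which provides the AD: drive) and uses the group name from the sample above. It resolves schema GUIDs to names so that entries scoped to vasco-DPToken, vasco-DPApplication or vasco-UserExt are readable.

```powershell
# Added ACL audit for the rights granted by setupaccess (example code, not part of DPADadmin).
# Assumes: ActiveDirectory module (AD: drive); $groupName is the group from the sample above.
Import-Module ActiveDirectory

$groupName = 'RAS and IAS Servers'
$domain    = Get-ADDomain
$group     = Get-ADGroup -Identity $groupName -Server $domain.DNSRoot
$identity  = "$($domain.NetBIOSName)\$($group.SamAccountName)"

# Build a GUID -> lDAPDisplayName map for every class and attribute in the schema,
# so that object-specific ACEs show the vasco-* names instead of raw GUIDs.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$guidToName = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidToName[([guid]$_.schemaIDGUID).Guid] = $_.lDAPDisplayName }

# Read the domain root's DACL and keep only the ACEs for this group.
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    ForEach-Object {
        [pscustomobject]@{
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights
            # InheritedObjectType limits the ACE to one object class (Empty = all objects).
            AppliesTo = if ($_.InheritedObjectType -eq [guid]::Empty) { 'all objects' }
                        else { $guidToName[$_.InheritedObjectType.Guid] }
            # ObjectType limits the ACE to one property or right (Empty = everything).
            Property  = if ($_.ObjectType -eq [guid]::Empty) { '(all)' }
                        else { $guidToName[$_.ObjectType.Guid] }
            Inherit   = $_.InheritanceType
        }
    } | Format-Table -AutoSize
```

An entry with Rights of GenericAll and AppliesTo of vasco-DPToken corresponds to the "full control over vasco-DPToken objects" listed above; anything broader than the four listed permissions deserves a second look.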

2.5.5 Delete all Digipass-Related Data from Active Directory

Digipass-specific information is not removed from Active Directory when IDENTIKEY Server is uninstalled from a computer.

A custom VB script is available which will strip all information related to the IDENTIKEY Server from a domain. The data removed includes:

- Digipass-Configuration container, if present:
  - VASCO records in the container: Policy, Component, BackendServer, Report, Reportformat, Configuration
  - Offline authentication data
- Digipass-Pool container, if present, and the Digipass records in it
- Digipass-Reserve container, if present, and the Digipass records in it
- All Digipass in the domain, including all Digipass Applications
- All Digipass User Accounts

Each Digipass User account is deleted by searching for Active Directory Users with the vasco-CreateTime attribute set (indicating that a Digipass User account has been created for that User). All vasco-UserExt attributes on the Active Directory User are reset.

Note

The script must be run in each domain from which data is to be removed.

2.5.5.1 Run Delete Script on a Domain

you will run the command.

2. Open a command prompt while logged in as a Domain Administrator in the required domain.

3. Enter the following:

cscript dpDeleteAll.wsf [<domain>] [-v]

4. If the machine does not belong to the target domain, specify the domain name.

5. If you want record-by-record progress display, specify -v (verbose mode).

Example

cscript dpDeleteAll.wsf dm3.vasco.com -v
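Because dpDeleteAll.wsf is destructive and must be run per domain, it helps to record what it is about to remove first. The inventory below is an added example (not part of the delete script or the VASCO documentation); it assumes the ActiveDirectory module, that it is run in the target domain, and that the container and class names in this section are the exact LDAP names.

```powershell
# Added read-only inventory of the data dpDeleteAll.wsf would remove (example code, not VASCO's).
# Assumes: ActiveDirectory module; run in the target domain; names below match this section exactly.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Digipass User accounts are identified the same way the script does: vasco-CreateTime is set.
$users  = Get-ADUser -LDAPFilter '(vasco-CreateTime=*)' -Properties vasco-CreateTime

# Every Digipass and Digipass Application in the domain, wherever they are stored.
$tokens = Get-ADObject -SearchBase $domainDN -LDAPFilter '(objectClass=vasco-DPToken)'
$apps   = Get-ADObject -SearchBase $domainDN -LDAPFilter '(objectClass=vasco-DPApplication)'

# The three containers the script deletes if they exist.
$containers = 'Digipass-Configuration', 'Digipass-Pool', 'Digipass-Reserve' | ForEach-Object {
    Get-ADObject -SearchBase $domainDN -LDAPFilter "(cn=$_)"
}

[pscustomobject]@{
    Domain         = $domainDN
    DigipassUsers  = @($users).Count
    DigipassTokens = @($tokens).Count
    DigipassApps   = @($apps).Count
    Containers     = (@($containers) | ForEach-Object { $_.DistinguishedName }) -join '; '
} | Format-List

# Keep a record of the affected users: their vasco-UserExt attributes are reset, not backed up.
$users | Select-Object SamAccountName, DistinguishedName, 'vasco-CreateTime' |
    Export-Csv -NoTypeInformation -Path 'digipass-users-before-delete.csv'
```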
