Trademarks
CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, CRYPTO-MAS, BlackShield ID are either registered trademarks or trademarks of CRYPTOCard Inc. Microsoft Windows and Windows XP/2000/2003/2008/NT are registered trademarks of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Publication History
Date              Description       Version
August 9, 2010    Initial release   1.0
Solution Overview
Summary
Product Name             Active Directory Lightweight Directory Service (AD LDS)
Server Side Software     Active Directory Lightweight Directory Service (AD LDS)
Client Side Software     N/A - Solution is server based only
Pre-Requisites           System must be joined to a domain

CRYPTOCard Product Requirements
CRYPTOCard               BlackShield ID Professional 2.x +
Supported Token types    KT-1, KT-2, KT-4, KT-5, RB-1, MP-1
Server OS                Windows 2008 R2 x64
Within the AD DS/LDS Schema Analyzer, click on the Schema menu, then select Mark all non-present elements as included.
Note: A pop-up will appear displaying the total number of non-present elements that were marked as included. (Figure 16)
Within the AD DS/LDS Schema Analyzer, click on the File menu, then select Create LDIF file...
In the Save As window, provide a name for the LDF file. Give the file a recognizable name, as it will be used in the next section. Save the LDF file in the default directory. (Figure 17)
Loading Active Directory/AD LDS Schema LDF Files
To load the custom LDF file that was created in the previous section, a command must be executed from a command prompt within the ADAM directory. On the AD LDS system, launch a command prompt and navigate to:
C:\Windows\ADAM
Then issue the following command:
ldifde -i -f (custom LDF filename).ldf -s localhost -c "CN=Configuration,DC=X" #configurationNamingContext
The -c option replaces the placeholder distinguished name CN=Configuration,DC=X used in the LDF file with the configuration naming context of the local AD LDS instance.
Note: (custom LDF filename).ldf is to be replaced with the filename of the LDF file that was created in the previous section. After executing the command, it will show the following text output:
Connecting to "localhost"
Logging in as current user using SSPI
Importing directory from file "(custom LDF filename).ldf"
Loading entries...
Note: Loading entries may take a while depending on how many attributes are being loaded. Once the command has completed, a message appears in the command line as follows (the number of entries may vary). (Figure 18)
Loading AD LDS Synchronization Schema LDF Files
To load the custom LDF file that was created in the previous section, a command must be executed from a command prompt within the ADAM directory. On the AD LDS system, launch a command prompt and navigate to:
C:\Windows\ADAM
Then issue the following command, replacing (custom LDF filename).ldf with the name of that file:
ldifde -i -f (custom LDF filename).ldf -s localhost -c "CN=Configuration,DC=X" #configurationNamingContext
<doc>
  <configuration>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update></runs-since-last-object-update>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>
Once all changes have been made, save the file to C:\Windows\ADAM with a .xml extension. Give the file a recognizable name, as the XML file will be used in the next section.
Installing custom AD LDS Synchronization Config File
The following instructions explain how to install the custom configuration file that was created in the previous section. The custom configuration file should be placed in C:\Windows\ADAM. Launch a command prompt and navigate to:
C:\Windows\ADAM
Then type in the following command:
ADAMSync /install localhost:389 %windir%\ADAM\(custom sync filename).xml
Note: If there is a second XML file to add a second domain, then please use the same command above, but specify the appropriate file name.
First time Synchronization
After installing the custom XML configuration file, a sync must occur between the LDAP server specified in the custom XML config file and the AD LDS instance. The instructions in this section require the creation of a directory to store the sync log, and then running the command to start the sync.
A directory needs to be created for the AD LDS synchronization logs. Create a directory on the C:\ drive named ADLDS-Logs.
Launch a command prompt and navigate to:
C:\Windows\ADAM
Then type in the following command:
Open up a command prompt and type in:
whoami /user
The command prompt will display the username along with the user's SID. Copy the SID, as it will need to be added as an attribute in the Add Child window. (Figure 35)
In the Edit Entry section of the Add Child window, enter the information in the respective fields:
Attribute: ObjectSID
Values: S-1-5-21-140381145-1539809123-3681150278-500
Click the Enter button. (Figure 36)
Once the ObjectSID attribute and its value have been added to the Entry List, click the Run button.
Configuring AD LDS to auto synchronize
To have AD LDS auto synchronize on a schedule, a batch file needs to be created and run either through Scheduled Tasks or the AT command. Add the following command to the batch file to automate the sync (note the space between the port and the quoted partition name):
ADAMSync /sync localhost:389 "DC=blackshield,DC=cryptocard,DC=com" /log C:\adamlogs\autoSync.log
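As an added example that is not part of the CRYPTOCard guide, the PowerShell script below wraps the same ADAMSync /sync command for scheduled use, writing one log per run and returning a non-zero exit code when the run fails so that Task Scheduler history can record it. The log directory, the partition name, the service account placeholder and the assumption that ADAMSync sets a non-zero exit code and writes the word "error" into its log on failure are mine, not the guide's.

```powershell
# Added example (not from the CRYPTOCard guide). Save as C:\Windows\ADAM\autoSync.ps1.
# Assumptions: AD LDS listens on localhost:389, the partition is the one shown in the
# guide, and ADAMSync signals failure via a non-zero exit code and/or "error" lines
# in its log. Verify both against a real log from your instance before relying on them.
$AdamSync  = Join-Path $env:windir 'ADAM\ADAMSync.exe'
$Partition = 'DC=blackshield,DC=cryptocard,DC=com'
$LogDir    = 'C:\adamlogs'
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$Log       = Join-Path $LogDir "autoSync-$Stamp.log"      # one log file per run
$Summary   = Join-Path $LogDir 'autoSync-summary.log'     # one line per run

if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

# Run the sync exactly as the guide's batch file does.
& $AdamSync /sync 'localhost:389' $Partition /log $Log
$Exit = $LASTEXITCODE

# Count log lines flagged as errors (pattern is an assumption; adjust after inspection).
$Errors = 0
if (Test-Path $Log) {
    $Errors = @(Select-String -Path $Log -Pattern 'error' -SimpleMatch).Count
}

# Append a compact summary line that monitoring can tail without parsing the full log.
$Line = '{0} exit={1} errors={2} log={3}' -f (Get-Date -Format s), $Exit, $Errors, $Log
Add-Content -Path $Summary -Value $Line

# Surface failures to Task Scheduler through the script's own exit code.
if ($Exit -ne 0 -or $Errors -gt 0) { exit 1 }
exit 0

# Register the script with schtasks (2008 R2 has no ScheduledTasks module). The account
# DOMAIN\svc_adlds_sync is a placeholder for the account that owns the sync; schtasks
# prompts for its password. Run once from an elevated command prompt:
#   schtasks /Create /SC DAILY /ST 02:00 /TN "AD LDS Sync" /RU DOMAIN\svc_adlds_sync
#     /TR "powershell.exe -NonInteractive -ExecutionPolicy RemoteSigned -File C:\Windows\ADAM\autoSync.ps1"
```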
Displaying Currently Loaded Configurations
To display the currently loaded ADAM synchronization files, perform the following: Open a command prompt and navigate to:
C:\Windows\ADAM
Enter the following command: