June 2004

Enabling Enterprise Identity Management with SAP and Active Directory

Abstract

Customers that are using SAP integration in Active Directory infrastructures can benefit from multiple functionalities such as Single Sign On, HR module synchronization, etc.

SAP AG describes two methods for installing SAP systems on servers that are part of a domain. This document describes a third method allowing you to install SAP systems like a domain administrator but without all the administrator rights.
CONTENTS

Introduction (page 1)
Recommended Solution (page 2)
Predicted Benefits (page 2)
Technical Details (page 3)
    1. Schema update (page 3)
    2. Rights delegation (page 3)
    3. Preparing the installation (page 4)
        Users' account and groups (page 4)
        Computers' accounts and operating system installation (page 7)
    4. SAP system installation (page 8)
Conclusion (page 8)
References (page 8)
    SAP OSS Note 169468 – Version 43 – Windows 2000 Support (page 8)
INTRODUCTION

More and more customers are asking to use the same Active Directory domain infrastructure to manage the user environment and SAP systems. The benefits of this integration are mainly the use of new functionalities like Kerberos Single Sign On, easier HR module synchronization with Active Directory, and also easier administration of SAP systems using the SAP MMC snap-in, etc.

Other reasons for doing this type of integration are to reduce the costs of operating the IT system. These cost reductions can be realized by focusing each administrator population on their main technology (SAP Administrators manage SAP software, Operating System Administrators manage the operating system, Active Directory Administrators manage user rights and delegations, and so on) and by defining an infrastructure that is easier for each group of administrators to administer within their perimeter.

These types of integration increase the business value of each product: SAP and Active Directory.

SAP AG provides two methods of installing an SAP system on servers that are members of a domain. These methods are described in the "SAP R/3 Enterprise on Windows Installation Guides".

The first method is dedicated to Domain Administrators. This method is the easiest to follow because all users' accounts and groups necessary for SAP are automatically created in the domain by the R3SETUP or SAPINST program. But this method requires giving Domain Administrator rights to the people who must install the SAP system. This could be considered a security issue, and it is one reason why SAP recommends installing SAP systems in their own Windows domain.

The second method is dedicated to SAP Administrators who are not Domain Administrators. This method is a little more difficult because a Domain Administrator must manually create the users' accounts and groups required to install SAP before the R3SETUP program is started. In this method, the SAP administrators will need to synchronize the deployment of the SAP system with operations made by the Domain Administrator. The Domain Administrator will need to create user accounts and groups manually, respecting exactly the guidelines provided in the "SAP Installation Guide". The installation of an SAP system will be blocked if the users' accounts and groups are not created with exactly the required case and rights.

The SAP R3SETUP program and the SAPINST program have been designed to run on Windows NT4 and Windows 2000 servers. These programs have not been designed to take advantage of Active Directory delegation tools like Organizational Units [1]. This is why SAP AG does not recommend installing SAP servers in an organizational unit (OU) of a domain [2].

As we can see, these two methods do not benefit from Active Directory and usually imply that customers could find it necessary to create dedicated SAP domains.

[1] The R3SETUP and SAPINST programs create the users' accounts and groups needed for the SAP system installation using the Windows NT 4.0 commands. These objects are created in the default container called "Users". This container doesn't accept rights delegation, and because SAP doesn't use LDAP commands to create these objects, it's not possible to automatically create them in a specific OU.

[2] This recommendation can be found in OSS Note 169468, reproduced at the end of this document.

Windows Server 2003 White Paper

RECOMMENDED SOLUTION

The main purpose of Active Directory is to simplify the domain architecture by reducing the number of domains to be deployed. This is achieved by creating bigger domains, which also reduces the replication traffic, and by providing the possibility of delegating administrative tasks such as account creation to people who are not Domain Administrators. This delegation is performed using the Organizational Unit containers.

As seen earlier, the SAP installation programs are unable to benefit from OUs. But it is possible to delegate the rights to create new users' accounts, new groups and new computer accounts to a group of people (let's call it the "SAP Installation Group") without giving them all the Domain Administrator rights. With this delegation, this group will be able to create manually all the users and groups required to install an SAP system without requesting help from a Domain Administrator. Moreover, this group will be able to pre-create computer accounts in this OU, so they will be able to add new servers to the domain. All the servers will be in the same OU. It is possible to enforce the customizing of these servers using GPOs on an SAP dedicated OU.

After adding the server to the domain, the SAP Installation Group can be added, manually or automatically (using a GPO), to the local Administrators group of the server. After creating the SAP user accounts and groups in this way, users who are members of the "SAP Installation Group" will be able to start the R3SETUP or SAPINST program to install an SAP central instance, an SAP Application Server or anything else.

PREDICTED BENEFITS

With this method, customers can deploy an Active Directory forest with fewer domains. This means the forest will be easier to administer. It will be easier to implement the Kerberos Single Sign On mechanism or to synchronize SAP HR with Active Directory, and so on.

SAP Administrators will have total autonomy to do their usual tasks and deployments. It will not be necessary to give them Domain Administrator rights, thereby eliminating a possible security issue. This means SAP Administrators will be more efficient and Domain Administrators will not be disturbed by low-value tasks like SAP user account and group management.

SAP Administrators will not need to manage their own dedicated domain (because there will be no dedicated SAP domain). They can transfer this task to the Domain Administrators.
The customers will be able to reduce the number of servers deployed:
• No dedicated Domain Controllers for an SAP domain,
• Easier sharing of printing servers, messaging servers, backup servers and so on.

In conclusion, this method of deployment is a way to reduce direct and indirect IT system costs and proposes an easier way to deploy new functionalities that can be seen as business value for customers.

TECHNICAL DETAILS

The following chapters explain in detail the method used to deploy SAP systems without Domain Administrator rights.

1. Schema update

A schema update of the forest is required to be able to publish SAP services in Active Directory. This publishing of SAP services allows SAP administrators to use the SAP MMC snap-in more efficiently.

This schema extension is provided by SAP. It adds a few objects and attributes, but none of these attributes are published to the forest Global Catalog. Therefore, there is no impact on the Active Directory replication traffic.

This schema update can only be performed by administrators that have Schema Administrator rights. This means the schema update will not be made by SAP Administrators. Fortunately, this upgrade has to be done only once per Active Directory forest.

The easiest way to extend Active Directory for SAP is to use the R3SETUP program delivered with an SAP 4.6D or 6.10 kernel. Once the R3SETUP program has been installed, a Schema Administrator will be able to extend the Active Directory schema using the shortcut "Configure Active Directory for SAP".

2. Rights delegation

Rights delegation is required in order to give the SAP Administrators the maximum autonomy necessary to perform their usual functions. This has to be performed by a Domain Administrator of the domain where the SAP servers are installed. This task must be done for each domain where SAP servers are installed, but it is only done once per domain.

This delegation is performed as follows:
• The Domain Administrator starts the MMC snap-in "Active Directory Users and Computers".
• Connect this MMC to the domain where the SAP servers of a system are to be added.
• Use this MMC to create a group for all the user accounts of the people designated as SAP Administrators.
• Use this MMC to create an Organizational Unit dedicated to SAP servers and call it "SAP", for example.
• Use the Delegation Wizard on the SAP OU to give the SAP Administrators group, at least, the right to create, delete and change: users' accounts, computers' accounts and groups. More rights could be delegated if you wish to allow SAP Administrators to manage Group Policy Objects on this OU.

3. Preparing the installation

At this time, the SAP Administrators have all the rights needed to install an SAP system. However, they will need to do some preparation before installing SAP.

USERS' ACCOUNT AND GROUPS

Each SAP system must have a service user account and two groups. After the rights delegation, an SAP administrator can create this account and these groups using the MMC snap-in "Active Directory Users and Computers". This account and these groups will be created in the SAP dedicated OU (SAP Administrators should not be able to create them elsewhere).

The procedure is as follows:

I. Creating the New Group

To create the SAP_<SAPSID>_GlobalAdmin group:
1. Log on as SAP administrator.
2. To start the Active Directory Users and Computers Console, choose: Start → Programs → Administrative Tools → Active Directory Users and Computers
   If you cannot find Active Directory Users and Computers, start it as follows:
   a. Choose Start → Run and enter mmc.
   b. Choose Console → Add/Remove Snap-in... and choose Add.
   c. Choose Active Directory Users and Computers.
   d. Select Add.
   e. When finished, select Close and then OK.
3. In the tree on the left, right-click on the SAP OU and choose: New → Group
4. Enter the following:
   Group name: SAP_<SAPSID>_GlobalAdmin
   Group name (pre-Windows 2000): SAP_<SAPSID>_GlobalAdmin
5. Select the following:
   Group scope: Global
   Group type: Security
6. Press OK.
II. Creating the New Users

To create the SAP system users <sapsid>adm and SAPService<SAPSID>, proceed as follows:
1. In the Active Directory Users and Computers Console, right-click on the SAP OU in the tree on the left and choose: New → User
2. Enter the following:

   Field name       | Entry for <sapsid>adm | Entry for SAPService<SAPSID>
   First name       | None                  | None
   Initials         | None                  | None
   Last name        | None                  | None
   Full name        | <sapsid>adm           | SAPService<SAPSID>
   User logon name  | <sapsid>adm           | SAPService<SAPSID>

   Enter the <sapsid>adm and SAPService<SAPSID> users as specified, respecting upper and lower case syntax.
3. Choose Next and enter the following:
   Password: <password>
   Confirm password: <password>
4. Select Password never expires. Make sure that no other option is selected.
5. Choose Next and then Finish.

III. Adding the <sapsid>adm User account to the SAP_<SAPSID>_GlobalAdmin Group

1. In the SAP OU, select the newly created user account in the list on the right and double-click it.
2. Select the "Member of" tab.
3. Choose Add.
4. Select the new SAP_<SAPSID>_GlobalAdmin group and choose Add to add it to the list at the bottom. By default, the user is also a member of the Domain Users group.
5. Click OK twice.
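As an added example (not code from the white paper or from SAP), the following PowerShell script performs sections I to III above with the ActiveDirectory module, plus the primary-group change that section IV requires before SAPService<SAPSID> can leave Domain Users. The OU distinguished name, the parameter names and the Test-SapAccounts helper are assumptions of this example.

```powershell
# Added example, not part of the white paper: creates SAP_<SAPSID>_GlobalAdmin
# and the <sapsid>adm / SAPService<SAPSID> accounts in the SAP OU, then makes
# the new group the primary group of the service account so that it can be
# removed from Domain Users. Assumptions (not from the paper): the OU DN below,
# RSAT installed, and a caller who is a member of the delegated SAP group.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Z][A-Z0-9]{2}$')]      # SAP system IDs: 3 upper-case chars
    [string]$SapSid,
    [string]$SapOu = 'OU=SAP,DC=example,DC=com'  # assumed OU; replace with yours
)

$group   = "SAP_${SapSid}_GlobalAdmin"
$admUser = $SapSid.ToLower() + 'adm'     # <sapsid>adm: lower case is mandatory
$svcUser = "SAPService$SapSid"           # SAPService<SAPSID>: upper-case SID

# Section I: global security group created in the SAP OU (where rights were
# delegated), not in the default Users container the installers would use.
New-ADGroup -Name $group -SamAccountName $group -Path $SapOu `
            -GroupScope Global -GroupCategory Security

# Section II: both accounts. No first/last name, full name = logon name,
# "Password never expires" set and no other account option.
foreach ($name in @($admUser, $svcUser)) {
    $password = Read-Host -Prompt "Password for $name" -AsSecureString
    New-ADUser -Name $name -DisplayName $name -SamAccountName $name `
               -Path $SapOu -AccountPassword $password -Enabled $true `
               -PasswordNeverExpires $true -ChangePasswordAtLogon $false
    # Sections III/IV: membership in SAP_<SAPSID>_GlobalAdmin.
    Add-ADGroupMember -Identity $group -Members $name
}

# AD refuses to remove a user from its primary group, so SAPService<SAPSID>
# first gets the SAP group as primary group (primaryGroupID = the group's RID,
# the last component of its SID) and only then leaves Domain Users.
$rid = [int]((Get-ADGroup -Identity $group).SID.Value.Split('-')[-1])
Set-ADUser -Identity $svcUser -Replace @{ primaryGroupID = $rid }
Remove-ADGroupMember -Identity 'Domain Users' -Members $svcUser -Confirm:$false

# Check what R3SETUP/SAPINST will later rely on: exact-case names, the
# <sapsid>adm membership, and a service account that is out of Domain Users.
function Test-SapAccounts {
    $adm   = Get-ADUser -Identity $admUser -Properties memberOf
    $svc   = Get-ADUser -Identity $svcUser -Properties memberOf, primaryGroupID
    $sapDn = (Get-ADGroup -Identity $group).DistinguishedName
    [pscustomobject]@{
        AdmNameExact         = $adm.SamAccountName -ceq $admUser
        SvcNameExact         = $svc.SamAccountName -ceq $svcUser
        AdmInSapGroup        = [bool]($adm.memberOf -contains $sapDn)
        SvcPrimaryIsSapGroup = $svc.primaryGroupID -eq $rid
        SvcOutOfDomainUsers  = -not ($svc.memberOf | Where-Object { $_ -like 'CN=Domain Users,*' })
    }
}
Test-SapAccounts
```

Every property returned by Test-SapAccounts should be True before the installer is started; a False in SvcOutOfDomainUsers means the primary-group change did not take effect.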
IV. Adding the SAPService<SAPSID> User account to the SAP_<SAPSID>_GlobalAdmin Group

1. In the SAP OU, select the newly created user account SAPService<SAPSID> in the list on the right and double-click it.
2. Select the "Member of" tab.
3. Choose Add.
4. Select the new SAP_<SAPSID>_GlobalAdmin group and choose Add to add it to the list at the bottom.
5. Choose OK. The SAPService<SAPSID> user account must not be a member of the Domain Users group. To remove this group from the "Member of" list:
   i. Select the SAP_<SAPSID>_GlobalAdmin group and choose Set Primary Group.
   ii. Select the Domain Users group and choose Remove to delete it from the "Member of" list.
6. Choose OK to close the SAPService<SAPSID> Properties dialog box.
7. Close the Active Directory Users and Computers Management Console.

COMPUTERS' ACCOUNTS AND OPERATING SYSTEM INSTALLATION

Before installing SAP, the SAP Administrators will need to have servers ready for the installation. This means adding some SAP dedicated servers with the operating system installed and joined to the domain.

If the customer has developed an unattended or manual installation process for the operating system, the server installation can be done by an SAP Administrator.

The SAP Administrator will only need to pre-create the servers' accounts using the MMC snap-in "Active Directory Users and Computers". The procedure is as follows:
1. Log on as SAP administrator.
2. To start the Active Directory Users and Computers Console, choose: Start → Programs → Administrative Tools → Active Directory Users and Computers
   If you cannot find Active Directory Users and Computers, start it as follows:
   a. Choose Start → Run and enter mmc.
   b. Choose Console → Add/Remove Snap-in... and choose Add.
   c. Choose Active Directory Users and Computers.
   d. Select Add.
   e. When finished, select Close and then OK.
3. In the tree on the left, right-click on the SAP OU and choose: New → Computer
4. Enter a computer name, click Next twice and then Finish.

The SAP Administrator will have to do this operation for each server. Then the SAP Administrator will be able to run the unattended installation of the operating system on each server. This installation procedure can automatically add the server to the domain if the name used for the server corresponds to one of the newly created computer accounts.

4. SAP system installation

At this point, everything is ready to follow the normal installation procedure for SAP systems given by SAP AG. This installation procedure depends on the version of the SAP R/3 kernel to deploy. Please follow the instructions given by SAP in the Installation Guide corresponding to the version of SAP R/3 you want to install.

CONCLUSION

Since the first draft of this white paper, multiple customers have deployed their SAP systems using this methodology.

SAP itself has tested it and has written an OSS note describing briefly how to proceed manually. The OSS note is referenced as "OSS Note 711319 – Domain Installation using delegation of administration in AD".

REFERENCES

SAP OSS Note 169468 – Version 43 – Windows 2000 Support
(see http://service.sap.com/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700007554442001)

Symptom
Availability of Windows 2000 Server

Depending on the SAP release and the database version, some special features for Windows 2000 have to be observed for a new installation or an operating system upgrade.

Release of databases for Windows 2000

Information about the release of databases, database versions and SAP releases for Windows 2000 can be found in the SAP Service Marketplace: http://service.sap.com/platforms

For SAP 3.x releases, there are only special releases that must be specially ordered by customers. Kernel 3.1I is required for the upgrade. For Oracle, no special release is required, but the 3.1I_COM CD has to be used.

The following information is valid for:
• Windows 2000 Server
• Windows 2000 Advanced Server
• Windows 2000 Data Center Server

Additional key words

Windows 2000

Cause and preconditions

Solution

In the following, you will find a short summary of the special features to be observed on Windows 2000. Important general notes on the SAP new installation and the operating system upgrade can be found.

For information on the operating system upgrade within the scope of an SAP system upgrade to release 4.0B, 4.5B, 4.6B or later, refer to Note 179274.

This Note is subdivided into the following sections:
• a) General
  Contains information on the SAP new installation on Windows 2000 and on the operating system upgrade.
• b) SAP new installation
  Contains information on the new installation of a 4.0B, 4.5B, 4.6B or later SAP system.
• c) Operating system upgrade
  Contains notes for the upgrade of the operating system of an existing SAP system.
• d) Additional information
  Contains further information relevant for Windows 2000. In particular, important aspects of the SAP domain under Windows 2000 are described.

a) General

Note the following points when you install an SAP system under Windows 2000 or upgrade an operating system:
• Language versions
  For SAP servers, only the "International English" language version of Windows 2000 is supported. If you want to use another language for the user interface, you can install the so-called "Multilanguage User Interface" kit (MUI). For information on the installation and usage of MUI, please refer to Note 362379.
• Windows 2000 Advanced Server Cluster Support (MSCS)
  You can use the Cluster Service from Windows 2000 for databases and SAP releases which have been released for Windows 2000. However, you need to import either Windows 2000 Service Pack 1 and two additional Microsoft Hotfixes (Q257577 and Q265017), or Windows 2000 Service Pack 2 and one additional Hotfix (Q265017). For further information see Notes 30478 and 144310.
• ADSI and MMC
  These components already exist in Windows 2000 and must not be installed from the kernel CD.
• Terminal Server Service
  On the R/3 application server, terminal services can be used for the server administration in remote administration mode (just as with pcAnywhere). Only known exception: console messages (for example during the DB installation) are not displayed.
  Using terminal services in Application Server mode on an R/3 server must be avoided at all costs. The additional load negatively affects the system performance.
• DB software installation
  The database software installation may not function within a Terminal Server session (affects Microsoft SQL Server). The software can be installed with pcAnywhere or locally on the console of the respective computer. Enter the following command at the command prompt prior to the installation:
    change user /install
  After the installation enter the following command:
    change user /execute
• SAP DB only: DLL pcr62md.dll
  SAP DB Version 6.2 requires an additional DLL on Windows 2000. The required DLL, pcr62md.dll, is stored in the SAP Service Marketplace.
• pcAnywhere
  For Windows 2000 use pcAnywhere Version 9.01 or higher only.
• Temp variables
  After the SAP installation or after the operating system upgrade, check the TEMP and TMP variables of the <sid>adm user. In Windows 2000, you may obtain invalid or unfavorable values. A short and user-independent path such as "C:\temp" is best suited for SAP.

b) SAP new installation

The procedure for a new installation of the SAP system depends on the release.

Release 4.6B and later releases, and 4.0B COM
• As of release 4.6B, the SAP releases that are released for Windows NT are fully compatible with Windows 2000. No special actions are necessary. Follow the instructions for a standard SAP installation in the implementation guide "R/3 installation on Windows NT". The same applies to R/3 4.0B COM.

Release 4.5B
• DLLs
  Prior to the beginning of the installation, import the current version of the Dynamic Link Libraries R3DLLINS for Windows 2000. To do this, unpack R3DLLINS.car for your platform from the attachment to Note 65878. Then execute the file R3DLLINS.EXE manually.
• R3SETUP Tool
  Use the R3SETUP version that is stored for Windows 2000 in the SAP Service Marketplace. For this purpose, download the file R3SETUP_<Patch-Level>.CAR.
• Kernel exchange
  After the installation with R3SETUP, replace the R/3 kernel. If you do not replace it you will get the error "SICK" after the first log-on attempt after the start. Download the following two patches from the SAP Service Marketplace (www.service.sap.com/patches) and unpack them to the directory usr\sap\exe:
    dw1_<patch-level>
    dw2-<Patch-level>
  Use at least patch level 186.
• SAPOSCOL
  Use the current saposcol version. This version supports the changed performance counters of Windows 2000 to determine values for ST06 and RZ20. The latest version is stored in the file saposcol_<Patch Level>.CAR in the SAP Service Marketplace.

c) Operating system upgrade

If you upgrade an existing SAP system to Windows 2000, perform the following actions described in section "SAP new installation":
• Install the latest R3DLLINS version.
• Replace the R/3 kernel.
• Use the latest saposcol version.
• SAP DB only: see Note 315237.

d) Additional information
• Compatibility of the hardware with Windows 2000
  The upgrade to Windows 2000 may be carried out only if the hardware has been explicitly released for this purpose. This can be checked in one of the following ways:
  • If the Windows 2000 CD is available, compatibility can be checked using the program WINNT32.EXE in the I386 directory. The exact statement is: <DRIVE:>\I386\WINNT32 /CHECKUPGRADEONLY. The result is stored as the text file WINNT32.LOC in the current Windows directory (e.g. C:\WINNT).
  • The hardware has successfully passed SAP hardware certification (www.addon.de/fcert).
  • The hardware is contained in the Microsoft Hardware Compatibility List (www.microsoft.com/hcl).
  • The hardware has been released for Windows 2000 by the manufacturer. This information is published on the corresponding website.
• Kerberos Single Sign-On
  When the SAP system is installed on Windows 2000 you can set up Kerberos Single Sign-On. If you use the Kerberos protocol, the information exchanged between the SAP front end and the application server for authentication is encrypted. The procedure for setting up Single Sign-On is described in all recent installation guides. You can, for example, download the installation guide 4.6C SR 2 from SAPNet, alias "Instguides".
• Terminal Service
  All kernel objects (shared memory, semaphores, events...) can be used for operation with "Terminal Service". External error analysis programs (dpmon...) also support the "Terminal Service" of Windows 2000, that is, an R/3 system in a Terminal session can be monitored.
• Using more than 4 GB RAM
  Zero Administration Memory Management from SAP (see Note 88416) automatically supports main memory larger than 4 GB under Windows. SAP however does not use the AWE (Address Windowing Extension) API from Windows 2000. However, an SAP instance consists of several work processes. Each work process can use its own physical storage up to 2 GB (or 3 GB) in its virtual address space.
• SAP domain under Windows 2000
  Follow the instructions of the Windows documentation for the migration of an NT 4 domain to Windows 2000. For the SAP environment some additional points need to be observed. For NT 4 there are two models for the SAP system domain:
  - the single domain and
  - the additional domain.
  • Single domain
    All users and the SAP system form one single domain. This domain can be migrated to Windows 2000 and exist there as a single domain.
  • Additional domain
    Here, there is one domain for the users and a second domain for the SAP system(s). For a migration to Windows 2000 the SAP system domain has to be created as a child domain under the user domain. A "top-down" procedure is to be used. The higher domain (the user domain) must be migrated prior to the SAP child domain.
    If the user and SAP domains are part of a larger domain structure, the complete domain structure for Windows 2000 needs to be planned in a preparation phase. Usually, the structure created under NT 4 has to be re-arranged and consolidated. The name space of the root domain and all subordinate domains has to be defined, and the distribution of the DNS services needs to be determined. Here, note the following:
    - The SAP domain has to be created as a child domain.
    - The SAP domain must not be converted into an organizational unit (OU). OUs are not supported by R3SETUP and R3up.