Connor McDonald

Thanks for the question, Greg.

Asked: May 25, 2001 - 10:00 am UTC

Last updated: February 16, 2018 - 1:44 am UTC

Version: 8i

You Asked

My company has selected MS Active Directory for the enterprise directory services. We would like to integrate our Oracle networking with AD, in lieu of TNSNAMES or Oracle Names, for database connection resolution. However, we are having a hard time finding any resources (white papers, articles, books, etc.) that can help with our understanding of the architecture and implementation of Oracle and Active Directory. Do you have any suggestions?

and Tom said...

Article-ID: <Note:111424.1>
Circulation: PUBLISHED (EXTERNAL)
Folder: server.DBA.Security
Title: How to Install Oracle 8.1.6 with Integration for Windows 2000 Active Directory
Document-Type: BULLETIN
Impact: LOW
Skill-Level: NOVICE
Server-Version: 08.01.06
Updated-Date: 04-APR-2001 09:16:51
References:
Shared-Refs:
Attachments: NONE
Content-Type: TEXT/PLAIN
Keywords: 8.1.6; ACTIVE; DATABASE; DIRECTORY; INSTALL; REGISTER;
Products: 5/RDBMS;
Platforms: 100;

PURPOSE
-------

To Install Oracle 8.1.6 With Integration for
Microsoft Windows 2000 Active Directory


SCOPE & APPLICATION
-------------------

Intended Audience: DBA
Use: Help for installing 8.1.6 with Active Directory


How to Install Oracle 8.1.6 with Integration for
Microsoft Windows 2000 Active Directory
------------------------------------------------

I. Introduction
A. This document introduces the procedures for performing a Typical
install of the Oracle 8.1.6.0.0 EE database on a Windows 2000 server domain
controller. The operating system on this server is installed with one 6 GB
partition, formatted as NTFS with the default permission settings. The fully
qualified domain name of the server is rocky.mountain.com, with a downlevel
NetBIOS name of Rocky (the domain controller for the Mountain domain).

B. It should be noted that although this procedure has been performed
on the only domain controller in the Active Directory forest, the steps are
very similar if they are performed on a member server in an Active Directory
domain. Moreover, this domain controller will be left in mixed mode (an Active
Directory status which allows interaction with downlevel Windows NT domain
controllers).


II. Requirements
A. It is vital that the person performing this procedure has the proper
administrative control, both in the Active Directory forest, as well as on the
local member server (if this procedure is performed on a member server), or
domain controller. Integrating the Oracle database with Active Directory will
cause a modification of the Active Directory Schema and will also create new
services. Since these processes will run with the credentials of the logged on
user, it is required that the person logged on has the necessary credentials
for performing these tasks.

B. The person who is installing the Oracle 8.1.6 database must be a member
of the Schema Admins group in order to make changes to the Active Directory
Schema. By default, this group has only one member: the Administrator account
of the first domain in the forest. If the installer is not using this account,
the installer must be manually added to Schema Admins prior to installing the
database. Keep in mind that when a user is added to this group, that user must
log off and log back on in order to have the new membership reflected in the
access token of the user (i.e., to have this new membership take effect). This
person should also be a member of Domain Admins and this group should be a
member of the local Administrators group. The Administrator account in the
first domain created in the forest is a member of all of these groups by
default, as well as being a default member of Enterprise Admins (a forest
level group). If possible, the installer should log on as Administrator, the
administrative account in the first domain in the forest and check to make sure
that this account has the proper forest wide control. If it is not possible to
log on with this account, the installer must at the very least be a member of
the local Administrators group and a member of the forest wide Schema Admins
group.

C. DNS should be properly installed somewhere in the Active Directory
forest, and the installer should verify that the service is available and
correctly resolving the machine names involved in the installation of the
database. This is especially important if the database is being installed
on a machine which is remote from the domain controller where the Schema
resides (by default, the first domain controller in the first domain in the
Active Directory forest is the Schema Operations Master).


III. Procedures
A. Create or open a Microsoft Management Console which contains snap-ins
for Active Directory Domains and Trusts, Active Directory Sites and Services,
Active Directory Users and Computers, and Computer Management. This mmc is
necessary to enable writing to the Schema and perform troubleshooting as
necessary. To create the mmc, Click Start, Run, and type mmc. When the window
opens, click the Console menu and click Add/Remove Snap-in. When that window
opens, click Add. When the Add Standalone Snap-in window opens, highlight the
above snap-ins one at a time and click add. When all are added, click close,
then OK, and then save the console by clicking on the Console menu, click Save
As and choose a location and name for the new console. Leave the console open.

B. In order to install a snap-in for the Active Directory Schema, you must
first register a .dll file to make the tool visible. Click Start, Run, and
type regsvr32 schmmgmt.dll. You should see a confirmation window stating:
“DllRegisterServer in schmmgmt.dll succeeded”. Click OK.

C. On the Console menu of your new console, click Add/Remove Snap-in.
When the Add/Remove Snap-in Window opens, click Add. When the Add Standalone
Snap-in window opens, you should see a new snap-in listed second from the top
called Active Directory Schema. Highlight it and click Add. Click Close and
then OK. Your console should now show Active Directory Schema at the bottom
of the console tree. Click the Console menu, and click Save.

D. Right-click Active Directory Schema and click Operations Master. Click
the check box next to “The Schema may be modified on this Domain Controller”.
Note the name of the operations master on which the schema resides. Click OK
to close the box.

E. Ensure that you have sufficient free space to install the database.
A typical install requires 1001 MB, but expansion of the installation files may
require up to 2 GB for the install to succeed. Place the Oracle 8.1.6 EE
CD-ROM into the CD-ROM drive and when the auto-run brings up the Install
window, click Install/Deinstall Products.

F. At the Welcome Screen, Click Next.

G. Modify or accept the name and location for the Destination options and
click Next.

H. Ensure that Oracle8i Enterprise Edition 8.1.6.0.0 is selected and click
Next.

I. Ensure that Typical is selected and click Next.

J. Type in orcl.world at the Global Database Name window. Orcl should now
appear in the SID window. Click Next.

K. At the Summary window, click Install.

L. At the end of the install, click Exit and Yes to confirm the exit.

M. At this point, you must configure the naming methods and Directory
Service Access.

N. Click Start, Programs, Oracle-OraHome81, Network Administration, Net8
Configuration Assistant.

O. Select Directory Service Access configuration.

P. Select Perform directory access configuration for a server.

Q. Pull down the Directory Type select box and choose Microsoft Active
Directory and click Next.

R. At the Hostname window, type in the fully qualified domain name of the
domain controller on which the schema resides. For this example, the fully
qualified domain name of my server is rocky.mountain.com. Click Next.

S. Ensure that “Yes, I want to add the required Oracle Schema” is selected
and click Next only ONCE. This process may take up to a minute. You will
receive a warning which appears to be an error that states that the NET8
Configuration Assistant is unable to create or update the schema. The process
has actually succeeded. Click OK only ONCE to close the window.

T. You may see another window with a Red alarm bell. Select “I want to
verify the directory service information and try again” and click OK.

U. Ensure that Directory Service Access configuration is selected and
click Next.

V. Select Perform directory access configuration for a server and click
Next.

W. Ensure that Directory Type is selected for Microsoft Active Directory
and click Next.

X. Type in the fully qualified domain name of your schema operations
master and click Next.

Y. Note that this screen has now changed from the option in step S to
“Yes, I want to create a new Oracle Context”. Click Next only ONCE and you
should receive a message that Directory Server Access configuration is complete.
Click Next and select Naming Methods configuration and click Next.

Z. Select “Directory” from the left window and click the right arrow. You
may choose to remove Oracle Names and Host Name from the list, but ensure that
you have at least Directory and local in the right window and then click Next
and Next again. You will receive a message that Naming methods configuration
is complete. Click Next and then Finish.

AA. Open your mmc console, expand the Active Directory Schema and highlight
Classes. In the right pane, scroll down and you should note several classes
which begin with orcl. The Schema has now been updated to reflect Oracle
objects.

BB. Expand Active Directory Users and Computers, expand the domain
name and expand the Oracle Context. If any of the icons are not fully formed,
log off and log back on. This is caused by the addition of your account to
groups created by the Active Directory configuration. Logging back on will
update your access token.

CC. Close the mmc console. Leaving it open at this point may cause the
next procedure to fail.

DD. To register the database with Active Directory, Click Start, Programs,
Oracle-OraHome81, Database Administration, Database Configuration Assistant.

EE. When the application opens, select Change database configuration.

FF. Ensure that the service sid for your database is selected
and click Next.

GG. Select Dedicated Server mode and click Next. Click Next again.

HH. Ensure that Yes, register the database is selected and click Finish.

II. You will be prompted to confirm the location of the init.ora file
for your database. Confirm it and click OK. You will be prompted to confirm
the changing of the init.ora. Click OK.

JJ. Open the mmc console, expand Active Directory Users and Computers,
expand the domain name and expand the Oracle Context. You should now notice
that the sid name of your database appears under Oracle Context.
The Oracle Database is now registered with Active Directory with a service
name which is identical to your sid name.

IV. Optional Procedures
A. If you choose, you may add the snap-in for the Oracle Managed Products
and complete the OS authentication procedures or create users in the database.

B. Click the Console Menu and click Add/Remove Snap-in.

C. Click Add, scroll down, and highlight Oracle Primary MMC Snap-in and
click Add and then click close.

D. Click OK, then Click the console menu and click Save.

E. Expand the Oracle Managed Objects Snap-in, Expand Computers, Expand
your computer name, and expand databases. You should now see your sid name.
Right click the sid name and click connect database. You should connect
immediately since your Administrator account is a member by default in the
newly created Ora_Dba group. You may right click External OS Users and OS
database Administrators and create users in the database.

F. Client machines can be set up and configured by installing the Oracle
client from the CD-ROM, running the Net8 Configuration Assistant, choosing
Directory Service Access Configuration, and choosing directory access
configuration for a client.


Comments

Active Directory and Oracle 9i on HP Unix

Anton, May 30, 2005 - 12:42 am UTC

Hi Tom.

Can Oracle 9i on HP Unix be integrated directly with Microsoft Active Directory without using Oracle Internet Directory as the go-between?

Thanks

Tom Kyte
May 30, 2005 - 8:48 am UTC

Not that I'm aware of.

Microsoft Active Directory and Oracle 9i on Unix

Anton, June 13, 2005 - 6:34 pm UTC

Hi Tom.

Thanks for the reply.

So, if we are running Oracle 9i on HP Unix and want to authenticate database users against Active Directory, then do we have to configure Oracle Internet Directory on the HP Unix server and use LDAP replication to drag the usernames/passwords down from Active Directory to Internet Directory?

Or is there another way to authenticate Oracle 9i users on HPUX against Active Directory?

Thanks Tom.

A reader, November 03, 2005 - 4:36 pm UTC

The document you posted discusses how to install Oracle but it doesn't talk about how to configure a global tnsnames.ora....

Tom Kyte
November 04, 2005 - 2:52 am UTC

the directory would be used as the "global tnsnames.ora"; the question was in regards to using active directory.

active directory

sam, June 16, 2006 - 11:24 pm UTC

Tom:

I have a web app using mod_plsql, oracle 8i and 8IAS on IBM AIX. I have an internal users table for each user/password. I have another application used by external users and it has also its own users table. A security group suggested to take the users outside the database to active directory or tivoli.

1. Would there be any benefit of using authentication server like active directory instead of using an oracle table?

2. Would mod_plsql (8IAS or 9IAS) work with active directory? It seems that active directory is a windows product.

3. Does oracle have similar tools that do what active directory does? It seems Web Single Sign on is similar.

4. Would you integrate internal and external users into one table or keep them separate?

Tom Kyte
June 17, 2006 - 7:06 am UTC

1) sure, centralization of user accounts and management thereof. Lack of "wheel re-invention"

2) Oracle single sign on can be integrated with active directory, yes. Applications written on top of mod_plsql can take advantage of that (APEX, formally known as htmldb, does for example)

3) Single sign on uses an LDAP repository (in OID - Oracle Internet Directory), yes.

4) only answer to that is "it depends", depends on the size, needs, and other political factors.

active directory

sam, June 17, 2006 - 11:25 am UTC

Tom:
1. I do not understand what you mean by lack of wheel re-invention. It takes a few minutes to create an oracle table for users/passwords and one procedure to authenticate user and two procedures to create/edit passwords. We already have all of that done and they are all available here and oracle books. It might take more time to install/configure and try to get active directory working with apache.

My question: "why migrate to Active Directory?" What are the short/long term benefits of going there? I thought you always try to use the oracle database for everything.

2. Also, is it not a bad idea to add two extra pieces in the architecture? I guess if you use active directory then the user will call the HTTP server, which passes info to Active Directory, which validates userid/password and then passes that to the http server, which calls mod_plsql and then hits the database.

3. You said Single sign on can be integrated with active directory. Is not that redundant? they are both the same product providing same function?

4. when you say integrating both tables depends on size and needs? what do you mean. We only have 200-300 users in each table.

5. Can active directory interface with users or it is more of an admin tool? We need to have users be able to change their passwords themselves using a friendly interface like HTML.

Tom Kyte
June 17, 2006 - 4:08 pm UTC

1) it does not. you going to encrypt those passwords? hope not. going to hash them? how - what is the plan there.

and you have just re-invented, well, access control and everything. You need a user interface, you need admin tools. Hey, you just built a mini directory. And YET ANOTHER directory, yet another place to remember to remove accounts from when people get fired. Yet another place to remember to change permissions when people move groups/departments.

big time "re-invention" of yet another wheel.

If you have an organization of any size these days - being able to centralize user administration is not a horrible idea.

2) we call it single sign on. users dig it. management likes it. administrators lives are made easier by it.

3) similar functions yes.

4) looking again, I don't even believe I know what you mean by external and internal users actually.

5) active directory is a "directory". It doesn't "interface with users", it is a "database". You would have to ask microsoft about interfacing with their repository - I'm sure the users can change their passwords, must be so.

active directory

mo, June 19, 2006 - 9:41 pm UTC

Tom:

Internal users are the company employees and external are the ones that place orders to the company.

1. Can you describe how web single sign on would work. Let us say I now have user tom/oracle as a userid/password in my users table. Now I want to eliminate this and use single sign on or active directory.

How would the process work? mod_plsql is connecting to DB using one account only. How does authentication work and then passing the userid to application to do authorization.

2. DO you usually use the windows 2000/NT accounts for authenticating to all web apps too?


Thank you,

Tom Kyte
June 20, 2006 - 9:38 am UTC

bottom line will always be: you will do what your company policy says to do here.

If you want to "do it yourself" and you have the permission to do so - so be it. If someone else was offering to

a) manage the user accounts
b) deal with support issues (hey, i forgot my password....)
c) deal with hirings, firings, transfer of responsibility


I'd be interested in letting them do that.


1) download htmldb (apex), install it, read the documentation. It does SSO. SSO doesn't use a database account per user. Doesn't have (it could) to. No one ever said there would be an account per user for this.

2) I (we) use windows for nothing like that. We use SSO however, and our implementation uses LDAP.

SSO

sam, June 20, 2006 - 12:57 pm UTC

Tom:

I thought HTML DB (apex) is a windows gui tool for fast application web development.

Are you saying if I want to implement SSO/OID i have to download HTML DB or it just shows me how it works.

I thought SSO is installed as parts of the 9IAS. You just have to configure it to work with the mod_plsql and the database on unix.

Tom Kyte
June 21, 2006 - 9:33 am UTC

APEX is a browser based web development environment. It has NOTHING WHATSOEVER TO DO WITH A SINGLE OPERATING system. It works on them all.


APEX can show you an implementation of an application that uses SSO and is built on mod_plsql. It would be a "reference".

That and it comes free. And if you are building an application using mod_plsql, not starting with APEX would be the worst choice you could make...

active directory

sam, June 21, 2006 - 12:29 pm UTC

tom:

Thanks for the clarification.
Commenting on your statement below:

<And if you are building an application using mod_plsql,
not starting with APEX would be the worst choice you could make... >

1. HTML DB was introduced in 9i. Our applications use 8i and were never based on APEX which is the old webdb or portal. They are coded using pl/sql web toolkit or htp.p statements.

Did you mean implementing SSO would be much easier if we use APEX, or that the whole development effort should have been in APEX from the beginning?

2. I am confused on Oracle Internet Directory and Single Sign On. My understanding is that OID is a directory server/application that does the same thing as Active Directory. If this is true, why do I need Single Sign On? Is OID a directory structure and Single Sign On a feature that uses OID to allow single accounts?



Tom Kyte
June 22, 2006 - 11:35 am UTC

1) you are doing development on an un-supported database, using tools from the stone age. You might, just might, consider rethinking that decision.

I pointed you to APEX because

a) it is already integrated in with SSO and shows how you can use SSO from mod_plsql since it is mod_plsql

b) if you are doing development today in the year 2006 - you should consider using software that was at least written this century.

c) you'll be much more productive in apex than doing it by hand.


2) SSO is a "thing", a "feature". OID is a repository that this "thing" called SSO (which is a bunch of API's and features) uses.


An analogy:

HR applications are a "thing". Oracle the database is a repository that this "thing" called HR uses.


SSO is like an application, it implements a bunch of stuff you can reuse. One of the foundation technologies it uses - an LDAP repository.

active directory

sam, June 22, 2006 - 11:01 pm UTC

Tom:

Thanks for the excellent clarification on SSO and OID.

We are trying to get our client to upgrade to 9i. It should happen next month. It is out of my control. They have to test it to make sure it works well!

Now, let us say we upgrade this PL/SQL web toolkit application to 9i. Apex is still out of the picture. You can't integrate APEX into the existing app. I think you have to start from scratch developing in APEX because you can't edit the code and you can't integrate it with other non-apex PL/SQL pages.

So how do you start setting up OID and SSO with the existing 9i pl/sql app? Are there any good books or docs on how to do that?

Is it complex or easy thing to do?

Tom Kyte
June 23, 2006 - 10:10 am UTC

htmldb/apex is 9ir2 and above.

so, I don't agree with "out of the picture"

I really don't agree with "cannot integrate" - it can integrate as well as ANYTHING ELSE.


You do edit the code.
You can integrate it with ANYTHING YOU FEEL LIKE (hey, I'm "integrated" with amazon.com - see the home page)



active directory

sam, June 23, 2006 - 3:40 pm UTC

Tom:

I guess you are considering a URL to amazon as integration.

So are you saying that when I migrate the existing application to 9i I should develop all new pages with htmldb/apex and then have the old pl/sql pages link or submit data to the new html db pages. Correct?

2. But let us say a decision was made against that, is it hard to implement SSO without using htmldb/apex into existing app?


Tom Kyte
June 24, 2006 - 11:23 am UTC

Actually, it is a lot more than just a URL to amazon, it is truly integrated.

I can tell that so far this quarter - I've "sold" 127 copies of my book via that link (the Expert Oracle Database Architecture one). It is not because I'm keeping count, but amazon is and tells me about it.

You can use SSO to build any SSO enabled application, sure. SSO is an "API" to you as the application developer.

SSO

sam, June 25, 2006 - 1:16 pm UTC

Tom:

What is the best reference that lists the steps in detail to implement SSO? any books or oracle docs.

Is it difficult, or easy or depends on the developer skill?

Tom Kyte
June 25, 2006 - 5:13 pm UTC

You might like the book by David Knox. See "Effective Oracle Database 10g Security by Design" link in the "links i like" tab above.

A reader, November 04, 2011 - 3:37 pm UTC

I am running Oracle 11g R2 on Windows 2008 R2. Our users' profiles are stored in Microsoft Active Directory (AD).

How can I use AD for authentication and authorization?

AD Credentials with OVD

Rajeshwaran, Jeyabal, February 14, 2018 - 12:38 pm UTC

Team,

got this question today, don't know how to respond - but could you help us on this?
https://docs.oracle.com/cd/B28359_01/win.111/b32010/active_dir.htm#CDEBGIFJ
How do I use AD credentials with Oracle? There is the OVD product, but I want to try without it.

We are on Oracle 11g (11.2.0.4).

Connor McDonald
February 16, 2018 - 1:44 am UTC

OVD ?

Integration with Active Directory goes through Oracle Internet Directory until 18c.
