Re: Centralized names resolution

  • From: "Plunkett, Lyn" <Lyn.Plunkett@xxxxxxxxxx>
  • To: <oracle-l@xxxxxxxxxxxxx>
  • Date: Tue, 14 Feb 2006 15:52:29 -0600

As requested, some info/lessons learned on implementing tnsname info in
AD. Let me say up front that I did not implement this, but have
inherited it, and the DBA who implemented it did a good job and we had
very little fallout. Disclaimer: neither I nor my employer takes any
responsibility for what you might do with the info. (Sheesh, I feel like
a lawyer, but this email is coming from my work account. :-) )
 
1. Version gotchas. We used the 10g client for configuring AD, as there
is a bug in 9.2 that can cause problems if it was used to set it up.
2. Domain gotchas. Remember that the AD tree has your domain at the
root. If there are any other hardcoded extensions in apps, like the old
.world, it will not be able to find them in an AD-based lookup. In this
case, we had some very old apps that unfortunately had connect strings
with .world hardcoded. The workaround for us was to grandfather a
tnsnames, which had the old entries with the .world, and will not
change. If this is not a problem for you, ignore my further comments
about the tnsnames.
3. AD Security. In AD, anonymous needs read access to the area with the tns
information in it. Our AD administrators limited this to only this part
of AD. The DBA group has read/write to the same area.
4. Setup. The Net Configuration Assistant was used to configure
'Directory Usage Configuration', with a directory type of "Microsoft
Active Directory", and using the option to create/upgrade the Oracle
schema, etc. You will need to know the server your directory service is
located on, and have rights to create the schema in AD. (Strongly
recommend trying this in a test AD environment first.)
5. Loading the service info. Net Manager can be used next to
import/export the services.
6. sqlnet.ora/ldap.ora files. The clients will not use AD until you have
changed the sqlnet.ora/ldap.ora. The sqlnet.ora and ldap.ora files are
used on the clients to set up a search path that looks in the
grandfathered tnsnames first, then LDAP (the other order did not work).

sqlnet.ora: contains the line

    NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP)

Sample ldap.ora -------------------------------------

    DEFAULT_ADMIN_CONTEXT = "your-list-of-domain-components-here"
    # example: DEFAULT_ADMIN_CONTEXT = "DC=x,DC=y,DC=com"    (for x.y.com)
    DIRECTORY_SERVERS= (your-ldapserver:your-port:your-SSL-port)
    DIRECTORY_SERVER_TYPE = AD
7. RAC. The aforementioned export/import did not handle RAC entries
well, so we used adsvw.exe to manage these entries. This is not an
Oracle tool, but worked fine.
8. Useful Metalink notes: 146605.1, 250413.1, 202156.1, 247863.1,
461635.999, 428767.995, 211014.1
 
Regards,
Lyn
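As an added example (not part of Lyn's post or of any Oracle tool), here is a small Python checker for the client-side files described in steps 2 and 6. It parses sqlnet.ora and ldap.ora, flags a NAMES.DIRECTORY_PATH that lists LDAP before TNSNAMES or omits LDAP, checks that ldap.ora has DIRECTORY_SERVER_TYPE = AD, a quoted DC=...,DC=... admin context and host:port:SSL-port server entries, and lists the .world aliases in the grandfathered tnsnames.ora that an AD lookup cannot resolve. The sample file contents, hostnames (example.invalid) and alias names are constructed; the rule that TNSNAMES must precede LDAP is taken from the post's own experience, not from Oracle documentation.

```python
"""Check Oracle Net client name-resolution files against the setup described
in the post.  Added example; the sample file contents below are constructed."""
import re

SQLNET_SAMPLE = """# constructed sample sqlnet.ora
NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP)
"""

LDAP_SAMPLE = """# constructed sample ldap.ora (hostname is a placeholder)
DEFAULT_ADMIN_CONTEXT = "DC=x,DC=y,DC=com"
DIRECTORY_SERVERS= (ldap.example.invalid:389:636)
DIRECTORY_SERVER_TYPE = AD
"""

TNSNAMES_SAMPLE = """# constructed grandfathered tnsnames.ora with one legacy .world alias
LEGACY.WORLD =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = legacy-db.example.invalid)(PORT = 1521))
    (CONNECT_DATA = (SID = LEGACY))
  )
"""

DC_RE = re.compile(r'^"?DC=[^,"]+(,DC=[^,"]+)*"?$', re.IGNORECASE)
SERVER_RE = re.compile(r"^[\w.-]+:\d{1,5}:\d{1,5}$")   # host:port:ssl-port


def parse_ora(text):
    """Parse flat KEY = VALUE lines; '#' starts a comment.  Keys are upper-cased."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip().upper()] = value.strip()
    return params


def parse_list(value):
    """Turn '(TNSNAMES, LDAP)' into ['TNSNAMES', 'LDAP'] (case preserved)."""
    inner = value.strip().strip("()")
    return [item.strip() for item in inner.split(",") if item.strip()]


def check_sqlnet(params):
    """Findings for sqlnet.ora: LDAP must be present and TNSNAMES must come first."""
    findings = []
    methods = [m.upper() for m in parse_list(params.get("NAMES.DIRECTORY_PATH", ""))]
    if "LDAP" not in methods:
        findings.append("NAMES.DIRECTORY_PATH has no LDAP entry; clients will never consult AD")
    if "TNSNAMES" in methods and "LDAP" in methods \
            and methods.index("TNSNAMES") > methods.index("LDAP"):
        findings.append("TNSNAMES is listed after LDAP; the grandfathered tnsnames.ora "
                        "must be searched first for .world aliases to resolve")
    return findings


def check_ldap(params):
    """Findings for ldap.ora: server type AD, a DC= admin context, well-formed servers."""
    findings = []
    if params.get("DIRECTORY_SERVER_TYPE", "").upper() != "AD":
        findings.append("DIRECTORY_SERVER_TYPE must be AD for an Active Directory lookup")
    if not DC_RE.match(params.get("DEFAULT_ADMIN_CONTEXT", "")):
        findings.append('DEFAULT_ADMIN_CONTEXT should be a quoted "DC=...,DC=..." list')
    servers = parse_list(params.get("DIRECTORY_SERVERS", ""))
    if not servers:
        findings.append("DIRECTORY_SERVERS is empty")
    for server in servers:
        if not SERVER_RE.match(server):
            findings.append(f"DIRECTORY_SERVERS entry {server!r} is not host:port:ssl-port")
    return findings


def legacy_aliases(tnsnames_text):
    """Top-level aliases ending in .WORLD: AD lookup cannot resolve these, so they
    have to stay in the grandfathered tnsnames.ora."""
    aliases = re.findall(r"^([\w.]+)\s*=", tnsnames_text, re.MULTILINE)
    return [a for a in aliases if a.upper().endswith(".WORLD")]


def validate(sqlnet_text, ldap_text, tnsnames_text):
    """Run every check; an empty findings list means the files match the post's setup."""
    findings = check_sqlnet(parse_ora(sqlnet_text)) + check_ldap(parse_ora(ldap_text))
    return {"findings": findings, "legacy_aliases": legacy_aliases(tnsnames_text)}


if __name__ == "__main__":
    result = validate(SQLNET_SAMPLE, LDAP_SAMPLE, TNSNAMES_SAMPLE)
    print("findings:", result["findings"] or "none")
    print("aliases that must stay in tnsnames.ora:", result["legacy_aliases"])
    # The reversed search order the post says did not work:
    print(check_sqlnet(parse_ora("NAMES.DIRECTORY_PATH = (LDAP, TNSNAMES)")))
```

Run it against real copies of the three files (read them in place of the constructed samples) before rolling a client build out; an unfilled placeholder such as "your-list-of-domain-components-here" in DEFAULT_ADMIN_CONTEXT is reported as a finding, as is a DIRECTORY_SERVERS entry missing its SSL port.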