AD Integration

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Locked
jkinning
Posts: 747
Joined: Wed Oct 09, 2013 2:54 pm

AD Integration

Post by jkinning »

Just wondering if there is still development work taking place for the AD feature? I am unable to use this feature because of the user count we have in our environment. I am getting capped at a limit and there is no way to see all the users in my AD environment to add or set up as contacts. Is there any way to leverage AD groups? Has anyone else who may have had this issue figured out a workaround? It would be even nicer if, when I know the user name in AD, I could manually enter it and forget about browsing the tree for the user.

Manually maintaining local users and groups is growing old.
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: AD Integration

Post by hsmith »

jkinning wrote:Just wondering if there is still development work taking place for the AD feature?
There are things planned for the future. See below.
jkinning wrote: Is there any way to leverage AD groups?
There's not, but it's planned for the future.
jkinning wrote: Has anyone else who may have had this issue figured out a workaround?

Please open up an administrative command prompt and run these commands on the domain controller to see what the settings are; this is what resolved it on mine:

    ntdsutil.exe [enter]
    ldap policies [enter]
    connections [enter]
    connect to server dc1.contoso.local [enter]
    quit [enter]
    show values [enter]

The part that we are interested in is the MaxPageSize setting; mine was set to 1000, so I ran this:

    set maxpagesize to 5000 [enter]

These instructions should work for you. Credit to @ssax.
jkinning wrote: It would be even nicer if, when I know the user name in AD, I could manually enter it and forget about browsing the tree for the user.
You can do this under Manage Users in the Admin menu.
Former Nagios Employee.
jkinning
Posts: 747
Joined: Wed Oct 09, 2013 2:54 pm

Re: AD Integration

Post by jkinning »

hsmith wrote: There are things planned for the future. See below.
I don't see anything below?
hsmith wrote: There's not, but it's planned for the future.
Thanks.

hsmith wrote: Please open up an administrative command prompt and run these commands on the domain controller to see what the settings are; this is what resolved it on mine:

    ntdsutil.exe [enter]
    ldap policies [enter]
    connections [enter]
    connect to server dc1.contoso.local [enter]
    quit [enter]
    show values [enter]

The part that we are interested in is the MaxPageSize setting; mine was set to 1000, so I ran this:

    set maxpagesize to 5000 [enter]

These instructions should work for you. Credit to @ssax.
Unfortunately our AD admin is resistant.

Hardcoded LDAP limitations have been introduced in Windows Server 2008 R2 and Windows Server 2008 to prevent overloading the domain controller.

See: https://support.microsoft.com/en-us/kb/ ... kb/2009267

Microsoft recommends using Paged Queries (RFC 2969), a standard which was introduced approx. 10 years ago.

Poorly constructed LDAP queries can literally bring a domain controller to its knees by flooding port 389. It is basically a self-inflicted denial of service. The DC becomes unresponsive to other LDAP requests (authentication, etc.) because it's so busy servicing the query. An administrator who knows enough to be dangerous and performs a query on say (objectClass=User) in a large environment could do that, just as well as an application.
MaxPageSize, then, guarantees that you won't get more than 1,000 entries in a single search result. You can get the results you want by using paged search controls, which group the results in MaxPageSize limits. I have seen a number of cases where a well meaning admin has expanded this value to large numbers. This is extremely dangerous and can cause all sorts of errors and failures caused by a DC being unresponsive for a period of time.
Microsoft's ExBPA (Exchange Best Practices Analyzer) tool checks for MaxPageSize and flags it as a critical issue if the value is more than 1,000. In another case, we found that MaxPageSize had been set to 50,000. This caused Exchange to break because the Global Catalog server was so overwhelmed with LDAP traffic that the Exchange server couldn't locate a GC. Remember, MaxPageSize is forest-wide and affects all LDAP servers.

The best practice for setting MaxPageSize is to leave it alone.
hsmith wrote: You can do this under Manage Users in the Admin menu.
I am not seeing anyplace to do this other than browse the tree. Where can I key in a username in order to add them?
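The passage quoted above makes the security-relevant point: MaxPageSize is a forest-wide throttle that protects every domain controller from a single oversized query, and the correct fix is for the LDAP client to page through results with the paged-results control (RFC 2696) rather than for the admin to raise the cap. As an added example, not part of this thread and not Nagios XI's own AD code, the PowerShell below first reads the current MaxPageSize from the forest's Default Query Policy (the same value that ntdsutil's "show values" prints) without changing it, then enumerates the members of a large AD group with a paged DirectorySearcher query that never asks the server for more than that cap in one round trip. The domain controller dc1.contoso.local, the group Nagios-Contacts and the OU=Groups container are assumed placeholders; it needs a domain-joined Windows host with the RSAT ActiveDirectory module.

```powershell
# Added example for this thread; not Nagios XI code and not from any poster.
# Assumes a domain-joined Windows host with the RSAT ActiveDirectory module.
# Hypothetical names: DC dc1.contoso.local, group Nagios-Contacts under OU=Groups.

Import-Module ActiveDirectory

# --- 1. Read-only check of the forest-wide MaxPageSize ---------------------------
# The value lives on the Default Query Policy object in the Configuration partition,
# as one of the multi-valued lDAPAdminLimits strings ("MaxPageSize=1000").
$configNc = (Get-ADRootDSE).configurationNamingContext
$policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$configNc"
$limits = (Get-ADObject -Identity $policyDn -Properties lDAPAdminLimits).lDAPAdminLimits
$maxPageSize = [int](($limits | Where-Object { $_ -like 'MaxPageSize=*' }) -replace '^MaxPageSize=', '')
Write-Host "MaxPageSize = $maxPageSize (Microsoft default is 1000; changing it affects every DC in the forest)"

# --- 2. Enumerate a large group with a paged search (RFC 2696 control) -----------
# Setting PageSize > 0 makes DirectorySearcher attach the paged-results control, so the
# DC returns the complete result set in pages of at most PageSize entries and the
# client never hits the server-side cap, however many users match the filter.
$root     = New-Object System.DirectoryServices.DirectoryEntry('LDAP://dc1.contoso.local')
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)' +
                     '(memberOf=CN=Nagios-Contacts,OU=Groups,DC=contoso,DC=local))'
$searcher.PageSize = [Math]::Min(1000, $maxPageSize)   # a page must never exceed MaxPageSize
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'mail', 'displayName'))

$results = $searcher.FindAll()
try {
    Write-Host ("Matched {0} user objects via paging" -f $results.Count)
    foreach ($r in $results) {
        $sam  = $r.Properties['samaccountname'][0]
        $mail = if ($r.Properties['mail'].Count -gt 0) { $r.Properties['mail'][0] } else { '' }
        '{0,-24} {1}' -f $sam, $mail
    }
}
finally {
    $results.Dispose()   # SearchResultCollection holds unmanaged directory handles
}
```

Two caveats a practitioner will hit: the `memberOf` filter above matches direct members only, so nested groups need the LDAP_MATCHING_RULE_IN_CHAIN matching rule (`memberOf:1.2.840.113556.1.4.1941:=`) in the filter instead; and `Get-ADGroupMember`, which looks like the easier route, goes through AD Web Services and has its own separate member-count limit (MaxGroupOrMemberEntries, default 5000), which is why a raw paged LDAP search is shown here.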
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: AD Integration

Post by hsmith »

What version of XI are you on? There should be a dropdown under 'Authentication Settings'.
Former Nagios Employee.
jkinning
Posts: 747
Joined: Wed Oct 09, 2013 2:54 pm

Re: AD Integration

Post by jkinning »

5.2.5

I think I found it. I need to create a new user and then select AD. I'll test this out and see if it works, but this would still create a local user account, right?
jkinning
Posts: 747
Joined: Wed Oct 09, 2013 2:54 pm

Re: AD Integration

Post by jkinning »

So, I just ran a test using an AD Universal Distribution group and it worked. I had my ID along with a cell SMS AD ID, and I received both notifications. That is what I was originally looking for. I still have an issue where, even though the notification is sent and the user receives it, they are unable to log in as themselves. I guess because they don't actually have a specific ID with their AD user information, since it is piggybacking off the AD group. I wanted to have these AD groups tied to service and host templates for notifications. Now comes the fun part, which I may need to open another post for: how to identify the local accounts to migrate them to AD accounts?

Also, is it possible to set up AD accounts with different notification options globally? We have accounts in AD named page_firstname_lastname which reference the cell carrier email address to deliver SMS messages. Is there an easy way to set these as default notification times from 5pm to 7am or something like that? Or would each person need to log in to XI as the page_ account and modify that information? Maybe I'm not saying this all correctly either. During business hours email alerts are all right, but off hours sending SMS alerts is what I would be looking for.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: AD Integration

Post by tmcdonald »

jkinning wrote:Also, is it possible to setup AD accounts with different notification options globally?
Automatically, I don't think so. If you have the Enterprise Edition (or haven't used the trial yet) you can go to Admin -> Notification Management, and deploy those settings to the users (it actually goes to the contacts as well, but basically the same idea).
Former Nagios employee