
Map Values to Altiris Asset Management and Helpdesk Solutions

Scott Hardie's picture

This comprehensive guide gives you all you need to bridge the digital divide between Microsoft's Active Directory and Altiris' Helpdesk and CMDB datastores. Once you've made the journey, mapped data will flow between systems and save your staff from spending countless hours entering redundant data.

Introduction

This white paper outlines the technical aspects of leveraging an organization's investment in Microsoft Active Directory and Altiris solutions such as the Active Directory Connector, Inventory Solution, Asset Management and Helpdesk solutions. It focuses on how to create new resource types within Active Directory and the Altiris CMDB, export the information from Active Directory, and import and map it to Altiris Resources so that it is available for use with other Altiris Solutions. This improves the integration of Altiris and Microsoft while reducing the time spent manually entering data into Altiris, human typographic errors, and errors from incorrect or missing updates.

Editing Active Directory Schema

The Microsoft Active Directory Schema (MMC) snap-in is not available by default in the list of snap-ins. In order to leverage it you need to register the schmmgmt.dll and build a new console. Follow the steps below to do so.

  1. To register the console, click Start -> Run and type regsvr32 schmmgmt.dll and hit Ok.

    Figure 1


  2. You should receive a successful registration message.

    Figure 2

  3. After schmmgmt.dll has been registered you can create the MMC console with the Active Directory Schema snap-in by clicking Start -> Run.
  4. Type mmc and press Enter. Console1 opens.
  5. From the File menu, select Add/Remove Snap-in. The Add/Remove Snap-in dialog box opens.
  6. Click Add. The Add Standalone Snap-in dialog box appears. The Active Directory Schema should now be available as a snap-in. Select it and click Add.
  7. Click Close to close the Add/Remove Standalone Snap-in dialog box. Click OK in the Add/Remove Snap-in dialog box. You should now see the Active Directory Schema snap-in in the Console1 MMC.

    Figure 3


  8. Choose File, Save As. The Save As dialog box opens. In the File name box, type AD Schema.msc. In the Save in box, select Desktop. Click Save. This saves a Schema console on the desktop for later use.

Adding or Leveraging AD Attributes

Active Directory already includes attributes such as Employee ID or Employee Number, which you can simply map to using the AD connector as shown later in this white paper. Other customers may prefer to add new attributes to the user class or computer class based on IT or business needs. Examples would be employee Social Security Numbers, Social Insurance Numbers, Cost Center Numbers, Additional Computer Details, etc. The needs are endless. This section walks you through an example of adding a Social Security Number attribute to the Active Directory schema, but the steps apply to adding any other attribute as well.

  1. Open the AD Schema.msc you created earlier, expand the Active Directory Schema snap-in and click the Attributes node. A list of attributes will appear in the right pane. Right-click the Attributes node and click Create Attribute on the context menu.

    Figure 4


  2. A Schema Object Creation message appears, warning you that attributes can be disabled later, but not deleted, and that they will be a permanent part of your Active Directory implementation. Make sure you have tested this in your Dev Altiris environment first; for those who don't have one yet, I highly recommend building one. To proceed, click Continue.
  3. Enter the values for a Social Security Number as follows

    Figure 5


    The Unique X.500 Object ID setting is a predefined value. If you need object IDs for additional classes or attributes, visit the Microsoft web site for additional details. You will need to register them with Microsoft.

  4. Click OK. You should now have your new attribute in the AD Schema.
  5. The Employee ID and Employee Number attributes are already in the schema. The Employee Number attribute is already linked to the user class. To use the Social Security Number attribute created as an example, the Employee ID attribute, or any other attribute, you must link it to the class. In the AD Schema console, expand the Classes node in the left pane, right-click the user class object and select Properties.

    Figure 6


  6. Click the Attributes tab and then click the Add button. A Select Schema Object dialog box appears.
  7. Browse to the attribute you want to add and click Ok. As in the example of employeeID, employeeNumber and the newly created SSN attributes you may add them in this fashion.

    The employeeNumber attribute should already be in the list; if it isn't, and you want to use it you can go ahead and add it now.

    Figure 7/8


Now you know how to extend the user class and add attributes to the Active Directory schema. Of course, none of this will do you any good unless you have an application that will make use of these new attributes. That's what Altiris is all about!

Adding Values to Custom Attributes

So now that you have new attributes added to your user or computer resources, you're going to want to add values to all of them. There are two ways you can do this. The obvious one is to use scripting alone, and for some companies this may even be the preferred method. For most customers a GUI would make things easier. To create a GUI for this we use ADSI Edit from the Windows 2000 or 2003 Server installation CD and put some scripts on our DCs. You will need to install the appropriate suptools.msi from the Support\Tools directory on the CD. Once you have done so, follow the steps below to create the GUI.

  1. Open ADSI Edit: click Start -> Run, type adsiedit.msc and click Ok.

    Figure 9


  2. Expand the Configuration, CN=Configuration, and CN=DisplaySpecifiers nodes, and then select the CN=409 node.

    Figure 10


  3. In the right pane, locate the CN=user-Display object, right click on it, and choose Properties.
  4. Double-click adminContextMenu, or select it and click the Edit button. A Multi-valued String Editor dialog box opens. In the Value to Add text box, type the following strings, clicking Add after each one:
    • ,&SSN, C:\ssn.vbs
    • ,&Employee-Number, C:\employee-number.vbs
    • ,&EmployeeID, C:\employee-ID.vbs

    Figure 11


  5. Click OK twice to close this dialog box and then the CN=user-Display Properties dialog box.
  6. Close ADSI Edit.
  7. Open the AD Schema console and reload the schema. In the left pane, right-click the Active Directory Schema node and click Reload the Schema.
  8. Close the Schema console.

Scripts

Scripts need to be added to every DC in order for this to work. Scripts can be created for any custom Attribute that you have created. The paths for the scripts are on the root of C:\ in these examples. However, you can adjust the path statements using the String Editor as we did in the previous example to reflect wherever you want them to be.

Script for Employee ID:
Name it: employee-ID.vbs

' Active Directory Users and Computers passes the selected user's path as the first argument
Dim oemployeeID
Dim oUser3
Dim temp3
Set oemployeeID = Wscript.Arguments
Set oUser3 = GetObject(oemployeeID(0))
' Show the current value and prompt for a new one
temp3 = InputBox("Employee-ID: " & oUser3.employeeID & vbCRLF _
    & vbCRLF & "If you would like to enter a new number " _
    & "or modify the existing number, enter the new number " _
    & "in the textbox below")
' An empty box leaves the attribute unchanged
if temp3 <> "" then oUser3.Put "employeeID",temp3
oUser3.SetInfo
Set oUser3 = Nothing
Set oemployeeID = Nothing
Set temp3 = Nothing
WScript.Quit

Script for Employee Number:
Name it: employee-number.vbs

' Active Directory Users and Computers passes the selected user's path as the first argument
Dim oemployeeNumber
Dim oUser2
Dim temp2
Set oemployeeNumber = Wscript.Arguments
Set oUser2 = GetObject(oemployeeNumber(0))
' Show the current value and prompt for a new one
temp2 = InputBox("Employee-Number: " & oUser2.employeeNumber _
    & vbCRLF & vbCRLF & "If you would like to enter a " _
    & "new number or modify the existing number, enter " _
    & "the new number in the textbox below")
' An empty box leaves the attribute unchanged
if temp2 <> "" then oUser2.Put "employeeNumber",temp2
oUser2.SetInfo
Set oUser2 = Nothing
Set oemployeeNumber = Nothing
Set temp2 = Nothing
WScript.Quit

Script for Social Security Number:
Name it: ssn.vbs

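' Active Directory Users and Computers passes the selected user's path as the first argument
Dim oSSN
Dim oUser1
Dim temp1
Set oSSN = Wscript.Arguments
Set oUser1 = GetObject(oSSN(0))
' Show the current value and prompt for a new one
temp1 = InputBox("Social Security Number: " & oUser1.SSN & vbCRLF _
    & vbCRLF & "If you would like to enter a new number or " _
    & "modify the existing number, enter the new number in " _
    & "the textbox below")
' An empty box leaves the attribute unchanged
if temp1 <> "" then oUser1.Put "SSN",temp1
oUser1.SetInfo
Set oUser1 = Nothing
Set oSSN = Nothing
Set temp1 = Nothing
WScript.Quit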

You will need a script like these examples for any other attribute you plan to create or have already created. An @ denotes a part of the script that needs to be changed based on the name of your new attribute; the others should remain untouched. Bold should reflect your new attribute name or custom text to prompt for an alphanumeric value.

@Dim oSSN
Dim oUser1
Dim temp1
@Set oSSN = Wscript.Arguments
Set oUser1 = GetObject(oSSN(0))
@temp1 = InputBox("Social Security Number: " & oUser1.SSN & vbCRLF _
    & vbCRLF & "If you would like to enter a new number or " _
    & "modify the existing number, enter the new number in " _
    & "the textbox below")
if temp1 <> "" then oUser1.Put "SSN",temp1
oUser1.SetInfo
Set oUser1 = Nothing
Set oSSN = Nothing
Set temp1 = Nothing
WScript.Quit
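
The scripts above write whatever is typed into the box straight to the directory. The following is an added example, not one of the author's scripts: a version of ssn.vbs that checks and normalizes the input before writing it. The ###-##-#### storage format, the message texts and the NormalizeSsn helper are assumptions; the SSN attribute name is the one created earlier in this article.

```vbscript
' Added example (not the article's script): ssn.vbs with input validation.
' Assumption: values are stored as ###-##-#### in the "SSN" attribute.
Option Explicit

Dim oArgs, oUser, current, entered, normalized

Set oArgs = WScript.Arguments
If oArgs.Count < 1 Then
    MsgBox "No directory object was passed to the script.", vbExclamation, "SSN"
    WScript.Quit 1
End If

' The context menu passes the path of the selected user as the first argument.
Set oUser = GetObject(oArgs(0))

' Get raises an error when the attribute has no value yet, so read defensively.
current = ""
On Error Resume Next
current = oUser.Get("SSN")
On Error GoTo 0

entered = InputBox("Social Security Number: " & current & vbCrLf & vbCrLf & _
    "Enter a new number as 123-45-6789 or 123456789, " & _
    "or leave the box empty to keep the existing value.", "SSN")

If Trim(entered) <> "" Then
    normalized = NormalizeSsn(entered)
    If normalized = "" Then
        MsgBox "Not a valid number; nothing was changed.", vbExclamation, "SSN"
    ElseIf normalized <> current Then
        oUser.Put "SSN", normalized
        oUser.SetInfo   ' write to the directory only when the value changed
    End If
End If

Set oUser = Nothing
Set oArgs = Nothing
WScript.Quit 0

' Returns the value as ###-##-####, or "" when the input is not exactly
' nine digits with optional dashes in the usual positions.
Function NormalizeSsn(ByVal text)
    Dim re, m
    Set re = New RegExp
    re.Pattern = "^\s*(\d{3})-?(\d{2})-?(\d{4})\s*$"
    NormalizeSsn = ""
    If re.Test(text) Then
        Set m = re.Execute(text)(0)
        NormalizeSsn = m.SubMatches(0) & "-" & m.SubMatches(1) & "-" & m.SubMatches(2)
    End If
End Function
```

The same structure works for the employee-ID and employee-number scripts once the pattern is replaced with whatever format your organization uses for those values.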

Using the ADSI Interface

After copying employee-ID.vbs, employee-number.vbs, ssn.vbs and any other scripts you created to the C: drive or the path you have chosen, you can add data to those new attributes.

  1. Open Active Directory Users and Computers. Locate a user account and right-click. The new attributes (SSN, Employee-Number, and Employee-ID) should appear on the context menu for the user.

    Figure 12


  2. Click on any of the new attributes you created. When the text box opens you should be able to enter the information and click OK.

Once you have entered values for these new attributes, you can use the Active Directory Connector Solution from Altiris to import these values and make them available to other solutions. We will begin that in the next section.

Creating New Data Classes

Now that you have a method of entering data for your new attributes within Active Directory, we need to map or create new data classes within Altiris. The first step is to go to the Configuration Tab -> Configuration -> Resource Settings -> Data Classes -> User Defined.

This is where you create a new data class for a new attribute such as the Social Security Number.

Figure 13


  1. Right click on the User Defined Folder and choose New -> Editable Data Class
  2. Give the new Data Class Configuration a Name and Description. For the example of the Social Security Number or Employee Number use the below screen shots as examples.

    Figure 14


  3. Click the Add New Attribute button
  4. Give the New Attribute a Name, Description, choose Type as String and Maximum Length.

    Figure 15


    Figure 16


  5. Click Ok to Save the Attribute Configuration(s)

    Figure 17


    Figure 18


  6. Click Apply to create the new data class
  7. For other Data Classes, check whether Altiris already has them created so that you can leverage them. For the example of the Employee ID, Altiris already has a Data Class created for it, which we will map to later in the Altiris Active Directory Connector Solution. It can be found at Configuration Tab -> Configuration -> Resource Settings -> Data Class -> General Data Classes -> Employee ID

    Figure 19


Adding Data Classes to Resource Types

Now that we have created our new data class(es) we will need to map them to our resources. In the case of our Social Security Number and Employee Number they need to be mapped to User Resources. However depending upon what you are creating you may be mapping them to another resource type and the same logical steps apply.

  1. For a User Resource Type go to the Configuration Tab -> Configuration -> Resource Settings -> Resource Types -> Organizational Types -> User

    Figure 20


  2. Click on the Add Data Classes button

    Figure 21


  3. Click the Data Classes you want to add, in our examples Employee ID and our newly created Employee Number and Social Security Number, and click the Apply button.
  4. The new Data classes will now be added to the Resource. Click the Apply button to save your updates.

Figure 22


Configuring Active Directory Connector Rules

The final step is to configure the Active Directory Import rules to pull in the AD attributes we want and to map them to our newly created or modified resource types. The Active Directory Connector comes with 5 rules by default. They are for importing the following resource types:

  • Computer
  • User
  • Print Queue
  • Site
  • Subnet

For our examples we are going to modify the default Import rule for Users.

  1. To modify these import rules go to the Configuration Tab -> Configuration -> Server Settings -> Notification Server Infrastructure -> Microsoft Active Directory Import
  2. Click on the default column mappings hyperlink for the Import User rule. If you need to map to another resource, follow the exact same steps as in the User example. If you have never previously configured the Active Directory rules, you will need to enable the ones you want to use: first select the schedules and frequency at which full and delta imports should take place, then click the Apply button.

    Figure 23


  3. Once the column mappings link has been clicked, choose the AD Data Source Attributes that we enabled or created, based on the Resources / Data Classes we enabled or created within Altiris. In the case of Employee ID, Employee Number and Social Security Number see the screen shot examples below.

    Figure 24


    Figure 25


    Figure 26


  4. Once you have saved your column mappings you will want to either wait for your import rule(s) to synchronize the data based on the synchronization schedule you have in place or manually click on the rule and click the full import icon to synchronize now as in the screenshot below.

Figure 27


Conclusion

You now have a complete process to take advantage of your Active Directory investment and automatically bring that information into Altiris, where it can be used for reporting and by any of the other Altiris Solutions you may own. Some of these would include Inventory Solution, Asset Management and Helpdesk Solution. I have attached screenshots of the example information in these solutions. By leveraging this functionality, an organization can also remove manual typing of this information into other solutions, reduce time and the chance of human error, and still provide a single source for entering information into your directory for use within Altiris or any other solution that can read from the directory. If you have questions please feel free to contact me.

Asset CMDB Screenshot

Figure 28


Inventory Details Screenshot

Figure 29


Asset Resource Screenshot

Figure 30


Helpdesk Solution Worker Screenshot

Figure 31


 
 
Robert Lundsten's picture

Great stuff!

Thanks!

Very useful information. Is this guide also available as a PDF?
Robert Lundsten

Asterio AB - System Management Solutions
http://www.asterio.se

Robert Lundsten
Senior Technical Advisor

Asterio | http://www.asterio.se
Symanji | http://www.symanji.se

Admin's picture

Printer Friendly

No PDF at the moment, Robert.

Give the Printer Friendly link at the bottom of the article a try. It does a respectable job rendering the article in a format suitable for, well, printing.

JM

Scott Hardie's picture

PDF version can be found on our website

We post all the PDFs on our website. Please just give us credit when it's due.

Thanks,

James "Scott" Hardie
Vice President of Technology Services
shardie@xcendgroup.com
http://www.xcendgroup.com

James "Scott" Hardie
Manager Systems Engineering
scott_hardie@symantec.com
http://www.symantec.com

Admin's picture

My bad

I didn't know the xcendgroup had a PDF version available on their site.

You can see it here.

JM

ctoll's picture

Thanks!

Thanks for writing this up, Scott. This is a great article.

Scott Hardie's picture

You're Welcome!

Thanks.

Let me know if you create any new attributes. Also, any other things that may be needed or would help solve a problem and I will write those up as well.

I have a number of other white papers in the works. It's just difficult to have the time running a business, conducting services engagements and building content.

Any feedback that could help me prioritize certain white papers would be helpful.

James "Scott" Hardie
Vice President of Technology Services
shardie@xcendgroup.com
http://www.xcendgroup.com

James "Scott" Hardie
Manager Systems Engineering
scott_hardie@symantec.com
http://www.symantec.com

xmoreland's picture

Yet.....

as with everything.

What you end up getting is only as good as your data.

We have not done this exactly...but have run into problems with our AD people not being consistent with their data which is messing with bringing into asset at this point.