Authentication Server metadata in the Active Directory

Installation of the metadata

The Authentication Server does not modify or extend the AD schema; instead, it uses existing LDAP fields. Its metadata can therefore be completely removed if required.

When Authentication Server is installed with Active Directory the following items are created:

  • A Container object called Authlogics in the CN=System container of the Forest Root domain. This container also includes 3 child objects:
    • Administrators Hit
    • Global Settings
    • Operators Hit
  • 3 Universal Security Groups:
    • Authlogics Administrators
    • Authlogics Operators
    • Authlogics Servers

The following object will exist for each Authentication Server deployed:

  • A serviceConnectionPoint object called AuthlogicsServer on the Active Directory Computer Account the Authlogics Authentication server software is installed onto.

The serviceConnectionPoint object is used by agents, such as the Windows Desktop Logon Agent, to automatically detect and locate an Authentication Server in the Active Directory.

Further information regarding the groups is available in the Authlogics Authentication Server Installation and Configuration Guide.

The Authlogics Container can be browsed to and the contents viewed using ADSIEdit. The distinguished name for the parent object would be:

CN=Authlogics,CN=System,DC={Domainname}
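As an added example (not part of the Authlogics documentation or tooling), the following read-only PowerShell script inventories everything the installation section describes: the Authlogics container and its three children in the forest root domain, the three Universal Security groups, and every AuthlogicsServer serviceConnectionPoint in the forest, reported alongside the computer account it hangs off. It assumes the RSAT ActiveDirectory module and read access to each domain; it also assumes the groups are created in the forest root domain, which the article does not state explicitly. It goes slightly beyond the text by walking every domain for SCPs rather than only the root.

```powershell
# Added example (not from the Authlogics documentation): read-only inventory of the
# Authentication Server metadata in Active Directory.
# Assumptions: RSAT ActiveDirectory module available; the three groups live in the
# forest root domain (the article does not say which domain they are created in).
Import-Module ActiveDirectory

$forest      = Get-ADForest
$rootDomain  = Get-ADDomain -Identity $forest.RootDomain
$rootDC      = $rootDomain.PDCEmulator
$containerDN = "CN=Authlogics,CN=System,$($rootDomain.DistinguishedName)"

"== Shared container: $containerDN =="
try {
    $container = Get-ADObject -Identity $containerDN -Server $rootDC -Properties whenCreated -ErrorAction Stop
    "  present (created $($container.whenCreated))"
    # The article lists three children: Administrators Hit, Global Settings, Operators Hit.
    Get-ADObject -SearchBase $containerDN -SearchScope OneLevel -Filter * -Server $rootDC |
        Sort-Object Name |
        ForEach-Object { "  child: $($_.Name) [$($_.ObjectClass)]" }
}
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    "  not present"
}

"== Universal security groups =="
foreach ($name in 'Authlogics Administrators', 'Authlogics Operators', 'Authlogics Servers') {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -Server $rootDC -Properties Members
    if ($null -eq $group) { "  $name : MISSING"; continue }
    # Flag any drift from the documented scope/category; a changed scope or an
    # unexpected member of the Administrators group is worth a closer look.
    $shape = "$($group.GroupScope)/$($group.GroupCategory)"
    $flag  = if ($shape -ne 'Universal/Security') { ' <-- not Universal/Security' } else { '' }
    "  $name : $shape, $($group.Members.Count) member(s)$flag"
}

"== AuthlogicsServer serviceConnectionPoint objects (one per Authentication Server) =="
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $scps = Get-ADObject -Server $domain.PDCEmulator -SearchBase $domain.DistinguishedName `
        -LDAPFilter '(&(objectClass=serviceConnectionPoint)(cn=AuthlogicsServer))' `
        -Properties serviceBindingInformation, keywords
    if (-not $scps) { "  $domainName : none"; continue }
    foreach ($scp in $scps) {
        # The SCP sits directly under the computer account, so the parent DN is the
        # SCP's DN with its first RDN removed (the regex skips escaped commas in RDNs).
        $computerDN = ($scp.DistinguishedName -split '(?<!\\),', 2)[1]
        "  $domainName : $computerDN"
        if ($scp.serviceBindingInformation) {
            "      binding: $($scp.serviceBindingInformation -join ', ')"
        }
    }
}
```

Run it as a user with read access to the forest; it makes no changes. Keeping the output from a known-good run makes it easy to spot a new SCP (an Authentication Server someone installed without telling you) or a change to the Administrators group's membership or scope.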


Removal of the metadata

In some scenarios, it may be required to remove some or all of the Authentication Server data from the Active Directory. This is NOT done automatically by uninstalling the Authentication Server software. This is by design to cater for upgrade and server migration scenarios without losing data.

To remove user metadata from Active Directory:

  1. Delete the required user accounts from within the Authentication Server MMC (NOT Active Directory Users and Computers) which will remove the metadata from the user account objects. To remove all user account metadata, delete all of the user accounts.

To remove an instance of the Authentication Server:

  1. Uninstall the Authlogics Authentication Server software.
  2. Remove the CN=AuthlogicsServer entry, and all its sub-objects, from the Active Directory Computer Account of the Authentication server using ADSI Edit.

To remove all Authentication Server shared metadata:

  1. Remove the CN=Authlogics,CN=System,DC={Domainname} entry, and all its sub-objects, from the Default Naming Context using ADSI Edit.
  2. Delete the following Authentication Server groups from Active Directory using the Active Directory Users and Computers console:
    • Authlogics Administrators
    • Authlogics Operators
    • Authlogics Servers
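The two ADSI Edit procedures above (removing a server's SCP and removing the shared metadata) as an added PowerShell script; this is not Authlogics' own tooling. It assumes the RSAT ActiveDirectory module, that the shared container and groups are in the forest root domain, and that the retiring server's computer account is in the domain given by -ServerDomain (defaulting to the forest root). Every deletion runs with -WhatIf unless -Commit is passed, and as an added safeguard the shared metadata is refused while any AuthlogicsServer SCP still exists in the forest, since the container is shared by every deployed server. User metadata is deliberately not touched: per the article, that is removed by deleting the users in the Authentication Server MMC.

```powershell
# Added example (not Authlogics' own tooling): AD-side removal steps from the article.
# Assumptions: RSAT ActiveDirectory module; shared container and groups in the forest
# root domain; -ServerDomain names the domain holding the server's computer account.
[CmdletBinding()]
param(
    # sAMAccountName-style name of the Authentication Server's computer account (instance removal, step 2).
    # Uninstall the Authentication Server software first (step 1).
    [string]$ServerComputer,
    [string]$ServerDomain = (Get-ADForest).RootDomain,
    # Also remove CN=Authlogics,CN=System and the three groups (shared metadata removal).
    [switch]$SharedMetadata,
    # Without -Commit every Remove-* call runs with -WhatIf and only reports what it would delete.
    [switch]$Commit
)
Import-Module ActiveDirectory
$preview    = -not $Commit
$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$rootDC     = $rootDomain.PDCEmulator
$scpFilter  = '(&(objectClass=serviceConnectionPoint)(cn=AuthlogicsServer))'

if ($ServerComputer) {
    $dc       = (Get-ADDomain -Identity $ServerDomain).PDCEmulator
    $computer = Get-ADComputer -Identity $ServerComputer -Server $dc
    # Search rather than Get-ADObject -Identity: a missing SCP then yields nothing instead of a terminating error.
    $scp = Get-ADObject -Server $dc -SearchBase $computer.DistinguishedName -SearchScope OneLevel -LDAPFilter $scpFilter
    if ($scp) {
        # -Recursive removes the SCP's sub-objects too; Remove-ADObject refuses a non-leaf object otherwise.
        Remove-ADObject -Identity $scp.DistinguishedName -Recursive -Server $dc -Confirm:$false -WhatIf:$preview
    } else {
        "No AuthlogicsServer SCP found under $($computer.DistinguishedName)"
    }
}

if ($SharedMetadata) {
    # Safeguard (added here, not in the article): the container is shared by every deployed
    # server, so refuse while any AuthlogicsServer SCP remains anywhere in the forest.
    $remaining = foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        Get-ADObject -Server $dom.PDCEmulator -SearchBase $dom.DistinguishedName -LDAPFilter $scpFilter
    }
    if ($remaining) {
        throw "Refusing to remove shared metadata: $(@($remaining).Count) AuthlogicsServer SCP(s) still exist. Remove those instances first."
    }

    $systemDN  = "CN=System,$($rootDomain.DistinguishedName)"
    $container = Get-ADObject -Server $rootDC -SearchBase $systemDN -SearchScope OneLevel -LDAPFilter '(cn=Authlogics)'
    if ($container) {
        # Removes CN=Authlogics,CN=System,... together with its three child objects.
        Remove-ADObject -Identity $container.DistinguishedName -Recursive -Server $rootDC -Confirm:$false -WhatIf:$preview
    } else {
        "Container CN=Authlogics,$systemDN not present"
    }

    foreach ($name in 'Authlogics Administrators', 'Authlogics Operators', 'Authlogics Servers') {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -Server $rootDC
        if ($group) {
            Remove-ADGroup -Identity $group -Server $rootDC -Confirm:$false -WhatIf:$preview
        } else {
            "Group '$name' not present"
        }
    }
}
```

Typical use: `.\Remove-AuthlogicsMetadata.ps1 -ServerComputer AUTHSRV01` to preview the SCP deletion for one retired server, then re-run with `-Commit`; `-SharedMetadata -Commit` only once the preview shows no remaining SCPs. Deleting the groups also drops their membership, which is the same irreversible effect as deleting them in Active Directory Users and Computers, so record the members from the inventory first if they may be needed again.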
