June 2004

Enabling Enterprise Identity Management with SAP and Active Directory

Abstract

Customers who integrate SAP into an Active Directory infrastructure can benefit from functionality such as Kerberos Single Sign-On and synchronization of the HR module with the directory.

SAP AG describes two methods for installing SAP systems on servers that are members of a domain.

This document describes a third method that lets an SAP administrator install SAP systems the way a Domain Administrator would, but without holding Domain Administrator rights: the rights needed for the installation are delegated on one Organizational Unit.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2004 Microsoft Corporation. All rights reserved.

Microsoft, Win32, Active Directory, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
CONTENTS

INTRODUCTION
Recommended Solution
Predicted Benefits
Technical Details
  1. Schema update
  2. Rights delegation
  3. Preparing the installation
     Users' accounts and groups
       I. Creating the New Group
       II. Creating the New Users
       III. Adding the <sapsid>adm User account to the SAP_<SAPSID>_GlobalAdmin Group
       IV. Adding the SAPService<SAPSID> User account to the SAP_<SAPSID>_GlobalAdmin Group
     Computers' accounts and operating system installation
  4. SAP system installation
Conclusion
References
  SAP OSS Note 169468 – Version 43 – Windows 2000 Support
INTRODUCTION

More and more customers ask to use the same Active Directory domain infrastructure to manage both the user environment and the SAP systems. The benefits of this integration are mainly new functionality: Kerberos Single Sign-On, easier synchronization of the HR module with Active Directory, and easier administration of SAP systems with the SAP MMC snap-in.

Another reason for this type of integration is to reduce the cost of operating the IT system. These cost reductions come from focusing each administrator population on its main technology (SAP Administrators manage the SAP software, Operating System Administrators manage the operating system, Active Directory Administrators manage user rights and delegations, and so on) and from defining an infrastructure that each group of administrators can manage more easily within its own perimeter.

This type of integration increases the business value of each product, SAP and Active Directory.

SAP AG provides two methods for installing an SAP system on servers that are members of a domain. These methods are described in the "SAP R/3 Enterprise on Windows Installation Guides".

The first method is intended for Domain Administrators. It is the easiest to follow because all user accounts and groups necessary for SAP are created automatically in the domain by the R3SETUP or SAPINST program. But it requires giving Domain Administrator rights to the people who install the SAP system. This is a security issue: an installation account that is a Domain Administrator can modify every object in the domain, not only the SAP ones. It is one reason why SAP recommends installing SAP systems in their own Windows domain.

The second method is intended for SAP Administrators who are not Domain Administrators. It is a little more difficult because a Domain Administrator must manually create the user accounts and groups required by the installation before the R3SETUP program is started. The SAP administrators therefore have to synchronize the deployment of the SAP system with operations performed by the Domain Administrator, who must create the user accounts and groups exactly as specified in the "SAP Installation Guide". The installation of an SAP system is blocked if these accounts and groups are not created with exactly the right case and the right rights.
The SAP R3SETUP program and the SAPINST program were designed to run on Windows NT 4.0 and Windows 2000 servers. They were not designed to take advantage of Active Directory delegation tools such as Organizational Units [1]. This is why SAP AG does not recommend installing SAP servers in an organizational unit (OU) of a domain [2].

[1] The R3SETUP and SAPINST programs create the user accounts and groups needed for the SAP system installation with Windows NT 4.0 commands. These objects are therefore created in the default container called "Users". This container is not an OU, so it cannot serve as the delegation boundary described below, and because SAP does not use LDAP calls to create these objects, it is not possible to create them automatically in a specific OU.

Windows Server 2003 White Paper 1

RECOMMENDED SOLUTION

As we can see, these two methods do not benefit from Active Directory, and they usually lead customers to consider a dedicated SAP domain necessary.

The main purpose of Active Directory is to simplify the domain architecture by reducing the number of domains to deploy. This is done by creating bigger domains, which also reduces replication traffic, and by making it possible to delegate administrative tasks such as account creation to people who are not Domain Administrators. This delegation is performed on Organizational Unit containers.

As seen earlier, the SAP installation programs cannot take advantage of OUs. But it is possible to delegate the rights to create new user accounts, new groups and new computer accounts to a group of people (let us call it the "SAP Installation Group") without giving them full Domain Administrator rights.

With this delegation, the group is able to create manually all the users and groups required to install an SAP system without asking a Domain Administrator for help. Moreover, the group is able to pre-create computer accounts in this OU, and so to add new servers to the domain. All the servers are in the same OU, so their configuration can be enforced with GPOs linked to the SAP dedicated OU.

After a server has been added to the domain, the SAP Installation Group can be added, manually or automatically (using a GPO), to the local Administrators group of the server. Once the SAP user accounts and groups have been created in this way, members of the "SAP Installation Group" are able to start the R3SETUP or SAPINST program to install an SAP central instance, an SAP application server or any other component. Note that this group then has full control over every SAP server and over every object in the SAP OU; its membership should be kept as small as Domain Admins membership would be, and the group must not be nested into any built-in administrative group.
PREDICTED BENEFITS

With this method, customers can deploy an Active Directory forest with fewer domains. This means the forest is easier to administer. It is easier to implement the Kerberos Single Sign-On mechanism, to synchronize SAP HR with Active Directory, and so on.

SAP Administrators have full autonomy for their usual tasks and deployments. It is not necessary to give them Domain Administrator rights, which eliminates a possible security issue. SAP Administrators are therefore more efficient, and Domain Administrators are not disturbed by low-value tasks such as SAP user account and group management.

SAP Administrators no longer need to manage a dedicated domain (because there is no dedicated SAP domain). They can transfer this task to the Domain Administrators.

Customers are able to reduce the number of servers deployed:
• No dedicated Domain Controllers for an SAP domain,
• Easier sharing of print servers, messaging servers, backup servers and so on.

In conclusion, this method of deployment is a way to reduce direct and indirect IT system costs, and it offers an easier way to deploy new functionality that customers can see as business value.

[2] This recommendation can be found in OSS Note 169468, reproduced at the end of this document.

TECHNICAL DETAILS

The following chapters explain in detail the method used to deploy SAP systems without Domain Administrator rights.

1. Schema update

A schema update of the forest is required to be able to publish SAP services in Active Directory. Publishing SAP services lets SAP administrators use the SAP MMC snap-in more efficiently.

This schema extension is provided by SAP. It adds a few object classes and attributes, but none of these attributes are published to the forest Global Catalog. Therefore, there is no impact on Active Directory replication traffic.

This schema update can only be performed by administrators who hold Schema Administrator rights. This means the schema update will not be made by SAP Administrators. Fortunately, this upgrade has to be done only once per Active Directory forest. As with any schema extension, it cannot be undone once it has replicated, so it should be applied to a test forest first.

The easiest way to extend the Active Directory schema for SAP is to use the R3SETUP program delivered with an SAP 4.6D or 6.10 kernel. Once the R3SETUP program has been installed, a Schema Administrator can extend the Active Directory schema using the shortcut "Configure Active Directory for SAP".

2. Rights delegation

Rights delegation is required to give the SAP Administrators the autonomy they need to perform their usual functions. It has to be performed by a Domain Administrator of the domain where the SAP servers are installed. This task must be done for each domain where SAP servers are installed, but only once per domain.

The delegation is performed as follows:
• The Domain Administrator starts the MMC snap-in "Active Directory Users and Computers".
• Connect this MMC to the domain where the servers of the SAP system are to be added.
• Use this MMC to create a group for the user accounts of all people designated as SAP Administrators.
• Use this MMC to create an Organizational Unit dedicated to SAP servers and call it "SAP", for example.
• Use the Delegation of Control Wizard on the SAP OU to give the SAP Administrators group at least the right to create, delete and modify user accounts, computer accounts and groups. More rights can be delegated if you want to allow SAP Administrators to manage Group Policy Objects linked to this OU.

The delegation must be scoped to the SAP OU only: nothing should be granted at the domain root, and the SAP Administrators group itself must stay outside Domain Admins, Administrators and every other built-in administrative group.
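The same delegation can be scripted, which makes it reviewable and repeatable across domains. The following is an added example, not part of the white paper or of SAP's documentation; it uses dsacls.exe instead of the Delegation of Control Wizard and assumes the OU distinguished name and the group name CORP\SAPInstallers shown in it.

```powershell
# Added example (not from the white paper): delegate on the SAP OU exactly the rights the
# text lists (create, delete and modify user, group and computer objects) to the
# "SAP Installation Group" with dsacls.exe. Run as a Domain Admin of the target domain.
# Assumptions: the OU DN and the group sAMAccountName below.

$ouDn  = 'OU=SAP,DC=corp,DC=example,DC=com'   # assumption: the SAP OU created in step 2
$group = 'CORP\SAPInstallers'                  # assumption: the SAP Administrators group

# Object classes the manual procedure in section 3 (and R3SETUP/SAPINST) need.
$classes = 'user', 'group', 'computer'

foreach ($class in $classes) {
    # CC = create child, DC = delete child, limited to this object class, on the OU
    # itself and inherited by sub-OUs (/I:T = this object and all children).
    & dsacls.exe $ouDn /I:T /G "${group}:CCDC;$class"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for create/delete of $class" }

    # GA = full control, but only on existing objects of that class
    # (/I:S = sub-objects only; the third field is the inherited object type).
    & dsacls.exe $ouDn /I:S /G "${group}:GA;;$class"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for full control of $class" }
}

# Check: list the ACEs that now mention the group, and confirm that nothing was granted
# at the domain root (the delegation must stay inside the SAP OU).
dsacls.exe $ouDn | Select-String -SimpleMatch $group
$domainDn = ($ouDn -split ',', 2)[1]
if (dsacls.exe $domainDn | Select-String -SimpleMatch $group) {
    Write-Warning "$group also appears in the ACL of $domainDn; review that ACL."
}
```

Full control on computer objects is what lets the group later join pre-created servers to the domain, so the check at the end matters: an ACE for the group at the domain root would silently turn the scoped delegation into a domain-wide one.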

3. Preparing the installation

At this point, the SAP Administrators have all the rights needed to install an SAP system. However, they need to do some preparation before installing SAP.

USERS' ACCOUNTS AND GROUPS

Each SAP system needs two domain user accounts (<sapsid>adm and SAPService<SAPSID>) and one domain group (SAP_<SAPSID>_GlobalAdmin). After the rights delegation, an SAP administrator can create these accounts and this group with the MMC snap-in "Active Directory Users and Computers". They must be created in the SAP dedicated OU (the SAP Administrators are not able to create them anywhere else, because the delegation applies only to that OU).

The procedure is as follows:

I. Creating the New Group


To create the SAP_<SAPSID>_GlobalAdmin group:
1. Log on as SAP administrator.
2. To start the Active Directory Users and Computers Console, choose:
Start → Programs → Administrative Tools → Active Directory Users
and Computers
If you cannot find Active Directory Users and Computers, start as
follows:
a. Choose Start → Run and enter mmc.
b. Choose Console → Add/Remove Snap-in... and choose Add.
c. Choose Active Directory Users and Computers.
d. Select Add.
e. When finished, select Close and then OK.
3. On the left tree, right-click on the SAP OU and choose:
New → Group
4. Enter the following:
Group name: SAP_<SAPSID>_GlobalAdmin
Group name (pre-Windows 2000): SAP_<SAPSID>_GlobalAdmin


5. Select the following:
Group scope: Global
Group type: Security
6. Press OK.


II. Creating the New Users

To create the SAP system users <sapsid>adm and SAPService<SAPSID>, proceed as follows:
1. In the Active Directory Users and Computers Console, right-click on the SAP OU in the left tree and choose:
   New → User
2. Enter the following:

   Field name        Entry for <sapsid>adm   Entry for SAPService<SAPSID>
   First name        None                    None
   Initials          None                    None
   Last name         None                    None
   Full name         <sapsid>adm             SAPService<SAPSID>
   User logon name   <sapsid>adm             SAPService<SAPSID>

   Enter the <sapsid>adm and SAPService<SAPSID> users as specified, respecting upper and lower case syntax.
3. Choose Next and enter the following:
   Password: <password>
   Confirm password: <password>
4. Select Password never expires.
   Make sure that no other option is selected.
5. Choose Next and then Finish.

III. Adding the <sapsid>adm User account to the SAP_<SAPSID>_GlobalAdmin Group

1. In the SAP OU, select the newly created user account in the list on the right-hand side and double-click it.
2. Select the "Member of" tab.
3. Choose Add.
4. Select the new SAP_<SAPSID>_GlobalAdmin group and choose Add to add it to the list at the bottom.
   By default, the user is also a member of the Domain Users group.
5. Click OK twice.

IV. Adding the SAPService<SAPSID> User account to the SAP_<SAPSID>_GlobalAdmin Group

1. In the SAP OU, select the newly created user account SAPService<SAPSID> in the list on the right and double-click it.
2. Select the "Member of" tab.
3. Choose Add.
4. Select the new SAP_<SAPSID>_GlobalAdmin group and choose Add to add it to the list at the bottom.
5. Choose OK.
   The SAPService<SAPSID> user account must not be a member of the Domain Users group.
   To remove this group from the "Member of" list:
   i. Select the SAP_<SAPSID>_GlobalAdmin group and choose Set Primary Group.
   ii. Select the Domain Users group and choose Remove to delete it from the "Member of" list.
6. Choose OK to close the SAPService<SAPSID> Properties dialog box.
7. Close the Active Directory Users and Computers Management Console.
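Steps I to IV above are easy to get wrong by hand (a wrong letter case or a forgotten primary-group change blocks R3SETUP). The following is an added example, not part of the white paper or of SAP's documentation, that creates the same objects with the ActiveDirectory PowerShell module (available with RSAT on Windows Server 2008 R2 or later, which postdates this paper) and then verifies them. It assumes the SAPSID "PRD" and the OU distinguished name shown in it, and must be run as a member of the delegated SAP Administrators group.

```powershell
# Added example (not from the white paper): the objects of steps I to IV created by script.
# Assumptions: SAPSID "PRD" and the delegated SAP OU below.
Import-Module ActiveDirectory

$sapsid    = 'PRD'                                   # assumption: the SAP system ID
$ouDn      = 'OU=SAP,DC=corp,DC=example,DC=com'      # assumption: the delegated SAP OU
$groupName = "SAP_${sapsid}_GlobalAdmin"             # SAPSID in upper case
$admUser   = "$($sapsid.ToLower())adm"               # <sapsid>adm is lower case
$svcUser   = "SAPService$sapsid"                     # SAPService<SAPSID> keeps upper case

# I. Global security group in the SAP OU (pre-Windows 2000 name identical to the name).
$grp = New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
                   -GroupCategory Security -Path $ouDn -PassThru

# II. The two user accounts: no first/last name, full name = logon name,
#     "Password never expires" set and every other option cleared.
foreach ($name in @($admUser, $svcUser)) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $name"
    New-ADUser -Name $name -SamAccountName $name -Path $ouDn `
               -AccountPassword $pw -Enabled $true `
               -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
               -CannotChangePassword $false
    # III./IV. Both accounts become members of SAP_<SAPSID>_GlobalAdmin.
    Add-ADGroupMember -Identity $grp -Members $name
}

# IV. SAPService<SAPSID> must not remain in Domain Users. Domain Users is its primary
# group and a primary group cannot be removed, so first point primaryGroupID at the RID
# of the SAP group (its primaryGroupToken), then drop the Domain Users membership.
$token = (Get-ADGroup -Identity $grp -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity $svcUser -Replace @{ primaryGroupID = $token }
Remove-ADGroupMember -Identity 'Domain Users' -Members $svcUser -Confirm:$false

# Check before starting R3SETUP/SAPINST: exact case of the names, password policy,
# group membership, and no Domain Users left on the service account.
foreach ($name in @($admUser, $svcUser)) {
    $u = Get-ADUser -Identity $name -Properties memberOf, PasswordNeverExpires
    if ($u.SamAccountName -cne $name)   { throw "Case mismatch for $name" }
    if (-not $u.PasswordNeverExpires)   { throw "$name: password expiry is not disabled" }
    if ($u.memberOf -notcontains $grp.DistinguishedName) { throw "$name is not in $groupName" }
}
$svc = Get-ADUser -Identity $svcUser -Properties memberOf, primaryGroupID
if ($svc.primaryGroupID -ne $token -or ($svc.memberOf -like 'CN=Domain Users,*')) {
    throw "$svcUser is still a member of Domain Users"
}
```

The passwords are read interactively rather than stored in the script, and the `-cne` comparison is what catches a sAMAccountName stored with the wrong case, which a case-insensitive lookup would hide.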

COMPUTERS' ACCOUNTS AND OPERATING SYSTEM INSTALLATION

Before installing SAP, the SAP Administrators need servers ready for the installation. This means adding SAP dedicated servers with the operating system installed and joined to the domain.

If the customer has an unattended or manual installation process for the operating system, the server installation can be done by an SAP Administrator.

The SAP Administrator only needs to pre-create the servers' computer accounts using the MMC snap-in "Active Directory Users and Computers". The procedure is as follows:
1. Log on as SAP administrator.
2. To start the Active Directory Users and Computers Console, choose:
   Start → Programs → Administrative Tools → Active Directory Users and Computers
   If you cannot find Active Directory Users and Computers, start it as follows:
   a. Choose Start → Run and enter mmc.
   b. Choose Console → Add/Remove Snap-in... and choose Add.
   c. Choose Active Directory Users and Computers.
   d. Select Add.
   e. When finished, select Close and then OK.
3. In the tree on the left, right-click on the SAP OU and choose:
   New → Computer
4. Enter a computer name, click Next twice, then Finish.

The SAP Administrator has to do this for each server. Then the SAP Administrator can run the unattended installation of the operating system on each server. This installation procedure can automatically join the server to the domain if the name used for the server corresponds to one of the newly created computer accounts and the join is performed with the credentials of a member of the delegated group, which holds the required rights on those computer objects.
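For a deployment of several servers the pre-creation is better done from a list than one account at a time. The following is an added example, not part of the white paper or of SAP's documentation, using the ActiveDirectory PowerShell module; it assumes the server names and the OU distinguished name shown in it and is run as a member of the delegated SAP Administrators group.

```powershell
# Added example (not from the white paper): pre-create the computer accounts of steps
# 1 to 4 for a list of planned SAP servers, in the SAP OU only, and verify the result.
# Assumptions: the host names and the delegated SAP OU below.
Import-Module ActiveDirectory

$ouDn    = 'OU=SAP,DC=corp,DC=example,DC=com'      # assumption: the delegated SAP OU
$servers = 'SAPPRDCI', 'SAPPRDDB', 'SAPPRDAPP1'      # assumption: planned server names

foreach ($name in $servers) {
    # The pre-Windows 2000 (NetBIOS) computer name is limited to 15 characters.
    if ($name.Length -gt 15) { throw "$name exceeds the 15-character NetBIOS name limit" }

    # A name that already exists anywhere in the domain must not be created again here:
    # the unattended OS installation would otherwise join an object we do not control.
    $existing = Get-ADComputer -Filter "Name -eq '$name'"
    if ($existing) {
        if ($existing.DistinguishedName -notlike "*,$ouDn") {
            Write-Warning "$name already exists outside the SAP OU: $($existing.DistinguishedName)"
        }
        continue
    }
    New-ADComputer -Name $name -Path $ouDn -Enabled $true
}

# Check: every planned server has an account directly in the SAP OU.
$inOu    = (Get-ADComputer -Filter * -SearchBase $ouDn -SearchScope OneLevel).Name
$missing = $servers | Where-Object { $inOu -notcontains $_ }
if ($missing) { throw "Missing computer accounts: $($missing -join ', ')" }
```

Because the delegation from section 2 gives the group full control over computer objects in the SAP OU only, a pre-existing account elsewhere in the domain is exactly the case the script warns about: the join would fail or, worse, bind the server to an object outside the delegated perimeter.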

4. SAP system installation

At this point, everything is ready to follow the normal installation procedure for SAP systems given by SAP AG. This procedure depends on the version of the SAP R/3 kernel to deploy. Please follow the instructions given by SAP in the Installation Guide corresponding to the version of SAP R/3 you want to install.

CONCLUSION

Since the first draft of this white paper, multiple customers have deployed their SAP systems using this methodology.

SAP itself has tested it and has written an OSS note briefly describing how to proceed manually. The OSS note is referenced as "OSS Note 711319 – Domain Installation using delegation of administration in AD".

REFERENCES

SAP OSS Note 169468 – Version 43 – Windows 2000 Support

(see http://service.sap.com/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700007554442001)

Symptom

Availability of Windows 2000 Server

Depending on the SAP Release and the database version, some special features for Windows 2000 have to be observed for a new installation or an operating system upgrade.

Release of databases for Windows 2000

Information about the release of databases, database versions and SAP releases for Windows 2000 can be found in the SAP Service Marketplace:

http://service.sap.com/platforms

For SAP 3.x releases, there are only special releases that must be specially ordered by customers. Kernel 3.1I is required for the upgrade.

For Oracle, no special release is required, but the 3.1I_COM CD has to be used.

The following information is valid for:

- Windows 2000 Server
- Windows 2000 Advanced Server
- Windows 2000 Data Center Server

Additional key words

Windows 2000


Cause and preconditions

Solution

In the following, you will find a short summary of the special features to be observed on Windows 2000. Important general notes on the SAP new installation and the operating system upgrade can be found.

For information on the operating system upgrade within the scope of an SAP system upgrade to release 4.0B, 4.5B, 4.6B or later, refer to Note 179274.

This Note is subdivided into the following sections:

- a) General
  Contains information on the SAP new installation on Windows 2000 and on the operating system upgrade.

- b) SAP new installation
  Contains information on the new installation of a 4.0B, 4.5B, 4.6B or later SAP system.

- c) Operating system upgrade
  Contains notes for the upgrade of the operating system of an existing SAP system.

- d) Additional information
  Contains further information relevant for Windows 2000. In particular, important aspects of the SAP domain under Windows 2000 are described.

a) General

Note the following points when you install an SAP system under Windows 2000 or upgrade an operating system:

- Language versions
  For SAP servers, only the "International English" language version of Windows 2000 is supported. If you want to use another language for the user interface, you can install the so-called "Multilanguage User Interface" kit (MUI). For information on the installation and usage of MUI, please refer to Note 362379.

- Windows 2000 Advanced Server Cluster Support (MSCS)
  You can use the Cluster Service from Windows 2000 for databases and SAP releases which have been released for Windows 2000. However, you need to import either Windows 2000 Service Pack 1 and two additional Microsoft Hotfixes (Q257577 and Q265017), or Windows 2000 Service Pack 2 and one additional Hotfix (Q265017).
  For further information see Notes 30478 and 144310.


- ADSI and MMC
  These components already exist in Windows 2000 and must not be installed from the kernel CD.

- Terminal Server Service
  On the R/3 application server, terminal services can be used for server administration in 'remote administration mode' (just as with pcAnywhere). Only known exception: console messages (for example during the DB installation) are not displayed.
  Using terminal services in 'Application server mode' on an R/3 server must be avoided at all costs. The additional load negatively affects system performance.

- DB software installation
  The database software installation may not function within a Terminal Server session (affects Microsoft SQL Server). The software can be installed with pcAnywhere or locally on the console of the respective computer.
  Enter the following command at the command prompt prior to the installation:
  change user /install
  After the installation enter the following command:
  change user /execute

- SAP DB only: DLL pcr62md.dll
  SAP DB Version 6.2 requires an additional DLL on Windows 2000. The required DLL, pcr62md.dll, is stored in the SAP Service Marketplace.

- pcAnywhere
  For Windows 2000 use pcAnywhere Version 9.01 or higher only.

- Temp variables
  After the SAP installation or after the operating system upgrade, check the TEMP and TMP variables of the <sid>adm user. In Windows 2000, you may obtain invalid or unfavorable values. A short and user-independent path such as "c:\temp" is best suited for SAP.

b) SAP new installation

The procedure for a new installation of the SAP system depends on the release.

Release 4.6B and later releases, and 4.0B COM

- As of release 4.6B, the SAP releases that are released for Windows NT are fully compatible with Windows 2000. No special actions are necessary. Follow the instructions for a standard SAP installation in the implementation guide "R/3 installation on Windows NT".
  The same applies to R/3 4.0B COM.

Release 4.5B

- DLLs
  Prior to the beginning of the installation, import the current version of the Dynamic Link Libraries R3DLLINS for Windows 2000. To do this, unpack R3DLLINS.car for your platform from the attachment to Note 65878. Then execute file R3DLLINS.EXE manually.

- R3SETUP Tool
  Use the R3SETUP version that is stored for Windows 2000 in the SAP Service Marketplace. For this purpose, download file R3SETUP_<Patch-Level>.CAR.

- Kernel exchange
  After the installation with R3SETUP, replace the R/3 kernel. If you do not replace it you will get error "SICK" after the first log-on attempt after the start. Download the following two patches from the SAP Service Marketplace (www.service.sap.com/patches) and unpack them to directory usr\sap\exe:
  dw1_<patch-level>
  dw2_<patch-level>
  Use at least patch level 186.

- SAPOSCOL
  Use the current saposcol version. This version supports the changed performance counters of Windows 2000 to determine values for ST06 and RZ20. The latest version is stored in file saposcol_<Patch Level>.CAR in the SAP Service Marketplace.

c) Operating system upgrade

If you upgrade an existing SAP system to Windows 2000, perform the following actions described in section "SAP new installation":

- Install the latest R3DLLINS version.
- Replace the R/3 kernel.
- Use the latest saposcol version.
- Only SAP DB: See Note 315237.

d) Additional information

- Compatibility of the hardware with Windows 2000
  The upgrade to Windows 2000 may be carried out only if the hardware has been explicitly released for this purpose. This can be checked in one of the following ways:
  - If the Windows 2000 CD is available, compatibility can be checked using program WINNT32.EXE in the \I386 directory. The exact statement is: <DRIVE:>\I386\WINNT32 /CHECKUPGRADEONLY. The result is stored as text file WINNT32.LOC in the present Windows directory (e.g. C:\WINNT).
  - The hardware has successfully passed SAP hardware certification (www.addon.de/fcert).
  - The hardware is contained in the Microsoft Hardware Compatibility List (www.microsoft.com/hcl).
  - The hardware has been released for Windows 2000 by the manufacturer. This information is published on the corresponding website.

- Kerberos Single Sign-On
  When the SAP system is installed on Windows 2000 you can set up Kerberos Single Sign-On. If you use the Kerberos protocol, the information exchanged between the SAP front-end and the application server for authentication is encrypted.
  The procedure for setting up Single Sign-On is described in all recent installation guides. You can, for example, download the installation guide 4.6C SR 2 from the SAPNet, alias "Instguides".

- Terminal Service
  All kernel objects (shared memory, semaphores, events...) can be used for operation with "Terminal Service". External error analysis programs (dpmon...) also support the "Terminal Service" of Windows 2000, that is, an R/3 system in a Terminal session can be monitored.

- Using more than 4GB RAM
  Zero Administration Memory Management from SAP (see Note 88416) automatically supports main memory larger than 4GB under Windows. SAP however does not use the AWE (Address Windowing Extensions) API from Windows 2000. An SAP instance consists of several work processes, and each work process can use up to 2GB (or 3GB) of physical memory within its own virtual address space.

- SAP domain under Windows 2000
  Follow the instructions of the Windows documentation for the migration of an NT 4 domain to Windows 2000. For the SAP environment some additional points need to be observed.

  For NT 4 there are two models for the SAP system domain:
  - the single domain and
  - the additional domain.

  - Single domain
    All users and the SAP system build one single domain. This domain can be migrated to Windows 2000 and exist there as a single domain.

  - Additional domain
    Here, there is one domain for the users and a second domain for the SAP system(s). For a migration to Windows 2000 the SAP system domain has to be created as a child domain under the user domain. A "top-down" procedure is to be used: the higher domain (the user domain) must be migrated prior to the SAP child domain. If the user and SAP domains are part of a larger domain structure, the complete domain structure for Windows 2000 needs to be planned in a preparation phase. Usually, the structure created under NT 4 has to be re-arranged and consolidated.

    The name space of the root domain and all subordinate domains has to be defined and the distribution of the DNS services needs to be determined.
    Here, note the following:
    - The SAP domain has to be created as a child domain.
    - The SAP domain must not be converted into an organizational unit (OU). OUs are not supported by R3SETUP and R3up.