Abstract
Customers that integrate SAP into Active Directory infrastructures can benefit from multiple
functionalities such as Single Sign On, HR module synchronization, etc.
SAP AG describes two methods for installing SAP systems on servers that are part of a domain.
This document describes a third method allowing you to install SAP systems like a domain
administrator but without all the administrator rights.
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft, Win32, Active Directory, Windows and Windows NT are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of
their respective owners.
CONTENTS
INTRODUCTION
Recommended Solution
Predicted Benefits
Technical Details
1. Schema update
2. Rights delegation
Conclusion
References
SAP OSS Note 169468 – Version 43 – Windows 2000 Support
INTRODUCTION
More and more customers are asking to use the same Active Directory domain
infrastructure to manage the user environment and SAP systems. The main benefits of
this integration are new functionalities such as Kerberos Single Sign
On, easier HR module synchronization with Active Directory, and
easier administration of SAP systems using the SAP MMC snap-in, etc.
Another reason for this type of integration is to reduce the cost of operating
the IT system. These cost reductions can be realized by focusing each
administrator population on its main technology (SAP Administrators manage SAP
software, Operating System Administrators manage the operating system,
Active Directory Administrators manage user rights and delegations, and so
on) and by defining, for each group of administrators, an infrastructure that is
easier to administer within its perimeter.
These types of integration increase the business value of each product: SAP
and Active Directory.
SAP AG provides two methods of installing an SAP system on servers that are
members of a domain. These methods are described in the “SAP R/3 Enterprise
on Windows Installation Guides”.
The first method is dedicated to Domain Administrators. This method is the
easiest to follow because all user accounts and groups necessary for SAP are
automatically created in the domain by the R3SETUP or SAPINST program.
But this method requires giving Domain Administrator rights to the people who
must install the SAP system. This could be considered a security issue, which
is one reason why SAP recommends installing SAP systems in their own
Windows Domain.
The second method is dedicated to SAP Administrators that are not Domain
Administrators. This method is a little more difficult because a Domain
Administrator must manually create the user accounts and groups required to install SAP
before the R3SETUP program is started. In this method, the SAP
administrators need to synchronize the deployment of the SAP system with the
operations performed by the Domain Administrator. The Domain Administrator needs
to create the user accounts and groups manually, following exactly the guidelines
provided in the “SAP Installation Guide”. The installation of an SAP system will
be blocked if the user accounts and groups are not created with exactly
the case and the rights specified.
The SAP R3SETUP program and the SAPINST program have been designed
to run on Windows NT4 and Windows 2000 servers. These programs have not
been designed to take advantage of Active Directory delegation tools like
Organizational Units [1]. This is why SAP AG does not recommend installing SAP ser-
[1] The R3SETUP and SAPINST programs create the user accounts and groups needed for SAP
system installation using Windows NT 4.0 commands. These objects will be created in the
default container called “Users”. This container does not accept rights delegation, and because SAP
does not use LDAP commands to create these objects, it is not possible to automatically create these
objects in a specific OU.
[2] This recommendation can be found in the OSS Note 169468 available at the end of this
document.
The following chapters explain in detail the method used to deploy SAP
systems without Domain Administrator rights.
1. Schema update
A schema update of the forest is required to be able to publish SAP services in
Active Directory. Publishing SAP services allows SAP administrators to
use the SAP MMC snap-in more efficiently.
This schema extension is provided by SAP. It adds a few objects and
attributes, but none of these attributes are published to the forest Global Catalog.
Therefore, there is no impact on the Active Directory replication traffic.
This schema update can only be performed by administrators who hold
Schema Administrators rights. This means the schema update will not be made
by SAP Administrators. Fortunately, this upgrade has to be done only once per
Active Directory forest.
The easiest way to extend the Active Directory for SAP is to use the R3SETUP
program delivered with an SAP 4.6d or 6.10 Kernel. Once the R3SETUP
program has been installed, a Schema Administrator will be able to extend the
Active Directory schema using the shortcut “Configure Active Directory for
SAP”.
2. Rights delegation
Rights delegation is required in order to give the SAP Administrators the maximum
autonomy necessary to perform their usual function. It has to be performed
by a Domain Administrator of the domain where SAP servers are installed. This
task must be done for each domain where SAP servers are installed, but it is
only done once for each domain.
This delegation is performed as follows:
• The Domain Administrator will start the MMC snap-in “Active Directory
Users and Computers”.
• Connect this MMC to the domain where SAP servers from a system are
to be added.
• Use this MMC to create a group for all user accounts of people
designated as SAP Administrators.
1. In the SAP OU, select the newly created user account in the list on the
right-hand side and double-click it.
2. Select the “Member of” tab.
3. Choose Add.
4. Select the new SAP_<SAPSID>_GlobalAdmin group and choose Add
to add it to the list at the bottom.
By default, the user is also a member of the Domain Users group.
5. Click OK twice.
SAP itself has tested it and has written an OSS note briefly describing how to
proceed manually. The OSS note is referenced as “OSS Note 711319 – Domain
Installation using delegation of administration in AD”.
(see http://service.sap.com/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700007554442001)
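The following check is an added example, not code from the white paper, SAP or Microsoft. Before an installation is started under the delegated method, it tests each <sid>adm account against three points made above: the account sits in the delegated SAP OU rather than the default “Users” container, it is a member of SAP_<SAPSID>_GlobalAdmin with exactly that case, and it is not a Domain Administrator. The domain DC=corp,DC=example, the SIDs PRD and QAS, the function names and the export format are assumptions made for illustration.

```python
import re

def rdns(dn):
    """Split a DN into its RDNs; a comma escaped with a backslash is not a separator."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def check_account(dn, member_of, sapsid, sap_ou="OU=SAP"):
    """Return findings for one account; an empty list means the account passes."""
    findings = []
    parents = [p.upper() for p in rdns(dn)[1:]]
    if parents and parents[0] == "CN=USERS":
        findings.append("located in default Users container")
    elif sap_ou.upper() not in parents:
        findings.append("located outside " + sap_ou)

    expected = "SAP_%s_GlobalAdmin" % sapsid
    groups = [rdns(g)[0].split("=", 1)[1] for g in member_of]
    if expected not in groups:
        wrong_case = [g for g in groups if g.lower() == expected.lower()]
        if wrong_case:
            findings.append("group case mismatch: %s, expected %s" % (wrong_case[0], expected))
        else:
            findings.append("not a member of " + expected)
    if any(g.lower() == "domain admins" for g in groups):
        findings.append("member of Domain Admins")
    return findings

# Constructed sample export: <sid>adm account -> (its DN, DNs of its groups).
BASE = "DC=corp,DC=example"
SAMPLE = {
    "prdadm": ("CN=prdadm,OU=SAP," + BASE,
               ["CN=SAP_PRD_GlobalAdmin,OU=SAP," + BASE]),
    "qasadm": ("CN=qasadm,CN=Users," + BASE,
               ["CN=sap_qas_globaladmin,CN=Users," + BASE,
                "CN=Domain Admins,CN=Users," + BASE]),
}

def audit(accounts):
    """Check every account; the SAPSID is taken from the <sid>adm name."""
    return {name: check_account(dn, groups, name[:-3].upper())
            for name, (dn, groups) in accounts.items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

In the sample, prdadm passes and qasadm is reported on all three points.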
Symptom
Information about the release of databases, database versions and SAP releases for
Windows 2000 can be found in the SAP Service Marketplace:
http://service.sap.com/platforms
For SAP 3x releases, there are only special releases that must be specially ordered by
customers. Kernel 3.1I is required for the upgrade.
For Oracle, no special release is required, but the 3.1I_COM CD has to be used.
Windows 2000
Solution
In the following, you will find a short summary of the special features to be observed on
Windows 2000. Important general notes on the SAP new installation and the operating
system upgrade can be found.
For information on the operating system upgrade within the scope of a SAP system
upgrade to release 4.0B, 4.5B, 4.6B or later, refer to Note 179274.
a) General
Contains information on the SAP new installation on Windows 2000 and on the
operating system upgrade.
d) Additional information
Contains further information relevant for Windows 2000. In particular, important
aspects of the SAP domain under Windows 2000 are described.
a) General
Note the following points when you install a SAP system under Windows 2000 or
upgrade an operating system:
Language versions
For SAP Server, only the "International English" language version of Windows 2000
is supported. If you want to use another language for the user interface,
you can install the so-called "Multilanguage User Interface" kit (MUI). For
information on the installation and usage of MUI, please refer to Note 362379.
DB software installation
The database software installation may not function with a Terminal Server
Session (affects Microsoft SQL Server). The software can be installed with
pcAnywhere or locally on the console of the respective computer.
Enter the following command prior to the installation at the command prompt:
change user /install
After the installation enter the following command:
change user /execute
pcAnywhere
For Windows 2000 use pcAnywhere Version 9.01 or higher only.
Temp variables
After the SAP installation or after the operating system upgrade, check the
TEMP and TMP variables of the <sid>adm user. In Windows 2000, you may
obtain invalid or unfavorable values. A short and user-independent path such
as "c:\temp" is best suited for SAP.
b) SAP reinstallation
The procedure of a new installation of the SAP system depends on the release.
As of release 4.6B, the SAP releases that are released for Windows NT are
fully compatible with Windows 2000. No special actions are necessary. Follow
the instruction for a standard SAP installation in the implementation guide "R/3
installation on Windows NT".
The same applies to R/3 4.0B COM.
Release 4.5B
DLLs
Prior to the beginning of the installation import the current version of the
Dynamic Link Libraries R3DLLINS for Windows 2000. To do this, unpack
R3SETUP Tool
Use the R3SETUP version that is stored for Windows 2000 in the SAP Service
Marketplace. For this purpose, download file R3SETUP_<Patch-Level>.CAR.
Kernel exchange
After the installation with R3SETUP, replace the R/3 kernel. If you do not
replace it, you will get the error "SICK" at the first log-on attempt after the start.
Download the following two patches from the SAP Service Marketplace
(www.service.sap.com/patches) and unpack them to directory usr\sap\exe:
dw1_<patch-level>
dw2-<Patch-level>
Use at least patch level 186.
SAPOSCOL
Use the current saposcol version. This version supports the changed
performance counter of Windows 2000 to determine values for ST06 and RZ20.
The latest version is stored in file saposcol_<Patch Level>.CAR in the SAP
Service Marketplace.
If you upgrade an existing SAP system to Windows 2000 perform the following actions
described in section "SAP new installation":
d) Additional information
Terminal Service
All kernel objects (shared memory, semaphores, events...) can be used for
operation with "Terminal Service". External error analysis programs (dpmon..)
also support the "Terminal Service" of Windows 2000, that is, an R/3 system in
a Terminal session can be monitored.
For NT 4 there are two models for the SAP system domain:
- the single domain and
- the additional domain.
Single domain
All users and the SAP system build one single domain. This domain
can be migrated to Windows 2000 and exist there as single domain.
Additional domain
Here, there is one domain for the users and a second domain for the
SAP system(s). For a migration to Windows 2000 the SAP system
domain has to be created as a child domain under the user domain. A
"Top-down" procedure is to be used. The higher domain (the user
domain) must be migrated prior to the SAP child domain. If the user and
SAP domains are part of a larger domain structure, the complete domain
structure for Windows 2000 needs to be planned in a preparatory phase.
Usually, the structure created under NT 4 has to be re-arranged and
consolidated.
The name space of the root domain and all subordinated domains has
to be defined and the distribution of the DNS services needs to be
determined.
Here, note the following:
- The SAP domain has to be created as child domain.