Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Centralized names resolution

Re: Centralized names resolution

From: Plunkett, Lyn <>
Date: Tue, 14 Feb 2006 15:52:29 -0600
Message-ID: <>

As requested, some info/lessons learned on implementing tnsname info in AD. Let me say up front that I did not implement this, but have inherited it, and the DBA who implemented it did a good job and we had very little fallout. Disclaimer: neither myself or my employer take any responsibility for what you might do with the info. (Sheesh, I feel like a lawyer, but this email is coming from my work account. :-) )  

  1. Version gotchas. We used the 10g client for configuring AD, as there is a bug in 9.2 that can cause problems if it was used to set it up.
  2. Domain gotchas. Remember that the AD tree has your domain at the root. If there are any other hardcoded extensions in apps, like the old .world, it will not be able to find them in an AD-based lookup. In this case, we had some very old apps that unfortunately had connectstrings with .world hardcoded. The workaround for us was to grandfather a tnsnames, which had the old entries with the .world, and will not change. If this is not a problem for you, ignore my further comments about the tnsnames.
  3. AD Security. In AD, anonymous needs read to the area with the tns information in it. Our AD administrators limited this to only this part of AD. The DBA group has read/write to the same area.
  4. Setup. The NetConfiguration assistant was used to configure 'Directory Usage Configuration', with a directory type of "Microsoft Active Directory", and using the option to create/upgrade the Oracle schema, etc. You will need to know the server your directory service is located on, and have rights to create the schema in AD. (Strongly recommend trying this in a test AD environment first.)
  5. Loading the service info. NetManager can be used next to import/export the services.
  6. sqlnet.ora/ldap.ora files. The clients will not use AD until you have changed the sqlnet.ora/ldap.ora The sqlnet.ora and ldap.ora files are used on the clients to set up a searchpath that looks in the grandfathered tnsnames first, then LDAP (the other order did not work) sqlnet.ora:contains a line NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP) Sample ldap.ora------------------------------------- DEFAULT_ADMIN_CONTEXT = "your-list-of-domain-components-here" # example: DEFAULT_ADMIN_CONTEXT = "DC=x,DC=y,DC=com" (for DIRECTORY_SERVERS= (your-ldapserver:your-port:your-SSL-port) DIRECTORY_SERVER_TYPE = AD
  7. RAC. The aforementioned export/import did not handle RAC entries well, so we used adsvw.exe to manage these entries. This is not an Oracle tool, but worked fine.
  8. Useful metalink notes: 146605.1, 250413.1, 202156.1, 247863.1, 461635.999, 428767.995, 211014.1


Received on Tue Feb 14 2006 - 15:52:29 CST

Original text of this message