Integrated Authentication and Integrated Authentication with Login Prompt modes require several prerequisites and additional implementation steps.
· Microsoft Active Directory on Windows Server 2008 must be implemented in Native Mode
· All J1 users needing access to the J1 applications must exist in a single Active Directory domain
· The person implementing the steps for the SQL Server must have System Administrator rights on the SQL Server
· The person implementing the steps for the Active Directory must have Control rights in the J1 Organizational Unit (J1 OU)
· SQL Server Agent must be operational and running under the security context of a service account that has read rights in the J1 OU and DBO rights in the J1 database. The service account often also holds the sysadmin (SA) role on the SQL Server, but only the rights listed are required for the sync.
The following steps must be carried out for each J1 database that will be using integrated security:
Step 1: Create the J1 OU
1. Access your database server as a user with administrative permissions.
2. Access Active Directory Users and Computers.
3. In the console tree, right-click on your school's domain name.
4. Point to New and select Organizational Unit. The New Object - Organizational Unit window appears.
5. Enter the name of the J1 OU you are adding. This is the parent OU; do not include a database name in it (the database OUs are created beneath it in Step 3).
6. Click OK. The New Object - Organizational Unit window closes and the Active Directory Users and Computers window reappears, showing the newly created J1 OU.
Note: Jenzabar recommends granting the AD group responsible for managing J1 application security FULL CONTROL permissions:
a. Right-click on the new OU and select Delegate Control.
b. In the Welcome pane, click Next.
c. In the Users and Groups pane, click Add.
d. In the Enter the object names to select box, enter the AD group or user name managing application security, and then click OK.
e. Click Next.
f. In the Tasks to Delegate pane, select the Create, delete, and manage user accounts checkbox and the Read all user information checkbox, and then click Next.
g. Click Finish.
Step 2: Enter the J1 OU DN in the J1 Configuration Table
1. Access J1 Desktop as a user with administrative permissions.
2. Access the Maintain Config Table window.
3. Locate the J1 OU setting using the TL module, GLOBAL_VARIABLE function, EX_ORG_UNIT characteristic columns.
4. Change the value (it begins with OU=) to the distinguished name (DN) of the J1 OU you created in Step 1.
5. Locate the AD Sync Setting using the TL module, GLOBAL_VARIABLE function, AD_SYNC_OPTION characteristic.
6. If your school has installed 6.5.6 or 7.2.0:
Enter B to synchronize J1 users and groups
Enter U to synchronize J1 users
If your school has not installed 6.5.6 or 7.2.0, only B may be entered.
7. Click Save.
Step 3: Create a J1 Database OU
1. Log into your database server as an administrative user.
2. Access Active Directory Users and Computers.
3. In the console tree, right-click on the J1 OU you created in Step 1 (the database OU is created beneath it, not at the domain level).
4. Point to New and select Organizational Unit. The New Object - Organizational Unit window appears.
5. Enter the name of the database OU you are adding. The name must be entered in uppercase letters.
Note: THE DATABASE NAME ENTERED MUST MATCH YOUR J1 DATABASE NAME EXACTLY AND MUST BE ENTERED IN ALL UPPERCASE LETTERS. Failure to do so will result in errors.
6. Click OK. The New Object - Organizational Unit window closes and the Active Directory Users and Computers window reappears, showing the newly created database OU. The example below shows the J1 OU with two new database OUs created beneath it, one for the TMSEPRD database and one for the TMSEPLY database.
Step 4: Create a New Universal Security Group
Create the new EXAPPUSERS_dbname universal security group in the new J1 Database OU (dbname is the name of your database).
Note: For the TMSEPRD database OU, the group would be EXAPPUSERS_TMSEPRD.
1. From your database server, access Active Directory Users and Computers.
2. In the console tree, right-click on the database OU and select New.
3. From the New options, select Group. The New Object - Group window appears.
4. In the Group Name field, enter EXAPPUSERS_dbname where dbname is the name of your database.
![]() |
THE NAME ENTERED MUST BE ENTERED EXACTLY AS SHOWN HERE AND MUST BE ENTERED IN ALL UPPERCASE LETTERS. Failure to do so will result in errors. |
5. From the Group scope options, select Universal. If the Universal option is shaded, see the note below.
Note: The Universal option is shaded when the domain functional level is still Windows 2000 mixed rather than Windows Server 2008. Your IT staff must raise the functional level to Windows Server 2008. If this is not possible, you will not be able to implement AD security for J1.
The following figure shows the window used to raise the domain functional level from Windows 2000 mixed to Windows Server 2008 in the Active Directory Domains and Trusts console. Generally, you will not need to open this console if the Universal group scope shown in Figure 6 is available.
Note: RAISING THE DOMAIN FUNCTIONAL LEVEL IS AN IRREVERSIBLE OPERATION IN ACTIVE DIRECTORY AND MAY HAVE UNPLANNED CONSEQUENCES. ONLY TAKE THIS STEP WHEN YOU HAVE EVALUATED THE WHOLE IMPACT OF THE STEP. AT A MINIMUM, YOU NEED TO REVIEW MICROSOFT KNOWLEDGE BASE ARTICLE 322692 BEFORE RAISING THE DOMAIN FUNCTIONAL LEVEL.
6. From the Group type options, select Security.
7. Click the OK button. The universal security group is created and the New Object - Group window closes.
8. If needed, create an EXAPPUSERS_dbname universal security group in each additional database OU.
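The OU and group creation in Steps 1, 3 and 4 can be scripted and checked with the Active Directory module for Windows PowerShell. The script below is an added example, not Jenzabar's tooling. The J1 OU name J1, the database list and the domain returned by Get-ADDomain are assumptions. It stops if the domain functional level is below Windows Server 2008 (the condition that greys out the Universal scope) or if a database name is not all uppercase, and it prints the J1 OU distinguished name needed for EX_ORG_UNIT in Step 2 and the login names needed in Step 5.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Jenzabar code: creates the J1 OU (Step 1), one uppercase
# database OU per J1 database beneath it (Step 3) and the EXAPPUSERS_<DB>
# universal security group inside each (Step 4), checking the domain functional
# level first. Assumptions: the J1 OU is called 'J1'; the database names are
# the ones used in the page's figures; the domain is whatever Get-ADDomain returns.
param(
    [string]   $J1OuName      = 'J1',
    [string[]] $DatabaseNames = @('TMSEPRD', 'TMSEPLY')
)
Import-Module ActiveDirectory -ErrorAction Stop

function Get-AdOuOrNull([string] $Dn) {
    # Get-AD* -Identity throws a terminating error when the object is missing.
    try { Get-ADOrganizationalUnit -Identity $Dn -ErrorAction Stop } catch { $null }
}

$domain   = Get-ADDomain
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
# The Universal scope is greyed out below the Windows Server 2008 level (the note in
# Step 4); stop here with a clear message instead of failing at New-ADGroup.
if ([int]$domain.DomainMode -lt [int]$required) {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2008 (review KB 322692 first)."
}

# Step 1: the parent J1 OU, with no database name in it.
$j1OuDn = "OU=$J1OuName,$($domain.DistinguishedName)"
if (-not (Get-AdOuOrNull $j1OuDn)) {
    New-ADOrganizationalUnit -Name $J1OuName -Path $domain.DistinguishedName -ProtectedFromAccidentalDeletion $true
}
Write-Output "EX_ORG_UNIT value for Step 2: $j1OuDn"

foreach ($db in $DatabaseNames) {
    # Step 3: the database OU name must equal the J1 database name, all uppercase.
    if ($db -cne $db.ToUpperInvariant()) {
        throw "Database OU name '$db' must be all uppercase and match the J1 database name exactly."
    }
    $dbOuDn = "OU=$db,$j1OuDn"
    if (-not (Get-AdOuOrNull $dbOuDn)) {
        New-ADOrganizationalUnit -Name $db -Path $j1OuDn -ProtectedFromAccidentalDeletion $true
    }

    # Step 4: EXAPPUSERS_<DB>, Universal scope, Security type, inside the database OU.
    $groupName = "EXAPPUSERS_$db"
    $existing  = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $dbOuDn -SearchScope OneLevel
    if (-not $existing) {
        New-ADGroup -Name $groupName -SamAccountName $groupName -Path $dbOuDn `
                    -GroupScope Universal -GroupCategory Security `
                    -Description "J1 application users for database $db"
    }
    elseif ($existing.GroupScope -ne 'Universal' -or $existing.GroupCategory -ne 'Security') {
        throw "$groupName exists but is $($existing.GroupCategory)/$($existing.GroupScope); recreate it as a Universal security group."
    }
    Write-Output "Step 5 login name for ${db}: $($domain.NetBIOSName)\$groupName"
}
```

Run it as an account that has been delegated control of the J1 OU; it is safe to re-run, since existing OUs and groups are left alone and only a group with the wrong scope or type is reported.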
Step 5: Create an Integrated Login
Create an integrated login tied to the EXAPPUSERS_dbname group created in Step 4.
1. Connect to SQL Management Studio as a system administrator.
2. Under Security, Logins, right-click and select New Login. The Login Properties window appears.
3. In the Login name field, enter DOMAIN\EXAPPUSERS_dbname (the group created in Step 4) using Windows authentication, and map the login as a user in the relevant J1 database.
Note: The login does not need to be added to any database role beyond public.
4. Grant the group SELECT rights on the TE_LOGIN table.
Note: By default, all users in the database should have SELECT rights on the TE_LOGIN table through the PUBLIC role.
The following example shows the Login Properties for the JENZABAR\EXAPPUSERS_TMSEPRD Windows authentication login in SQL Server 2005; SQL Server 2008 is similar. The "JENZABAR" portion of the login name is Jenzabar's internal domain name; your login name will begin with your own Active Directory domain name.
The following figure shows the JENZABAR\EXAPPUSERS_TMSEPRD login being set up as the JENZABAR\EXAPPUSERS_TMSEPRD user in the TMSEPRD database with rights in the PUBLIC role.
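Step 5 can also be done in T-SQL from PowerShell, which makes it easy to repeat for every J1 database. The block below is an added example and is not from the original page: it creates the Windows login for the group, maps it into the database, grants SELECT on TE_LOGIN, and then reads the effective grant back from sys.database_permissions (a Windows group user cannot be impersonated with EXECUTE AS, so the catalog is the practical way to verify it). The instance name, the NetBIOS domain name JENZABAR (the page's own example) and the SqlServer module that provides Invoke-Sqlcmd are assumptions.

```powershell
#Requires -Modules SqlServer
# Added example, not Jenzabar code, for Step 5: login, database user and TE_LOGIN
# SELECT grant for the EXAPPUSERS_<DB> group. Instance and domain names are assumptions.
param(
    [string] $Instance = 'HBG-PDSQL',   # example instance name used later in Step 9
    [string] $Domain   = 'JENZABAR',    # replace with your AD NetBIOS domain name
    [string] $Database = 'TMSEPRD'
)
$loginName = "$Domain\EXAPPUSERS_$($Database.ToUpperInvariant())"
# The names are typed by the administrator, not by end users, but refuse anything
# that could break out of the bracket-quoted identifiers below.
if ($loginName -match '[\[\]''"]') { throw "Unexpected characters in login name '$loginName'" }

# Idempotent, so it can be run once per J1 database and re-run safely.
$setup = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$loginName')
    CREATE LOGIN [$loginName] FROM WINDOWS WITH DEFAULT_DATABASE = [$Database];
GO
USE [$Database];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$loginName')
    CREATE USER [$loginName] FOR LOGIN [$loginName];
GO
-- No role beyond public is needed. The explicit grant covers sites that have
-- revoked public's SELECT on TE_LOGIN.
GRANT SELECT ON dbo.TE_LOGIN TO [$loginName];
GO
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database 'master' -Query $setup -ErrorAction Stop

# Verify: SELECT on TE_LOGIN must be granted to the group user or to public.
$check = @"
SELECT pr.name AS grantee, dp.state_desc, dp.permission_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class = 1
  AND dp.major_id = OBJECT_ID(N'dbo.TE_LOGIN')
  AND dp.permission_name = N'SELECT'
  AND pr.name IN (N'$loginName', N'public');
"@
$rows = Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $check -ErrorAction Stop
if (-not ($rows | Where-Object { $_.state_desc -like 'GRANT*' })) {
    throw "$loginName has no SELECT on TE_LOGIN in $Database; integrated logins will fail."
}
$rows | Format-Table -AutoSize
```

The verification query deliberately checks both the group user and public, because the page's note says the PUBLIC role normally carries the SELECT right; if a site has hardened public, the explicit GRANT above is what keeps integrated logins working.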
Step 6: Activate Windows PowerShell in the Play Environment
Note: Before implementing in your live production environment, apply the update in your test PLAY environment and test the system thoroughly. Testing should include new Groups, new Users, and new Group Memberships.
1. Access your database server as a user with Admin rights.
2. From the Server Manager Dashboard, select Add roles and features. The Add Roles and Features Wizard window appears.
3. In the wizard, go to the Select features page.
4. Locate and select the Active Directory module for Windows PowerShell checkbox (if not already selected) as shown below. If the Add features that are required for Active Directory module for Windows PowerShell window appears, click Add Features; the Select features page reappears.
5. Locate Windows PowerShell and ensure the features shown below are selected. If the Add features that are required for Active Directory module for Windows PowerShell window appears, click Add Features.
6. Click the Next button.
7. Click the Install button.
8. Close the Add Roles and Features Wizard window when the installation is done.
9. Open PowerShell (with the Run as administrator option), and execute the following:
Set-ExecutionPolicy RemoteSigned
This sets the policy for the LocalMachine scope, which also covers the SQL Server Agent service account that runs the sync script. RemoteSigned allows the locally stored LDAP_SYNC.PS1 to run unsigned; the execution policy is a safeguard against running scripts unintentionally, not a security boundary.
Step 7: Apply the LDAP_SYNC.PS1 Script in the Play Environment
Note: If you change the location or name of this directory, you must update the J1 App LDAP Synch Job Script.sql prior to executing it. Jenzabar is not responsible for modifying the script to match any changes made.
1. Access your database server as a user with Admin rights.
2. Create a new C:\JenzabarPSScripts directory.
3. Copy the LDAP_SYNC.PS1 script to this new directory (C:\JenzabarPSScripts) from the downloaded zip file (MyJenzabar).
4. Access SQL Server Management Studio as a member of the sysadmin (SA) role.
a. Open the updated J1 App LDAP Synch Job Script.sql script, from the downloaded zip file.
b. Locate Line 4: SET @DatabaseName = 'TMSEPLY'
c. Change 'TMSEPLY' to your school's PLAY J1 database name.
Note: When you apply the update to your LIVE production database, use your school's LIVE production J1 database name here.
d. Click Save.
e. Execute the updated J1 App LDAP Synch Job Script.sql script.
f. Open the updated ACTIVE_DIRECTORY$GROUP_REG Update.sql script, from the downloaded zip file.
g. Execute the updated ACTIVE_DIRECTORY$GROUP_REG Update.sql script.
h. Repeat these steps for each of your school's J1 databases using AD authentication.
i. Enable the J1 App LDAP Synch - <DBName> SQL Agent job in the SQL Server Agent area of Management Studio.
j. Verify the schedule assigned to the J1 App LDAP Synch - <DBName> SQL Agent job. It will have been reset to the default of every 5 minutes, Monday through Friday, 7 AM to 7 PM.
5. Test! Verify your play environment is working correctly before implementing in your production environment.
Step 8: Set Up the Active Directory/J1 Sync
1. Access your database server as a user with Admin rights.
2. Access SQL Server Management Studio.
3. Access the Job Properties window for your database's sync job.
4. Open the J1 App LDAP Synch Job Script.sql located in the \Program Files\Jenzabar\Tools\DSU\Setup Extras\AD Setup Scripts folder.
5. Locate line 4 of the script.
6. Change the @DatabaseName variable to your school's J1 database name. TIP: The script is shipped with the name set to TMSEPLY.
The figure below shows the Job Properties for the "J1 App LDAP Synch - TMSEPRD" job in SQL Server Management Studio.
7. Access J1 Desktop as a user with administrative permissions.
8. Access the Maintain Config Table window.
9. Locate the authentication mode setting using the TL module, GLOBAL_VARIABLE function, EX_AUTH_MODE characteristic columns.
10. Verify it is set to S for Standard.
11. Click Save.
12. Return to SQL Server Management Studio.
13. Access the SQL Server Agent.
14. Locate the Jenzabar - J1 AD Synch job category.
15. Locate the J1 App LDAP Synch - dbname job. It should still be disabled.
16. Right-click and select Start Job. The list of Active Directory accounts for further assignment to existing standard J1 Application Users is populated. If the EX_AUTH_MODE is not set to S, Standard, new application users will be created.
17. Return to J1 Desktop.
18. Access the Maintain Config Table window.
19. Locate the authentication mode setting using the TL module, GLOBAL_VARIABLE function, EX_AUTH_MODE characteristic columns.
20. Verify it is set to M for Mixed.
21. Click Save.
Step 9: Associate Existing J1 Application Users (APP_USER) with their Active Directory Accounts
1. Access J1 Desktop.
2. Access the Users window.
3. For each J1 Desktop application user, select an Active Directory domain account from the Active Directory User drop-down list (populated with the members of the EXAPPUSERS_dbname group in the J1 Database OU).
Note: An Active Directory domain account can be used only once. Once associated with a J1 Desktop application user, it cannot be associated with another J1 Desktop application user.
4. Open a text editor such as Notepad.
5. Browse to the \Program Files\Jenzabar\Tools\DSU\Setup Extras\AD Setup Scripts folder.
6. Locate and select the InitSynch.vbs script.
7. Locate line 4 and change the strDatabase to your school's database name using uppercase letters and quotation marks. For example, "TMSEPRD"
8. Locate line 5 and change the strSQLInstance string parameter to the instance name of your SQL Server hosting the database entered in step 7. Ensure that the strSQLInstance parameter is enclosed in quotes. The server name is not case sensitive. For example, replace SERVER\INSTANCE with your database instance name - i.e., HBG-PDSQL.
Note: If your database is on the default SQL Server instance, there is no instance portion in this string and no backslash (\).
9. Click Save.
10. From the command prompt, run the updated InitSynch.vbs script.
Note: To run the script, you must have FULL CONTROL permissions on the J1 Database OU.
· The initial J1 Database OU groups are built from the existing J1 Desktop Application Groups (APP_GROUP)
· The new J1 Database OU groups are populated with Active Directory user accounts associated with J1 Desktop application users (step above) and have membership in the existing J1 Desktop Application Groups
The figure below shows the TMSEPRD OU after running the InitSynch.vbs script. Note that the top-level groups in the OU are populated with existing groups having the same name as Application Groups in the J1 Desktop application.
Note: If your school only syncs users, proceed to Step 12.
The J1 Database OU groups built from the existing J1 Desktop Application Groups (APP_GROUP) are NOT Jenzabar default security groups. The new J1 Database OU groups are populated with the Active Directory user accounts associated with J1 Desktop application users (step above) and belong to the Jenzabar default Application Groups.
The figure below shows the TMSEPRD OU after running the InitSynch.vbs script. The entries shown without the J1_ prefix were created locally (they are not default data); they were pulled from the J1 database and created in Active Directory.
You cannot change the function security assignments for these groups. They must be used "as is."
1. Open a text editor such as Notepad.
2. Browse to the \Program Files\Jenzabar\Tools\DSU\Setup Extras\AD Setup Scripts folder.
3. Locate and select the J1Synch.vbs script.
4. Locate line 4 and change the strDatabase to your school's database name using uppercase letters and quotation marks. For example, "TMSEPRD".
5. Locate line 5 and change the strSQLInstance string parameter to the instance name of the SQL Server hosting the database entered in step 4. Ensure that the strSQLInstance parameter is enclosed in quotes. The server name is not case sensitive. For example, "DUNNO".
Note: If your database is on the default SQL Server instance, there is no instance portion in this string and no backslash (\).
6. Click Save.
7. From the command prompt, run the updated J1Synch.vbs script.
Note: To run the script, you must have FULL CONTROL permissions on the J1 Database OU.
· The initial J1 Database OU groups are built from the existing J1 Desktop Application Groups (APP_GROUP)
· The new J1 Database OU groups are populated with Active Directory user accounts associated with J1 Desktop application users (step above) and have membership in the existing J1 Desktop Application Groups
The figure below shows the TMSEPRD OU after running the J1Synch.vbs script.
Step 12: Enable the J1 App LDAP Sync
1. Access your database server as a user with Admin rights.
2. Access SQL Server Management Studio.
3. Find and enable the J1 App LDAP Synch - dbname job.
4. Access the Job Properties window for your database.
5. From the job properties, click the Schedules window. The Job Schedule Properties window appears.
6. Update the frequency schedule as needed. By default, the sync runs every five minutes between 7 AM and 7 PM Monday through Friday.
7. Click OK.
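The Agent side of Steps 6, 7 and 12, together with the service-account prerequisite listed at the top of the page, can be verified in one pass before the job is switched on. This is an added example, not part of the Jenzabar scripts. The instance name, the script path from Step 7 and the SqlServer module (Invoke-Sqlcmd) are assumptions, and sys.dm_server_services requires SQL Server 2008 R2 SP1 or later. It reads the Agent service account, confirms it is db_owner in the J1 database and is not a built-in account, checks that LDAP_SYNC.PS1 is in place and that the execution policy allows a local script, then enables the job and decodes its schedule from msdb so you can compare it with the documented default.

```powershell
#Requires -Modules SqlServer
# Added example, not Jenzabar code: pre-flight checks for the "J1 App LDAP Synch - <DB>"
# SQL Agent job (Steps 6, 7 and 12 plus the service-account prerequisite), then enable
# the job and decode its schedule. Instance name and script path are assumptions;
# sys.dm_server_services needs SQL Server 2008 R2 SP1 or later.
param(
    [string] $Instance   = 'HBG-PDSQL',
    [string] $Database   = 'TMSEPLY',                          # PLAY first, then LIVE
    [string] $ScriptPath = 'C:\JenzabarPSScripts\LDAP_SYNC.PS1'
)
$jobName  = "J1 App LDAP Synch - $Database"
$problems = @()

# Prerequisite: the Agent runs the sync, so its service account needs db_owner in the
# J1 database and read access to the J1 OU; a built-in account cannot be given the latter.
$agent = Invoke-Sqlcmd -ServerInstance $Instance -Query "SELECT service_account FROM sys.dm_server_services WHERE servicename LIKE N'SQL Server Agent%';"
if (-not $agent) {
    $problems += "SQL Server Agent service not found on $Instance"
} else {
    $svc = $agent.service_account
    if ($svc -match '^NT (SERVICE|AUTHORITY)\\') { $problems += "Agent runs as $svc; use a domain service account with read rights on the J1 OU" }
    $isDbo = Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query "SELECT IS_ROLEMEMBER(N'db_owner', N'$svc') AS is_dbo;"
    if ($isDbo.is_dbo -ne 1) { $problems += "$svc is not db_owner in $Database" }
}

# Step 7: the script must sit where the job script expects it. Step 6: RemoteSigned
# (or less restrictive) at LocalMachine scope lets the local, unsigned script run.
if (-not (Test-Path -LiteralPath $ScriptPath)) { $problems += "Missing $ScriptPath" }
$policy = Get-ExecutionPolicy -Scope LocalMachine
if ($policy -in ('Restricted', 'AllSigned', 'Undefined')) { $problems += "LocalMachine execution policy is $policy; run Set-ExecutionPolicy RemoteSigned" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Fix the problems above before enabling $jobName"
}

# Step 12: enable the job and read back its schedule from msdb.
Invoke-Sqlcmd -ServerInstance $Instance -Database msdb -Query "EXEC dbo.sp_update_job @job_name = N'$jobName', @enabled = 1;"
$sched = Invoke-Sqlcmd -ServerInstance $Instance -Database msdb -Query @"
SELECT j.enabled, s.freq_type, s.freq_interval, s.freq_subday_type, s.freq_subday_interval,
       s.active_start_time, s.active_end_time
FROM dbo.sysjobs AS j
JOIN dbo.sysjobschedules AS js ON js.job_id = j.job_id
JOIN dbo.sysschedules   AS s  ON s.schedule_id = js.schedule_id
WHERE j.name = N'$jobName';
"@
if (-not $sched) { throw "$jobName has no schedule attached; re-run the job script or add one" }

# msdb encoding: for weekly jobs (freq_type 8) freq_interval is a day bitmask
# (1=Sun ... 64=Sat), freq_subday_type 4 means minutes, and times are HHMMSS integers.
# The shipped default decodes to: every 5 minutes on Mon,Tue,Wed,Thu,Fri, 07:00:00-19:00:00.
$dayNames = @{ 1 = 'Sun'; 2 = 'Mon'; 4 = 'Tue'; 8 = 'Wed'; 16 = 'Thu'; 32 = 'Fri'; 64 = 'Sat' }
$units    = @{ 1 = 'once'; 2 = 'seconds'; 4 = 'minutes'; 8 = 'hours' }
$days     = ($dayNames.Keys | Sort-Object | Where-Object { $sched.freq_interval -band $_ } | ForEach-Object { $dayNames[$_] }) -join ','
function Format-AgentTime([int] $t) { ('{0:D6}' -f $t) -replace '^(\d\d)(\d\d)(\d\d)$', '$1:$2:$3' }
$start = Format-AgentTime $sched.active_start_time
$end   = Format-AgentTime $sched.active_end_time
"{0}: enabled={1}, every {2} {3} on {4}, {5}-{6}" -f $jobName, $sched.enabled, $sched.freq_subday_interval, $units[[int]$sched.freq_subday_type], $days, $start, $end
```

Run it against the PLAY database first, as the page recommends; if the final line does not read every 5 minutes, Monday to Friday, 07:00:00-19:00:00, the schedule has been changed from the shipped default and should be reviewed in the job's Schedules page.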
Step 13: Install J1 Desktop & Apply Integrated Authentication
Install J1 Desktop on each client machine on campus choosing "integrated" as the mode of authentication.
Note: If you are switching the mode of authentication AFTER installing J1 Desktop, you must deliver a registry update to every client machine on which integrated authentication is needed. This setting is in:
Step 14: Remove All Individual users from the SQL Server Database
Note: If individual database users are used for other purposes, such as other third-party tools like InfoMaker, Access, etc., do not remove them from the SQL Server database.
Note: Do not remove or change the TE_PGMR database user. This user is still required.
To clean up your SQL Server login list, remove the logins no longer in use.
Note: In SQL Server 2005 and 2008, database users will be orphaned if their underlying SQL Server login is deleted.
The institution can remove, if desired, the TE_ADMIN, TE_TRAINEE, and other Jenzabar-created database accounts; however, for support purposes, you MUST either
· Set up the domain account Jenzabar support uses to log into your clean machine with the appropriate application user and group membership entries in your Active Directory. This ensures they can access the J1 Desktop application.
OR
· Allow the authentication mode on the clean machine to be "standard" to allow Jenzabar support staff to be able to log in to J1 Desktop. If you are planning to operate this way, leave TE_ADMIN or CMDSPGMR database logins and users in place.