Active Directory change impact on JDE

[jimmymac]

We are on E1 JDE 9.0, tools 9.1.4.7. Our enterprise servers are Microsoft windows 7 and database is Oracle.

We've been asked to review the impact of various changes on our different systems, including JDE. I'm not a CNC but from what I've researched and got from Oracle, the impact would be minimal. Some minor configuration changes might be needed in server manager and/or web and enterprise servers.

1. Is Active Directory used for authentication?
2. Is Active Directory used for something other than authentication.
3. If users/groups move to another AD domain, would there be any impact on JDE?
4. If the enterprise and/or web servers moved to a new domain, would there be any changes?

Any thoughts or comments would be appreciated.

Thanks.

 

[altquark]

Hi Jimmy

First of all, you've probably made a mistake in your post. Your enterprise servers are no doubt Windows Server, not Windows 7 (we all hope) - since Windows 7 is a desktop client, not a server platform !

However, to answer your questions.

1. AD is sometimes used for authentication for users. JDE refers to it as LDAP Integration - and you can set it up as the method for having users authenticate. However, with Tools Release 9.1.4.7 on 9.0, you would have issues with password length unless you were using a 3rd party product such as Oracle Identity Management or Everest SSO. To easily identify if LDAP is enabled, check the JDE Enterprise Servers JDE.INI (located in x:\JDEdwardsPPack\E910_1\system\bin32) and look for the line that has "LDAPAuthentication=false" or "true" ! Obviously, true means its turned on, false means its turned off !
2. AD is often used for resource accounts that start services on the EnterpriseOne stack. For example, there might be a "jde" account that is in the AD that starts the JD Edwards EnterpriseOne Enterprise Server services, or there might be accounts that are configured for the Weblogic service startups. These should be relatively easily identified by looking at the windows services, and checking the "startup" accounts.
3. If either 1 or 2 are true, then there would be an impact on moving those accounts to a different domain. Otherwise there would not be any impact.
4. Moving the servers to a different domain would likely not cause an issue, because JDE doesn't directly use FQDomainNames as server names, as long as the actual server names do not change. For example, moving "JDEDeploy.olddomain.com" to "JDEDeploy.newdomain.com" wouldn't be any impact, but moving it to "JDENewDeploy.newdomain.com" would have very serious implications that would require major CNC work. Changing IP Addresses should also not be a major issue - but remember that the installation likely updated host files in the x:\windows\system32\drivers\etc folders and hard-coded the local machine names to local network names.

Hope those quick answers help - more than likely you will be ok moving servers and users to a different domain, but you absolutely should check all of the above thoroughly, and back up your AD before you make the change !

 

[jimmymac]

Thanks for the info. All that makes sense. Yes we are using Windows Server 2008 and LDAP authentication is off (false).

As for the JDE account that starts the E1 Services or Weblogic, when i look at those services on the enterprise server and web servers, I'm looking at the Properties for the Services and the Log On tab. Is that what you are referring to in regards to the startup accounts.

Our E900 service on the enterprise server shows a log on user as [email protected]. So it would appear that if the jdeweb user is moved to a new domain, this would have to be revised to be in sync with that. However, on the web servers, the Local Account option is checked. So there would likely be no changes needed to the weblogic startup.

Does that make sense?

 

[altquark]

Yes - the "log on" tab is the startup accounts. If the jdeweb user is moved to a new domain, it would have to be granted permissions back to the machine that it starts the E900 services, which would likely be local admin on that machine.

Weblogic should be fine if you're using local accounts. No problem there.

Of course, there may be other ancillary software that might be affected. Check the printing solution, for example - if you're using Optio or something else. All standard E1 printers might have to be re-created in E1 if their UNC paths change.