Microsoft Windows 2000 inetOrgPerson Kit
Updated: December 2001
Summary: The Microsoft Windows 2000 operating system inetOrgPerson kit was developed for users who would like to add the inetOrgPerson class to their Windows 2000 Active Directory schema. This document provides some background information about this issue, as well as a list of the files that are included in the kit and an explanation of how to load them. (5 printed pages)
Download the inetOrgPerson kit.
Windows 2000 Implementation
Differences Between inetOrgPerson and the user Class
Installing the InetOrgPerson Kit
Technical Support for InetOrgPerson
inetOrgPerson Kit Files
Exchange Collision Issue
Mangled Name Issue
Windows 2000 Implementation
Because directories other than Microsoft® Active Directory™ use the inetOrgPerson class to define the user account object, applications that were originally written to access objects in these directories may implement the inetOrgPerson class. To make those applications more compatible with Active Directory and permit the migration of inetOrgPerson objects to Active Directory, the inetOrgPerson class is being introduced into the base schema for the Microsoft Windows® 2003 Server operating system. In Windows 2003 Server, the inetOrgPerson class is expected to be a full implementation that is compatible with the user class.
The inetOrgPerson class is defined in RFC2798; however, the inetOrgPerson class defined in Windows 2000 deviates from that defined in RFC2798 in two ways:
- In Active Directory, inetOrgPerson is derived from the user class so it can easily behave as a security principal.
- Some of the attributes are defined differently due to legacy issues.
Many companies and individuals have asked for an implementation of inetOrgPerson for their Windows 2000 schema that will be compatible with the Windows 2003 Server schema. This kit provides that functionality. Many of the applications that use the inetOrgPerson class were designed for use with other directories such as iPlanet. If you are neither using nor creating an application that uses the inetOrgPerson class, this kit is not for you.
The kit does not provide full integration of the inetOrgPerson class for Windows 2000. Rather, this kit is provided only to permit the inetOrgPerson class to be defined in the schema before the release of Windows Server 2003. Windows Server 2003 will include full implementation of the class. The following section describes the missing functionality.
Differences Between inetOrgPerson and the user Class
After installing this kit in a Windows 2000 forest, you will notice a difference in the functionality that is available between the user and inetOrgPerson classes. Most of the differences in behavior occur in the Active Directory Users and Computers user interface. As with any class that is derived from the user class, the UI for the user class is not inherited. The display specifier file that is supplied with this kit provides some limited UI capability. Here is a list of known differences in the inetOrgPerson class:
- When creating an inetOrgPerson object, a creation wizard will not be available.
- The inetOrgPerson object will appear as a container object on the Active Directory Users and Computers UI. This is a bug that will be fixed in Windows 2003 Server.
- User context menus that are normally displayed when you right-click a user object in the Active Directory Users and Computers UI will not be available for inetOrgPerson objects. Instead, right-click the inetOrgPerson object to see the user context menu for a container object.
- The password is blank and there is no option available on the user context menu to set the password. To modify the password, you can write a script that will set it, or use client tools such as ADSI Edit.
- Newly created inetOrgPerson objects will have their account disabled. You will need to modify the userAccountControl attribute to set the status for the account.
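Because objects created under this kit start disabled with a blank password, the order of operations matters: set the password first, then enable the account without leaving the "password not required" bit behind. The following is an added example, not part of the kit or this document; the flag values are the documented userAccountControl bits, the sample DN and starting value are constructed, and the LDIF record is meant for "ldifde -i".

```python
"""userAccountControl handling for inetOrgPerson objects created under the kit:
they start disabled with a blank password, so enabling them safely matters."""

# Well-known userAccountControl flag bits (ADS_USER_FLAG_ENUM values).
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000


def enabled_uac(current_uac: int) -> int:
    """Clear the disabled bit. PASSWD_NOTREQD is cleared as well so the
    domain password policy applies once the account can log on."""
    return current_uac & ~ADS_UF_ACCOUNTDISABLE & ~ADS_UF_PASSWD_NOTREQD


def uac_risks(uac: int) -> list:
    """List risky flag combinations in a userAccountControl value."""
    risks = []
    enabled = not uac & ADS_UF_ACCOUNTDISABLE
    if enabled and uac & ADS_UF_PASSWD_NOTREQD:
        risks.append("enabled with PASSWD_NOTREQD: a blank password is accepted")
    if enabled and uac & ADS_UF_DONT_EXPIRE_PASSWD:
        risks.append("enabled with DONT_EXPIRE_PASSWD")
    if not uac & ADS_UF_NORMAL_ACCOUNT:
        risks.append("NORMAL_ACCOUNT bit not set")
    return risks


def enable_ldif(dn: str, current_uac: int) -> str:
    """LDIF modify record (for 'ldifde -i -f file.ldf') that enables the object.
    Set the password first (ADSI Edit or a script); this record does not."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userAccountControl\n"
        f"userAccountControl: {enabled_uac(current_uac)}\n"
        "-\n"
    )


if __name__ == "__main__":
    # Constructed sample: 0x222 = NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE,
    # the value a freshly created, passwordless object typically carries.
    sample_dn = "CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com"
    print(enable_ldif(sample_dn, 0x222))
    print(uac_risks(0x220))  # enabled but PASSWD_NOTREQD still set
```

Running uac_risks over an export of userAccountControl values is a quick way to catch objects that were enabled before a password was set.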
Installing the InetOrgPerson Kit
To install the InetOrgPerson kit, follow these steps:
- Ensure that end-to-end replication of Active Directory is occurring on all domain controllers in the forest receiving the InetOrgPerson update. The "repadmin /showreps" utility from the \Support\Tools directory of the Windows 2000 CDROM can be used to verify Active Directory replication.
- Locate and configure the schema FSMO role owner to accept schema updates. The following link documents prerequisites for extending the Active Directory schema:
Prerequisites for Installing a Schema Extension
- Copy the InetOrgPerson kit files to the schema FSMO role owner identified in Step 2.
- From a CMD prompt, run "Load_IOP.BAT" with the fully qualified distinguished name path of the forest root in quotes. For example, the command line to add the InetOrgPerson schema changes to the CORP.COMPANY.COM forest would be:
- Monitor domain controllers throughout the forest for replication of the schema updates before use.
Technical Support for InetOrgPerson
The InetOrgPerson kit is provided "as is" to offer the schema definition for the InetOrgPerson class in Windows 2000 forests. For issues with installation of the InetOrgPerson kit, send e-mail to firstname.lastname@example.org.
inetOrgPerson Kit Files
This kit contains several files that are compatible with Windows 2003 Server. Installing these files will not affect your upgrade to Windows 2003 Server, and the new data that is created using these classes will be preserved during the Windows 2003 Server installation. This section contains the name and description of the files that are included with this kit.
Note These files are provided as a convenience to customers and do not reflect a full implementation. Additional functionality will not be provided for Windows 2000; full implementation of this functionality will occur with the Windows XP release.
The following LDIF files must be loaded in the order in which they appear.
Exchange.ldf: This file modifies Microsoft® Exchange 2000 attributes when they collide with the inetOrgPerson definition. When loading this file with LDIFDE, use the -k option. For more information about this file, see Exchange Collision Issue later in this document.
This file defines the inetOrgPerson class.
This file defines the inetOrgPerson class and its associated display specifier. It permits the use of the user property sheet for inetOrgPerson objects.
Extra.ldf: This file contains additional attributes that were requested by various customers. They are defined by various RFCs. These attributes will be included in the base schema for Windows XP. This file is not necessary, but if you decide to use it, you should load it after loading inetOrgPerson-ds.ldf so that the inetOrgPerson class is already defined in the schema. The following attributes are added when you import this file:
- UniqueMember (based on RFC2256)
- UnstructuredName (based on RFC2985)
- UnstructuredAddress (based on RFC2985)
- AttributeCertificateAttribute (based on X.509)
inetOrgPerson-Fix.ldf: This file fixes the mangled name problem, described later, that may occur when defining inetOrgPerson in a forest that has Exchange 2000 installed. For more information, see Mangled Name Issue later in this document.
Load_IOP.BAT: This is a sample batch file that you can edit to specify how these files will be loaded. For example, you may want to remove the command that imports Extra.ldf if you think you will have no need for it.
Exchange Collision Issue
The Exchange 2000 schema includes definitions for the secretary and labeledURI attributes, which are two of the attributes used by the inetOrgPerson class. When these attributes were defined in the Exchange 2000 schema, they were modified from the definition originally provided in RFC2798. This causes a conflict that prevents the inetOrgPerson class from loading into the schema. The Exchange.ldf file modifies the ldapDisplayName for these attributes to avoid this conflict and defines these attributes if they don't exist.
Mangled Name Issue
When Active Directory detects a duplicate name, it modifies the name of one of the objects by adding "Dup" and some unique characters to the beginning of the name. This is called mangling. In Windows 2000, if the inetOrgPerson class is imported into a forest that already has Exchange 2000 installed, the ldapDisplayName for the secretary or labeledURI attributes may become mangled when replication occurs. Importing the Exchange.ldf file may not prevent this. Mangling does not cause any problems with the functioning of Active Directory or the operating system, because the ldapDisplayName for the secretary or labeledURI attributes is not used. To repair the mangled names, use inetOrgPerson-Fix.ldf.
Note Mangling may also occur when upgrading from Windows 2000 to Windows 2003 Server.
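A forest that went through the Exchange collision above, or a later upgrade, can be checked for mangled names by exporting the schema partition with ldifde and looking for lDAPDisplayName values that begin with "Dup" but end in the expected attribute name. The following is an added example, not part of the kit or this document; the LDIF reader is minimal (no base64 "::" values), and the sample export with its "Dup3a7f19c2-" prefix is constructed for illustration.

```python
# Audit an ldifde schema export for inetOrgPerson attributes whose lDAPDisplayName was
# mangled (prefixed with "Dup" plus unique characters) by a duplicate-name conflict.

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: folded lines rejoined, records split on blank lines,
    each record a dict of lower-cased attribute name -> list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation of the previous line
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return records

def audit_attribute_names(ldif_text: str, expected=("secretary", "labeledURI")) -> dict:
    """For each expected attribute report 'ok', 'missing' or 'mangled:<actual name>'."""
    names = {}
    for rec in parse_ldif(ldif_text):
        if "attributeSchema" in rec.get("objectclass", []):
            for ldn in rec.get("ldapdisplayname", []):
                names[ldn.lower()] = ldn
    result = {}
    for name in expected:
        key = name.lower()
        if key in names:
            result[name] = "ok"
            continue
        hits = [v for k, v in names.items() if k.startswith("dup") and k.endswith(key)]
        result[name] = f"mangled:{hits[0]}" if hits else "missing"
    return result

# Constructed sample export; the "Dup3a7f19c2-" prefix is invented for illustration.
SAMPLE_EXPORT = """\
dn: CN=Secretary,CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: Dup3a7f19c2-secretary

dn: CN=labeledURI,CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: labeledURI
"""
```

Run audit_attribute_names over a real "ldifde -d CN=Schema,CN=Configuration,..." export on each domain controller to confirm the repair has replicated everywhere before relying on the attributes.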