Directory services such as Microsoft Active Directory enable companies to centralize their lists of users, servers, printers, and other resources. Users and applications can use Lightweight Directory Access Protocol (LDAP) to search the directory for the resources they need. Microsoft Exchange 2000, for example, no longer maintains its own list of user mailboxes; it searches Active Directory for this information.

Oracle databases are important enterprise resources for your clients, so you would expect that they could also be listed in Active Directory. Since version 8i, Oracle has supported LDAP-compliant directory services for locating databases and authenticating users. It supports three such services:

I’ll explain how you can help your clients register Oracle databases in Active Directory and connect to them.

More information from Oracle

Oracle’s customer-only support Web site, Metalink, has an excellent article on this subject with step-by-step instructions. The document ID number is DOC ID 111424.1.

Step 1: Enable schema updates in Active Directory
Active Directory maintains a list (schema) of the types of data (classes) it can contain. The schema starts out with classes related to Windows 2000, but applications can extend it to include additional classes.

Before using Active Directory with Oracle, you must first extend the schema to include Oracle-related data classes. The schema is maintained on a Windows 2000 domain controller called the Schema Master. To extend the schema for Oracle, you must log in as a member of the Security Group SchemaAdmins and enable updates on the Schema Master.


Modifying the Active Directory schema is a potentially dangerous operation. If you thought messing with the Windows Registry on a single machine was dangerous, imagine tampering with something that affects every machine in the network. Although the changes needed for Oracle are minor, be sure to prototype any schema change using lab machines and test extensively before making the change on your production servers.

Figure A

Use the Active Directory Schema snap-in for the Microsoft Management Console (MMC) to enable schema updates (see Figure A).This snap-in isn’t a standard one included during Windows 2000 installation, but the Adminpak.exe program on the Windows 2000 Server CD-ROM will install it. Add the snap-in to an existing MMC console or start a new one by typing mmc in the Run dialog box.

Once the snap-in is added, you’ll see the top-level entry Active Directory Schema in the navigation pane. Right-click on it and choose Operations Master. In the resulting dialog box, check the box labeled The Schema May Be Modified On This Domain Controller and then click OK. (Remember to go back and uncheck the setting after updating the schema to prevent accidental changes in the future.)

Step 2: Create the Oracle schema entries
You add the Oracle schema classes via Oracle’s Net8 Configuration Assistant utility. This utility is run automatically when you install Oracle, or you can run it later by selecting Start | Programs | Oracle | Network Administration | Net8 Configuration Assistant. (Note: Net8 Configuration Assistant isn’t the same tool as Net8 Assistant. Choose carefully.)

In Net8 Configuration Assistant, select Directory Service Access Configuration and then Perform Directory Access Configuration For A Server. From the three directory choices, select Microsoft Active Directory. On the next screen, type the fully qualified name of the Schema Master domain controller (e.g., and click Next. Finally, select Yes, I Want To Add The Required Oracle Schema (see Figure B).

Figure B

(Depending on your version of Oracle, an error dialog may appear, but the schema has still been updated.)

Step 3: Create an Oracle context in the directory
Updating the schema is like modifying the blueprints for a house: Nothing has actually been built. Only the plans have been changed. The next step is to actually add a new section to Active Directory to hold all the Oracle-related data. This section is called the Oracle Context.

Again, use Oracle Net8 Configuration Assistant. As before, choose Directory Service Access Configuration and then Perform Directory Access Configuration For A Server. Select Microsoft Active Directory as the type of service and, on the next screen, enter the name of the domain controller that is the Schema Master.

This time through, the screen will give you the opportunity to select Yes, I Want To Create A New Oracle Context (see Figure C). Click Next.

Figure C

When you finish, log off and log back on again. This will refresh your Windows permissions. It’s also necessary because creating the Oracle Context added you to some new security groups.

Step 4: Register databases with Active Directory
If you’re installing Oracle, the next tool that runs will be the Database Configuration Assistant. This utility creates a sample database and will enable you to register it with Active Directory. Registration creates a new object within the Oracle Context you set up.

You can also run the Database Configuration Assistant later by selecting Start | Programs | Oracle | Database Administration | Database Configuration Assistant. Select Change A Database Configuration, select the instance to modify, and then select the server mode (Dedicated or Shared). Click Next twice and you’ll be given the opportunity to register the database. Choose Yes and then Finish.

Step 5: Configure clients and connect
On client machines, Oracle Client software has been installed. Use the Net8 Configuration Assistant and select Directory Service Access Configuration. This time, however, select Perform Directory Service Access Configuration For A Client. Again, choose Microsoft Active Directory as the directory service type and enter the fully qualified name of the Schema Master.

You can now connect to registered databases via Active Directory. When logging in to a database using Oracle’s SQL*Plus program, for example, use the system identifier (SID) of the database as the Host String. Net8 will search the Oracle Context within Active Directory to locate the server’s network address, port number, and SID—all information that is needed to make a connection.

Normally, this information must be defined on the client in a file named tnsnames.ora and updated on each client machine when it changes. When a directory service is used, though, only the directory needs to be changed.

Bottom line
Interoperability between Active Directory and Oracle presents opportunities for consultants who work with either technology. Active Directory consultants must be able to convince clients that a single enterprise-level directory service is capable of handling all the enterprise’s needs, including Oracle. Oracle consultants whose clients are installing Active Directory can assist in converting clients from Local Naming (tnsnames.ora files) to Directory Naming (LDAP).