Badger TraCS Guides
TraCS FAQ— Optional Active Directory Performance Enhancement
Because of the nature of Active Directory, using it with complicated TraCS implementations can make login times slow. The number of groups, the number of associated users, and the groups those associated users belong to directly affect how long TraCS takes to query AD and log in.
To improve AD login performance significantly, a TraCS Windows service (TraCS Active Directory Service) can be installed that periodically syncs the TraCS Users Database from AD. With the TraCS Users Database containing the latest AD associated user and group information, TraCS can query it instead of AD for this information. Querying the TraCS Users Database is much quicker than querying AD for the same information, making login times quicker overall.
When using this alternative AD interface method, TraCS still authenticates the user with AD and loads the user’s field values and permissions from AD. However, the user’s associated users and their permissions are loaded from the TraCS Users Database instead of AD.
TraCS then pulls user group and associated user information from the TraCS Users Database instead of AD, saving the time spent traversing AD groups on login and when reconnecting in web services mode.
This is an option to speed up TraCS web services when used with Active Directory. TraCS web services will continue to work with Active Directory even if this new service is not being used.
This requires a new Windows service (Active Directory Service.exe) to be installed on the server.
Update the Active Directory Database Connection
In the Database Connection Editor in Configuration Manager, expand the Other option and select the Active Directory connection. Update the following properties on the TraCS server and any TraCS workstations using Active Directory to login.
AssocUsers – Enter False so that Associated User information will be obtained from the TraCS Users Database and not Active Directory when a user logs in to TraCS.
NOTE: Even though the Associated User information will come from the TraCS Users Database, the TraCS Active Directory Service will be constantly updating the Users Database with what is in AD.
UserGroups – Enter False so that User Groups information will be obtained from the TraCS Users Database and not Active Directory when a user logs in to TraCS.
NOTE: Even though the User Groups information will come from the TraCS Users Database, the TraCS Active Directory Service will be constantly updating the Users Database with what is in AD.
Update the following properties on the TraCS server.
Sync Interval – The number of minutes between when the TraCS Active Directory Service syncs the TraCS User Database with Active Directory. The default value is 240 minutes.
UserID – The User ID that the TraCS Active Directory Service uses to login to AD.
Password – The Password that the TraCS Active Directory Service uses to login to AD.
ConfirmPassword – Used to confirm the Password that the TraCS Active Directory Service uses to login to AD.
Install and Start the TraCS Active Directory Service
Install the TraCS Active Directory Service on a server that has access to both AD and the TraCS Users Database.
Run the following batch file from the TraCS Program Files folder.
ActiveDirectoryService.bat
This batch file installs the TraCS Active Directory Service Windows service.
NOTE: In some configurations, to successfully install the service you may need to run this batch file as “Run as administrator” or even run it manually through a Windows Command Prompt launched as “Run as administrator”.
Right-click the service in the Windows Services utility to edit the service properties, including the account the service runs as and the Startup Type.
Start the service when finished.
Once started, the service will update the TraCS Users Database with information from AD on the interval set in the Active Directory database connection entry.
How AD Works
Active Directory on a Workstation
The first time an AD user logs into TraCS (that does not exist in the TraCS users database already), a new user record is created in the user table from information gathered from AD combined with information from the TraCS template user (including password, location name and encryption key). Users logging in subsequent times will have their user record updated in the TraCS user table with any updated AD information. Each time the user logs into TraCS, the data from AD is merged with the data in the TraCS users database to create a merged copy to be used by the user while logged into TraCS.
If logging in through the Active Directory is unsuccessful, TraCS will prompt for a user name and password to login to TraCS manually.
In the case of manual login, TraCS will completely ignore any AD information; therefore, user records need to exist in the current TraCS users database in order for the user to login and perform functions in TraCS on their own forms or on other users’ forms.
Active Directory on a Field Unit
In order for AD login to work correctly on a field unit, the template user file must be placed in the Users folder under the TraCS application data root folder.
The first time an AD user logs into TraCS (that does not have an existing TraCS user file on the machine), a new TraCS user file is created for that user using information gathered from AD combined with information from the TraCS template user (including password, location ID and encryption key).
Unlike the merging that is performed on workstations, TraCS does not merge Active Directory data with data from the user file on a field unit. Only the Active Directory data is used. For example, if the AssocUsers property is set to True in the Database Connections editor for the Active Directory connection, TraCS will load only the associated user data from Active Directory and ignore the TraCS user file. TraCS will then overwrite the user file with the Active Directory information when the user logs out of TraCS.
If logging in through the AD is unsuccessful, TraCS will prompt for a user name and password to login to TraCS manually.
In the case of manual login, TraCS will completely ignore any AD information and rely solely on the TraCS user file. Because the TraCS user file is updated each time the user logs out, the user file will always contain the data from the last successful Active Directory login.
Active Directory Hints
Add Active Directory Groups
Some special TraCS groups need to be created for Active Directory to work properly.
NOTE: Only the login group is required to use Active Directory login mode. Groups, Access Levels, and Associated Users can be managed by either AD or TraCS. You can determine how each category is managed in the Database Connections Editor. See the Setup TraCS topic in the following pages for more information.
Login Group: {Login Group Name}
This group is used to determine which AD users should be allowed access to log into TraCS. If an AD user is placed in this group, they will be able to log into TraCS. You can choose any name for this group. You will need to enter this group name again later in the Database Connections Editor.
Access Levels Group(s): {TraCSAccessLevelAccessLevelName}
These AD groups will match up with the access levels that you created in the Configuration Manager. The name of the AD group should be prefixed with TraCSAccessLevel with the name of the TraCS access level appended to the end.
Adding an AD user to this AD group will give that user access to whatever actions were added to this access level in the Configuration Manager.
TraCS Group: {TraCSGroupTraCSGroupName}
These AD groups will match up with the user groups that you created in the Configuration Manager. The name of the AD group should be prefixed with TraCSGroup with the name of the TraCS user group appended to the end.
Adding an AD user to this AD group will place that user in the specified group in the Configuration Manager.
Associated Users Group: {TraCSAUTraCSGroupName_AccessLevelName}
The users in this group will have access to all actions assigned to the access level (specified by AccessLevelName) for use on forms and reports created by users in the TraCS user group (specified by TraCSGroupName).
Setup User Attributes
You can add AD user attributes that match up with TraCS user fields.
The table below shows the fields in the TraCS database that will get refreshed on login if there are values inside of the Active Directory attributes. The attributes that are marked custom will need to be created inside the Active Directory server.
TraCS Field | AD Field | Attribute Type |
---|---|---|
UserID | sAMAccountName | SYSTEM |
SecondaryUserID | TraCSSecondaryUserID | CUSTOM |
NameLast | SN | SYSTEM |
NameFirst | givenName | SYSTEM |
NameMiddle | middleName | SYSTEM |
NameSuffix | TraCSNameSuffix | CUSTOM |
Title | title | SYSTEM |
AccessLevels | memberOf* | SYSTEM |
LocationID | TraCSLocationID | CUSTOM |
UserDefaultsID | TraCSUserDefaultsID** | CUSTOM |
LocationDefaultsID | TraCSLocationDefaultsID | CUSTOM |
EnterpriseDefaultsID | TraCSEnterpriseDefaultsID | CUSTOM |
EMailAddress | | SYSTEM |
LastModified | whenChanged | SYSTEM |
EncryptionKeyLabel | TraCSEncryptionKeyLabel | CUSTOM |
User Definable Fields can be added to Active Directory to correspond with those that exist in TraCS, so that they can be managed through Active Directory. The name of the attribute in Active Directory needs to start with “TraCSUserDef.”
*Any AD Group created that begins with TraCSAccessLevel that the AD user is a member of will be put into this TraCS field.
**This will default to the current User ID if this custom field is not found.
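The group naming conventions and the attribute table above, worked through in PowerShell as a check an administrator can run against a user's AD data. This is an added illustration and not TraCS's own code. It assumes the inputs come from Get-ADUser with -Properties * (memberOf and the attribute values), and that TraCS group names contain no underscore so that the TraCSAU group name splits at the first one; the sample user data at the bottom is constructed.

```powershell
# Added illustration, not TraCS code: apply the TraCS group naming conventions and
# the attribute table to a user's AD data. In production the inputs would come from
# Get-ADUser <id> -Properties *; the sample values at the bottom are constructed.

function Get-TraCSRolesFromGroups {
    param([string[]]$MemberOf)
    $roles = [ordered]@{
        AccessLevels    = New-Object System.Collections.Generic.List[string]
        Groups          = New-Object System.Collections.Generic.List[string]
        AssociatedUsers = New-Object System.Collections.Generic.List[object]
        Other           = New-Object System.Collections.Generic.List[string]
    }
    foreach ($dn in $MemberOf) {
        # memberOf holds distinguished names; the group's name is its first CN component
        $name = if ($dn -match '^CN=([^,]+)') { $Matches[1] } else { $dn }
        if ($name -like 'TraCSAccessLevel*') {
            $roles.AccessLevels.Add($name.Substring('TraCSAccessLevel'.Length))
        }
        elseif ($name -like 'TraCSGroup*') {
            $roles.Groups.Add($name.Substring('TraCSGroup'.Length))
        }
        elseif ($name -match '^TraCSAU(?<group>[^_]+)_(?<level>.+)$') {
            # Assumption: the TraCS group name itself contains no underscore (the guide does not say)
            $roles.AssociatedUsers.Add([pscustomobject]@{ Group = $Matches.group; AccessLevel = $Matches.level })
        }
        else {
            # The login group (any name) and ordinary AD groups carry no TraCS role information
            $roles.Other.Add($name)
        }
    }
    return $roles
}

# TraCS field -> AD attribute, from the table above. EMailAddress is left out because
# the table does not give its AD attribute.
$TraCSAttributeMap = [ordered]@{
    UserID               = 'sAMAccountName'
    SecondaryUserID      = 'TraCSSecondaryUserID'
    NameLast             = 'sn'
    NameFirst            = 'givenName'
    NameMiddle           = 'middleName'
    NameSuffix           = 'TraCSNameSuffix'
    Title                = 'title'
    LocationID           = 'TraCSLocationID'
    UserDefaultsID       = 'TraCSUserDefaultsID'
    LocationDefaultsID   = 'TraCSLocationDefaultsID'
    EnterpriseDefaultsID = 'TraCSEnterpriseDefaultsID'
    LastModified         = 'whenChanged'
    EncryptionKeyLabel   = 'TraCSEncryptionKeyLabel'
}

function Get-TraCSFieldsFromAd {
    param([hashtable]$AdAttributes, [string[]]$MemberOf)
    $fields = [ordered]@{}
    foreach ($entry in $TraCSAttributeMap.GetEnumerator()) {
        $value = $AdAttributes[$entry.Value]
        if ($value) { $fields[$entry.Key] = $value }   # only populated attributes refresh TraCS
    }
    # ** in the table: UserDefaultsID falls back to the user ID when the custom attribute is absent
    if (-not $fields.Contains('UserDefaultsID')) { $fields['UserDefaultsID'] = $fields['UserID'] }
    # Every attribute named TraCSUserDef* maps to a TraCS user-definable field
    foreach ($attr in $AdAttributes.Keys) {
        if ($attr -like 'TraCSUserDef*') { $fields[$attr] = $AdAttributes[$attr] }
    }
    # * in the table: AccessLevels come from TraCSAccessLevel* group memberships
    $fields['AccessLevels'] = (Get-TraCSRolesFromGroups $MemberOf).AccessLevels
    return $fields
}

# Constructed sample input (stands in for the properties of a real AD user)
$sampleMemberOf = @(
    'CN=TraCSLogin,OU=Groups,DC=example,DC=local'                 # login group; any name is allowed
    'CN=TraCSAccessLevelSupervisor,OU=Groups,DC=example,DC=local'
    'CN=TraCSGroupPatrol,OU=Groups,DC=example,DC=local'
    'CN=TraCSAUPatrol_Supervisor,OU=Groups,DC=example,DC=local'
    'CN=Domain Users,CN=Users,DC=example,DC=local'
)
$sampleAttributes = @{
    sAMAccountName = 'jdoe'; sn = 'Doe'; givenName = 'Jane'
    TraCSLocationID = 'LOC01'; TraCSUserDefADTest1 = 'constructed value'
}
Get-TraCSRolesFromGroups $sampleMemberOf
Get-TraCSFieldsFromAd -AdAttributes $sampleAttributes -MemberOf $sampleMemberOf
```

With the sample data, the supervisor access level, the Patrol group and one Patrol/Supervisor associated-user pair are reported, and UserDefaultsID falls back to jdoe. Note that memberOf lists only a user's direct group memberships; the nested group traversal that the guide identifies as the slow part of AD login is not reproduced here.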
Adding Custom Attributes to Active Directory
Prerequisite: Enable Schema Updates by Means of the Registry on the Active Directory server.
Click Start, click Run, and then in the Open box type regedit and press ENTER.
Locate and click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
On the Edit menu, click New, and then click DWORD Value.
Enter the value data when the following registry value is displayed:
Value Name: Schema Update Allowed
Data Type: REG_DWORD
Base: Binary
Value Data: Type 1 to enable this feature, or 0 (zero) to disable it.
Quit Registry Editor.
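The same registry change, as an added PowerShell example that is not part of the TraCS guide. It uses the key path and value name given in the steps above and is meant for an elevated prompt on the Active Directory server; the function names are this example's own.

```powershell
# Added example (not from the TraCS guide): set and verify the "Schema Update Allowed"
# REG_DWORD described in the manual registry steps. Run from an elevated prompt.
$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Schema Update Allowed'

function Set-SchemaUpdateAllowed {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)
    # -Force creates the value if missing and overwrites it if present
    New-ItemProperty -Path $ntdsKey -Name $valueName -PropertyType DWord -Value $Enabled -Force | Out-Null
}

function Get-SchemaUpdateAllowed {
    $props = Get-ItemProperty -Path $ntdsKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }   # value not present: never set on this server
    return $props.$valueName
}

# Enable schema updates (value 1) before creating the TraCS attributes...
Set-SchemaUpdateAllowed -Enabled 1
"Schema Update Allowed is now: $(Get-SchemaUpdateAllowed)"
# ...and set it back to 0 once the attributes exist, so the schema is not left writable:
# Set-SchemaUpdateAllowed -Enabled 0
```

Get-SchemaUpdateAllowed returning $null means the value has never been created, which is different from it being present with data 0; checking it before and after the change confirms the edit landed on the intended server.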
Follow these steps to configure attributes:
Install the Schema snap-in (Start, Run, regsvr32 schmmgmt.dll).
Go to Start -> Run, type MMC, and press Enter.
Go to File -> Add/Remove Snap-in, click Add, select Active Directory Schema, and click Add.
Expand the Active Directory Schema and right-click Attributes.
Click “Create Attribute”.
The Create New Attribute window will appear.
In Common Name, enter your attribute name, for example “TraCSUserDefADTest1”.
The name needs to begin with “TraCSUserDef” for TraCS to recognize it as TraCS User Definable field information.
Enter the LDAP name as your attribute name as well, for example “TraCSUserDefADTest1”.
To obtain an OID, refer to http://msdn2.microsoft.com/en-us/library/ms677620.aspx
For this demo a dummy value such as 1.2.3.4.5 is used; a production schema should use an OID obtained as described at that link.
Select the appropriate syntax. TraCS currently ONLY SUPPORTS strings or dates.
Enter Minimum and Maximum values if required; they are optional and can be left blank.
Once the attribute is created, select Classes.
Expand CLASSES and Select PERSON
Right click PERSON and select Properties
Click Attribute Tab and click Add
Select the Attribute you created and click OK.
Click OK to close all property windows
Go to Start -> Run and type ADSIEDIT.MSC. To run this command you may need to install the Support Tools from the Windows installation CD.
In the Active Directory Service Interfaces (ADSI) Edit utility, navigate to the Configuration container, CN=Configuration,
Click CN=DisplaySpecifiers
Click CN=409.
In the right-pane, locate and right-click CN=user-display, and select Properties.
Select AdminContextMenu and click EDIT
In the Edit Attribute box, enter the following in the empty box and click Add:
3,&TraCSUserDefADTest1, c:\EnterAttrib.vbs
Note:
3 is the serial number of the menu entry.
&TraCSUserDefADTest1 is the text that will appear in the Users and Computers context menu (the & marks the keyboard accelerator).
C:\EnterAttrib.vbs is the script that will set the value of the attribute.
Please do not change the syntax.
Click OK to close all window popups
Select Configuration in ADSIEDIT panel and Right Click
Click “UPDATE SCHEMA NOW”
These steps add the TraCSUserDefADTest1 option to the context menu for a user in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
You must write the following script and place it at C:\EnterAttrib.vbs, or wherever the path entered in the context menu entry points:
' EnterAttrib.vbs: launched from the context menu entry with the selected user's ADsPath as the first argument
Dim oVar
Dim oUsr
Dim tmp
Dim cur
Set oVar = WScript.Arguments
Set oUsr = GetObject(oVar(0))
' Reading an attribute that has never been set raises an error, so read it guarded
On Error Resume Next
cur = oUsr.Get("TraCSUserDefADTest1")
On Error GoTo 0
tmp = InputBox("The TraCSUserDefADTest1 of the user is: " & cur & vbCrLf & vbCrLf & "Enter the new TraCSUserDefADTest1 below")
' Only write the attribute when the administrator entered a value
If tmp <> "" Then oUsr.Put "TraCSUserDefADTest1", tmp
oUsr.SetInfo
Set oUsr = Nothing
WScript.Quit
How to Add Custom Attributes to the Directory Service Find List:
Use ADSIEdit to select the Configuration namespace.
Expand the displaySpecifier container.
Expand the appropriate displaySpecifier container. For example, "409" is English.
View the Properties for the user-Display object.
Modify the attributeDisplayNames attribute by adding a value in the format:
Your_new_Attribute,friendly_name
For example, for “TraCSUserDefADTest1” the value looks like this:
TraCSUserDefADTest1,TraCSUserDefADTest1
You may need to logout of the server or reboot in order to see your changes take effect in the interface.
email badgertracs@dot.wi.gov or call 608-267-2096