Changes Made During Installation

Running the Schema Extension Wizard adds the following data to Active Directory.

Active Directory Containers

The Schema Extension Wizard installs two subcontainers in the Active Directory System container. They contain information administrators can use to verify and administer the DigitalPersona AD Server installation. In the ADUC (Active Directory Users and Computers) Snap-in, ensure that Advanced Features is selected from the View menu in order to view the System container.

The new containers installed are the BAS (Biometric Authentication Servers) container and the Licenses container.

The Biometric Authentication Servers container provides the objectCategory and objectClass for the BAS.

The Licenses container stores the license files for DigitalPersona AD products.

Published Information

DigitalPersona AD Server publishes its service using the following properties:

  • Service Class Name, set to Authentication Service.

  • Service Class GUID, set to {EFE03FEC-2A6C-4DFB-9B56-E3BC77F32D7F}.

  • Vendor Name, set to DigitalPersona.

  • Product Name, set to UareUPro.

  • Product GUID, set to {48F74E29-1CC0-468F-A0A0-8236628A5170}.

  • Authentication Server Object Name, the DNS name of the host computer.

  • Service Principal Name, a unique name identifying the instance of a service for a client.

  • Schema Version Number, the version of the Active Directory schema extension.

  • Product Version Number, the version of DigitalPersona AD Server software.

  • Product Version High, set to [current version].

  • Product Version Low, set to [current version].

  • Keywords for searching the server are Service Class GUID, Vendor Name, Product Name and Product GUID. The keyword values are the same as the property values listed in this section.

The Server publishes its service in compliance with the Active Directory Service Connection Point specifications.
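As an added verification script (not part of the DigitalPersona documentation), the following PowerShell lists the containers the wizard places under the System container and locates the Service Connection Point by the keywords listed above. It assumes the ActiveDirectory module (RSAT) is available, that the host DNS name is stored in the SCP's serviceDNSName attribute, and that keyword values are stored exactly as the property values shown (the GUID is tried with and without braces):

```powershell
# Added verification script, not part of the DigitalPersona documentation.
# Assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$systemDN = "CN=System,$domainDN"

# 1. List the containers directly under System so the BAS and Licenses
#    containers added by the Schema Extension Wizard can be confirmed by name.
Get-ADObject -SearchBase $systemDN -SearchScope OneLevel -Filter 'objectClass -eq "container"' |
    Select-Object Name, DistinguishedName

# 2. Locate the Service Connection Point(s) published by DigitalPersona AD Server.
#    The keyword string format (with or without braces) is an assumption, so both are tried.
$productGuid = '48F74E29-1CC0-468F-A0A0-8236628A5170'
$filter = "(&(objectClass=serviceConnectionPoint)(|(keywords=DigitalPersona)(keywords=$productGuid)(keywords={$productGuid})))"
$scps = Get-ADObject -LDAPFilter $filter -SearchBase $domainDN -Properties keywords, serviceClassName, serviceDNSName

if (-not $scps) {
    Write-Warning "No DigitalPersona SCP found under $domainDN"
}
foreach ($scp in $scps) {
    [pscustomobject]@{
        Server       = $scp.serviceDNSName      # assumed to hold the host DNS name
        ServiceClass = $scp.serviceClassName
        Keywords     = ($scp.keywords -join '; ')
        DN           = $scp.DistinguishedName
    }
}
```

Run this on a domain-joined administrative workstation after the wizard completes; an empty SCP result means workstations cannot discover the server through Active Directory.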

DNS Registration

The use of DNS registration enables DigitalPersona AD Workstations to locate DigitalPersona AD Servers without needing additional local configuration to do so. If your DNS Server supports dynamic registration, DigitalPersona AD Server registers itself with the DNS using the service name, _dpproent.

The format of the DNS resource records for DigitalPersona AD Server is:

_dpproent._tcp.[domain] 600 IN SRV 0 100 0 [server name]

_dpproent._tcp.[site name]._sites.[domain] 600 IN SRV 0 100 0 [server name]

DigitalPersona AD Server calculates site coverage based on the availability of other DigitalPersona AD Servers on the domain (as well as sites configured for the domain) and then creates Service Resource Records (SRV RRs) for the domain and sites it covers.
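The following added PowerShell check (not part of the DigitalPersona documentation) performs the same lookup a DigitalPersona AD Workstation relies on: it resolves the domain-wide and site-specific _dpproent SRV records for the computer's own domain and site, and orders the results the way SRV clients do (lowest priority first, then highest weight). It assumes a domain-joined Windows host with the built-in Resolve-DnsName cmdlet:

```powershell
# Added lookup check, not part of the DigitalPersona documentation.
# Runs on a domain-joined workstation; uses only built-in cmdlets and .NET.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$site   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

$names = @(
    "_dpproent._tcp.$domain",                 # domain-wide record
    "_dpproent._tcp.$site._sites.$domain"     # site-specific record
)

$found = foreach ($n in $names) {
    try {
        Resolve-DnsName -Name $n -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |        # drop additional A/AAAA records
            ForEach-Object {
                [pscustomobject]@{
                    Query    = $n
                    Target   = $_.NameTarget
                    Priority = $_.Priority
                    Weight   = $_.Weight
                    Port     = $_.Port
                    TTL      = $_.TTL
                }
            }
    } catch {
        Write-Warning "No SRV record for $n : $($_.Exception.Message)"
    }
}

if (-not $found) {
    Write-Warning "No _dpproent SRV records found; workstations will fall back to local enrollment and authentication."
} else {
    # Lower priority wins; among equal priorities, higher weight receives more of the load.
    $found | Sort-Object Priority, @{Expression = 'Weight'; Descending = $true} | Format-Table -AutoSize
}
```

If only the domain-wide record resolves, site coverage was not calculated for this site; if neither resolves, check the DNS settings in the Administrative Template or register the records manually as described below.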

Settings in the DigitalPersona AD Administrative Template govern whether or not DigitalPersona AD Server uses dynamic registration; the template also contains other DNS-related settings.

Automatic Registration

By default, DigitalPersona AD Server registers itself with DNS every time it starts, refreshes the registration automatically at specified intervals, and unregisters itself every time it stops.

When DigitalPersona AD Server unregisters itself, it removes only the records it has created during automatic registration. Records entered by the administrator will be unaffected.

Automatic Registration may be disabled through a GPO setting.

Manual DNS Registration

If your DNS Server does not support dynamic registration, or if dynamic registration is disabled through a DigitalPersona AD GPO setting, an administrator can manually register the DigitalPersona AD Servers by entering the DNS resource records in the format shown above.

You can view the default values of settings created during DigitalPersona AD Server setup by opening the U.are.UPro.DNS file in Notepad. It is located in the Program Files\DigitalPersona\bin folder.

To manually register a DigitalPersona AD Server in Microsoft DNS:

  1. Open the DNS console and expand the Forward Lookup Zone.

  2. In the left pane, select and then right-click on [domainname], and select Other New Records in the context menu.

  3. In the Resource Record Type dialog box, click on Service Location, and then click the Create Record button.

  4. In the New Resource Record dialog, set the following values:

    • Service: _dpproent

    • Weight: 100

    • Port Number: 0

    • Host offering this service: domaincomputername.domainname.com

  5. Click OK to save the settings and return to the main DNS console window.

  6. Under the same [domainname], expand the _sites key.

  7. In the left pane, select and then right-click on Default-First-Site-Name and select Other New Records from the context menu.

  8. Repeat steps 3 through 5 for each DigitalPersona AD server that you want to register.
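The same registration can be scripted on a Windows DNS server with the DnsServer module, which is useful when several servers or sites must be registered consistently. This added example is not part of the DigitalPersona documentation; the zone name, site name and server FQDNs are placeholder assumptions, and the TTL, priority, weight and port values follow the record format shown earlier:

```powershell
# Added example, not part of the DigitalPersona documentation. Equivalent of
# the console steps above, using the DnsServer module on a Windows DNS server
# (add -ComputerName to each cmdlet to run remotely). Placeholder values are assumptions.
Import-Module DnsServer

$zone     = 'example.com'                     # [domainname] placeholder
$siteName = 'Default-First-Site-Name'
$servers  = @('dpserver01.example.com')       # one FQDN per DigitalPersona AD Server (placeholder)
$ttl      = New-TimeSpan -Seconds 600         # matches the 600 s TTL in the record format

foreach ($server in $servers) {
    # Domain-wide record: _dpproent._tcp.[domain]
    Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_dpproent._tcp' `
        -DomainName $server -Priority 0 -Weight 100 -Port 0 -TimeToLive $ttl

    # Site record: _dpproent._tcp.[site name]._sites.[domain]
    Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name "_dpproent._tcp.$siteName._sites" `
        -DomainName $server -Priority 0 -Weight 100 -Port 0 -TimeToLive $ttl
}

# Confirm what was written under both paths
foreach ($name in '_dpproent._tcp', "_dpproent._tcp.$siteName._sites") {
    Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType Srv |
        Select-Object HostName,
            @{n = 'Target';   e = { $_.RecordData.DomainName }},
            @{n = 'Priority'; e = { $_.RecordData.Priority }},
            @{n = 'Weight';   e = { $_.RecordData.Weight }},
            @{n = 'Port';     e = { $_.RecordData.Port }},
            TimeToLive
}
```

Priority and Weight are the two knobs for load distribution between multiple servers: give equal priority to servers that should share load and adjust Weight to skew it, or use a higher priority number for a server that should only be used when the preferred ones are unavailable.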

If the DP Service Resource Records (SRV RRs) are not added, either dynamically or manually, the DigitalPersona AD Workstation will not be able to find the Servers and will perform fingerprint enrollment and authentication locally.

Improving Performance

The Priority and Weight settings can be modified to achieve better response time and load-balancing in the _dpproent Properties dialog box, which is accessible by double-clicking _dpproent in the DNS Console.

The _dpproent SRV RRs can be found in the following paths in the DNS Console:

DNS/[DNS server]/Forward Lookup Zones/[domain]/_tcp

DNS/[DNS server]/Forward Lookup Zones/[domain]/_sites/[site name]/_tcp

Adding SRV RRs Manually

If your DNS does not support dynamic registration, you will have to add these SRV RRs manually. For your convenience, these entries are stored in a file, UareUPro.DNS, which is located in the folder in which you installed DigitalPersona AD Server.

Configuring DNS Dynamic Registration

Additional parameters for configuring DNS registration are available in the DigitalPersona AD Administrative Template when added to the governing GPO.