joe's absolutely right.  What's trying to be
accomplished is to publish new LDAPS SRV records for a
300+ DC environment.  But I don't want to just blindly
assume each DC properly enrolled with the CA (we had
problems like that at the beginning), and I'd really
like to avoid the overhead of touching each DC. 
Unfortunately, that's about the only viable method I
see.

We have a DCR in with MS to change the behavior so
that the DCs automatically publish LDAPS if it's
available.  But what we're hearing right now is that
it's probably not in the pipeline until LH SP1.

--- joe <[EMAIL PROTECTED]> wrote:

> LDAPS records aren't published by DCs, only LDAP
> records. I can assure you
> if it were that easy, David wouldn't have had an
> issue. From what I have
> seen, if a secure LDAP connection is required, the
> internal routines from
> MSFT simply locate a DC and go to the port. If LDAPS
> isn't hot, the
> connection is dropped with server down error.
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, October 05, 2006 6:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Discovering LDAPS
> availability
> 
> Couldn't you just query the DNS for the SRV record
> advertising it...
> 
> Matt Duguid
> Systems Engineer for Identity Services
> Department of Internal Affairs
> 
> Phone: +64 4 4748028 (wellington)
> Mobile: +64 21 1713290
> Fax: +64 4 4748894
> Address: Level 4, 47 Boulcott Street, Wellington CBD
> E-mail: [EMAIL PROTECTED]
> Web: http://www.dia.govt.nz/
> 
> 
> 
> From: David Loder <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> Date: 06/10/2006 08:56 a.m.
> Please respond to: ActiveDir
> To: ActiveDir@mail.activedir.org
> cc:
> Subject: [ActiveDir] Discovering LDAPS availability
> 
> 
> Other than directly testing the 636 port on each DC,
> can anyone suggest a method for an unprivileged
> client
> to discover whether or not LDAPS should be available
> on a specific DC?
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.activedir.org/ml/threads.aspx
> 



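One way to do the verification David describes before publishing anything (confirm that each DC actually answers on 636 with a certificate that chains to the enterprise CA, rather than assuming every DC enrolled), as an added example that is not part of this thread or any Microsoft tooling. The `_ldaps._tcp` owner name, the CA bundle path and the DC names are assumptions and placeholders.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Iterable, List, Optional

LDAPS_PORT = 636


@dataclass
class LdapsCheck:
    dc: str          # DC host name (FQDN)
    reachable: bool  # TCP connect to 636 succeeded
    cert_ok: bool    # TLS handshake completed with a cert chaining to the CA bundle
    detail: str


def check_ldaps(dc: str, ca_bundle: str, timeout: float = 5.0) -> LdapsCheck:
    """Connect to dc:636 and complete a TLS handshake, validating the DC's server
    certificate against the enterprise CA bundle and checking the host name.
    A DC that never enrolled for a server certificate has nothing to offer on
    636, so either the TCP step or the handshake fails and the DC is flagged."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # verifies chain + hostname
    try:
        with socket.create_connection((dc, LDAPS_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=dc) as tls:
                subject = tls.getpeercert().get("subject")
                return LdapsCheck(dc, True, True, f"TLS ok, subject={subject}")
    except ssl.SSLError as exc:
        return LdapsCheck(dc, True, False, f"handshake/certificate failure: {exc}")
    except OSError as exc:
        return LdapsCheck(dc, False, False, f"port {LDAPS_PORT} unreachable: {exc}")


def srv_records(checks: Iterable[LdapsCheck], domain: str,
                site: Optional[str] = None, ttl: int = 600) -> List[str]:
    """Build zone-file SRV lines only for DCs that passed both checks.
    The _ldaps._tcp owner name is an assumption: DCs do not register such a
    record themselves (as joe notes), so it only serves your own tooling."""
    owner = (f"_ldaps._tcp.{domain}." if site is None
             else f"_ldaps._tcp.{site}._sites.{domain}.")
    return [f"{owner} {ttl} IN SRV 0 100 {LDAPS_PORT} {c.dc}."
            for c in checks if c.reachable and c.cert_ok]


if __name__ == "__main__":
    # Constructed placeholders: replace with the DC list obtained from the
    # _ldap._tcp.dc._msdcs SRV records and the exported enterprise CA chain.
    dcs = ["dc01.corp.example", "dc02.corp.example"]
    results = [check_ldaps(dc, "/etc/ssl/corp-enterprise-ca.pem") for dc in dcs]
    for r in results:
        print(f"{r.dc}: {r.detail}")
    print("\n".join(srv_records(results, "corp.example")))
```

The script only emits a record for a DC whose handshake verified, so DCs that never enrolled with the CA show up in the failure output instead of being advertised; Microsoft's own client code will still not consult the record, so it helps only clients you control.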