Hey Eric;
If you really want to make Windows AD better, make the DHCP scopes
tie in to the AD. As follows: if you make a scope on the DHCP server,
prompt for "Do you want to define this subnet to a site in the AD?" It
would save time and help some of us.
Thanks
Jon
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, August 12, 2004 10:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value
Even if you create an NC that is of type DomainDNS it doesn't assume
that you have the DNS namespace or want to register in it. For example,
in my environment here on my machine I have an NC that has the same name
as an actual domain on the corporate network. I don't think the IT group
would appreciate me registering in to their DNS zone. :)
However that is not to say that you couldn't do something different.
You're welcome to register SRV records for whatever you would like. We
just don't do that for you today. In the future, who knows. There's
always discussion around how to make these things better out of the box.
~Eric
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos
Magalhaes
Sent: Thursday, August 12, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value
Eric,
"SCPs are a reliable way to detect ADAM instances assuming that ADAM/AD
are configured to allow the registration of them. However using SCPs
assumes 1) ADAM is running in a domain that is >=2k (not NT4) 2) ADAM
service account is successfully registering those SCPs 3) You know what
forest an instance is running in (further remember that not all
instances have to run in the same forest)."
It assumes quite a bit; the main one is that you connected to the network
at installation of ADAM. If you are not, then it obviously does not
create the SCPs.
The assumption that you have permissions to register the SCPs is also
quite interesting as - "The application that creates a connection point
object, or any object, must have create child permissions for the object
class to be created in the container where the object will be created."
--- this assuming you are an Administrator or someone with similar power
when installing ADAM.
I am not saying my two methods are robust at all, I am just saying that
the SCPs are not that great either.
"The lack of robust DSA discovery was an intentional tradeoff we made
when we allowed you to create NCs that have no alignment with DNS in any
way. The fact that domain NCs align with a DNS namespace and we
mandate the registration of those records means we can assume that
certain records (SRV, A, etc.) are present for DSAs in that domain.
Since ADAM has no such mandate to give the administrator flexibility, we
lost the ability to make that assumption."
How about the wizard to select NCs and select which type of record to
set in the Domain's DNS... -- not that difficult.
Always love these posts :)
C
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, August 12, 2004 3:44 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value
I just read what your code is trying to do (I should have before I posted,
not just the replies).
An additional point above and beyond discovery is detection of the DSA
once connected. For that the most reliable mechanism is looking at
supportedCapabilities off of RootDSE. Through that you can figure out if
it is AD vs. ADAM, and also what version of each (AD on 2000, 2003,
etc.)
~Eric
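Eric's point above, reading supportedCapabilities off RootDSE to tell AD from ADAM and which version of each, as an added example that is not part of the thread. The classifier below is written in the C++ style of the original post; it takes the attribute values as a vector, or as the NULL-terminated char** that Winldap's ldap_get_values() returns, and maps the Microsoft capability OIDs (the LDAP_CAP_* values documented in MS-ADTS) to a DSA kind and capability level. The OID constants are defined locally so the example builds without the Windows SDK; the DsaInfo struct, classifyDsa() and the description strings are this example's own names, not an API of Winldap or ADAM.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Capability OIDs that Microsoft directory servers publish in the
// supportedCapabilities attribute of RootDSE (MS-ADTS, "LDAP Capabilities").
// The names mirror the LDAP_CAP_* macros in the Windows SDK; the values are
// defined here so this example builds without the SDK.
static const char *const CAP_AD      = "1.2.840.113556.1.4.800";   // Active Directory DSA
static const char *const CAP_AD_V51  = "1.2.840.113556.1.4.1670";  // Windows Server 2003 level
static const char *const CAP_AD_ADAM = "1.2.840.113556.1.4.1851";  // ADAM / AD LDS instance
static const char *const CAP_AD_V60  = "1.2.840.113556.1.4.2080";  // Windows Server 2008 level

enum DsaKind { DSA_UNKNOWN = 0, DSA_AD = 1, DSA_ADAM = 2 };

struct DsaInfo {
    DsaKind kind;
    std::string description;
};

// Classify the server from the supportedCapabilities values read off RootDSE
// (base DN "", LDAP_SCOPE_BASE, attribute "supportedCapabilities").
DsaInfo classifyDsa(const std::vector<std::string> &caps)
{
    bool ad = false, adam = false, v51 = false, v60 = false;
    for (std::size_t i = 0; i < caps.size(); i++) {
        if (caps[i] == CAP_AD)           ad = true;
        else if (caps[i] == CAP_AD_ADAM) adam = true;
        else if (caps[i] == CAP_AD_V51)  v51 = true;
        else if (caps[i] == CAP_AD_V60)  v60 = true;
    }

    DsaInfo info;
    // The ADAM OID is the distinguishing one, so test it before the generic AD OID.
    if (adam) {
        info.kind = DSA_ADAM;
        info.description = "ADAM / AD LDS instance";
    } else if (ad) {
        info.kind = DSA_AD;
        info.description = "Active Directory";
    } else {
        // No Microsoft capability OIDs at all: a non-Microsoft LDAP server,
        // or the attribute was not returned by the RootDSE read.
        info.kind = DSA_UNKNOWN;
        info.description = "not a Microsoft DSA (or supportedCapabilities not read)";
        return info;
    }
    if (v60)      info.description += " (2008-level capabilities)";
    else if (v51) info.description += " (2003-level capabilities)";
    else          info.description += " (2000-level capabilities)";
    return info;
}

// Convenience overload for the NULL-terminated char** that Winldap's
// ldap_get_values() returns. NULL means the attribute was absent, which is
// exactly the case the original poster hit; it is reported as DSA_UNKNOWN
// rather than dereferenced.
DsaInfo classifyDsa(const char *const *vals)
{
    std::vector<std::string> caps;
    for (std::size_t i = 0; vals != NULL && vals[i] != NULL; i++)
        caps.push_back(vals[i]);
    return classifyDsa(caps);
}
```

In the poster's code this replaces the ldap_compare_s() against domainDNS: do a base-scope search of RootDSE for supportedCapabilities, hand the returned vals pointer to classifyDsa(), and free it with ldap_value_free() afterwards. Because the result comes from RootDSE, it works before you know any naming context, which is what makes it usable against an ADAM instance whose defaultNamingContext is empty.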
________________________________
From: Eric Fleischman
Sent: Thu 8/12/2004 8:37 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value
It is worth noting that the detection of ADAM, even using mechanisms
Carlos outlined, is not nearly as robust as AD. It is a much higher
overhead and he is also making assumptions (like you are an admin on all
remote systems that you scan if looking in the registry, or you blindly
scan ports across the network and probably annoy some others).
SCPs are a reliable way to detect ADAM instances assuming that ADAM/AD
are configured to allow the registration of them. However using SCPs
assumes 1) ADAM is running in a domain that is >=2k (not NT4) 2) ADAM
service account is successfully registering those SCPs 3) You know what
forest an instance is running in (further remember that not all
instances have to run in the same forest).
The lack of robust DSA discovery was an intentional tradeoff we made
when we allowed you to create NCs that have no alignment with DNS in any
way. The fact that domain NCs align with a DNS namespace and we
mandate the registration of those records means we can assume that
certain records (SRV, A, etc.) are present for DSAs in that domain.
Since ADAM has no such mandate to give the administrator flexibility, we
lost the ability to make that assumption.
My $0.02
~Eric
________________________________
From: [EMAIL PROTECTED] on behalf of Harpreet_Kapoor
Sent: Thu 8/12/2004 5:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value
Hi,
Thank you so much... I have not worked much on ADAM and you are being a
great help.
Can you send me the tool that you have prepared and tell me the changes
that I need to make to my code in order to detect ADAM ? I shall be
thankful if you do so.
Also, how do I set the defaultNamingContext manually?
Thanks,
Harry
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos
Magalhaes
Sent: Thursday, August 12, 2004 1:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value
Harry,
ADAM does not implement the domainDNS structure like Active Directory
does; instead it uses Application Partitions, in your case
"dc=abcd,dc=com". I am not saying that you cannot add or use
domainDNS, I am just trying to highlight that ADAM was not designed to
work with the domainDNS structure like Active Directory was.
You will also find that your RootDSE defaultNamingContext is not
populated by default as it is in Active Directory. You have to populate
this attribute manually (very easy).
Now about your code, I am not sure what you mean by "trying to find the
value of ObjectClass". Are you trying to find all objects using the LDAP
filter "ObjectClass=*"?
The objectClass attribute contains the class of which the object is an
instance, as well as all classes from which that class is derived.
If you would like to see more detail including some code (which is what
I think you are trying to do) here is the link -
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/retrieving_the_objectclass_property.asp
Let us know how it goes. I also strongly suggest that you read ADAM's
technical reference document; a lot of work was put into it explaining
these concepts and it is one of the best ADAM documents around. You can find
it here --
http://www.microsoft.com/downloads/details.aspx?familyid=96c660f7-d932-4f59-852c-2844b343f3e0&displaylang=en
AD, ADAM or any LDAP programming? -
http://groups.yahoo.com/group/adsianddirectoryservices
Carlos Magalhaes Active Directory Programming MVP
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harpreet_Kapoor
Sent: Thursday, August 12, 2004 9:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADAM attribute value
We are trying to find the value of the "objectClass" attribute in ADAM.
For this we wrote the following code (Winldap; the base DN that the
fragment referred to as an undefined dcRoot is now a parameter, and the
LDAPUTIL_* values are our own status codes):

    #include <windows.h>
    #include <winldap.h>
    #include <iostream>
    using namespace std;

    int FindObjectClass(LDAP* ld, char* dcRoot)
    {
        char *attrs[2] = {"objectClass", NULL};
        LDAPMessage* result = NULL;
        // Subtree search under the root DN, asking only for objectClass
        int nResult = ldap_search_s (ld, dcRoot, LDAP_SCOPE_SUBTREE,
                                     "(objectClass=*)", attrs, 0, &result);
        if (nResult != LDAP_SUCCESS)
        {
            return LDAPUTIL_GETVERSIONFAIL;
        }
        int nentries = ldap_count_entries(ld, result);
        if (nentries <= 0)
        {
            if (result != NULL)
                ldap_msgfree (result);
            return LDAPUTIL_SUCCESS;
        }
        LDAPMessage* e = ldap_first_entry (ld, result);
        // Returns NULL when the entry carries no objectClass value
        char** vals = ldap_get_values (ld, e, attrs[0] );
        if (vals != NULL)
        {
            // objectClass is multi-valued, so walk every value
            for (int i = 0; vals[i] != NULL; i++)
            {
                cout<<"\n val["<<i<<"] "<<vals[i]<<endl;
            }
            ldap_value_free (vals);
        }
        if (result != NULL)
            ldap_msgfree (result);
        // LDAP_COMPARE_TRUE here means the root object is of class domainDNS
        nResult = ldap_compare_s (ld, dcRoot, "objectClass","domainDNS");
        if (nResult == LDAP_COMPARE_TRUE)
        {
            cout<<"Active Directory Application Mode(ADAM)";
            return LDAP_SUCCESS;
        }
        return nResult;
    }
Actually, our main aim is to find the value of objectClass for
ADAM (Active Directory Application Mode) for use in ldap_compare_s(). This
is why we wrote the code above to find the value of the objectClass
parameter.
I have the following questions:
1) We have observed that domainDNS works for Active Directory. Does it
also work for ADAM? In our case, it does not. If it does not, what is the
attribute value of objectClass in case of ADAM? In my case,
ldap_compare_s returns the value 0x10, which means that the attribute
does not exist. However, in ADAM, I can clearly see the attribute. But
when I give this value in ldap_compare_s(), it returns the error code
0x10. Is there any other attribute which can be used to identify the dc
objects on ADAM just as objectClass and its value domainDNS work for
Active Directory?
2) ldap_get_values() returns NULL. What could be the possible solution?
My configuration settings:
Root DN : dc=abcd,dc=com
Thanks,
Harry
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/