The alternate solution I previously mentioned to David and his cohorts in
crime was a distasteful but functional solution of writing their own service
or script to register the records based on that script/service querying the
DCs and getting their LDAPS capability at any given point and then being
aware that there will be some level of latency there.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
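The script/service joe describes above (query each DC for its LDAPS capability, register `_ldaps` SRV records only for the DCs that pass, and accept some latency), together with David's point that a DC should not simply be assumed to have enrolled with the CA correctly, as an added example. This is Python written for this page, not code from anyone in the thread; the domain name, DC list and CA bundle path are constructed placeholders. The probe counts a DC as ready only when a TLS handshake on 636 succeeds and the certificate chains to the enterprise CA bundle and matches the host name, so a DC that listens but presents a bad or unrelated certificate is not advertised, and records for DCs that stop passing are scheduled for deletion rather than left in DNS.

```python
"""Discover which DCs actually answer LDAPS and work out the _ldaps SRV
records to add or delete.  Added example, not code from the mailing-list
thread.  Domain, DC names and CA bundle path below are constructed values."""
import socket
import ssl
from typing import Callable, Dict, Iterable, List

LDAPS_PORT = 636
SRV_TTL = 600  # seconds; also bounds how long a stale record can linger


def probe_ldaps(host: str, ca_bundle: str, timeout: float = 3.0) -> bool:
    """True only if a TLS handshake on 636 succeeds AND the DC's certificate
    verifies against the enterprise CA bundle and matches `host`.

    A DC whose certificate does not verify (the "didn't enrol properly"
    case) is reported as not ready, the same as a DC with nothing on 636.
    A missing CA bundle raises rather than silently failing every DC."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, LDAPS_PORT), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True  # handshake and chain validation both succeeded
    except (OSError, ssl.SSLError):
        # refused, timed out, handshake failed, or certificate did not verify
        return False


def srv_record(domain: str, dc_fqdn: str, priority: int = 0, weight: int = 100) -> str:
    """Zone-file form of the _ldaps._tcp SRV record for one DC."""
    return f"_ldaps._tcp.{domain}. {SRV_TTL} IN SRV {priority} {weight} {LDAPS_PORT} {dc_fqdn}."


def reconcile(domain: str, dcs: Iterable[str], published: Iterable[str],
              prober: Callable[[str], bool]) -> Dict[str, List[str]]:
    """One pass of the registration service.

    `dcs` is the full DC list (e.g. from the domain's _ldap SRV records),
    `published` the DC names currently carried in _ldaps SRV records.
    Returns records to add (DCs that pass the probe but are not published)
    and to delete (published DCs that no longer pass), plus the unchanged set."""
    ready = {dc for dc in dcs if prober(dc)}
    published = set(published)
    return {
        "add": sorted(srv_record(domain, dc) for dc in ready - published),
        "delete": sorted(srv_record(domain, dc) for dc in published - ready),
        "unchanged": sorted(ready & published),
    }


if __name__ == "__main__":
    # Constructed placeholders: substitute the real domain, DC list and CA bundle.
    DOMAIN = "example.corp"
    DCS = ["dc1.example.corp", "dc2.example.corp", "dc3.example.corp"]
    CA_BUNDLE = "/path/to/enterprise-ca.pem"  # placeholder path
    plan = reconcile(DOMAIN, DCS, published=[],
                     prober=lambda h: probe_ldaps(h, CA_BUNDLE))
    for rr in plan["add"]:
        print("add    ", rr)
    for rr in plan["delete"]:
        print("delete ", rr)
```

Run it on a schedule and feed the add/delete lists to whatever updates the zone. The latency joe mentions is real: the SRV data lags the DCs by the run interval plus the record TTL, so a client that finds a record must still cope with a refused connection on 636 rather than treat the record as a guarantee.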
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, October 11, 2006 3:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Discovering LDAPS availability

The project that I'm working on makes heavy use of LDAPS.  However, at the 
moment, we favour the latter statement - the built DCs don't leave "staging" 
until the certs are pulled.  They must be signed off, and that's one of the 
last items on the deployment check list.

We'll probably automate this check soon, but we're too busy with automating 
the builds at the moment.

Personally, I like the idea of _ldaps SRV RRs.  Although I can appreciate 
there's a bit more to it from MSFT's point of view than simply getting 
NETLOGON to register them in DNS.


--Paul

----- Original Message ----- 
From: "joe" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Tuesday, October 10, 2006 10:45 PM
Subject: RE: [ActiveDir] Discovering LDAPS availability


> Hmm doesn't look like anyone else has figured this out or just doesn't
> deploy LDAPS or alternately makes sure every DC is capable of LDAPS.
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Loder
> Sent: Friday, October 06, 2006 8:51 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Discovering LDAPS availability
>
> joe's absolutely right.  What's trying to be
> accomplished is to publish new LDAPS SRV records for a
> 300+ DC environment.  But I don't want to just blindly
> assume each DC properly enrolled with the CA (we had
> problems like that at the beginning), and I'd really
> like to avoid the overhead of touching each DC.
> Unfortunately, that's about the only viable method I
> see.
>
> We have a DCR in with MS to change the behavior so
> that the DCs automatically publish LDAPS if it's
> available.  But what we're hearing right now is that
> it's probably not in the pipeline until LH SP1.
>
> --- joe <[EMAIL PROTECTED]> wrote:
>
>> LDAPS records aren't published by DCs, only LDAP
>> records. I can assure you
>> if it were that easy, David wouldn't have had an
>> issue. From what I have
>> seen, if a secure LDAP connection is required, the
>> internal routines from
>> MSFT simply locate a DC and go to the port. If LDAPS
>> isn't hot, the
>> connection is dropped with server down error.
>>
>>
>> --
>> O'Reilly Active Directory Third Edition -
>> http://www.joeware.net/win/ad3e.htm
>>
>>
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On
>> Behalf Of
>> [EMAIL PROTECTED]
>> Sent: Thursday, October 05, 2006 6:28 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] Discovering LDAPS
>> availability
>>
>> Couldn't you just query the DNS for the SRV record
>> advertising it...
>>
>> Matt Duguid
>> Systems Engineer for Identity Services
>> Department of Internal Affairs
>>
>> Phone: +64 4 4748028 (wellington)
>> Mobile: +64 21 1713290
>> Fax: +64 4 4748894
>> Address: Level 4, 47 Boulcott Street, Wellington CBD
>> E-mail: [EMAIL PROTECTED]
>> Web: http://www.dia.govt.nz/
>>
>>
>>
>> From: David Loder <[EMAIL PROTECTED]>
>> Sent by: [EMAIL PROTECTED]
>> Sent: 06/10/2006 08:56 a.m.
>> Please respond to ActiveDir
>> To: ActiveDir@mail.activedir.org
>> cc:
>> Subject: [ActiveDir] Discovering LDAPS availability
>>
>>
>> Other than directly testing the 636 port on each DC,
>> can anyone suggest a method for an unprivileged
>> client
>> to discover whether or not LDAPS should be available
>> on a specific DC?
>>
>> List info   : http://www.activedir.org/List.aspx
>> List FAQ    : http://www.activedir.org/ListFAQ.aspx
>> List archive:
>> http://www.activedir.org/ml/threads.aspx
>
>
