Dec 30, 2008

How Outlook contact properties map to LDAP attributes

>>>>>>> Taken from OpenLDAP <<<<<<<<

. Outlook Field - LDAP Attribute(s) (1)
. Name - cn, display-name
. E-Mail Address - mail (2)
. Home Phone - homePhone
. Pager - officePager, pager (3)
. Mobile - mobile
. Personal Web Page
. Business Phone - telephoneNumber
. Business FAX - officeFAX, facsimileTelephoneNumber
. Job Title - title

Sep 22, 2008

VB applet that create event logs on Windows 2000 servers

Recently I've been working on a monitoring solution so I need a tool that can generate event logs to trigger the monitoring agent. There are a few tools from MS Support Tools or Resource Kit Tools that can do this but they all have some limitations. For example, some can create logs for existing sources, the other can't create log for existing source/ID.

Blackhole routers and how they affect your AD environment

Recently I've been working on a Kerberos authentication issue with servers that connect to DCs via VPN. The servers can join domain fine, users can log into domain from these servers, and browsing domain resources seem no problem. However, for a particular application, it always fails to get the AS ticket from DC.

Apr 4, 2008

RPC troubleshooting basics

1. Verify the status and startup type for the following services on the server that gets the error:Type of computer RPC service RPC Locator service
Windows Server 2003-based domain controller Started, Automatic Stopped, Manual
Windows Server 2003-based member server Started, Automatic Stopped, Manual
Windows Server 2003-based standalone server Started, Automatic Stopped, Manual
Windows 2000 Server-based domain controller Started, Automatic Started, Automatic
Windows 2000 Server-based member server Started, Automatic Started, Manual
Windows 2000 Server-based standalone server Started, Automatic Stopped, Manual
If you make any changes to the RPC service or to the RPC Locator service settings, restart the computer, and then test for the problem again.
2. Verify that the following keys exist in the registry (the keys are grouped according to operating system).

Windows XP, Windows Server 2003 and Microsoft Windows 2000

Verify that the ClientProtocols key exists under the HKEY_Local_Machine\Software\Microsoft\Rpcregistry subkey and that the ClientProtocolsentry contains at least the following five default values: Name Type Data
ncacn_http REG_SZ rpcrt4.dll
ncacn_ip_tcp REG_SZ rpcrt4.dll
ncacn_nb_tcp REG_SZ rpcrt4.dll
ncacn_np REG_SZ rpcrt4.dll
ncacn_ip_udp REG_SZ rpcrt4.dll

3. Verify that DNS is working correctly.
4. Verify connectivity:
1) Ports greater than 1024 are not blocked. (portqry)
2) Not blackhole in network path (ping -l -f)
3) Firewall/AV/Backup software/NIC drivers etc.
4) there are ports available for RPC (netstat)

Mar 13, 2008

Beyond AdminSDHolder Object

Many people should know the object AdminSDHolder and what it does by now. It checks and reverts back protected group's ACL periodically, if found modified. This is a desirable feature (if you know how it works otherwise you will really be surprised). However, on the top of the above knowledge, it's also tricky to get a user's permission changed if he is a former member of protected group.

For example, if John was Domain Admin and later became a normal user. You will find out that John's permission still gets reverted periodically. This is very hard to figure if you didn't know the history of John's account. To correct this, two things need to be done before permissions can be changed.

1. Change adminCount's value to 0
2. Enable "inheritance"

Feb 14, 2008

Alternative Way To Recover Deleted Objects

The recommended way to recover a deleted user or group is through Authorized Restore. It's not always desirable, however. It requires you to take the DC offline, normally for a time length that most of business can't tolerant, depending on how fast you can retore from backup.

With Windows 2003 AD, Microsoft provides another way to move tomestoned objects back to their original state, partially. Basically, you have to specify "Return Deleted Objects" in order to search deleted objects; and you then remove its isDeleted attribute and replace the DN with the location you want this object to be.

Side note: Controls are a mechanism, defined in the LDAP standard, used to extend the LDAP protocol to provide additional functionality beyond what is defined in standard LDAP while remaining compatible with other LDAP-compliant software. AD supports 22 controls, including "return Deleted Objects" control.