Solved

Windows Server 2003 dsHeuristics attribute on the DN path

Posted on 2004-10-05
14
1,760 Views
Last Modified: 2012-06-21
With the Windows Server 2003 family version RC1, only authenticated users may initiate an LDAP request against Windows Server 2003-based domain controllers. You can override this new default behavior by changing the seventh character of the dsHeuristics attribute on the DN path:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,Root domain in forest

I have tried adsiedit and ldp, but cannot find the above string. Can someone provide a bit more detail? I am trying to enable anonymous ldap queries.

Thank you
0
Comment
Question by:xpedia
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
  • 2
14 Comments
 
LVL 16

Expert Comment

by:JamesDS
ID: 12235146
xpedia
This article describes what you are trying to achieve and how to do it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;320528

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12237939
Hi James, I did see the article earlier, but is says for :

The information in this article applies to:

    * Microsoft Windows 2000 Server SP1
    * Microsoft Windows 2000 Server SP2
    * Microsoft Windows 2000 Server SP3
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12240418
xpedia
My own research suggests that this will also work for windows 2003.

You are adding a permission to the root of the Domain Naming Context. This is not a destructive change (provided you follow the instructions carefully!) and can easily be reversed out if it does not solve the problem.

It is obviously preferable to test it first in a test environment, but if you don't have that luxury then this is the only option I am aware of.

Cheers

JamesDS
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 1

Author Comment

by:xpedia
ID: 12240952
Hi James, thanks for the information! I don't have a test environment, so I'll have to play chicken here. The Unix guys will just  have to find a way get their mail clients to authenticatate to a GC for GAL access.

The article I was referring to in my opening  was:
http://support.microsoft.com/default.aspx?scid=kb;en-us;326690
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12246032
xpedia
ok, going back to the original Q. You say you can't find the string. Is it that you can't find the actual setting - or that the entire DN means nothing to you?

Also, Are you running your domain in full native Windows 2003 mode?

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12246627
There are no 2000 DC's but not native mode yet. I cannot find the actual setting, but I think I see where you may be going with this. No string until native?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12248366
xpedia
That's what I'm thinking. Is there a reason you have not gone full native mode yet??

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12249159
During the past week I moved all the roles off the 2000 servers and ran dcpromo's.  I was waiting to see if anything broke. So far the only thing was the phone list on the company intranet. I changed the ldap port from 389 to 3268. I was planning to wait until next week before going native.

Thanks James!
0
 
LVL 16

Accepted Solution

by:
JamesDS earned 125 total points
ID: 12250654
xpedia
Not promising anything, but I checked my own W2k3 domain (already full native) and it's there.

It occurs to me that you may have been looking in the wrong place :( so, if you send me an email (look in my profile) i'll mail you back a screen dump of mine.

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12250789
Hi James,
You are correct, I just did not look in the right place!
Thank you very much

Eddie
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12250819
Eddie

hey, you're welcome - hope it works for you!

Cheers

James
0
 
LVL 1

Author Comment

by:xpedia
ID: 12254821
For those of you following this thread, anonymous LDAP queries are now working.
0
 

Expert Comment

by:netezza
ID: 13156292
I have the same problem but cannot find this string using either tool. I do not believe my Ad is running in Native mode, as we migrated from a NT4 domain about 6 months ago. Could this be the reason I cannot see it? Authenticated ldap queries work just fine.

Thanks!!

Please help!
0
 

Expert Comment

by:netezza
ID: 13156897
I found my answer digging a bit more. Hope this link will help others.


http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx#EDAA



Mike
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
Come and listen to Percona CEO Peter Zaitsev discuss what’s new in Percona open source software, including Percona Server for MySQL (https://www.percona.com/software/mysql-database/percona-server) and MongoDB (https://www.percona.com/software/mongo-…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question