Solved

Windows Server 2003 dsHeuristics attribute on the DN path

Posted on 2004-10-05
1,754 Views
Last Modified: 2012-06-21
With the Windows Server 2003 family version RC1, only authenticated users may initiate an LDAP request against Windows Server 2003-based domain controllers. You can override this new default behavior by changing the seventh character of the dsHeuristics attribute on the DN path:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,Root domain in forest

I have tried adsiedit and ldp, but cannot find the above string. Can someone provide a bit more detail? I am trying to enable anonymous ldap queries.

Thank you
0
Question by:xpedia
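An added example, not from this thread or from Microsoft: a small audit helper that takes the dsHeuristics value read from the DN above (for instance with ldp.exe or ADSI Edit), reports whether its seventh character permits anonymous LDAP operations, and computes the value that blocks them again. The sample values at the bottom are constructed.

```python
"""Audit the dsHeuristics seventh character (anonymous LDAP operations).

The attribute lives on CN=Directory Service,CN=Windows NT,CN=Services,
CN=Configuration,<forest root>. Assumption: the value is passed in as the
plain string the LDAP tools display (or None when the attribute is absent).
"""
from typing import Dict, List, Optional

# 1-based position of the character that controls anonymous LDAP operations.
ANON_OPS_POS = 7
# '2' at that position allows anonymous operations on Windows Server 2003;
# '0', or an absent / too-short attribute, keeps the default (blocked).
ANON_OPS_ALLOWED = "2"


def anonymous_ldap_allowed(ds_heuristics: Optional[str]) -> bool:
    """True only if the seventh character of dsHeuristics is '2'."""
    value = (ds_heuristics or "").strip()
    return len(value) >= ANON_OPS_POS and value[ANON_OPS_POS - 1] == ANON_OPS_ALLOWED


def format_problems(ds_heuristics: str) -> List[str]:
    """Every tenth character is a position marker (10th '1', 20th '2', ...);
    a wrong marker usually means someone miscounted when editing the value."""
    problems = []
    for pos in range(10, len(ds_heuristics) + 1, 10):
        expected = str(pos // 10)
        if ds_heuristics[pos - 1] != expected:
            problems.append(f"character {pos} should be '{expected}'")
    return problems


def hardened_value(ds_heuristics: Optional[str]) -> str:
    """Value with the seventh character reset to '0' (anonymous operations
    blocked). Trailing zeros are defaults, so they are trimmed; an empty
    result means the attribute can simply be cleared."""
    value = list((ds_heuristics or "").strip())
    if len(value) >= ANON_OPS_POS:
        value[ANON_OPS_POS - 1] = "0"
    return "".join(value).rstrip("0")


def audit(ds_heuristics: Optional[str]) -> Dict[str, object]:
    value = (ds_heuristics or "").strip()
    return {"value": value, "anonymous_ldap_allowed": anonymous_ldap_allowed(value),
            "problems": format_problems(value), "hardened": hardened_value(value)}


if __name__ == "__main__":
    # Constructed samples: absent, anonymous enabled, default, miscounted edit.
    for sample in (None, "0000002", "0000000001", "00000020001"):
        print(audit(sample))
```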
14 Comments
 
LVL 16

Expert Comment

by:JamesDS
ID: 12235146
xpedia
This article describes what you are trying to achieve and how to do it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;320528

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12237939
Hi James, I did see the article earlier, but it says:

The information in this article applies to:

    * Microsoft Windows 2000 Server SP1
    * Microsoft Windows 2000 Server SP2
    * Microsoft Windows 2000 Server SP3
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12240418
xpedia
My own research suggests that this will also work for windows 2003.

You are adding a permission to the root of the Domain Naming Context. This is not a destructive change (provided you follow the instructions carefully!) and can easily be reversed out if it does not solve the problem.

It is obviously preferable to test it first in a test environment, but if you don't have that luxury then this is the only option I am aware of.

Cheers

JamesDS
0

 
LVL 1

Author Comment

by:xpedia
ID: 12240952
Hi James, thanks for the information! I don't have a test environment, so I'll have to play chicken here. The Unix guys will just have to find a way to get their mail clients to authenticate to a GC for GAL access.

The article I was referring to in my opening was:
http://support.microsoft.com/default.aspx?scid=kb;en-us;326690
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12246032
xpedia
OK, going back to the original Q. You say you can't find the string. Is it that you can't find the actual setting, or that the entire DN means nothing to you?

Also, are you running your domain in full native Windows 2003 mode?

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12246627
There are no 2000 DCs, but not native mode yet. I cannot find the actual setting, but I think I see where you may be going with this. No string until native?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12248366
xpedia
That's what I'm thinking. Is there a reason you have not gone full native mode yet??

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12249159
During the past week I moved all the roles off the 2000 servers and ran dcpromos. I was waiting to see if anything broke. So far the only thing was the phone list on the company intranet. I changed the LDAP port from 389 to 3268. I was planning to wait until next week before going native.

Thanks James!
0
 
LVL 16

Accepted Solution

by:JamesDS
JamesDS earned 125 total points
ID: 12250654
xpedia
Not promising anything, but I checked my own W2k3 domain (already full native) and it's there.

It occurs to me that you may have been looking in the wrong place :( so, if you send me an email (look in my profile) I'll mail you back a screen dump of mine.

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12250789
Hi James,
You are correct, I just did not look in the right place!
Thank you very much

Eddie
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12250819
Eddie

hey, you're welcome - hope it works for you!

Cheers

James
0
 
LVL 1

Author Comment

by:xpedia
ID: 12254821
For those of you following this thread, anonymous LDAP queries are now working.
0
 

Expert Comment

by:netezza
ID: 13156292
I have the same problem but cannot find this string using either tool. I do not believe my AD is running in native mode, as we migrated from an NT4 domain about 6 months ago. Could this be the reason I cannot see it? Authenticated LDAP queries work just fine.

Thanks!!

Please help!
0
 

Expert Comment

by:netezza
ID: 13156897
I found my answer digging a bit more. Hope this link will help others.

http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx#EDAA

Mike
0
