Solved

Windows Server 2003 dsHeuristics attribute on the DN path

Posted on 2004-10-05
Last Modified: 2012-06-21
With the Windows Server 2003 family version RC1, only authenticated users may initiate an LDAP request against Windows Server 2003-based domain controllers. You can override this new default behavior by changing the seventh character of the dsHeuristics attribute on the DN path:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,Root domain in forest

I have tried adsiedit and ldp, but cannot find the above string. Can someone provide a bit more detail? I am trying to enable anonymous LDAP queries.

Thank you
Question by:xpedia
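
For anyone auditing this setting rather than changing it, here is an added example (not part of the original question and not Microsoft's code). It expands the "Root domain in forest" placeholder in the DN above into DC= components and checks whether the seventh character of a dsHeuristics value turns on anonymous LDAP operations. The forest names and sample values are constructed; "2" in the seventh position is the value Microsoft documents as permitting anonymous operations.

```python
# Added example: audit dsHeuristics values for the anonymous-LDAP setting.
# All forest names and attribute values below are constructed samples.

SETTINGS_RDN = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration"


def directory_service_dn(forest_root_dns):
    """Expand 'Root domain in forest' into DC= components of the forest root."""
    labels = [p for p in forest_root_dns.strip(".").split(".") if p]
    if not labels:
        raise ValueError("forest root DNS name is empty")
    return SETTINGS_RDN + "," + ",".join("DC=" + p for p in labels)


def anonymous_ops_enabled(ds_heuristics):
    """Return True only when the seventh character is '2'.

    An unset attribute, or a value shorter than seven characters, leaves the
    Windows Server 2003 default in place (authenticated users only).
    """
    if not ds_heuristics or len(ds_heuristics) < 7:
        return False
    return ds_heuristics[6] == "2"


def audit(forests):
    """Return (dn, value, finding) tuples for a {forest_dns_name: value} map."""
    report = []
    for dns_name, value in sorted(forests.items()):
        if anonymous_ops_enabled(value):
            finding = "ANONYMOUS LDAP ENABLED"
        else:
            finding = "default (authenticated only)"
        report.append((directory_service_dn(dns_name), value, finding))
    return report


# Constructed sample: attribute unset, override set, short value, long value.
SAMPLE = {
    "corp.example.com": None,
    "lab.example.com": "0000002",
    "old.example.com": "001",
    "dmz.example.com": "0000000001",
}

if __name__ == "__main__":
    for dn, value, finding in audit(SAMPLE):
        print(f"{finding:30} dsHeuristics={value!r:14} {dn}")
```

Even when the override is set, what an anonymous client can read is still limited by the ACLs on the objects themselves.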
14 Comments
 
LVL 16

Expert Comment

by:JamesDS
ID: 12235146
xpedia
This article describes what you are trying to achieve and how to do it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;320528

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12237939
Hi James, I did see the article earlier, but it says for:

The information in this article applies to:

    * Microsoft Windows 2000 Server SP1
    * Microsoft Windows 2000 Server SP2
    * Microsoft Windows 2000 Server SP3
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12240418
xpedia
My own research suggests that this will also work for Windows 2003.

You are adding a permission to the root of the Domain Naming Context. This is not a destructive change (provided you follow the instructions carefully!) and can easily be reversed out if it does not solve the problem.

It is obviously preferable to test it first in a test environment, but if you don't have that luxury then this is the only option I am aware of.

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12240952
Hi James, thanks for the information! I don't have a test environment, so I'll have to play chicken here. The Unix guys will just have to find a way to get their mail clients to authenticate to a GC for GAL access.

The article I was referring to in my opening was:
http://support.microsoft.com/default.aspx?scid=kb;en-us;326690
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12246032
xpedia
OK, going back to the original Q. You say you can't find the string. Is it that you can't find the actual setting - or that the entire DN means nothing to you?

Also, are you running your domain in full native Windows 2003 mode?

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12246627
There are no 2000 DCs, but not native mode yet. I cannot find the actual setting, but I think I see where you may be going with this. No string until native?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12248366
xpedia
That's what I'm thinking. Is there a reason you have not gone full native mode yet??

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12249159
During the past week I moved all the roles off the 2000 servers and ran dcpromo's. I was waiting to see if anything broke. So far the only thing was the phone list on the company intranet. I changed the LDAP port from 389 to 3268. I was planning to wait until next week before going native.

Thanks James!
0
 
LVL 16

Accepted Solution

by:
JamesDS earned 125 total points
ID: 12250654
xpedia
Not promising anything, but I checked my own W2k3 domain (already full native) and it's there.

It occurs to me that you may have been looking in the wrong place :( so, if you send me an email (look in my profile) I'll mail you back a screen dump of mine.

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12250789
Hi James,
You are correct, I just did not look in the right place!
Thank you very much

Eddie
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12250819
Eddie

hey, you're welcome - hope it works for you!

Cheers

James
0
 
LVL 1

Author Comment

by:xpedia
ID: 12254821
For those of you following this thread, anonymous LDAP queries are now working.
0
 

Expert Comment

by:netezza
ID: 13156292
I have the same problem but cannot find this string using either tool. I do not believe my AD is running in Native mode, as we migrated from an NT4 domain about 6 months ago. Could this be the reason I cannot see it? Authenticated LDAP queries work just fine.

Thanks!!

Please help!
0
 

Expert Comment

by:netezza
ID: 13156897
I found my answer digging a bit more. Hope this link will help others.


http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx#EDAA



Mike
0
