Solved

Windows Server 2003 dsHeuristics attribute on the DN path

Posted on 2004-10-05
14
1,751 Views
Last Modified: 2012-06-21
With the Windows Server 2003 family version RC1, only authenticated users may initiate an LDAP request against Windows Server 2003-based domain controllers. You can override this new default behavior by changing the seventh character of the dsHeuristics attribute on the DN path:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,Root domain in forest

I have tried adsiedit and ldp, but cannot find the above string. Can someone provide a bit more detail? I am trying to enable anonymous ldap queries.

Thank you
0
Comment
Question by:xpedia
  • 6
  • 6
  • 2
14 Comments
 
LVL 16

Expert Comment

by:JamesDS
ID: 12235146
xpedia
This article describes what you are trying to achieve and how to do it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;320528

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12237939
Hi James, I did see the article earlier, but is says for :

The information in this article applies to:

    * Microsoft Windows 2000 Server SP1
    * Microsoft Windows 2000 Server SP2
    * Microsoft Windows 2000 Server SP3
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12240418
xpedia
My own research suggests that this will also work for windows 2003.

You are adding a permission to the root of the Domain Naming Context. This is not a destructive change (provided you follow the instructions carefully!) and can easily be reversed out if it does not solve the problem.

It is obviously preferable to test it first in a test environment, but if you don't have that luxury then this is the only option I am aware of.

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12240952
Hi James, thanks for the information! I don't have a test environment, so I'll have to play chicken here. The Unix guys will just  have to find a way get their mail clients to authenticatate to a GC for GAL access.

The article I was referring to in my opening  was:
http://support.microsoft.com/default.aspx?scid=kb;en-us;326690
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12246032
xpedia
ok, going back to the original Q. You say you can't find the string. Is it that you can't find the actual setting - or that the entire DN means nothing to you?

Also, Are you running your domain in full native Windows 2003 mode?

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12246627
There are no 2000 DC's but not native mode yet. I cannot find the actual setting, but I think I see where you may be going with this. No string until native?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12248366
xpedia
That's what I'm thinking. Is there a reason you have not gone full native mode yet??

Cheers

JamesDS
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 1

Author Comment

by:xpedia
ID: 12249159
During the past week I moved all the roles off the 2000 servers and ran dcpromo's.  I was waiting to see if anything broke. So far the only thing was the phone list on the company intranet. I changed the ldap port from 389 to 3268. I was planning to wait until next week before going native.

Thanks James!
0
 
LVL 16

Accepted Solution

by:
JamesDS earned 125 total points
ID: 12250654
xpedia
Not promising anything, but I checked my own W2k3 domain (already full native) and it's there.

It occurs to me that you may have been looking in the wrong place :( so, if you send me an email (look in my profile) i'll mail you back a screen dump of mine.

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:xpedia
ID: 12250789
Hi James,
You are correct, I just did not look in the right place!
Thank you very much

Eddie
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12250819
Eddie

hey, you're welcome - hope it works for you!

Cheers

James
0
 
LVL 1

Author Comment

by:xpedia
ID: 12254821
For those of you following this thread, anonymous LDAP queries are now working.
0
 

Expert Comment

by:netezza
ID: 13156292
I have the same problem but cannot find this string using either tool. I do not believe my Ad is running in Native mode, as we migrated from a NT4 domain about 6 months ago. Could this be the reason I cannot see it? Authenticated ldap queries work just fine.

Thanks!!

Please help!
0
 

Expert Comment

by:netezza
ID: 13156897
I found my answer digging a bit more. Hope this link will help others.


http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx#EDAA



Mike
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now