Windows Server 2003 dsHeuristics attribute on the DN path

With the Windows Server 2003 family version RC1, only authenticated users may initiate an LDAP request against Windows Server 2003-based domain controllers. You can override this new default behavior by changing the seventh character of the dsHeuristics attribute on the DN path:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,Root domain in forest

I have tried adsiedit and ldp, but cannot find the above string. Can someone provide a bit more detail? I am trying to enable anonymous LDAP queries.

Thank you
xpedia Asked:

JamesDS Commented:
xpedia
Not promising anything, but I checked my own W2k3 domain (already full native) and it's there.

It occurs to me that you may have been looking in the wrong place :( so, if you send me an email (look in my profile) I'll mail you back a screen dump of mine.

Cheers

JamesDS

JamesDS Commented:
xpedia
This article describes what you are trying to achieve and how to do it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;320528

Cheers

JamesDS

xpedia (Author) Commented:
Hi James, I did see the article earlier, but it says for:

The information in this article applies to:

    * Microsoft Windows 2000 Server SP1
    * Microsoft Windows 2000 Server SP2
    * Microsoft Windows 2000 Server SP3
 
JamesDS Commented:
xpedia
My own research suggests that this will also work for Windows 2003.

You are adding a permission to the root of the Domain Naming Context. This is not a destructive change (provided you follow the instructions carefully!) and can easily be reversed out if it does not solve the problem.

It is obviously preferable to test it first in a test environment, but if you don't have that luxury then this is the only option I am aware of.

Cheers

JamesDS

xpedia (Author) Commented:
Hi James, thanks for the information! I don't have a test environment, so I'll have to play chicken here. The Unix guys will just have to find a way to get their mail clients to authenticate to a GC for GAL access.

The article I was referring to in my opening was:
http://support.microsoft.com/default.aspx?scid=kb;en-us;326690

JamesDS Commented:
xpedia
OK, going back to the original Q. You say you can't find the string. Is it that you can't find the actual setting - or that the entire DN means nothing to you?

Also, are you running your domain in full native Windows 2003 mode?

Cheers

JamesDS

xpedia (Author) Commented:
There are no 2000 DCs, but not native mode yet. I cannot find the actual setting, but I think I see where you may be going with this. No string until native?

JamesDS Commented:
xpedia
That's what I'm thinking. Is there a reason you have not gone full native mode yet??

Cheers

JamesDS

xpedia (Author) Commented:
During the past week I moved all the roles off the 2000 servers and ran dcpromos. I was waiting to see if anything broke. So far the only thing was the phone list on the company intranet. I changed the LDAP port from 389 to 3268. I was planning to wait until next week before going native.

Thanks James!

xpedia (Author) Commented:
Hi James,
You are correct, I just did not look in the right place!
Thank you very much

Eddie

JamesDS Commented:
Eddie

Hey, you're welcome - hope it works for you!

Cheers

James

xpedia (Author) Commented:
For those of you following this thread, anonymous LDAP queries are now working.

netezza Commented:
I have the same problem but cannot find this string using either tool. I do not believe my AD is running in Native mode, as we migrated from an NT4 domain about 6 months ago. Could this be the reason I cannot see it? Authenticated LDAP queries work just fine.

Thanks!!

Please help!

netezza Commented:
I found my answer digging a bit more. Hope this link will help others.

http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx#EDAA

Mike
Question has a verified solution.
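
An added example, not part of the thread: a Python check of a dsHeuristics value that has already been read (for instance with ldp or ADSI Edit) from the object named in the question. The function names, the sample values and the DC=example,DC=com forest root are constructed for illustration; the check assumes Microsoft's documented layout, in which "2" in the seventh position lifts the anonymous-operations block and every tenth character is a length marker.

```python
# Added example: audit a dsHeuristics value for the anonymous-LDAP override.
# Function names and sample values are constructed for illustration.

CONTAINER = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration"


def directory_service_dn(forest_root_dn):
    """DN of the object that carries dsHeuristics in a given forest."""
    return f"{CONTAINER},{forest_root_dn}"


def audit_dsheuristics(value):
    """Return (anonymous_ops_allowed, findings) for a dsHeuristics string.

    Pass None or "" when the attribute is not set on the object.
    """
    value = value or ""
    findings = []
    # Character 7 (index 6) is the anonymous-operations flag: only "2"
    # lifts the default block; a shorter or unset value leaves it in place.
    allowed = len(value) >= 7 and value[6] == "2"
    if not value:
        findings.append("not set: default applies, anonymous operations blocked")
    elif allowed:
        findings.append("character 7 is '2': anonymous LDAP operations allowed")
    else:
        findings.append("character 7 is not '2': anonymous operations blocked")
    # Every tenth character is a length marker ('1' at 10, '2' at 20, ...).
    # A wrong marker usually means the string was padded by hand incorrectly.
    for pos in range(10, len(value) + 1, 10):
        expected = str(pos // 10)
        if value[pos - 1] != expected:
            findings.append(
                f"character {pos} is '{value[pos - 1]}', expected '{expected}'"
            )
    return allowed, findings


if __name__ == "__main__":
    print(directory_service_dn("DC=example,DC=com"))  # constructed forest root
    for sample in (None, "0000002", "001", "0000002001", "0000002000"):
        print(repr(sample), audit_dsheuristics(sample))
```

A True result only means the forest-wide block is lifted; what an anonymous client can actually read still depends on the permissions granted on the directory objects.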

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.