activenet1

asked on

ldap query for multiple domains

hello all,
we have a single forest, two domains, two sites, 1 DC (win2k3) in each site. we also have 1 Exchange server on each site handling its own domain.
we are trying to implement the following:
we would like to run an LDAP query (internal query) on one server using port 3268 so we could get a reply with all the users' email addresses within those two domains.
we were trying to query using the "ldap admin 3" application using the following string (filter):
(&(|(objectClass=User)(objectClass=person)(objectclass=group))(mail=*)(!(userAccountControl:dn:1.2.840.113556.1.4.803:=2)))
we could perform the query with no error to each of our DCs (which are GC servers as well) but the results showed us email addresses only from the domain the DC belongs to.
my questions are:
1. at the end of the filter there is a "))(mail=*)(!(" which is supposed to query all the email addresses on the entire directory as long as the domains are all in the same forest, am I right?
2. based on this MS article http://technet.microsoft.com/en-us/library/cc978012.aspx
"If you bind to port 3268, your search includes all directory partitions in the forest"
does that mean I will be able to query multiple GC servers in the same domain\forest?
or GC servers from any domain in the forest?
3. does that string (filter) look correct to you guys?
please advise
thanks




Mike Kline

Answer 1:  What that is doing is querying for the existence of the mail attribute being filled out and trying to find only enabled accounts.
Answer 2:  You would not need to query all the GCs, just any GC.
Answer 3:  You can change that to (&(objectcategory=person)(objectclass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
What I really like for this is adfind by MVP Joe Richards
http://www.joeware.net/freetools/tools/adfind/index.htm
Can you try:
adfind -gcb -bit -f "&(objectcategory=person)(objectclass=user)(mail=*)(!useraccountcontrol:AND:=2)" samaccountname mail
That should return their logon name (sAMAccountName) and mail attribute.
Thanks
Mike
activenet1

ASKER

Mike,
I am not an expert in the whole query\syntax\scripting world. the filter I provided here has been given to me by
our spam company; they state they cannot query our domains. what I did was copy and paste the filter
into the LDAP admin tool, then I connected (internal) to one of our GC servers. the connection was successful with no errors; once I saw all AD partitions I made a search for "mail" but all the results I got were for email addresses within the domain only.
I think the utility I am using is not capable of doing what I need.
can you please recommend me a good tool (with an interface) for LDAP query?
also, can you please explain to me step by step how to perform an ldap query on a GC server using the filter I provided?
thanks.
I'd have to download that tool; the filter is just one part, I need to see how it connects to the GC.
Did you try the adfind command?

I'm rather inclined to suspect it's nothing more than the Search Base you're setting.

The search base needs to encompass all objects you want to find, if the search base is set to the current domain you won't get anything outside of that.

If it works anything like Ldap Administrator version 2.6, the Search Base is set in the connection properties under the general tab. It looks like:

DC=domain,DC=com

Where the domain is domain.com, and should be the Forest Root.

Chris
Mike,
I'm using the LDAP admin tool version 3.0. in the field named "base DN" my line is
"CN=Configuration,DC=mrssi,DC=biz", where mrssi.biz is the forest root domain.
this line came up automatically once I clicked the button called "Fetch Base DNs"; it auto-completes one partition from the forest root, CN=Configuration,DC=mrssi,DC=biz.
only by doing that am I able to connect and see all the DC AD partitions and search for "mail".
I was trying to change the "Base DN" line as you told me, but when I hit connect it showed me 1 partition with 0 content.

The configuration subtree doesn't contain any information about the mail attribute used in each domain. Configuration will tell you about which partitions are available, but little else of relevance here.

Is it working with that? Not a very logical program if it is ;)

Chris
now it doesn't work at all :-) I have no idea what settings I have changed, but now when I hit connect it shows me only 1 partition (the configuration partition). here are some screenshots
Untitled.jpg
Untitled1.jpg
Untitled2.jpg

One sec, downloading the client you're using :)

Chris

You really have to use this tool? It's pretty crap, pain in the backside to use.

What are you trying to generate? There are 1001 ways to get the information you're after.

Chris
I don't have to use that tool at all! I just don't know of any other...
all I need is to test our GC server (internal) by querying it using port 3268, and once I connect, to be able
to search for all email addresses listed on the entire directory.
please send me a link to a tool you think will be better and easier to use.
thanks

Well, if you do...

You're better creating a connection with:

Base DN: DC=mrssi,DC=biz

Leave the default filter in (objectClass=*). Then once you have the connection established, use the Search option on the menu. Select Text Filter, then enter your filter at the top. That should show you what you're after, hopefully...

Chris

How about a little VbScript? Then you can just double click on it and it'll generate you a file with all the e-mail addresses in the forest.

Save as .vbs, won't need any changes, it figures out your forest name by itself. The file name it creates is addresses.txt.

Chris
Const ADS_SCOPE_SUBTREE = 2
 
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
 
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
 
' Build the query against the Global Catalog (GC://), using the forest root
' domain read from RootDSE as the search base
Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = "SELECT proxyAddresses " & _
  "FROM 'GC://" & objRootDSE.Get("rootDomainNamingContext") & _
  "' WHERE mail='*' AND proxyAddresses='*'"
Set objRootDSE = Nothing
 
' Enable Paging, set depth and a few other properties
 
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
 
Set objRecordSet = objCommand.Execute
 
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.OpenTextFile("Addresses.txt", 2, True, 0)
 
While Not objRecordSet.EOF
 
  arrAddresses = objRecordSet.Fields("proxyAddresses").Value
 
  ' Keep primary (SMTP:) and secondary (smtp:) addresses, skip system mailboxes
  For Each strAddress in arrAddresses
    If InStr(1, strAddress, "SMTP:", vbTextCompare) > 0 And _
        InStr(strAddress, "SystemMailbox") = 0 Then
 
      strAddress = LCase(Replace(strAddress, "SMTP:", "", 1, -1, vbTextCompare))
      objFile.WriteLine strAddress
    End If
  Next
 
  objRecordSet.MoveNext
WEnd
 
' Release the file and the directory connection
objFile.Close
objRecordSet.Close
objConnection.Close


well.. I did exactly what you told me to do. I was able to establish a connection and all the mrssi.biz partitions appeared this time, but when I chose "search" and added the filter the results I got were 0.
I am sorry Mike but I am not allowed to do VB scripting. I need to complete the test using a third party application.
I am heading to work, will talk to you in 1 hour
thanks so much for your help!
how about I download Ldap Administrator 2.6? would it be easier for you to guide me?

Really? How very unpleasant :)

Well you could do a hell of a lot worse than ADFind, or does it have to be GUI based?

If you want to try ADFind again then this would work:

adfind -gcb -bit -f "(&(|(objectCategory=person)(objectClass=group))(mail=*)(!useraccountcontrol:AND:=2))" proxyAddresses -csv > out.csv

Otherwise there's always this one:

http://www.ldapbrowser.com/download.htm

Softerra's is pretty good. To do that...

1. Create a new connection (New Profile)
2. Global Catalog port (3268) in the same way you've done here
3. Set the base DN to DC=mrssi,DC=biz
4. Use the default filter
5. Use Tools / Directory Search and enter your original filter
6. Enter "proxyAddresses" in the attributes field. That's the only field that contains all e-mail addresses (mail only holds the Primary).

Chris

> would it be easier for you to guide me?

Yep :)
yes it has to be a GUI.
trying Softerra's, will let you know in a few minutes how that works
Chris, something is wrong. I am no longer able to query one of the GC servers and search
for any object; I can establish a connection and I can see all the partitions, but I'm getting 0 results for any kind of search I do
what am I doing wrong?
please review the screenshot
Untitled3.jpg
Chris,
on which directory should I right click to choose "directory search"?

It doesn't (shouldn't) matter if you're specifying a Base DN.

Simplify the search, run:

(objectClass=user)

Just to make sure that returns something.

Chris
I went back to the tool I used before and I got all the settings back to the way they should be.
now I am able to query the GC only by leaving the section "base DN" empty + the filter.
when I hit connect it shows me 5 partitions; I hit search by "mail" and it found all the email addresses within the domain only. does it make sense to you?
now all I need to accomplish is to know how to query and get all the email addresses from the entire directory.

the GUI tool you provided me keeps bugging me once the connection is established with a user and pass error.

Yuck, they're all as bad as each other. I would guess that without a specific base defined it defaults to the current domain as the base.

May I ask why it has to be a third party application? Just wondering if there's something very specific you're trying to test.

Chris
it has to be an application because scripting is not allowed without getting the "scripting team" on board
and they cost a lot :-)
I was trying to put in the "Base DN" the line you told me, "DC=mrssi,DC=biz", but it didn't work.
can you think of why it didn't work? is there any other line you can think of to put in the Base DN?
and YES I am trying to test something very specific: I have to make sure our spam filter company is able
to query all the domains' email addresses by accessing one GC server.
once I get that to work on my end (internal) I will go and open 3268 to the internet with the correct ACL.
Chris, are you from the US?

Really? That's... well, a bit wrong really, this level of scripting is a tool, not a specialisation. Although I'm sure my opinion counts for little in the scheme of things :)

What can you tell me about your Forest? Maybe we're missing something really fundamental. I'm expecting a structure like:

root domain (mrssi.biz)
  child domain 1 (child1.mrssi.biz)
  child domain 2 (child2.mrssi.biz)

Is that the case? Or does it have more than one tree? e.g.

root domain (mrssi.biz)
other tree (domain1.com)
yet another tree (domain2.com)

Chris

Forgot...

> Chris, are you from the US?

Nope, from England :)

Chris
root domain mrssi.biz(GC DC)
1 tree domain highqfoundation.org(GC DC)
2 tree domain chdi-inc.org(GC DC)


Ahh okay.

Is mrssi.biz mostly empty?

That is, can you search with these base DNs?

DC=highqfoundation,DC=org
DC=chdi-inc,DC=org

Chris
yes, mrssi.biz is mostly empty.
searching, brb
:-)
yep! works like a charm for both DNs

Thought it might.

The trouble is, accounting for multiple trees within a forest is a complication as there's no single Base DN. You will have to hope that their application does, because none of the LDAP browsers are likely to (they're all quite simple beasts).

Is being able to do it for individual DNs enough of a test? Or does it have to be a single search?

Chris
I have to provide results by doing a single search.
is it possible?

Oh yes, it's possible, but you're constrained by the application.

It needs to perform a search with a Null Search Base, something that neither of these browsers appear willing to allow.

It's troubling because quite a lot of people don't account for it. I know I rarely bother, mainly because I've never had to work with a directory split like that. Hopefully the company you're dealing with will deal with it.

Is there any way it can be tested using their software?

Chris

You know the ADFind command uses a Null Base (-gcb) and should return all the results you're after in a single query. Would that not work as a test?

That should be:

adfind -gcb -bit -f "(&(|(objectCategory=person)(objectClass=group))(mail=*)(!useraccountcontrol:AND:=2))" proxyAddresses -csv

Chris
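Chris's point about multiple trees, the null search base, and adfind -gcb, plus the userAccountControl bit test from the filter discussed at the top of the thread, worked through in one added simulation. This is my illustration, not code from the thread or from adfind; the directory entries are constructed and only reuse the three domain names given above.

```python
# Added illustration (not from the thread): why a GC subtree search scoped to one tree's
# base DN misses the forest's other trees, while a null (empty) base, as adfind -gcb uses,
# covers them all. Entries are constructed; the DNs reuse the thread's three domain names.
UAC_ACCOUNTDISABLE = 0x2  # the bit the :1.2.840.113556.1.4.803:=2 (bitwise AND) clause tests

def entry(dn, category, classes, mail, uac, proxies):
    return {"dn": dn, "objectCategory": category, "objectClass": classes,
            "mail": mail, "userAccountControl": uac, "proxyAddresses": proxies}

ENTRIES = [  # one constructed object per tree; groups carry no userAccountControl
    entry("CN=Root Admin,CN=Users,DC=mrssi,DC=biz", "person", ["user"],
          "admin@mrssi.biz", 512, ["SMTP:admin@mrssi.biz"]),
    entry("CN=Alice,CN=Users,DC=highqfoundation,DC=org", "person", ["user"],
          "alice@highqfoundation.org", 512,
          ["SMTP:alice@highqfoundation.org", "smtp:a.smith@highqfoundation.org"]),
    entry("CN=Bob,CN=Users,DC=chdi-inc,DC=org", "person", ["user"],
          "bob@chdi-inc.org", 514, ["SMTP:bob@chdi-inc.org"]),       # 512 | 2: disabled
    entry("CN=Staff,CN=Users,DC=chdi-inc,DC=org", "group", ["group"],
          "staff@chdi-inc.org", None, ["SMTP:staff@chdi-inc.org"]),
]

def in_subtree(dn, base_dn):
    """Subtree scope: an empty base matches everything, else the DN must sit under base_dn."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return base_dn == "" or dn == base_dn or dn.endswith("," + base_dn)

def matches_filter(e):
    """(&(|(objectCategory=person)(objectClass=group))(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    person_or_group = e["objectCategory"] == "person" or "group" in e["objectClass"]
    uac = e["userAccountControl"]
    # An absent attribute never matches, so the negated clause is true for groups.
    disabled = uac is not None and (uac & UAC_ACCOUNTDISABLE) != 0
    return person_or_group and bool(e["mail"]) and not disabled

def smtp_addresses(proxy_addresses):
    """Same extraction as the thread's VBScript: SMTP:/smtp: values, prefix stripped, lower-cased."""
    return [v[5:].lower() for v in proxy_addresses
            if v[:5].upper() == "SMTP:" and "SystemMailbox" not in v]

def search(entries, base_dn):
    """Addresses a GC subtree search with this base DN and the filter above would return."""
    return [addr for e in entries if in_subtree(e["dn"], base_dn) and matches_filter(e)
            for addr in smtp_addresses(e["proxyAddresses"])]

if __name__ == "__main__":
    print("base DC=mrssi,DC=biz  :", search(ENTRIES, "DC=mrssi,DC=biz"))
    print("null base (adfind -gcb):", search(ENTRIES, ""))
```

Against a real GC on port 3268 the same choice of base DN is what the client passes as its search base, which is why a browser that insists on a non-empty base only ever shows one tree.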
I can send out a test request.
can you please please help me understand your final conclusion? so I can take that and forward it to the owner of the company and he will deal with the spam filter company.
please explain to me why it is not possible for me to do a single search based on our forest environment
also please explain to me what the spam company needs to do on their end in order to get an ldap query
from one GC server
thanks!
adfind -gcb -bit -f "(&(|(objectCategory=person)(objectClass=group))(mail=*)(!useraccountcontrol:AND:=2))" proxyAddresses -csv

all I need to do is just copy and paste it on the cmd console? no need to edit it?
ASKER CERTIFIED SOLUTION
Chris Dent

> all i need to do is just copy and paste it on cmd console? no need to edit it?

Correct :)

Chris
do I have to run the command from the cmd? or from the support tools cmd?
do I have to be on the server?
Chris, thank you so much!!! you were a big big help to me!
I will forward my conclusion based on your findings to the company owner; hopefully the spam company will be able to do a null base query..
one last thing, I copied and pasted the command into cmd but it gave me an invalid command line
am I missing something?
Chris, here is what I got when I was trying to run Adfind
C:\AdFind>adfind -gcb -bit -f "(&(|(objectCategory=person)(objectClass=group))(m
ail=*)(!useraccountcontrol:AND:=2))" proxyAddresses -csv
"dn","proxyAddresses"
LDAP_BIND: [] Error 0x51 (81) - Server Down
Terminating program.
I got Adfind to work for me!
thanks!