Eric,
 
On the Outlook side, when I added the value "DisableVLVBrowsing"=dword:00000001 per workstation, the browsing did not show any users, as u stated (blank list). Without the RegValue, the error "Unavailable Critical Extension" appears with, again, no users showing in the browsing list. So the regkey seems to disable the VLV feature at the client side BUT without showing any users :(
I found a way to LDAP search in my AD by working around this problem :)

With your regkey set in the configuration partition, that definitively resolves my problem: the browsing in Outlook 2003 works.
And at the time of writing, I tested the LDAP browsing on 10 workstations that have Outlook 2003 in LDAP, and that works, whereas they did not work before, with the same error !!

All the Outlooks I've installed have all the necessary binaries and all the latest patches :)
 
I will forward u the network trace of the php search.
 
Thanks for the help :)
 
PS: let us know when u will publish a KB on the VLV feature please :)
 
Yann


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, June 27, 2005 10:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.

Can you take a network sniff of the PHP scripts failing?

I suspect they are just blindly doing VLV, not actually checking if the DC they are talking to supports it. The mod you made below will remove the VLV OID from supportedCapabilities such that people that look for it won’t find it. If the PHP scripts just use VLV w/o first checking, they’ll still fail (though I’d argue while what we did isn’t ideal, what they would be doing is just as bad if not worse, because you shouldn’t use something like VLV w/o first checking that the DSA supports it).

 

I don’t really know what that Outlook thing you tried does from the Outlook side, I’m an AD guy, not an Outlook guy. I’ve been told by people that I know that it just disables the attempt to use VLV, but there might be caveats they didn’t mention. Maybe you don’t have a late enough Outlook binary that understands it. Maybe you didn’t do the magic DisableVLVBrowsing dance. I don’t know.

 

As I mentioned before, I’m doing a write-up of this which I’ll probably blog. I’ll post to this list with a link to that post when I do it, probably soon, but I have a few other things I need to do first I’m afraid.

 

~Eric
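
Added example (not from any poster in this thread): the client-side check described in the message above, in Python. It reads the advertised control OIDs before choosing VLV and falls back when the server answers unavailableCriticalExtension. `FakeDC`, the function names and the sample DNs are constructed for illustration, and reading `supportedControl` alongside `supportedCapabilities` is an assumption.

```python
# Added example: constructed stand-in for a directory server, no network I/O.
VLV_REQUEST = "2.16.840.1.113730.3.4.9"    # Virtual List View request control
SORT_REQUEST = "1.2.840.113556.1.4.473"    # server-side sort, sent together with VLV
PAGED_RESULTS = "1.2.840.113556.1.4.319"   # simple paged results control
UNAVAILABLE_CRITICAL_EXTENSION = 12        # LDAP result code seen in the trace


def advertised_oids(root_dse):
    """Collect OIDs from the rootDSE attributes used to advertise features."""
    oids = set()
    for attr in ("supportedControl", "supportedCapabilities"):
        oids.update(v.strip() for v in root_dse.get(attr, []))
    return oids


def plan_strategies(root_dse):
    """Ordered control sets to try; VLV only if the server advertises it."""
    oids = advertised_oids(root_dse)
    plans = []
    if VLV_REQUEST in oids and SORT_REQUEST in oids:
        plans.append(("vlv", [SORT_REQUEST, VLV_REQUEST]))
    if PAGED_RESULTS in oids:
        plans.append(("paged", [PAGED_RESULTS]))
    plans.append(("plain", []))            # no controls: always allowed
    return plans


def browse(server, base_dn):
    """Try each plan; move on when the server refuses a critical control."""
    for name, controls in plan_strategies(server.root_dse):
        code, entries = server.search(base_dn, controls)
        if code == UNAVAILABLE_CRITICAL_EXTENSION:
            continue                       # advertised but refused: fall back
        return name, code, entries
    return "none", UNAVAILABLE_CRITICAL_EXTENSION, []


class FakeDC:
    """Constructed test double: refuses any control listed in `refuses`."""

    def __init__(self, supported, refuses=()):
        self.root_dse = {"supportedControl": list(supported)}
        self.refuses = set(refuses)

    def search(self, base_dn, controls):
        if self.refuses.intersection(controls):
            return UNAVAILABLE_CRITICAL_EXTENSION, []
        return 0, ["cn=user1," + base_dn, "cn=user2," + base_dn]
```
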

 

 

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 27, 2005 1:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.

 

ERIC !!! You're the BEST !!! THAT WORKS FINE !!!!!!

 

I had not found the solution to my problem for one year :(

 

For Outlook 2003, the search succeeded thanks to your value added with adsiedit, and it works better than the [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\LDAP] "DisableVLVBrowsing"=dword:00000001 added per workstation !!!

 

But I noticed that for PHP scripts, the error still remains... any thoughts ?

 

Thank u very much eric for the invaluable help u provided me :-)

 

Cheers,

 

Yann

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, June 26, 2005 00:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.

So I am writing a longer note about the history of VLV fixes we’ve thrown at it and why, but haven’t finished yet, and am trying to decide if it is best done in a blog post or an email to this list (it’s 2 pages so far).

 

In the interim, a couple of thoughts….

From the DSID you’re getting, I’d speculate you’re still doing VLV. I don’t know what you’ve tweaked on the Outlook side, but that’s my suspicion. A network sniff (or some more data) would confirm.

However, looking at this more broadly….

 

If you implement this change as your “fix”, you’ll find you need to do this on every client. That might grow old. :)

A better fix, assuming 2k3 SP1 DCs (for RTM DCs, you’d need a QFE on them for this, namely a binary from the QFE tree that is Q886683 or later)…..

  1. Fire up adsiedit, crack open the config NC
  2. Expand CN=Directory Service,CN=Windows NT,CN=Services.
  3. Edit CN=Directory Services.
  4. Nav down to msds-Other-Settings. Edit.
  5. In the Value to add box, type, without the quotes: “DisableVLVSupport=1”. Click Add.

Give that a try, let us know how it goes. :)

 

~Eric

 

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 12:54 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Recursive serach on Root domain failed.

 

Thanks for reply :)

 

Yes, I have already followed the link you specified. I disabled LDAP address-list-browsing functionality in my Outlook 2003: the browsing is then disabled -> the list is empty, without the Unavailable Critical Extension error message box.

The only way I found to use the LDAP search with Outlook 2003 in Exchange MAPI mode is to configure Outlook to search LDAP Active Directory first and not the Exchange GAL, and type the sender in the "To..." field of Outlook: Outlook then verifies the sender against LDAP AD first, and that works. I thought about distributing this regkey with GPO to all my users...

 

I Have already installed sp1 for w2k3 a months ago, and no way :(

 

The same problem is reproduced in an other French University.

 

The maxpagesize = the max LDAP page size for the default query policy in my domain is set to a high value of 20000 instead of the default value of 1000.... I am wondering if this can be the reason...

 

Cheers,

 

Yann

 


From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Date: Sat. 25/06/2005 18:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.

Try disabling VLV in outlook, you can do that here:

 

820864 You Experience Performance Problems in Outlook 2003 When You Browse an

http://support.microsoft.com/?id=820864

 

If that solves your problem then you might be hitting a known bug…contact PSS for the hotfix (or install SP1 which I believe has the fix).

 

Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recursive serach on Root domain failed.

 

Hello,

 

When I do an LDAP recursive search (with Outlook 2003 in Exchange 2003 MAPI or PHP scripts) through my root domain AD2003 (dc=domain,dc=fr), the search fails with the corresponding error: "Unavailable Critical Extension". But when I put the complete DN of an OU (ou=test,dc=domain,dc=fr), then the search works.

 

When I used Outlook Express configured in LDAP, the recursive search ... worked.

My environment: forest AD2003 raised to Windows Server 2003 functional level. I did an in-place upgrade from AD 2000 native mode to AD 2003.

 

The curious thing is, when I installed a fresh AD2003 test domain (without upgrade from AD2000), any recursive search (with PHP, Outlook 2003, etc.) works !!!!

 

So I suspect that it is the migration that causes the problem, but I don't know if such requests worked before the migration :(

 

My network trace between my workstation and any DCs confirmed the error:

 

LDAP: ProtocolOp = SearchResponse (simple)
        LDAP: Result Code = Unavailable Critical Extension
        LDAP: Error Message =000020EF: SvcErr: DSID-031402D0, problem 5010 (UNAVAIL_EXTENSION)
        LDAP: Controls
           LDAP: Sort Response Control
           LDAP: Criticality = 0 (0x0)
         LDAP: Sort Result Code = Unwilling to Perform

 

I contacted MS French support and they gave me the patch concerning http://support.microsoft.com/kb/841461/en-us, without success :(

I found this http://support.microsoft.com/kb/842637/en-us that seems to correspond to my problem, but how do I put the script in my Outlook 2003 ? This is in the workaround section.

 

any ideas  ?

 

Cheers,

 

Yann
