[ActiveDir] Recursive search on Root domain failed.

2005-06-25 Thread TIROA YANN


Hello,

When I do an LDAP recursive search (with Outlook 2003 in Exchange 2003 MAPI mode, or PHP scripts) through my root domain AD2003 (dc=domain,dc=fr), the search fails with the corresponding error: "Unavailable Critical Extension". But when I put the complete DN of an OU (ou=test,dc=domain,dc=fr), then the search works.

When I use Outlook Express configured for LDAP, the recursive search... works.

My environment: Forest AD2003 raised to Windows Server 2003 functional level. I did an in-place upgrade from AD 2000 native mode to AD 2003.

The curious thing is that when I installed a fresh AD2003 test domain (without upgrading from AD2000), any recursive search (with PHP, Outlook 2003, etc.) works.

So I suspect that it is the migration that causes the problem, but I don't know if such requests worked before the migration :(

My network trace between my workstation and any DC confirmed the error:

LDAP: ProtocolOp = SearchResponse (simple)
 LDAP: Result Code = Unavailable Critical Extension
 LDAP: Error Message =20EF: SvcErr: DSID-031402D0, problem 5010 (UNAVAIL_EXTENSION)
 LDAP: Controls
  LDAP: Sort Response Control
   LDAP: Criticality = 0 (0x0)
   LDAP: Sort Result Code = Unwilling to Perform

I contacted MS French support and they gave me the patch concerning http://support.microsoft.com/kb/841461/en-us, without success :(
I found this http://support.microsoft.com/kb/842637/en-us that seems to correspond to my problem, but where do I put the script in my Outlook 2003? It is in the workaround section.

Any ideas?

Cheers,

Yann
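The SearchResultDone in the trace above, decoded. This is an added example, not code from the post: it constructs an LDAPMessage carrying result code 12 (unavailableCriticalExtension) and a Sort Response Control (OID 1.2.840.113556.1.4.474, RFC 2891) whose sortResult is 53 (unwillingToPerform), exactly the combination the trace shows, and derives the client-side decision a script should take: re-issue the search without the critical sort/VLV control instead of treating the whole lookup as failed. The message bytes are constructed here, not captured from Yann's DC.

```python
from dataclasses import dataclass
SORT_RESPONSE_OID = "1.2.840.113556.1.4.474"   # server-side sort response control (RFC 2891)
UNAVAILABLE_CRITICAL_EXTENSION = 12            # LDAP resultCode in the trace
UNWILLING_TO_PERFORM = 53                      # sortResult in the trace

def ber_len(n: int) -> bytes:
    """Definite-length BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body    # one BER tag-length-value element

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def read_seq(body: bytes):
    """Split a SEQUENCE body into its (tag, value) children."""
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    return items

@dataclass
class SearchDone:
    result_code: int
    message: str
    sort_result: "int | None"                          # None when no sort response control came back

def decode_search_done(msg: bytes) -> SearchDone:
    """Parse LDAPMessage { messageID, searchResDone [APPLICATION 5], controls [0] }."""
    items = read_seq(read_tlv(msg)[1])
    op_tag, op = items[1]
    if op_tag != 0x65:
        raise ValueError("not a SearchResultDone")
    code, _matched_dn, diag = read_seq(op)[:3]         # resultCode, matchedDN, diagnosticMessage
    done = SearchDone(code[1][0], diag[1].decode(), None)
    for tag, controls in items[2:]:
        if tag != 0xA0:                                # controls [0] Controls
            continue
        for _, ctrl in read_seq(controls):
            fields = read_seq(ctrl)                    # controlType, [criticality], [controlValue]
            if fields[0][1].decode() == SORT_RESPONSE_OID and len(fields) > 1:
                sort_seq = read_tlv(fields[-1][1])[1]  # SortResult ::= SEQUENCE { sortResult, ... }
                done.sort_result = read_seq(sort_seq)[0][1][0]
    return done

def should_retry_without_sort(done: SearchDone) -> bool:
    """The DC refused the critical sort/VLV control: re-issue without it (or non-critical)."""
    return (done.result_code == UNAVAILABLE_CRITICAL_EXTENSION
            and done.sort_result == UNWILLING_TO_PERFORM)

# Constructed sample mirroring the trace: messageID 2, resultCode 12, empty matchedDN, the
# diagnostic text from the post, and a sort response control carrying sortResult 53.
DIAG = b"20EF: SvcErr: DSID-031402D0, problem 5010 (UNAVAIL_EXTENSION)"
SAMPLE = tlv(0x30, tlv(0x02, b"\x02")
    + tlv(0x65, tlv(0x0A, b"\x0C") + tlv(0x04, b"") + tlv(0x04, DIAG))
    + tlv(0xA0, tlv(0x30, tlv(0x04, SORT_RESPONSE_OID.encode())
                          + tlv(0x04, tlv(0x30, tlv(0x0A, b"\x35"))))))
```

A PHP or Python LDAP client that sends the sort/VLV control with criticality TRUE gets exactly this response from a DC that refuses VLV; sending it non-critical (or not at all) lets the same subtree search complete.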

RE: [ActiveDir] Windows - MIT Cross-realm auth to domains not in the same dns hierarchy

2005-06-25 Thread Andrew Riley
This looks promising.  I'll give a call to Microsoft on Monday and see if
this hotfix helps.

andrew

--On Saturday, June 25, 2005 4:45 AM +0300 Guy Teverovsky
[EMAIL PROTECTED] wrote:

The preceding solution works great, but I've found that if we
establish a trust to a domain such as DOMAIN.SCHOOL.EDU (not in the same DNS
hierarchy as AD.SCHOOL.EDU) then user logons fail.

[Guy] There is a similar bug when changing passwords over a cross-forest
trust when the UPN suffix of the account you log on with to the trusting
forest is different from the trusted forest's DNS name.
In this case the DC resolves the domain to \\first_part_of_upn_suffix,
i.e.:
[EMAIL PROTECTED] is an AD account in the internal.local forest and logs on to
the other.local forest over a cross-forest transitive trust. When trying to
change the password (when logged on with the UPN), the target domain is resolved
to COMPANY and not INTERNAL (or internal.local).

There is a hotfix that you might want to try (it addresses the way the
domains are located when using a UPN - it might also resolve the MIT Kerberos
issue):
http://support.microsoft.com/?kbid=890953

Also try to log on from a W2K3 box in the OTHER.AD.SCHOOL.EDU domain with the MIT
Kerberos principal, as it is not experiencing the above behavior.

Guy
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Recursive search on Root domain failed.

2005-06-25 Thread Robert Williams \(RRE\)
Try disabling VLV in Outlook; you can do that here:

820864 You Experience Performance Problems in Outlook 2003 When You Browse an
http://support.microsoft.com/?id=820864

If that solves your problem then you might be hitting a known bug; contact PSS
for the hotfix (or install SP1 which I believe has the fix).

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recursive search on Root domain failed.

RE: [ActiveDir] Recursive search on Root domain failed.

2005-06-25 Thread TIROA YANN
Thanks for the reply :)

Yes, I have already followed the link you specified. I disabled the LDAP
address-list-browsing functionality in my Outlook 2003: the browsing is then
disabled - the list is empty, without the "Unavailable Critical Extension" error
message box.
The only way I found to use the LDAP search with Outlook 2003 in Exchange MAPI
mode is to configure Outlook for searching LDAP Active Directory first and not
the Exchange GAL, and type the sender in the "To..." field of Outlook: Outlook
then verifies the sender against LDAP AD first, and that works. I thought of
distributing this regkey with GPO to all my users...

I have already installed SP1 for W2K3 a month ago, and no way :(

The same problem is reproduced in another French university.

The maxpagesize = the max LDAP page size for the default query policy in my
domain is set to a high value, 2 instead of the default value of 1000. I'm
wondering if this can be the reason...

Cheers,

Yann

From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Sent: Sat. 25/06/2005 18:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive search on Root domain failed.

RE: [ActiveDir][OT] File copy with security intact

2005-06-25 Thread Grillenmeier, Guido
With all of the options mentioned (incl. FSMT and RoboCopy) you have to
be aware of the limitations of copying ACLs from source to target, which
basically depend on how you've ACLed the data on your servers:

If you've used Server-Local groups, the tools won't do the work for you
to re-create appropriate Server-Local groups on the target machine and
convert the SIDs in the ACLs where required (i.e. leave SIDs from
non-server-local secprins alone and copy them as is, and just replace the
server-local stuff with those of the target machine).

This is a considerable restriction for consolidating data - but you can
also circumvent it by first doing some homework on your own and replacing
all server-local groups with AD domain-local groups, incl. the re-ACLing
on the source machine(s). I'm not trying to say that you'd always want
to use this approach, as it has other challenges (token group-bloat for
users logging onto the domain etc.), but it may be a valid option
depending on your environment.

I only know of non-free tools to do this during the file-copy /
consolidation, which either give you the option to create new
server-local groups on the target server or to convert them to AD
Domain-Local groups, plus do the appropriate re-ACLing of the data on the
target machine.

Too bad Microsoft's FSMT doesn't have this feature, which is one of the
main things I don't like about it. Otherwise it's a useful tool, as it
will also copy and re-create the shares etc. for you (no big deal,
but...) and has a very useful integration with the DFS-root-consolidation
feature of Win2003/SP1 (see Q829885 "Distributed File System update to
support consolidation roots in Windows Server 2003" if you're unfamiliar
with this feature).

Cheers,
Guido
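The ACL problem Guido describes, as an added example (not code from the thread or from FSMT/RoboCopy): before a consolidation copy, sort the trustees in each ACL into those that survive a copy unchanged (domain and BUILTIN SIDs), those that are the source server's own local groups (machine-SID prefix, so they must be re-created or swapped for domain-local groups and re-ACLed), and orphans from some other machine. The SIDs and ACEs are constructed; the `Ace` type and the replacement map are this example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    """Minimal ACE view: the trustee's SID string and the rights it grants."""
    sid: str
    rights: str

def sid_issuer(sid: str) -> str:
    """Issuing authority of a SID: everything before the RID. Server-local users and
    groups carry the machine SID, domain principals carry the domain SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"malformed SID: {sid}")
    return "-".join(parts[:-1])

def classify_acl(acl, source_machine_sid: str, domain_sid: str):
    """Sort ACEs by what a plain file copy does to them on another server:
    portable - domain SIDs and well-known/BUILTIN SIDs resolve on any machine;
    rebind   - the source server's own local groups: must be re-created on the target
               (or swapped for AD domain-local groups) and the data re-ACLed;
    foreign  - some other machine's or domain's SID: already orphaned, needs review."""
    out = {"portable": [], "rebind": [], "foreign": []}
    for ace in acl:
        issuer = sid_issuer(ace.sid)
        if not ace.sid.startswith("S-1-5-21-"):      # BUILTIN (S-1-5-32-*), Everyone, ...
            out["portable"].append(ace)
        elif issuer == source_machine_sid:
            out["rebind"].append(ace)
        elif issuer == domain_sid:
            out["portable"].append(ace)
        else:
            out["foreign"].append(ace)
    return out

def remap_acl(acl, source_machine_sid: str, domain_sid: str, replacement: dict):
    """Guido's homework step: swap each server-local trustee for the domain-local group
    chosen for it (replacement maps old SID -> new SID). Refuses to proceed if any
    server-local ACE has no replacement, so nothing is silently left dangling."""
    rebind = {a.sid for a in classify_acl(acl, source_machine_sid, domain_sid)["rebind"]}
    missing = sorted(rebind - set(replacement))
    if missing:
        raise KeyError(f"no domain-local replacement for {missing}")
    return [Ace(replacement[a.sid], a.rights) if a.sid in rebind else a for a in acl]

# Constructed sample: a domain SID, the source file server's machine SID and four ACEs.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SOURCE_MACHINE_SID = "S-1-5-21-4444-5555-6666"
SAMPLE_ACL = [
    Ace("S-1-5-32-544", "FullControl"),                 # BUILTIN\Administrators
    Ace("S-1-5-21-1111-2222-3333-1105", "Modify"),      # domain group
    Ace("S-1-5-21-4444-5555-6666-1001", "Modify"),      # server-local group on the source
    Ace("S-1-5-21-7777-8888-9999-1002", "Read"),        # leftover from a decommissioned box
]
```

On a real server the SID strings come from the DACL (icacls /save or the Win32 security APIs); the machine SID is the issuer prefix of any local account on that box.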

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, 24 June 2005 01:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

It's a solid tool that MCS uses for consolidation of multiple systems to one
(think a bunch of file servers NT 4, Win2k, whatever), or for hardware to
hardware copy after the OS is installed.  Nice thing is it brings over the
security and is a bit easier for the command-line challenged, or when there
are a number of pick this, don't copy this, type decisions that need to be
made.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, June 23, 2005 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

Hi Rick,


I have not had any need to try yet and I was just wondering if any one liked
it, had any problems with it and how it compares to RoboCopy. It seems to be
a take off of Fastlane's server consolidator that was written for Microsoft
several years back. test


Jose 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
Sent: Wednesday, June 22, 2005 8:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact


Yep - what assist do you need, or what information related to it?

Happy to help

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, June 21, 2005 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

Has anyone had any experience using the Microsoft File Server Migration
Toolkit?
http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfsc.mspx

Jose 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Medeiros, Jose
Sent: Tuesday, June 21, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact


I don't want to seem like I am knocking Robocopy, however from my experience
Robocopy also does the same thing. It will stop when a file is locked or in
use. It does not copy at the block level like rsync. It is a very useful
tool but beware of its limitations. (Although the version I used was from
the 2000 resource kit, so if there have been improvements I may be
mistaken).

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, June 21, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact


Robocopy is my FRS engine for Dfs.  :)

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Webster
Sent: Tuesday, June 21, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jorge de Almeida Pinto
Subject: RE: [ActiveDir][OT] File copy with security intact

My experience with XCOPY

RE: [ActiveDir] Delegation to Child Domain Failing

2005-06-25 Thread Grillenmeier, Guido



can you explain your issue a little more?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, 23 June 2005 22:42
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation to Child Domain Failing

Anyone else seeing this?

This is the second time I've had to delete and create the child domain
delegation. For some reason, the root NS seems to quit referring. I'm running
Windows 2003. I can't find anything regarding this problem. The last time I had
a case opened with MS but they didn't know of anything either. No errors, etc.



[ActiveDir] Exchange SSL Certificate Client Authentication

2005-06-25 Thread Noah Eiger
Hi,

I have OWA running on Exchange 2003. I have purchased an SSL certificate from
GoDaddy.com and installed it. Now, when clients connect using
https://webmail.mycompany.com/exchange, they get a prompt (after supplying
credentials):

"Client Authentication: The Web site you want to view requests identification.
Select the certificate to use when connecting." There are no certificates
supplied in the dialog box. Depending on the version of IE, the text is slightly
different. If the user simply clicks OK, they get in and the transactions appear
to be going over SSL (the little lock is present and closed).

Finally, this only seems to happen with clients accessing from the outside;
internal machines can see it fine.

Any ideas how to prevent this from happening?

Thanks.

-- nme


RE: [ActiveDir] Exchange SSL Certificate Client Authentication

2005-06-25 Thread Rick Kingslan
Noah,

I suspect that you're missing a root certificate. Review your process of
creating and importing the certificate into the certificate store to ensure
that you, in fact, did have and use the proper Root CA, and that it's in the
correct store.

Ironically, (and I know that this is hard to believe) sometimes Microsoft's
automatic process for getting a cert into the right store doesn't work. ;o)

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Saturday, June 25, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange SSL Certificate Client Authentication

RE: [ActiveDir] Recursive search on Root domain failed.

2005-06-25 Thread Eric Fleischman
So I am writing a longer note about the history of VLV fixes we've thrown at
it and why, but haven't finished yet, and am trying to decide if it is best
done in a blog post or an email to this list (it's 2 pages so far).

In the interim, a couple of thoughts.

From the DSID you're getting, I'd speculate you're still doing VLV. I don't
know what you've tweaked on the Outlook side, but that's my suspicion. A
network sniff (or some more data) would confirm.

However, looking at this more broadly.

If you implement this change as your fix, you'll find you need to do this on
every client. That might grow old. :)

A better fix, assuming 2k3 SP1 DCs (for RTM DCs, you'd need a QFE on them for
this, namely a binary from the QFE tree that is Q886683 or later):

1. Fire up adsiedit, crack open the config NC.
2. Expand CN=Directory Service,CN=Windows NT,CN=Services.
3. Edit CN=Directory Services.
4. Nav down to msds-Other-Settings. Edit.
5. In the "Value to add" box, type, without the quotes: "DisableVLVSupport=1". Click Add.

Give that a try, let us know how it goes. :)

~Eric
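The two forest-wide knobs this thread touches, Eric's DisableVLVSupport=1 in msDS-Other-Settings and the MaxPageSize entry of the default query policy that Yann asked about earlier, live in multi-valued "Name=Value" attributes in the Configuration NC. This added example (not Eric's or Yann's code, and not anything adsiedit produces) plans the exact delete/add modifications needed for either setting without disturbing the other entries, and treats an already-correct or malformed attribute as a reason to do nothing. The DNs, the current values and the oversized MaxPageSize figure are this example's own assumptions.

```python
# DNs assumed for this example (forest DC=domain,DC=fr from the post): the Directory Service
# object Eric's steps edit, and the Default Query Policy whose lDAPAdminLimits holds MaxPageSize.
DIRECTORY_SERVICE_DN = ("CN=Directory Service,CN=Windows NT,CN=Services,"
                        "CN=Configuration,DC=domain,DC=fr")
DEFAULT_QUERY_POLICY_DN = ("CN=Default Query Policy,CN=Query-Policies,"
                           "CN=Directory Service,CN=Windows NT,CN=Services,"
                           "CN=Configuration,DC=domain,DC=fr")

def parse_settings(values):
    """Turn the 'Name=Value' strings of a multi-valued settings attribute into a dict,
    refusing malformed entries and duplicated names (both need a human before any change)."""
    settings = {}
    for raw in values:
        name, sep, value = raw.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed setting: {raw!r}")
        if name in settings:
            raise ValueError(f"duplicate setting {name!r}: clean up by hand first")
        settings[name] = value
    return settings

def plan_setting_change(dn, attribute, current_values, name, new_value):
    """Return the LDAP modify operations, as (op, dn, attribute, value) tuples, that leave
    exactly one '<name>=<new_value>' entry in `attribute` on `dn`. Other entries are
    untouched; an empty plan means the setting is already in place (nothing to apply)."""
    settings = parse_settings(current_values)
    if settings.get(name) == str(new_value):
        return []
    ops = []
    if name in settings:                 # multi-valued: the old entry must go, not be overwritten
        ops.append(("delete", dn, attribute, f"{name}={settings[name]}"))
    ops.append(("add", dn, attribute, f"{name}={new_value}"))
    return ops

# Constructed current values, in the form adsiedit shows them (not read from the poster's forest).
OTHER_SETTINGS = ["DisableVLVSupport=0", "DynamicObjectDefaultTTL=86400", "DynamicObjectMinTTL=900"]
ADMIN_LIMITS = ["MaxPageSize=20000", "MaxTempTableSize=10000", "MaxResultSetSize=262144"]

def disable_vlv_plan(current=OTHER_SETTINGS):
    """Eric's fix: DisableVLVSupport=1 on msDS-Other-Settings (forest-wide; every DC honours it)."""
    return plan_setting_change(DIRECTORY_SERVICE_DN, "msDS-Other-Settings",
                               current, "DisableVLVSupport", 1)

def reset_max_page_size_plan(current=ADMIN_LIMITS, default=1000):
    """Yann's suspect: put MaxPageSize in the default query policy back to its default."""
    return plan_setting_change(DEFAULT_QUERY_POLICY_DN, "lDAPAdminLimits",
                               current, "MaxPageSize", default)

if __name__ == "__main__":
    for op in disable_vlv_plan() + reset_max_page_size_plan():
        print(*op)
```

Hand the returned tuples to your LDAP client as delete-then-add modifications (ldap3's MODIFY_DELETE/MODIFY_ADD, or an ldifde "changetype: modify" file); because both objects sit in the Configuration NC, the change replicates to every DC in the forest, so review the plan before applying it.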

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 12:54 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive search on Root domain failed.