RE: [ActiveDir] Recursive serach on Root domain failed with Php scripts - Now succeed !

2005-06-30 Thread TIROA YANN



Hello all,

After hard searches, I found the way PHP scripts can definitively
do a recursive query in AD 2003 from the root domain
(dc=domain,dc=fr).
For all of you that use PHP for querying AD, as 90 % of the people in my
University :(, this is what u have to do for such a query to
successfully work:

U just have to put these 2 lines in your PHP
scripts:

ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // to tell php that AD 2003 is ldap V3
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // to disable chase referrals, which is activated by default

These should be called after
connect but before binding.

The 2 lines *MUST* be together,
otherwise u will get an operations error pretty much similar to the one for
Outlook 2kX.

I thought it was the anonymous logon that is disabled on AD 2003, so I set the
Dsheuristic attribute to 002, and no way :(
So just add the 2 lines in your PHP scripts, and that works
fine.

Cheers,

Yann
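
The ordering described above (connect, set both options, then bind), as an added example that is not part of the original message. It goes one step further and applies Eric Fleischman's advice from elsewhere in this thread: only send the VLV control if the server advertises it, and fall back to a plain search if it is refused. The server URI, the AD_BIND_* environment variables and the function names are assumptions; the controls are looked up in the rootDSE supportedControl attribute, and the $controls argument needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. The server URI, environment
// variable names and function names are assumptions; the base DN and the two
// ldap_set_option() calls come from the message above.

const VLV_REQUEST_OID  = '2.16.840.1.113730.3.4.9'; // Virtual List View request
const SORT_REQUEST_OID = '1.2.840.113556.1.4.473';  // server-side sort, required by VLV
const RC_UNAVAILABLE_CRITICAL_EXTENSION = 12;       // LDAP result code seen in the trace

function ad_connect(string $uri, string $bindDn, string $password)
{
    if ($bindDn === '' || $password === '') {
        // A DN with an empty password is an unauthenticated bind, not a login.
        throw new InvalidArgumentException('Bind DN and password are required');
    }
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("Bad LDAP URI: $uri");
    }
    // Both options: after connect, before bind.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // AD 2003 speaks LDAPv3
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // do not chase referrals
    if (!@ldap_bind($ds, $bindDn, $password)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// OIDs of the controls the server advertises in its rootDSE.
function supported_controls($ds): array
{
    $sr = @ldap_read($ds, '', '(objectClass=*)', ['supportedControl']);
    if ($sr === false) {
        throw new RuntimeException('rootDSE read failed: ' . ldap_error($ds));
    }
    $entry = ldap_get_entries($ds, $sr)[0] ?? [];
    $oids = $entry['supportedcontrol'] ?? []; // ldap_get_entries() lowercases names
    unset($oids['count']);
    return array_values($oids);
}

// Subtree search from the domain root; VLV is used only when advertised.
function search_from_root($ds, string $baseDn, string $filter, array $attrs): array
{
    $advertised = supported_controls($ds);
    $controls = [];
    if (in_array(VLV_REQUEST_OID, $advertised, true)
        && in_array(SORT_REQUEST_OID, $advertised, true)) {
        $controls = [
            ['oid' => SORT_REQUEST_OID, 'iscritical' => true,
             'value' => [['attr' => 'cn']]],
            ['oid' => VLV_REQUEST_OID, 'iscritical' => true,
             'value' => ['before' => 0, 'after' => 49, 'offset' => 1, 'count' => 0]],
        ];
    }
    $sr = @ldap_search($ds, $baseDn, $filter, $attrs, 0, -1, -1,
                       LDAP_DEREF_NEVER, $controls);
    if ($sr === false && $controls !== []
        && ldap_errno($ds) === RC_UNAVAILABLE_CRITICAL_EXTENSION) {
        // Advertised but refused: retry as a plain subtree search.
        $sr = @ldap_search($ds, $baseDn, $filter, $attrs);
    }
    if ($sr === false) {
        throw new RuntimeException('Search failed: ' . ldap_error($ds));
    }
    return ldap_get_entries($ds, $sr);
}

// Runs only when credentials are supplied in the environment.
if (getenv('AD_BIND_DN') !== false) {
    // ldaps:// keeps the simple-bind password off the wire in clear text.
    $ds = ad_connect('ldaps://dc1.domain.fr',
                     (string) getenv('AD_BIND_DN'), (string) getenv('AD_BIND_PW'));
    $people = search_from_root($ds, 'dc=domain,dc=fr',
                               '(&(objectCategory=person)(cn=a*))', ['cn', 'mail']);
    printf("%d entries\n", $people['count']);
    ldap_unbind($ds);
}
```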



RE: [ActiveDir] Recursive serach on Root domain failed.

2005-06-27 Thread TIROA YANN



ERIC !!! You're the BEST !!! THAT WORKS FINE !!

I have never found the solution of my problem for one year :(

For Outlook 2003, the search succeeded thanks to your value
added with adsiedit, and it works better than the
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\LDAP]
"DisableVLVBrowsing"=dword:0001 added per workstation !!!

But I noticed that for PHP scripts, the error still remains... any
thoughts ?

Thank u very much Eric for the invaluable help u provided me
:-)

Cheers,

Yann










From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 12:54 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.

Thanks for reply :)

Yes, I have already followed the link you specified. I disabled LDAP
address-list-browsing functionality in my Outlook 2003: the browsing is then
disabled - the list is empty, without the "Unavailable Critical Extension"
error message box.

The only way I found to use the LDAP search with Outlook 2003 in Exchange MAPI
mode is to configure Outlook for searching LDAP Active Directory first and not
the Exchange GAL, and type the sender in the "To..." field of Outlook: Outlook
then verifies the sender against LDAP AD first and that works. I thought of
distributing this regkey with GPO to all my users...

I have already installed SP1 for W2K3 a month ago, and no way :(

The same problem is reproduced in another French University.

The maxpagesize = the max LDAP page size for the default query policy in my
domain is set to a high value 2 instead of the default value of 1000. I am
wondering if this can be the reason...

Cheers,

Yann








RE: [ActiveDir] Recursive serach on Root domain failed.

2005-06-27 Thread Eric Fleischman








Can you take a network sniff of the PHP
scripts failing?

I suspect they are just blindly doing VLV,
not actually checking if the DC they are talking to supports it. The mod you
made below will remove the VLV OID from supportedCapabilities such that people
that look for it won't find it. If the PHP scripts just use VLV w/o first
checking, they'll still fail (though I'd argue while what we did
isn't ideal, what they would be doing is just as bad if not worse,
because you shouldn't use something like VLV w/o first checking that the
DSA supports it).

I don't really know what that
Outlook thing you tried does from the Outlook side, I'm an AD guy, not an
Outlook guy. I've been told by people that I know that it just disables
the attempt to use VLV, but there might be caveats they didn't mention.
Maybe you don't have a late enough Outlook binary that understands it. Maybe
you didn't do the magic DisableVLVBrowsing dance. I don't know.

As I mentioned before, I'm doing a write-up
of this which I'll probably blog. I'll post to this list with a
link to that post when I do it, probably soon, but I have a few other things I
need to do first I'm afraid.



~Eric




















RE: [ActiveDir] Recursive serach on Root domain failed.

2005-06-27 Thread TIROA YANN



Eric,

For the Outlook side, when I added the value
"DisableVLVBrowsing"=dword:0001 per workstation, the browsing did not show
any users as u stated (blank list). Without the reg value, the error "Unavailable
Critical Extension" appears with, again, no users showing in the browsing list.
So the regkey seems to disable the VLV feature at the client side BUT without
showing any users :(
I found a way to LDAP search in my AD by working around this problem
:)

With your regkey set in the configuration partition, that definitively
resolves my pb: the browsing in Outlook 2003 works.
And at the time of writing, I tested the LDAP browsing on 10 workstations
that have Outlook 2003 in LDAP, and that works, whereas they did not work before
and with the same error !!

All the Outlook installs I've done have all the necessary binaries and
all the latest patches :)

I will forward u the network trace of the php search.

Thanks for help :)

PS: let us know when u will publish a KB on the VLV feature please
:)

Yann



RE: [ActiveDir] Recursive serach on Root domain failed.

2005-06-27 Thread Haaker, Chris








Eric,



I would blog it and
then those that are interested can pull the blog post. What is your blog
address?







Chris Haaker

ITS Infrastructure

x7841


















RE: [ActiveDir] Recursive serach on Root domain failed.

2005-06-27 Thread Eric Fleischman








http://blogs.technet.com/efleis

Not much there, I don't blog often.

I'll try and get to it today.














RE: [ActiveDir] Recursive serach on Root domain failed.

2005-06-25 Thread Robert Williams (RRE)








Try disabling VLV in outlook, you can do
that here:



820864 You Experience Performance Problems in Outlook 2003 When You Browse an

http://support.microsoft.com/?id=820864



If that solves your problem then you might
be hitting a known bug…contact PSS for the hotfix (or install SP1 which I
believe has the fix).

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 9:01
AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recursive serach
on Root domain failed.









Hello,











When I do an LDAP recursive search (with Outlook 2003 in
Exchange 2003 MAPI or PHP scripts) through my root domain
AD 2003 (dc=domain,dc=fr), the search failed with the corresponding error:
"Unavailable Critical Extension". But when I put the complete DN of an
OU (ou=test,dc=domain,dc=fr) then the search worked.

When I used Outlook Express configured in LDAP,
the recursive search ... worked.

My environment: forest AD 2003 raised to Windows Server 2003 functional
level. I did an in-place upgrade from AD 2000 native mode to AD 2003.

Curious thing is when I installed a fresh AD 2003 test domain
(without upgrade from AD 2000), any recursive search (with PHP, Outlook 2003, etc.)
works.

So I suspect that it is the migration that causes the problem
but, I didn't know if such a request worked before migration :(











My network trace between my workstation and any DCs
confirmed the error:











LDAP: ProtocolOp = SearchResponse (simple)
 LDAP: Result Code = Unavailable Critical Extension
 LDAP: Error Message =20EF: SvcErr: DSID-031402D0, problem 5010 (UNAVAIL_EXTENSION)
 LDAP: Controls
  LDAP: Sort Response Control
  LDAP: Criticality = 0 (0x0)
 LDAP: Sort Result Code = Unwilling to Perform

I contacted MS French support and they gave the patch
concerning http://support.microsoft.com/kb/841461/en-us, without
success :(

I found this http://support.microsoft.com/kb/842637/en-us that
seems to correspond to my pb, but how to put the script in my Outlook
2003? This is in the workaround section.

Any ideas?

Cheers,

Yann

RE: [ActiveDir] Recursive serach on Root domain failed.

2005-06-25 Thread Eric Fleischman

So I am writing a longer note about the
history of VLV fixes we've thrown at it and why, but haven't
finished yet, and am trying to decide if it is best done in a blog post or an
email to this list (it's 2 pages so far).

In the interim, a couple of thoughts.

From the DSID you're getting, I'd
speculate you're still doing VLV. I don't know what you've
tweaked on the Outlook side, but that's my suspicion. A network sniff (or
some more data) would confirm.

However, looking at this more broadly.

If you implement this change as your fix,
you'll find you need to do this on every client. That might grow old. :)

A better fix, assuming 2k3 SP1 DCs (for
RTM DCs, you'd need a QFE on them for this, namely a binary from the QFE
tree that is Q886683 or later)...

 Fire up adsiedit, crack open the config NC
 Expand CN=Directory Service,CN=Windows NT,CN=Services.
 Edit CN=Directory Services.
 Nav down to msds-Other-Settings.
 Edit.
 In the Value to add box, type, without the quotes: DisableVLVSupport=1. Click Add.

Give that a try, let us know how it goes. :)

~Eric
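
The failure discussed in this thread is a client sending VLV and sort as critical controls to a DC that will not honour them. The Python below is an added example, not code from this thread: it chooses request controls from a rootDSE `supportedControl` list and explains result code 12. The function names and the two sample rootDSE dictionaries are constructed for illustration.

```python
# OIDs of the LDAP request controls involved (standard values).
SORT_REQUEST = "1.2.840.113556.1.4.473"   # server-side sort request (RFC 2891)
VLV_REQUEST = "2.16.840.1.113730.3.4.9"   # virtual list view request
PAGED_RESULTS = "1.2.840.113556.1.4.319"  # simple paged results (RFC 2696)

# LDAP result codes seen in the trace quoted in this thread.
RESULT_CODES = {12: "unavailableCriticalExtension", 53: "unwillingToPerform"}

# Constructed rootDSE samples: one DC advertising VLV, one that does not.
DC_ADVERTISING_VLV = {"supportedControl": [PAGED_RESULTS, SORT_REQUEST, VLV_REQUEST]}
DC_WITHOUT_VLV = {"supportedControl": [PAGED_RESULTS, SORT_REQUEST]}


def plan_search_controls(root_dse):
    """Pick request controls from what the server advertises.

    root_dse maps rootDSE attribute names to lists of string values.
    Returns (mode, [(oid, criticality), ...]).
    """
    advertised = set(root_dse.get("supportedControl", []))
    if {VLV_REQUEST, SORT_REQUEST} <= advertised:
        # A VLV request is only valid together with a sort control.
        return "vlv", [(SORT_REQUEST, True), (VLV_REQUEST, True)]
    if PAGED_RESULTS in advertised:
        # Fall back to paging instead of sending a control the DC lacks.
        return "paged", [(PAGED_RESULTS, True)]
    return "plain", []


def explain_failure(result_code, sent_controls):
    """Turn a search result code into a hint, given the controls that were sent."""
    name = RESULT_CODES.get(result_code, "other")
    critical = [oid for oid, is_critical in sent_controls if is_critical]
    if result_code == 12 and critical:
        return f"{name}: server rejected a critical control, one of {critical}"
    return name


if __name__ == "__main__":
    for label, dse in (("with VLV", DC_ADVERTISING_VLV), ("without VLV", DC_WITHOUT_VLV)):
        print(label, plan_search_controls(dse))
    print(explain_failure(12, plan_search_controls(DC_ADVERTISING_VLV)[1]))
```
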

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 12:54 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.

Thanks for reply :)

Yes, I have already followed the link you
specified. I disabled LDAP address-list-browsing functionality in my Outlook
2003: the browsing is then disabled - the list is empty,
without the Unavailable Critical Extension error message box.

The only way I found to use the LDAP
search with Outlook 2003 Exchange MAPI mode is to configure Outlook for searching
LDAP Active Directory first and not the Exchange GAL, and type the sender in
the "to..." field of Outlook: Outlook then verifies the sender
against LDAP AD first and that works. I thought of distributing this regkey with
GPO to all my users...

I have already installed SP1 for W2K3 a month ago, and no
way :(

The same problem is reproduced in another French University.

The maxpagesize = the max LDAP page size for the default
query policy in my domain is set to a high value 2 instead of the default
value of 1000. I am wondering if this can be the reason...

Cheers,

Yann

From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Date: Sat. 25/06/2005 18:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.

Try disabling VLV in Outlook, you can do
that here:

820864 You Experience Performance Problems in Outlook 2003 When You Browse an

http://support.microsoft.com/?id=820864

If that solves your problem then you might
be hitting a known bug; contact PSS for the hotfix (or install SP1 which I
believe has the fix).

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center
