RE: [ActiveDir] LDAP Queries across WAN links

2006-07-24 Thread joe



Yeah, from your initial description I am guessing you specified your domain
name for the host. If you do that, depending on the underlying code for the
resolution to a specific domain controller, you can get ANY DC in the forest.
This is a very common issue with folks using LDAP libraries that aren't the
MSFT ones. They built a lot of cool logic into their libraries, and if you
aren't running on Windows you should try and duplicate it, and if you are, you
should be using it.
 
I am not sure I would solve this with lmhosts and short hostnames. The best
solutions I have seen to date:
 
1. Duplicate the DNS lookups that MSFT does for the locator service. This
really isn't too hard and just takes a little bit of DNS code, of which you
should find several examples in the UNIX world. You can even make it
considerably smarter than the current Windows location services, like looking
at site link costs etc. to get the next closest site, for instance.

 
2. Have a perl script (or some script) that does the DNS lookups manually and
inserts the results into the application configuration every couple of hours
or if there is a failure.
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett
Sent: Monday, July 24, 2006 4:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Queries across WAN links


I should have answered my own post, my apologies for being slack.

The symptoms were slow application launch on the first occurrence, faster the
2nd and subsequent launches.

We solved the problem in the 'low-tech' method: LMHOSTS to direct use of the
local DCs.

Thanks for the reply.
Al
 
 
-----Original Message-----
From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Monday, July 24, 2006 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Queries across WAN links
 

Couple of things to get you started down the right path:

1) LDAP is not an authentication protocol. Remember that, as there will be a
test later.

2) NTDSUTIL is not the tool to test with. LDP.EXE or one of the joeware tools
might be better. There are several freeware tools that are also out there, but
I've found that LDP is one of the easiest for a GUI-based tool.

3) There are RFCs, books, websites, etc. What have you read so far and what
types of questions does that lead you to? What I'm looking for is what aspect
of LDAP you're wanting to follow. The field is wide, and we may need to narrow
it down a bit to save time.

Also, can you describe the problems that you see? I mean, some details would
be helpful. What language it's written in, how it was configured, what problem
you see vs. what you expect to see, etc. would be really helpful. LDAP, in its
native state, is not going to just pick a server out of a hat. Instead, it can
either be told which server to use or else use the root DSE (see RFC 2251 for
an explanation, but basically it's a way to use name resolution to find
directory servers). Using root DSE methods might make LDAP seem less
predictable in some cases.

Al

On 7/24/06, Al Garrett <[EMAIL PROTECTED]> wrote:

I am LDAP-challenged.

We have an application that appears to be performing LDAP authentication to a
Domain Controller at a remote location vs. the local DC.

Is there a comprehensive site for coming up to speed on LDAP, how it's used,
how to adjust its performance, etc.?

Is ntdsutil.exe the correct utility to modify how applications interact with
LDAP?

Al Garrett
SWCCD
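joe's two suggestions above, worked through as an added example that is not part of the thread (Python rather than the perl joe mentions): the script issues the same SRV lookups the Windows DC locator issues, site-specific `_sites.dc._msdcs` records first and the domain-wide `dc._msdcs` record as the fallback, orders the answers by RFC 2782 priority and weight, and renders the result as a configuration line the application can read at start-up (option 2). The domain corp.example, the site name Branch, the hostnames, the zone contents and the `ldap_servers` key are all constructed for the offline run; swap `fake_resolve` for a real SRV lookup (dnspython's `dns.resolver.resolve(name, "SRV")`) to run it against a live zone.

```python
"""DC locator lookups: site SRV records first, domain-wide as fallback,
then RFC 2782 priority/weight ordering. Constructed example; see lead-in."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    """One SRV answer (RFC 2782 field order); target keeps its trailing dot."""
    priority: int
    weight: int
    port: int
    target: str


# A resolver maps an owner name to its SRV records ([] when there are none).
Resolver = Callable[[str], List[SrvRecord]]


def locator_names(domain: str, site: Optional[str] = None, gc: bool = False) -> List[str]:
    """Owner names the locator queries, most specific first. DCs register
    _ldap._tcp.<Site>._sites.dc._msdcs.<domain> for their own site and
    _ldap._tcp.dc._msdcs.<domain> for the whole domain; global catalogs use
    gc._msdcs under the forest root, so pass the forest root when gc=True."""
    role = "gc" if gc else "dc"
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.{role}._msdcs.{domain}")
    names.append(f"_ldap._tcp.{role}._msdcs.{domain}")
    return names


def order_srv(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """RFC 2782 client ordering: ascending priority; within one priority a
    weighted random draw, with weight-0 records tried last."""
    by_prio: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_prio.setdefault(rec.priority, []).append(rec)
    ordered: List[SrvRecord] = []
    for prio in sorted(by_prio):
        pool = [r for r in by_prio[prio] if r.weight > 0]
        while pool:
            pick = rng.choices(pool, weights=[r.weight for r in pool])[0]
            ordered.append(pick)
            pool.remove(pick)
        ordered.extend(r for r in by_prio[prio] if r.weight == 0)
    return ordered


def locate_dcs(domain: str, site: Optional[str], resolve: Resolver,
               rng: Optional[random.Random] = None, gc: bool = False) -> List[Tuple[str, int]]:
    """Walk locator_names() until a name answers; return (host, port) in the
    order a client should try them. An unknown or DC-less site falls through
    to the domain-wide record, the same fallback the Windows locator makes.
    An empty list means no DC is registered at all."""
    rng = rng or random.Random()
    for name in locator_names(domain, site, gc):
        records = resolve(name)
        if records:
            return [(r.target.rstrip("."), r.port) for r in order_srv(records, rng)]
    return []


def render_config(hosts: List[Tuple[str, int]], key: str = "ldap_servers") -> str:
    """Option 2 from the thread: a config line the application reads at
    start-up instead of resolving the bare domain name itself. The key name
    is an assumption; use whatever the application expects."""
    return f"{key} = " + " ".join(f"{host}:{port}" for host, port in hosts)


# Constructed sample zone for an offline run (hostnames are made up). Site
# "Branch" has one DC; the domain-wide record lists every DC, including a
# low-priority disaster-recovery DC that should be tried last.
DOMAIN = "corp.example"
FAKE_ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.Branch._sites.dc._msdcs.corp.example": [
        SrvRecord(0, 100, 389, "dc-branch1.corp.example."),
    ],
    "_ldap._tcp.dc._msdcs.corp.example": [
        SrvRecord(0, 100, 389, "dc-branch1.corp.example."),
        SrvRecord(0, 100, 389, "dc-hub1.corp.example."),
        SrvRecord(0, 100, 389, "dc-hub2.corp.example."),
        SrvRecord(10, 0, 389, "dc-dr1.corp.example."),
    ],
}


def fake_resolve(name: str) -> List[SrvRecord]:
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    rng = random.Random(1)
    # Branch client: only its own DC. Unknown site: every DC, DR one last.
    print(render_config(locate_dcs(DOMAIN, "Branch", fake_resolve, rng)))
    print(render_config(locate_dcs(DOMAIN, "NoSuchSite", fake_resolve, rng)))
```

The contrast with the symptom in the thread: handing the bare domain name to an LDAP library resolves it to the domain's A records, which every DC registers with no site information, so the client connects to whichever address the resolver hands back first, local or across the WAN. The SRV walk above is what restores site awareness. joe's site-link-cost refinement would slot into `locator_names()` as extra `_sites` entries appended in cost order before the domain-wide fallback.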
 


RE: [ActiveDir] LDAP Queries across WAN links

2006-07-24 Thread Al Garrett
I should have answered my own post, my apologies for being slack.

The symptoms were slow application launch on the first occurrence, faster the
2nd and subsequent launches.

We solved the problem in the 'low-tech' method: LMHOSTS to direct use of the
local DCs.

Thanks for the reply.

Al
 

 


Re: [ActiveDir] LDAP Queries across WAN links

2006-07-24 Thread Al Mulnick
Couple of things to get you started down the right path:

1) LDAP is not an authentication protocol. Remember that, as there will be a test later.

2) NTDSUTIL is not the tool to test with. LDP.EXE or one of the joeware tools might be better. There are several freeware tools that are also out there, but I've found that LDP is one of the easiest for a GUI-based tool.

3) There are RFCs, books, websites, etc. What have you read so far and what types of questions does that lead you to? What I'm looking for is what aspect of LDAP you're wanting to follow. The field is wide, and we may need to narrow it down a bit to save time.

Also, can you describe the problems that you see? I mean, some details would be helpful. What language it's written in, how it was configured, what problem you see vs. what you expect to see, etc. would be really helpful. LDAP, in its native state, is not going to just pick a server out of a hat. Instead, it can either be told which server to use or else use the root DSE (see RFC 2251 for an explanation, but basically it's a way to use name resolution to find directory servers). Using root DSE methods might make LDAP seem less predictable in some cases.

Al