Active Directory Performance Counter Searches per second is High
We are running Windows Server 2008 R2 (without integrated DNS). We have 6 domain controllers, and one of them is showing high searches per second, hanging around 800, while the others are around 200.
Can someone please advise how can I find out which server, or service, is generating the high number of searches on that particular DC?
I'm using SCOM 2012 SP1 for the performance monitoring.
Thank you.
We are running Windows Server 2008 R2 (without integrated DNS). We have 6 domain controllers, and one of them is showing high searches per second, hanging around 800, while the others are around 200.
Can someone please advise how can I find out which server, or service, is generating the high number of searches on that particular DC?
I'm using SCOM 2012 SP1 for the performance monitoring.
Thank you.
Give a try to ADInsight tool from Sysinternal suite.
http://technet.microsoft.com/en-in/sysinternals/bb897539
You can try performance tuning guidelines suggested in the below article.
http://msdn.microsoft.com/en-us/library/windows/hardware/dn529134
Try reliability monitor might able to help you.
http://technet.microsoft.com/en-us/library/cc771692%28v=ws.10%29.aspx
http://support.microsoft.com/kb/983386
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.
Similar Messages
-
Router Switching Performance in Packets Per Second (PPS) : ISR 4431 and 4431
Hi,
In this document, I am able to find the Routing Performance for all routeurs except ISR 4000 series.
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
I would like to know what is the Router Switching Performance in Packets Per Second (PPS) and Mbps for ISR 4431 and 4431 routers.
Fast/CEF Switching : PPS and Mbps
Anybody had a documents or information about this ?
Regards,
Nurul Kabir KHANDisclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I've not been able to find anything beyond a bandwidth capacity rating, such as 500 Mbps upgradable to 1 Gbps for the 4431.
I did find http://www.cisco.com/c/dam/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/enterprise-routing-portfolio-poster.pdf?mdfid=283967372
The point of interest for the foregoing, is the performance listings for the 800 series routers. Assuming their bandwidth performances ratings are using a similar performance methodology for all the routers, we can look at whitepapers, like the attached, and presume the 4000 series bandwidths are a total aggregate for typical traffic with most typical "WAN" features enabled. I.e. presume 500/1,000 Mbps is maximum recommended aggregate bandwidth usage with typical "WAN" traffic and typical "WAN" features.
PS:
Documents like: http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf can be very easily misunderstood when trying to predict real-world performance. I suspect Cisco's latest bandwidth recommendations are trying to provide an easy to understand values for sizing routers for typical usage.
The attachment shows how feature usage, and traffic content, impacts ISR performance, which is why the older document can so easily mislead. -
JNDI, Active Directory and Persistent Searches (part 2)
The original post of this title which was located at http://forum.java.sun.com/thread.jspa?threadID=578342&tstart=200 subsequently disappeared into the ether (as with many other posts).
By request I am reposting the sample code which demonstrates receiving notifications of object changes on the Active Directory.
Further information on both the Active Directory and dirsynch and ldap notification mechanisms can be found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/overview_of_change_tracking_techniques.asp
* ldapnotify.java
* December 2004
* Sample JNDI application that uses AD LDAP Notification Control.
import java.util.Hashtable;
import java.util.Enumeration;
import javax.naming.*;
import javax.naming.ldap.*;
import com.sun.jndi.ldap.ctl.*;
import javax.naming.directory.*;
class NotifyControl implements Control {
public byte[] getEncodedValue() {
return new byte[] {};
public String getID() {
return "1.2.840.113556.1.4.528";
public boolean isCritical() {
return true;
class ldapnotify {
public static void main(String[] args) {
Hashtable env = new Hashtable();
String adminName = "CN=Administrator,CN=Users,DC=antipodes,DC=com";
String adminPassword = "XXXXXXXX";
String ldapURL = "ldap://mydc.antipodes.com:389";
String searchBase = "DC=antipodes,DC=com";
//For persistent search can only use objectClass=*
String searchFilter = "(objectClass=*)";
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
//set security credentials, note using simple cleartext authentication
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL,adminName);
env.put(Context.SECURITY_CREDENTIALS,adminPassword);
//connect to my domain controller
env.put(Context.PROVIDER_URL,ldapURL);
try {
//bind to the domain controller
LdapContext ctx = new InitialLdapContext(env,null);
// Create the search controls
SearchControls searchCtls = new SearchControls();
//Specify the attributes to return
String returnedAtts[] = null;
searchCtls.setReturningAttributes(returnedAtts);
//Specify the search scope
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
//Specifiy the search time limit, in this case unlimited
searchCtls.setTimeLimit(0);
//Request the LDAP Persistent Search control
Control[] rqstCtls = new Control[]{new NotifyControl()};
ctx.setRequestControls(rqstCtls);
//Now perform the search
NamingEnumeration answer = ctx.search(searchBase,searchFilter,searchCtls);
SearchResult sr;
Attributes attrs;
//Continue waiting for changes....forever
while(true) {
System.out.println("Waiting for changes..., press Ctrl C to exit");
sr = (SearchResult)answer.next();
System.out.println(">>>" + sr.getName());
//Print out the modified attributes
//instanceType and objectGUID are always returned
attrs = sr.getAttributes();
if (attrs != null) {
try {
for (NamingEnumeration ae = attrs.getAll();ae.hasMore();) {
Attribute attr = (Attribute)ae.next();
System.out.println("Attribute: " + attr.getID());
for (NamingEnumeration e = attr.getAll();e.hasMore();System.out.println(" " + e.next().toString()));
catch (NullPointerException e) {
System.err.println("Problem listing attributes: " + e);
catch (NamingException e) {
System.err.println("LDAP Notifications failure. " + e);
}Hi Steven
How can I detect what change was made ? Is there an attribute that tell us ?
Thanks
MHM -
Hello,
I am working on an existing 2010 Exchange implementation. The site has one Exchange 2010 server with no other Exchange servers running and/or available. I looked through the application logs and I see multiple Event ID 5013 errors that state,
"The routing group for Exchange server <ServerName>.<DomainName>.LOCAL was not determined in routing tables with timestamp 6/24/2014 8:01:48 PM. Recipients will not be routed to this server."
I would like to know if by having this old 2003 Exchange server in AD, if it could be causing performance issues or if it is just a warning message only. I have located the old server name using ADSIedit under, "CN=Configuration,DC=<DomainName>DC=Local\CN=Services\CN=Microsoft
Exchange\CN=First Organization\CN=Administrative Groups\CN=First Administrative Group\CN=Servers". The old 2003 Exchange server is then listed in the right window pane so it could be deleted but I would need to know if this would effect the Exchange
environment other than removing the error from the event logs.
Thank you for your help,
MichaelHi,
When you install Exchange 2010 in an existing Exchange 2003 environment, a routing group connector is created automatically. If you remove Exchange 2003 from you environment, you should also delete this routing group connector.
Besides, here is a related article about Event ID 5013 which may help you for your reference.
http://technet.microsoft.com/en-us/library/ff360498(v=exchg.140).aspx
Best regards,
Belinda Ma
TechNet Community Support -
Benchmark report: obtain 17,000 searches per second, DS52p6, x4250 8-core
The benchmark described in this post involved a requirement for a Consumer Directory Server for 13,8000,000 user entries with Directory Server 5.2 patch 6 running on Sun Netra x4250 hardware and Solaris 10 update 7. -- http://bit.ly/8p8RI
Frederic's right... you're summing up too many statspacks ..
Can't see anything specific apart from the fact that Statspack itself is showing up in the top statements.
First : define 'Slow' . What is your goal for 'Ok' ?
Start thinking about sql_trace, tkprof and 10046 traces -
Counting pulses and measuring flow rate per second
Hi everyone
I am using a compactField Point (cFP-2220) controller to measure the flow rate. The flow sensor that i have, gives the output in terms of the pulses. I need to count the number of pulses for a particular interval and divide it by a K-factor( constant value) to get the flow rate. If i select the interval to be of a second, i would want to count number of pulses per second and divide it by K-factor to get flow rate ( per second).
How do i count pulses per second and consequently measure flow rate using this count and K-factor.
Any kind of help would be highly appreciated.
Thanks in advance.You may be able to use the Edit Tempo function to work this out. With you waveform in Edit view Right Click on the time scale at bottom of waveform and select Bars and Beats display. Select a number of beats by highlighting with the cursor. Then again on the Time bar select Edit Tempo. In that dialogue you can try clicking on Extract to find the Tempo ie. beats per minute. Also you can try adjusting the tempo by entering avalue manually to see how close that gets to your waveform.
Haven't used this function of Audition much so you may have to refer to the help file to find out more about it. -
Is it possible to modify the timeout of the userID on my active directory domain when off network?
My work Macbook Pro is using a domain account from my office. When I travel and the domain controller is not reachable it takes 30 to 60 secs longer to log into my system because it has to wait for the active directory domain controller search to timeout before it will use cached credentials (i.e. a mobile account). Does anyone know how to modify my system settings to reduce the timeout or even eliminate the delay all together? I am running the latest version of Yosemite.
Thanks,
MikeHere is the modified VI, saved in LabVIEW 2012. Follow these steps to patch your system:
1. Close LabVIEW 2012.
2. Backup the following file: LabVIEW 2012\resource\Framework\Providers\VILibrary\libFrame_OpenPageRef.vi
3. Replace it with the version attached to this post.
4. Restart LabVIEW 2012.
Now you should no longer experience the 30 second timeout when the class property page loads. I set the timeout to "-1", so it should wait as long as necessary to open the page.
Note that if you ever repair or reinstall LabVIEW 2012, you'll need to patch this file again. Also, I wouldn't try patching any version other than 2012, since there may be other changes made to this VI across LabVIEW upgrades.
Darren Nattinger, CLA
LabVIEW Artisan and Nugget Penman
Attachments:
libFrame_OpenPageRef.vi 24 KB -
Weblogic with Active Directory Authentication provider problem: DN for user ....: null
I have a java application (SSO via SAML2) that uses Weblogic as a Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
- I defined an Active Directory Authentication provider
- changed it's order in the Authentication Providers list so that it comes first
- set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
<sec:name>MyOwnADAuthenticator</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
<wls:host>10.20.150.4</wls:host>
<wls:port>5000</wls:port>
<wls:ssl-enabled>false</wls:ssl-enabled>
<wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
<wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
<wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
<wls:cache-enabled>false</wls:cache-enabled>
<wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
</sec:authentication-provider>
I configured a AD LDS instance(Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
Here's what I see in the log file:
<BEA-000000> <LDAP Atn Login username: tadmin>
<BEA-000000> <authenticate user:tadmin>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
#!SEARCH REQUEST (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.324
# LDAP URL : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
# command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
# baseObject : CN=wl,DC=at,DC=com
# scope : wholeSubtree (2)
# derefAliases : derefAlways (3)
# sizeLimit : 1000
# timeLimit : 0
# typesOnly : False
# filter : (&(cn=tadmin)(objectclass=user))
# attributes : objectClass
#!SEARCH RESULT DONE (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.356
# numEntries : 1
(the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com" in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
Here are some other things I tried but did not change anything:
- the other "msDS-" attributes were not set so I tried initializing them to some value
- I tried other users defined in AD LDS, not tadmin
- in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
- I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
Any thoughts?
Thanks.I managed to narrow it down: the AD LDS does not support the userAccountControl.
Anyone knows how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)> -
Snow Leopard and Windows 2003 Active Directory Binding Issues
Ok I have a new imac 27" with snow leopard (completely patched).
I am attempting to join it to an active directory domain.
First the prequel:
* I have opened full traffic to and from the machine and our domain controllers
* I have enabled full logging on the firewall and there are no blocked packets
* I have used wireshark to watch the traffic on the mac and there appear to be no anomalies (packets being sent out but not getting a response, dns requests that aren't answered, etc)
* I have enabled full KDC logging on the domain controller in question and there are no errors in any of the event logs on either domain controller.
* The domain admin account in question has Enterprise, Schema and Domain Admin rights
* I have tried it both with and without an existing computer account and with every conceivable combination of caps and no caps on domain name, user and computer names.
I am getting the following error at the very end of the process:
"Unable to add server. Credential operation failed because an invalid parameter was provided (5102)"
I enabled debugging on Directory Services and will post a log in a reply.
Anyone have any ideas? I have been banging my head on this for a week with no luck.Here is the log with the Active Directory: entries grepped... the full log is far too large to reply to here, if you think you need it let me know and I can email it to you it is 548kb
obviously machine names, usernames and ip addresses have been munged.
2011-02-09 12:13:32 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:36 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:41 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:46 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 1 - Searching for Forest/Domain information
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 2 - Finding nearest Domain controllers
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 3 - Verifying credentials
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Attempting Replica connect to dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: CheckWithSelect - good socket to host dc3.subdomain.domain.tld. from poll and verified LDAP
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Established connection to dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:vyvyIt4
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:vyvyIt4
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Processing Site Search with found IP
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: No site name available
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating Mappings from inSchema.........
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated schema for node name subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Configuration naming context = cn=Partitions,CN=Configuration,DC=subdomain,DC=domain,DC=tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Top domain set as <cn=subdomain,cn=partitions,cn=configuration,dc=subdomain,dc=domain,dc=tld>
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating domain hierarchy cache
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating policies from domain subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated policies for node name subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - Searching for existing computer
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:zXpbfEi
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:zXpbfEi
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing Computer search for Ethernet address - 10:9a:dd:56:1b:1d
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - no mapping for Ethernet MAC address
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 5 - Bind/Join computer to domain
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Looking for existing Record of machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: KerberosID Found for account CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld - MACHINENAME$
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Existing record found @ CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld with [email protected].
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Setting Computer Password FAILED for existing record......
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Computer password change date is 2011-02-04 18:21:01 -0500
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Schtldled computer password change every 1209600 seconds - starting 2011-02-09 12:13:50 -0500
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x00000001026AA000\] - Active Directory: Failed to changed computer password in Active Directory domain
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:51 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
Message was edited by: aelana -
Setting up Wiki Calendars in iCal with Active Directory Accounts
I'm Having a little trouble wrapping my head around our Wiki Calendar Solution,
Id like to find a way to get the 10.6 Wiki Server Calendar's in iCal Client - using our active directory authentication.
I have a test 10.6 Server bound to our Active Directory with Wiki's up and running and am able to log in with AD account's and view and manage the Wiki Calendar - I can see how to subscribe to the calendar's - But I need full integration with iCal and maybe even Outlook - subscribing only provides read access.
anyone have any idea how his can be accomplished in and active directory setting - my searches have lead me to OD solutions and thats not going to work.I don't know how much I'll be able to help, but I do have AD accounts using wiki services. Can you verify a few things:
1. The AD group is listed in the "Wiki Creators" box in Server Admin, yes?
2. If you open Terminal and run "sudo serveradmin settings teams:enableClearTextAuth", does it return "teams:enableClearTextAuth = yes"?
3. If you open System Preferences -> Accounts and then edit the directory servers, does the AD domain show as working normally?
Also, have you worked to isolate the problem? Have you tried creating an OD user to test against the wiki? Are the logs showing anything? -
How to add a new schema in active directory by jndi?
I can add new objectclass schema and new attribute into eDirectory from JNDI. But I failed doing the same to active directory. I search all topic in this forums and seems like there is no such answer. So for active directory, the only way to add new schema is by using MS MMC + AD schema snap-in?
You can update the schema via LDAP. Any tool that uses LDAP, such as Active Directory Services Interface (ADSI), Java/JNDI, LDAP Data Interchange Format (LDIF) can be used. You are not restricted to the Active Directory Schema Management snap-in.
I strongly recomend that you read the following article http://windowssdk.msdn.microsoft.com/en-us/library/ms677995.aspx as schema extensions are not to be undertaken lightly.
Also, if you are extending the schema, DO NOT use other organization's schema OID's. Imagine how directories would become inoperable because you defined hat size as an integer value with an OID of 1.2.3 and someone else defined Social Security Number as a string with an OID of 1.2.3 ! You can obtain your own OID branch from either Microsoft (http://msdn.microsoft.com/certification/ad-registration.asp) or from a standards organization such as ANSI.
I'm kind of hoping that seeing as though you have mentioned that you have extended the schema for e-Directory, that you understand LDAP schemas and that you have your own valid OID. Do not use my shoe size OID !
The following snippet illustrates how to extend the schema using JNDI.....
String attrName = "cn=ms-ShoeSize,cn=Schema,cn=Configuration,dc=antipodes,dc=com";
LdapContext ctx = new InitialLdapContext(env,null);
Attributes attr = new BasicAttributes(true);
attr.put("cn","ms-ShoeSize");
attr.put("objectClass","attributeSchema");
attr.put("ldapDisplayName","msShoeSize");
attr.put("isSingleValued","TRUE");
attr.put("attributeID","1.2.840.113556.1.4.7000.141");
attr.put("attributeSyntax","2.5.5.9");
Context newattr = ctx.createSubcontext(attrName,attr);Having created a new attribute, you could then either add it to an existing class, or create another abstract class, add it to the new abstract class, and add the the new abstract class as an auxilliary class to an existing structural class. For example create a new auxilliary class called "clothes Sizes", add the attribute "Shoe Size" as a mayContain attribute, and then add "Clothes Sizes" as an auxilliary class to inetOrgPerson.
Note that you need to wait for the schema cache to refresh, before adding attribute or class definitions to one another, and before instantianting new objects with the new classes & attribute definitions. You can either wait for teh schema cache to refresh itself, or you can force a refresh by writing the value of 1, to the attribute "schemaUpdateNow" on the RootDSE.
As I mentioned at the start of this response, I personally prefer to use LDIF, simply because it enables end-users/customers to review the schema extensions and understand their potential impact before applying them. A sample that accomplishes the above would look something like:dn: CN=ms-ShoeSize,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
changetype: add
objectClass: attributeSchema
cn: ms-ShoeSize
ldapDisplayName: msShoeSize
attributeID: 1.2.840.113556.1.4.7000.141
attributeSyntax: 2.5.5.9
isSingleValued: TRUE
dn:
changetype: modify
replace: schemaupdatenow
schemaupdatenow: 1
dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
changetype: modify
add: mayContain
mayContain: mSShoeSize
dn:
changetype: modify
replace: schemaupdatenow
schemaupdatenow: 1
- -
Changes in Microsoft Active Directory Services into a file
I am in need of sample code to capture changes in Active Directory services into a flat file.
Here is my requirement:
I would like to capture user information changes from the Active directory server into a flat file.
For an example, When a user is newly created in Actives Directory Server, I need to Capture that user info and write into a flat file. Similarly for update and delete user in Activer Directory server, i need to capture the changes and write into a file.
Would appreciate, if any could help me on this
Thanks in advance
Thanks
KumarRefer to:
JNDI, Active Directory & Persistent Searches (part 1) http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
There was another topic that I posted called JNDI, Active Directory and Persistent Searches (part 2) in which I described teh LDAPNotification Control.
It had the following URL http://forum.java.sun.com/thread.jspa?threadID=578342&tstart=200 however it seems as though I have suffered another case of the forum losing my posts. -
Connect Active Directory Sync Error - operation-size-error
We are on Connect 9. We have our Active Directory Sync running once per day. I received a sync log error as follows:
E-Learning-All-Empl-grps
G
error
Change$Update$Group: SyncTargetException: StatusException$OperationSizeError: <status code="operation-size-error"/>
The E-Learning-All-Empl-grps is a distribution list in Active Driectory that is used to contain one of 9 sublists. Each sub-list has up to 800 names. This was to get around an earlier issue with their being a limitation when we are on Breeze that only a max of 800 names could be in any group.
What does this error mean and how can I correct this?
DaveI tried all of this, I still can not bind my Mac 10.6.3 to Microsoft Windows 2003 R2 Active Directory, and the failure I receive that Time settings between both computers is not synced although the time is the same on both machines, and I restart the NNTP on Windows Server, and added the Active Directory IP Address on the Date & time Settings on Mac.
Any Help -
Unable to login @ login window with Active Directory User
I successfully bound my test machine to Active Directory and can search using dscl and id. I can also su to my active directory user account an authenticate perfectly. All search bases are correct and everything else looks fine.
When I attempt to login from the login window as an AD user, the window shakes. Clicking under Mac OS X shows that "Network Accounts Available". Looks like the CLI tool "dirt" is now gone as well, although insecure it would possibly show something here.
Anyone else having issues after binding to AD? I bound using the Directory Utility gui... I have not tried using my leopard bind script yet.
Thanks,
KenI have pretty well the same problem. The machine was already bound to AD prior to upgrade. After could not login on with my account (jball). Can log on with other accounts from the same domain (we only have one AD domain). Can also su to jball in a terminal session. Can't access network resources with jball when I try to connect to a windows server through the finder, instantly comes up with bad username or password, doesn't even think about it.
I have removed any copies of the home folder under either /Users or /Domain as I have had problems with that before. Have repaired permissions and unbind and bind the machine to AD. Have been at this all day now and no closer. Get these error messages in console:
31/08/09 4:49:27 PM SecurityAgent[666] Could not get the user record for 'jball@domainname' from Directory Services
31/08/09 4:49:27 PM SecurityAgent[666] User info context values set for jball@domainname
31/08/09 4:49:27 PM SecurityAgent[666] unknown-user (jball@domainname) login attempt PASSED for auditing -
Handling events on Microsoft Active Directory
Hi
Is it somehow possible to catch events made on AD?I did find only that it is not supported.But there must be way to do something like that...Can you help me please?
Thanks for any answer.
AndyRefer to:
JNDI, Active Directory & Persistent Searches (part 1)
http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
JNDI, Active Directory and Persistent Searches (part 2)
http://forum.java.sun.com/thread.jspa?threadID=672007&tstart=90
Maybe you are looking for
-
Trying to do a software update, but my macbook pro does nothing after it prompts me to restart
I am trying to do a software update on my Macbook Pro so I can update the new iTunes so I can start using my new iPod. Every time I go through the process of the computer searching for updates and confirming there are software updates, then being pro
-
Hey guys! I was wondering if you could help me with this 'Anonymous UUID' thing? As I've only had this mac for just over a month, I was a little frightened to think that I may have done something wrong to receive a crash report such as this? Here is
-
Can i install Oracle ADF Essentials 11.1.2.3 on weblogic 10.6 ?
can i install Oracle ADF Essentials 11.1.2.3 on weblogic 10.6 ? what the difference between ADF Essentials 11.1.2.3 and Application Development Run time 11.1.1.6 ? can i use ADF Essentials 11.1.2.3 instead of Application Development Run time 11.1.1.6
-
Where can I find the PDF manual for Premiere Elements?
Does Adobe have a full manual in PDF file format for Premiere Elements 9.0? P.S. Watch out for trying to handle large (> 700meg) AVI files. Phone support says I'm SOL on bringing in my 6.5 gig 24 minute file. Their solution? Bring it in small chunk
-
Portal run time error when clicking on top level-navigation
Hi, When I select a link from the top level-navigation I get the message <b>Portal Run Time Error</b>. I found the log file with this entry : <i>#1.5#001438EE39C6006F0000130F000031E800041ABD6F12C098#1155300821516#com.sap.portal.portal#sap.com/irj#com