LDAP multidirectory with sub-domains
Hi,
I have some difficulties using the LDAP COM object that comes with the IP Phone Services SDK. I would like to search the whole AD, which has multiple subdomains. I would like to search the whole directory structure, with the base DC=company,DC=country, without specifying any particular OU. However, the connection with this kind of directory base configuration fails (the COM object is not created), so I cannot search the whole directory, only specific OUs. Is there any way to achieve searching the whole directory structure?
Regards
Marko
Originally Posted by hwoess
Hello to the commmunity!
I have done a DSfW setup with our IT partners. There are two OES2 domain controllers which hold the "main domain". Connected to this "main domain" are two configured sub-domains (OES2, too). They have been set up virtually (VMware). And there is the problem with our DSfW installation. If the VPN tunnel (through which the sub-domains are connected) is broken or I reboot the first "main-domain" controller, all the subs don't work. I mean, they don't reboot, but they have no "domain functionality". I have seen that all the controllers make a (I guess) LDAP connection to the first installed OES2 domain controller. I don't know why. Is this normal? Can I change this?
What I have to say is that we connected each (sub-)domain through a trust or a forest to a real MS AD. We put our workstations into the real AD and through the trust or forest we get the users from eDir or DSfW.
As I know no one has a construct like our company here in Austria, so nobody could help me. Maybe the community does!
With kindest regards
Hans-Christian Wssner
Hi,
When the VPN tunnel is broken or the first domain controller of the DSfW parent (first) domain is down, is the complete eDirectory tree (all the partitions) still available (reachable) to the domain controllers of the DSfW sub-domains (child domains)? You can place additional read-write replicas on the other DCs (for the partitions that are missing) if the complete eDirectory tree is not available when one of the above two conditions occurs.
Thanks,
Praveen Kumar
Similar Messages
-
Hello,
I found a test environment and I'm just trying to understand how it works.
If I have two domains (a.com and b.com) with sub domains (a1.com and b1.com) with a two-way trust and I want them to point to a Windows DNS server, how should the forward lookup zones and reverse lookup zones be configured? In forward lookup zones do I just add a new zone, make them all primary since there is only one DNS server, add a.com and b.com and do the same for reverse zones?
Do the sub domains need to be added? What about pointers? Do I add the IP addresses of a.com and b.com in reverse lookup zones?
A side question: when you create a domain with AD-integrated DNS, the forward and reverse lookup zones are automatically created. You don't need to add the zone of the domain you just created but have to add zones of other domains.
Make each domain controller a DNS server too. Reverse lookup zones & forwarders are not replicated automatically. You can create an AD-integrated reverse lookup zone & set the replication scope.
You can create AD-integrated DNS zones in the parent/root domain, set the replication scope to forest-wide & delegate the zones for handling requests locally. Once you create an AD-integrated DNS zone & set the replication scope forest-wide, all the zones will appear automatically in each domain's DNS server.
http://awinish.wordpress.com/2011/04/09/configuring-dns-in-child-domain/
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights. -
LDAP Authentication with sub-contexts?
Is it possible to authenticate to an ldap server with a user that belongs under different sub contexts?
We have one LDAP JAAS login module that we want to use to authenticate ANY user under the LDAP ROOT context. Which means if we have:
O=COMPANY
|
|-> OU = DIVISION ONE
|
|-> USER1
|
|-> OU = DIVISION TWO
|
|-> USER2
I'd want to set up my login module to always build the DN for the user as:
cn=<username>,O=COMPANY and have the server itself look in the sub contexts (OU=DIVISION ONE and OU=DIVISION TWO) below when trying to make the initial context.
Is this possible?
Thanks,
- Tim
The problem with that is that the AD GPO will not let me set the password I am using...
So change your non-LDAP account password in UCM to a password that AD will accept, test that it works for login on CCX, and then do the LDAP integration.
Besides, when I removed LDAP authentication I logged into the UCCX again and added the Administrator rights to my LDAP account, but it won't authenticate me.
No idea, but one guess would be that changes to the account may not hold when the account is marked as inactive in UCM. Just a guess though. -
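Both the opening question (searching from the top of the tree instead of one OU) and the "LDAP Authentication with sub-contexts?" post above reduce to the same pattern: search with subtree scope from the base DN, take the single DN that comes back, then bind as that DN, rather than assembling cn=<username>,O=COMPANY by hand. The Python below is an added example, not code from any of the posts. It uses only the standard library, keeps the LDAP client behind two callables (search and bind, which in practice would wrap python-ldap, ldap3 or JNDI; that wiring is assumed and not shown) and runs here against a constructed in-memory directory shaped like Tim's tree. It also escapes the login name per RFC 4515, because a username is untrusted input that otherwise rewrites the filter. One caveat for Marko's case: in a multi-domain AD forest a domain controller answers only for its own domain's naming context and returns referrals for the child domains, so a forest-wide search goes to the global catalog (port 3268, or 3269 over TLS) rather than to port 389.

```python
"""Search-then-bind for users spread across sub-contexts.

Added example; not code from either forum post. The LDAP client is
abstracted as two callables so the logic runs here against a constructed
in-memory directory; wrapping a real client (python-ldap, ldap3, JNDI) is
assumed and not shown.
"""
import re
from typing import Callable, Dict, List, Optional

# Subtree search below base_dn: (base_dn, filter) -> matching DNs
SearchFn = Callable[[str, str], List[str]]
# Simple bind: (dn, password) -> True on success
BindFn = Callable[[str, str], bool]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515).

    Without this a login name such as "*" or "x)(cn=admin" changes the
    meaning of the filter instead of being compared as a literal.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def build_user_filter(username: str, attr: str = "cn") -> str:
    """Filter selecting exactly one person entry by login attribute."""
    return f"(&(objectClass=person)({attr}={escape_filter_value(username)}))"


def authenticate(search: SearchFn, bind: BindFn, base_dn: str,
                 username: str, password: str) -> Optional[str]:
    """Find the user anywhere below base_dn, then bind as that DN.

    Returns the user's DN on success, None otherwise. The search step
    runs under a read-only service account (assumed), so the DN is never
    assembled from the raw username as cn=<username>,O=COMPANY.
    """
    if not password:
        # An empty password turns a simple bind into an unauthenticated
        # bind, which servers may "succeed"; never count that as a login.
        return None
    candidates = search(base_dn, build_user_filter(username))
    if len(candidates) != 1:
        return None  # unknown login name, or ambiguous across OUs
    user_dn = candidates[0]
    return user_dn if bind(user_dn, password) else None


# --- constructed in-memory directory shaped like the tree in the post ---
_FAKE_TREE: Dict[str, Dict[str, str]] = {
    "cn=user1,ou=division one,o=company":
        {"cn": "user1", "userPassword": "s3cret-1"},
    "cn=user2,ou=division two,o=company":
        {"cn": "user2", "userPassword": "s3cret-2"},
    "cn=svc,ou=services,o=other":
        {"cn": "svc", "userPassword": "svc-pw"},
}
_CN_CLAUSE = re.compile(r"\(cn=([^)]*)\)")


def _fake_search(base_dn: str, ldap_filter: str) -> List[str]:
    """Toy subtree search that treats an unescaped '*' as a wildcard and
    backslash-hex sequences as literals, i.e. as a real server would."""
    m = _CN_CLAUSE.search(ldap_filter)
    if not m:
        return []
    pattern = ".*".join(
        re.escape(re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda h: chr(int(h.group(1), 16)), part))
        for part in m.group(1).split("*"))
    cn_re = re.compile(f"^{pattern}$")
    suffix = "," + base_dn.lower()
    return [dn for dn, attrs in _FAKE_TREE.items()
            if dn.lower().endswith(suffix) and cn_re.match(attrs["cn"])]


def _fake_bind(dn: str, password: str) -> bool:
    entry = _FAKE_TREE.get(dn)
    return entry is not None and entry["userPassword"] == password


def demo() -> Dict[str, Optional[str]]:
    """Login attempts for the two users from the post plus a wildcard
    login name; returns the outcome of each for inspection."""
    base = "o=company"
    return {
        "user1": authenticate(_fake_search, _fake_bind, base, "user1", "s3cret-1"),
        "user2_wrong_pw": authenticate(_fake_search, _fake_bind, base, "user2", "nope"),
        "wildcard_name": authenticate(_fake_search, _fake_bind, base, "*", "s3cret-1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The toy search deliberately honours wildcards so the difference is visible: the raw filter `(cn=*)` under o=company returns both division users, while `build_user_filter("*")` yields `(cn=\2a)` and returns nothing. Requiring exactly one hit also catches the case where the same login name exists in two OUs, which the "have the server look in the sub contexts" approach would silently resolve to whichever entry came first.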
Replication with Domain and Sub domain in Active directory sites and services
I've seen many AD environments and know that when you have multiple DCs you use Active Directory Sites and Services to replicate using the NTDS Settings. If you have a domain and a sub domain, do you need to do this as well, or does it sync up automatically because it's a sub domain? I see a couple of domains where the NTDS settings aren't being used to sync with the child domain. Just wondering if that is normal or whether it will cause authentication errors?
Two way transitive trusts are configured automatically when you create a child domain or tree root domain. You don't have to worry about site/subnet or replication part at least from trust perspective. But make sure site's names are unique in each domain.
How Domain and Forest Trusts Work
http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc730868.aspx
http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights. -
Convert database IP link with the sub-domain name
Can someone help me to convert the database IP with the sub-domain name?
Kind regards,
Shar Kurtishi
Freelance Consultant
10000 Prishtina, KOSOVO
+377.44.210.456
Hi Shar,
You can use the Unix "nslookup" to get the domain from the IP or vice versa.
The aim is to get the info from the DNS server.
Regards,
Chandan -
How to make a route for sub domains with same IP but another Port
Hello ,
I have a Windows Server 2008 R2 Domain Controller. The IP address is 172.16.0.200 and the domain is (BTC.local). I have a software login page (localhost:6090); the port of the service is 6090, and if I want to access this page from another PC then I write (172.16.0.200:6090). My question is how I can change the IP address and the port to a sub domain like (IQ.BTC.local) so that I can access it from another PC by writing the sub domain.
> question is how i can change the IP address and the port to sub domain
> like ( IQ.BTC.local ) so that i can access from another PC by writing
> the sub domain .
Create CNAME records in your subdomain's DNS servers.
Greetings/Grüße,
Martin
How about reading a good book on GPOs?
Good or bad GPOs? - my blog…
And if IT bothers me -
coke bottle design refreshment (-: -
Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest
Hello everyone,
I'm managing a multi-domain forest (with 7 sub-domains). All are working fine except for one. Through repadmin (Repadmin /replsum /bysrc /bydest /sort:delta), I noticed that both domain controllers of a subdomain (there are only 2 DCs in that subdomain) hadn't replicated with the rest of the forest for more than 60 days.
According to my research, it's usually recommended to demote and repromote the problematic DC to avoid the issue of lingering objects. In this case, it's both DCs of a sub-domain. Of course, on the other DCs in the forest, I got the event ID 2012 "it has been too long since this machine last replicated with the named source machine....".
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
to a value of 1.
As I understand it, this may cause lingering objects to appear (they can be removed with the repadmin /removelingeringobjects command with the DSA GUID, naming context, etc.). So far, I haven't used that registry key because of the associated risks.
I haven't noticed any other issue so far. Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the other DCs in the forest (at least, I'm not getting any error in A.D. Sites and Services).
I added two new DCs for the affected sub-domain, so the number of DCs for that domain went from 2 to 4. The two old DCs that hadn't replicated for 60 days are Windows Server 2003 and the two new DCs are Server 2008 R2.
Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain. By that, I mean that I cannot add an Active Directory Domain Services Connection in the Sites & Services console (from a DC in another domain of the forest or even the root domain). I see all the DCs, including the two old DCs that are Server 2003, but not the new ones.
I believe it's because the other DCs don't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
I was wondering what the best course of action is. Is it worthwhile to use the registry key to force replication with the old DCs? (And hopefully the new DCs will get their AD Services connection/replication vector created, so I can demote the old DCs.)
Since the old DCs from the problematic sub-domain seem to be able to pull the replication from the rest of the forest, isn't the risk of lingering objects that great?
Or is it too risky, and must I create a new sub-domain and migrate the users one way or another? (Which would be time-consuming.)
Thanks in advance,
Adam
Thanks for the reply. One of the links had another link to a good article about the use of repadmin:
So, I ran the command "repadmin /removelingeringobjects" on one of the problematic DCs ().
For clarity's sake, let's say I used the domains:
domain = main domain
subdomain = the domain whose DCs are problematic (all of them).
AnotherSubDomain = just another subdomain I used as a "reference" DC to clean up the appropriate partition.
Command (the DSA GUID is from a "clean" DC in another domain):
repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
I got the following message in the event viewer :
Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
Source domain controller:
c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
Number of objects examined and verified:
0
Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
advisory mode option.
How should I interpret the message "number of objects examined and verified 0"? Does it mean it just didn't find any object to compare? (Which would be odd IMHO.) Or is there another problem?
Thanks in advance,
Adam -
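The thread above turns on one number: how long each partner has gone without replicating, compared with the forest's tombstone lifetime, because forcing replication with a partner beyond that limit is what brings lingering objects back. The Python below is an added example, not from the original thread. It parses the text of repadmin /replsum /bysrc /bydest /sort:delta (the command Adam ran) and lists the partners at or beyond the lifetime. The sample report is constructed in the shape of that output, the DSA names in it are made up, and the tombstone lifetime is a parameter because it is 60 days on forests created on older Windows versions and 180 days on newer ones.

```python
"""Flag replication partners whose "largest delta" is at or beyond the
tombstone lifetime, from the text of repadmin /replsum /bysrc /bydest
/sort:delta. Added example, not from the original thread. The sample
report below is constructed in the shape of that output; the tombstone
lifetime is a parameter because it is 60 days on older forests and
180 days on newer ones.
"""
import re
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional


@dataclass
class PartnerStatus:
    section: str                        # "Source DSA" or "Destination DSA"
    dsa: str
    largest_delta: Optional[timedelta]  # None if the delta could not be parsed
    fails: int
    total: int
    error: str


# Deltas look like "61d.05h:12m:09s", "14m:21s" or "09s"; very old
# partners are printed as ">60 days".
_DELTA_RE = re.compile(r"^(?:(\d+)d\.)?(?:(\d+)h:)?(?:(\d+)m:)?(\d+)s$")
_DAYS_RE = re.compile(r"^>(\d+) days$")
_ROW_RE = re.compile(
    r"^\s*(\S+)\s+(>\d+ days|\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$")


def parse_delta(text: str) -> Optional[timedelta]:
    m = _DAYS_RE.match(text)
    if m:
        return timedelta(days=int(m.group(1)))
    m = _DELTA_RE.match(text)
    if m:
        d, h, mi, s = (int(x or 0) for x in m.groups())
        return timedelta(days=d, hours=h, minutes=mi, seconds=s)
    return None


def parse_replsum(report: str) -> List[PartnerStatus]:
    """Turn the source and destination tables into PartnerStatus rows."""
    rows: List[PartnerStatus] = []
    section = ""
    for line in report.splitlines():
        if line.startswith(("Source DSA", "Destination DSA")):
            section = "Source DSA" if line.startswith("Source") else "Destination DSA"
            continue
        m = _ROW_RE.match(line)
        if not section or not m:
            continue  # banner, blank or progress-dots line
        dsa, delta, fails, total, _pct, error = m.groups()
        rows.append(PartnerStatus(section, dsa, parse_delta(delta),
                                  int(fails), int(total), error.strip()))
    return rows


def stale_partners(rows: List[PartnerStatus],
                   tombstone_lifetime_days: int = 60) -> List[PartnerStatus]:
    """Partners that have not replicated for at least the tombstone
    lifetime: objects deleted elsewhere in that window are already gone
    from the other DCs' tombstones, so anything these partners still hold
    would return as lingering objects if replication is forced."""
    limit = timedelta(days=tombstone_lifetime_days)
    return [r for r in rows
            if r.largest_delta is not None and r.largest_delta >= limit]


def stale_dsa_names(report: str, tombstone_lifetime_days: int = 60) -> List[str]:
    """Sorted, de-duplicated names of stale partners in a report."""
    return sorted({r.dsa for r in
                   stale_partners(parse_replsum(report), tombstone_lifetime_days)})


# Constructed sample in the shape of repadmin /replsum output (not real data).
SAMPLE_REPLSUM = """\
Replication Summary Start Time: 2014-03-10 09:15:02

Beginning data collection for replication summary, this may take awhile:
  ....

Source DSA          largest delta    fails/total %%   error
 ROOTDC01                 14m:21s    0 /   6    0
 ADREC01          61d.05h:12m:09s    6 /   6  100  (8614) The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
 ADREC02                 >60 days    6 /   6  100  (8614) The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

Destination DSA     largest delta    fails/total %%   error
 ROOTDC01                 14m:21s    0 /   6    0
 CHILDDC01                22m:03s    0 /   4    0
"""

if __name__ == "__main__":
    for status in parse_replsum(SAMPLE_REPLSUM):
        print(status)
    print("stale:", stale_dsa_names(SAMPLE_REPLSUM))
```

Run it against the real report with `repadmin /replsum /bysrc /bydest /sort:delta > replsum.txt` and feed the file in; the list it prints is the set of DCs to clean with /removelingeringobjects (advisory mode first, as Adam did) before any thought of the registry override, and a run with `tombstone_lifetime_days=180` shows how much the verdict depends on knowing which lifetime the forest actually uses.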
How to redirect a sub domain to a specific page in Sharepoint Online
Hi,
My organisation has an O365 account and hosted the public website on it. Now a user requests a friendly URL for a specific page on the public website. I've added a sub domain on O365, but I can't find a way to redirect this domain to the page. How can I do so?
Hi,
If you need to redirect the sub domain to a specific page in SharePoint Online, you need to rename the Public Website with the sub domain.
Then configure the friendly URL for the page in the Public Website.
http://office.microsoft.com/en-001/office365-sharepoint-online-enterprise-help/upgrade-your-public-website-HA102801184.aspx?CTT=5&origin=HA102828142#_Step_5_%E2%80%93
Or you can use the managed metadata navigation for the Public Web site and configure the friendly URL for the page.
http://jeffkelly.com/2014/05/office-365-public-website-what-no-managed-metadata-mms-navigation/
In the meanwhile, you can post your question to the forum for Office 365: http://community.office365.com/en-us/f/default.aspx.
More experts will assist you, and you will get more information related to SharePoint Online.
Best regards.
Thanks
Victoria Xia
TechNet Community Support -
Solution to using Site Root with Sub-folders on Testing Server & Browser Previews
Hi Everyone
Have found an elegant solution when using Site Root relative linking for a website, that allows browser previews, even when the testing server uses sub-folders and the live code references just the server site root " / " of the live server and not the sub-folder structure of the testing server. This is really useful when you don't want to use document relative linking, which normally takes care of this problem in Dreamweaver.
The solution is to use sub-domains referencing the sub-folders on the testing server, so the sub-folders appear as the root of each website and the html code pointing to the site root works correctly on both testing & live servers without alteration.
Testing Server Setup
One testing server domain is used for all client development work:
For example: www.testingserver.com
On the testing server there are multiple sub-folder (one for each client website being developed):
For example: www.testingserver.com/clientA/ , www.testingserver.com/clientB/ , www.testingserver.com/clientC/
Live Server Setup
The site code needs to be developed with the final live server folder structure (url references) in mind:
For example: www.livesite.com (with all pages referencing the root of the live site server)
Page URLs on Testing & Live Servers
/page-name.html
Testing server url: www.testingserver.com/clientA/page-name.html
Live server url: www.livesite.com/page-name.html (without /clientA/ sub-folder)
Browser Previews Don't Work
You want to be able to run browser previews on the testing server while developing the website. To do this you normally have to reference the sub-folder structure of the testing server in the url for things to work right:
For example www.testingserver.com/clientA/page-name.html
What do you do, when you can't keep switching all the urls in the code from pointing to the sub-folder to pointing to the site root, and you don't want to use document relative linking?
One Solution - Sub-domains on Testing Server
In your domain hosting (outside of Dreamweaver) setup a sub-domain to point to the testing server sub-folder.
For example: Sub-domain clientA.testingserver.com points to www.testingserver.com/clientA (sub-folder)
So now when you reference the sub-domain it sees the sub-folder as the site root and all your problems are solved.
Dreamweaver Site Definition Setup
Site Definition under "Local Info"
Links relative to: Site Root
Site Definition under "Remote Info" (live server)
Access: FTP
FTP host: ftp.livesite.com
Host directory: /
Site Definition under "Testing Server"
Access: FTP
FTP host: clientA.testingserver.com
Host directory: /
URL prefix: http://clientA.testingserver.com
(location of the site's root folder on the testing server, the sub-domain redirection takes care of pointing to the sub-folder)
This is just one solution but it works well for me as it doesn't have any cost associated with it under our hosting package where you can have multiple sub-domains setup.
Hope this helps someone in a similar situation.
Aly
Just Google it, or run out and buy a copy of David Powers' Foundations Dreamweaver CS4 with CSS, Ajax and PHP, a book that is never out of reach for me. He details the process explicitly for both Mac and PC.
For me, on W7, I edit the C:/Windows/System32/drivers/etc/hosts file, and add the ip of my testing server along with the site alias -
192.168.1.82 site.local
Then I add this same designation to my httpd.conf file in Apache on the testing server. Finally I restart Apache.
Now from my production machine if I browse to "http://site.local", I get to see either the default file in the root of the site on the testing server, or a directory of the site on the testing server (my testing server is a unix box running on my LAN at that ip address). Furthermore, all of my root relative links now work as they would if the pages were being browsed from the live server. -
LDAP Synchronisation with CUCM with multiple forest
Hello,
We have CUCM 10.5.
We want to add multiple forests in CUCM (we have multiple companies with different domain names) using LDAP authentication so all the users/passwords sync with CUCM.
We have as distinguished name CN=xxxx,CN=Users,DC=xxx,DC=local and for search base CN=xxxx,CN=Users,DC=xxx,DC=local.
Can we add to the distinguished name and search base the information for multiple forests using the same username/password?
If it is not possible, is there an easy way to achieve that?
Any help would be appreciated.
Thank you
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/directry.html#pgfId-1133454
-
What is the best practice way of stopping a sub-domain from being indexed?
Hi there
I notice that a client site is being indexed as both xxx.com.au [their primary domain] as well as xxx.PARTNERDOMAIN.com.au.
I have Googled quite a bit on the subject and have browsed the forums, but can't seem to find any specific best practice approach to only having the primary domain indexed.
One method that seems to be the most recommended is having a second robots.txt site for the sub-domain xxx.PARTNERDOMAIN.com.au with Disallow: /
Does anyone have a definitive recommendation?
Many thanks
Gavin
Sorry, I assumed they were two different sites; they are the same "content", just two different URLs?
Canonical links will help but they won't stop or remove you being indexed; they only add higher index weight to the canonical linked URL. Plus only search engines that support that meta tag will work.
You essentially need two robots.txt to do this effectively or add the META TAG if you can split the sites somehow.
There is a more complex way, you could host the second domain somewhere else, use htaccess or similar to do a reverse proxy to the main site to pull the contents in realtime, all except the robots.txt file. This way you could have two sites with only 1 to update but still have two robots.txt's
http://en.wikipedia.org/wiki/Reverse_proxy
I've done this for a few sites, you are essentially adding a middle man, it will be a tad slower depending on how far the two servers are apart, but it is like having a cname domain but with total control. -
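The two answers above boil down to serving a different robots.txt depending on which hostname the request arrived on, which is exactly what a reverse proxy in front of one code base has to do. The following Python is an added example, not code from the thread: a small WSGI application using only the standard library that hands out a permissive robots.txt on the primary host and `Disallow: /` on every other host, and additionally sets the X-Robots-Tag response header on the non-primary host so crawlers drop pages they already fetched there (robots.txt alone only stops future crawling). The hostnames are the thread's placeholders, and treating xxx.com.au as the only indexable host is this example's assumption.

```python
"""Per-host robots.txt so only the primary hostname is indexed.

Added example, not from the original thread; a small WSGI app using only
the standard library. The hostnames are the placeholders from the thread,
and the primary/partner split is an assumption of this example.
"""
from typing import Dict, List, Tuple

PRIMARY_HOST = "xxx.com.au"   # the only host that should be indexed


def normalize_host(raw: str) -> str:
    """Lower-case, drop the port and any trailing dot. The Host header is
    client-supplied, so compare only the normalized form."""
    host = raw.strip().lower()
    if host.startswith("["):                  # bracketed IPv6 literal
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def robots_txt_for(host: str) -> str:
    """Allow everything on the primary host, block everything elsewhere."""
    if host == PRIMARY_HOST:
        return "User-agent: *\nDisallow:\n"
    return "User-agent: *\nDisallow: /\n"


def index_headers_for(host: str) -> List[Tuple[str, str]]:
    """robots.txt only stops crawling; X-Robots-Tag additionally tells a
    crawler not to index a page it has already fetched on the other host."""
    if host == PRIMARY_HOST:
        return []
    return [("X-Robots-Tag", "noindex, nofollow")]


def app(environ, start_response):
    """WSGI entry point: robots.txt is generated per host, every other
    path is served by the (stand-in) site content below."""
    host = normalize_host(environ.get("HTTP_HOST") or environ.get("SERVER_NAME", ""))
    path = environ.get("PATH_INFO", "/")
    if path == "/robots.txt":
        body = robots_txt_for(host).encode("utf-8")
        content_type = "text/plain; charset=utf-8"
    else:
        body = b"<html><body>site content</body></html>"  # stand-in for the real site
        content_type = "text/html; charset=utf-8"
    headers = [("Content-Type", content_type), ("Content-Length", str(len(body)))]
    start_response("200 OK", headers + index_headers_for(host))
    return [body]


def call(host: str, path: str) -> Tuple[str, Dict[str, str], bytes]:
    """Drive the app in-process with a minimal WSGI environ (no network)."""
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": "GET", "HTTP_HOST": host, "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Because the decision is made on the normalized Host header, the same process answers correctly for `XXX.PartnerDomain.com.au:443`, `xxx.partnerdomain.com.au.` and the primary name; a reverse proxy that rewrites Host to the back-end's own name would defeat this, so it must pass the original Host (or an X-Forwarded-Host the app is configured to trust) through.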
I cannot access the sharefolder in W2008R2 in sub-domain.
We cannot access the network share folder in the W2008R2 DC of the sub-domain.
Our scenario is as follows:
The main-domain(AAA.com) has two DCs (W2008R2+W2003R2).
The sub-domain(BBB.AAA.com) has two DCs(W2008R2+W2003R2).
There is trust relation between AAA.com and BBB.AAA.com.
There are network sharefolders in both W2008R2 and W2003R2 of domain BBB.AAA.com.
Those sharefolders gave access rights to the users in domain AAA.com.
The domain users in AAA.com can access W2003R2 of BBB.AAA.com but cannot access W2008R2 with the error message “no access right”.
The domain users in BBB.AAA.com can access both DCs in BBB.AAA.com.
Presumably there is something wrong with W2008R2 of BBB.AAA.com.
Please guide to manage this issue.
Thanks a lot in advance!
Thanks for your reply.
*Access rights*
I have made the screen copy.
How can I post it?
I am not allowed to use our Webserver.
I try to describe the screens.
Sharing:
Administrator
Read/Write
Administrator
Read/Write
Administrators
Owner
Group A
Read/Write
Group B
Read/Write.
Security:
Group B (AAA\GroupB)
FullControl
Group A (AAA\GroupA)
FullControl
Administrator
FullControl
Administrator
FullControl
Administrators (BBB\Administrators)
FullControl.
Two administrators are on the list.
One is Administrator of domain AAA.com
The other one is administrator of domain BBB.AAA.com
*Search suffix*
DCs and the member server have the search suffix AAA.com.
Thanks for your help in advance.
Best regards -
Content Management in Sub-Domain vs Primary Domain
I have created a sub-domain (abc.ourURL.com) for one of our
sites (www.ourURL.com). If I make any changes to the primary site,
it is carried through to the sub-domain, and vice versa. Is there a way to stop this from happening and put a "wall" between the changes made on one versus the other? If not, we are going to be forced to move to Joomla.
Have you created a separate connection to both URLs?
Normally it's possible to create separate connections on one
domain in Contribute, but I only have experience with situations
like this:
site (connection) 1: www.domain.com/
site (connection) 2: www.domain.com/site2/
site (connection) 3: www.domain.com/site3/
In all situations the ftp information only differs in the url
you connect to. The contact info (ftp) is the same at all sites.
I think you should try to set up something like this (or did
you already try that?):
site (connection) 1:
http://www.ourURL.com/
site (connection) 2:
http://abc.ourURL.com/ -
Map Sub-Domain to specific port
Hi,
I installed Tomcat 5 separately from the built-in one, listening at port 8080.
What I would like to do now is have a sub-domain, that points to this port.
sub.mydomain.com -> www.myotherdomain.com:8080
Is this possible with the Admin Tool, and how?
Thanks for any help
Aldo
Mac OS X Server (10.4.9)
I tried again with these two lines and it worked.
Here the rewrite_log:
83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (2) init rewrite engine with requested uri /
83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (3) applying pattern '.*' to uri '/'
83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (4) RewriteCond: input='GET' pattern='^TRACE' => not-matched
83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (3) applying pattern '^/(.*)$' to uri '/'
83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (4) RewriteCond: input='sub.mydomain.com' pattern='sub.mydomain.com' => matched
83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (2) rewrite / -> http://localhost:8080/
83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (2) forcing proxy-throughput with http://localhost:8080/
83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (1) go-ahead with proxy request proxy:http://localhost:8080/ [OK]
Hope it helps.
Mac OS X (10.4.9) -
LDAP setup with SSL - Can't use tls auth type
I'm trying to configure Solaris 10 to use ldap against my OpenLDAP server with SSL but whenever I try to set the authentication as tls:simple, it gives me an error :
# ldapclient mod -a authenticationMethod=tls:simple
Cannot specify LDAP port with tls
# ldapclient mod -a authenticationMethod=tls
Unable to set value: invalid authenticationMethod (tls)
Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
NS_LDAP_SERVERS= 10.10.1.14:636
NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SERVER_PREF= 10.10.1.14:636
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
Thanks,
Jay
When using TLS you have to specify the FQDN for the LDAP server and the port is ALWAYS 636.
Also, you need to set up your client to use the FQDN as well (/etc/hosts).