Quorum information and Witness directory contains
Can anyone tell me where the quorum information will be stored in a two-node DAG?
Also, what information does the file share witness directory contain in a two-node DAG cluster?
Thanks
The quorum information will be stored where you define it. Standard practice for a two-node DAG is to put the file share witness on a CAS. If you combine the CAS and Mailbox roles then you'll have to come up with another server. A file and print server is a good alternative for that.
There is no real information stored on the FSW. It's just a stamp that lets cluster nodes know where the tie-breaking vote is.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
Similar Messages
We are in the process of removing a child domain from the forest and are down to two DCs. These are both Server 2008 R2 SP1 servers, one physical and one virtual (PDC). When I try to remove a DC (not the PDC emulator) I get the following error:
The operation failed because:
Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=mydomain,DC=local to
Active Directory Domain Controller \\V-Svr03.mydomain.local.
The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."
I have checked replication with repadmin /showrepl and all connections were successful. The dcdiag /test:kccEvent test on all servers passed.
Most DCdiag tests are successful. The only failure is on NCSecDesc when running dcdiag /test:NCSecDesc
Testing server: Default-First-Site\DC1-DEV-OFC
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=hookemup,DC=local
......................... DC1-DEV-OFC failed test NCSecDesc
In researching this I find "If you do not plan to add an RODC to the forest, you can disregard this error."
We have not successfully run ADprep /rodcPrep nor do we plan on having any Read-Only DCs, so I think we can ignore this error. We did try running ADprep /rodcPrep but got an LDAP error which I can duplicate if this is important.
Schema and Naming FSMOs are on a DC higher in the forest. RID, PDC, and Infrastructure FSMOs for the child domain are on the Virtual server (PDC).
Any guidance on where to go from here would be greatly appreciated as I have no more hair on my head to pull.
Ok... I ran repadmin /showreps /v again and it shows no errors
C:\>repadmin /showreps /v
Default-First-Site\DC1-DEV-OFC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: b294c59f-8b46-4133-89c5-0f30bfd49607
DSA invocationID: 1054285d-cffe-42b4-8074-e2d44adbb151
==== INBOUND NEIGHBORS ======================================
CN=Configuration,DC=mydomain,DC=local
Default-First-Site\HESTIA via RPC
DSA object GUID: b464fde9-29d7-4490-9582-fe9270050d50
Address: b464fde9-29d7-4490-9582-fe9270050d50._msdcs.mydomain.local
DSA invocationID: afea3845-9fa8-40a6-a477-84348a206348
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 16381490/OU, 16381490/PU
Last attempt @ 2012-10-29 13:52:39 was successful.
Default-First-Site\V-SVR03 via RPC
DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 114817/OU, 114817/PU
Last attempt @ 2012-10-29 13:52:39 was successful.
Default-First-Site\V-SVR01 via RPC
DSA object GUID: e2f794eb-9658-4bad-b695-3d8c08f46371
Address: e2f794eb-9658-4bad-b695-3d8c08f46371._msdcs.mydomain.local
DSA invocationID: 07bb0fe9-bca9-46d1-92ce-308d36da478d
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 66047/OU, 66047/PU
Last attempt @ 2012-10-29 13:52:39 was successful.
Default-First-Site\ATHENA via RPC
DSA object GUID: cb00a5b0-6dea-473c-bb42-19356dd9ed36
Address: cb00a5b0-6dea-473c-bb42-19356dd9ed36._msdcs.mydomain.local
DSA invocationID: 57313a9c-46a2-4b94-87cc-b3f91d54faed
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 8098197/OU, 8098197/PU
Last attempt @ 2012-10-29 13:52:39 was successful.
CN=Schema,CN=Configuration,DC=mydomain,DC=local
Default-First-Site\ATHENA via RPC
DSA object GUID: cb00a5b0-6dea-473c-bb42-19356dd9ed36
Address: cb00a5b0-6dea-473c-bb42-19356dd9ed36._msdcs.mydomain.local
DSA invocationID: 57313a9c-46a2-4b94-87cc-b3f91d54faed
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 8097482/OU, 8097482/PU
Last attempt @ 2012-10-29 13:52:39 was successful.
Default-First-Site\V-SVR01 via RPC
DSA object GUID: e2f794eb-9658-4bad-b695-3d8c08f46371
Address: e2f794eb-9658-4bad-b695-3d8c08f46371._msdcs.mydomain.local
DSA invocationID: 07bb0fe9-bca9-46d1-92ce-308d36da478d
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 65239/OU, 65239/PU
Last attempt @ 2012-10-29 13:52:39 was successful.
Default-First-Site\V-SVR03 via RPC
DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 114149/OU, 114149/PU
Last attempt @ 2012-10-29 13:52:39 was successful.
Default-First-Site\HESTIA via RPC
DSA object GUID: b464fde9-29d7-4490-9582-fe9270050d50
Address: b464fde9-29d7-4490-9582-fe9270050d50._msdcs.mydomain.local
DSA invocationID: afea3845-9fa8-40a6-a477-84348a206348
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 16381373/OU, 16381373/PU
Last attempt @ 2012-10-29 13:52:39 was successful.
DC=ForestDnsZones,DC=mydomain,DC=local
Default-First-Site\V-SVR01 via RPC
DSA object GUID: e2f794eb-9658-4bad-b695-3d8c08f46371
Address: e2f794eb-9658-4bad-b695-3d8c08f46371._msdcs.mydomain.local
DSA invocationID: 07bb0fe9-bca9-46d1-92ce-308d36da478d
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 66295/OU, 66295/PU
Last attempt @ 2012-10-29 13:57:48 was successful.
Default-First-Site\ATHENA via RPC
DSA object GUID: cb00a5b0-6dea-473c-bb42-19356dd9ed36
Address: cb00a5b0-6dea-473c-bb42-19356dd9ed36._msdcs.mydomain.local
DSA invocationID: 57313a9c-46a2-4b94-87cc-b3f91d54faed
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 8098367/OU, 8098367/PU
Last attempt @ 2012-10-29 13:58:13 was successful.
Default-First-Site\V-SVR03 via RPC
DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 115032/OU, 115032/PU
Last attempt @ 2012-10-29 13:58:25 was successful.
Default-First-Site\HESTIA via RPC
DSA object GUID: b464fde9-29d7-4490-9582-fe9270050d50
Address: b464fde9-29d7-4490-9582-fe9270050d50._msdcs.mydomain.local
DSA invocationID: afea3845-9fa8-40a6-a477-84348a206348
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 16381653/OU, 16381653/PU
Last attempt @ 2012-10-29 13:58:34 was successful.
DC=mySUBdomain,DC=local
Default-First-Site\V-SVR03 via RPC
DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 114871/OU, 114871/PU
Last attempt @ 2012-10-29 13:54:02 was successful.
DC=DomainDnsZones,DC=mySUBdomain,DC=local
Default-First-Site\V-SVR03 via RPC
DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 114017/OU, 114017/PU
Last attempt @ 2012-10-29 13:52:39 was successful.
DC=mydomain,DC=local
Default-First-Site\V-SVR03 via RPC
DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
USNs: 114017/OU, 114017/PU
Last attempt @ 2012-10-29 13:52:39 was successful.
Default-First-Site\HESTIA via RPC
DSA object GUID: b464fde9-29d7-4490-9582-fe9270050d50
Address: b464fde9-29d7-4490-9582-fe9270050d50._msdcs.mydomain.local
DSA invocationID: afea3845-9fa8-40a6-a477-84348a206348
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
USNs: 16381614/OU, 16381614/PU
Last attempt @ 2012-10-29 13:56:52 was successful.
Default-First-Site\V-SVR01 via RPC
DSA object GUID: e2f794eb-9658-4bad-b695-3d8c08f46371
Address: e2f794eb-9658-4bad-b695-3d8c08f46371._msdcs.mydomain.local
DSA invocationID: 07bb0fe9-bca9-46d1-92ce-308d36da478d
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
USNs: 66325/OU, 66325/PU
Last attempt @ 2012-10-29 13:58:34 was successful.
Default-First-Site\ATHENA via RPC
DSA object GUID: cb00a5b0-6dea-473c-bb42-19356dd9ed36
Address: cb00a5b0-6dea-473c-bb42-19356dd9ed36._msdcs.mydomain.local
DSA invocationID: 57313a9c-46a2-4b94-87cc-b3f91d54faed
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
USNs: 8098385/OU, 8098385/PU
Last attempt @ 2012-10-29 13:58:38 was successful.
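A small check over `repadmin /showreps /v` output of the shape listed above, as an added example that is not part of the original post: it prints one line per inbound neighbour and flags links whose last attempt did not succeed, which is what you want to confirm before demoting a DC. The sample output is constructed (placeholder names and GUIDs) and includes one failed link; the read-only entries mirror the parent-domain partition above, which a global catalog (DSA Options: IS_GC) replicates as a partial read-only replica, so a missing WRITEABLE flag there is expected rather than an error.

```shell
#!/bin/sh
# Summarise "repadmin /showreps /v" output: one line per inbound neighbour
# in the form "STATUS <naming-context> <neighbour> writable|read-only".
# STATUS is OK when the last attempt was successful, otherwise FAIL.

# Hypothetical sample output, constructed for this example (placeholder GUIDs).
SAMPLE_SHOWREPS='Default-First-Site\DC1-DEV-OFC
DSA Options: IS_GC
==== INBOUND NEIGHBORS ======================================
DC=DomainDnsZones,DC=child,DC=example
    Default-First-Site\V-SVR03 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
        USNs: 114017/OU, 114017/PU
        Last attempt @ 2012-10-29 13:52:39 was successful.
DC=parent,DC=example
    Default-First-Site\V-SVR03 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
        USNs: 114017/OU, 114017/PU
        Last attempt @ 2012-10-29 13:52:39 was successful.
    Default-First-Site\HESTIA via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
        USNs: 16381614/OU, 16381614/PU
        Last attempt @ 2012-10-29 13:56:52 failed, result 1722 (0x6ba):
            The RPC server is unavailable.'

# Read repadmin output on stdin and print the summary lines.
repl_summary() {
  awk '
    /^(DC|CN)=/       { nc = $0; next }              # naming-context header
    / via RPC/        { nb = $1; flags = ""; next }  # "Site\DC via RPC"
    /SYNC_ON_STARTUP/ { flags = $0; next }           # replica option flags
    /Last attempt @/ {
      status = ($0 ~ /was successful/) ? "OK" : "FAIL"
      mode   = (flags ~ /WRITEABLE/) ? "writable" : "read-only"
      printf "%s %s %s %s\n", status, nc, nb, mode
    }
  '
}

# Number of FAIL lines in a summary read from stdin (prints 0, never nothing).
count_failures() {
  grep -c '^FAIL' || true
}

# Stand-alone run: summarise the sample and report the failure count.
printf '%s\n' "$SAMPLE_SHOWREPS" | repl_summary
printf 'failed links: %s\n' "$(printf '%s\n' "$SAMPLE_SHOWREPS" | repl_summary | count_failures)"
```

Pipe the real listing in with `repadmin /showreps /v | ...` after copying it to a machine with awk, or run it in any POSIX shell on the saved output.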
DNS and Active Directory error 4000 server 2008
Hello all,
My network skills aren't very good and I'm facing a dilemma. First off we have two Windows servers on the network. The newest is 2008 Standard (named Vader) and the other is 2000 (dells3). Obviously I'd like to get rid of the 2000, but the people in charge of my budget haven't given me the option to do so and it's the only backup we have.
Earlier in the week we had lots of problems. One of our NAS boxes locked everyone out who was mapped to it and it would only let me log in through the web portal. Two of the Macs our marketing department uses suddenly locked up and wouldn't let them back in (both were part of the Active Directory). A second NAS box won't let certain people map to it and for a while I had issues logging into Vader itself.
I believe all of these problems are connected to some issues on Vader and possibly in conjunction with dells3. In Server Manager under DNS I get error 4000 "The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code."
Then under Active Directory Domain Services I get error 2042 "It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source."
Followed by more text I can post if needed.
Under File Services error 1202 "The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues."
And finally if I try to open Active Directory Domains and Trusts "The configuration information describing this enterprise is not available. The server is not operational."
I'm not sure where to start or what to post that might help. Any and all help is appreciated.
Edit: Also, I can only add dells3 as the DNS on Vader in the DNS Manager; if I try to add Vader to itself I get an error.
It's the other way around. Overall, I'm advising ripping the 2008 server out of AD and adding it back. Let's look at this as a series of steps:
1.) You do a force demote of the 2008 server because it's tombstoned. This means the 2008 server is no longer a DC. You are doing a force because it doesn't have the ability to replicate. If it could replicate, we'd just do a graceful demotion and be done with it.
2.) Once the 2008 server is demoted, we go to the 2000 server which holds the only good copy of AD. From that server we run a metadata cleanup using the ntdsutil utility. We use that utility to clean out references to the 2008 server which is no longer a DC.
3.) Once you have a clean AD, you can then promote the 2008 server back into Active Directory. Make sure Vader is pointing to Dells3 as its primary DNS server before promoting or you'll run into issues.
Hopefully that clarifies things.
Directory Binding Script (Active and Open Directory) 10.7
Hi everyone
I'm reposting this in the right thread. I've written a Directory Binding Script for 10.6 and ported it now to 10.7, as among the things that have changed in the upgraded version is a refurbished directory binding environment.
The original thread can be found here: https://discussions.apple.com/thread/3090068. The script is applicable for clients as well and simplifies the binding process considerably.
Be aware that the reformatted script here contains some faulty line breaks. So you'll have to correct them in a proper text editor.
#!/bin/sh
#Uncomment the following line to abort the script on errors
#trap exit ERR
## Script to automate OD and AD Binding of Mac OS X 10.7 Servers
## Script written by Marc Horat, URZ Basel, 11.6.2010
## Updated: 12.08.2011
# With the use of the following sources as inspiration:
# http://www.howtomac.co.uk/?p=247
#Created by Ross Hamilton
#Clock restart / Remove existing settings
#Join to Open Directory and Active Directory
# Bombich's AD-Bind Script:
# This script binds to AD and configures advanced options of the AD plugin
# As this scripts contains a password, be sure to take appropriate security
# precautions
# A good way to run this script is to set it as a login hook on your master machine
# Because it only needs to be run once, the last thing this script does is to delete
# itself. If you have another login script that you typically run, include the
# script on your master machine, and indicate its path in the "newLoginScript"
# variable.
# If running this as a one-time login hook to bind to AD after imaging,
# be sure to enable auto-login (for any local user) before creating your master image
#################CONFIGURATION##########################
#OD
# These variables need to be configured for your env
odAdmin="YOURODADMIN" #enter your OD admin name between the quotes
odPassword="YOURODPW" # Enter your OD admin password between the quotes
oddomain="YOURODDOMAIN" # FQDN of your OD domain
computerGroup="YOURNEWODCOMPGROUP" # Add appropriate computer group you want machines to be added to, case sensitive
oldComputerGroup="YOUROLDODCOMPGROUP" # If the Computer is in a Group already
#AD
# Standard parameters
domain="YOURADDOMAIN" # fully qualified DNS name of Active Directory Domain
domainname="YOURADDOMAINNAME" #Name of the Domain as specified in the search paths
udn="YOURADADMIN" # username of a privileged network user
password="YOURADPW" # password of a privileged network user
ou="OU=YOUR,OU=OU,OU=URZ,OU=IN,DC=YOUR,DC=AD,DC=DOMAIN" # Distinguished name of container for the computer E.G. OU=Macs,OU=Computers,DC=AD,DC=DOMAIN,DC=CH
# Advanced options AD Plugin
alldomains="disable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="disable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp', 'smb' or 'nfs' (since 10.7) change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="enable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-preferred $domain" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="$domainname\YOURADADMINGROUP" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\macadmins")
packetsign="allow" # allow | disable | require
packetencrypt="allow" # allow | disable | require
passinterval="14" # number of days
namespace="domain" # forest | domain
# Login hook setting -- specify the path to a login hook that you want to run instead of this script
newLoginHook="" # e.g., "/Library/Management/login.sh"
################################# End of configuration
############ Begin of Script
# Host-specific parameters
# computerid should be set dynamically, this value must be machine-specific
# This value may be restricted to 19 characters! The only error you'll receive upon entering
# an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
#computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
#computerid=`hostname | sed 's/.unibas.ch//'`
#computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
#computerid=`/usr/sbin/scutil --get LocalHostName`
computerid=`scutil --get ComputerName`
adcomputerid=`echo "$computerid" | tr [:lower:] [:upper:]`
# These variables probably don't need to be changed
# Determing if any directory binding exists
nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODtmp=`dscl localhost -list /LDAPv3 | grep -n 1 | sed 's/1://' | sed 's/2://'`
check4OD=${check4ODtmp//[[:space:]]/}
echo "Found LDAP: "$check4ODtmp
check4ODaccttmp=`dscl /LDAPv3/"$check4OD" -read Computers/"$computerid" RealName | cut -c 11-`
check4ODacct=${check4ODaccttmp//[[:space:]]/}
echo "Found LDAP-Computer-Account: "$check4ODacct
else
check4OD=""
check4ODacct=""
echo "No bound LDAP Server found"
fi
if [ "$oldComputerGroup" != "" ] && dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODgroupMembershiptmp=`dscl /LDAPv3/"$check4OD" -read ComputerGroups/"$oldComputerGroup" | grep "$computerid"`
check4ODgroupMembership=$check4ODgroupMembershiptmp
echo "LDAP Group Membership in Group: "$oldComputerGroup
else
check4ODgroupMembership=""
echo "No LDAP Group Membership defined or not bound to a server"
fi
if dscl localhost -list "/Active Directory" | grep $domainname > /dev/null
then
check4ADtmp=`dsconfigad -show | grep "Active Directory Domain" | sed 's/Active Directory Domain//' | sed 's/=//'`
check4AD=${check4ADtmp//[[:space:]]/}
echo "Found AD: "$check4AD
check4ADaccttmp=`dsconfigad -show | grep "Computer Account" | sed 's/Computer Account//' | sed 's/=//'`
check4ADacct=${check4ADaccttmp//[[:space:]]/}
echo "Found AD-Account: "$check4ADacct
else
check4AD=""
check4ADacct=""
echo "No AD-Account found"
fi
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
#Time Sync
#Restart ntpdate
# Note: StartService is only defined here and never called. It copies the old
# NetworkTime startup item and relies on GetPID and CheckForNetwork from
# /etc/rc.common, which this script does not source.
StartService ()
if [ "${TIMESYNC:=-YES-}" = "-YES-" ] && ! GetPID ntpd > /dev/null; then
CheckForNetwork
if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
touch /var/run/NetworkTime.StartupItem
echo "Starting network time synchronization"
# Synchronize our clock to the network’s time,
# then fire off ntpd to keep the clock in sync.
ntpdate -bvs
ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
fi
echo ""
echo ""
sleep 5
#### Removing any existing directory bindings
#Clear OD Computer Account and delete entry from Computer group
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "This computer is bound to the following Open Directory Services:"
dscl localhost -list /LDAPv3
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
sleep 5
if [ "${check4ODacct}" == "${computerid}" ]
then
echo "This machine already has a computer account on $oddomain."
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
echo "Found GUID: "$GUID
if [ "$oldComputerGroup" != "" ] && [ "$check4ODgroupMembership" != "" ]
then
echo "Removing entry from group $oldComputerGroup"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembership "${computerid}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembers "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerLists/"$oldComputerGroup" Computers "${computerid}"
fi
echo "Removing Computer entry $computerid in OD"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /Computers/"${computerid}"
fi
#List existing Directories
echo "Removing OD-Binding to "$check4OD
dsconfigldap -r "$check4OD"
echo "Removing Search Path entries"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
sleep 5
else
echo "No LDAP or OD Binding present.";
fi
echo ""
# Check a second time in order to delete any remaining LDAP-Bindings
echo "Scanning for further LDAP servers"
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "Found:"
dscl localhost -list /LDAPv3
echo "Removing OD-Binding to "$check4ODtmp
dsconfigldap -r "$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
sleep 5
else
echo "No further LDAP or OD Binding present."
fi
echo ""
echo ""
#Remove the Active Directory binding
if [ "$check4AD" != "" ]
then
echo "This computer is bound to the following Active Directory Services:"
dscl localhost -list "/Active Directory"
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
sleep 5
echo "Removing any existing AD-Binding to "$check4AD
dsconfigad -f -remove -username "$udn" -password "$password"
echo "Removing Search Path entries"
if [ "$preferred" != "-nopreferred" ]
then
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname"
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname"
fi
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
#remove search path entries from 10.6
if dscl /Search -read / CSPSearchPath | grep /Active > /dev/null
then
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
fi
sleep 5
else
echo "No Active Directory Binding present."
fi
echo ""
#Remove Existing Directory Services Config
echo "Removing existing DS Config"
if [ -d "/Library/Preferences/edu.mit.Kerberos" ]
then
rm -R /Library/Preferences/edu.mit.Kerberos
fi
# The keytab is a file, not a directory
if [ -f "/etc/krb5.keytab" ]
then
rm -f /etc/krb5.keytab
fi
# Clean up the DirectoryService configuration files
rm -Rfv /Library/Preferences/DirectoryService/*
#OD
echo ""
echo ""
echo "Binding to OD-Damin "$oddomain
sleep 5
dsconfigldap -v -a "$oddomain" -n "$oddomain" -c "$computerid"
echo "Killing opendirectoryd"
killall opendirectoryd
sleep 5
echo "Adding computer account $computerid to /LDAPv3/${oddomain} on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -create /Computers/"$computerid" ENetAddress "$nicAddress"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /Computers/"$computerid" RealName "$computerid"
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
# Add computer to ComputerList and ComputerGroup
if [ "$computerGroup" != "" ]
then
echo "Adding computer $computerid to OD group $computerGroup on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerLists/"$computerGroup" apple-computers "$computerid"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" apple-group-memberguid "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" memberUid "$computerid"
fi
echo "Finished OD Binding."
sleep 5 # Give DS a chance to catch up
echo ""
echo ""
echo "Performing the AD Binding"
#AD
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
#Use the existing AD-Computername or generate a new one
computeridtmp="default"
if [ "$check4ADacct" == "" ]
then
# AD computer account names (NetBIOS) may be at most 15 characters, inclusive
LEN=${#adcomputerid}
if [ "$LEN" -le 15 ]; then
echo "ComputerID $adcomputerid has 15 characters or less and is therefore suitable for AD-Binding."
computeridtmp=$adcomputerid
else
echo "ComputerID $adcomputerid has 16 or more characters and needs to be modified for AD-Binding."
echo "Removing any -"
computeridtmp=${adcomputerid//-/}
LEN=${#computeridtmp}
if [ "$LEN" -le 15 ]; then
echo "ComputerID $computeridtmp has now 15 characters or less and is therefore suitable for AD-Binding."
else
echo "Only using the last 15 characters of the Computer name to be able to bind to AD."
computeridtmp=${computeridtmp:(-15)}
fi
echo "Cropped Computername to $computeridtmp"
fi
else
computeridtmp=${check4ADacct//$/}
echo "Found existing AD Account previously, attempting to recreate in the OU: "$computeridtmp
fi
echo ""
# Bind to AD
echo "Binding to AD-Domain "$domain" with computerid "$computeridtmp
dsconfigad -f -add "$domain" -username "$udn" -password "$password" -ou "$ou" -computer "$computeridtmp"
echo ""
echo "Setting the Advanced AD Plugin options"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]
then
dsconfigad -nogroups
else
dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains "$alldomains"
dsconfigad -localhome "$localhome"
dsconfigad -protocol "$protocol"
dsconfigad -mobile "$mobile"
dsconfigad -mobileconfirm "$mobileconfirm"
dsconfigad -useuncpath "$useuncpath"
dsconfigad -shell "$user_shell"
dsconfigad "$preferred"
dsconfigad -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval"
dsconfigad -namespace "$namespace"
sleep 5
echo ""
echo ""
# Add the OD & AD node to the search path
if [ "$alldomains" = "enable" ]
then
csp="/Active Directory/$domainname/All Domains"
else
csp="/Active Directory/$domainname"
fi
echo "Finished AD Binding."
echo "Adding Domain /LDAPv3/"$oddomain" and "$csp" to Search Path"
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
echo "Adding OD.."
dscl /Search -append / CSPSearchPath /LDAPv3/"$oddomain"
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"$oddomain"
echo "Adding AD.."
#Adding all Domains first to improve reliability under 10.7
if [ "$alldomains" != "enable" ]
then
cspadall="/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "$cspadall"
dscl /Search -append / CSPSearchPath "$cspadall"
fi
dscl /Search/Contacts -append / CSPSearchPath "$csp"
dscl /Search -append / CSPSearchPath "$csp"
echo "Finished Updating Search Paths."
echo ""
echo ""
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall opendirectoryd
# Destroy the login hook (or change it)
if [ "${newLoginHook}" == "" ]
then
defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
else
defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook $newLoginHook
fi
sleep 5
# Customizing the login-Window
#defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
#defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
#defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall opendirectoryd
# Disable autologin
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
srm /etc/kcpassword
echo ""
echo ""
echo ""
echo "Now bound to OD Domain:"
dscl localhost -list /LDAPv3
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
echo "Now bound to AD Domain:"
dscl localhost -list "/Active Directory"
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
exit 0 ## Success
exit 1 ## Failure
Any inputs, questions and improvement suggestions are, of course, most welcome!
Cheers
SeeHi everyone
I'm reposting this in the right thread. I've written a Directory Binding Script for 10.6 and ported it now to 10.7 as among the things that have changed in the upgraded version is a refurbished directory binding enviroment.
The original thread can be found here: https://discussions.apple.com/thread/3090068. The script is applicable for clients as well and simplifies the binding process considerably.
Be aware that the reformatted script here contains some faulty line breaks. So you'll have to correct them in a proper text editor.
#!/bin/sh
#Uncomment the following line to abort the script on errors
#trap exit ERR
## Script to automate OD and AD Binding of Mac OS X 10.7 Servers
## Script written by Marc Horat, URZ Basel, 11.6.2010
## Updated: 12.08.2011
# With the use of the following sources as inspiration:
# http://www.howtomac.co.uk/?p=247
#Created by Ross Hamilton
#Clock restart / Remove existing settings
#Join to Open Directory and Active Directory
# Bombich's AD-Bind Script:
# This script binds to AD and configures advanced options of the AD plugin
# As this scripts contains a password, be sure to take appropriate security
# precautions
# A good way to run this script is to set it as a login hook on your master machine
# Because it only needs to be run once, the last thing this script does is to delete
# itself. If you have another login script that you typically run, include the
# script on your master machine, and indicate its path in the "newLoginScript"
# variable.
# If running this as a one-time login hook to bind to AD after imaging,
# be sure to enable auto-login (for any local user) before creating your master image
#################CONFIGURATION##########################
#OD
# These variables need to be configured for your env
odAdmin="YOURODADMIN" #enter your OD admin name between the quotes
odPassword="YOURODPW" # Enter your OD admin password between the quotes
oddomain="YOURODDOMAIN" # FQDN of your OD domain
computerGroup="YOURNEWODCOMPGROUP" # Add appropriate computer group you want machines to be added to, case sensitive
oldComputerGroup="YOUROLDODCOMPGROUP" # If the Computer is in a Group already
#AD
# Standard parameters
domain="YOURADDOMAIN" # fully qualified DNS name of Active Directory Domain
domainname="YOURADDOMAINNAME" #Name of the Domain as specified in the search paths
udn="YOURADADMIN" # username of a privileged network user
password="YOURADPW" # password of a privileged network user
ou="OU=YOUR,OU=OU,OU=URZ,OU=IN,DC=YOUR,DC=AD,DC=DOMAIN" # Distinguished name of container for the computer E.G. OU=Macs,OU=Computers,DC=AD,DC=DOMAIN,DC=CH
# Advanced options AD Plugin
alldomains="disable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="disable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp', 'smb' or 'nfs' (since 10.7) change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="enable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-preferred $domain" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="$domainname\YOURADADMINGROUP" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\macadmins")
packetsign="allow" # allow | disable | require
packetencrypt="allow" # allow | disable | require
passinterval="14" # number of days
namespace="domain" # forest | domain
# Login hook setting -- specify the path to a login hook that you want to run instead of this script
newLoginHook="" # e.g., "/Library/Management/login.sh"
################################# End of configuration
############ Begin of Script
# Host-specific parameters
# computerid should be set dynamically, this value must be machine-specific
# This value may be restricted to 19 characters! The only error you'll receive upon entering
# an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
#computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
#computerid=`hostname | sed 's/.unibas.ch//'`
#computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
#computerid=`/usr/sbin/scutil --get LocalHostName`
computerid=`scutil --get ComputerName`
adcomputerid=`echo "$computerid" | tr '[:lower:]' '[:upper:]'` # character classes quoted so the shell does not glob them
# These variables probably don't need to be changed
# Determining if any directory binding exists
nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODtmp=`dscl localhost -list /LDAPv3 | head -n 1` # first bound LDAPv3 node
check4OD=${check4ODtmp//[[:space:]]/}
echo "Found LDAP: "$check4ODtmp
check4ODaccttmp=`dscl /LDAPv3/"$check4OD" -read Computers/"$computerid" RealName | cut -c 11-`
check4ODacct=${check4ODaccttmp//[[:space:]]/}
echo "Found LDAP-Computer-Account: "$check4ODacct
else
check4OD=""
check4ODacct=""
echo "No bound LDAP Server found"
fi
if [ "$oldComputerGroup" != "" ] && dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODgroupMembershiptmp=`dscl /LDAPv3/"$check4OD" -read ComputerGroups/"$oldComputerGroup" | grep "$computerid"`
check4ODgroupMembership=$check4ODgroupMembershiptmp
echo "LDAP Group Membership in Group: "$oldComputerGroup
else
check4ODgroupMembership=""
echo "No LDAP Group Membership defined or not bound to a server"
fi
if dscl localhost -list "/Active Directory" | grep $domainname > /dev/null
then
check4ADtmp=`dsconfigad -show | grep "Active Directory Domain" | sed 's/Active Directory Domain//' | sed 's/=//'`
check4AD=${check4ADtmp//[[:space:]]/}
echo "Found AD: "$check4AD
check4ADaccttmp=`dsconfigad -show | grep "Computer Account" | sed 's/Computer Account//' | sed 's/=//'`
check4ADacct=${check4ADaccttmp//[[:space:]]/}
echo "Found AD-Account: "$check4ADacct
else
check4AD=""
check4ADacct=""
echo "No AD-Account found"
fi
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
#Time Sync
#Restart ntpdate
# NOTE: this is the NetworkTime startup item's StartService function. It relies on
# GetPID and CheckForNetwork from /etc/rc.common and is defined here but never called.
StartService ()
{
if [ "${TIMESYNC:=-YES-}" = "-YES-" ] && ! GetPID ntpd > /dev/null; then
CheckForNetwork
if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
touch /var/run/NetworkTime.StartupItem
echo "Starting network time synchronization"
# Synchronize our clock to the network's time,
# then fire off ntpd to keep the clock in sync.
ntpdate -bvs
ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
fi
}
echo ""
echo ""
sleep 5
#### Removing any existing directory bindings
#Clear OD Computer Account and delete entry from Computer group
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "This computer is bound to the following Open Directory Services:"
dscl localhost -list /LDAPv3
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
sleep 5
if [ "${check4ODacct}" == "${computerid}" ]
then
echo "This machine already has a computer account on $oddomain."
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
echo "Found GUID: "$GUID
if [ "$oldComputerGroup" != "" ] && [ "$check4ODgroupMembership" != "" ]
then
echo "Removing entry from group $oldComputerGroup"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembership "${computerid}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembers "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerLists/"$oldComputerGroup" Computers "${computerid}"
fi
echo "Removing Computer entry $computerid in OD"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /Computers/"${computerid}"
fi
#List existing Directories
echo "Removing OD-Binding to "$check4OD
dsconfigldap -r "$check4OD"
echo "Removing Search Path entries"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
sleep 5
else
echo "No LDAP or OD Binding present.";
fi
echo ""
# Check a second time in order to delete any remaining LDAP-Bindings
echo "Scanning for further LDAP servers"
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "Found:"
dscl localhost -list /LDAPv3
echo "Removing OD-Binding to "$check4ODtmp
dsconfigldap -r "$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
sleep 5
else
echo "No further LDAP or OD Binding present."
fi
echo ""
echo ""
#Remove the Active Directory binding
if [ "$check4AD" != "" ]
then
echo "This computer is bound to the following Active Directory Services:"
dscl localhost -list "/Active Directory"
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
sleep 5
echo "Removing any existing AD-Binding to "$check4AD
dsconfigad -f -remove -username "$udn" -password "$password"
echo "Removing Search Path entries"
if [ "$preferred" != "-nopreferred" ]
then
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search/Contacts -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
fi
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
#remove search path entries from 10.6
if dscl /Search -read / CSPSearchPath | grep /Active > /dev/null
then
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
fi
sleep 5
else
echo "No Active Directory Binding present."
fi
echo ""
#Remove Existing Directory Services Config
echo "Removing existing DS Config"
if [ -d "/Library/Preferences/edu.mit.Kerberos" ]
then
rm -R /Library/Preferences/edu.mit.Kerberos
fi
if [ -f "/etc/krb5.keytab" ] # the keytab is a file, so test with -f rather than -d
then
rm -f /etc/krb5.keytab
fi
# Clean up the DirectoryService configuration files
rm -Rfv /Library/Preferences/DirectoryService/*
#OD
echo ""
echo ""
echo "Binding to OD-Domain "$oddomain
sleep 5
dsconfigldap -v -a "$oddomain" -n "$oddomain" -c "$computerid"
echo "Killing opendirectoryd"
killall opendirectoryd
sleep 5
echo "Adding computer account $computerid to /LDAPv3/${oddomain} on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -create /Computers/"$computerid" ENetAddress "$nicAddress"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /Computers/"$computerid" RealName "$computerid"
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
# Add computer to ComputerList and ComputerGroup
if [ "$computerGroup" != "" ]
then
echo "Adding computer $computerid to OD group $computerGroup on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerLists/"$computerGroup" apple-computers "$computerid"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" apple-group-memberguid "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" memberUid "$computerid"
fi
echo "Finished OD Binding."
sleep 5 # Give DS a chance to catch up
echo ""
echo ""
echo "Performing the AD Binding"
#AD
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
#Use the existing AD-Computername or generate a new one
computeridtmp="default"
if [ "$check4ADacct" == "" ]
then
LEN=$(echo ${#adcomputerid})
if [ "$LEN" -le 15 ]; then # AD (NetBIOS) computer names are limited to 15 characters
echo "ComputerID "$adcomputerid " has 15 characters or less and is therefore suitable for AD-Binding. It is $adcomputerid"
computeridtmp=$adcomputerid
else
echo "ComputerID "$adcomputerid " has 16 or more characters and needs to be modified for AD-Binding."
echo "Removing any -"
computeridtmp=${adcomputerid//-/}
LEN=$(echo ${#computeridtmp})
if [ "$LEN" -le 15 ]; then
echo "ComputerID "$computeridtmp" has now 15 characters or less and is therefore suitable for AD-Binding."
else
echo "Only using the last 15 characters of the Computer name to be able to bind to AD."
computeridtmp=${computeridtmp:(-15)}
fi
echo "Cropped Computername to "$computeridtmp
fi
else
computeridtmp=${check4ADacct//$/}
echo "Found existing AD Account previously, attempting to recreate in the OU: "$computeridtmp
fi
echo ""
# Bind to AD
echo "Binding to AD-Domain "$domain" with computerid "$computeridtmp
dsconfigad -f -add "$domain" -username "$udn" -password "$password" -ou "$ou" -computer "$computeridtmp"
echo ""
echo "Setting the Advanced AD Plugin options"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]
then
dsconfigad -nogroups
else
dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains "$alldomains"
dsconfigad -localhome "$localhome"
dsconfigad -protocol "$protocol"
dsconfigad -mobile "$mobile"
dsconfigad -mobileconfirm "$mobileconfirm"
dsconfigad -useuncpath "$useuncpath"
dsconfigad -shell "$user_shell"
dsconfigad $preferred # intentionally unquoted: "-preferred <server>" must expand to two arguments
dsconfigad -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval"
dsconfigad -namespace "$namespace"
sleep 5
echo ""
echo ""
# Add the OD & AD node to the search path
if [ "$alldomains" = "enable" ]
then
csp="/Active Directory/$domainname/All Domains"
else
csp="/Active Directory/$domainname"
fi
echo "Finished AD Binding."
echo "Adding Domain /LDAPv3/"$oddomain" and "$csp" to Search Path"
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
echo "Adding OD.."
dscl /Search -append / CSPSearchPath /LDAPv3/"$oddomain"
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"$oddomain"
echo "Adding AD.."
#Adding all Domains first to improve reliability under 10.7
if [ "$alldomains" != "enable" ]
then
cspadall="/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "$cspadall"
dscl /Search -append / CSPSearchPath "$cspadall"
fi
dscl /Search/Contacts -append / CSPSearchPath "$csp"
dscl /Search -append / CSPSearchPath "$csp"
echo "Finished Updating Search Paths."
echo ""
echo ""
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall opendirectoryd
# Destroy the login hook (or change it)
if [ "${newLoginHook}" == "" ]
then
defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
else
defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook "$newLoginHook"
fi
sleep 5
# Customizing the login-Window
#defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
#defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
#defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall opendirectoryd
# Disable autologin
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
srm /etc/kcpassword
echo ""
echo ""
echo ""
echo "Now bound to OD Domain:"
dscl localhost -list /LDAPv3
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
echo "Now bound to AD Domain:"
dscl localhost -list "/Active Directory"
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
exit 0 ## Success
exit 1 ## Failure
Any inputs, questions and improvement suggestions are, of course, most welcome!
Cheers
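Two helper functions, added here as an example and not part of the posted script, that a hardened version of the binding script above could use. The first derives the AD computer account name from the macOS ComputerName, generalising the script's inline 15-character logic to also drop the spaces and apostrophes that ComputerName values often contain. The second addresses a risk the script carries as posted: the OD and AD admin passwords are hard-coded in its configuration block, so anyone who can read the master image or the login-hook script can read them. The helper instead reads KEY=VALUE credentials from a root-only file and refuses a file that is group- or world-accessible. The path /var/root/.adbind and the KEY=VALUE layout are assumptions.

```shell
#!/bin/sh
# Added example (not part of the posted script): helpers for a hardened
# OD/AD binding script. Assumptions: the bind credentials live in a root-only
# file such as /var/root/.adbind (hypothetical path) holding KEY=VALUE lines,
# and the AD computer account name must fit the 15-character NetBIOS limit.

# Derive an AD-safe computer account name from the macOS ComputerName.
# Upper-cases the name, drops anything that is not a letter, digit or hyphen
# (spaces and apostrophes are common in ComputerName), then shortens it the way
# the posted script does: drop hyphens first, keep the last 15 characters as a
# last resort. Prints the name; returns 1 if nothing usable is left.
ad_computer_name() {
    name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -cd 'A-Z0-9-')
    if [ "${#name}" -gt 15 ]; then
        name=$(printf '%s' "$name" | tr -d '-')
    fi
    if [ "${#name}" -gt 15 ]; then
        name=$(printf '%s' "$name" | tail -c 15)
    fi
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Load KEY=VALUE bind credentials from a file instead of hard-coding them.
# Refuses files that are group- or world-accessible, so the directory admin
# password cannot be read by every local user of an imaged machine, and
# exports each key into the environment of the calling shell.
load_bind_credentials() {
    cred_file=$1
    if [ ! -f "$cred_file" ]; then
        echo "credential file missing: $cred_file" >&2
        return 1
    fi
    # POSIX find prints the path if any group/other permission bit is set
    if [ -n "$(find "$cred_file" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \))" ]; then
        echo "credential file $cred_file is group/world accessible; use chmod 600" >&2
        return 1
    fi
    while IFS='=' read -r key value; do
        case $key in
            ''|'#'*) continue ;;                        # blank or comment line
            *[!A-Za-z0-9_]*) echo "bad key: $key" >&2; return 1 ;;
        esac
        export "$key=$value"
    done < "$cred_file"
}

# Usage in a binding script (root-only credential file, hypothetical path):
#   load_bind_credentials /var/root/.adbind || exit 1
#   adname=$(ad_computer_name "$(scutil --get ComputerName)") || exit 1
#   dsconfigad -f -add "$domain" -username "$udn" -password "$password" -computer "$adname"
```

The credential file still has to be protected by the same means as the script itself (root-owned, mode 600, removed from the image once binding has run), and `dsconfigad` / `dscl -P` still expose the password in the process list for the duration of the call; the helper removes the copy that lives in the script text, not that exposure.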
See -
I have a web page that contains a ReportViewer control. I am trying to display a report, which is an .rdl file located on the SSRS server, in this ReportViewer control. I have set the ReportPath and ReportServerUrl correctly. I am
getting an error message.
Am I suppose to use an .rdlc file rather than a .rdl file? Does the web server configuration need to use a certain account?
I am getting the following error message:
The attempt to connect to the report server failed. Check your connection information and that the report server is a compatible version.
The request failed with HTTP status 404: Not Found.
Hi bucaroov,
The error "The request failed with HTTP status 404: Not Found." means the ReportServerURL configured in the ReportViewer control is invalid.
Please follow these steps to solve the issue:
Log on to the Report Server machine.
Open the Reporting Services Configuration Manager.
Copy the Report Server URL from 'Web Services URL'.
Log on to the application server (in this case, the server that hosts the web page) and check whether you can use the URL from step 3 to access the Report Server. If so, please replace the ReportServerURL in the ReportViewer control with this URL. If it is
not available, could you please post the error message.
Additionally, we don't need to provide the extension for a server report. The ReportPath should be like: /<reports folder>/<report name>
For more information, please see:
Walkthrough: Using the ReportViewer Control in Remote Mode:
http://msdn.microsoft.com/en-us/library/ms251669(VS.80).aspx
If you have any more questions, please feel free to ask.
Thanks,
Jin Chen
Jin Chen - MSFT -
Hi,
I have a solution that used to contain one SharePoint 2010 project. The project is named along the following lines:
<Company>.<Product>.SharePoint - let's call it Project1 for future reference. It contains a number of features which have been named according
to their purpose, some are reasonably long and the paths fairly deep. As far as I am concerned we are using sensible namespaces and these reflect our company policy of "doing things properly".
I first encountered the following error message when packaging the aforementioned SharePoint project into a wsp:
"The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters."
I went through a great deal of pain in trying to rename the project, shorten feature names and namespaces etc... until I got it working. I then went about gradually
renaming everything until eventually I had what I started with, and it all worked. So I was none the wiser...not ideal, but I needed to get on and had tight delivery timelines.
Recently we wanted to add another SharePoint project so that we could move some of our core functionality out into a separate SharePoint solution - e.g. custom workflow
error logging. So we created another project in Visual Studio called:
<Company>.<Product>.SharePoint.<Subsystem> - let's call it Project2 for future reference
And this is when the error has come back and bitten me! The scenario is now as follows:
1. project1 packages and deploys successfully with long feature names and deep paths.
2. project2 does not package and has no features in it at all. The project2 name is 13 characters longer than project1
I am convinced this is a bug with Visual Studio and/or the Package MSBuild target. Why? Let me explain my findings so far:
1. By doing the following I can get project2 to package
In Visual Studio 2010 show all files of project2, delete the obj, bin, pkg, pkgobj folders.
Clean the solution
Shut down Visual Studio 2010
Open Visual Studio 2010
Rebuild the solution
Package the project2
et voila the package is generated!
This demonstrates that the package error message is in fact inaccurate and that it can create the package, it just needs a little help, since Visual Studio seems to
no longer be hanging onto something.
Clearly this is fine for a small time project, but try doing this in an environment where we use Continuous Integration, Unit Testing and automatic deployment of SharePoint
solutions on a Build Server using automated builds.
2. I have created another project3 which has a ludicrously long name, this packages fine and also has no features contained within it.
3. I have looked at the length of the path under the pkg folder for project1 and it is large in comparison to the one that is generated for project2, that is when it
does successfully package using the method outlined in 1. above. This is strange since project1 packages and project2 does not.
4. If I attempt to add project2 to my command line build using MSBuild then it fails to package and when I then open up Visual Studio and attempt to package project2
from the Visual Studio UI then it fails with the path too long error message, until I go through the steps outlined in 1. above to get it to package.
5. DebugView shows nothing useful during the build and packaging of the project.
6. The error seems to occur in
CreateSharePointProjectService target called at line 365 of
Microsoft.VisualStudio.SharePoint.targets
Currently I am at a loss to work out why this is happening. My next task is to delete
project2 completely and recreate it and introduce it into my Visual Studio solution.
Microsoft, can you confirm whether this is a known issue and whether others have encountered this issue? Is it resolved in a hotfix?
Anybody else, can you confirm whether you have come up with a solution to this issue? When I mean a solution I mean one that does not mean that I have to rename my namespaces,
project etc... and is actually workable in a meaningful Visual Studio solution.
Hi
Yes, I thought I had fixed this by moving my solution from the usual documents folder to
c:\v2010\projectsOverflow\DetailedProjectTimeline
This builds ok, but when I come to package I get the lovely error:
Error 2 The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters. C:\VS2010\ProjectsOverflow\DetailedProjectTimeline\VisualDetailedProjectTimelineWebPart\Features\Feature1\Feature1.feature VisualDetailedProjectTimeline
Now, the error seems to be related to
Can anyone suggest what might be causing this. Probably some path in an XML file somewhere. Here is my prime suspect!
<metaData>
<type name="VisualDetailedProjectTimelineWebPart.VisualProjectTimelineWebPart.VisualProjectTimeline, $SharePoint.Project.AssemblyFullName$" />
<importErrorMessage>$Resources:core,ImportErrorMessage;</importErrorMessage>
</metaData>
<data>
<properties>
<property name="Title" type="string">VisualProjectTimelineWebPart</property>
<property name="Description" type="string">My Visual WebPart</property>
</properties>
</data>
</webPart>
</webParts>
.... Unless I can solve this I will have to remove the project and recreate but with simple paths. Tho I will be none the wiser if I come across this again.
Daniel -
I am having problems saving documents back to SharePoint when any of the document properties (metadata columns) are set to be "managed metadata". The check-in/save fails with error:
The document could not be saved. The server said:
“The operation failed because an unexpected error occurred. (Result code 0×80020005)”
Please ensure you have completed all required properties with the correct information and try again.
I have seen similar threads that suggest this is a known issue with this version of Acrobat but I would like confirmation from Adobe that this is a known issue and whether it is fixed in a newer version?
Adobe Acrobat version 10.1.13
SharePoint 2010
Hi quodd,
We are sorry for the issue being faced by you. I need some information from you so that I take further steps:
1. Which Adobe product are you using Acrobat or Adobe reader- what is the complete version?
2. How are you opening and saving the PDF, the exact workflow?
Are you doing it from within Adobe Reader/Acrobat application or opening it from browser, doing changes and saving it using browser itself.
3. Can you try to save a PDF to library with Custom template and managed metadata columns using browser directly.
4. Please verify that columns name do not contain spaces or some other special characters.
Can you try to save PDF to library with Custom template and just a single managed metadata column with a simple name
Thanks,
Nikhil Gupta -
To begin, I utterly despise the changes to the URL Bar and the removal of the Status bar. In order to stay with the latest version of Firefox I am attempting to recreate the look and feel as best I can.
I have already installed the Status-4-Evar extension. The only thing that remains is to remove the status information and the target URL from the bar.
Are there any settings in about:config that will allow me to make these changes?
EDIT: Status information can be removed by toggling status4evar.statusInUrlBar. Still looking for a way to remove the target URL...
This code in userChrome.css (http://kb.mozillazine.org/UserChrome.css) below the @namespace line seems to remove the links that appear on hover.
@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */
.urlbar-textbox-container {color: inherit !important;}
.urlbar-textbox-container-children {opacity: 1 !important;}
.urlbar-over-link-box {opacity: 0 !important;}
See http://kb.mozillazine.org/Editing_configuration#How_to_edit_configuration_files -
Can not login after changing account short name and home directory
Hi,
I did something rather stupid while trying to get Time Machine working on my iMac 10.5.5.
I changed the short name, login shell and home directory of my account (didn't listen to the warning that I may not be able to log in if I change that information). Now I can not log into my account anymore. I tried to use the FileVault master password to change the password of my account, but it didn't help. Can anyone tell me how I fix this problem?
Thanks a lot!
xyz2008 wrote:
No, I still can not log in as that user.
I did as you advised, but it gave the following message:
"attache failed, no such file or directory"
then I suspect you may be entering the command incorrectly. another possibility is this. I noticed you said in one of the previous posts that if you cd into the main user home directory you only see user.sparseimage. It actually should be user.sparsebundle. Or have you upgraded to leopard from tiger with filevault turned on? then it could have remained sparseimage rather than sparsebundle.
run the following in terminal
sudo ls -la /users/username
and post the results.
does it list sparsebundle or sparseimage?
Another thing, when I typed in the command, it didn't take the admin (root) password, but the password of the account I was logged in got me through.
that's what it has to be. it takes the password of the user (it has to be an admin user) which is currently logged in.
I am wondering if I can recover the problem user's files from the sparseimage file, then copied all the files to a new user.
Message was edited by: V.K. -
Good evening, my name is gianluca. Let me ask you this information and courtesy : you could write me step by step procedures (or email me the link to the instructions in Italian or alternatively in English) to be followed in Photoshop to resize in one fell swoop with the same height and width in cm all jpg file (containing passport photos) present within the same folder, thus avoiding open every single jpg file and resize it?
I hope for your help
Best Regards
gianlu1874 wrote:
Good evening, my name is gianluca. Let me ask you this information and courtesy : you could write me step by step procedures (or email me the link to the instructions in Italian or alternatively in English) to be followed in Photoshop to resize in one fell swoop with the same height and width in cm all jpg file (containing passport photos) present within the same folder, thus avoiding open every single jpg file and resize it?
I hope for your help
Best Regards
A process can be automated in Photoshop in different ways using one of Photoshop's batching features (there is more than one), and it can be done by other image processing programs. However, in all cases your image files will need to be opened, decoded into an image, processed to produce the images you want, and the output files saved.
It is not possible to give you a step by step, for you left out much needed information. Like: will all files being processed have the same aspect ratio, and is it the same aspect ratio as your desired passport images? Passport images should not be distorted. If aspect ratios differ, will a centered crop be OK? etc -
After Update to 19.0, Crash Frequently and Plug-in Container Issues
Ever since I updated to FF 19.0, I noticed that FF crashes more often than usual, without any reason (I was in the middle of reading a website). And also the plug-in container for Adobe Flash kept consuming high CPU usage, thus slowing down or even freezing FF. I have to end it before FF goes back to normal.
Am I the only one with this problem, or is it a bug in FF 19 waiting to be fixed?
Any suggestions/comments are much appreciated. Thank you.
PS: No add-on has been added, and I have cleared the cache often.
We're sorry to hear that Firefox is crashing. In order to assist you better, please follow the steps below to provide us crash IDs to help us learn more about your crash.
1. Enter about:crashes in the address bar (that's where you enter your website URL) and press Enter. You should now see a list of submitted crash reports.
2. Copy the 5 most recent crash IDs that you see in the crash report window and paste them into your response here.
Thank you for your cooperation!
More information and further troubleshooting steps can be found in the "Firefox crashes" article. -
Hello All,
We would like to have iTunes U podcasts available based on a user's course and role info. Furthermore, we are looking to have Active Directory provide this info. I am currently researching possibilities and have discovered two potential solutions:
1) Group membership
2) Extend the Active Directory schema
a) Do you recommend one over the other, or have you successfully implemented an alternative?
b) Is there any step by step documentation available on a successful implementation?
We're using eDirectory rather than Active Directory, but we're having much the same discussion. I think it's a question of what you'd ultimately like to do with iTunes.
Right now, I'm doing simple authentication against eDirectory, checking to make sure the user has a valid username and password, and then determining what group they belong in: Student, Faculty or College (the last of which is a catch all for those not belonging to the first two groups). Most of the content is identical, but I expect to post different welcome messages and how to's to the home page based on groups, particularly the Student ("how do I get my club's content into iTunes?") and Faculty ("How do I use this with my courses?") roles.
This authentication is handled via Perl, using Perl's LDAP functions to retrieve directory information and then build credentials based on that. I have an example version of that script; if anyone would like a copy, please e-mail me off-list at newquisk (at) lafayette.edu.
That's good for big groups and even smaller ones, depending on how you've got your directory set up (for example, we have a group for our department that we're using to distribute department-specific materials). But I think it breaks down at the course level which is why we're looking to extend eDirectory to support the eduCourse object class (and while we're at it, eduPerson).
The goal here would be able to have a person's course information and roles for those courses in LDAP and then use that to authenticate against iTunes and other web-based applications (in particular, Moodle). We expect to populate these fields based on regular imports from our administrative system.
We're at the beginning of that process, and have just started experimenting with expanding our eDirectory schema. I'm in the process of looking for schools that have implemented the eduCourse and eduPerson object classes so that we can get a better idea of what an operational system looks like.
I hope this helps,
Ken Newquist
Lafayette College -
How do you set up an iPod that is used - it contains another person's library?
I would connect to the computer you plan to use and restore it to factory defaults/new iPod via iTunes on the computer. See:
iTunes: Backing up, updating, and restoring your iPhone, iPad, or iPod touch software
Alternately, you can:
Connect iPod touch to your computer or a power adapter. Choose Settings > General > Reset and tap "Erase All Content and Settings."
This resets all settings, and erases all your information and media by removing the encryption key to the data (which is encrypted using 256-bit AES encryption). -
After adding the Witness Server to the Mirror session, the Witness Connection state between the Mirror and Witness Connection is Disconnected and the state between Principal and Witness Connection is Connected.
The procedures defined in Books Online were used to set up Database Mirroring...when the Witness server was added to the Mirror session, only the alter database T-SQL statement was executed on the Principal server.
ALTER DATABASE <db_name> SET WITNESS = 'TCP://<servername>:<port>'
After executing the above statement, a few seconds later the state between Principal and Witness Connection changed to Connected and the state between Mirror and Witness Connection remains Disconnected.
The Mirror session is not using Certificates, every server is on the same domain, using the same domain login account, and all servers have SP2 installed running Enterprise Edition.
Any ideas why the state between Mirror and Witness Connection remains Disconnected?
Thanks,
I have the same problem. All 3 servers are on a workgroup and I'm using certificates. All three servers are connected via switch. This is a test environment, with the principal server being a 64 bit OS with Windows Server 2003 R2 with SQL Server standard x64, the witness server is a Windows server 2003 SP2 x32 with SQL Server Express, and the mirror is Windows XP x32 with Sql Server Standard. Using hard coded static IP addresses (FQDN makes no difference, and they get resolved to IP addresses anyway!). The mirror server log shows
'The server instance Witness rejected configure request, read its error log file for more information
but of course there are no errors logged on the witness server - not by SQL, nor in the event log. When the witness is set on the principal server, the Database mirroring monitor shows almost immediately that the witness and principal servers are connected, but it takes quite a few seconds before the witness/mirror state is shown as disconnected. Until then the entry is blank. The monitor also shows High Safety with automatic failover, which isn't true - since the mirror and witness are not connected, no failover occurs when the principal is taken offline.
Since I'm running terminal services on the XP machine to interact with the witness and principal server, I find it hard to imagine that there are network issues.
If the witness can connect with the principal and the principal can connect with the mirror, under what circumstances will the witness NOT connect with the mirror? When I check the witness server for entries in the database_mirroring_witness view the following is shown:
RTJobs TCP://primary-sql:5022 TCP://192.168.100.14:5022 2 FULL 1 1 2263BD97-1004-4D73-9966-7AFB89E5626E A6EE18DF-19C4-48EC-8C06-77074EF5A275 0 1
Interestingly, the IP address of the principal server is replaced by the SQL Server instance name (primary-sql), but this doesn't happen for the witness.
-
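Both posts above describe the same symptom (principal/witness CONNECTED, mirror/witness DISCONNECTED after the single ALTER DATABASE ... SET WITNESS on the principal) and the same question: what does the mirror need in order to reach the witness? The T-SQL below is an added diagnostic, not code from either poster or from Books Online. It pulls the witness state each partner sees, the endpoint state plus the logins granted CONNECT on it, and the witness's own view of the session. The database name RTJobs and the endpoint, login and certificate names in the last block are placeholders taken from, or assumed for, the posts above.

```sql
-- Added diagnostic script (not from the original posts).
-- Queries 1 and 2: run on the principal AND on the mirror.
-- Query 3: run on the witness.
-- Block 4: template for the certificate/workgroup case, names assumed.

-- 1. Witness state as seen by this partner. In a healthy session both the
--    principal and the mirror report CONNECTED here. Mirror = DISCONNECTED
--    while principal = CONNECTED means the mirror cannot reach the witness
--    endpoint, or the witness rejects the mirror's login.
SELECT DB_NAME(database_id)           AS database_name,
       mirroring_role_desc,
       mirroring_state_desc,
       mirroring_safety_level_desc,
       mirroring_partner_name,
       mirroring_witness_name,
       mirroring_witness_state_desc
FROM   sys.database_mirroring
WHERE  mirroring_guid IS NOT NULL;

-- 2. Endpoint state, listening port, authentication mode, and every login
--    that holds CONNECT on it. The partner AND the witness each need a row
--    here; a server with no matching login is rejected at the endpoint and
--    shows up as DISCONNECTED in query 1.
SELECT e.name,
       e.state_desc,
       e.role_desc,
       e.connection_auth_desc,
       e.is_encryption_enabled,
       te.port,
       p.name                          AS login_with_connect
FROM   sys.database_mirroring_endpoints AS e
JOIN   sys.tcp_endpoints               AS te ON te.endpoint_id = e.endpoint_id
LEFT JOIN sys.server_permissions       AS sp
       ON sp.class_desc      = 'ENDPOINT'
      AND sp.major_id        = e.endpoint_id
      AND sp.permission_name = 'CONNECT'
      AND sp.state_desc      = 'GRANT'
LEFT JOIN sys.server_principals        AS p
       ON p.principal_id = sp.grantee_principal_id;

-- 3. On the witness: the sessions it has been told about. A row here only
--    proves the principal registered the session; it does not prove the
--    mirror has ever connected.
SELECT database_name,
       principal_server_name,
       mirror_server_name,
       safety_level_desc,
       is_suspended
FROM   sys.database_mirroring_witnesses
WHERE  database_name = 'RTJobs';

-- 4. Certificate authentication (workgroup, second post): trust is per pair,
--    so the mirror must hold the witness's certificate and the witness must
--    hold the mirror's, in addition to the principal pairs that already work.
--    Run on the MIRROR for the witness (and the reverse on the witness).
--    All names and the file path are assumed.
-- CREATE LOGIN witness_login WITH PASSWORD = '<strong password>';
-- CREATE USER  witness_user FOR LOGIN witness_login;
-- CREATE CERTIFICATE witness_cert
--        AUTHORIZATION witness_user
--        FROM FILE = 'C:\certs\witness_cert.cer';
-- GRANT CONNECT ON ENDPOINT::Mirroring TO witness_login;
```

Compare the login_with_connect column from query 2 on the mirror against the witness's service account (Windows authentication) or the login mapped to the witness's certificate (certificate authentication); if the witness has no row, that is the missing link, and the rejection is logged on the server that owns the endpoint, not on the one that was refused.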
How to make integration between UCCX and Active Directory
Hello,
I want to know what is the right procedure to perform a right integration between the UCCX and the Active Directory?
Waiting for your reply,
Thanks a lot.

What version?
Assuming a current version (5.0 and higher): there is NO direct integration between CCX and Active Directory. The CCX server must not be joined to a domain.
CCX uses UC Manager End Users for synchronized usernames and passwords. If UC Manager is synchronized with an LDAP source, such as Active Directory, then this will carry forward to CCX. CCX would pass authentication requests to UCM through AXL. UCM would perform the LDAP authentication and inform CCX of the success/failure.