System.DirectoryServices.AccountManagement for a Forest of domains

The GroupPrincipal FindByIdentity finds me all the members of an Active Directory group.
I ran into problems when I started to have a forest of domains.
What is the proper method for finding the members of a group when the members of my group come from a forest of domains?
(I program in c#)
Certified Geek

Hello Arne,
>> What is the proper method for finding the members of a group when the members of my group comes from a forest of domains?
You could try using the GC, which searches the whole domain forest, as:
var path="GC://DC=main,DC=com";
For details, please refer to this link:
http://stackoverflow.com/a/16685651
Or, in .NET, there is a class named Forest; you could use the Forest class to get the current global catalog, from which you can then get a reference to a DirectorySearcher that will search the entire forest, as used in this link.
Regards,
Fred.
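An added example (not code from the thread or from Microsoft) of the approach Fred describes: a DirectorySearcher rooted at the forest's global catalog so the group lookup spans every domain, with each member DN then resolved through the GC:// provider. The group name App-Operators is an assumed placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

// Added example: forest-wide group member lookup via a global catalog (GC).
// A GC holds a partial replica of every domain partition in the forest, so a
// search rooted at it is not limited to the caller's own domain.
public static class ForestGroupMembers
{
    // Returns the distinguishedName of every direct member of the group.
    public static List<string> GetMemberDns(string groupSamAccountName)
    {
        var members = new List<string>();

        // Forest.GetCurrentForest() uses the identity the process runs as.
        using (GlobalCatalog gc = Forest.GetCurrentForest().FindGlobalCatalog())
        // GetDirectorySearcher() returns a searcher rooted at the GC partition.
        using (DirectorySearcher searcher = gc.GetDirectorySearcher())
        {
            // Escape the caller-supplied name so it cannot rewrite the filter (LDAP injection).
            searcher.Filter = "(&(objectCategory=group)(sAMAccountName="
                              + EscapeLdapValue(groupSamAccountName) + "))";
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("member");
            searcher.PropertiesToLoad.Add("distinguishedName");

            SearchResult group = searcher.FindOne();
            if (group == null)
                throw new InvalidOperationException("Group not found in the forest: " + groupSamAccountName);

            // 'member' lists direct members only; nested groups need a further lookup.
            foreach (object dn in group.Properties["member"])
                members.Add((string)dn);
        }
        return members;
    }

    // Binds to a member DN through the GC provider, which works for objects in any
    // domain of the forest (LDAP:// would need a server in the member's own domain).
    public static string ResolveSamAccountName(string memberDn)
    {
        using (var entry = new DirectoryEntry("GC://" + memberDn))
        {
            // Only attributes in the partial attribute set are readable from a GC;
            // sAMAccountName is, many custom or rarely-used attributes are not.
            object sam = entry.Properties["sAMAccountName"].Value;
            return sam == null ? memberDn : (string)sam;
        }
    }

    // RFC 4515 escaping for a value embedded in a search filter.
    public static string EscapeLdapValue(string value)
    {
        var sb = new System.Text.StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    public static void Main()
    {
        foreach (string dn in GetMemberDns("App-Operators"))   // placeholder group name
            Console.WriteLine(ResolveSamAccountName(dn) + "  <" + dn + ">");
    }
}
```

Universal group membership is replicated to every GC, but the membership of global and domain local groups lives only in their home domain partition, so for a non-universal group from another domain the GC can return an empty member list and that domain's own DC must be queried over LDAP://.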

Similar Messages

  • Check if user is part of AD group using System.DirectoryServices.AccountManagement namespace

    I am trying to validate a user from SharePoint to see if a user exists within an AD group. SharePoint does not allow you to do this so I am using the:
    using System.DirectoryServices.AccountManagement;
    to validate user existence within that AD group. I found the following method that allows me to validate but is bombing on me:
    public bool IsUserInGroup(string username, string groupname, ContextType type)
    {
        PrincipalContext context = new PrincipalContext(type);
        UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.Name, username);
        GroupPrincipal group = GroupPrincipal.FindByIdentity(context, groupname);
        return user.IsMemberOf(group);
    }
    When I call my method, I get
    An operations error occurred.
    I read that it might be an impersonation error but I have my web.config set up already with:
    <authentication mode="Windows" />
    <identity impersonate="true" />
    Any suggestions from someone that has worked with that namespace on SharePoint? I just want to plainly check to see if a user is part of a certain group on AD from SharePoint.
    Victor Palma

    "An operations error occurred." may suggest that a COMException occurred.
    I wrote a simple console application that works:
        using System;
        using System.DirectoryServices.AccountManagement;
        class Program
        {
            static void Main(string[] args)
            {
                Console.WriteLine(IsUserInGroup("Administrator", "Domain Admins"));
            }
            public static bool IsUserInGroup(string username, string groupname)
            {
                var foundUser = false;
                var context = new PrincipalContext(ContextType.Domain, "DC");
                var group = GroupPrincipal.FindByIdentity(context, groupname);
                if (group == null)
                {
                    context.Dispose();
                    throw new Exception("Group could not be found: " + groupname);
                }
                // GetMembers(true) is recursive (groups-within-groups)
                foreach (var member in group.GetMembers(true))
                {
                    try
                    {
                        if (member.SamAccountName.Equals(username))
                        {
                            foundUser = true;
                            break;
                        }
                    }
                    catch (Exception)
                    {
                        // One of the members could not be retrieved, moving on...
                    }
                }
                group.Dispose();
                context.Dispose();
                return foundUser;
            }
        }
    Reference:
    Recursive Active Directory group membership using System.DirectoryServices in .NET 3.5(http://www.lessanvaezi.com/recursive-active-directory-group-membership-using-system-directoryservices-in-net-3-5/)
    Another important notice:
    How to use the System.DirectoryServices namespace in ASP.NET(http://support.microsoft.com/default.aspx/kb/329986)
    Keep It Simple and Stupid.

  • Understanding Lync 2013 Deployment for Single forest multiple domain Infrastructure

    Hello Everyone,
    I have an issue in understanding a deployment scenario of Lync 2013 Enterprise edition.
    We have a single forest multiple domain infra.
    My question here is, while doing AD prep, do we need to run Domainprep on every domain in the forest?
    Thanks!
    Thank You!!! BR, Ammi.

    Hi Ammi,
    To prepare Active Directory Domain Services for your Lync Server 2013 deployment, you must perform three steps in a specific sequence.
    1. Preparing the Active Directory schema in Lync Server 2013: extends the Active Directory schema by adding new classes and attributes that are used by Lync Server. Run once for each forest in your deployment where Lync Server will be deployed.
    2. Preparing the forest for Lync Server 2013: creates global settings and universal groups that are used by Lync Server. Run once for each forest in your deployment where Lync Server will be deployed.
    3. Preparing domains for Lync Server 2013: adds permissions on objects to be used by members of universal groups. Run once per user domain or server domain.
    Hope it can be helpful.
    Best regards,
    Eric

  • SPNego for multi-forest using IBM JDK

    Hi All,
    I need to set up SPNego authentication for EP7 and IBM JDK for a multi-forest landscape (2 Active Directory domains).  There's a guide about how to do this for Sun JDK : https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/c771c3d3-0c01-0010-b5b6-86755a2cf778 but I need one for IBM JDK as the login stack modules are different.
    Can anyone supply me with a guide or any helpful information regarding this ?  Do you know if it works?  I've currently got SPNego working for a single domain.
    Thanks in Advance,
    Anthony

    Jan,
    ok, thanks. I will now explain how I think we can help.
    Firstly, to be sure you understand - I represent a SAP partner company known as CyberSafe, and we have a product which uses SPNEGO for Kerberos authentication in a browser environment, so my answer relates mainly to our product functionality, and not related to the SAP login module, which has less functionality.
    I must also apologise in case anybody reading this thread has an issue with me discussing non-SAP software. My view is that the most important thing on this forum is to help you (the SAP customer) get a solution that meets your needs, and if this involves SAP Partner products as well as SAP products, then that is acceptable.
    Firstly, our product does not use the Java implementation of Kerberos. Instead, we use a JNI (Java Native Interface) so that our host based Kerberos library can be used to implement the protocol. This means that any differences between IBM, SUN or any other vendor JDK version related to Kerberos functionality, multi-domain support etc. are not relevant to our product. We support many things in our product which are not supported in Java implementations of Kerberos, so you don't need to wait for new versions of JDK to take advantage.
    Secondly, and perhaps more relevant to this discussion, is that our login module authenticates the user by decrypting the service ticket received using the key in the Key Table File on the host, and then we map this principal name onto a SAP user id. We then (via the login module stack) cause the SAP system to issue an SSO2 logon ticket for this user id. The secret is the way we perform the mapping - we are not dependent on UME datasources for this, and I will describe below how we achieve mapping by using an example:
    Let's suppose a user is authenticated as user.name@DOMAIN1, the SAP system login module has been set up using domain 2 (Realm = DOMAIN2) and trusted via a key in a key table file, with principal name of HTTP/hostname@DOMAIN2. Then, using normal Kerberos cross realm trust, and cross realm TGTs, the browser requests a ticket from AD for HTTP/hostname@DOMAIN2, and this is issued by AD in domain 2 using the cross realm TGT, but the principal name of the authenticated user inside this service ticket is user.name@DOMAIN1. The login module on the SAP server can decrypt the ticket it receives to find the user's Kerberos principal name.
    So, the login module knows the user is user.name@DOMAIN1; it then has to decide how to determine the SAP user id. Our login module currently supports two different methods of performing this mapping, but we are adding more methods in each release to make the product even more flexible. Currently we support the following methods:
    1. Simple mapping - this is where we remove the realm name and convert the principal name to upper case, so in this example user.name@DOMAIN1 would be mapped to a SAP userid of USER.NAME and used to issue an SSO2 ticket. Clearly this is only suitable for single domains, and makes administration very easy - many of our customers use this method, but you would need a different mapping method due to your multiple domains.
    2. USRACL mapping - Since we also sell an SNC product for SAP GUI SSO, our customers already maintain mapping of Kerberos principal name to SAP user id using a table in ABAP engine called USRACL. This table is maintained using SU01 transaction. We now have support in our login module to read the USRACL table using the authenticated Kerberos principal name of the user (e.g. user.name@DOMAIN1) and find the required SAP user id, so that an SSO2 logon ticket can be issued.
    I hope this helps you understand. If you are interested in more detail about our product, and how we might be able to help you, please feel free to contact me offline instead of via this forum.
    Thanks,
    Tim

  • Identity firewall with Single Forest/Multi-Domain

    I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.
    Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup:
    I have 3 domains.
    domain1.test.com
    domain2.domain1.test.com
    domain3.domain2.domain1.test.com
    Both domains have a two way parent-child trust and I can look for users in AD Users/Computers on both domains.  I initially set up the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent.  I installed the adagent on the domain1.test.com domain controller, configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1.  I looked to see if I could see domain 2 and domain 3 users and found none.  I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users it is not pulling them from domain2.  Instead, it shows domain1 users as domain2\user1.  I also configured another adserver in the ASA to search ldap on domain 2 to no avail.
    The cisco documentation states the following:
    •Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine).
    Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.
    Reading that, it sounds like it should just work.  I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get it to communicate with the lower level domains.  I wanted to ask though before I blow everything up and start over.  The instructions are not overwhelmingly clear on what needs to be done in this scenario.  Suggestions?

    Hi Matthew,
    If I understand your post correctly, the problem is that the ASA is unable to search users in domain2, correct? This portion of the communication is unrelated to the AD Agent, but it sounds like the Agent can talk to the DC just fine. The ASA searches for users directly on the DC via LDAP queries. The communication between the ASA and the Agent is all done via RADIUS.
    If the above is correct, I would focus on why the LDAP queries are failing between the ASA and the domain2 DC. Feel free to open a TAC case on this as well for additional assistance from the AAA experts.
    -Mike

  • SCCM 2012 AD Publishing in a Single Forest Multiple Domains

    Hi there,
    Let me explain the situation first so that you get the idea. We have a single forest, multiple child domains AD environment. For some reasons each domain is being managed separately by their geographic location IT.
    The forest has been extended for SCCM by the site that holds the forest root domain. Since everyone wants to manage their own domain and systems, each child domain has its own primary site server.
    In one of the domains I have installed a brand new SCCM 2012 R2. I haven't done anything yet, haven't turned on any discovery except Heartbeat. Now I see one device, which belongs to another domain with a totally separate IP address, show up in my SCCM site. I don't know why.
    From here a question arises for me. Correct me if I'm wrong and please advise what to do domain/forest wide.
    1. System Container is needed in each child domain, not in the forest, right?
    2. Where does/should each SCCM primary site publish information; in each domain or in the forest root domain?
    3. Under Administration > Overview > Site Configuration > Sites > Properties > Publishing I see the forest root domain name and it's checked.
    Under Administration > Overview > Hierarchy Configuration > Active Directory Forests > Properties > Publishing my site is checked and it's the only one in there. In that same window I went ahead and specified my own domain hoping to cure the possible problem.
    So, why would that one device show up in this site? I have disabled Heartbeat together with other discoveries for now till I make everything ready.
    Thanks for your help in advance.

    1. Under Administration > Overview > Site Configuration > Sites > Properties > Publishing, if I uncheck the forest root domain will devices on my child domain still be able to find my site server?
    2. Under Administration > Overview > Hierarchy Configuration > Active Directory Forests > Properties > Publishing my site is checked and it's the only one in there. In that same window I went ahead and specified my own domain hoping to cure the possible problem. Is this a good practice?
    3. "When clients look for ConfigMgr info, they use GC lookups meaning they return objects from every System Management container in the forest." So, which one do clients choose and how?
    4. "For that one device, have you opened its properties and examined it?" Yes, what about it? It's found based on the Heartbeat Discovery agent (when heartbeat was enabled).
    5. "Have you reviewed the boundaries and boundary groups set up for site assignment?" Yes, as I mentioned this device belongs to a different domain and is totally outside of my AD site and SCCM boundaries.
    This is a fresh install and not in production yet. I have disabled Heartbeat temporarily so that I can fix this problem. I will enable it afterwards.

  • [Fwd: Client accessing MBeanHome for more than one domain receives SecurityException]

    Fwd'ing to security newsgroup
    -------- Original Message --------
    Subject: Client accessing MBeanHome for more than one domain receives SecurityException
    Date: 4 Mar 2004 07:27:33 -0800
    From: Dinesh Bhat <[email protected]>
    Reply-To: Dinesh Bhat <[email protected]>
    Organization: BEA NEWS SITE
    Newsgroups: weblogic.developer.interest.management
    Hi,
    When a client accesses MBeans of more than one domain (Weblogic 8.1) that have different passwords, it receives a SecurityException. This occurs when the MBeanHome for each domain is looked up at initialization and reused for each request (to access MBeans). The security exception does not occur if the MBeanHome for each domain is looked up for each request. On initial review, this behavior seems inconsistent.
    Looking up the MBeanHome for each request may introduce a significant overhead. I am not sure if concurrent lookups would also cause the same problem.
    I have read on another post that we can work around this problem by establishing a trust relationship between the servers, but this may not be feasible when one is monitoring a lot of servers and the overhead of configuration may be an issue.
    I have attached code that can reproduce the problem.
    Please advise on the correct approach.
    Thanks
    Dinesh Bhat
    Panacya Inc.
    import java.util.ArrayList;
    import java.util.Set;
    import java.util.HashMap;
    import java.util.Iterator;
    import java.util.Hashtable;
    import javax.management.MBeanServer;
    import javax.naming.Context;
    import weblogic.jndi.Environment;
    import weblogic.management.MBeanHome;

    /**
     * This class reproduces the Security Exception that is caused when a client tries to access
     * MBeans of more than one domain with different weblogic passwords. Here is the stacktrace of the
     * exception
     * java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators]
     *      at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
     *      at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:138)
     *      at weblogic.management.internal.AdminMBeanHomeImpl_811_WLStub.getDomainName(Unknown Source)
     *      at WLSecurityTest.getWeblogicInfo(WLSecurityTest.java:140)
     *      at WLSecurityTest.runTest(WLSecurityTest.java:75)
     *      at WLSecurityTest.<init>(WLSecurityTest.java:66)
     *      at WLSecurityTest.main(WLSecurityTest.java:51)
     *      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     *      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     *      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     *      at java.lang.reflect.Method.invoke(Method.java:324)
     *      at com.intellij.rt.execution.application.AppMain.main(Unknown Source)
     * Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators]
     *      at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:682)
     *      at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:181)
     *      at weblogic.rmi.internal.BasicServerRef.acceptRequest(BasicServerRef.java:814)
     *      at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:299)
     *      at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:920)
     *      at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:841)
     *      at weblogic.rjvm.ConnectionManagerServer.handleRJVM(ConnectionManagerServer.java:222)
     *      at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:794)
     *      at weblogic.rjvm.t3.T3JVMConnection.dispatch(T3JVMConnection.java:570)
     *      at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:105)
     *      at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
     *      at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
     *      at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
     * Note: the exception is caused only when the MBeanHome for each domain is cached and used for subsequent
     * transactions. The exception does not occur if the MBeanHome for each domain is looked up for each transaction. This
     * would add significant overhead in practice. Also the transactions across the various domains occur serially, hence
     * the effect of concurrent lookups has to be tested.
     * Usage:
     * This class has been tested with weblogic 8.1
     * The class needs weblogic.jar in its classpath
     * One can specify the weblogic details as System properties. The properties need to be specified in
     * the following format:
     * wls.host.n, wls.userId.n, wls.password.n where n is the weblogic instance number. Also specify
     * the boolean system property reconnect.each.iteration to toggle between reconnecting or not reconnecting
     * for each iteration. When not reconnecting for each iteration, the MBeanHome is reused and the Security Exception
     * occurs.
     * Following is the example of system properties
     * -Dwls.host.0=localhost:7001 -Dwls.userId.0=weblogic -Dwls.password.0=weblogic
     * -Dwls.host.1=localhost:7011 -Dwls.userId.1=weblogic -Dwls.password.1=weblogic1
     * -Dwls.host.2=localhost:7021 -Dwls.userId.2=weblogic -Dwls.password.2=weblogic2
     * -Dreconnect.each.iteration=false
     */
    public class WLSecurityTest
    {
        ArrayList wlsDetailsList = new ArrayList();
        HashMap connectionMap = new HashMap();

        public static void main(String[] args)
        {
            try
            {
                WLSecurityTest wlSecurityTest = new WLSecurityTest();
            }
            catch (Exception e)
            {
                e.printStackTrace();
            }
        }

        /**
         * Constructor
         * @throws Exception
         */
        public WLSecurityTest() throws Exception
        {
            int noOfTries = 10;
            getWLSDetails();
            for (int i = 0; i <= noOfTries; i++)
            {
                runTest();
            }
        }

        /**
         * Runs the test
         */
        private void runTest()
        {
            for (int i = 0; i < wlsDetailsList.size(); i++)
            {
                WLSDetails wlsDetails = (WLSDetails) wlsDetailsList.get(i);
                getWeblogicInfo(wlsDetails);
            }
        }

        /**
         * Get Weblogic details from System properties
         * @throws Exception
         */
        private void getWLSDetails() throws Exception
        {
            wlsDetailsList = new ArrayList();
            String hostKeyTmpl = "wls.host";
            String userIdKeyTmpl = "wls.userId";
            String passwordKeyTmpl = "wls.password";
            boolean done = false;
            for (int i = 0; !done; i++)
            {
                WLSDetails wlsDetails = new WLSDetails();
                String hostKey = hostKeyTmpl + "." + Integer.toString(i);
                String userIdKey = userIdKeyTmpl + "." + Integer.toString(i);
                String passwordKey = passwordKeyTmpl + "." + Integer.toString(i);
                wlsDetails.hostName = System.getProperty(hostKey);
                done = (wlsDetails.hostName == null) || (wlsDetails.hostName.length() == 0);
                if (!done)
                {
                    wlsDetails.userId = System.getProperty(userIdKey);
                    wlsDetails.password = System.getProperty(passwordKey);
                    connect(wlsDetails);
                    wlsDetailsList.add(wlsDetails);
                }
            }
        }

        /**
         * Lookup the MBeanHome for the specified weblogic server
         * @param wlsDetails
         * @throws Exception
         */
        public synchronized void connect(WLSecurityTest.WLSDetails wlsDetails) throws Exception
        {
            Context ctx = null;
            MBeanHome mbHomeLocal = null;
            try
            {
                Environment env = new Environment();
                env.setProviderUrl("t3://" + wlsDetails.hostName);
                env.setSecurityPrincipal(wlsDetails.userId);
                env.setSecurityCredentials(wlsDetails.password);
                Hashtable hashtable = env.getProperties();
                // Note: this echoes the JNDI environment, including the password, to stdout.
                System.out.println(hashtable.toString());
                ctx = env.getInitialContext();
                wlsDetails._mBeanHome = (MBeanHome) ctx.lookup(MBeanHome.ADMIN_JNDI_NAME);
            }
            catch (Exception e)
            {
                e.printStackTrace();
            }
        }

        /**
         * Gets weblogic information using MBeans
         * @param wlsDetails
         */
        public synchronized void getWeblogicInfo(WLSDetails wlsDetails)
        {
            try
            {
                boolean reconnectEachIteration =
                    Boolean.getBoolean("reconnect.each.iteration");
                if ((reconnectEachIteration) || ((wlsDetails._mBeanHome == null) && (!reconnectEachIteration)))
                {
                    connect(wlsDetails);
                }
                MBeanHome mbHomeLocal = wlsDetails._mBeanHome;
                String domainName = mbHomeLocal.getDomainName();
                Set allMBeans = mbHomeLocal.getAllMBeans();
                System.out.println("Size: " + allMBeans.size());
                Set clusterMBeans = mbHomeLocal.getMBeansByType("Cluster", domainName);
                System.out.println(clusterMBeans);
                MBeanServer mBeanServer = mbHomeLocal.getMBeanServer();
            }
            catch (Exception ex)
            {
                ex.printStackTrace();
            }
        }

        /**
         * Class that holds weblogic server details
         */
        class WLSDetails
        {
            String hostName = "";
            String userId = "";
            String password = "";
            MBeanHome _mBeanHome = null;
        }
    }

    If the server version is 61:
    Make the "system" user password of all weblogic servers the same.
    If the server version is above 61 (70, 81):
    In the Security Advanced Settings, uncheck generated credential and specify a common credential for all the weblogic servers (domains).

  • How many ADFS farms can you have in a single forest/single domain?

    Hi
    I may have some terminology incorrect...please let me know if I do. :)
    My question is, how many ADFS farms can you have in a single forest/single domain? If you want to know why I am asking...please read on.
    We have 1 ADFS Farm and we are looking at adding services to it. However not every cloud vendor provides an "Identity Broker" with their services.
    We have a consultant that is advising that we need to enable a SAML-based IdP-initiated single sign-on (SSO) ie using "IdpInitiatedSignOnPage"
    However to do this we need to modify the ADFS website to have "drop down" list so the user can select the "Relying Party" and then authentication with them.
    This means we are exposing a list of every company/party we have federated with. The exposure of this information is deemed a security concern by our company...which I agree with.
    So the consultant advises that we need a separate ADFS farm. I have searched online, but haven't found any information that confirms multiple ADFS farms can be implemented in a single forest/single domain.
    Thanks for reading and if you have any other suggestions...I'd appreciate it.
    Nyobi

    This is not exactly a FIM related question - there is an ADFS forum available on Technet. However - technically there is no limit on ADFS farms in a forest \ domain. It is just a service which uses AD and is not altering it in any way or storing some forest-wide information like Exchange. So you can set up two ADFS services in a single forest - no problem.
    Is it the best solution to your problem? I can't say with that limited information, but maybe just customization of pages on the ADFS side would be enough?
    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

  • Strange info in "Bypass Proxy Settings for These Hosts and Domains"

    For my Mac Mini my Network IP Address always has a self-assigned 169.254 number that I cannot change. Strangely, this same IP number is similar to info that is in the Proxies section (of Network Settings) under "Bypass Proxy Settings for These Hosts and Domains".
    No matter what I do, this info (*,local, 169.254/16) appears in my Network Settings in the Proxies section under "Bypass Proxy Settings for These Hosts and Domains". (I tried removing the info and it would cause the "Configure Proxies" selection to default to "Always Use PAC File". Had to go back and retrash all the plist files to have Proxies go back to "Configure Proxies-Manually". Still, the info (*,local, 169.254/16) continues to appear in the "Bypass Proxy Settings for These Hosts and Domains" section and my IP address is always a 169.254 number.)
    Comcast cable modem via direct hardwired Ethernet works fine with my other computer, so not the modem. Also, other computer does not have any info in the "Bypass Proxy Settings for These Hosts and Domains" section.
    Installed a fresh copy of OS X 11.5 on a new hard drive. Still the same problem.
    I posted this issue before but only got one responder and the problem still exists. Any clues? Somebody must know about this stuff. Help please.
    Thanks

    When your Mac wakes up, it does not yet have an IP Address. It wants to send a request to a Router for an appropriate IP address to use now. But it needs to have an IP address (like a return address) to receive any messages. So, ... wait for it, ... it (your Mac) makes one up. There are rules that ensure it is a random address, but they always start with 169.254. It is on the same subnet with any low-order 16 bits. This is the "self-assigned" range of IP Addresses. This address is only good for talking on a local network segment, for things like asking for a valid IP Address from a DHCP-enabled Router.
    In most cases, on most networks, the 169.254 self-assigned IP Address is replaced by a valid Local IP Address such as 192.168.xxx.yyy or 10.0.xxx.yyy so quickly that you never even see the 169.254 Address.
    If you do see the 169.254 Address, it can be read as "Nobody will talk to me" or "Nobody will give me an IP Address". When you have this IP Address for more than an instant, you should suspect bad cables for Ethernet connections, bad signal strength or interference for wireless, Router configuration problems, or Mac configuration problems.
    Mac configuration problems are often solved by using the "Assist Me" button in System Preferences > Network and choosing to set up again.
    Another diagnostic is to try using Network Utility and the Ping function, and Ping-ing the address of your Airport Base Station, often 192.168.0.1 or 10.0.0.1 or similar. This will tell you if the Router is reachable, or there are cabling/wireless signal problems.
    In this case, proxies are not an issue, and are simply a distraction from the real problems.

  • System.DirectoryServices.Protocols.SearchRequest Ldap Query Execution Problem

    Hi,
    I am using the DirectorySearcher class to query the active directory. It gives all the records in a single page (more than 5000). I want to get 100 records per page. So I moved to the SearchRequest class. Using the SearchRequest class I can get 100 records per page. But for a particular query it is not working. I want to get all the users with their "samaccountname or displayname starts with 'a'"; this works fine. Then I want to get all the users with their "samaccountname and displayname starts with 'a'"; this is not working. I can guess the reason: some of the users have a samaccountname starting with 'a' but no displayname. Any workaround for this issue? Please guide me.
    Please refer to the following code
    using System.DirectoryServices.Protocols;
    // scope, serverName, numEntries and offsetVal are defined elsewhere in the caller's code
    // This query works fine
    //string filter = "(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(|(samaccountname=a*)(displayname=a*)))";
    /* Does not work */
    string filter = "(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(&(samaccountname=a*)(displayname=a*)))";
    LdapConnection connection = new LdapConnection(serverName);
    string[] attribs = { "samaccountname", "displayname" };
    // create a SearchRequest object
    SearchRequest searchRequest = new SearchRequest(
        scope,
        filter,
        System.DirectoryServices.Protocols.SearchScope.Subtree,
        attribs);
    SortRequestControl sortRequest = new SortRequestControl("samaccountname", false);
    searchRequest.Controls.Add(sortRequest);
    VlvRequestControl vlvRequest = new VlvRequestControl(0, numEntries, offsetVal);
    searchRequest.Controls.Add(vlvRequest);
    SearchResponse searchResponse = (SearchResponse)connection.SendRequest(searchRequest);
    if (searchResponse.Controls.Length != 2 ||
        !(searchResponse.Controls[0] is SortResponseControl))
    {
        Console.WriteLine("The server does not support VLV");
        return null;
    }

    Your exception condition
        if (searchResponse.Controls.Length != 2 ||
            !(searchResponse.Controls[0] is SortResponseControl))
        {
            Console.WriteLine("The server does not support VLV");
            return null;
        }
    is not correct. Why? If you get back no hits from your query there will be no SortResponseControl because there was nothing to sort. Since your query filter has proved that there were no objects with sAMAccountName & displayName equal to a* in your AD, you will not get back a SortResponseControl.
    A better approach would be to check the DirectoryControls on the SearchResponse for the existence of a VlvResponseControl - like this:
    // 2.16.840.1.113730.3.4.10 is the OID of the VLV *response* control (the request control is .4.9)
    if (GetControl(sresponse.Controls, "2.16.840.1.113730.3.4.10") == null)
    { Console.WriteLine("The server does not support VLV"); }
    protected DirectoryControl GetControl(DirectoryControl[] controls, string OID)
    {
        DirectoryControl dcret = null;
        try
        { dcret = controls.ToList().Where(d => d.Type == OID).FirstOrDefault(); }
        catch (Exception ex)
        { ex.ToDummy(); } // *see below
        return dcret;
    }
    * Just for completeness and to explain the ex.ToDummy() thing - it's a custom extension:
    public static class ExtensionMethods
    {
        public static void ToDummy(this Exception ex)
        { /* intentionally empty: the exception is swallowed */ }
    }
    By itself there's nothing wrong with the filter - it's just unnecessarily complicated - just write:
    "(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(samaccountname=a*)(displayname=a*))"
    Another thing that could be of some interest for you:
    The filter "(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(samaccountname=a*)(displayname=a*))" uses displayName as index.
    "(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(|(samaccountname=a*)(displayname=a*)))" gets translated by the QueryOptimizer on the DC to
    ( | ( & (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mfp-labs,DC=labsetup,DC=org) (objectClass=user) ( ! (sAMAccountType=805306370) ) (displayName=a*) ) ( & (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mfp-labs,DC=labsetup,DC=org) (objectClass=user) ( ! (sAMAccountType=805306370) ) (sAMAccountName=a*) ) )
    and uses sAMAccountName and displayName as index for the search.
    @Richard M. : sAMAccountType=805306370 (0x30000002) translates to SAM_TRUST_ACCOUNT - so I guess your AD doesn't have any trusts established .-)
    Hth
    Michael
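    Both of Michael's observations above (the redundant nested AND, and the DC's optimizer turning an AND with an OR inside it into an OR of ANDs) can be checked mechanically. The Python below is an added example, not code from this thread or from .NET: it parses RFC 4515 filter strings and applies the two rewrites. The filter strings are the ones quoted in the thread; the lax Active Directory form `(!attr=value)` without inner parentheses is accepted because AD accepts it, and it is rendered back in the strict `(!(attr=value))` form, so a rendered filter is equivalent to, not byte-identical with, Michael's hand-written version.

```python
"""Parse RFC 4515 LDAP filters and apply the two rewrites discussed above:
flattening a nested AND/OR and distributing an OR over an enclosing AND."""

from __future__ import annotations

import itertools
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Item:
    """A single attribute-value assertion such as samaccountname=a*."""
    text: str

    def render(self) -> str:
        return f"({self.text})"


@dataclass
class Node:
    """Compound filter: '&' (AND), '|' (OR) or '!' (NOT) over children."""
    op: str
    children: List["Filter"]

    def render(self) -> str:
        return "(" + self.op + "".join(c.render() for c in self.children) + ")"


Filter = Union[Item, Node]


def parse_filter(text: str) -> Filter:
    """Parse a filter. Literal parentheses inside a value must be escaped per
    RFC 4515 (\\28, \\29), so the first ')' always terminates an assertion."""
    pos = 0

    def parse() -> Filter:
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise ValueError("unterminated filter")
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children: List[Filter] = []
            if op == "!" and pos < len(text) and text[pos] != "(":
                # lax AD form (!attr=value): the operand has no own parentheses
                end = text.index(")", pos)
                children.append(Item(text[pos:end]))
                pos = end
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            if not children:
                raise ValueError(f"empty '{op}' filter")
            return Node(op, children)
        end = text.index(")", pos)
        item = Item(text[pos:end])
        pos = end + 1
        return item

    result = parse()
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return result


def flatten(f: Filter) -> Filter:
    """Merge AND-in-AND and OR-in-OR: (&(a)(&(b)(c))) -> (&(a)(b)(c))."""
    if isinstance(f, Item):
        return f
    kids = [flatten(c) for c in f.children]
    if f.op in "&|":
        merged: List[Filter] = []
        for k in kids:
            if isinstance(k, Node) and k.op == f.op:
                merged.extend(k.children)
            else:
                merged.append(k)
        return Node(f.op, merged)
    return Node(f.op, kids)


def distribute(f: Filter) -> Filter:
    """Rewrite an AND that contains OR children into an OR of ANDs, which is
    the shape the DC's query optimizer produced for the working filter."""
    if isinstance(f, Item):
        return f
    kids = [distribute(c) for c in f.children]
    if f.op != "&":
        return Node(f.op, kids)
    ors = [k for k in kids if isinstance(k, Node) and k.op == "|"]
    if not ors:
        return Node("&", kids)
    fixed = [k for k in kids if not (isinstance(k, Node) and k.op == "|")]
    branches = [Node("&", fixed + list(combo))
                for combo in itertools.product(*(o.children for o in ors))]
    return Node("|", branches)


# The two filters quoted in this thread.
WORKING = ("(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)"
           "(|(samaccountname=a*)(displayname=a*)))")
NESTED_AND = ("(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)"
              "(&(samaccountname=a*)(displayname=a*)))")

if __name__ == "__main__":
    print(flatten(parse_filter(NESTED_AND)).render())
    print(distribute(parse_filter(WORKING)).render())
```

    Running it prints the simplified AND and the OR-of-ANDs form; `distribute` handles any number of OR children (cartesian product), so it also covers filters with more than one alternative group, which is a generalisation of the single case shown in the thread.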

  • Persistent search using system.directoryservices.protocols

    My goal is to develop an application in VB.NET that monitors eDirectory
    using an LDAP persistent search. As user objects are added, moved,
    renamed and deleted in eDirectory, the program will construct an event
    notification in XML format and send it to an email account for
    processing by other programs.
    I've tried implementing the above functionality using the now
    unsupported Novell Internet Directory ActiveX control (NWIDir), which
    supports a PersistentSearch method and change notification via a
    DirectoryModified event. But I have found that it will only run for a few
    minutes and then crashes, either when run in the VB6 IDE or as an
    executable. Since these ActiveX controls are now unsupported (a
    real shame, since they offer AMAZING functionality and INCREDIBLE ease
    of use), I decided to go with a pure VB.NET solution.
    I settled on using the System.DirectoryServices.Protocols namespace
    and have tried to implement a persistent search with the following code:
    Dim error_message As String = ""
    Dim ldapcon As LdapConnection = LDAP_Connect(error_message)
    If ldapcon Is Nothing Then
        'Failed to connect to the ldap server.
        MessageBox.Show("Failed to connect to ldap server, Exception: " & error_message)
        Exit Sub
    End If
    Dim attributesList() As String = {"cn", "SSN", "sn", "givenname", "initials", "l", "ou", "telephonenumber",
        "facsimiletelephonenumber", "title", "description", "uid", "logindisabled", "logintime",
        "passwordexpirationtime", "passwordexpirationinterval"}
    'Control value: SEQUENCE { changeTypes INTEGER, changesOnly BOOLEAN, returnECs BOOLEAN }
    Dim ctrlData As Byte() = BerConverter.Encode("{ibb}", New Object() {1, True, True})
    'Persistent search control, marked critical
    Dim persistentSearchControl As New DirectoryControl("2.16.840.1.113730.3.4.3", ctrlData, True, True)
    Dim searchRequest As New SearchRequest("o=oes", "(&(objectclass=inetorgperson)(cn=*))",
        System.DirectoryServices.Protocols.SearchScope.Subtree, attributesList)
    searchRequest.Controls.Add(persistentSearchControl)
    Dim asyncCallBack As New AsyncCallback(AddressOf PersistentSearchCallBack)
    Dim timeSpan As New TimeSpan(1, 0, 0, 0, 0)
    ldapcon.BeginSendRequest(searchRequest, timeSpan, PartialResultProcessing.ReturnPartialResults, asyncCallBack, searchRequest)
    Here's my async callback subroutine definition:
    Sub PersistentSearchCallBack(ByVal ar As IAsyncResult)
    End Sub
    Here's my function library that I developed for connecting to
    eDirectory via SSL just for reference:
    Function LDAP_Connect(ByRef Error_Message As String) As LdapConnection
        'This function connects to an LDAP server and returns an LDAPConnection object.
        'If a connection cannot be established, the function will return Nothing, and the
        'Error_Message parameter will be set to the error returned by the LDAP server.
        Error_Message = ""
        Try
            Dim ldapcon As LdapConnection = New LdapConnection(
                New LdapDirectoryIdentifier(LDAP_Server_IP & ":" & LDAP_Port),
                New System.Net.NetworkCredential(LDAP_Authentication_DN, ldap_Password))
            ldapcon.SessionOptions.SecureSocketLayer = True
            ldapcon.SessionOptions.VerifyServerCertificate = New VerifyServerCertificateCallback(AddressOf ServerCallback)
            ldapcon.AuthType = AuthType.Basic
            ldapcon.Bind()
            Return ldapcon
        Catch ex As Exception
            'Failed to bind to ldap server.
            Error_Message = ex.Message.ToString
            Return Nothing
        End Try
    End Function
    Public Function ServerCallback(ByVal connection As LdapConnection,
                                   ByVal certificate As System.Security.Cryptography.X509Certificates.X509Certificate) As Boolean
        'Validate that the exchanged public keys match each other (pins the expected server certificate).
        Try
            Dim expectedCert As X509Certificate = New X509Certificate(LDAP_SSL_Certificate)
            If expectedCert.GetRawCertDataString = certificate.GetRawCertDataString Then
                Return True
            Else
                Return False
            End If
        Catch ex As Exception
            'Certificate could not be loaded.
            Return False
        End Try
    End Function
    When I run the code, I get the following error message:
    The server does not support the control. The control is
    critical.
    Any help from someone who has successfully done an LDAP persistent
    search against eDirectory using the System.DirectoryServices.Protocols
    namespace would be greatly appreciated; I've been trying to figure this
    out in my spare time for a few weeks now. Thanks in advance!
    jstaffor
    jstaffor's Profile: http://forums.novell.com/member.php?userid=18218
    View this thread: http://forums.novell.com/showthread.php?t=414012

    On 6/23/2010 8:03 AM, Michael Bell wrote:
    > On 6/23/2010 7:06 AM, jstaffor wrote:
    > That error is telling you plain and simple the control you want to use
    > doesn't exist in the RootDSE.
    Also see,
    http://www.novell.com/documentation/...a/agpcvpg.html
    You have to enable persistent searches.
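    The control the replies are about is built in the poster's code by `BerConverter.Encode("{ibb}", New Object() {1, True, True})`. The Python below is an added example, not code from this thread or from Novell: it hand-encodes that same control value in DER, decodes it back, and performs the RootDSE check Michael Bell describes against a constructed `supportedControl` list (the two OIDs in that list are the real paged-results and server-side-sort control OIDs, chosen so that the sample server does not advertise persistent search). The changeTypes bit names come from the persistent-search draft: with `1` the control only subscribes to additions, while delete, modify and modDN are separate bits.

```python
"""Encode/decode the LDAP persistent search request control value
(OID 2.16.840.1.113730.3.4.3) and check whether a server advertises it."""

from typing import List, Tuple

PERSISTENT_SEARCH_OID = "2.16.840.1.113730.3.4.3"

# changeTypes bit mask from draft-ietf-ldapext-psearch
CHANGE_ADD, CHANGE_DELETE, CHANGE_MODIFY, CHANGE_MODDN = 1, 2, 4, 8
ALL_CHANGES = CHANGE_ADD | CHANGE_DELETE | CHANGE_MODIFY | CHANGE_MODDN


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """INTEGER (tag 0x02) for a non-negative value. Sizing the body as
    (bits + 8) // 8 bytes keeps the sign bit clear: 128 -> 00 80."""
    if value < 0:
        raise ValueError("only non-negative integers are needed here")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big") if value else b"\x00"
    return b"\x02" + _der_length(len(body)) + body


def der_boolean(value: bool) -> bytes:
    """BOOLEAN (tag 0x01): DER encodes TRUE as 0xFF and FALSE as 0x00."""
    return b"\x01\x01" + (b"\xff" if value else b"\x00")


def der_sequence(*elements: bytes) -> bytes:
    """SEQUENCE (tag 0x30) wrapping already-encoded elements."""
    body = b"".join(elements)
    return b"\x30" + _der_length(len(body)) + body


def encode_persistent_search(change_types: int, changes_only: bool, return_ecs: bool) -> bytes:
    """PersistentSearch ::= SEQUENCE { changeTypes INTEGER,
                                      changesOnly BOOLEAN, returnECs BOOLEAN }"""
    if not 0 <= change_types <= ALL_CHANGES:
        raise ValueError("changeTypes must be a mask of add/delete/modify/modDN")
    return der_sequence(der_integer(change_types),
                        der_boolean(changes_only),
                        der_boolean(return_ecs))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def decode_persistent_search(data: bytes) -> Tuple[int, bool, bool]:
    """Inverse of encode_persistent_search; rejects anything but {i,b,b}."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected a single SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x02, 0x01, 0x01]:
        raise ValueError("expected INTEGER, BOOLEAN, BOOLEAN")
    change_types = int.from_bytes(fields[0][1], "big", signed=True)
    return change_types, fields[1][1] != b"\x00", fields[2][1] != b"\x00"


def describe_change_types(mask: int) -> List[str]:
    names = {CHANGE_ADD: "add", CHANGE_DELETE: "delete",
             CHANGE_MODIFY: "modify", CHANGE_MODDN: "modDN"}
    return [name for bit, name in names.items() if mask & bit]


def server_supports(supported_controls: List[str], oid: str) -> bool:
    """The check from the reply: is the OID listed in RootDSE supportedControl?"""
    return oid in supported_controls


# Constructed sample of a RootDSE supportedControl attribute: paged results
# and server-side sort are advertised, persistent search is not.
SAMPLE_SUPPORTED_CONTROLS = ["1.2.840.113556.1.4.319", "1.2.840.113556.1.4.473"]

if __name__ == "__main__":
    value = encode_persistent_search(CHANGE_ADD, True, True)  # the poster's {1, True, True}
    print(value.hex(), describe_change_types(CHANGE_ADD))
    print("advertised:", server_supports(SAMPLE_SUPPORTED_CONTROLS, PERSISTENT_SEARCH_OID))
```

    Because the control is sent with criticality set, a server whose RootDSE does not list the OID must fail the whole operation rather than silently run a plain search, which is exactly the "The server does not support the control. The control is critical." result the poster saw.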

  • AD FS in Forest Root Domain

    I have an AD FS 2.0 server (Server 2012) in my forest root domain. My user domain is a child domain within that forest. I am unable to find any documentation that tells me if I need to do any further configuration to have it authenticate users from the child
    domain or if that should just magically happen because of the parent-child trust relationship.
    Upon rebuilding the server again and making sure that the server name and the pool name were different so I could create the proper SPN entries, I am now unable to access my server using any of the AD FS URLs. It will prompt me for my credentials 3 times
    and then tell me I am not authorized. I have been searching on the web but have been unable to find the solution. I have made DNS changes, added http SPN entries, changed the authentication settings on IIS... I am stuck. Any help would be great.

    I have been using the "AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation".
    I am trying to federate with a different organization where I am the IP and I have no control over the SAML 2.0 side... That being said, I changed my DNS and now I can get to my server using the IDPInitiatedlogon URL. When I run
    through the URL that bounces me between the other organization and then back to my AD FS server... I get stuck in a loop where it asks me for credentials 3 times and then tells me I am "Not Authorized".
    Here is a bit of the fiddler trace:
    https://<other-org-adfs>/adfs/ls/?wtrealm=urn:ca:bc:gov:sfs&wa=wsignin1.0&whr=https://<my-org-adfs>/adfs/services/trust
    http://<my-org-adfs>:443
    http://<my-org-adfs>:443
    http://<my-org-adfs>:443
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    http://<my-org-adfs>:443
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    http://<my-org-adfs>:443
    It seems to be stuck looping between /adfs/ls and /adfs/ls/auth/integrated . It then times out and gives me the error in the browser.

  • Technical system in SLD for Exchange Infrastructure prod entry deleted

    Hello,
    Technical system in SLD for Exchange Infrastructure does not have any entries.
    Integration server entry is also not existing.
    adapter engine, domain, integration server, integration directory, integration repository, rwb do not exist.
    My main concern is there is no entry for Integration Server - how can I get back this entry . I restarted J2EE engine from NWA but still I am not able to see Integration server entry under Exchange Infrastructure technical system.
    I also did RZ70 but no use.
    Please suggest.

    Hi
    One of the steps, when applying note #764176, is to delete all 6 of these entries in the SLD. So deleting the entries is not a big problem. These entries should be automatically created when you have successfully completed all the steps in note #764176. So, I'd recommend to apply all steps in this note.
    Also, ensure the system is consistently patched i.e. ABAP, Java and XI components must be on the same SP level. An inconsistently patched system is another possible cause of this error.
    What happens when you run the SLDCHECK transaction? Do you see errors here?
    Regards
    Mark

  • How to collect info in AD about operational system, installed on all computers in AD domain?

    The problem is to collect info in AD about operational system, installed on all computers in AD domain?

    In addition this is a nice article which covers your needs with good explanation:
    Count the number of Windows XXX computers with PowerShell and Active Directory
    How to query members of 'Local Administrators' group in all computers?

  • Query/Enumerate eDirectory in Powershell via System.DirectoryServices

    Hello Scripting Guy,
        I have been tasked with taking a .Net program/project and converting it to PowerShell.  The .Net program exported three sources of information and inserts those exports into a SQL database for multiple functions and reasons. 
    The three sources are AD, eDirectory, and PeopleSoft.  The AD was simple with the "Module for Active Directory" and "SQLPS".  Now, I need to connect to eDirectory via LDAP and query the source.  I am able to connect/bind
    to the eDirectory and search but I need to enumerate the directory and insert that into a SQL table.  Given the logic I have developed for AD, it will be no problem inserting the records into SQL but I have not found anything to get me over the hurdle
    of enumerating the directory.  Below is the code that I found to successfully connect with eDirectory and perform a search.  Thank you.
    Connection Setup
    $eDir = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier('1.2.3.4','389')
    $eDirCreds = New-Object System.Net.NetworkCredential('cn=ConnectID,o=Home','MyConnectPS')
    $ED = New-Object System.DirectoryServices.Protocols.LdapConnection($eDir,$eDirCreds)
    $ED.SessionOptions.SecureSocketLayer = $False
    $ED.AuthType = 'Basic'
    $ED.Bind();
    Search eDirectory records
    $SearchScope = [System.DirectoryServices.Protocols.SearchScope]::SubTree
    $SearchAttributeList = ,"*"   # <--- Not quite sure why the "," precedes the "*" (the unary comma builds a one-element array)
    $SearchBaseDN = "o=Home"
    $SearchFilter = "(uid=SomeUser)"
    $SearchReq = new-object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $SearchBaseDN,$SearchFilter,$SearchScope,$SearchAttributeList
    $SR = $ED.SendRequest($SearchReq)
        $SR displays ResultCode of success found or not found but if found contains DN in the "Entries" field.
    MatchedDN    :
    Controls     : {}
    ResultCode   : Success
    ErrorMessage :
    Referral     : {}
    References   : {}
    Entries      : {cn=MyID,ou=OU1,ou=OU2,o=Home}
    RequestId    :

    I found my answer via this link at the Script Library:
    ---http://www.thescriptlibrary.com/Default.asp?Action=Display&Level=Category3&ScriptLanguage=Powershell&Category1=Active%20Directory&Category2=User%20Accounts&Title=Scripting%20Ldap%20Searches%20using%20PowerShell---
    In answer to your question JRV, I wanted to perform a LDAP query for all directory ENTRIES in the eDirectory LDAP and then process the results into a SQL destination.  The LDAP search that I was successful with only returned the success or fail
    of finding a single object that I search for not the entire LDAP directory.
    There was also an unanswered post from 2007 under the subject of "querying Edirectory using System.DirectoryServices.Protocols" that I was referred to when I filled the subject to this question.  It went unanswered
    and acknowledged for two years.
    Here is the code and a small sample of data so that it may help others.  The GetType() for $SearchResults returns as a System.Array with a sub System.Array as the Properties column.  Also code to handle the results.
    #Load Support Modules and Assemblies
    Import-Module ActiveDirectory
    Import-Module SQLPS -DisableNameChecking
    Add-Type -AssemblyName System.DirectoryServices
    #Setup eDirectory Connection Variables
    $eDirPath = 'LDAP://1.1.1.1:389/o=home'   # whatever the eDir path is
    $eDirUser = 'cn=MyLDAPID,o=Home'          # DN of the UID
    $eDirPWD = 'MyLDAPPWD'
    $eDIrAuthType = 'None'                    # equates to basic
    #Establish eDirectory Connection and Enumerate
    $Root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $eDirPath,$eDirUser,$eDirPWD,$eDIrAuthType
    $Query = New-Object System.DirectoryServices.DirectorySearcher
    $Query.SearchRoot = $Root
    $Query.Filter = "(ObjectClass=Person)"    # or whatever LDAP query you want
    $SearchResults = $Query.FindAll()
    Path Properties
    LDAP://1.1.1.1:389/cn=Account1,o=home {loginshell, telephonenumber, uniqueid, securityequals...}
    LDAP://1.1.1.1:389/cn=Account2,o=home {loginshell, telephonenumber, uniqueid, securityequals...}
    LDAP://1.1.1.1:389/cn=Account3,o=home {loginshell, uniqueid, securityequals, gidnumber...}
    #For processing each entry in the results
    ForEach ($Result in $SearchResults) {
        #Convert object to utilize named values like CN, SN, UniqueID
        $eDirObject = [PSCustomObject]$Result.Properties
        # $(...) is needed so the property, not just the variable, is expanded inside the string
        Write-Host "$($eDirObject.cn) $($eDirObject.sn) $($eDirObject.UniqueID)"
    }
