Subject: [ActiveDir] Issues with System.DirectoryServices
josephisenhour, 05/10/2007 6:25 AM
I am indeed. I'm calling it in the Finally block and I've confirmed
that it is getting called. I agree it doesn't seem like a big deal. I
use a lot of the win32 ds functions and have never had an issue until
now.

Here's the actual code. Does anything jump out at you?

public static string GetAddressToSiteName(string IPAddress, string DomainController)
{
    IntPtr pSites = new IntPtr();
    IntPtr pSockAddr;
    IntPtr pSiteName;
    IntPtr pNetworkType = new IntPtr();

    try
    {
        // Determine the site using the IP address
        int rc;

        string siteName;

        SOCKET_ADDRESS[] oSocketAddresses = new SOCKET_ADDRESS[1];
        SockAddr oSocketAddr = new SockAddr();
        System.Int32 oSocketSize = Convert.ToInt32(Marshal.SizeOf(oSocketAddr));

        rc = WSAStringToAddress(
            IPAddress,
            System.Net.Sockets.AddressFamily.InterNetwork,
            pNetworkType,
            ref oSocketAddr,
            ref oSocketSize);
        WSACleanup();

        pSockAddr = Marshal.AllocHGlobal(Marshal.SizeOf(oSocketAddr));

        Marshal.StructureToPtr(oSocketAddr, pSockAddr, true);
        oSocketAddresses[0].lpSockaddr = pSockAddr;
        oSocketAddresses[0].iSockaddrLength = Marshal.SizeOf(oSocketAddr);
        Marshal.Release(pSockAddr);
        rc = DsAddressToSiteNames(DomainController, 1, oSocketAddresses, ref pSites);

        pSiteName = Marshal.ReadIntPtr(pSites, 0);
        siteName = Marshal.PtrToStringAuto(pSiteName);

        return siteName;
    }
    catch(Exception x)
    {
        throw new System.Exception();
    }
    finally
    {
        NetApiBufferFree(pSites);
    }
}

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ryan Dunn
Sent: Thursday, May 10, 2007 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Issues with System.DirectoryServices

That function doesn't look too risky... are you remembering to call
NetApiBufferFree?

On 5/10/07, Isenhour, Joseph wrote:
> Think I found it. It looks like it doesn't have anything to do with
> SDS although the end result is SDS not working.
>
> I wrote a .NET wrapper for the win32 DsAddressToSiteNames function.
>
> private static extern int DsAddressToSiteNames
>
> It looks like the error occurs after this code is executed several
> times. I'm trying to be a good .NET developer and free up my
> unmanaged resources in a finally statement; however, it appears that
> I'm missing something.
>
> Does anyone know of a Microsoft supported .NET method that will give
> me the same functionality as DsAddressToSiteNames?
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
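
An added example, not code from anyone in the thread: one way to wrap DsAddressToSiteNames so that each unmanaged buffer is released by its matching allocator (Marshal.FreeHGlobal for the AllocHGlobal block, NetApiBufferFree for the returned site array) and the return code is checked before the result is read. It fills in the sockaddr_in by hand, so it needs neither WSAStringToAddress nor WSACleanup. Assumptions: the class and method names are hypothetical and only IPv4 addresses are handled.

```csharp
using System;
using System.ComponentModel;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;

// Added example; SiteLookup and GetSiteNameForAddress are hypothetical names.
public static class SiteLookup
{
    [StructLayout(LayoutKind.Sequential)]
    private struct SOCKET_ADDRESS
    {
        public IntPtr lpSockaddr;     // pointer to a sockaddr structure
        public int iSockaddrLength;   // size of that structure in bytes
    }

    private const int SockaddrInSize = 16;  // sizeof(sockaddr_in)
    private const short AF_INET = 2;

    [DllImport("netapi32.dll", EntryPoint = "DsAddressToSiteNamesW", CharSet = CharSet.Unicode)]
    private static extern int DsAddressToSiteNames(
        string computerName,
        int entryCount,
        [In] SOCKET_ADDRESS[] socketAddresses,
        out IntPtr siteNames);

    [DllImport("netapi32.dll")]
    private static extern int NetApiBufferFree(IntPtr buffer);

    // Returns the site name for an IPv4 address, or null if the address maps to no site.
    public static string GetSiteNameForAddress(string ipAddress, string domainController)
    {
        IPAddress parsed = IPAddress.Parse(ipAddress);
        if (parsed.AddressFamily != AddressFamily.InterNetwork)
            throw new ArgumentException("Only IPv4 addresses are handled in this example.", "ipAddress");

        IntPtr pSockAddr = IntPtr.Zero;
        IntPtr pSites = IntPtr.Zero;
        try
        {
            // Build sockaddr_in in unmanaged memory: family, port (0), address, padding.
            pSockAddr = Marshal.AllocHGlobal(SockaddrInSize);
            for (int i = 0; i < SockaddrInSize; i++)
                Marshal.WriteByte(pSockAddr, i, 0);
            Marshal.WriteInt16(pSockAddr, 0, AF_INET);

            byte[] addressBytes = parsed.GetAddressBytes();  // already in network byte order
            for (int i = 0; i < addressBytes.Length; i++)
                Marshal.WriteByte(pSockAddr, 4 + i, addressBytes[i]);

            SOCKET_ADDRESS[] addresses = new SOCKET_ADDRESS[1];
            addresses[0].lpSockaddr = pSockAddr;
            addresses[0].iSockaddrLength = SockaddrInSize;

            int rc = DsAddressToSiteNames(domainController, 1, addresses, out pSites);
            if (rc != 0)
                throw new Win32Exception(rc);  // pSites is not valid on failure

            // The result is an array of string pointers, one per input address.
            IntPtr pSiteName = Marshal.ReadIntPtr(pSites, 0);
            return pSiteName == IntPtr.Zero ? null : Marshal.PtrToStringUni(pSiteName);
        }
        finally
        {
            // Each buffer goes back to the allocator it came from, and only after
            // the native call that reads it has returned.
            if (pSites != IntPtr.Zero)
                NetApiBufferFree(pSites);
            if (pSockAddr != IntPtr.Zero)
                Marshal.FreeHGlobal(pSockAddr);
        }
    }
}
```
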
joe, 05/10/2007 11:52 AM
I don't immediately see the problem here. One thing that bothers me is that
there should be a way to do this with SDS.AD. However, I didn't see an
obvious way to do it. It seems like a shortcoming in the API that should be
addressed. However, I might just be missing it.

Joe K.

joe, 05/10/2007 11:53 AM
You could try something like this. I've done similar things.

I noticed in your other branch of this thread that this turns out to not
look like the issue after all, but this is still likely a good idea.

Joe K.

----- Original Message -----
From: "Isenhour, Joseph"
To:
Sent: Thursday, May 10, 2007 12:14 PM
Subject: RE: [ActiveDir] Issues with System.DirectoryServices
Thanks Joe,

So maybe I do need to persist the connections somehow. I do use a
single account (well one per forest) to do all of my LDAP operations.

So how about something like this:

protected void Application_Start(Object sender, EventArgs e)
{
    string[] domainNames = {"domain1.net", "domain2.net" };
    System.Collections.Hashtable domains = new Hashtable();

    foreach( string domainName in domainNames )
    {
        System.DirectoryServices.DirectoryEntry d = new System.DirectoryServices.DirectoryEntry();

        d.Path = string.Format("LDAP://{0}/DC={1}", domainName, domainName.Replace(".", ",DC="));
        d.Username = SAMTools.GetSvcID( domainName );
        d.Password = SAMTools.GetSvcPass( domainName );
        d.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
        d.RefreshCache();

        domains.Add( domainName, d );
    }
}

What if I add this to the Global.asax Application_Start? Will that
possibly cache my connections and allow all new sessions to re-use them?

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Joe Kaplan
Sent: Wednesday, May 09, 2007 8:25 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Issues with System.DirectoryServices

This is important stuff to know. If there are different user identities
accessing the directory, ADSI will open up a new connection for each
one.
That is by design and is just the way that ADSI works. That makes it
difficult to get lots of scalability with apps that use an impersonation
model.

However, if he's seeing 80 connections for just one user when the
expectation is that there are only 6 forests to connect to, that would
seem to indicate that connections aren't getting reused and connection
caching isn't working as expected. That could cause problems.

Ryan suggested earlier to make sure the Dispose is being called
religiously so that the underlying ADSI objects are being cleaned up
right when you are done with them and not waiting around for garbage
collection. This is a good idea, although not as important as it was in
.NET 1.x where there were bugs that caused ADSI COM objects to not get
cleaned up if you failed to call Dispose. At least now, the GC will
eventually get around to it, just maybe not as quickly as you'd like.

However, the downside of calling Dispose or Close is that if no other
ADSI objects are also using that LDAP connection, it will close it. In
general that is a good thing because you want your connections closed
when you are done with them. The problem comes in when moments later, a
new web request comes in and the site code causes new connections to be
opened instead of reusing one that is already open. If the opening and
closing happens over and over again, you'll eventually run out of TCP
wildcard ports and will get errors. This is because once the TCP port
closes, it will sit in "time wait" for 60 seconds and won't be available
for new connections until it releases.

It isn't totally clear to me that this is the issue, but it sounds like
it might be. It is pretty difficult to diagnose in my experience.

One thing you can do programmatically is to try to make sure your LDAP
connections stay open so that ADSI will reuse them. If you use a single
set of credentials for all of your access, then you can sometimes
accomplish this by opening up connections in something like the
application_start event and sticking the DirectoryEntry objects into
static variables or something so they won't be collected.

I hope that helps a bit more.

Joe K.

----- Original Message -----
From: "Ryan Dunn"
To:
Sent: Wednesday, May 09, 2007 1:15 PM
Subject: Re: [ActiveDir] Issues with System.DirectoryServices
> We need more information here. How are you creating the connections?
> For example, show us how you are constructing your DirectoryEntry
> objects. What is the security context of the application? the
> user's? a trusted subsystem? impersonated?
>
> On 5/9/07, Isenhour, Joseph wrote:
>> I'm actually seeing around 80 LDAP connections. The app is talking to 6
>> different forests so I'd expect to see around 6 to 10 connections.
>>
>> The app is a C# web form so many users will be hitting it at any given
>> time. Right now I'm the only one hitting it and it's taking 80
>> connections. Is there any way to ensure that the connections either get
>> re-used or at least get closed immediately after the objects are
>> disposed?
>>
>> -----Original Message-----
>> From: ActiveDir-owner@mail.activedir.org
>> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Joe Kaplan
>> Sent: Tuesday, May 08, 2007 7:45 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] Issues with System.DirectoryServices
>>
>> Another thing that can happen here is the dreaded ADSI connection
>> caching issue where you run out of wild card ports. If netstat shows a
>> lot of ports sitting in "time wait" status, that could be the issue.
>> This is often the problem when you see somewhat random ADSI failures in
>> code that was working fine before but where many ADSI calls were being
>> made.
>>
>> Joe K.
>>
>> ----- Original Message -----
>> From: "Ryan Dunn"
>> To:
>> Sent: Tuesday, May 08, 2007 7:25 PM
>> Subject: Re: [ActiveDir] Issues with System.DirectoryServices
>>
>>
>> > Oh, I should also mention that anytime you access a method or property
>> > that returns a DirectoryEntry, you are also responsible for disposing
>> > of it. This can be a gotcha. So this code might leak:
>> >
>> > DirectoryEntry entry = new DirectoryEntry(...);
>> > DirectoryEntry parent = entry.Parent;
>> > //do something with Parent
>> > entry.Dispose(); //what about parent?
>> >
>> > Here is an even more insidious one:
>> >
>> > Console.WriteLine(entry.Parent.Path);
>> >
>> > Most people will forget to call entry.Parent.Dispose() since it is not
>> > a local variable.
>> >
>> > How to fix:
>> >
>> > DirectoryEntry entry = new DirectoryEntry(...);
>> > DirectoryEntry parent = entry.Parent;
>> >
>> > using (entry)
>> > using (parent)
>> > {
>> > // do stuff
>> > }// both are disposed here for you...
>> >
>> > Remember, this applies to *any* method or Property that returns a
>> > DirectoryEntry. So be wary of DirectorySearcher.GetDirectoryEntry()
>> > and also DirectoryEntry.Children.Add for instance.
>> >
>> >
>> >
>> > On 5/8/07, Isenhour, Joseph wrote:
>> >>
>> >>
>> >>
>> >> I have a web app that I'm developing that seems to be having issues with
>> >> System.DirectoryServices. The app uses S.DS pretty heavily and it plugs
>> >> along just fine for a while but then all of the sudden anything that calls
>> >> S.DS simply fails. I then have to restart IIS in order for it to begin
>> >> working again. I'm assuming that I'm using up some resource within S.DS and
>> >> never freeing it; however, I don't know of any good way to figure out which
>> >> resource I'm exhausting.
>> >>
>> >> I've gone through and looked at all of my DirectoryEntry and
>> >> DirectorySearcher objects and have ensured that I'm calling .Close and
>> >> .Dispose when I'm done with them. It's possible that I'm leaving the
>> >> objects open but I don't really know how to tell. Does anyone know of a
>> >> good tool or method that I can use to troubleshoot S.DS?

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
joeUser is Offline

Posts:106

05/11/2007 2:51 AM  
I'm not Mr. Joeware (that's the other joe :)), but I could see that approach
potentially working. Would it also be possible to use the classes in SDSAD to
enumerate sites based on subnets? I didn't see a way to use IP addresses
directly, but the support for subnets seems to be in there in a reasonable
way.

Joe K. (not Richards)

----- Original Message -----
From: "Isenhour, Joseph"
To:
Sent: Friday, May 11, 2007 11:49 AM
Subject: RE: [ActiveDir] Issues with System.DirectoryServices
I just realized that the DsAddressToSiteNames calls are failing anyway.
I looked in the documentation and DsAddressToSiteNames does not allow
you to pass a user name and password. I'm dealing with a multi-forest
environment and we have a policy of not synching passwords across
forests.

So... Mr. joeware, I found this cool utility called ATSN.exe that seems
to do exactly what I'm trying to do.

What do you think about this solution:

- Set up a scheduled task on each of my forest admin servers that
queries AD for a list of servers and then does a DNS lookup on each.
I'll then put that data into an input text file. (I have around 1000
servers per forest)

- Kick off ATSN.exe to gather the site info for each server.

- Set up a SQL job to go out to each server and pick up my file once or
twice a day.

What do you think? Too clunky?

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Joe Kaplan
Sent: Thursday, May 10, 2007 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Issues with System.DirectoryServices

I don't immediately see the problem here. One thing that bothers me is
that there should be a way to do this with SDS.AD. However, I didn't
see an obvious way to do it. It seems like a shortcoming in the API
that should be addressed. However, I might just be missing it.

Joe K.

----- Original Message -----
From: "Isenhour, Joseph"
To:
Sent: Thursday, May 10, 2007 5:25 PM
Subject: RE: [ActiveDir] Issues with System.DirectoryServices
I am indeed. I'm calling it in the Finally block and I've confirmed
that it is getting called. I agree it doesn't seem like a big deal. I
use a lot of the win32 ds functions and have never had an issue until
now.

Here's the actual code. Does anything jump out at you?

public static string GetAddressToSiteName(string IPAddress, string DomainController)
{
    IntPtr pSites = new IntPtr();
    IntPtr pSockAddr;
    IntPtr pSiteName;
    IntPtr pNetworkType = new IntPtr();

    try
    {
        // Determine the site using the IP address
        int rc;

        string siteName;

        SOCKET_ADDRESS[] oSocketAddresses = new SOCKET_ADDRESS[1];
        SockAddr oSocketAddr = new SockAddr();
        System.Int32 oSocketSize = Convert.ToInt32(Marshal.SizeOf(oSocketAddr));

        rc = WSAStringToAddress(
            IPAddress,
            System.Net.Sockets.AddressFamily.InterNetwork,
            pNetworkType,
            ref oSocketAddr,
            ref oSocketSize);
        WSACleanup();
        pSockAddr = Marshal.AllocHGlobal(Marshal.SizeOf(oSocketAddr));
        Marshal.StructureToPtr(oSocketAddr, pSockAddr, true);
        oSocketAddresses[0].lpSockaddr = pSockAddr;
        oSocketAddresses[0].iSockaddrLength = Marshal.SizeOf(oSocketAddr);
        Marshal.Release(pSockAddr);
        rc = DsAddressToSiteNames(DomainController, 1, oSocketAddresses, ref pSites);

        pSiteName = Marshal.ReadIntPtr(pSites, 0);
        siteName = Marshal.PtrToStringAuto(pSiteName);

        return siteName;
    }
    catch(Exception x)
    {
        throw new System.Exception();
    }
    finally
    {
        NetApiBufferFree(pSites);
    }
}

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ryan Dunn
Sent: Thursday, May 10, 2007 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Issues with System.DirectoryServices

That function doesn't look too risky... are you remembering to call
NetApiBufferFree?

On 5/10/07, Isenhour, Joseph wrote:
> Think I found it. It looks like it doesn't have anything to do with
> SDS although the end result is SDS not working.
>
> I wrote a .NET wrapper for the win32 DsAddressToSiteNames function.
>
> private static extern int DsAddressToSiteNames
>
> It looks like the error occurs after this code is executed several
> times. I'm trying to be a good .NET developer and free up my
> unmanaged resources in a finally statement; however, it appears that
> I'm missing something.
>
> Does anyone know of a Microsoft supported .NET method that will give
> me the same functionality as DsAddressToSiteNames?
>
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Isenhour,
> Joseph
> Sent: Thursday, May 10, 2007 10:15 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Issues with System.DirectoryServices
>
> Thanks Joe,
>
> So maybe I do need to persist the connections somehow. I do use a
> single account (well one per forest) to do all of my LDAP operations.
>
> So how about something like this:
>
> protected void Application_Start(Object sender, EventArgs e) {
>
>     string[] domainNames = {"domain1.net", "domain2.net" };
>     System.Collections.Hashtable domains = new Hashtable();
>
>     foreach( string domainName in domainNames )
>     {
>         System.DirectoryServices.DirectoryEntry d = new System.DirectoryServices.DirectoryEntry();
>
>         d.Path = string.Format("LDAP://{0}/DC={1}", domainName, domainName.Replace(".", ",DC="));
>         d.Username = SAMTools.GetSvcID( domainName );
>         d.Password = SAMTools.GetSvcPass( domainName );
>         d.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
>         d.RefreshCache();
>
>         domains.Add( domainName, d );
>     }
> }
>
> What if I add this to the Global.asax Application_Start? Will that
> possibly cache my connections and allow all new sessions to re-use them?
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Joe Kaplan
> Sent: Wednesday, May 09, 2007 8:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Issues with System.DirectoryServices
>
> This is important stuff to know. If there are different user
> identities accessing the directory, ADSI will open up a new connection
> for each one.
> That is by design and is just the way that ADSI works. That makes it
> difficult to get lots of scalability with apps that use an
> impersonation model.
>
> However, if he's seeing 80 connections for just one user when the
> expectation is that there are only 6 forests to connect to, that would
> seem to indicate that connections aren't getting reused and connection
> caching isn't working as expected. That could cause problems.
>
> Ryan suggested earlier to make sure the Dispose is being called
> religiously so that the underlying ADSI objects are being cleaned up
> right when you are done with them and not waiting around for garbage
> collection. This is a good idea, although not as important as it was
> in .NET 1.x where there were bugs that caused ADSI COM objects to not
> get cleaned up if you failed to call Dispose. At least now, the GC
> will eventually get around to it, just maybe not as quickly as you'd
> like.
>
> However, the downside of calling Dispose or Close is that if no other
> ADSI objects are also using that LDAP connection, it will close it.
> In general that is a good thing because you want your connections
> closed when you are done with them. The problem comes in when moments
> later, a new web request comes in and the site code causes new connections
> to be opened instead of reusing one that is already open. If the
> opening and closing happens over and over again, you'll eventually run
> out of TCP wildcard ports and will get errors. This is because once
> the TCP port closes, it will sit in "time wait" for 60 seconds and
> won't be available for new connections until it releases.
>
> It isn't totally clear to me that this is the issue, but it sounds
> like it might be. It is pretty difficult to diagnose in my
> experience.
>
> One thing you can do programmatically is to try to make sure your LDAP
> connections stay open so that ADSI will reuse them. If you use a
> single set of credentials for all of your access, then you can
> sometimes accomplish this by opening up connections in something like
> the application_start event and sticking the DirectoryEntry objects
> into static variables or something so they won't be collected.
>
> I hope that helps a bit more.
>
> Joe K.
>
> ----- Original Message -----
> From: "Ryan Dunn"
> To:
> Sent: Wednesday, May 09, 2007 1:15 PM
> Subject: Re: [ActiveDir] Issues with System.DirectoryServices
>
>
> > We need more information here. How are you creating the connections?
> > For example, show us how you are constructing your DirectoryEntry
> > objects. What is the security context of the application? the
> > user's? a trusted subsystem? impersonated?
> >
> > On 5/9/07, Isenhour, Joseph wrote:
> >> I'm actually seeing around 80 LDAP connections. The app is talking to 6
> >> different forests so I'd expect to see around 6 to 10 connections.
> >>
> >> The app is a C# web form so many users will be hitting it at any given
> >> time. Right now I'm the only one hitting it and it's taking 80
> >> connections. Is there any way to ensure that the connections either get
> >> re-used or at least get closed immediately after the objects are
> >> disposed?
> >>

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
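
The subnet-based lookup Joe K. asks about at the top of this post, as an added example (not code from the thread or from any poster): it reads each site's subnets through System.DirectoryServices.ActiveDirectory with explicit credentials and resolves an IP by longest-prefix match. SubnetSiteMap, Entry, Load, Parse and FindSite are hypothetical names, and the subnets in Main are constructed sample data.

```csharp
// Requires a reference to System.DirectoryServices.dll for Load().
using System;
using System.Collections.Generic;
using System.DirectoryServices.ActiveDirectory;
using System.Net;

public static class SubnetSiteMap
{
    // One row per AD subnet object: network bytes, prefix length, owning site.
    public sealed class Entry
    {
        public byte[] Network;
        public int PrefixLength;
        public string SiteName;
    }

    // Reads every site and its subnets from one forest using explicit
    // credentials. Sites and subnets are IDisposable, so each is disposed.
    public static List<Entry> Load(string forestName, string user, string password)
    {
        var map = new List<Entry>();
        var ctx = new DirectoryContext(DirectoryContextType.Forest, forestName, user, password);
        using (Forest forest = Forest.GetForest(ctx))
        {
            foreach (ActiveDirectorySite site in forest.Sites)
            {
                using (site)
                {
                    foreach (ActiveDirectorySubnet subnet in site.Subnets)
                    {
                        using (subnet)
                        {
                            Entry e = Parse(subnet.Name, site.Name);
                            if (e != null) map.Add(e);
                        }
                    }
                }
            }
        }
        return map;
    }

    // Parses a subnet name in "address/prefix" form; returns null if malformed.
    public static Entry Parse(string cidr, string siteName)
    {
        string[] parts = cidr.Split('/');
        IPAddress network;
        int prefix;
        if (parts.Length != 2 || !IPAddress.TryParse(parts[0], out network)
            || !int.TryParse(parts[1], out prefix))
            return null;
        byte[] bytes = network.GetAddressBytes();
        if (prefix < 0 || prefix > bytes.Length * 8) return null;
        return new Entry { Network = bytes, PrefixLength = prefix, SiteName = siteName };
    }

    // Longest-prefix match: the most specific subnet containing the address wins.
    public static string FindSite(List<Entry> map, IPAddress address)
    {
        byte[] addr = address.GetAddressBytes();
        Entry best = null;
        foreach (Entry e in map)
        {
            if (e.Network.Length != addr.Length) continue;   // IPv4 vs IPv6
            if (!PrefixMatches(e.Network, addr, e.PrefixLength)) continue;
            if (best == null || e.PrefixLength > best.PrefixLength) best = e;
        }
        return best == null ? null : best.SiteName;
    }

    static bool PrefixMatches(byte[] network, byte[] addr, int prefixLength)
    {
        int fullBytes = prefixLength / 8;
        for (int i = 0; i < fullBytes; i++)
            if (network[i] != addr[i]) return false;
        int remBits = prefixLength % 8;
        if (remBits == 0) return true;
        int mask = (0xFF << (8 - remBits)) & 0xFF;
        return (network[fullBytes] & mask) == (addr[fullBytes] & mask);
    }

    public static void Main()
    {
        // Constructed sample data standing in for what Load() would return.
        var map = new List<Entry>
        {
            Parse("10.0.0.0/8", "HQ"),
            Parse("10.20.0.0/16", "Branch-East"),
            Parse("192.168.5.0/24", "Lab"),
        };
        Console.WriteLine(FindSite(map, IPAddress.Parse("10.20.3.4")));
        Console.WriteLine(FindSite(map, IPAddress.Parse("172.16.0.1")) ?? "(no site)");
    }
}
```

Loading the map once per forest and matching in memory means the per-address lookups open no further connections.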
dunnryUser is Offline

Posts:0

05/11/2007 3:28 AM  
I didn't get a chance to look into your code too much, but nothing
popped out at me. You say that it was failing anyway. When you say
it is failing, is it giving you an error message?

One other thing that comes to mind looking at your code: Are you
running this in a tight loop here? That is, are you calling this one
time per IP address (which is what it looks like to me)? That would
indeed be a reason for a very high socket count. It would be opening
up an RPC session for each call. If you notice, it takes an array of
socket addresses so you can batch the call with multiple IP addresses
there. That would put the calls down to exactly 1 or 2 per forest.

As far as your idea with ATSN goes, it sounds reasonable (though being
a programmer I would of course choose your first method). You realize
that ATSN is just a wrapper around the same API call right? So... if
it is not working when you do it, and assuming you wrote your wrapper
correctly, then it would not be working with the ATSN tool either.

On 5/11/07, Isenhour, Joseph wrote:
> I just realized that the DsAddressToSiteNames calls are failing anyway.
> I looked in the documentation and DsAddressToSiteNames does not allow
> you to pass a user name and password. I'm dealing with a multi-forest
> environment and we have a policy of not synching passwords across
> forests.
>
> So... Mr. joeware, I found this cool utility called ATSN.exe that seems
> to do exactly what I'm trying to do.
>
> What do you think about this solution:
>
> - Set up a scheduled task on each of my forest admin servers that
> queries AD for a list of servers and then does a DNS lookup on each.
> I'll then put that data into an input text file. (I have around 1000
> servers per forest)
>
> - Kick off ATSN.exe to gather the site info for each server.
>
> - Set up a SQL job to go out to each server and pick up my file once or
> twice a day.
>
> What do you think? Too clunky?
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
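
Ryan's batching suggestion in the post above, as an added example (not the poster's wrapper and not code from ATSN): one DsAddressToSiteNames call carries every address for a forest, and both unmanaged buffers are freed in the finally block. The P/Invoke declarations and the names SiteLookup, BuildSockaddrIn and GetSiteNames are this example's own, since the thread shows only the first line of the original declaration; the addresses in Main are constructed.

```csharp
using System;
using System.ComponentModel;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;

public static class SiteLookup
{
    [StructLayout(LayoutKind.Sequential)]
    struct SOCKET_ADDRESS
    {
        public IntPtr lpSockaddr;
        public int iSockaddrLength;
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, EntryPoint = "DsAddressToSiteNamesW")]
    static extern int DsAddressToSiteNames(string computerName, int entryCount,
        [In] SOCKET_ADDRESS[] socketAddresses, out IntPtr siteNames);

    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buffer);

    const int SockaddrInSize = 16;

    // Lays out a sockaddr_in by hand: family, port, IPv4 address, 8 zero bytes.
    public static byte[] BuildSockaddrIn(IPAddress address)
    {
        if (address.AddressFamily != AddressFamily.InterNetwork)
            throw new ArgumentException("This example handles IPv4 only.", "address");
        byte[] sa = new byte[SockaddrInSize];
        sa[0] = 2;                                   // AF_INET (little-endian short)
        Buffer.BlockCopy(address.GetAddressBytes(), 0, sa, 4, 4); // network order
        return sa;                                   // port and padding stay zero
    }

    // Resolves all addresses in a single call. A null element means the
    // address did not map to any known site.
    public static string[] GetSiteNames(string domainController, IPAddress[] addresses)
    {
        int n = addresses.Length;
        if (n == 0) return new string[0];

        IntPtr block = Marshal.AllocHGlobal(n * SockaddrInSize);
        IntPtr pSites = IntPtr.Zero;
        try
        {
            var entries = new SOCKET_ADDRESS[n];
            for (int i = 0; i < n; i++)
            {
                IntPtr p = IntPtr.Add(block, i * SockaddrInSize);
                Marshal.Copy(BuildSockaddrIn(addresses[i]), 0, p, SockaddrInSize);
                entries[i].lpSockaddr = p;
                entries[i].iSockaddrLength = SockaddrInSize;
            }

            int rc = DsAddressToSiteNames(domainController, n, entries, out pSites);
            if (rc != 0) throw new Win32Exception(rc);

            // pSites points to an array of n string pointers.
            var result = new string[n];
            for (int i = 0; i < n; i++)
            {
                IntPtr pName = Marshal.ReadIntPtr(pSites, i * IntPtr.Size);
                result[i] = pName == IntPtr.Zero ? null : Marshal.PtrToStringUni(pName);
            }
            return result;
        }
        finally
        {
            // One NetApiBufferFree releases the whole returned array.
            if (pSites != IntPtr.Zero) NetApiBufferFree(pSites);
            // AllocHGlobal memory is released with FreeHGlobal;
            // Marshal.Release is for COM interface pointers.
            Marshal.FreeHGlobal(block);
        }
    }

    public static void Main(string[] args)
    {
        // Constructed sample addresses.
        IPAddress[] addrs = { IPAddress.Parse("10.20.3.4"), IPAddress.Parse("192.168.5.9") };
        Console.WriteLine(BitConverter.ToString(BuildSockaddrIn(addrs[0])));

        // Pass a domain controller name as the first argument to do the lookup.
        if (args.Length == 0) return;
        string[] sites = GetSiteNames(args[0], addrs);
        for (int i = 0; i < addrs.Length; i++)
            Console.WriteLine("{0} -> {1}", addrs[i], sites[i] ?? "(no site)");
    }
}
```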
listmailUser is Offline

Posts:822

05/11/2007 10:48 AM  
ATSN is a wrapper around DsAddressToSiteNamesEx. But pretty much the same
thing. Interestingly, I have seen this work both in cases where the ID being
used was valid in the forest and not valid in the forest. I have also seen
it fail before sometimes when the ID wasn't valid; I didn't have an
opportunity to do a trace to figure out why it would work sometimes when it
couldn't be authed but it could other times.

joe (the joeware one...)
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ryan Dunn
Sent: Friday, May 11, 2007 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Issues with System.DirectoryServices

I didn't get a chance to look into your code too much, but nothing
popped out at me. You say that it was failing anyway. When you say
it is failing, is it giving you an error message?

One other thing that comes to mind looking at your code: Are you
running this in a tight loop here? That is, are you calling this one
time per IP address (which is what it looks like to me)? That would
indeed be a reason for a very high socket count. It would be opening
up an RPC session for each call. If you notice, it takes an array of
socket addresses so you can batch the call with multiple IP addresses
there. That would put the calls down to exactly 1 or 2 per forest.

As far as your idea with ATSN goes, it sounds reasonable (though being
a programmer I would of course choose your first method). You realize
that ATSN is just a wrapper around the same API call right? So... if
it is not working when you do it, and assuming you wrote your wrapper
correctly, then it would not be working with the ATSN tool either.

On 5/11/07, Isenhour, Joseph wrote:
> I just realized that the DsAddressToSiteNames calls are failing anyway.
> I looked in the documentation and DsAddressToSiteNames does not allow
> you to pass a user name and password. I'm dealing with a multi-forest
> environment and we have a policy of not synching passwords across
> forests.
>
> So... Mr. joeware, I found this cool utility called ATSN.exe that seems
> to do exactly what I'm trying to do.
>
> What do you think about this solution:
>
> - Set up a scheduled task on each of my forest admin servers that
> queries AD for a list of servers and then does a DNS lookup on each.
> I'll then put that data into an input text file. (I have around 1000
> servers per forest)
>
> - Kick off ATSN.exe to gather the site info for each server.
>
> - Set up a SQL job to go out to each server and pick up my file once or
> twice a day.
>
> What do you think? Too clunky?
>
>
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Joe Kaplan
> Sent: Thursday, May 10, 2007 8:52 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Issues with System.DirectoryServices
>
> I don't immediately see the problem here. One thing that bothers me is
> that there should be a way to do this with SDS.AD. However, I didn't
> see an obvious way to do it. It seems like a shortcoming in the API
> that should be addressed. However, I might just be missing it.
>
> Joe K.
>
> ----- Original Message -----
> From: "Isenhour, Joseph"
> To:
> Sent: Thursday, May 10, 2007 5:25 PM
> Subject: RE: [ActiveDir] Issues with System.DirectoryServices
>
>
> I am indeed. I'm calling it in the Finally block and I've confirmed
> that it is getting called. I agree it doesn't seem like a big deal. I
> use a lot of the win32 ds functions and have never had an issue until
> now.
>
> Here's the actual code. Does anything jump out at you?
>
> public static string GetAddressToSiteName(string IPAddress, string DomainController)
> {
>     IntPtr pSites = new IntPtr();
>     IntPtr pSockAddr;
>     IntPtr pSiteName;
>     IntPtr pNetworkType = new IntPtr();
>
>     try
>     {
>         // Determine the site using the IP address
>         int rc;
>
>         string siteName;
>
>         SOCKET_ADDRESS[] oSocketAddresses = new SOCKET_ADDRESS[1];
>         SockAddr oSocketAddr = new SockAddr();
>         System.Int32 oSocketSize = Convert.ToInt32(Marshal.SizeOf(oSocketAddr));
>
>         rc = WSAStringToAddress(
>             IPAddress,
>             System.Net.Sockets.AddressFamily.InterNetwork,
>             pNetworkType,
>             ref oSocketAddr,
>             ref oSocketSize);
>
>         WSACleanup();
>
>         pSockAddr = Marshal.AllocHGlobal(Marshal.SizeOf(oSocketAddr));
>
>         Marshal.StructureToPtr(oSocketAddr, pSockAddr, true);
>         oSocketAddresses[0].lpSockaddr = pSockAddr;
>         oSocketAddresses[0].iSockaddrLength = Marshal.SizeOf(oSocketAddr);
>         Marshal.Release(pSockAddr);
>
>         rc = DsAddressToSiteNames(DomainController, 1, oSocketAddresses, ref pSites);
>
>         pSiteName = Marshal.ReadIntPtr(pSites, 0);
>         siteName = Marshal.PtrToStringAuto(pSiteName);
>
>         return siteName;
>     }
>     catch(Exception x)
>     {
>         throw new System.Exception();
>     }
>     finally
>     {
>         NetApiBufferFree(pSites);
>     }
> }
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ryan Dunn
> Sent: Thursday, May 10, 2007 3:20 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Issues with System.DirectoryServices
>
> That function doesn't look too risky... are you remembering to call
> NetApiBufferFree?
>
> On 5/10/07, Isenhour, Joseph wrote:
> > Think I found it. It looks like it doesn't have anything to do with
> > SDS although the end result is SDS not working.
> >
> > I wrote a .NET wrapper for the win32 DsAddressToSiteNames function.
> >
> > private static extern int DsAddressToSiteNames
> >
> > It looks like the error occurs after this code is executed several
> > times. I'm trying to be a good .NET developer and free up my
> > unmanaged resources in a finally statement; however, it appears that
> > I'm missing something.
> >
> > Does anyone know of a Microsoft supported .NET method that will give
> > me the same functionality as DsAddressToSiteNames?
> >
> >
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Isenhour,
> > Joseph
> > Sent: Thursday, May 10, 2007 10:15 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Issues with System.DirectoryServices
> >
> > Thanks Joe,
> >
> > So maybe I do need to persist the connections somehow. I do use a
> > single account (well one per forest) to do all of my LDAP operations.
> >
> > So how about something like this:
> >
> > protected void Application_Start(Object sender, EventArgs e) {
> >
> >     string[] domainNames = {"domain1.net", "domain2.net" };
> >     System.Collections.Hashtable domains = new Hashtable();
> >
> >     foreach( string domainName in domainNames )
> >     {
> >         System.DirectoryServices.DirectoryEntry d = new System.DirectoryServices.DirectoryEntry();
> >
> >         d.Path = string.Format("LDAP://{0}/DC={1}", domainName, domainName.Replace(".", ",DC="));
> >         d.Username = SAMTools.GetSvcID( domainName );
> >         d.Password = SAMTools.GetSvcPass( domainName );
> >         d.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
> >         d.RefreshCache();
> >
> >         domains.Add( domainName, d );
> >     }
> > }
> >
> > What if I add this to the Global.asax Application_Start? Will that
> > possibly cache my connections and allow all new sessions to re-use
> > them?
> >
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Joe Kaplan
> > Sent: Wednesday, May 09, 2007 8:25 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Issues with System.DirectoryServices
> >
> > This is important stuff to know. If there are different user
> > identities accessing the directory, ADSI will open up a new connection
> > for each one.
> > That is by design and is just the way that ADSI works. That makes it
> > difficult to get lots of scalability with apps that use an
> > impersonation model.
> >
> > However, if he's seeing 80 connections for just one user when the
> > expectation is that there are only 6 forests to connect to, that would
> > seem to indicate that connections aren't getting reused and connection
> > caching isn't working as expected. That could cause problems.
> >
> > Ryan suggested earlier to make sure the Dispose is being called
> > religiously so that the underlying ADSI objects are being cleaned up
> > right when you are done with them and not waiting around for garbage
> > collection. This is a good idea, although not as important as it was
> > in .NET 1.x where there were bugs that caused ADSI COM objects to not
> > get cleaned up if you failed to call Dispose. At least now, the GC
> > will eventually get around to it, just maybe not as quickly as you'd
> > like.
> >
> > However, the downside of calling Dispose or Close is that if no other
> > ADSI objects are also using that LDAP connection, it will close it.
> > In general that is a good thing because you want your connections
> > closed when you are done with them. The problem comes in when moments
> > later, a new web request comes in and the site code causes new
> > connections to be opened instead of reusing one that is already open.
> > If the opening and closing happens over and over again, you'll
> > eventually run out of TCP wildcard ports and will get errors. This is
> > because once the TCP port closes, it will sit in "time wait" for 60
> > seconds and won't be available for new connections until it releases.
> >
> > It isn't totally clear to me that this is the issue, but it sounds
> > like it might be. It is pretty difficult to diagnose in my
> > experience.
> >
> > One thing you can do programmatically is to try to make sure your LDAP
> > connections stay open so that ADSI will reuse them. If you use a
> > single set of credentials for all of your access, then you can
> > sometimes accomplish this by opening up connections in something like
> > the application_start event and sticking the DirectoryEntry objects
> > into static variables or something so they won't be collected.
> >
> > I hope that helps a bit more.
> >
> > Joe K.
> >
> > ----- Original Message -----
> > From: "Ryan Dunn"
> > To:
> > Sent: Wednesday, May 09, 2007 1:15 PM
> > Subject: Re: [ActiveDir] Issues with System.DirectoryServices
> >
> >
> > > We need more information here. How are you creating the
> > > connections?
> > > For example, show us how you are constructing your DirectoryEntry
> > > objects. What is the security context of the application? the
> > > user's? a trusted subsystem? impersonated?
> > >
> > > On 5/9/07, Isenhour, Joseph wrote:
> > >> I'm actually seeing around 80 LDAP connections. The app is talking
> > >> to 6 different forests so I'd expect to see around 6 to 10
> > >> connections.
> > >>
> > >> The app is a C# web form so many users will be hitting it at any
> > >> given time. Right now I'm the only one hitting it and it's taking 80
> > >> connections. Is there any way to ensure that the connections either
> > >> get re-used or at least get closed immediately after the objects are
> > >> disposed?
> > >>
> > >> -----Original Message-----
> > >> From: ActiveDir-owner@mail.activedir.org
> > >> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Joe Kaplan
> > >> Sent: Tuesday, May 08, 2007 7:45 PM
> > >> To: ActiveDir@mail.activedir.org
> > >> Subject: Re: [ActiveDir] Issues with System.DirectoryServices
> > >>
> > >> Another thing that can happen here is the dreaded ADSI connection
> > >> caching issue where you run out of wild card ports. If netstat
> > >> shows a lot of ports sitting in "time wait" status, that could be
> > >> the issue.
> > >> This is often the problem when you see somewhat random ADSI
> > >> failures in code that was working fine before but where many ADSI
> > >> calls were being made.
> > >>
> > >> Joe K.
> > >>
> > >> ----- Original Message -----
> > >> From: "Ryan Dunn"
> > >> To:
> > >> Sent: Tuesday, May 08, 2007 7:25 PM
> > >> Subject: Re: [ActiveDir] Issues with System.DirectoryServices
> > >>
> > >>
> > >> > Oh, I should also mention that anytime you access a method or
> > >> > property that returns a DirectoryEntry, you are also responsible
> > >> > for disposing of it. This can be a gotcha. So this code might leak:
> > >> >
> > >> > DirectoryEntry entry = new DirectoryEntry(...);
> > >> > DirectoryEntry parent = entry.Parent;
> > >> > //do something with Parent
> > >> > entry.Dispose(); //what about parent?
> > >> >
> > >> > Here is an even more insidious one:
> > >> >
> > >> > Console.WriteLine(entry.Parent.Path);
> > >> >
> > >> > Most people will forget to call entry.Parent.Dispose() since it
> > >> > is not a local variable.
> > >> >
> > >> > How to fix:
> > >> >
> > >> > DirectoryEntry entry = new DirectoryEntry(...);
> > >> > DirectoryEntry parent = entry.Parent;
> > >> >
> > >> > using (entry)
> > >> > using (parent)
> > >> > {
> > >> >     // do stuff
> > >> > }// both are disposed here for you...
> > >> >
> > >> > Remember, this applies to *any* method or Property that returns a
> > >> > DirectoryEntry. So be wary of DirectorySearcher.GetDirectoryEntry()
> > >> > and also DirectoryEntry.Children.Add for instance.
> > >> >
> > >> >
> > >> >
> > >> > On 5/8/07, Isenhour, Joseph wrote:
> > >> >>
> > >> >>
> > >> >>
> > >> >> I have a web app that I'm developing that seems to be having issues
> > >> >> with System.DirectoryServices. The app uses S.DS pretty heavily and
> > >> >> it plugs along just fine for a while but then all of the sudden
> > >> >> anything that calls S.DS simply fails. I then have to restart IIS
> > >> >> in order for it to begin working again. I'm assuming that I'm using
> > >> >> up some resource within S.DS and never freeing it; however, I don't
> > >> >> know of any good way to figure out which resource I'm exhausting.
> > >> >>
> > >> >> I've gone through and looked at all of my DirectoryEntry and
> > >> >> DirectorySearcher objects and have ensured that I'm calling .Close
> > >> >> and .Dispose when I'm done with them. It's possible that I'm leaving
> > >> >> the objects open but I don't really know how to tell. Does anyone
> > >> >> know of a good tool or method that I can use to troubleshoot S.DS?
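Ryan Dunn's point in the thread above, that DsAddressToSiteNames takes an array of socket addresses, worked through as an added C# example (not code from the thread or from any list member): one batched call per domain controller, with each unmanaged allocation paired with its matching free. The names SiteLookup and GetSiteNames are illustrative, the P/Invoke declarations are written out here as assumptions because the thread never shows the poster's own, and IPv4 input is assumed.

```csharp
using System;
using System.ComponentModel;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;

// Illustrative names; this is not the wrapper posted in the thread.
public static class SiteLookup
{
    [StructLayout(LayoutKind.Sequential)]
    private struct SOCKET_ADDRESS
    {
        public IntPtr lpSockaddr;
        public int iSockaddrLength;
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, EntryPoint = "DsAddressToSiteNamesW")]
    private static extern int DsAddressToSiteNames(
        string computerName,
        int entryCount,
        [In] SOCKET_ADDRESS[] socketAddresses,
        out IntPtr siteNames);

    [DllImport("netapi32.dll")]
    private static extern int NetApiBufferFree(IntPtr buffer);

    private const int SockaddrInSize = 16; // sizeof(sockaddr_in)
    private const byte AfInet = 2;         // AF_INET

    // Returns one site name per input address, in input order; an entry is
    // null where the domain controller could not map the address to a site.
    public static string[] GetSiteNames(string domainController, IPAddress[] addresses)
    {
        if (addresses == null || addresses.Length == 0)
            return new string[0];

        IntPtr sockaddrBlock = IntPtr.Zero;
        IntPtr siteNames = IntPtr.Zero;
        try
        {
            // One unmanaged block holds every sockaddr_in, so there is one free.
            sockaddrBlock = Marshal.AllocHGlobal(SockaddrInSize * addresses.Length);
            SOCKET_ADDRESS[] entries = new SOCKET_ADDRESS[addresses.Length];

            for (int i = 0; i < addresses.Length; i++)
            {
                if (addresses[i].AddressFamily != AddressFamily.InterNetwork)
                    throw new ArgumentException("IPv4 addresses only", "addresses");

                // sockaddr_in: family (2 bytes), port (2), address (4), zero padding (8).
                byte[] raw = new byte[SockaddrInSize];
                raw[0] = AfInet;
                Buffer.BlockCopy(addresses[i].GetAddressBytes(), 0, raw, 4, 4);

                IntPtr slot = IntPtr.Add(sockaddrBlock, i * SockaddrInSize);
                Marshal.Copy(raw, 0, slot, SockaddrInSize);
                entries[i].lpSockaddr = slot;
                entries[i].iSockaddrLength = SockaddrInSize;
            }

            // One call resolves the whole batch instead of one call per address.
            int rc = DsAddressToSiteNames(domainController, entries.Length, entries, out siteNames);
            if (rc != 0)
                throw new Win32Exception(rc);

            string[] result = new string[addresses.Length];
            for (int i = 0; i < result.Length; i++)
            {
                IntPtr name = Marshal.ReadIntPtr(siteNames, i * IntPtr.Size);
                result[i] = name == IntPtr.Zero ? null : Marshal.PtrToStringUni(name);
            }
            return result;
        }
        finally
        {
            // NetApiBufferFree releases the array the API allocated;
            // FreeHGlobal releases the block allocated with AllocHGlobal.
            if (siteNames != IntPtr.Zero) NetApiBufferFree(siteNames);
            if (sockaddrBlock != IntPtr.Zero) Marshal.FreeHGlobal(sockaddrBlock);
        }
    }
}
```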
josephisenhourUser is Offline

Posts:0

05/11/2007 12:49 PM  
I just realized that the DsAddressToSiteNames calls are failing anyway.
I looked in the documentation and DsAddressToSiteNames does not allow
you to pass a user name and password. I'm dealing with a multi-forest
environment and we have a policy of not synching passwords across
forests.

So... Mr. joeware, I found this cool utility called ATSN.exe that seems
to do exactly what I'm trying to do.

What do you think about this solution:

- Set up a scheduled task on each of my forest admin servers that
queries AD for a list of servers and then does a DNS lookup on each.
I'll then put that data into an input text file. (I have around 1000
servers per forest)

- Kick off ATSN.exe to gather the site info for each server.

- Set up a SQL job to go out to each server and pick up my file once or
twice a day.

What do you think? Too clunky?



-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Joe Kaplan
Sent: Thursday, May 10, 2007 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Issues with System.DirectoryServices

I don't immediately see the problem here. One thing that bothers me is
that there should be a way to do this with SDS.AD. However, I didn't
see an obvious way to do it. It seems like a shortcoming in the API
that should be addressed. However, I might just be missing it.

Joe K.

----- Original Message -----
From: "Isenhour, Joseph"
To:
Sent: Thursday, May 10, 2007 5:25 PM
Subject: RE: [ActiveDir] Issues with System.DirectoryServices

I am indeed. I'm calling it in the Finally block and I've confirmed
that it is getting called. I agree it doesn't seem like a big deal. I
use a lot of the win32 ds functions and have never had an issue until
now.

Here's the actual code. Does anything jump out at you?

public static string GetAddressToSiteName(string IPAddress, string DomainController)
{
    IntPtr pSites = new IntPtr();
    IntPtr pSockAddr;
    IntPtr pSiteName;
    IntPtr pNetworkType = new IntPtr();

    try
    {
        // Determine the site using the IP address
        int rc;

        string siteName;

        SOCKET_ADDRESS[] oSocketAddresses = new SOCKET_ADDRESS[1];
        SockAddr oSocketAddr = new SockAddr();
        System.Int32 oSocketSize = Convert.ToInt32(Marshal.SizeOf(oSocketAddr));

        rc = WSAStringToAddress(
            IPAddress,
            System.Net.Sockets.AddressFamily.InterNetwork,
            pNetworkType,
            ref oSocketAddr,
            ref oSocketSize);
        WSACleanup();
        pSockAddr = Marshal.AllocHGlobal(Marshal.SizeOf(oSocketAddr));
        Marshal.StructureToPtr(oSocketAddr, pSockAddr, true);
        oSocketAddresses[0].lpSockaddr = pSockAddr;
        oSocketAddresses[0].iSockaddrLength = Marshal.SizeOf(oSocketAddr);
        Marshal.Release(pSockAddr);
        rc = DsAddressToSiteNames(DomainController, 1, oSocketAddresses, ref pSites);

        pSiteName = Marshal.ReadIntPtr(pSites, 0);
        siteName = Marshal.PtrToStringAuto(pSiteName);

        return siteName;
    }
    catch(Exception x)
    {
        throw new System.Exception();
    }
    finally
    {
        NetApiBufferFree(pSites);
    }
}

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ryan Dunn
Sent: Thursday, May 10, 2007 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Issues with System.DirectoryServices

That function doesn't look too risky... are you remembering to call
NetApiBufferFree?

On 5/10/07, Isenhour, Joseph wrote:
> Think I found it. It looks like it doesn't have anything to do with
> SDS although the end result is SDS not working.
>
> I wrote a .NET wrapper for the win32 DsAddressToSiteNames function.
>
> private static extern int DsAddressToSiteNames
>
> It looks like the error occurs after this code is executed several
> times. I'm trying to be a good .NET developer and free up my
> unmanaged resources in a finally statement; however, it appears that
> I'm missing something.
>
> Does anyone know of a Microsoft supported .NET method that will give
> me the same functionality as DsAddressToSiteNames?
>
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Isenhour,
> Joseph
> Sent: Thursday, May 10, 2007 10:15 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Issues with System.DirectoryServices
>
> Thanks Joe,
>
> So maybe I do need to persist the connections somehow. I do use a
> single account (well one per forest) to do all of my LDAP operations.
>
> So how about something like this:
>
> protected void Application_Start(Object sender, EventArgs e) {
>
>     string[] domainNames = {"domain1.net", "domain2.net" };
>     System.Collections.Hashtable domains = new Hashtable();
>
>     foreach( string domainName in domainNames )
>     {
>         System.DirectoryServices.DirectoryEntry d = new System.DirectoryServices.DirectoryEntry();
>
>         d.Path = string.Format("LDAP://{0}/DC={1}", domainName, domainName.Replace(".", ",DC="));
>         d.Username = SAMTools.GetSvcID( domainName );
>         d.Password = SAMTools.GetSvcPass( domainName );
>         d.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
>         d.RefreshCache();
>
>         domains.Add( domainName, d );
>     }
> }
>
> What if I add this to the Global.asax Application_Start? Will that
> possibly cache my connections and allow all new sessions to re-use
> them?
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Joe Kaplan
> Sent: Wednesday, May 09, 2007 8:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Issues with System.DirectoryServices
>
> This is important stuff to know. If there are different user
> identities accessing the directory, ADSI will open up a new connection
> for each one.
> That is by design and is just the way that ADSI works. That makes it
> difficult to get lots of scalability with apps that use an
> impersonation model.
>
> However, if he's seeing 80 connections for just one user when the
> expectation is that there are only 6 forests to connect to, that would
> seem to indicate that connections aren't getting reused and connection
> caching isn't working as expected. That could cause problems.
>
> Ryan suggested earlier to make sure the Dispose is being called
> religiously so that the underlying ADSI objects are being cleaned up
> right when you are done with them and not waiting around for garbage
> collection. This is a good idea, although not as important as it was
> in .NET 1.x where there were bugs that caused ADSI COM objects to not
> get cleaned up if you failed to call Dispose. At least now, the GC
> will eventually get around to it, just maybe not as quickly as you'd
> like.
>
> However, the downside of calling Dispose or Close is that if no other
> ADSI objects are also using that LDAP connection, it will close it.
> In general that is a good thing because you want your connections
> closed when you are done with them. The problem comes in when moments
> later, a new web request comes in and the site code causes new
> connections to be opened instead of reusing one that is already open.
> If the opening and closing happens over and over again, you'll
> eventually run out of TCP wildcard ports and will get errors. This is
> because once the TCP port closes, it will sit in "time wait" for 60
> seconds and won't be available for new connections until it releases.
>
> It isn't totally clear to me that this is the issue, but it sounds
> like it might be. It is pretty difficult to diagnose in my
> experience.
>
> One thing you can do programmatically is to try to make sure your LDAP
> connections stay open so that ADSI will reuse them. If you use a
> single set of credentials for all of your access, then you can
> sometimes accomplish this by opening up connections in something like
> the application_start event and sticking the DirectoryEntry objects
> into static variables or something so they won't be collected.
>
> I hope that helps a bit more.
>
> Joe K.
>
> ----- Original Message -----
> From: "Ryan Dunn"
> To:
> Sent: Wednesday, May 09, 2007 1:15 PM
> Subject: Re: [ActiveDir] Issues with System.DirectoryServices
>
>
> > We need more information here. How are you creating the
> > connections?
> > For example, show us how you are constructing your DirectoryEntry
> > objects. What is the security context of the application? the
> > user's? a trusted subsystem? impersonated?
> >
> > On 5/9/07, Isenhour, Joseph wrote:
> >> I'm actually seeing around 80 LDAP connections. The app is talking
> >> to 6 different forests so I'd expect to see around 6 to 10
> >> connections.
> >>
> >> The app is a C# web form so many users will be hitting it at any
> >> given time. Right now I'm the only one hitting it and it's taking 80
> >> connections. Is there any way to ensure that the connections either
> >> get re-used or at least get closed immediately after the objects are
> >> disposed?
> >>
> >> -----Original Message-----
> >> From: ActiveDir-owner@mail.activedir.org
> >> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Joe Kaplan
> >> Sent: Tuesday, May 08, 2007 7:45 PM
> >> To: ActiveDir@mail.activedir.org
> >> Subject: Re: [ActiveDir] Issues with System.DirectoryServices
> >>
> >> Another thing that can happen here is the dreaded ADSI connection
> >> caching issue where you run out of wild card ports. If netstat
> >> shows a lot of ports sitting in "time wait" status, that could be
> >> the issue.
> >> This is often the problem when you see somewhat random ADSI
> >> failures in code that was working fine before but where many ADSI
> >> calls were being made.
> >>
> >> Joe K.
> >>
> >> ----- Original Message -----
> >> From: "Ryan Dunn"
> >> To:
> >> Sent: Tuesday, May 08, 2007 7:25 PM
> >> Subject: Re: [ActiveDir] Issues with System.DirectoryServices
> >>
> >>
> >> > Oh, I should also mention that anytime you access a method or
> >> > property that returns a DirectoryEntry, you are also responsible
> >> > for disposing of it. This can be a gotcha. So this code might leak:
> >> >
> >> > DirectoryEntry entry = new DirectoryEntry(...);
> >> > DirectoryEntry parent = entry.Parent;
> >> > //do something with Parent
> >> > entry.Dispose(); //what about parent?
> >> >
> >> > Here is an even more insidious one:
> >> >
> >> > Console.WriteLine(entry.Parent.Path);
> >> >
> >> > Most people will forget to call entry.Parent.Dispose() since it
> >> > is not a local variable.
> >> >
> >> > How to fix:
> >> >
> >> > DirectoryEntry entry = new DirectoryEntry(...);
> >> > DirectoryEntry parent = entry.Parent;
> >> >
> >> > using (entry)
> >> > using (parent)
> >> > {
> >> >     // do stuff
> >> > }// both are disposed here for you...
> >> >
> >> > Remember, this applies to *any* method or Property that returns a
> >> > DirectoryEntry. So be wary of DirectorySearcher.GetDirectoryEntry()
> >> > and also DirectoryEntry.Children.Add for instance.
> >> >
> >> >
> >> >
> >> > On 5/8/07, Isenhour, Joseph wrote:
> >> >>
> >> >>
> >> >>
> >> >> I have a web app that I'm developing that seems to be having issues
> >> >> with System.DirectoryServices. The app uses S.DS pretty heavily and
> >> >> it plugs along just fine for a while but then all of the sudden
> >> >> anything that calls S.DS simply fails. I then have to restart IIS
> >> >> in order for it to begin working again. I'm assuming that I'm using
> >> >> up some resource within S.DS and never freeing it; however, I don't
> >> >> know of any good way to figure out which resource I'm exhausting.
> >> >>
> >> >> I've gone through and looked at all of my DirectoryEntry and
> >> >> DirectorySearcher objects and have ensured that I'm calling .Close
> >> >> and .Dispose when I'm done with them. It's possible that I'm leaving
> >> >> the objects open but I don't really know how to tell. Does anyone
> >> >> know of a good tool or method that I can use to troubleshoot S.DS?