| Author | Messages | |
johnserban
Posts:12
 | | 04/24/2008 10:24 AM |
| Does anyone have a programmatic method to test if a domain controller is advertising that would replicate the functionality of DCDIAG /test:advertising ? We patch our domain controllers in groups to ensure continued availability and would like an easily scriptable way to make sure all patched/rebooted DCs are back up and advertising before proceeding with the next group.
Thanks, John | | | |
| johnserban
Posts:12
 | | 04/24/2008 10:34 AM |
| To further clarify, we would like to accomplish this without impersonating logon local or do any remoting. We would like to use only LDAP calls to get Advertising status.
Thanks, John
| | | |
| lef
Posts:21
 | | 04/24/2008 12:41 PM |
| Hi, as you are probably aware, DCDIAG /test:advertising uses RPC; it's basically calling DsGetDCName
http://msdn2.microsoft.com/en-us/library/ms675983(VS.85).aspx
and what you see output is a parsing of the DOMAIN_CONTROLLER_INFO struct
http://msdn2.microsoft.com/en-us/library/ms675912(VS.85).aspx
The flags are here:
http://msdn2.microsoft.com/en-us/library/cc223802.aspx
So for LDAP only it would be a case of looking at the flags as above used in the output:
The DC W2K8-2 is advertising itself as a DC and having a DS.
The DC W2K8-2 is advertising as an LDAP server
The DC W2K8-2 is advertising as having a writeable directory
The DC W2K8-2 is advertising as a Key Distribution Center
The DC W2K8-2 is advertising as a time server
The DS W2K8-2 is advertising as a GC.
and deciding which could be gleaned over LDAP say from rootDSE queries. A clue might be obtained from looking at the LDAP ping that Windows clients use in DC location:
http://msdn2.microsoft.com/en-us/library/cc223811.aspx
I do not think there is anything pre-packaged for *exactly* this behaviour over LDAP but maybe you do not need that but just your own set of checks drawn from tools like dsdiag, repadmin and replmon. Looking at MOM and 3rd party AD monitoring would also give you a few ideas...
Lee Flight
| | | |
| nathanielbahta
Posts:5
 | | 04/24/2008 12:46 PM |
| Send a query to the netlogon service on the server using NLTEST.
nltest /server:<servername> /query
| | | |
| dmitrig
Posts:59
 | | 04/24/2008 1:26 PM |
| Strictly speaking, it is not possible over LDAP alone. Checking rootDse/isSynchronized is a good first approximation -- it indicates that the "DS part" of the DC is ready. However, netlogon is also checking that NTFRS/DFSR are ready as well, before advertising. Usually, I check their state by looking at HKLM/System/CCS/Services/Netlogon/Parameters/SysvolReady.
The "correct" way to check if the DC is advertising or not is calling DsGetDcName targeting the DC in question (ComputerName parameter), with NULL domain and DS_DIRECTORY_SERVICE_REQUIRED flag. It should return itself. Then check Flags in the returned dcinfo struct.
Dmitri
| | | |
| johnserban
Posts:12
 | | 04/25/2008 3:56 PM |
| Thanks for the information on the "correct" way to check if a DC is advertising, Dmitri. This method has the added benefit that its results should match the results of "nltest /dsgetdc:" if the tool results need to be independently validated manually by an admin.
John
| | | |
| grincik50
Posts:3
 | | 07/16/2008 6:47 PM |
| | Hi,
I am using the following method:
    DOMAIN_CONTROLLER_INFO domainInfo;
    const int ERROR_SUCCESS = 0;
    IntPtr pDCI = IntPtr.Zero;
    try {
        // dnsName is the server the call is sent to; the flag asks for a DC running a directory service.
        int val = DsGetDcName(dnsName, "", 0, "", Convert.ToUInt32(GetDCFlags.DirectoryServiceRequired), out pDCI);
        if (ERROR_SUCCESS == val) {
            // Copy the native DOMAIN_CONTROLLER_INFO buffer into the managed struct.
            domainInfo = (DOMAIN_CONTROLLER_INFO)Marshal.PtrToStructure(pDCI, typeof(DOMAIN_CONTROLLER_INFO));
        } else {
            throw new Win32Exception(val);
        }
    } finally {
        // The buffer returned by DsGetDcName is released with NetApiBufferFree.
        NetApiBufferFree(pDCI);
    }
dnsName format is: server FQDN (e.g. server1.domain.domain.net).
What happens is that for most DCs it works fine, but on some I get a
"val=5" (access is denied) error. I checked the DC and it is good (dcdiag, nltest,
etc.). I would appreciate any help.
Thanks
--Greg
| | | |
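The check Dmitri describes earlier in the thread (DsGetDcName sent to the DC itself with a NULL domain and DS_DIRECTORY_SERVICE_REQUIRED, then inspecting Flags), written out as a complete console program. This is an added example, not code posted by anyone in the thread; the DS_RETURN_DNS_NAME flag, the `Required` role set (taken from the dcdiag lines quoted above) and the class, method and host names are assumptions of the example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class DcAdvertisingGate
{
    // DsGetDcName request flags (DsGetDC.h).
    const uint DS_DIRECTORY_SERVICE_REQUIRED = 0x00000010;
    // Assumption of this example: ask for DNS-format names so the answer can be compared with an FQDN.
    const uint DS_RETURN_DNS_NAME = 0x40000000;

    // Role bits reported in DOMAIN_CONTROLLER_INFO.Flags.
    [Flags]
    enum DcFlags : uint
    {
        Pdc = 0x001, Gc = 0x004, Ldap = 0x008, Ds = 0x010,
        Kdc = 0x020, TimeServ = 0x040, Writable = 0x100
    }

    // Assumption: roles a patched DC must advertise before the next group is rebooted.
    // GC is left out because not every DC is a global catalog.
    const DcFlags Required =
        DcFlags.Ds | DcFlags.Ldap | DcFlags.Kdc | DcFlags.TimeServ | DcFlags.Writable;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct DOMAIN_CONTROLLER_INFO
    {
        public string DomainControllerName;
        public string DomainControllerAddress;
        public uint DomainControllerAddressType;
        public Guid DomainGuid;
        public string DomainName;
        public string DnsForestName;
        public uint Flags;
        public string DcSiteName;
        public string ClientSiteName;
    }

    [DllImport("netapi32.dll", EntryPoint = "DsGetDcNameW", CharSet = CharSet.Unicode)]
    static extern int DsGetDcName(string computerName, string domainName, IntPtr domainGuid,
                                  string siteName, uint flags, out IntPtr info);

    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buffer);

    // Runs DsGetDcName on the target DC and returns the role bits it advertises.
    static DcFlags QueryAdvertisedFlags(string dcFqdn)
    {
        IntPtr pInfo = IntPtr.Zero;
        try
        {
            // null (not "") marshals as a NULL pointer: the target's own domain, any site.
            int rc = DsGetDcName(dcFqdn, null, IntPtr.Zero, null,
                                 DS_DIRECTORY_SERVICE_REQUIRED | DS_RETURN_DNS_NAME, out pInfo);
            if (rc != 0)
                throw new Win32Exception(rc); // e.g. 5 = access denied, 1355 = no DC found

            var info = (DOMAIN_CONTROLLER_INFO)Marshal.PtrToStructure(
                pInfo, typeof(DOMAIN_CONTROLLER_INFO));

            // The name comes back as \\host.domain; the DC must have returned itself.
            string returned = info.DomainControllerName.TrimStart('\\').TrimEnd('.');
            if (!string.Equals(returned, dcFqdn.TrimEnd('.'), StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException("answered with " + returned + " instead of itself");

            return (DcFlags)info.Flags;
        }
        finally
        {
            if (pInfo != IntPtr.Zero) NetApiBufferFree(pInfo);
        }
    }

    // Usage (hypothetical host names): DcAdvertisingGate.exe dc1.example.test dc2.example.test
    // Exit code is 0 only when every listed DC advertises all required roles.
    static int Main(string[] args)
    {
        int notReady = 0;
        foreach (string dc in args)
        {
            string verdict;
            try
            {
                DcFlags missing = Required & ~QueryAdvertisedFlags(dc);
                verdict = missing == 0 ? "advertising" : "NOT ready, missing " + missing;
            }
            catch (Exception ex) { verdict = "check failed: " + ex.Message; }
            if (verdict != "advertising") notReady++;
            Console.WriteLine("{0}: {1}", dc, verdict);
        }
        return notReady == 0 ? 0 : 1;
    }
}
```

A patch script can run this against the group it has just rebooted and move on to the next group only when the exit code is 0.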
| j.isenhour
Posts:6
 | | 07/16/2008 6:49 PM |
| When you pass DsGetDCName an FQDN I believe it will actually attempt to remote the call via RPC to whichever server is specified. So for example:
int val = DsGetDcName("someserver.company.net", "", 0, "", Convert.ToUInt32(GetDCFlags.DirectoryServiceRequired), out pDCI);
If I’m not mistaken that call will actually tell someserver.company.net to run the dsgetdcname call. If that’s the case then whatever security context is running the command must have the necessary rights on someserver.company.net to run the function. You might be running into a scenario where the account issuing the dsgetdcname call does not have the rights it needs on the remote server.
| | | |
| grincik50
Posts:3
 | | 07/16/2008 6:53 PM |
| | Hi Joe,
It works fine for most DCs and returns "Access is denied" for a very few.
It runs under the same account for the ones that work and for the ones that
fail in the same domain. Is there anything else that might cause it?
Thanks
--Greg
| | | |
| j.isenhour
Posts:6
 | | 07/16/2008 6:55 PM |
| Hmm,
Ok it’s a long shot now, but are you calling NetApiBufferFree(pDCI); each time when you’re done finding the DC?
Joe Isenhour – Program Manager | Enterprise Engineering Center | office: 425.703.7961 | email: josephi@microsoft.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Greg Reevosh
Sent: Thursday, May 29, 2008 8:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Programmatic Method to check if a DC is Advertising
I've tried it with no flag, passing FQDN, WIN name and passing name and domain as second parameter. Can connect to most of the DCs except those specific ones. Same access denied error. Same version.
On 5/29/08, Joseph Isenhour <Josephi@microsoft.com> wrote:
Same version of windows other than architecture?
For grins, give it a try with no flags. Meaning drop the GetDCFlags.DirectoryServiceRequired flag and see what you get back in the DOMAIN_CONTROLLER_INFO structure.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Greg Reevosh
Sent: Thursday, May 29, 2008 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Programmatic Method to check if a DC is Advertising
Yes. Exactly the same ones. Initially I thought it might be related to x64 but there are some that work fine.
On 5/29/08, Joseph Isenhour <Josephi@microsoft.com> wrote:
Well if it's the same domain and the same account then it probably isn't related to rights unless something is really screwy. Is it always the same ones that fail?
| | | |
| grincik50
Posts:3
 | | 07/16/2008 7:01 PM |
| | This is an ASP.NET app that runs within the default app pool, and no special parameters
are passed to this function. Like I said, it works fine for most DCs. The same
policies are applied. However, when I impersonate a domain user, call this
function and de-personate, it works fine for all DCs. We do not allow
anonymous binds -- there must be an explanation.
NetApiBufferFree(pDCI); -- is run every time in the finally statement; nltest is
fine.
On 5/29/08, joe <listmail@joeware.net> wrote:
>
> My thoughts...
>
> 1. Does nltest /dsgetdc work?
>
> 2. Are these DCs using some "special" policy? I.E. Are you "one of those"
> companies that set up different DCs in the same domain with different
> policies?
>
> 3. Can you do a dir of the netlogon or sysvol shares with that ID on those
> DCs?
>
> 4. What happens if you set up a null session connection to the problematic
> DCs and run your tool or nltest against the DC? This API call shouldn't
> require any perms to run if I recall.
>
> 5. Have you gotten a network trace and compared it to the trace from a DC
> you can query to see where exactly it is blowing out at?
>
>
> Likely you can force this to work by making a null session connection to
> each DC, making the call, then breaking the connection. However, I would
> highly recommend working out where that access denied is coming from, it
> could be a symptom of something wrong.
>
> joe
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
>
> ------------------------------
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Greg Reevosh
> *Sent:* Thursday, May 29, 2008 11:30 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] Programmatic Method to check if a DC is
> Advertising
>
>
> I've tried it with no flag, passing FQDN, WIN name and passing name and
> domain as second parameter. Can connect to mos of DC except those specific
> ones. Same access denied.error. Same version.
>
> On 5/29/08, Joseph Isenhour <Josephi@microsoft.com> wrote:
>>
>> Same version of windows other than architecture?
>>
>>
>>
>> For grins, give it a try with no flags. Meaning drop the GetDCFlags.DirectoryServiceRequired
>> flag and see what you get back in the DOMAIN_CONTROLLER_INFO structure.
>>
>>
>>
>>
>>
>> Joe Isenhour – Program Manager | Enterprise Engineering Center | office:
>> 425.703.7961| email: josephi@microsoft.com
>>
>>
>>
>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Greg Reevosh
>> *Sent:* Thursday, May 29, 2008 5:29 PM
>> *To:* ActiveDir@mail.activedir.org
>> *Subject:* Re: [ActiveDir] Programmatic Method to check if a DC is
>> Advertising
>>
>>
>>
>> Yes. Exactly the same ones. Initially I thought it might be related to x64
>> but there are some that works fine.
>>
>> On 5/29/08, *Joseph Isenhour* <Josephi@microsoft.com> wrote:
>>
>> Well if it's the same domain and the same account then it probably isn't
>> related to rights unless something is really screwy. Is it always the same
>> ones that fail?
>>
>>
>>
>>
>>
>>
>>
>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Greg Reevosh
>> *Sent:* Thursday, May 29, 2008 5:01 PM
>> *To:* ActiveDir@mail.activedir.org
>> *Subject:* Re: [ActiveDir] Programmatic Method to check if a DC is
>> Advertising
>>
>>
>>
>> Hi Joe,
>>
>>
>>
>> It works fine for most DC's and returns "Access is denied" for a very few.
>> It runs under the same account for the ones that work and for the ones that
>> fail in the same domain. Is there anything else that might cause it?
>>
>>
>> Thanks
>>
>> --Greg
>>
>>
>> On 5/29/08, *Greg Reevosh* <grincik50@gmail.com> wrote:
>>
>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Joseph Isenhour
>> *Sent:* Wednesday, May 28, 2008 5:40 PM
>> *To:* ActiveDir@mail.activedir.org
>> *Subject:* RE: [ActiveDir] Programmatic Method to check if a DC is
>> Advertising
>>
>>
>>
>> When you pass DsGetDCName an fqdn I believe it will actually attempt to
>> remote the call via RPC to whichever server is specified. So for example:
>>
>>
>>
>> int val = DsGetDcName("someserver.company.net","",0,"",Convert.ToUInt32(GetDCFlags.DirectoryServiceRequired),
>> out pDCI);
>>
>>
>>
>> If I'm not mistaken that call will actually tell someserver.company.net
>> to run the dsgetdcname call. If that's the case then whatever security
>> context is running the command must have the necessary rights on
>> someserver.company.net to run the function. You might be running into a
>> scenario where the account issuing the dsgetdcname call does not have the
>> rights it needs on the remote server.
>>
>>
>>
>> On 5/28/08, *Greg Reevosh* <grincik50@gmail.com> wrote:
>>
>> Hi,
>>
>>
>>
>> I am using following method:
>>
>>
>>
>>
>>
>> DOMAIN_CONTROLLER_INFO domainInfo;
>> const int ERROR_SUCCESS = 0;
>> IntPtr pDCI = IntPtr.Zero;
>> try {
>>     // Returns ERROR_SUCCESS and fills pDCI when a DC is located.
>>     int val = DsGetDcName(dnsName, "", 0, "",
>>         Convert.ToUInt32(GetDCFlags.DirectoryServiceRequired), out pDCI);
>>     if (ERROR_SUCCESS == val) {
>>         domainInfo = (DOMAIN_CONTROLLER_INFO)Marshal.PtrToStructure(pDCI,
>>             typeof(DOMAIN_CONTROLLER_INFO));
>>     } else { throw new Win32Exception(val); }
>> } finally {
>>     // Release the buffer that DsGetDcName allocated.
>>     NetApiBufferFree(pDCI);
>> }
>>
>>
>>
>> dnsName = format is: server FQDN. (EX: server1.domain.domain.net)
>>
>> what happens is that for most of DC's it works fine but on some I get
>> "val=5" (access is denied) error. I check DC and it is good (dcdiag, nltest,
>> etc.) I would appreciate any help.
>>
>> Thanks
>>
>> --Greg
>>
>>
>>
>>
>> -----Original Message-----
>>
>> From: ActiveDir-owner@mail.activedir.org [mailto:
>> ActiveDir-owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov
>>
>> Sent: Thursday, April 24, 2008 1:26 PM
>>
>> To: ActiveDir@mail.activedir.org
>>
>> Subject: RE: [ActiveDir] Programmatic Method to check if a DC is
>> Advertising
>>
>>
>>
>> Strictly speaking, it is not possible over LDAP alone. Checking
>> rootDse/isSynchronized is a good first approximation -- it indicates that
>> the "DS part" of the DC is ready. However, netlogon is also checking that
>> NTFRS/DFSR are ready as well, before advertising. Usually, I check their
>> state by looking at
>> HKLM/System/CCS/Services/Netlogon/Parameters/SysvolReady.
>>
>>
>>
>> The "correct" way to check if the DC is advertising or not is calling
>> DsGetDcName targeting the DC in question (ComputerName parameter), with NULL
>> domain and DS_DIRECTORY_SERVICE_REQUIRED flag. It should return itself. Then
>> check Flags in the returned dcinfo struct.
>>
>>
>>
>> Dmitri
>>
>>
>>
>> -----Original Message-----
>>
>> From: ActiveDir-owner@mail.activedir.org [mailto:
>> ActiveDir-owner@mail.activedir.org] On Behalf Of Serban, John
>>
>> Sent: Thursday, April 24, 2008 7:29 AM
>>
>> To: ActiveDir@mail.activedir.org
>>
>> Subject: RE: [ActiveDir] Programmatic Method to check if a DC is
>> Advertising
>>
>>
>>
>> To further clarify, we would like to accomplish this without impersonating
>> logon local or do any remoting. We would like to use only LDAP calls to get
>> Advertising status.
>>
>>
>>
>> Thanks,
>>
>> John
>>
>>
>>
>> -----Original Message-----
>>
>> From: ActiveDir-owner@mail.activedir.org [mailto:
>> ActiveDir-owner@mail.activedir.org] On Behalf Of Serban, John
>>
>> Sent: Thursday, April 24, 2008 10:22 AM
>>
>> To: ActiveDir@mail.activedir.org
>>
>> Subject: [ActiveDir] Programmatic Method to check if a DC is Advertising
>>
>>
>>
>> Does anyone have a programmatic method to test if a domain controller is
>> advertising that would replicate the functionality of DCDIAG
>> /test:advertising ? We patch our domain controllers in groups to ensure
>> continued availability and would like an easily scriptable way to make sure
>> all patched/rebooted DCs are back up and advertising before proceeding with
>> the next group.
>>
>>
>>
>>
>>
>> Thanks,
>>
>> John
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
| | | |
| bdesmond
Posts:374
 | | 07/16/2008 7:01 PM |
| | There is some issue with calling these APIs under Network Service on IIS. I
don't remember what though. Joe Kaplan usually is around here - he would
know.
--brian
On Fri, May 30, 2008 at 6:06 PM, Greg Reevosh <grincik50@gmail.com> wrote:
> This is ASP.net app runs within default app pool and no special parameters
> passed to this function. Like I said works fine for most of DC. Same
> policies applied. However, when I impersonate domain user and call this
> function and de-personate -- works fine for all DC's. We do not allow
> anonymous binds -- there must be an explanation.
>
> NetApiBufferFree(pDCI); -- is run every time in finally statement; nltest
> is fine.
>
>
>
>
>
> On 5/29/08, joe <listmail@joeware.net> wrote:
>>
>> My thoughts...
>>
>> 1. Does nltest /dsgetdc work?
>>
>> 2. Are these DCs using some "special" policy? I.E. Are you "one of those"
>> companies that set up different DCs in the same domain with different
>> policies?
>>
>> 3. Can you do a dir of the netlogon or sysvol shares with that ID on those
>> DCs?
>>
>> 4. What happens if you set up a null session connection to the problematic
>> DCs and run your tool or nltest against the DC? This API call shouldn't
>> require any perms to run if I recall.
>>
>> 5. Have you gotten a network trace and compared it to the trace from a DC
>> you can query to see where exactly it is blowing out at?
>>
>>
>> Likely you can force this to work by making a null session connection to
>> each DC, making the call, then breaking the connection. However, I would
>> highly recommend working out where that access denied is coming from, it
>> could be a symptom of something wrong.
>>
>> joe
>>
>>
>> --
>> O'Reilly Active Directory Third Edition -
>> http://www.joeware.net/win/ad3e.htm
>>
>>
>>
>> ------------------------------
>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Greg Reevosh
>> *Sent:* Thursday, May 29, 2008 11:30 PM
>> *To:* ActiveDir@mail.activedir.org
>> *Subject:* Re: [ActiveDir] Programmatic Method to check if a DC is
>> Advertising
>>
>>
>> I've tried it with no flag, passing FQDN, WIN name and passing name and
>> domain as second parameter. Can connect to most of DC except those specific
>> ones. Same access denied error. Same version.
>>
>> On 5/29/08, Joseph Isenhour <Josephi@microsoft.com> wrote:
>>>
>>> Same version of windows other than architecture?
>>>
>>>
>>>
>>> For grins, give it a try with no flags. Meaning drop the GetDCFlags.DirectoryServiceRequired
>>> flag and see what you get back in the DOMAIN_CONTROLLER_INFO structure.
>>>
>>>
>>>
>>>
>>>
>>> Joe Isenhour – Program Manager | Enterprise Engineering Center | office:
>>> 425.703.7961| email: josephi@microsoft.com
>>>
>>>
>>>
>>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Greg Reevosh
>>> *Sent:* Thursday, May 29, 2008 5:29 PM
>>> *To:* ActiveDir@mail.activedir.org
>>> *Subject:* Re: [ActiveDir] Programmatic Method to check if a DC is
>>> Advertising
>>>
>>>
>>>
>>> Yes. Exactly the same ones. Initially I thought it might be related to
>>> x64 but there are some that work fine.
>>>
>>> On 5/29/08, *Joseph Isenhour* <Josephi@microsoft.com> wrote:
>>>
>>> Well if it's the same domain and the same account then it probably isn't
>>> related to rights unless something is really screwy. Is it always the same
>>> ones that fail?
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Greg Reevosh
>>> *Sent:* Thursday, May 29, 2008 5:01 PM
>>> *To:* ActiveDir@mail.activedir.org
>>> *Subject:* Re: [ActiveDir] Programmatic Method to check if a DC is
>>> Advertising
>>>
>>>
>>>
>>> Hi Joe,
>>>
>>>
>>>
>>> It works fine for most DC's and returns "Access is denied" for a very
>>> few. It runs under the same account for the ones that work and for the ones
>>> that fail in the same domain. Is there anything else that might cause it?
>>>
>>>
>>> Thanks
>>>
>>> --Greg
>>>
>>>
>>> On 5/29/08, *Greg Reevosh* <grincik50@gmail.com> wrote:
>>>
>>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Joseph Isenhour
>>> *Sent:* Wednesday, May 28, 2008 5:40 PM
>>> *To:* ActiveDir@mail.activedir.org
>>> *Subject:* RE: [ActiveDir] Programmatic Method to check if a DC is
>>> Advertising
>>>
>>>
>>>
>>> When you pass DsGetDCName an fqdn I believe it will actually attempt to
>>> remote the call via RPC to whichever server is specified. So for example:
>>>
>>>
>>>
>>> int val = DsGetDcName("someserver.company.net","",0,"",Convert.ToUInt32(GetDCFlags.DirectoryServiceRequired),
>>> out pDCI);
>>>
>>>
>>>
>>> If I'm not mistaken that call will actually tell someserver.company.net
>>> to run the dsgetdcname call. If that's the case then whatever security
>>> context is running the command must have the necessary rights on
>>> someserver.company.net to run the function. You might be running into a
>>> scenario where the account issuing the dsgetdcname call does not have the
>>> rights it needs on the remote server.
>>>
>>>
>>>
>>> On 5/28/08, *Greg Reevosh* <grincik50@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>>
>>>
>>> I am using following method:
>>>
>>>
>>>
>>>
>>>
>>> DOMAIN_CONTROLLER_INFO domainInfo;
>>> const int ERROR_SUCCESS = 0;
>>> IntPtr pDCI = IntPtr.Zero;
>>> try {
>>>     // Returns ERROR_SUCCESS and fills pDCI when a DC is located.
>>>     int val = DsGetDcName(dnsName, "", 0, "",
>>>         Convert.ToUInt32(GetDCFlags.DirectoryServiceRequired), out pDCI);
>>>     if (ERROR_SUCCESS == val) {
>>>         domainInfo = (DOMAIN_CONTROLLER_INFO)Marshal.PtrToStructure(pDCI,
>>>             typeof(DOMAIN_CONTROLLER_INFO));
>>>     } else { throw new Win32Exception(val); }
>>> } finally {
>>>     // Release the buffer that DsGetDcName allocated.
>>>     NetApiBufferFree(pDCI);
>>> }
>>>
>>>
>>>
>>> dnsName = format is: server FQDN. (EX: server1.domain.domain.net)
>>>
>>> what happens is that for most of DC's it works fine but on some I get
>>> "val=5" (access is denied) error. I check DC and it is good (dcdiag, nltest,
>>> etc.) I would appreciate any help.
>>>
>>> Thanks
>>>
>>> --Greg
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>>
>>> From: ActiveDir-owner@mail.activedir.org [mailto:
>>> ActiveDir-owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov
>>>
>>> Sent: Thursday, April 24, 2008 1:26 PM
>>>
>>> To: ActiveDir@mail.activedir.org
>>>
>>> Subject: RE: [ActiveDir] Programmatic Method to check if a DC is
>>> Advertising
>>>
>>>
>>>
>>> Strictly speaking, it is not possible over LDAP alone. Checking
>>> rootDse/isSynchronized is a good first approximation -- it indicates that
>>> the "DS part" of the DC is ready. However, netlogon is also checking that
>>> NTFRS/DFSR are ready as well, before advertising. Usually, I check their
>>> state by looking at
>>> HKLM/System/CCS/Services/Netlogon/Parameters/SysvolReady.
>>>
>>>
>>>
>>> The "correct" way to check if the DC is advertising or not is calling
>>> DsGetDcName targeting the DC in question (ComputerName parameter), with NULL
>>> domain and DS_DIRECTORY_SERVICE_REQUIRED flag. It should return itself. Then
>>> check Flags in the returned dcinfo struct.
>>>
>>>
>>>
>>> Dmitri
>>>
>>>
>>>
>>> -----Original Message-----
>>>
>>> From: ActiveDir-owner@mail.activedir.org [mailto:
>>> ActiveDir-owner@mail.activedir.org] On Behalf Of Serban, John
>>>
>>> Sent: Thursday, April 24, 2008 7:29 AM
>>>
>>> To: ActiveDir@mail.activedir.org
>>>
>>> Subject: RE: [ActiveDir] Programmatic Method to check if a DC is
>>> Advertising
>>>
>>>
>>>
>>> To further clarify, we would like to accomplish this without
>>> impersonating logon local or do any remoting. We would like to use only
>>> LDAP calls to get Advertising status.
>>>
>>>
>>>
>>> Thanks,
>>>
>>> John
>>>
>>>
>>>
>>> -----Original Message-----
>>>
>>> From: ActiveDir-owner@mail.activedir.org [mailto:
>>> ActiveDir-owner@mail.activedir.org] On Behalf Of Serban, John
>>>
>>> Sent: Thursday, April 24, 2008 10:22 AM
>>>
>>> To: ActiveDir@mail.activedir.org
>>>
>>> Subject: [ActiveDir] Programmatic Method to check if a DC is Advertising
>>>
>>>
>>>
>>> Does anyone have a programmatic method to test if a domain controller is
>>> advertising that would replicate the functionality of DCDIAG
>>> /test:advertising ? We patch our domain controllers in groups to ensure
>>> continued availability and would like an easily scriptable way to make sure
>>> all patched/rebooted DCs are back up and advertising before proceeding with
>>> the next group.
>>>
>>>
>>>
>>>
>>>
>>> Thanks,
>>>
>>> John
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>
--
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
| | | |
|
|
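The check Dmitri Gavrilov describes in the quoted thread (call DsGetDcName with the DC under test as ComputerName, a NULL domain and DS_DIRECTORY_SERVICE_REQUIRED, confirm it returns itself, then test Flags), written out as an added C# example; it is not code from any poster in this thread. The class and method names, the DS_RETURN_DNS_NAME request flag (added so the returned name can be compared with the FQDN passed in) and the set of required flag bits are choices made for this example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class DcAdvertisingCheck   // hypothetical name, example only
{
    const uint DS_DIRECTORY_SERVICE_REQUIRED = 0x10, DS_RETURN_DNS_NAME = 0x40000000; // request flags
    const uint DS_LDAP_FLAG = 0x8, DS_DS_FLAG = 0x10, DS_KDC_FLAG = 0x20, DS_WRITABLE_FLAG = 0x100; // response bits
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct DOMAIN_CONTROLLER_INFO
    {
        public string DomainControllerName, DomainControllerAddress;
        public uint DomainControllerAddressType;
        public Guid DomainGuid;
        public string DomainName, DnsForestName;
        public uint Flags;
        public string DcSiteName, ClientSiteName;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern int DsGetDcName(string computerName, string domainName,
        IntPtr domainGuid, string siteName, uint flags, out IntPtr info);
    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buffer);

    // True when targetFqdn answers for itself and advertises every bit in 'required'.
    static bool IsAdvertising(string targetFqdn, uint required)
    {
        IntPtr p = IntPtr.Zero;
        try
        {
            int rc = DsGetDcName(targetFqdn, null, IntPtr.Zero, null,
                DS_DIRECTORY_SERVICE_REQUIRED | DS_RETURN_DNS_NAME, out p);
            if (rc != 0) { Console.Error.WriteLine("{0}: {1}", targetFqdn, new Win32Exception(rc).Message); return false; }
            var info = (DOMAIN_CONTROLLER_INFO)Marshal.PtrToStructure(p, typeof(DOMAIN_CONTROLLER_INFO));
            // The returned name is prefixed with \\; a different name means another DC answered.
            string returned = info.DomainControllerName.TrimStart('\\').TrimEnd('.');
            return returned.Equals(targetFqdn.TrimEnd('.'), StringComparison.OrdinalIgnoreCase)
                && (info.Flags & required) == required;
        }
        finally { if (p != IntPtr.Zero) NetApiBufferFree(p); }   // always free the API buffer
    }
    static int Main(string[] args)   // args: FQDNs of the DCs just patched
    {
        uint need = DS_DS_FLAG | DS_LDAP_FLAG | DS_KDC_FLAG | DS_WRITABLE_FLAG;
        int notReady = 0;
        foreach (string dc in args)
            if (!IsAdvertising(dc, need)) { Console.WriteLine(dc + ": NOT advertising"); notReady++; }
        return notReady;   // non-zero exit code holds back the next patch group
    }
}
```

An error 5 (access is denied) from a DC that otherwise passes dcdiag is reported and counted as not ready, which is the safer outcome for a patch gate; the calling identity, as discussed in the thread, is the first thing to compare between working and failing DCs.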