| Author | Messages | |
ChrisClemson
Posts:6
 | | 04/29/2008 5:56 AM |
| Please excuse me if this is the wrong place to ask this, but it seems that other people have posted ADAM-related questions here before.
I am trying to use ADAM to keep a copy of AD, which I hope to achieve using the ADAMSync utility eventually.
Although ADAM is installed on a machine in our domain, I don't want the domain to know about it, and the Event ID 2536 (which is generated when it can't get to the domain), says I can use msDS-DisableForInstances to stop it trying to register the serviceConnectionPoint object. This is fine, and I have found it using ADSIedit, but what do I set it to? I tried just setting it to "1", but of course this fails as it is expecting a DN-style attribute.
Also, on http://groups.google.com/group/microsoft.public.adsi.general/browse_thread/thread/44645e13fc64d5b1/0d97346af6786e86?lnk=st&q=%22msDS-DisableForInstances%22#0d97346af6786e86 it mentions:
"Not at install time. But after you install, set enabled=FALSE on the CN=SCP Publication Service,CN=Directory Service,CN=WindowsNT,CN=Services,CN=Configuration,DC={GUID}."
But I can't find this in ADAM. Does anyone know of any instructions for doing this and what the DN should be?
On a another note, does anyone know of any ADAM-related mailing lists, or does this list cover both?
Thank you,
Chris
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |
| lef
Posts:21
 | | 04/29/2008 7:16 AM |
| Hi
-snip-
. To prevent an ADAM instance from updating its SCP object, or to prevent an ADAM instance from recreating the SCP object after you have deleted the SCP object, set the registry key value HKLM\System\CurrentControlSet\Services\instance name\Parameters\Server information update interval (mins) to 0.
. To prevent the publication of SCPs for all ADAM instances in an ADAM configuration set, set the attribute Enabled on the object CN=SCP Publication Service,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID} to False.
-snip-
from the "Modifying SCPs" section of:
http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx
So it's the (boolean) "Enabled" attribute of the CN=SCP Publication Service object that you want.
msDS-DisableForInstances looks like a linked multivalued DN attribute on the SCP Publication Service that would allow you to exclude specific DSAs from appearing in an SCP; I think you just want the global disable above.
The 2536 error you are getting is fairly harmless.
Lee Flight
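A worked example, added here and not taken from the thread or from the TechNet page Lee cites: a PowerShell script that applies both settings to a local ADAM instance, reads the Enabled value back from the instance, and then lists any serviceConnectionPoint objects still sitting under the host's computer account in the domain, because neither setting removes an SCP that has already been published (the TechNet text says to delete it). The LDAP port localhost:50000, the service name ADAM_GAL and the REG_DWORD type of the registry value are assumptions; the per-instance branch follows Lee's reading of msDS-DisableForInstances as a multi-valued DN attribute listing DSAs to exclude.

```powershell
# Added example (not from the thread or from the TechNet page it cites):
# disable SCP publication for one ADAM instance and check the result.
# Assumptions, adjust for your environment:
#   - the instance answers LDAP on localhost:50000
#   - its Windows service is named ADAM_GAL
#   - 'Server information update interval (mins)' is a REG_DWORD
param(
    [string]$Instance    = 'localhost:50000',
    [string]$ServiceName = 'ADAM_GAL',
    [switch]$ThisInstanceOnly   # exclude only this DSA instead of the global switch
)

# Build the DN from the instance's own rootDSE so the CN={GUID} part is right.
$rootDse  = [ADSI]"LDAP://$Instance/RootDSE"
$configNc = $rootDse.configurationNamingContext.Value    # CN=Configuration,CN={GUID}
$dsaDn    = $rootDse.dsServiceName.Value                 # nTDSDSA object of this instance
$scpDn    = "CN=SCP Publication Service,CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$scpSvc   = [ADSI]"LDAP://$Instance/$scpDn"

if ($ThisInstanceOnly) {
    # Per the thread's reading of msDS-DisableForInstances: a multi-valued DN
    # attribute naming DSAs to leave out of publication. 3 = ADS_PROPERTY_APPEND.
    $scpSvc.PutEx(3, 'msDS-DisableForInstances', @($dsaDn))
} else {
    # Global switch for every instance in the configuration set.
    $scpSvc.Put('enabled', $false)
}
$scpSvc.SetInfo()

# Stop this instance from updating or re-creating its SCP object.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
Set-ItemProperty -Path $regPath -Name 'Server information update interval (mins)' `
                 -Value 0 -Type DWord

# Read back what the instance now holds.
$scpSvc.GetInfo()
"SCP Publication Service at $scpDn"
"  enabled                  = $($scpSvc.Get('enabled'))"
if ($ThisInstanceOnly) {
    "  msDS-DisableForInstances = $($scpSvc.GetEx('msDS-DisableForInstances') -join '; ')"
}
"  registry interval (mins) = $((Get-ItemProperty $regPath).'Server information update interval (mins)')"

# An SCP that was already published is not removed by either setting. ADAM
# publishes its SCP beneath the host's computer object, so list what is still
# there and delete it by hand if needed.
$domainNc = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
$find = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNc")
$find.Filter = "(&(objectClass=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$computer = $find.FindOne()
if (-not $computer) { "computer object for $env:COMPUTERNAME not found in $domainNc"; return }

$scps = New-Object System.DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry())
$scps.Filter      = '(objectClass=serviceConnectionPoint)'
$scps.SearchScope = 'OneLevel'
[void]$scps.PropertiesToLoad.AddRange(@('distinguishedName', 'keywords', 'serviceBindingInformation'))
$published = @($scps.FindAll())
if ($published.Count -eq 0) {
    "no serviceConnectionPoint under $($computer.Path)"
} else {
    foreach ($scp in $published) {
        "still published: $($scp.Properties['distinguishedname'][0])"
        "  serviceBindingInformation = $($scp.Properties['servicebindinginformation'] -join ', ')"
        "  keywords                  = $($scp.Properties['keywords'] -join ', ')"
    }
}
```

Run it on the ADAM host with an account that can write to the instance's configuration partition and to the service's registry key; the last section only reads from the domain, so a leftover SCP is reported, not removed.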
| | | |
| ChrisClemson
Posts:6
 | | 04/29/2008 9:58 AM |
| > -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Lee Flight
> Sent: 29 April 2008 12:16
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] ADAM and AD serviceConnectionPoint object
> from the "Modifying SCPs" section of:
> http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx
Ah, I guess I should have just searched for SCP instead!
> So it's the (boolean) "Enabled" attribute of the CN=SCP Publication Service object that you want.
>
> msDS-DisableForInstances looks like a linked multivalued DN attribute on the SCP Publication Service that would allow you to exclude specific DSAs from appearing in an SCP; I think you just want the global disable above.
Correct, the global disable is exactly what I was after.
> The 2536 error you are getting is fairly harmless.
True, I just want to make sure that it doesn't try to contact our main AD infrastructure.
Thank you!
Chris
| | | |
| listmail
Posts:428
 | | 04/29/2008 10:08 AM |
| I am curious why you don't want ADAM registering in Active Directory... This is a pretty cool feature to help you locate instances of the service as needed for general service location or service management functionality. I think in general it would be nice (and a lot of IT management people ask for this type of information) if more application services did things like that.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
| dmitrig
Posts:59
 | | 04/29/2008 11:18 AM |
| You've got the correct info. You have to set enabled=FALSE on the SCP publication service object. You cannot find it in ADAM? Where exactly did you look for it?
That said, AD admins will find you anyway. You cannot hide from their unblinking eye.
| | | |
| ChrisClemson
Posts:6
 | | 04/29/2008 12:19 PM |
| > I am curious why you don't want ADAM registering in Active Directory... This is a pretty cool feature to help you locate instances of the service as needed for general service location or service management functionality. I think in general it would be nice (and a lot of IT management people ask for this type of information) if more application services did things like that.
Basically, I need to find a way of copying all the information that is normally in the GAL into a place that people can browse anonymously (or with 1 particular account). We are trying to get rid of our Exchange 5.5 servers, which did allow anonymous access to the GAL, and I was trying to replicate this kind of functionality in ADAM. I would prefer if it didn't know anything about our AD. This is partly for security, and also I don't really want internal network users to access or know anything about this.
I was originally going to use something like OpenLDAP, but have been having problems with the schemas. It seems that I need the latest OpenLDAP (2.4.x) to be able to store the memberOf attribute (via an "overlay"), which means I have to compile it myself (there are no windows binaries available). I've been struggling with this as I've never compiled cygwin/mingw binaries on windows.
If you think I'm going about this the wrong way, feel free to tell me!
Thanks,
Chris
| | | |
| listmail
Posts:428
 | | 04/29/2008 12:29 PM |
| This is a great use of ADAM IMO. Especially over OpenLDAP unless you already have an OpenLDAP skill set and really want to use that.
Normal users won't know anything about it due to the SCP publication, though, unless they know to go looking for SCPs. The people who would know should be admins and application devs.
If you don't want ADAM to know anything about AD, then don't make it part of a domain in the forest. As it is, people will be able to authenticate to the ADAM instance with their domain accounts if it is part of the forest. They may not be able to do much if anything with it since it is locked down by default for viewing, but they could certainly connect to it. If it isn't in the forest, the best they can do is enumerate the rootdse as that is anonymous and doesn't go back to AD for anything.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
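As an added check (example code, not from the thread), a PowerShell function built on System.DirectoryServices.Protocols that reproduces joe's three observations against an instance: what an anonymous client can read from rootDSE, whether an anonymous client can list anything in an application partition, and whether a domain account is accepted by a Negotiate bind. The host name adamhost:50000 and the partition DN O=GAL,C=US are assumptions; pass the real values.

```powershell
using namespace System.DirectoryServices.Protocols
# Added example (not from the thread). Probe what an ADAM instance exposes to
# an anonymous client and, optionally, to a domain account.
# Assumptions: instance on adamhost:50000, application partition O=GAL,C=US.

function Test-AdamExposure {
    param(
        [string]$Server      = 'adamhost:50000',
        [string]$PartitionDn = 'O=GAL,C=US',
        [pscredential]$DomainCredential      # optional: a domain user to try a Negotiate bind with
    )
    $result = [ordered]@{}
    $target = [LdapDirectoryIdentifier]::new($Server)

    # 1. Anonymous rootDSE read: answered regardless of forest membership.
    $anon = [LdapConnection]::new($target)
    $anon.AuthType = [AuthType]::Anonymous
    $anon.SessionOptions.ProtocolVersion = 3
    $anon.Bind()
    $req = [SearchRequest]::new('', '(objectClass=*)', [SearchScope]::Base,
                                [string[]]@('namingContexts', 'dsServiceName', 'supportedSASLMechanisms'))
    $root = $anon.SendRequest($req).Entries[0]
    $result.namingContexts = $root.Attributes['namingContexts'].GetValues([string])
    $result.dsServiceName  = $root.Attributes['dsServiceName'].GetValues([string])[0]
    $result.saslMechanisms = $root.Attributes['supportedSASLMechanisms'].GetValues([string])

    # 2. Anonymous read of the application partition: ADAM refuses this unless
    #    anonymous access has been switched on deliberately.
    try {
        $req = [SearchRequest]::new($PartitionDn, '(objectClass=*)', [SearchScope]::OneLevel, [string[]]@('cn'))
        $req.SizeLimit = 5
        $n = $anon.SendRequest($req).Entries.Count
        $result.anonymousPartitionRead = "allowed ($n entries returned)"
    } catch [DirectoryOperationException] {
        $result.anonymousPartitionRead = "denied: $($_.Exception.Response.ResultCode)"
    }
    $anon.Dispose()

    # 3. Windows-principal bind: only accepted when the ADAM host can resolve
    #    the account, i.e. when the host is a member of the forest.
    if ($DomainCredential) {
        $dom = [LdapConnection]::new($target, $DomainCredential.GetNetworkCredential(), [AuthType]::Negotiate)
        try     { $dom.Bind(); $result.domainAccountBind = 'accepted' }
        catch [LdapException] { $result.domainAccountBind = "rejected: $($_.Exception.Message)" }
        finally { $dom.Dispose() }
    }
    [pscustomobject]$result
}

# Test-AdamExposure -Server 'adamhost:50000' -PartitionDn 'O=GAL,C=US' -DomainCredential (Get-Credential)
```

Run it from a workstation, not from the ADAM host, so the result reflects what a network client actually gets; a successful domainAccountBind from a machine outside the instance's domain is the signal that the host is still acting as a forest member.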
| | | |
| tonyszko
Posts:46
 | | 04/29/2008 1:54 PM |
| Clemson, Chris (IHG) wrote:
> Basically, I need to find a way of copying all the information that is
> normally in the GAL, into a place that people can browse anonymously (or
> with 1 particular account).
> We are trying to get rid of our Exchange 5.5 servers, which did allow
> anonymous access to the GAL, and was trying to replicate this kind of
> functionality in ADAM.
> I would prefer if it didn't know anything about our AD.
> This is partly for security, and also I don't really want internal
> network users to access or know anything about this.
>
(...)
> > If you think I'm going about this the wrong way, feel free to tell me!
You are definitely going in a good direction (at least IMO). ADAM should serve you well. I know that ADAM gives you a synchronization tool, which is great; however, if you are not scared of a bit of .NET coding you may also want to explore IIFP as a possible synchronization engine. This might give you a bit more flexibility if you want to make some modifications during synchronization.
http://www.microsoft.com/downloads/details.aspx?familyid=d9143610-c04d-41c4-b7ea-6f56819769d5&displaylang=en
(as joe is on this thread ... yes, I think I know what you think about using .NET and IIFP, especially as IIFP is based on SQL)
-- Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
| | | |
| ChrisClemson
Posts:6
 | | 04/29/2008 1:54 PM |
| > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov
> Sent: 29 April 2008 16:15
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] ADAM and AD serviceConnectionPoint object
>
> You've got the correct info. You have to set enabled=FALSE on the SCP publication service object. You cannot find it in ADAM? Where exactly did you look for it?
I was looking in the Configuration partition and couldn't see it, but since I've rebooted and rerun ADAM-adsiedit, it seems to be showing up. I have now changed enabled to FALSE, but am still getting the 2536 error. Can I ignore this?
> That said, AD admins will find you anyway. You cannot hide > from their unblinking eye.
Hehe! That's ok, I am an admin. I just don't want normal users to find it, as the info will probably be a day out of sync (once I get it working) and incomplete.
Thanks,
Chris
| | | |
| listmail
Posts:428
 | | 04/29/2008 5:31 PM |
| Yeah annoying that SQL Requirement...
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
| ChrisClemson
Posts:6
 | | 04/30/2008 4:57 AM |
| > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tomasz Onyszko
> Sent: 29 April 2008 18:38
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] ADAM and AD serviceConnectionPoint object
>
> (...)
>
> > > If you think I'm going about this the wrong way, feel free to tell me!
>
> You are definitely going in good direction (at least IMO). ADAM should serve well for you. I know that ADAM gives You synchronization tool which is great, however if You are not scared with a bit of .NET coding You may want to explore also IIFP as possible synchronization engine. This might give You a bit more flexibility if You will want to make some modifications during synchronization.
Hopefully I won't need to make any modifications, other than probably removing unimportant account information.
> http://www.microsoft.com/downloads/details.aspx?familyid=d9143610-c04d-41c4-b7ea-6f56819769d5&displaylang=en
>
> (as joe is on this thread ... yes, I think I know what You think about using .NET and IIFP, especially IIFP is based on SQL )
Thanks Thomas, I will check that out.
Chris
| | | |