| Author | Messages | |
theo22
Posts:44
 | | 01/28/2011 3:22 PM |
| This has got to be some kind of a permission thing but I'm puzzled and would like to know what is going on here. (I have Domain Admin credentials.)
If I run this statement from a cmd window to show an object's meta data on a DC, I get the output I'm looking for:
adfind -b "dc=forestdnszones,dc=mycorp,dc=com" -sc objsmeta -f name=somehost
Same for the repadmin statement:
repadmin /showmeta "dc=somehost,dc=myzone.com,cn=microsoftDNS,DC=forestdnszones,dc=mycorp,dc=com"
But if I run those statements from my host or any other non-DC hosts I get no output. Here's what I get:
Adfind:
Using server: DC1.mydomain.mycorp.com:389
Directory: Windows Server 2003
0 Objects returned
Repadmin:
DsBindWithCred to localhost failed with status 1753 (0x6d9):
There are no more endpoints available from the endpoint mapper.
Problem I'm trying to solve:
I would like my monitoring system to run one of these statements and capture its output to a file when triggered. I have a DNS record that goes missing and I want the meta data on the record when this happens so I can pinpoint where to find the Event in the logs and on which DC it is located.
I've even tried to have the monitoring system run C:> psexec \\DC1 adfind statement > myfile.txt. (or the equivalent repadmin statement)
If I run the psexec statement from the cmd line on the monitoring host without trying to redirect to a file, I get the expected output. But when I try to dump it to a file it fails. I get an empty file.
I've spent way too much time on this and need some help. In my mind this should have been a fairly simple task but now I'm stumped. I'm looking to the heavens of ActiveDir.org for some guidance.
Thank you,
Ted Osheroff
| | | |
| pbbergs
Posts:287
 | | 01/28/2011 3:26 PM |
| When I see "No Endpoints" I think firewall issue. Check to see if you have rpc being blocked.
Thanks
Paul
It is the responsibility of Windows Server Services department to only provide those powers which are absolutely essential to perform an end user's job. Although this can sometimes lead to frustration, this process is in place to protect the enterprise assets (POLP).
| | | |
| theo22
Posts:44
 | | 01/28/2011 5:26 PM |
| I checked with the network team. Nothing is blocked internally related to rpc. We have McAfee installed on our boxes but I turned it off and that didn't help either.
No one else has seen this? Does everyone log into a DC to run these commands?
-Ted
| | | |
| listmail
Posts:824
 | | 01/28/2011 5:28 PM |
| RepAdmin is using RPC to get the information, the no endpoints would mean an issue with RPC on one or the other machine or possibly a port filtering issue (firewall or other network shaping device).
AdFind on the other hand uses LDAP for this so if you can retrieve anything from the given DC through AdFind, you should be able to get this info, assuming it is on this DC. The fact that you get 0 objects returned means that you are connecting fine and AD is responding to the search request. Since you don't show the output from the run ON the DC, my question is, does the run on your host hit the SAME DC? I.e., does DC1.mydomain.mycorp.com have that app partition on it? If so, can you query that NC for anything?
joe
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
Blog: http://blog.joeware.net
| | | |
| pbbergs
Posts:287
 | | 01/28/2011 5:30 PM |
| If 2008, is the firewall on the DC's running?
Thanks
Paul
pbergson@allete.com (e-mail)
pbbergs@msn.com (IM)
| | | |
| Gil
Posts:315
 | | 01/28/2011 5:34 PM |
| >> DsBindWithCred to localhost failed with status 1753 (0x6d9):
Repadmin seems to be trying to bind locally. Did you try specifying the DC name on the command line? Not sure why DC locator wouldn't work here... maybe a DNS thing?
-gil
| | | |
| theo22
Posts:44
 | | 01/28/2011 11:16 PM |
| Thank you everyone for helping out on this. Much appreciated!!!
Let me see if I can answer all the questions:
Paul - I am working with all Server 2003 DC's. No 2008 DC's. It doesn't appear that any port blocking was a problem. See my response to Gil.
Gil - You nailed it. I changed my command line to this and it worked:
C:\> repadmin /showobjmeta DC1 "dc=hostname,dc=lucasfilm.com,cn=microsoftdns,dc=forestdnszones,dc=mycorp,dc=com" > hostname_meta_log.txt
I needed to add the DC name to the repadmin statement when running the command from a host other than a DC.
Joe - Thank you for the distinction between repadmin and adfind. I was not aware of the difference between the underlying calls of the two statements. However I still cannot get the adfind command to work consistently which is actually my tool of choice (although I'm still learning). Clearly I do not understand what is happening here.
1) If I run this from my host it works:
C:\> adfind -b "dc=forestdnszones,dc=mycorp,dc=com" -sc objsmeta -f name=hostname
Using server: DC1.domain.mycorp.com:389
Directory: Windows Server 2003
...
2) If I run the same command on another host it fails. Notice it uses a different DC. I get this:
Using server: DC2.domain.mycorp.com:389
Directory: Windows Server 2003
ldap_get_next_page_s: [DC2.domain.mycorp.com] Error 0x57 (87) - Filter Error
0 Objects returned
3) If I run the following command on my host (adding the -h to adfind cmd) it fails. It used to work when I didn't enter the host to connect to. I get this:
C:\> adfind -h DC1.domain.mycorp.com:389 -b "dc=forestdnszones,dc=mycorp,dc=com" -sc objsmeta -f name=hostname
Using server: DC1.domain.mycorp.com:389
Directory: Windows Server 2003
ldap_get_next_page_s: [DC1.domain.mycorp.com] Error 0x57 (87) - Filter Error
0 Objects returned
4) I get the same result on the other server when using the -h command to connect to the DC that worked in case 1.
Why does it work on my host when I don't use the -h flag but fails when I use it? Am I just using the -h flag incorrectly? And why can't I get the same working command in Ex 1. to work on my other host? Is it because it is hitting a different DC?
-Ted
| | | |
| theo22
Posts:44
 | | 01/28/2011 11:24 PM |
| Ooops. I forgot to mention.
I changed the repadmin statement from: Repadmin /showmeta to: Repadmin /showobjmeta.
One wonders if that had anything to do with it also.
-Ted
| | | |
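Added example (not part of the thread and not code from any poster): a Python check that a monitoring job could run over the file captured with the `repadmin /showobjmeta DC1 "<DN>" > file` command above. It rejects the empty-file and bind-failure captures seen in the thread, then reports which DC originated the latest change and when. The sample text, the `HQ\DC1` and `HQ\DC2` names and all function names are constructed, and the six-column row layout is an assumption about repadmin's table output.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple


class AttrMeta(NamedTuple):
    local_usn: int
    originating_dsa: str       # "Site\DC" as printed by repadmin
    originating_usn: int
    originating_time: datetime
    version: int
    attribute: str


# Assumed row layout: Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute
ROW = re.compile(
    r"^\s*(\d+)\s+(\S.*?)\s+(\d+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$"
)
ENTRIES = re.compile(r"^\s*(\d+) entries\.", re.MULTILINE)


def parse_showobjmeta(text):
    """Return one AttrMeta per attribute row; raise ValueError on a bad capture."""
    if not text.strip():
        raise ValueError("capture is empty (redirect or remote execution failed)")
    if "failed with status" in text:
        raise ValueError("repadmin could not bind: " + text.strip().splitlines()[0])
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(AttrMeta(int(m[1]), m[2], int(m[3]),
                                 datetime.strptime(m[4], "%Y-%m-%d %H:%M:%S"),
                                 int(m[5]), m[6]))
    declared = ENTRIES.search(text)
    # A row count that disagrees with the "N entries." header means a cut-off file.
    if not rows or (declared and int(declared[1]) != len(rows)):
        raise ValueError("capture is truncated or not showobjmeta output")
    return rows


def last_originating_write(rows, attributes=None):
    """Most recent originating write, optionally limited to some attribute names."""
    wanted = {a.lower() for a in attributes} if attributes else None
    picked = [r for r in rows if wanted is None or r.attribute.lower() in wanted]
    if not picked:
        raise ValueError("none of the requested attributes are present")
    return max(picked, key=lambda r: (r.originating_time, r.originating_usn))


def log_window(meta, minutes=5):
    """Time range to search in the originating DC's event logs (times as printed)."""
    margin = timedelta(minutes=minutes)
    return meta.originating_time - margin, meta.originating_time + margin


# Constructed sample of a capture for a dnsNode object.
SAMPLE = r"""
6 entries.
Loc.USN                   Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                   =============== ========= =============        === =========
  70112                           HQ\DC1     70112 2011-01-10 08:30:15    1 objectClass
  70112                           HQ\DC1     70112 2011-01-10 08:30:15    1 instanceType
  70112                           HQ\DC1     70112 2011-01-10 08:30:15    1 whenCreated
  81544                           HQ\DC2     52207 2011-01-28 14:57:40    4 dnsRecord
  81544                           HQ\DC2     52207 2011-01-28 14:57:40    2 dNSTombstoned
  70112                           HQ\DC1     70112 2011-01-10 08:30:15    1 name
"""

# The failure text quoted in the first post, as it would land in the capture file.
FAILED = """DsBindWithCred to localhost failed with status 1753 (0x6d9):
    There are no more endpoints available from the endpoint mapper."""

if __name__ == "__main__":
    hit = last_originating_write(parse_showobjmeta(SAMPLE),
                                 {"dnsRecord", "dNSTombstoned"})
    start, end = log_window(hit)
    print(f"{hit.attribute} v{hit.version} last written on {hit.originating_dsa}; "
          f"search that DC's logs between {start} and {end}")
```
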