Venkata Dendukuri Messages: 1 Registered: November 2009 Location: NULL
Junior Member
Hi,
with reference to your query, there is some possibility to query Active Directory with Qmail,
but not on an already implemented infrastructure.
On a new Windows Server, before implementing your Active Directory, install Services for Unix and then implement Active Directory; in the user account properties you will find another tab, Unix Attributes.
Mention the LDAP and query.
Try this out and reply.
Matte wrote:
QMAIL - AD 2003 INTEGRATION
12-Nov-07
Dear all,
anyone have some material useful to enable me to integrate qmail and 2003 ad
schema?
I would to authenticate qmail users with ad credentials? is it possible? The
it chief doesn't like to pass to exchange so I have no other ways, is it
available a step by step guide?
thank you
Matteo
Previous Posts In This Thread:
On Monday, November 12, 2007 12:02 PM
Matte wrote:
QMAIL - AD 2003 INTEGRATION
On Monday, November 12, 2007 1:33 PM
Anthony wrote:
Re: QMAIL - AD 2003 INTEGRATION
Matteo,
You need to look into LDAP for QMail, for example: http://www.qmail-ldap.org/wiki/Main_Page. I don't know whether QMail produces
any schema extensions. If not, you'd have to script something.
Hope that helps,
Anthony, http://www.airdesk.co.uk
On Tuesday, November 13, 2007 4:06 AM
Matte wrote:
Actually I found this, but what you can read in the installation guide could
really scare you; the beginning is:
WARNING: USE AT YOUR OWN RISK!
This software comes with NO WARRANTY.
I make no guarantees that this software will work on your system,
that it will compile on your system, or that it won't
irrecoverably destroy your system. Nothing bad should happen,
but as soon as you say it is usually when it does.
Many software houses say this, but...
Ok, has anyone done authentication into qmail via Active Directory before, also in
other ways?
Thank you.
ps.
Is there a more specific newsgroup where I could insert this thread?
Matteo
On Tuesday, November 13, 2007 7:23 AM
Anthony wrote:
Hi Matteo,
Well, really it's a question purely about qmail. You would be best off asking
in some kind of qmail forum. Active Directory will act as a compliant LDAP
directory for any application that asks to authenticate over LDAP. So it's
legitimate to ask if anyone happens to be using qmail with AD, but there is
no specific Windows Server or AD connection.
Anthony, http://www.airdesk.com
On Tuesday, November 13, 2007 8:35 AM
Matte wrote:
Yep, that's true. I am trying to find as much info as I can; in our environment
the unix technician found a way that requires extending the AD schema,
so before I start I would try to find another way, keeping it out of the
box...
Sincerely, I don't want to extend the schema with a product not produced by
Microsoft.
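The thread settles on Anthony's point that, to qmail or any other mail server, AD is just an LDAP directory. As an added example (not from the thread, and not code from qmail-ldap), here is the search-then-bind logic such an integration implements, in Python, with the two checks that trip up most home-grown LDAP authenticators: the username must be escaped before it goes into a search filter (RFC 4515), and an empty password must be rejected before binding, because a simple bind with a DN and an empty password is an unauthenticated bind that AD accepts by default, so the "authentication" would succeed for anyone who knows a username. The FakeDirectory class, its entries and the example.local domain are constructed stand-ins for a real LDAPS connection so the block runs offline; they are assumptions, not anything from the thread.

```python
"""Search-then-bind authentication against an AD-style LDAP directory.

Added example. The directory below is a constructed in-memory stand-in; in a
real deployment the same two functions would sit in front of an LDAPS
connection (e.g. via ldap3 or python-ldap) to a domain controller.
"""
from dataclasses import dataclass, field


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    Without escaping, the username '*)(objectClass=*' would turn
    (&(objectClass=user)(sAMAccountName=<user>)) into
    (&(objectClass=user)(sAMAccountName=*)(objectClass=*)), which matches
    every user, and the bind that follows would target whichever entry the
    server returned first.
    """
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def user_filter(sam_account_name: str) -> str:
    """Filter that selects exactly one user object by sAMAccountName."""
    return '(&(objectClass=user)(sAMAccountName=%s))' % escape_filter_value(sam_account_name)


@dataclass
class FakeDirectory:
    """Constructed stand-in for a DC reached over LDAPS (assumption, not real AD)."""
    entries: dict = field(default_factory=dict)  # sAMAccountName -> (dn, password)

    def search(self, base_dn: str, ldap_filter: str) -> list:
        # The stand-in only recognises the filter user_filter() builds for a
        # known account. A real server would evaluate an unescaped
        # '*)(objectClass=*' filter and return entries, which is exactly what
        # the escaping prevents.
        for sam, (dn, _pw) in self.entries.items():
            if ldap_filter == user_filter(sam):
                return [dn]
        return []

    def simple_bind(self, dn: str, password: str) -> bool:
        # Mirrors AD's default: a DN with an empty password is treated as an
        # unauthenticated bind and succeeds. The caller must never get here
        # with an empty password.
        if password == '':
            return True
        for _sam, (entry_dn, pw) in self.entries.items():
            if entry_dn == dn and pw == password:
                return True
        return False


def authenticate(directory, base_dn: str, username: str, password: str) -> bool:
    """Look the user up by sAMAccountName, then bind as the returned DN."""
    if not username or not password:
        return False  # refuse the empty-password "success" before touching LDAP
    dns = directory.search(base_dn, user_filter(username))
    if len(dns) != 1:
        return False  # no match or an ambiguous match: fail closed
    return directory.simple_bind(dns[0], password)
```

In the real integration the two FakeDirectory methods map onto an LDAPS connection to a DC: search under the domain's defaultNamingContext with the escaped filter, then bind as the returned DN on a fresh connection. Binding directly with a UPN (user@domain) skips the search step, but the empty-password check is needed either way; newer AD versions can be configured to reject unauthenticated binds, and an authenticator should not rely on that having been done.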
Domain migration :Disabling SID history and allowing anonymous SID [message #595587]
Thu, 05 November 2009 15:37
polilop Messages: 13 Registered: September 2006 Location: NULL
Junior Member
After trying to disable SID history I ran into a problem: on the source DC,
after running the
Netdom trust SourceDomain.com /domain:target.com /quarantine:No /userD:User
/passwordD:Password
command, I got access denied.
I found in an article that I have to enable the following in the Group Policy:
DFS won't work, get RPC is unavailable [message #595134]
Wed, 04 November 2009 15:16
Gonzo Messages: 46 Registered: July 2006 Location: NULL
Member
Hello,
I have created a cloned domain controller for our test domain; we have 3 DCs
on our live network. Anyway, I have cleaned up the metadata, etc., and
everything is working fine apart from DFS. If I load the DFS manager and show
root, then select our DFS share, it says "RPC unavailable".
petefisher78 Messages: 1 Registered: November 2009 Location: NULL
Junior Member
Is it possible to set up a DNS alias in the same domain, but to 2
different machines, and depending on your location, the alias would
point to a specific machine? What I mean is, we are on 1 domain. We
have 2 DCs in both locations and DNS is being replicated between
them. We have an alias pointing to SharePoint. SharePoint is being
replicated in real time in both locations. What we would like is, if
someone tries to get to the alias from point A, we would like them to
be directed to the point A server. If someone from point B tries to get
to the alias, point them to the point B server. Is this possible, and
if so, how?
Re: DNS has wrong server holding PDC FSMO role [message #593501]
Thu, 29 October 2009 01:11
aceman Messages: 2324 Registered: April 2009 Location: NULL
Senior Member
"eaglesix" <mhanntest@gmail.com> wrote in message
news:a42836d7-7db2-430c-b200-150c05e02217@l2g2000yqd.googlegroups.com...
>I have a 2003 AD network with three DCs running 2003 AD mixed mode and
> one NT4 BDC. The person I had help set up the DNS advised we not set
> the msdcs forward zone as dynamic.
>
> My problem is the DNS entry for the PDC is pointing to the wrong DC.
> DNS is pointing to the machine that was the first DC in the domain and
> I assume the PDC entry pointing to it is in there due to that.
>
> Using ntdsutil shows the role of the PDC with the correct DC.
>
> nslookup -type=SRV _ldap._tcp.pdc._msdcs.<domainname> pulls up the
> wrong PDC entry.
>
> Can I just modify the DNS entry for the PDC to point to the new
> machine so everything matches? Do I need to wait until most users are
> off the network? Or can this be done at any time? The network has
> been working fine this way for quite a while. But if machines query
> DNS for the DC offering the PDC service they will get the wrong
> machine.
>
> I appreciate any help, as always
>
Sounds like this is an AD issue. I am cross-posting this to the AD newsgroup
for your convenience. Although many of the folks respond to both groups, I
think it would be better for specific exposure to the AD group. However you
can just check back here for responses.
What do you mean by not setting the _msdcs.yourdomain.local zone as dynamic?
You mean not to set as AD Integrated (store data in AD) or not to allow
Dynamic Updates? That's ill advised. I suggest to keep it AD integrated,
using the Forest Replication scope as well as to allow updates, otherwise
any changes in AD do not get registered.
I suggest you ask a qualified engineer who is familiar with AD and DNS how
to set it up. Or post here. But looks like we may need more info from you.
Read below for more info.
As for the PDC Emulator and other roles, are you sure that DC you are
referring to is the actual PDC Emulator Role holder? Run the following to
verify all Role holders:
netdom query fsmo
No, you can't simply alter the SRV records to change what you believe is the
PDC Emulator compared to what is in the SRV records in DNS. The SRV records
are published (registered into DNS) automatically by the
Netlogon service based on what the service finds in the AD database.
To ensure that the records are accurate, or at least to make sure the
Netlogon service is accurately publishing the records, perform the
following:
rename the system32\config\netlogon.dns and netlogon.bak files.
ipconfig /registerdns
net stop netlogon
net start netlogon
Go back to DNS and refresh the records to manually look at the records.
Re-run your nslookup command. Compare to what the netdom output gave you. If
the netdom output says it's DC2, but DC1 is registering as the PDC Emulator,
then it appears the problem is deeper, such as a replication issue.
What can cause issues with AD? The following is a list, but not limited to,
the causes of AD issues.
1. Using the ISP's DNS addresses in your DCs. Since AD relies on DNS, it
will be asking your ISP, 'where is my domain controller?' The ISP's DNS does
not have that info. Only use your DCs for DNS and configure a Forwarder (DNS
properties, Forwarding tab) to your ISP's DNS. If you have multiple DCs (not
including the NT4, which should NOT be running DNS) - in each DC, DNS#1
entry should be itself, and DNS#2 entry should be another DC in the same
subnet, or one across the WAN if no other DCs are on the same subnet. For
the NT4 box, point it to two of your DCs, no matter which order. Whatever
you do, do NOT use the ISP's DNS other than as a forwarder. The same goes on
all client and other machines on the network.
2. Single label name. This is a common issue many years ago when some admins
upgraded their NT4 domains to AD but did not choose a proper AD DNS domain
name, such as domain.com, domain.local, etc. A single label name example is
"DOMAIN" (without the TLD - top level domainname - of .com, .net, .local,
etc). This issue is extremely, extremely problematic.
3. Multihomed DC - DC has more than one NIC and/or IP address, and/or has
RRAS installed. Very problematic and requires registry changes to make it
work. Suggest to disable or team the NICs and use your routers for routing
data across subnets.
4. Disjointed namespace - Primary DNS Suffix does not match the zone name in
DNS, which must have updates allowed.
5. Dynamic Updates are not allowed. Extremely problematic. Registration with
Windows 2003 AD is every 24 hours. If not allowed, you will get (IIRC)
EventID 5782 errors, among other errors associated with incorrect SRV data.
That's just for starters. There are more issues associated with AD
functionality problems.
To better assist if you feel there is a problem that needs further
investigation and evaluation, please post the following:
1. Unedited ipconfig /all from your DCs.
2. Run dcdiag /v and netdiag /v and post any errors in the results.
3. Event log errors - post the eventID# and Source name
I hope that helps.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
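Ace's procedure above amounts to comparing three sources of truth: the role holder AD itself reports (netdom query fsmo), what Netlogon on that DC intends to register (its netlogon.dns file), and what DNS actually answers for _ldap._tcp.pdc._msdcs. The following is an added example, not from the thread, that automates the comparison in Python over constructed samples of those three outputs. The host names dc1/dc2, the addresses and the domain example.local are assumptions, and the sample text imitates the tools' output formats rather than being captured from a real system.

```python
"""Cross-check who AD says the PDC Emulator is against DNS and Netlogon.

Added example. The three text samples are constructed to look like the output
of `netdom query fsmo`, `nslookup -type=SRV _ldap._tcp.pdc._msdcs.<domain>`
and lines from %SystemRoot%\\system32\\config\\netlogon.dns; hostnames and the
domain example.local are assumptions.
"""
import re

# Constructed sample: AD's own view of the role holders.
NETDOM_QUERY_FSMO = """\
Schema master               dc1.example.local
Domain naming master        dc1.example.local
PDC                         dc2.example.local
RID pool manager            dc2.example.local
Infrastructure master       dc2.example.local
The command completed successfully.
"""

# Constructed sample: what DNS currently answers (here a stale record).
NSLOOKUP_SRV = """\
Server:  dc1.example.local
Address:  10.0.0.11

_ldap._tcp.pdc._msdcs.example.local     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.example.local
"""

# Constructed sample: what Netlogon on dc2 wants to register (zone-file syntax).
NETLOGON_DNS = """\
example.local. 600 IN A 10.0.0.12
_ldap._tcp.pdc._msdcs.example.local. 600 IN SRV 0 100 389 dc2.example.local.
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 389 dc2.example.local.
"""


def norm(host: str) -> str:
    """Lower-case and strip the trailing dot so the three sources compare equal."""
    return host.strip().rstrip('.').lower()


def pdc_from_netdom(text: str) -> str:
    """Role holder AD reports; netdom reads it from the directory, not from DNS."""
    for line in text.splitlines():
        m = re.match(r'^PDC\s+(\S+)', line)
        if m:
            return norm(m.group(1))
    raise ValueError('no PDC line in netdom output')


def pdc_hosts_from_nslookup(text: str) -> list:
    """Hosts DNS answers for _ldap._tcp.pdc._msdcs (may be several, or stale)."""
    return [norm(m) for m in re.findall(r'svr hostname\s*=\s*(\S+)', text)]


def pdc_from_netlogon_dns(text: str, domain: str) -> list:
    """Targets of the pdc SRV record in a DC's netlogon.dns file."""
    name = '_ldap._tcp.pdc._msdcs.%s.' % domain
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 8 and parts[0].lower() == name and parts[3] == 'SRV':
            hosts.append(norm(parts[7]))
    return hosts


def diagnose(netdom: str, nslookup: str, netlogon_dns: str, domain: str) -> str:
    """Classify the mismatch the way the reply above reasons about it."""
    truth = pdc_from_netdom(netdom)
    in_dns = pdc_hosts_from_nslookup(nslookup)
    intended = pdc_from_netlogon_dns(netlogon_dns, domain)
    if in_dns == [truth] and intended == [truth]:
        return 'consistent'
    if intended == [truth] and truth not in in_dns:
        # Netlogon on the real PDC wants to register the right record but DNS
        # still holds another host: stale record or dynamic updates refused.
        return 'dns-stale'
    if truth not in intended:
        # The DC is registering a different host than AD's FSMO holder: look
        # at replication before touching DNS by hand.
        return 'replication-suspect'
    return 'inconsistent'
```

On a real DC, feed the functions the actual output of `netdom query fsmo` and `nslookup -type=SRV _ldap._tcp.pdc._msdcs.<domain>` and the contents of netlogon.dns. A `dns-stale` verdict points at the DNS side (the record was never refreshed, or dynamic updates are refused), which the rename/registerdns/restart steps above address; `replication-suspect` means the DC's own view of the role holder differs from what netdom reports, which is the deeper problem the reply describes.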
lots of event 4662 related to DomainDNSZones [message #588978]
Tue, 13 October 2009 10:42
paulreims Messages: 2 Registered: April 2009 Location: NULL
Junior Member
Hello,
We are working with AD-integrated DNS zones. Workstations are
configured to update their own DNS entries (register the connection's
addresses in DNS).
The problem is that I see a lot of events 4662 in the AD Security log
(every few minutes), showing objects updating their entries in the
DomainDNSZones partition. To me it seems as if the computers do not
have the right to update their own DNS entries.
Concerning the rights of the DNS objects, "Enterprise Domain
Controllers" has full control, System has full control and
"Everyone" has read access.
Could there be something wrong in the DNS server security
configuration, or is there any modification to do if I want
workstations to update their own entries in DNS?
Here is the detail about the event shown in the event log:
The article describes how to set the file association within an Active
Directory.
We also upgraded our SAP CRM system and now have problems with opening
files through our document archive solution.
Happened to read this in one of the RODC presentations and didn't quite
understand what it meant. This was identified as one of the challenges
of Admin Role Separation.
"Memberships are not visible through NetLocalGroup APIs, since the
"extensions" from RODC groups are only examined at token construction
time"
jeremy Messages: 42 Registered: September 2006 Location: NULL
Member
I am in the process of migrating a domain from 2000/2003 to 2008. This is a
complete side-by-side migration to new forest, using ADMT 3.1 to migrate
accounts. In the source domain the company is running LCS 2005. I have a
feeling I will run into issues after migrating user accounts to the target
domain with access to the LCS 2005 environment that is still in the source
domain.
Does anyone have any experience with such a migration? Any advice,
suggestions, or pitfalls to watch out for?
Can not use javascript operate AD objectSid. [message #582076]
Sun, 27 September 2009 03:36
liyong Messages: 15 Registered: June 2009 Location: NULL
Junior Member
I have a script to get AD objects' SIDs. I can do it using VBScript, but I
must use JavaScript in the production environment. Now
the JavaScript has an error; can anyone help me?
My issue is that I cannot operate on the field 'objectSid' in JavaScript.
I have posted both the VBScript code and the JavaScript (the JavaScript is only a little,
and includes the error).
//javascript code for test. The code must run under a domain context, that
//means you must log in to a domain before you test.
var ObjRootDSE = GetObject("LDAP://rootDSE");
var strDomain = ObjRootDSE.Get("defaultNamingContext");
alert(strDomain);
var rootGroups = GetObject("LDAP://" + strDomain);
var enumRoot = new Enumerator(rootGroups);
for (; !enumRoot.atEnd(); enumRoot.moveNext())
{
    var rootItem = enumRoot.item();
    var x = rootItem.objectSid;     // or rootItem.objectsid; both give the same error
    rootItem.Name;                  // ok
    x == null;                      // false; not null
    //x + "";                       // error
    //rootItem.objectSid.valueOf(); // error; rootItem.objectsid.valueOf() also errors
    //x.length;                     // error ?
}
' VB script////////////////////////////////////////////////
Sub GetLDAP()
    Set ObjRootDSE = GetObject("LDAP://rootDSE")
    strDomain = ObjRootDSE.Get("defaultNamingContext")
    Set groups = GetObject("LDAP://" & strDomain)
    For Each GroupItem In groups
        Debug.Print GroupItem.Name & ", SID=" & _
            Module1.HexStrToDecStr(Module1.OctetToHexStr(GroupItem.objectSid))
        Set childgroups = GetObject("LDAP://" & GroupItem.Name & "," & strDomain)
        For Each childgroupItem In childgroups
            'Debug.Print vbTab & childgroupItem.Name & ", SID=" & _
            '    Module1.OctetToHexStr(childgroupItem.objectSid)
            'Debug.Print vbTab & childgroupItem.Name & ", SID=" & _
            '    Module1.HexStrToDecStr(Module1.OctetToHexStr(childgroupItem.objectSid))
        Next
    Next
End Sub
'''''''''''''''''''''''''''''''''
Function OctetToHexStr(arrbytOctet)
    ' Function to convert OctetString (byte array) to Hex string.
    Dim k
    OctetToHexStr = ""
    For k = 1 To LenB(arrbytOctet)
        OctetToHexStr = OctetToHexStr & Right("0" & Hex(AscB(MidB(arrbytOctet, k, 1))), 2)
    Next
End Function
''''''''''''''''''''''''''''''''''''''''
Function HexStrToDecStr(strSid)
    ' Function to convert hex Sid to decimal (SDDL) Sid, e.g. S-1-5-21-...-1013.
    ' Layout of objectSid: byte 0 = revision, byte 1 = number of sub-authorities,
    ' bytes 2-7 = identifier authority (big-endian), then 4 little-endian bytes
    ' per sub-authority. Doubles are used for the arithmetic because a 32-bit
    ' sub-authority does not fit in a signed Long.
    If strSid = "" Then Exit Function
    Dim arrbytSid, dblAuth, dblTemp, j, k
    ReDim arrbytSid(Len(strSid) / 2 - 1)
    For j = 0 To UBound(arrbytSid)
        arrbytSid(j) = CInt("&H" & Mid(strSid, 2 * j + 1, 2))
    Next
    dblAuth = CDbl(0)
    For j = 2 To 7
        dblAuth = dblAuth * 256 + arrbytSid(j)
    Next
    HexStrToDecStr = "S-" & arrbytSid(0) & "-" & CStr(dblAuth)
    For k = 0 To arrbytSid(1) - 1
        dblTemp = CDbl(0)
        For j = 3 To 0 Step -1
            dblTemp = dblTemp * 256 + arrbytSid(8 + 4 * k + j)
        Next
        HexStrToDecStr = HexStrToDecStr & "-" & CStr(dblTemp)
    Next
End Function
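The VBScript above hand-decodes the objectSid octet string. The Python below is an added example (not from the post) of the same decoding written against the documented layout, plus the reverse conversion so a round trip can be checked. Worth noting: S-1-5-21-... SIDs happen to have both a sub-authority count and an identifier authority of 5, which is why a decoder that prints byte 1 instead of bytes 2 to 7 appears to work until it meets a SID like S-1-5-32-544. The sample SIDs are well-known constants; any domain SID used with the functions is constructed.

```python
"""Decode an AD objectSid octet string into its S-1-... (SDDL) form and back.

Added example, independent of the VBScript. Byte layout (MS-DTYP 2.4.2.2):
byte 0 revision, byte 1 sub-authority count, bytes 2-7 identifier authority
as a 48-bit big-endian integer, then one 32-bit little-endian integer per
sub-authority.
"""
import struct


def sid_bytes_to_string(raw: bytes) -> str:
    """objectSid bytes -> 'S-1-5-21-...'."""
    if len(raw) < 8:
        raise ValueError('SID too short')
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError('unsupported SID revision %d' % revision)
    if len(raw) != 8 + 4 * count:
        # objectSid is fixed-length per count; anything else is corruption or
        # a caller that passed a hex *string* instead of bytes.
        raise ValueError('length %d does not match %d sub-authorities' % (len(raw), count))
    authority = int.from_bytes(raw[2:8], 'big')
    subs = struct.unpack('<%dI' % count, raw[8:])
    return '-'.join(['S', str(revision), str(authority)] + [str(s) for s in subs])


def sid_string_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> objectSid bytes, refusing out-of-range components."""
    parts = sid.split('-')
    if len(parts) < 3 or parts[0] != 'S' or parts[1] != '1':
        raise ValueError('not an SDDL SID: %r' % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError('out of range: %r' % sid)
    return bytes([1, len(subs)]) + authority.to_bytes(6, 'big') + struct.pack('<%dI' % len(subs), *subs)


def sid_hex_to_string(hexstr: str) -> str:
    """Same input the VBScript OctetToHexStr produces (e.g. '0105000000000005150000...')."""
    return sid_bytes_to_string(bytes.fromhex(hexstr))


def rid(sid: str) -> int:
    """Relative ID, the last sub-authority (500 = built-in Administrator, 512 = Domain Admins)."""
    return int(sid.rsplit('-', 1)[1])


# Well-known: BUILTIN\Administrators is S-1-5-32-544.
ADMINISTRATORS = bytes.fromhex('01020000000000052000000020020000')
```

The length check matters in practice: a SID that decodes to the right prefix but has a truncated last sub-authority would otherwise be accepted with a wrong RID, and RID is what authorization decisions on the result usually key on.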
Charles Stevenson Messages: 1 Registered: September 2009 Location: NULL
Junior Member
In my case I had only created one setting when, for whatever reason, the process stopped responding. I removed the registry.pol file and created the setting again. All is well :)
Posted as a reply to:
Restoring Registry.pol file
14-Dec-07
I have encountered an issue where it appears my Machine\registry.pol file has
become corrupted on my main Domain GPO. I have a Windows 2003 AD environment
with some Windows 2000 Domain Controllers. When I try to edit the Domain GPO
I get an error saying "Failed to open the Group Policy Object. You may not
have appropriate rights."
When I go into the Group Policy Management MMC under Computer Configuration
Administrative templates I see the following:
The following errors were encountered:
The file
" \\servername.hoc.nrc.gov\sysvol\hoc.nrc.gov\Policies\{GUID}\ Machine\registry.pol "
is not in a valid format. The file might be corrupt. Use Group Policy Object
Editor to reconfigure the settings in this extension.
Do I have to do a complete system state restore to restore the registry.pol
file? Or is there a way to just restore that file?
I am able to access all other GPOs in all other containers other than the
main GPO.
David Robson1 Messages: 5 Registered: August 2009 Location: NULL
Junior Member
Hi,
I've got a forest called forest_a. All my users and servers and workstations
are in here.
I'm planning on creating a forest_b. In here will sit my web servers.
I will then set a trust so forest_b trusts forest_a which will allow admins
to admin the new forest.
I will then set only certain accounts via selective authentication that can
run as a service.
For example:
Web server sits on forest_b (Used to sit on forest_a)
SQL server sits on forest_a
Previously I had a service account that the website would run under to query
the SQL server.
I plan on doing the same. I'm guessing the service account from forest_a
will work in forest_b with my trust in place?
Is this good security?
(The thinking being, if someone hacked my web server and got domain admin,
they would not be able to do anything to my internal network/domain.) Is this
correct?
Should i consider ADAM (or ADFS) in any part of this? How would this
integrate?
Sundarram Messages: 1 Registered: August 2009 Location: NULL
Junior Member
I am updating the AD user details in my application using a generic login.
The problem is it fails for a few user detail updates saying "General access
denied error" at
System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
exception, but the users' permission level is similar to other users.
Can anyone help me out with the problem? What right do I have to give to my
generic account to allow it to edit all the AD users? (other than adding it to
an admin group)
gcatech Messages: 1 Registered: August 2009 Location: NULL
Junior Member
On a new server running 2008 64-bit, when I try to run ADUC, I get an MVC++ runtime
library error: "This application has requested the Runtime to terminate in an
unusual way." There is no other program specified.
In reviewing my logs, it appears explorer.exe hung upon the ADUC request. All
other nodes of AD open fine, just not Users and Computers.
DD[1] Messages: 211 Registered: October 2006 Location: NULL
Senior Member
> We have an IAS running on a Win2K DC. We intend to replace the current DC
> with the new H/W and downgrade the existing DC to a member server. IAS services will
> still stay on the existing server.
>
> 1) Can the IAS run on a member server?
> 2) Any impact on the IAS if we change the existing DC IP address?
Can't authenticate against the same username (identical usernames) in [message #560011]
Mon, 03 August 2009 04:55
KevinC[2] Messages: 2 Registered: August 2009 Location: NULL
Junior Member
I have a java (JRE 1.6) application in Linux that uses Active
Directory (AD) (on Windows Server 2003 service pack 2) via LDAP to
authenticate users. There are two AD servers: one providing domain
PARENT (parent.local) and the second CHILD (child.parent.local). Both
of these servers have two-way trust with each other.
I have users PARENT\userA, PARENT\userB, CHILD\userB and CHILD\userC.
All users have the same password apart from CHILD\userB whose password
is different to the rest - including PARENT\userB.
My java application can target (make requests to) the PARENT AD server
and successfully authenticate PARENT\userA, PARENT\userB and CHILD
\userC when I provide the correct domain, username and password values/
triples. The application can target the CHILD AD server and
successfully authenticate PARENT\userA, CHILD\userB and CHILD\userC.
But I cannot authenticate CHILD\userB when targeting the PARENT
server: PARENT\userB is authenticated against if I provide its
password. And I cannot authenticate PARENT\userB when targeting the
CHILD server: CHILD\userB is authenticated against if I provide its
password.
Why do these authentications concerning the same username not work? Is
there any way of configuring the AD servers so they will work?
Kevin
PS: I use the com.sun.jndi.ldap.LdapCtxFactory context factory code
like this in java: