ADAM sync problem

Hello folks,

I have a real hard time synchronizing my ADAM with our AD here. Here are the steps I perform and where I'm stumped: (Please note that I will use fictional names for the example)

Client OS: Windows XP Pro SP2
Active Directory Server OS: Windows 2003
ADAM R2 version

First, I create a new instance which I name 'MyInstance' on the default ports (389 and 636). Then, I create a partition that has the same name as the partition I want to sync on our AD. Let's name it DC=OurServer,DC=com. I do not import any ldif files and finish the setup.

Once this is done, I perform the following commands:

    ldifde -i -s localhost -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-AdamSchemaW2k3.ldf

then

    ldifde -i -s localhost:389 -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-AdamSyncMetadata.ldf

Next, I configure the config file which will be used for the sync:

    <?xml version="1.0" ?>
    <doc>
      <configuration>
        <description>OurServer config file</description>
        <security-mode>object</security-mode>
        <source-ad-name>OurServer.com</source-ad-name>
        <source-ad-partition>DC=OurServer,DC=com</source-ad-partition>
        <source-ad-account></source-ad-account>
        <account-domain></account-domain>
        <target-dn>DC=OurServer,DC=com</target-dn>
        <query>
          <base-dn>DC=OurServer,DC=com</base-dn>
          <object-filter>(objectClass=*)</object-filter>
          <attributes>
            <include></include>
            <exclude>extensionName</exclude>
            <exclude>displayNamePrintable</exclude>
            <exclude>flags</exclude>
            <exclude>isPrivelegeHolder</exclude>
            <exclude>msCom-UserLink</exclude>
            <exclude>msCom-PartitionSetLink</exclude>
            <exclude>reports</exclude>
            <exclude>serviceprincipalname</exclude>
            <exclude>accountExpires</exclude>
            <exclude>adminCount</exclude>
            <exclude>primarygroupid</exclude>
            <exclude>userAccountControl</exclude>
            <exclude>codePage</exclude>
            <exclude>countryCode</exclude>
            <exclude>logonhours</exclude>
            <exclude>lockoutTime</exclude>
          </attributes>
        </query>
        <schedule>
          <aging>
            <frequency>0</frequency>
            <num-objects>0</num-objects>
          </aging>
          <schtasks-cmd></schtasks-cmd>
        </schedule>
      </configuration>
      <synchronizer-state>
        <dirsync-cookie></dirsync-cookie>
        <status></status>
        <authoritative-adam-instance></authoritative-adam-instance>
        <configuration-file-guid></configuration-file-guid>
        <last-sync-attempt-time></last-sync-attempt-time>
        <last-sync-success-time></last-sync-success-time>
        <last-sync-error-time></last-sync-error-time>
        <last-sync-error-string></last-sync-error-string>
        <consecutive-sync-failures></consecutive-sync-failures>
        <user-credentials></user-credentials>
        <runs-since-last-object-update></runs-since-last-object-update>
        <runs-since-last-full-sync></runs-since-last-full-sync>
      </synchronizer-state>
    </doc>

Next, I perform these:

    ADAMSync /install localhost:389 "c:\adamConfigs\OurServerConfig.xml"
    ADAMSync /sync localhost:389 "DC=OurServer,DC=com"

Now, I know that this setup won't work because there are a lot of custom attributes on the AD server we have... So my thought was to use the AD Schema Analyzer to create an ldif file that I would import in my ADAM to be able to sync it but, that's where it gets ugly...

What I'm doing is this: I start the ADSchemaAnalyzer.exe program. I load the actual AD server for the target schema and in the base schema, I specify my ADAM server address (localhost:389). Then, I select only the classes top, user, person and organizationalUnit since I just want to import these objects. I create the ldif file and import it in my ADAM. This works without any errors. But when I try to sync, I get class violations on several objects in containers I simply don't want to get which are under the nodes I need. I tried to specify object filters to include or exclude stuff without success... here's an example:

    ....
    <object-filter>(&(objectClass=top)(objectClass=person)(objectClass=user)(objectClass=organizationalUnit)(!(OU=Listes de distributions)))</object-filter>
    ....

Is it possible at all? I need help, I know I'm not far from a solution...

The final result would be to import every user existing under our AD which are scattered across it... Thanks a lot for reading across this lengthy post!

Stéphan Parrot

Hi
A few things I would do differently:

ADSchemaAnalyzer is the correct approach but I would simply use it to create an LDIF of your entire AD schema ("mark all non-present elements as included") and import that into a new ADAM instance instead of MS-AdamSchemaW2k3.ldf, then import the MS-AdamSyncMetadata.ldf.

If I am understanding your requirement you just want user objects and so your filter would then be:

    (&(objectCategory=person)(objectClass=user))

On a general note you cannot use LDAP filters in ADAMSync to exclude portions (subtrees or named OUs) of a naming context; the DirSync view of the directory that ADAMSync has is essentially flat, not hierarchical.

Lee Flight

"Stef" <stephan.par***@mittalsteel.com> wrote in message news:1141923553.821135.312170@i39g2000cwa.googlegroups.com...
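A pre-flight check for the two points above (the user-only filter, and the class violations ADAMSync raises when the ADAM schema cannot hold an object), written here as an added C# example using System.DirectoryServices; it is not code from the thread or from Microsoft's ADAM tools. It runs a candidate object-filter as a subtree search under the sync base DN, as ADAMSync will, and lists the objectClass values the ADAM instance's schema does not define. The host names, partition DN and filter values are taken from the thread's fictional setup and are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example: preview what an ADAMSync <object-filter> selects and whether the ADAM
// schema can hold it. AdamHost and SourceBaseDn are placeholders (assumptions).
class AdamSyncPreflight
{
    const string AdamHost = "localhost:389";
    const string SourceBaseDn = "LDAP://OurServer.com/DC=OurServer,DC=com";

    // Collects every class lDAPDisplayName defined in the ADAM instance's schema partition.
    // The schema DN is read from RootDSE, so the CN={GUID} configuration name need not be typed.
    static HashSet<string> LoadAdamClasses()
    {
        var rootDse = new DirectoryEntry("LDAP://" + AdamHost + "/RootDSE");
        string schemaDn = (string)rootDse.Properties["schemaNamingContext"].Value;
        var schema = new DirectoryEntry("LDAP://" + AdamHost + "/" + schemaDn);
        var search = new DirectorySearcher(schema, "(objectClass=classSchema)",
                                           new[] { "lDAPDisplayName" });
        search.SearchScope = SearchScope.OneLevel;
        search.PageSize = 1000;
        var classes = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (SearchResult r in search.FindAll())
            classes.Add((string)r.Properties["ldapdisplayname"][0]);
        return classes;
    }

    // Runs the candidate filter as a subtree search under the sync base DN and reports objects
    // carrying an objectClass that ADAM does not define. Returns the number of such objects.
    // Attributes outside the ADAM schema (the "custom attributes" in the first post) are a
    // separate failure source and are not checked here.
    static int PreviewFilter(string objectFilter, HashSet<string> adamClasses)
    {
        var root = new DirectoryEntry(SourceBaseDn);
        var search = new DirectorySearcher(root, objectFilter,
                                           new[] { "objectClass", "distinguishedName" });
        search.SearchScope = SearchScope.Subtree;
        search.PageSize = 1000;   // paged results, so the 1000-object server limit does not truncate
        int matched = 0, violating = 0;
        foreach (SearchResult r in search.FindAll())
        {
            matched++;
            var missing = new List<string>();
            foreach (object cls in r.Properties["objectclass"])
                if (!adamClasses.Contains((string)cls))
                    missing.Add((string)cls);
            if (missing.Count > 0)
            {
                violating++;
                Console.WriteLine("{0}\n    classes missing from ADAM schema: {1}",
                                  r.Properties["distinguishedname"][0], string.Join(", ", missing));
            }
        }
        Console.WriteLine("filter {0}: {1} objects match, {2} would raise a class violation",
                          objectFilter, matched, violating);
        return violating;
    }

    static void Main()
    {
        var adamClasses = LoadAdamClasses();

        // The filter from the original post. objectClass is multi-valued, but no object is both
        // a user and an organizationalUnit, so this conjunction selects nothing at all.
        PreviewFilter("(&(objectClass=top)(objectClass=person)(objectClass=user)"
                      + "(objectClass=organizationalUnit)(!(OU=Listes de distributions)))", adamClasses);

        // Lee's filter: user objects only. Whatever it matches still comes from every container
        // under the base DN, since ADAMSync cannot exclude subtrees.
        PreviewFilter("(&(objectCategory=person)(objectClass=user))", adamClasses);
    }
}
```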
Hi there!
First, I want to thank you for the time you took to read my post and to have answered it. Funny stuff right here: I did what you are suggesting to me about the ADSchemaAnalyzer yesterday and it worked! I must have some powers to read minds!! ;) So, I've managed to sync our AD server with my ADAM instance and everything is working fine except one thing: password changes... I've read a post you were involved in about dsHeuristics set to something like 00000001001 (whatever) and I could change passwords from the MMC snap-in correctly. My problem is when I try to change password from a C# web application... For some reason, I can't get it to work... Everything seems to work perfectly except that... I won't post any more details about this issue because I didn't do a lot of research on it as of now and I always prefer to dig by myself before asking on boards. But I wanted to let you know about it so if it rings a bell to you, you could provide me with some pointers in the future! I will keep this thread informed as my research progresses!

Thanks!

Me again...
Ok, my AD is synched with my ADAM. Now, when I switch my application to use my ADAM instance instead of using AD, I cannot let the users change their password, they just can't do it... It returns an HRESULT error when they try to do it. Same thing happens when I try to create a new user. For the password changing, I use SetPassword when it's the first time they log in the application and then, when they wanna change it, I use ChangePassword... None of them works...

I tried stuff to find out a solution and maybe I am on a good track. I use ldp.exe and then connect to my ADAM instance, then I bind using simple bind with the credentials of a synched user account. That doesn't work... So I searched a bit and found out there's a hot fix from Windows XP SP2 which corrects an issue about bindings. I have Windows XP SP1 so maybe that will help me get somewhere as soon as it is installed!

But, I tried some other stuff meanwhile like, bind to my ADAM using domain credentials for a user whose creds I know. When trying that, I was successfully bound to my ADAM. So next, I tried to browse my ADAM tree and guess what? Under DC=MyAdam,DC=com I got "No children"! So I may have to set some kind of permissions for these users. But how do I do that for about 1600 users?? I tried using dsacls.exe but it seems to be for only one user at a time... It's a bit unclear on how to use this tool..

So if you guys can point me towards a solution or some comments to help me out, please do!

Thanks a lot!

Hi
there are quite a few issues to unpack here. There are definitely some issues with Windows XP SP1. I do not recall all of the hotfixes required but most of them were bundled in WinXP SP2.

SetPassword/ChangePassword require special handling for ADAM. The MSDN sample:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adam/adam/setting_user_passwords.asp

is the one to follow. It's not perfect but it does work in the main.

The default permissions in ADAM are more restrictive than in AD so e.g. a user will not have read permissions on the user object that represents them. The Readers role in ADAM provides one approach to giving access. You can read about this in the ADAM help file; search for "access control".

Lee Flight

"Stef" <stephan.par***@mittalsteel.com> wrote in message news:1142267222.953618.17***@i39g2000cwa.googlegroups.com...

Great!
Thanks for the pointers! But I already set that reg key to 0 when I first installed ADAM. As for the access control stuff, I might not do this correctly. Here's how I do this: (Note that I have modified some values to "hide" my setup for security reasons)

    C:\WINDOWS\ADAM>dsacls.exe "\\localhost:389\CN=LastName\, FirstName,OU=Users,OU=ISI,OU=MyCompanyInfrastructure,DC=MyAdam,DC=com" /G "CN=Readers,CN=Roles,DC=MyAdam,DC=com":GA;;

This would give Generic All to user "FirstName LastName" in the Readers Role of my ADAM instance... Am I doing something wrong? Also, can I do that for a bunch of users or do I have to do it for each and every user in there? (I have 1600+ users and I need to have them all set)

Thanks a lot!

Hi
I'm not following what that specific example is trying to do; in my reading it would grant GA to the Readers role for a specific object in an OU. GA is Full Control, is that really what you want to grant? (Even if it were, it makes a misnomer of the "Readers" group.)

A good start would be to use DSACLS and dump out the existing/default security on your OU; you should find e.g. that the Readers role has Read permissions, and most importantly you should see that the permissions are inherited. Inheritance is the key here rather than applying specific permissions to individual objects. Have a look at the tips here:

http://technet2.microsoft.com/WindowsServer/en/Library/373a4e2b-89a6-4ccc-9e20-be07c741f47b1033.mspx

most apply to designing ADAM security as well as AD.

Apologies if I have missed the point here,

Lee Flight

Hi there!
Thanks for answering my questions this fast! What I am trying to achieve is to make our applications that use an AD catalog work with ADAM. The reason behind this is, our applications allow users to change their passwords and stuff like that. In order to ensure everything is working properly, we want a copy of these users to test our application's methods (like changepassword and setpassword for instance). We do not want to test these on actual AD entries for obvious reasons.

So, what I've achieved so far is this:
-Made AD and ADAM sync the structure and data.

What I am missing is:
-Make our applications talk with ADAM the same exact way they are doing with AD.

Right now, there seems to be a security issue regarding the rights ADAM has on objects as you said in your previous post. I tried a lot of stuff but haven't managed to get anything working. Here's some code I'm stumped on:

    //Declaring a directory entry object and binding the user we want to set the password
    ....
    DirectoryEntry oDE;
    oDE = new DirectoryEntry("LDAP://localhost:389/DC=MyCompanyADAM,DC=com", "SomeUserName", "SomePassword", AuthenticationTypes.Secure);
    ....

The object isn't valid after this call, I get an error: System.Runtime.InteropServices.COMException ....

Maybe it's just the permissions that aren't correctly set? How do I attribute permission correctly? How do I assign all users inside an OU to the readers role?

Thanks a lot again for your much appreciated help!

Stephan Parrot

Hi
inline below...

"Stef" <stephan.par***@mittalsteel.com> wrote in message news:1142433727.403993.32970@u72g2000cwu.googlegroups.com...
> Hi there!
> Thanks for answering my questions this fast!
> What I am trying to achieve is to make our applications that use an AD catalog work with ADAM.
> The reason behind this is, our applications allow users to change their passwords and stuff like that.
> In order to ensure everything is working properly, we want a copy of these users to test our application's methods (like changepassword and setpassword for instance)
> We do not want to test these on actual AD entries for obvious reasons.

If the summary is that you are using ADAM to prototype an AD application against ADAM then testing SetPassword/ChangePassword against ADAM is a poor choice in my opinion as there are too many differences between ADAM and AD in this area. If I have that wrong and it's an ADAM application that you are developing then read on...

> So, what I've achieved so far is this:
> -Made AD and ADAM sync the structure and data.
>
> Here's some code I'm stumped on:
>
> //Declaring a directory entry object and binding the user we want to set the password
> DirectoryEntry oDE;
> oDE = new DirectoryEntry("LDAP://localhost:389/DC=MyCompanyADAM,DC=com", "SomeUserName", "SomePassword", AuthenticationTypes.Secure);

That looks like a bind to a naming context rather than a user. What type of account is SomeUserName, a domain account in the domain that the ADAM server is a member of? Check out the SDK samples on MSDN

http://msdn.microsoft.com/library/en-us/adam/adam/using_active_directory_application_mode.asp

> Maybe it's just the permissions that aren't correctly set?
> How do I attribute permission correctly?
> How do I assign all users inside an OU to the readers role?

I think you just need to get a basic bind to an instance working, test that with ldp.exe and work up the MSDN samples at the link above. On the Readers role please check out the ADAM Help file, the topic to read is "Administering access control".

Lee Flight

Hi,
Maybe I need to clarify what I want to achieve. What I am trying to do is have a replica of the AD we have on our domain for development purposes. The reason is that we need to simulate every aspect of the software that we are developing using the accounts of actual users in the company (more than 1600 people here). We do not know everyone's user account password and we shouldn't anyway! So we've been told to use ADAM to replicate our AD environment to have a "DEV" version which could be used for testing purposes.

From what I've read so far, it seemed to me that ADAM was a good solution for this kind of situation but now that you mention it may be a poor choice, if your opinion still stands with this clarification, do you have a suggestion for an alternative?

Thank you again for your help and feedback! I appreciate it!

Stephan Parrot

This approach may or may not work for you. Even though ADAM and AD are both LDAP directories, there are some significant details in terms of how user objects work in both environments. You can't test code that targets AD against ADAM unless you have an abstraction layer in place that can deal with the differences. You also can't target other apps that use AD like Exchange for development purposes, as Exchange does not work on top of ADAM. You can make significant progress with modeling a lot of the work you would do with AD in ADAM, but you aren't going to get a 100% fit.

Joe K.

"Stef" <stephan.par***@mittalsteel.com> wrote in message news:1142531581.308677.223200@j52g2000cwj.googlegroups.com...

Great!
It's good to know I'm not screwed on this one right now! Then, right now, I'm stumped on a simple bind issue... I cannot get my users to bind to my ADAM instance using simple bind. Is it possible at all? If so, how do I set this? What I did so far was to put the OU containing my users as a member of the Readers Role. I'm sure there's something I'm missing there and I cannot point it out...

Thanks again!

Stephan Parrot

Don't confuse a bind with authorization to see specific objects. For example, you can do a simple bind and search for rootDSE (which allows anyone to view it anonymously), but you might not be authorized to do a search for a different object. If you want to grant all your users read access to ADAM, you probably want to add the authenticated users account to your readers role. Adding an OU to a group won't do anything as OUs aren't security principals.

Joe K.

"Stef" <stephan.par***@mittalsteel.com> wrote in message news:1142537843.964890.308950@e56g2000cwe.googlegroups.com...

Thanks Joe for the reply!
So, to add my users to the Readers role, I should add the Windows accounts of these users? Then I should preferably add a group containing all these users I want to the Readers role, right? The way I tried it is to use the ADSI edit tool coming with ADAM. But when I apply the addition of this group to the "member" attribute of the Readers role, I get an error saying: "A directory service error occurred." Am I doing it right or is there another way to achieve this? Or maybe I must set something first to be able to do this?

Thanks again!

Stephan Parrot

Hi
adding the distinguishedName of a group to the member attribute of the Readers role should work if you have appropriate permissions. Are you running as ADAM administrator?

Lee Flight

"Stef" <stephan.par***@mittalsteel.com> wrote in message news:1142602526.430018.56510@j33g2000cwa.googlegroups.com...

You can add a user or a group to the ADAM group/role. However, if this user or group is a Windows user or group, you must use the SID binding string to refer to them as a foreign security principal. I was suggesting that you might want to add the authenticated users well-known SID to the readers role so that any user who authenticates to ADAM will be a reader. This scales much better than constantly adding users to a group. On the other hand, it is more open from the security perspective. This was originally the default behavior of ADAM when they designed it, but it was pulled from the final release because it is not "secure by default", and that's not the way MS likes to install products anymore. Who could blame them.

The authenticated users SID is S-1-5-11, so the SID DN would be:

    <SID=S-1-5-11>

You would add that to the member attribute and that would create the FSP. To add other Windows principals to the role, just use their SIDs. You could add your domain users group or something if you wanted.

HTH,

Joe K.

"Stef" <stephan.par***@mittalsteel.com> wrote in message news:1142602526.430018.56510@j33g2000cwa.googlegroups.com...

Excellent!!
I will try it out Monday morning!! Thanks a lot guys!! Have a good weekend!!!

Stephan Parrot
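Joe's suggestion and his bind-versus-authorization distinction carried out from code, as an added C# example using System.DirectoryServices that is not code from the thread: an ADAM administrator adds the Authenticated Users SID binding string to the partition's Readers role, and a synced user's simple bind is then checked separately from whether that user is permitted to read its own object. The host, partition DN, user DNs and credentials are placeholders, and the check assumes the instance allows simple binds on the non-SSL port.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example, not code from the thread. AdamHost, PartitionDn and all credentials are placeholders.
class AdamReadersRole
{
    const string AdamHost = "localhost:389";
    const string PartitionDn = "DC=MyAdam,DC=com";
    const string AuthenticatedUsersSid = "S-1-5-11";   // well-known SID quoted in the thread

    // Adds a Windows principal to the partition's Readers role by SID binding string; ADAM turns
    // "<SID=...>" into a foreignSecurityPrincipal whose CN is the SID itself (as AD does).
    // Must run as an ADAM administrator; here a Windows account, hence a Negotiate (Secure) bind.
    static bool AddSidToReaders(string adminUser, string adminPassword, string sid)
    {
        string rolePath = "LDAP://" + AdamHost + "/CN=Readers,CN=Roles," + PartitionDn;
        using (var readers = new DirectoryEntry(rolePath, adminUser, adminPassword,
                                                AuthenticationTypes.Secure))
        {
            if (!IsMember(readers, sid))
            {
                readers.Properties["member"].Add("<SID=" + sid + ">");
                readers.CommitChanges();                // COMException here means not authorized
                readers.RefreshCache(new[] { "member" });
            }
            return IsMember(readers, sid);
        }
    }

    // True when some member DN is the FSP for this SID (its RDN is "CN=<sid>").
    static bool IsMember(DirectoryEntry role, string sid)
    {
        foreach (object m in role.Properties["member"])
            if (((string)m).IndexOf("CN=" + sid + ",", StringComparison.OrdinalIgnoreCase) >= 0)
                return true;
        return false;
    }

    // A simple bind (AuthenticationTypes.None) against RootDSE proves the credentials; reading
    // the user's own object proves authorization. Note that ADAMSync does not copy passwords,
    // so a synced user has nothing to bind with until a password is set in ADAM.
    static string CheckUserAccess(string userDn, string password)
    {
        try
        {
            var rootDse = new DirectoryEntry("LDAP://" + AdamHost + "/RootDSE", userDn, password,
                                             AuthenticationTypes.None);
            object forceBind = rootDse.NativeObject;    // the bind happens here
        }
        catch (COMException ex)
        {
            return "bind failed: " + ex.Message;
        }
        try
        {
            var self = new DirectoryEntry("LDAP://" + AdamHost + "/" + userDn, userDn, password,
                                          AuthenticationTypes.None);
            string dn = (string)self.Properties["distinguishedName"].Value;
            return "bound, can read own object: " + dn;
        }
        catch (COMException ex)
        {
            // Typical before the Readers role is widened: the bind works but ADAM answers as if
            // the object did not exist, because the user is not permitted to see it.
            return "bound, cannot read own object: " + ex.Message;
        }
    }

    static void Main()
    {
        bool added = AddSidToReaders(@"MYDOMAIN\adamadmin", "<admin password>", AuthenticatedUsersSid);
        Console.WriteLine("Authenticated Users in Readers role: " + added);
        Console.WriteLine(CheckUserAccess("CN=Some User,OU=Users," + PartitionDn, "<user password>"));
    }
}
```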