Search Results

Search found 6 results on 1 pages for 'ixe013'.

Page 1/1 | 1 

  • Replication of lockoutTime attribute is not urgent on AD-LDS

    - by ixe013
    I have two LDS servers on the same subnet. They replicate well. If I change an attribute, it gets replicated after 15 seconds. LDS is configured to honor password policies. When a user makes too many wrong password attemps, his account is locked and that user's lockoutTime attribute is set accordingly. But lockoutTime is not replicated as urgent. In fact, it is not replicated unless there is another change somewhere in the directory. The lockoutTime attribute will be replicated. Here is an (edited Wireshark) trace. It shows normal replication trafic No. Time Protocol Length Info 133 16:23:02 DRSUAPI 562 DsGetNCChanges request 134 16:23:02 DRSUAPI 3042 DsGetNCChanges response 152 16:23:17 DRSUAPI 562 DsGetNCChanges request 157 16:23:17 DRSUAPI 242 DsGetNCChanges response 230 16:24:57 DRSUAPI 562 DsGetNCChanges request 231 16:24:57 DRSUAPI 2930 DsGetNCChanges response 246 16:25:12 DRSUAPI 562 DsGetNCChanges request Right after that, I lock the user (with a FOR loop and ldifde). Nothing happens, until I give up and change the description attribute on the user, then about 15 seconds later I see the replication go through. 1984 16:31:05 DRSUAPI 562 DsGetNCChanges request 1985 16:31:05 DRSUAPI 2930 DsGetNCChanges response The lockoutTime and description is replicated. As stated here, if I set lockoutTime to 0, replication occurs after 15 seconds ! I have enabled replication diagnostics, but nothing shows up in the instance's logs - strange. I have enabled change notification between sites, restarted both services, but I did not see any changes. How can I make the lockoutTime replication urgent ?

    Read the article

  • ADSIEdit freezes gettings properties of a group with hundred of thousands members

    - by ixe013
    Doing performance testing on an AD-LDS (Server 2008 R2 64 bits), we created a milion user in a single OU. We also created a single group object and made those milion users member of that group. When we try to list the milion of users ADSIEdit times out with an error message saying it cannot display that many users. Fine. But if we open the properties for the group, ADSIEdit freezes, eating up all available memory and CPU trashing (nearly 60M page faults in under an hour). AD-LDS (running on another computer) is barely hitting the 1% CPU mark, servicing other ldap requests as if nothing were. We can throw more memory at the problem, but more users will have to be managed one day and we will be back at square one. Is there a way to set a limit in ADSIEdit so that it will not hang the computer when retreving a very large multi-value object ?

    Read the article

  • Can I link proxy users from a single LDS instance to multiple domains?

    - by ixe013
    I have an Active Directory Lightweight Directory Services set up. I have objects that represent users in the Active Directory (Domain_A). I have set their objectSID attribute, and users can authenticate to LDS with their Active Directory password. I love it. I want to bring in new users, from a different Active Directory (Domain_B) that has not trust relationship whatsoever with the Active Directory from Domain_A. Is there a way to tell LDS in which domain to look for users or does it always look in the domain it is in, maybe by using another protocol than Kerberos ? +I figured out user provisionning, no need to mention it. Thanks !

    Read the article

  • How many users can be in a AD LDS group?

    - by ixe013
    Microsoft published the recommended maximum limits for users in an Active Directory group. It basically says : Starting with Windows Server 2003, the ability to replicate discrete changes to linked multivalued properties was introduced as a technology called Linked Value Replication (LVR). and This allows the number of group memberships to exceed the former recommended limit of 5,000 for Windows 2000 or Windows Server 2003 at a forest functional level of Windows 2000. Given the replication meta data below, can anybody tell me what is the maximum number of users a AD-LDS group can hold ? Getting 'CN=Member,CN=Schema,CN=Configuration,CN={67B333FE-ADB4-430D-AAEE-D4CCE4B98A2E}' metadata... 23 entries. AttID Ver Loc.USN Originating DSA Org.USN Org.Time/Date ===== === ======= =============== ======= ============= 0 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 3 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 20001 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 20002 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 2001e 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 20020 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 20021 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 20032 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 200a9 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 200c2 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 200da 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 200e2 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 200e7 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 20119 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 2014e 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 201cc 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 90001 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 90094 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 90095 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 900aa 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 90177 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 9027f 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49 9030e 1 95 8ba30efb-9aa4-4e55-8f7c-268e3dcc536b 95 2012-07-17 14:25:49

    Read the article

  • Is there a Kerberos testing tool?

    - by ixe013
    I often use openssl s_client to test and debug SSL connections (to LDAPS or HTTPS services). It allows me to isolate the problem down to SSL, without anything getting in the way. I know about klist that allows me to purge the ticket cache. Is there tool that would allow me to ask a Kerberos ticket for a given server, not event sending it ? Just enough to see the whole Kerberos exchange in Wireshark for example ?

    Read the article

  • Create a AD-LDS partition under a child of the primary partition

    - by ixe013
    I have a AD-LDS instance running on a Server 2008 R2. I have this application partition, created at installation : dc=enterprise,dc=example,dc=com I have succesfully followed this procedure to create application partitions. They are named : cn=stuff,dc=enterprise,dc=example,dc=com cn=things,dc=enterprise,dc=example,dc=com If I configure my client(s) to follow referals, I can search from dc=enterprise,dc=example,dc=com and find objects under cn=stuff and cn=things. How can I create (or move after the fact) the stuff and things partitions so they are logically located under a OU under the initial partition, ending up with something like : cn=stuff,ou=applications,dc=enterprise,dc=example,dc=com cn=things,ou=applications,dc=enterprise,dc=example,dc=com

    Read the article

1