Computer Performance, Windows Server 2003

Windows Server 2003 - More Examples of ADSI Edit

Windows Server 2003 - ADSI Edit

You can never get too much of a good thing!  ADSI Edit is that 'good thing'.  Never waste a chance to configure Active Directory with ADSI Edit.  If TechNet offers a solution that involves editing Active Directory properties, then call for ADSI Edit to make the suggested changes.

On this page, I am preparing you for the day when the only way to solve a desperate problem is to change an attribute with ADSI Edit.  You need this tool because no other GUI displays the low-level objects.


Getting Started with ADSI Edit

Complete instructions on installing, launching and getting to know ADSI Edit are covered on this Introduction To ADSI Edit page.


Example 1: ADSI Edit and TechNet

There is only a chance in a million that you actually need this particular ADSI Edit fix, because it is most unlikely that you will have a problem raising the Forest Function Level.  Despite this, msDS-Behavior-Version is a most instructive example of ADSI Edit in action.

The real-life scenario is that you cannot raise the Forest Level to Windows 2003.  We assume that a bug has struck, Mr Nobody fouled up, or the GUI controlling Raise Forest Function Level has jammed.  The scene is set for ADSI Edit to ride to the rescue.  Researching TechNet reveals that we need to edit an attribute called msDS-Behavior-Version.

Here are your instructions:

  1. Launch ADSI Edit.  Install from the Windows 2003 Server CD \support folder.

  2. Navigate to the Configuration partition.  (The beginner's mistake is to select Domain instead of Configuration).

  3. Expand: CN=Configuration,DC=<forestname>

  4. Right-click on the CN=Partitions node, select Properties

  5. On the properties sheet, scroll down to the msDS-Behavior-Version attribute, and then click Edit

  6. Set the Value to numeric 1, and then click OK.

Learning Points

1) Get a good reference source, for example TechNet.

2) Pay close attention to the correct top level container.  Is it Domain, or Schema?  No, in this instance you need to start at the Configuration Container.  If you fail to start at the right place you are doomed to frustration.

3) Once you get off to a good start, it's just a matter of following the TechNet instructions.

4) The point is that you could not configure msDS-Behavior-Version through Active Directory Users and Computers.

5) Remember that all changes are live and instant; unlike other GUIs, the operating system does not perform any safety checks.


Example 2: ADSI Edit and DCDiag

Symptoms of a bizarre connection problem.

When you try to connect to network resources from an affected domain controller with a command such as \\server\share, you get the following error message:
No logon servers available (c000005e = "STATUS_NO_LOGON_SERVERS")

DCDiag SYMPTOMS

[DC1] LDAP bind failed with error 31
When you run the REPADMIN /SHOWREPS utility locally on a domain controller, you may receive an error message such as:
[C:\Windows\private\ds\src\util\repadmin\repinfo.c, 389] LDAP error 82 (Local Error).

Confirmation from NetDiag

The Netdiag tool may display the following error messages:
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to <servername>.<fqdn> (<ip address>). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for krbtgt/<fqdn>.
[FATAL] Kerberos does not have a ticket for <hostname>.
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC <hostname>\<fqdn>

ADSI Edit Solution

  1. Launch ADSI Edit

  2. Navigate to the Domain [xyz.com], expand DC=domain, and then expand OU=Domain Controllers.

  3. Right-click the affected domain controller, and then click Properties.

  4. Click userAccountControl in the Attributes box.  If the value is not 532480, type 532480 in the Edit Attribute box, click Set, click Apply, and then click OK.

Learning Points

1) This is a job for the Domain partition of Active Directory.

2) While normal values for userAccountControl are 512 or 514, Domain Controllers need a value of decimal 532480.

3) Note how you need to be a minor expert in three areas: ADSI Edit, DCDiag and TechNet.
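The check from Example 2, as an added example that is not part of the original page: it reads an LDIF export of computer objects, decodes userAccountControl into its flag bits, and lists every domain controller whose value is not 532480. The function names and the sample export are constructed for illustration.

```python
# Bit names are the documented ADS_USER_FLAG_ENUM values; SAMPLE_LDIF is constructed.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
EXPECTED_DC_UAC = 532480  # the value the page gives for domain controllers

SAMPLE_LDIF = """\
dn: CN=DC1,OU=Domain Controllers,DC=xyz,DC=com
userAccountControl: 532480

dn: CN=DC2,OU=Domain Controllers,DC=xyz,DC=com
userAccountControl: 4096

dn: CN=WS01,CN=Computers,DC=xyz,DC=com
userAccountControl: 4096
"""

def decode_uac(value):
    """Return (names of known flags set, remaining bits not in UAC_FLAGS)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    return names, value & ~sum(UAC_FLAGS)

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records of 'attr: value' lines."""
    records = []
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        rec = {}
        for line in block.replace("\n ", "").splitlines():  # unfold continuations
            key, sep, val = line.partition(":")
            if line.startswith("#") or not sep or val.startswith(":"):
                continue  # comment, malformed line, or base64 value
            rec.setdefault(key.strip().lower(), val.strip())
        if "dn" in rec:
            records.append(rec)
    return records

def audit_dcs(ldif_text, ou="ou=domain controllers,"):
    """List (dn, value, flags) for every DC whose value differs from 532480."""
    findings = []
    for rec in parse_ldif(ldif_text):
        raw = rec.get("useraccountcontrol", "")
        if ou in rec["dn"].lower() and raw != str(EXPECTED_DC_UAC):
            value = int(raw) if raw.isdigit() else None
            findings.append((rec["dn"], value, decode_uac(value or 0)[0]))
    return findings
```

Calling `audit_dcs(SAMPLE_LDIF)` reports only DC2, whose value decodes to a workstation trust account; record the old value before correcting it in ADSI Edit.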

Scenarios for ADSI Edit

  1. VBScript - Researching the LDAP properties of user objects.

  2. Exchange 2003 - Configuring GAL Search order.

  3. Security - Editing security permissions for objects that have no other interface. For example, Exchange 2003 Anonymous access to the Address Lists.

  4. Learning - Discovering attributes such as tombstoneLifetime.

  5. TechNet - Following through on TechNet's suggested solutions.  For example, Raise Forest Level with msDS-Behavior-Version.


Example 3 - Installing Exchange 2003. An invalid ADSI pathname was passed (Error code 80005000)

When you run Microsoft Exchange 2003 (2000) Server Setup with the /forestprep switch, the installation fails and you may receive the error message:  'An invalid ADSI pathname was passed'.  You may also get an error code of: 80005000.

The Cause of error 80005000 in Exchange

You run setup /forestprep, but it does not complete properly.  Active Directory 'flags' that it has been run, but in reality it did not finish.

Check the server progress log for entries like:

(G:\admin\src\udog\setupbase\basecomp\baseatom.cxx:775)
Error code 0X80005000 (20480): An invalid ADSI pathname was passed.

The Solution for An invalid ADSI pathname was passed  (Error code 80005000)

Open ADSI Edit.
Navigate to this location under the Configuration container:
CN=Configuration; CN=Services; select CN=Microsoft Exchange

Right-click CN=Microsoft Exchange, and then click Properties. From the Attributes tab, under Select which properties to view, click Both.
From the Select what property to view pull-down menu, select Heuristics.
If the value is set to 2, then you have already run ForestPrep.

Solution: to reset the Heuristics property, click Clear, and then click Apply. The Value(s) field will change to 'not set'.

Example 4 - Changing Forest and Domain Function Level

Set Functional Levels Manually
It is possible, as a last resort, to modify the current domain and forest functional level settings with ADSI Edit. When you modify the attributes manually, it is best to target the FSMO authoritative for the increase, as the change is actually written to the authoritative FSMO and then replicated.

 

Forest Level Setting


The attribute that you want is: msDS-Behavior-Version on the CN=Partitions, CN=Configuration, DC=ForestRootDom, DC=tld object.
Value of 0 or not set=mixed level forest
Value of 1=Windows Server 2003 interim forest level
Value of 2=Windows Server 2003 forest level

Note: When you increase the msDS-Behavior-Version attribute from 0 to 1, you receive the following error message; just ignore it!
Illegal modify operation. Some aspect of the modification is not permitted. Click OK to continue.

To check that your change has worked, refresh the attribute list and check the current setting.

Domain Functional Level Setting
The attribute is msDS-Behavior-Version on the NC head root of each domain DC=Mydomain, DC=ForestRootDom, DC=tld object.
Value of 0 or not set=mixed level domain
Value of 1=Windows Server 2003 domain level
Value of 2=Windows Server 2003 domain level
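ADSI Edit writes whatever you type, so the checks implied by Examples 1 and 4 are worth running before the edit. This added example (not from the original page) rejects the wrong container and a lowered or out-of-range value; the function names are hypothetical, and it assumes, as holds on Windows Server 2003, that a functional level can be raised but not lowered.

```python
FOREST_LEVELS = {  # labels taken from the page's forest table
    0: "mixed level forest",
    1: "Windows Server 2003 interim forest level",
    2: "Windows Server 2003 forest level",
}

def classify_target(dn):
    """Return 'forest' for CN=Partitions,CN=Configuration,DC=..., 'domain' for a
    domain NC head (DC= components only), else None. Uses a naive comma split,
    which assumes no escaped commas (true for these well-known objects)."""
    parts = [p.strip().lower() for p in dn.split(",") if p.strip()]
    if not parts:
        return None
    if all(p.startswith("dc=") for p in parts):
        return "domain"
    tail = parts[2:]
    if (parts[:2] == ["cn=partitions", "cn=configuration"] and tail
            and all(p.startswith("dc=") for p in tail)):
        return "forest"
    return None

def check_change(dn, current, proposed):
    """Return (ok, message); current=None means the attribute is 'not set'."""
    scope = classify_target(dn)
    if scope is None:
        return False, "wrong object: expected CN=Partitions under Configuration or a domain NC head"
    current = 0 if current is None else current  # the page treats 'not set' as 0
    if proposed not in (0, 1, 2):
        return False, "value must be 0, 1 or 2"
    if proposed <= current:
        return False, f"{scope} level is already {current}; it can only be raised"
    label = FOREST_LEVELS[proposed] if scope == "forest" else f"domain level {proposed}"
    return True, f"{scope}: {current} -> {proposed} ({label})"

if __name__ == "__main__":
    # Constructed DNs: the first repeats the beginner's mistake of starting in Domain.
    print(check_change("CN=Partitions,DC=xyz,DC=com", 0, 2))
    print(check_change("CN=Partitions,CN=Configuration,DC=xyz,DC=com", None, 2))
```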


Summary of ADSI Edit

Nobody wins their Active Directory spurs without knowing where to find ADSI Edit.  No-one gets to be a top Windows Server 2003 techie without configuring the Domain and Configuration partitions with ADSI Edit.  Without ADSI Edit experience, many TechNet articles will be beyond your skill level.  While this is not a difficult tool, you have to be careful as there is no error checking.


Copyright © 1999-2009 Computer Performance LTD All rights reserved