Windows Server 2003 - More Examples of ADSI Edit
Windows Server 2003 - ADSI Edit
You can never get too much of a good thing! ADSI Edit is that 'good thing'. Never waste a chance to configure Active Directory with ADSI Edit. If TechNet offers or solution by editing Active Directory properties, then call for ADSI Edit to make the suggested changes.
On this page, what I am preparing you for is that day when the only way to solve a desperate problem is to change an attribute with ADSI Edit; the reason you need this tool is because no other GUI displays the low level objects.
Topics for ADSI Edit
Getting Started with ADSI Edit
Complete instructions on installing, launching and getting to know ADSI Edit are covered on this Introduction To ADSI Edit page.
There is only a chance in a million that you actually need this particular ADSI Edit fix. It is most unlikely that you will have a problem Raising Forest Function Level, despite this, msDS-Behavior-Version is a most instructive example of ADSI Edit in action.
The real life scenario is that you
cannot raise the Forest Level to Window 2003. We assume that a bug has struck, Mr Nobody fouled up or that the GUI controlling Raise Forest Function Level GUI has jammed. The scene is set for ADSI
Edit to ride to the rescue. Researching TechNet reveals that we need to edit an attribute called:
Here are your instructions:
1) Get a good reference source, for example TechNet.
2) Pay close attention to the correct top level container. Is it Domain, or Schema? No, in this instance you need to start at the Configuration Container. If you fail to start at the right place you are doomed to frustration.
3) Once you get off to a good start, it's just a matter of following the TechNet instructions.
4) The point is that you could not configure msDS-Behavior-Version through Active Directory Users and Computers.
5) Remember that all changes are live and instant, unlike other GUIs the operating does not perform any safety checks.
I like the Permissions Monitor because it enables me to see quickly WHO has permissions to do WHAT. When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource. Give this permissions monitor a try - it's free!
Symptoms of a bizarre connection problem.
When you try to connect to network resources from an affected domain controller with a command such
[DC1] LDAP bind failed with error 31
Conformation from NetDiag
The Netdiag tool may display the following error messages:
ADSI Edit Solution
1) This is a job for the Domain partition of Active Directory.
2) While normal values for userAccountControl are 512 or 514, Domain Controllers need a value of decimal 532480.
3) Note how you need to be a minor expert in three areas, ADSI Edit, DCDiag and TechNet. -
Scenarios for ADSI Edit
SolarWinds' Network Performance Monitor will help you discover what's happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
Perhaps the NPM's best feature is the way it suggests solutions to network problems. Its second best feature is the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.
Example 3 - Installing Exchange 2003. An invalid ADSI pathname was passed (Error code 80005000)
When you run Microsoft Exchange 2003 (2000) Server Setup with the /forestprep switch, the installation fails and you may receive the error message: 'An invalid ADSI pathname was passed'. You may also get an error code of: 80005000.
The Cause of error 80005000 in Exchange
You run setup /forestprep, but it does not complete properly. Active Directory 'flags' that it has been run, but in reality it did not finish.
Check the server progress log for entries like.
The Solution for An invalid ADSI pathname was passed (Error code 80005000)
Open ADSI Edit.
Right-click CN=Microsoft Exchange, and then click Properties. From the Attributes tab, under Select which properties to view, click Both.
Solution, reset the Heuristics property, click Clear, and then click Apply. The Value(s) field will have change to 'not set'.
Set Functional Levels Manually
Forest Level Setting
The attribute that you want is: msDS-Behavior-Version on the CN=Partitions, CN=Configurations, DC=ForestRootDom, DC=tld object.
Note When you increase the msDS-Behavior-Version
attribute from 0 to 1, you receive the following error message, just ignore it!
To check that your change has worked, refresh the attribute list and check the current setting.
Domain Functional Level Setting
Download ADSI Edit
Nobody wins their Active Directory spurs without knowing where to find ADSI Edit. No-one gets to be a top Windows Server 2003 techie without configuring the Domain and Configuration partitions with ADSI Edit. Without ADSI Edit experience, many TechNet articles will be beyond your skill level. While this is not a difficult tool, you have to be careful as there is no error checking.
If you like this page then please share it with your friends
See more Windows tools