#85055 - 2002-02-02 01:06 AM LDAP inaccessible ..?? pls help
mvdw Offline
Starting to like KiXtart

Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Hi all,

I'm desperate to get some LDAP scripts going. I figured I'd start by getting to know the syntax and schema by playing around with common objects and their properties, but it's been a struggle since then.

I've been reading some posts from the board along with the ADSI SDK to figure out what I've been doing wrong, always testing from my laptop. Because I wasn't able to even do a simple GetObject on a user and have it complete successfully, I figured maybe I got the syntax right, but there is some other problem. I then made my single-DC W2K domain go native, joined my laptop and configured DHCP, DNS etc. all for dynamic updates.
I tried a simple script from this topic on my laptop, and it still isn't working; I get the error "-2147016646/The server is not operational."
If I process the exact same script on the DC itself it does work just fine. I figure there is some setting/permission that is preventing LDAP from connecting from a remote machine, but I cannot figure out what. On both machines I am logged on using the administrator account of the domain.

The domain name is mvdw.nl
The server is named connserver
$fullname = CN=WCWS321,CN=Computers,DC=mvdw,DC=nl
If I use either:
$user = GetObject("LDAP://mvdw.nl/$fullname")
or
$user = GetObject("LDAP://$fullname")
I keep getting the error on my laptop and success on the DC itself.

Alex/Shawn, you have written quite some LDAP, do you have ANY idea what I'm doing wrong???

The only thing I could find on support.microsoft.com was a bit on multihomed machines that have more than 51 (!!!) IP addresses. I must say that it is a multihomed server; I also have a NIC that connects to my ADSL modem, and the server provides itself and my laptop internet access through RRAS, giving the machine 3 IP addresses (LAN, modem LAN and VPN).

ANY help would really be appreciated...


PS: forgot to mention wcws321 is the name of my laptop and I can run the following successfully from my laptop:
$fullname = createobject("adsysteminfo").computername
? $fullname
Output is:
CN=WCWS321,CN=Computers,DC=mvdw,DC=nl

Another weird observation: if I use the dsbrowse utility from the SDK, my domain shows under the WINNT: provider, not under the LDAP: provider.

[ 02 February 2002: Message edited by: mvdw ]

_________________________
rgrds, Maarten

#85056 - 2002-02-02 01:59 AM Re: LDAP inaccessible ..?? pls help
Alex.H Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 406
Loc: France
Maarten,
This one would be better:
$fullname = "CN=WCWS321,CN=Computers,DC=mvdw,DC=nl"

If not, please post your script; it would be better for us to help you.

[ 02 February 2002: Message edited by: Alex.H ]

_________________________
? getobject(Kixtart.org.Signature)

#85057 - 2002-02-02 02:12 AM Re: LDAP inaccessible ..?? pls help
mvdw Offline
Starting to like KiXtart

Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Alex, thanks for the quick response,

The script I actually used was:
break on cls
$fullname = createobject("adsysteminfo").computername
? $fullname
$user = GetObject("LDAP://mvdw.nl/$fullname")
get $k
exit
(runs fine on the DC, does nothing on the laptop)
I just placed the $fullname in the original post to show what I was using.

In the meantime I installed the Support Tools, and using ldp.exe I get the following output when connecting to connserver.mvdw.nl:

ld = ldap_open("connserver.mvdw.nl", 389);
Established connection to connserver.mvdw.nl.
Retrieving base DSA information...
Error<94>: ldap_parse_result failed: No result present in message
Getting 0 entries:
-----------

If I do the same on the DC, I get all the nice output with info on the domain etc., and I can continue to bind to any object or the domain and browse away..

_________________________
rgrds, Maarten

#85058 - 2002-02-02 02:22 AM Re: LDAP inaccessible ..?? pls help
Alex.H Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 406
Loc: France
Maarten,

1) Did you install the Active Directory client on your laptop if it's not a W2K/XP workstation? (I suppose yes, but just to be sure.)

2) Is your laptop running in a domain or in a workgroup scheme?

3) Are your logon ID and your computer name present in the AD domain? (Check this in the server's AD Users and Computers.)

_________________________
? getobject(Kixtart.org.Signature)

#85059 - 2002-02-02 02:34 AM Re: LDAP inaccessible ..?? pls help
mvdw Offline
Starting to like KiXtart

Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Alex,

Workstation is Win2K; I had just joined the domain before the experimenting started (I figured there could be some problem in authentication; I've used the WinNT: provider successfully using supplied credentials in the past, but was not too confident on LDAP...)
My computer shows nicely in AD Users and Computers.
I am logged on to the laptop as MVDW/administrator (domain account); I am logged on using the same account on the DC when I test the scripts there.

I performed a normal clean install of Win2K on the server and the laptop. A couple of weeks after the install I used the "wizard" to install AD.
I even checked the DNS and that contains an LDAP service entry... it even says full control permission for the administrator account explicitly. But as I said, under the same account etc. it all runs fine on the DC itself but not on my laptop.

(Just did 70-210 and 70-215 this week, but there were no questions on this one..)

Is there any other prereq you know of?

_________________________
rgrds, Maarten

#85060 - 2002-02-02 04:10 AM Re: LDAP inaccessible ..?? pls help
Alex.H Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 406
Loc: France
Maarten,
If you are already under W2K, nothing more is needed.

What does this one do on your laptop?
$Ads=createobject("adsysteminfo")
? "Ads creation error "+@error +" " +@serror
$fullname = $Ads.computername
? "Computer name error "+@error +" " +@serror
? "computer "+$fullname

_________________________
? getobject(Kixtart.org.Signature)

#85061 - 2002-02-03 12:21 AM Re: LDAP inaccessible ..?? pls help
mvdw Offline
Starting to like KiXtart

Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Alex,
The output of that code is:
Ads creation error 0 The operation completed successfully.
Computer name error 0 The operation completed successfully.
computer CN=WCWS321,CN=Computers,DC=mvdw,DC=nl

I saw in my network sniffer that it got the info from the server.

Could it be that there is a DNS setting that is preventing the LDAP service to remote computers?? Or, if the above runs fine, should all LDAP queries run fine?
In other words, does this adsysteminfo use LDAP? It looks to me as if it uses some other mechanism..

_________________________
rgrds, Maarten

#85062 - 2002-02-02 02:22 PM Re: LDAP inaccessible ..?? pls help
Alex.H Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 406
Loc: France
Maarten,
Adsysteminfo is one of the AD providers.
So as the script worked perfectly, it seems that the LDAP syntax has a mistake.

What does this one do?
$Computer=getobject("LDAP://CN=WCWS321,CN=Computers,DC=mvdw,DC=nl")
? " computer error "+ @error + " "+@serror
? "Computer name " + $Computer.Name

If you get nothing good, take a look here, copy/paste the UDF, and call it with this one in the same script:

For each $Line in ADSearch(,"WCWS321*")
? ""+$line
next
exit

Beware, as the correct LDAP path doesn't include the information after the first "|".

[ 02 February 2002: Message edited by: Alex.H ]

_________________________
? getobject(Kixtart.org.Signature)

#85063 - 2002-02-02 06:25 PM Re: LDAP inaccessible ..?? pls help
mvdw Offline
Starting to like KiXtart

Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Hi Alex,

Well, more bad news.
I tried both of the scripts, and again they work like a treat when I run them on the server itself, but when I run them from my laptop... no such luck.
The first one gives another "server is not operational" and the second one gave a script error.
I ran it in debug mode and noticed it failed on the line:
$AdoCommand.CommandText ="Select AdsPath, samAccountName, GroupType from 'LDAP://"+GetObject("LDAP://rootDSE").Get("defaultNamingContext")+"' "+$filter
I also noticed that debug mode treated the last part:
.Get("defaultNamingContext")+"' "+$filter
as a separate line; if I am not mistaken that means that the previous statement failed. I then ran the following on my laptop to check if I was correct:
$rootdse = GetObject("LDAP://rootDSE")
? @error + "/" + @serror
And that returned:
-2147016646
(No @serror)

I am really starting to believe that there is no error in the syntax part but just some configuration error that is preventing my server from providing LDAP services to my laptop.
I just don't have a clue where to begin and what to look for. I think I am going to kill RRAS for a while and disable the other NIC (the one that is connected to the ADSL modem).

ADSysteminfo might query AD, but I think it uses some other mechanism than LDAP?? See also the output when connecting to the server using ldp.exe in my first reply to you.
It appears that it can open a connection but the server is sending no or malicious data back.

I'm even beginning to consider formatting the server, reinstalling 2000 Advanced Server from scratch, first only a domain with a single NIC, then trying to query AD with LDAP and after that adding the rest of the components one by one whilst continuing to test LDAP. (That will cost me next weekend though..)

Is there any information (perhaps from the folks from MS themselves) about the exact conditions that must be met for a server to provide LDAP? You know, like some other processes need IIS running or something like that.

Thanks for being this patient with me...

_________________________
rgrds, Maarten

#85064 - 2002-02-02 09:09 PM Re: LDAP inaccessible ..?? pls help
Les Offline
KiX Master

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Maarten,
Have you considered that maybe your laptop build is foobar? Have you tried from another Win2k client?
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#85065 - 2002-02-02 09:13 PM Re: LDAP inaccessible ..?? pls help
mvdw Offline
Starting to like KiXtart

Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Please excuse me if this is going off topic, but I have found some interesting things. Using LDP.exe I did some testing and found that (from the laptop) I am able to connect successfully to the directory if I choose connectionless (UDP), but if I then try to bind or search, I receive a message that it's not allowed over UDP.
Also, if I try to connect to the Global Catalog, I am successful, even when using TCP.

I tried some bindings with the GC: provider in a script, but same errors: server not operational or "the domain could not be contacted or does not exist".

I figured it might have something to do with DNS settings, but all the necessary entries seem to be there (can anyone confirm?). This is the output for nslookup > ls -d mvdw.nl:
[connserver.mvdw.nl]
mvdw.nl. SOA connserver.mvdw.nl admin. (103 900 600 86400 3600)
mvdw.nl. A ***.***.***.***
mvdw.nl. A 10.0.0.151
mvdw.nl. A 192.168.0.1
mvdw.nl. A 10.0.0.159
mvdw.nl. NS connserver.mvdw.nl
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs SRV priority=0, weight=100, port=88, connserver.mvdw.nl
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV priority=0, weight=100, port=389, connserver.mvdw.nl
_kerberos._tcp.dc._msdcs SRV priority=0, weight=100, port=88, connserver.mvdw.nl
_ldap._tcp.dc._msdcs SRV priority=0, weight=100, port=389, connserver.mvdw.nl
_ldap._tcp.8f49e2d9-5cc4-4610-be0f-e5c72313e067.domains._msdcs SRV priority=0, weight=100, port=389, connserver.mvdw.nl
eba43d5e-6a3a-4192-8e16-59690c39f3cd._msdcs CNAME connserver.mvdw.nl
gc._msdcs A ***.***.***.***
gc._msdcs A 10.0.0.151
gc._msdcs A 192.168.0.1
gc._msdcs A 10.0.0.159
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs SRV priority=0, weight=100, port=3268, connserver.mvdw.nl
_ldap._tcp.gc._msdcs SRV priority=0, weight=100, port=3268, connserver.mvdw.nl
_ldap._tcp.pdc._msdcs SRV priority=0, weight=100, port=389, connserver.mvdw.nl
_gc._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=3268, connserver.mvdw.nl
_kerberos._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=88, connserver.mvdw.nl
_ldap._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=389, connserver.mvdw.nl
_gc._tcp SRV priority=0, weight=100, port=3268, connserver.mvdw.nl
_kerberos._tcp SRV priority=0, weight=100, port=88, connserver.mvdw.nl
_kpasswd._tcp SRV priority=0, weight=100, port=464, connserver.mvdw.nl
_ldap._tcp SRV priority=0, weight=100, port=389, connserver.mvdw.nl
_kerberos._udp SRV priority=0, weight=100, port=88, connserver.mvdw.nl
_kpasswd._udp SRV priority=0, weight=100, port=464, connserver.mvdw.nl
CONNSERVER A 192.168.0.1
wcws321 A 192.168.0.2
mvdw.nl. SOA connserver.mvdw.nl admin. (103 900 600 86400 3600)

(I blocked out my outside IP to prevent *curious* people from knocking on the door.)

_________________________
rgrds, Maarten

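The zone dump above is the kind of thing a client needs to read correctly before it can even attempt an LDAP bind, so here is a small checker for it. This is an added example, not code from the thread or from KiXtart: it parses nslookup `ls -d` output into SRV and A records, verifies that the standard Windows DC locator SRV records (_ldap, _kerberos, _kpasswd and _gc, under the domain and under _msdcs) are present with the expected ports, and flags the multi-homed symptom visible in Maarten's listing, namely that the domain apex and gc._msdcs resolve to several addresses, most of them not on the laptop's own subnet. The sample zone text is constructed from the posted listing with the masked outside address replaced by a documentation address; the "off subnet" heuristic is my own assumption about what a client on 192.168.0.0/24 can reach directly, not a rule from the page.

```python
"""Check an nslookup 'ls -d' zone dump for DC locator records and multi-homed addresses."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the listing from the thread, outside IP replaced with 203.0.113.10.
ZONE_DUMP = """\
[connserver.mvdw.nl]
mvdw.nl. SOA connserver.mvdw.nl admin. (103 900 600 86400 3600)
mvdw.nl. A 203.0.113.10
mvdw.nl. A 10.0.0.151
mvdw.nl. A 192.168.0.1
mvdw.nl. A 10.0.0.159
mvdw.nl. NS connserver.mvdw.nl
_kerberos._tcp.dc._msdcs SRV priority=0, weight=100, port=88, connserver.mvdw.nl
_ldap._tcp.dc._msdcs SRV priority=0, weight=100, port=389, connserver.mvdw.nl
gc._msdcs A 203.0.113.10
gc._msdcs A 10.0.0.151
gc._msdcs A 192.168.0.1
gc._msdcs A 10.0.0.159
_ldap._tcp.gc._msdcs SRV priority=0, weight=100, port=3268, connserver.mvdw.nl
_ldap._tcp.pdc._msdcs SRV priority=0, weight=100, port=389, connserver.mvdw.nl
_gc._tcp SRV priority=0, weight=100, port=3268, connserver.mvdw.nl
_kerberos._tcp SRV priority=0, weight=100, port=88, connserver.mvdw.nl
_kpasswd._tcp SRV priority=0, weight=100, port=464, connserver.mvdw.nl
_ldap._tcp SRV priority=0, weight=100, port=389, connserver.mvdw.nl
CONNSERVER A 192.168.0.1
wcws321 A 192.168.0.2
"""

# SRV names a Windows client uses to locate a DC, with the port each should advertise.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_ldap._tcp.dc._msdcs": 389,
    "_ldap._tcp.pdc._msdcs": 389,
    "_kerberos._tcp": 88,
    "_kerberos._tcp.dc._msdcs": 88,
    "_kpasswd._tcp": 464,
    "_gc._tcp": 3268,
    "_ldap._tcp.gc._msdcs": 3268,
}

SRV_RE = re.compile(r"^(\S+)\s+SRV\s+priority=(\d+),\s*weight=(\d+),\s*port=(\d+),\s*(\S+)$")
A_RE = re.compile(r"^(\S+)\s+A\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_zone_dump(text):
    """Return (srv, a): srv maps name -> [(port, target)], a maps lowercased name -> [address]."""
    srv, a = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        m = SRV_RE.match(line)
        if m:
            srv[m.group(1)].append((int(m.group(4)), m.group(5)))
            continue
        m = A_RE.match(line)
        if m:
            a[m.group(1).lower()].append(m.group(2))
    return srv, a


def missing_srv_records(srv):
    """Locator records that are absent, or present only with an unexpected port."""
    problems = []
    for name, port in REQUIRED_SRV.items():
        entries = srv.get(name, [])
        if not entries:
            problems.append(f"{name}: missing")
        elif all(p != port for p, _ in entries):
            problems.append(f"{name}: expected port {port}, found {[p for p, _ in entries]}")
    return problems


def off_subnet_dc_addresses(a, client_ip, client_prefixlen, apex="mvdw.nl."):
    """Addresses advertised under `apex` that are not on the client's own subnet.

    A multi-homed DC registers every interface under the domain name; a client
    that picks one of the other interfaces gets a connection failure even though
    LDAP answers fine when tested on the DC itself.
    """
    net = ipaddress.ip_network(f"{client_ip}/{client_prefixlen}", strict=False)
    return [ip for ip in a.get(apex, []) if ipaddress.ip_address(ip) not in net]


if __name__ == "__main__":
    srv, a = parse_zone_dump(ZONE_DUMP)
    print("missing/odd SRV records:", missing_srv_records(srv) or "none")
    print("apex addresses off the laptop's subnet:", off_subnet_dc_addresses(a, "192.168.0.2", 24))
    print("gc._msdcs addresses off the laptop's subnet:",
          off_subnet_dc_addresses(a, "192.168.0.2", 24, apex="gc._msdcs"))
```

Run against the constructed dump it reports no missing locator records (which matches Alex's reading of the listing) and three apex addresses outside 192.168.0.0/24, which is the picture Dean's binding-order advice addresses: the DC is reachable, but not necessarily on the address the client is handed first.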
#85066 - 2002-02-02 09:16 PM Re: LDAP inaccessible ..?? pls help
mvdw Offline
Starting to like KiXtart

Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Hi Les,

It did come to my mind, but I just installed Windows this week and applied SP2.
If anything is FUBAR my first guess is the server.
Tomorrow I will go over to a friend and test against his domains.

... our posts just crossed ...

_________________________
rgrds, Maarten

#85067 - 2002-02-02 09:23 PM Re: LDAP inaccessible ..?? pls help
Les Offline
KiX Master

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Well, not everything goes right the first time. Another thing to check is your C:\WINNT\system32\drivers\etc\services. LDAP should use 389/tcp. Make sure nothing is conflicting with that. On one of my servers, I had to move ILS to another port.
If there's a firewall involved, make sure the port is open.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

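The services-file check Les suggests is easy to automate. The following is an added example (not from the thread and not a KiXtart script): it parses the `services` file format, builds a map of port/protocol to service names, and reports any pair claimed by more than one name. The file content is constructed for the example, including a deliberate clash between ldap and ils on 389/tcp of the kind Les describes having to resolve; on a real machine you would read C:\WINNT\system32\drivers\etc\services instead.

```python
"""Find port/protocol pairs mapped to more than one service name in a services file."""
import re
from collections import defaultdict

# Constructed sample in the Windows services-file layout; the ils line is the planted clash.
SAMPLE_SERVICES = """\
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
#
echo                7/tcp
echo                7/udp
kerberos           88/tcp    krb5 kerberos-sec  #Kerberos
kerberos           88/udp    krb5 kerberos-sec  #Kerberos
ldap              389/tcp                       #Lightweight Directory Access Protocol
ils               389/tcp                       #constructed clash for the example
kpasswd           464/tcp                       #Kerberos (v5)
kpasswd           464/udp                       #Kerberos (v5)
ldaps             636/tcp    sldap              #LDAP over TLS/SSL
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\b")


def parse_services(text):
    """Map (port, protocol) -> [service names], ignoring comments and blank lines."""
    table = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            table[(int(m.group(2)), m.group(3))].append(m.group(1))
    return table


def port_conflicts(table):
    """(port, protocol) pairs that more than one service name claims."""
    return {key: names for key, names in table.items() if len(names) > 1}


def service_on(table, port, proto="tcp"):
    """Service names registered for a given port/protocol (empty list if none)."""
    return table.get((port, proto), [])


if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    for (port, proto), names in sorted(port_conflicts(table).items()):
        print(f"{port}/{proto} is claimed by: {', '.join(names)}")
    print("389/tcp ->", service_on(table, 389))
```

To run it against the real file, replace SAMPLE_SERVICES with `open(r"C:\WINNT\system32\drivers\etc\services").read()`; a clean file gives no conflict lines for 389/tcp, which is what Les asks Maarten to confirm.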
#85068 - 2002-02-04 01:02 AM Re: LDAP inaccessible ..?? pls help
Alex.H Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 406
Loc: France
Maarten,
Maybe Les hit the point. From the log you provided, LDAP is on the right port (389):
_ldap._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=389, connserver.mvdw.nl
_ldap._tcp SRV priority=0, weight=100, port=389, connserver.mvdw.nl
I don't see anything different from the one I have at hand.

Anyway, if running the scripts locally on the server gives the wanted results, then LDAP is working.
You may also have another possibility than a conflict with the UDP port: take a look at the policies on the server; maybe something is wrong there and doesn't allow external requests. Try with lower security settings, and if it works, try to strengthen them until you reach the "not authorized" point.
Also, as Les said, you should really do some other tests with another computer/laptop and another account.

_________________________
? getobject(Kixtart.org.Signature)

#85069 - 2002-02-04 05:37 PM Re: LDAP inaccessible ..?? pls help
Dean B. Offline
Fresh Scripter

Registered: 2002-02-04
Posts: 46
Loc: Allegan, MI USA
Maarten,

Something else to check. On your DC, go to the Network and Dial-up Connections folder. Choose the Advanced menu and click on Advanced Settings. Verify that your LAN connection is listed first in the connections. This is important for a multi-homed Win2000 server. (Bitten by that one myself!)

Dean

_________________________
Dean

#85070 - 2002-02-04 07:10 PM Re: LDAP inaccessible ..?? pls help
Alex.H Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 406
Loc: France
Dean,
This will explain it much better:

I've heard of this one, but never knew how to get my hands on it.
When trying to correct a multihomed server, we didn't find anything other than format => install with only the primary NIC to correct a bad binding with the DNS service.
2 full weeks lost.

I'm currently looking for a window to jump through

Thanks Dean, this one will really be handy.

_________________________
? getobject(Kixtart.org.Signature)

#85071 - 2002-02-04 08:06 PM Re: LDAP inaccessible ..?? pls help
Dean B. Offline
Fresh Scripter

Registered: 2002-02-04
Posts: 46
Loc: Allegan, MI USA
Alex,

Yeah, we had problems with Exchange/Outlook communication that was a result of adding a second network card. Unknown to me, the new card was configured as the primary adapter by default. It took a full week before I found the culprit and whacked it really hard.

BTW, thanks for all your work on KixGUI! What a great tool!!!

Dean

_________________________
Dean

#85072 - 2002-02-05 01:13 PM Re: LDAP inaccessible ..?? pls help
mvdw Offline
Starting to like KiXtart

Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Dean,

It could well be that you got it spot on.
I tested with my laptop against another domain, which worked like a champ, and I noticed in TCPView that lsass.exe is listening on port 389.
Your tip on the primary NIC seems really plausible. I'll try it tonight..

Hmm... just a thought, would this mean that any DC acting as router between two networks would only be accessible from one of the networks??? That would be a pity.

[ 05 February 2002: Message edited by: mvdw ]

_________________________
rgrds, Maarten
