DCPROMO fails with LDAP bind errors
I'm running into problems trying to build a replica DC for an existing domain at a new site. After supplying credentials (which is the administrator account for the forest root) I come to the 'select a domain' screen. After picking the domain and hitting next, 'Examining Active Directory Forest' fails with:
Failed to examine the Active Directory forest. The error was: The operation cannot continue because LDAP connect/bind operation failed: error: 1326 (Logon failure: unknown user name or bad password.).
dcpromoui.log shows:
dcpromoui 110.B6C 02D5 08:52:52.578 Enter ValidateForestConfig
dcpromoui 110.B6C 02D6 08:52:52.593 Enter DS::ExamineForest
dcpromoui 110.B6C 02D7 08:52:52.593 Enter State::GetOperation REPLICA
dcpromoui 110.B6C 02D8 08:52:52.593 Enter State::GetForestName example.local
dcpromoui 110.B6C 02D9 08:52:52.593 Enter State::GetReplicationPartnerDomainName
dcpromoui 110.B6C 02DA 08:52:52.593 Enter State::GetOperation REPLICA
dcpromoui 110.B6C 02DB 08:52:52.593 Enter State::GetReplicaDomainDNSName example.local
dcpromoui 110.B6C 02DC 08:52:52.593 ldapUserName <- 'administrator'
dcpromoui 110.B6C 02DD 08:52:52.593 ldapPassword <- '<password>'
dcpromoui 110.B6C 02DE 08:52:52.593 ldapDomain <- 'example.local'
dcpromoui 110.B6C 02DF 08:52:52.593 domainDnsName <- 'example.local'
dcpromoui 110.B6C 02E0 08:52:52.593 forestDnsName <- 'example.local'
dcpromoui 110.B6C 02E1 08:52:52.593 operationType <- 'replica'
dcpromoui 110.B6C 02E2 08:52:52.593 Enter CLdapContext::ExecuteScript opMode=run-read-only
dcpromoui 110.B6C 02E3 08:52:52.593 Enter CLdapOperationBlock::Execute
dcpromoui 110.B6C 02E4 08:52:52.593 Enter CLdapOperationIf::Execute
dcpromoui 110.B6C 02E5 08:52:52.593 Enter CLdapExpressionNot::Compute
dcpromoui 110.B6C 02E6 08:52:52.593 Enter CLdapExpressionPresent::Compute pattern=domainDnsName
dcpromoui 110.B6C 02E7 08:52:52.593 > true (example.local)
dcpromoui 110.B6C 02E8 08:52:52.593 > false
dcpromoui 110.B6C 02E9 08:52:52.593 Condition false
dcpromoui 110.B6C 02EA 08:52:52.593 Enter CLdapOperationIf::Execute
dcpromoui 110.B6C 02EB 08:52:52.593 Enter CLdapExpressionNot::Compute
dcpromoui 110.B6C 02EC 08:52:52.593 Enter CLdapExpressionPresent::Compute pattern=forestDnsName
dcpromoui 110.B6C 02ED 08:52:52.593 > true (example.local)
dcpromoui 110.B6C 02EE 08:52:52.593 > false
dcpromoui 110.B6C 02EF 08:52:52.593 Condition false
dcpromoui 110.B6C 02F0 08:52:52.593 Enter CLdapOperationIf::Execute
dcpromoui 110.B6C 02F1 08:52:52.593 Enter CLdapExpressionNot::Compute
dcpromoui 110.B6C 02F2 08:52:52.593 Enter CLdapExpressionPresent::Compute pattern=operationType
dcpromoui 110.B6C 02F3 08:52:52.593 > true (replica)
dcpromoui 110.B6C 02F4 08:52:52.593 > false
dcpromoui 110.B6C 02F5 08:52:52.593 Condition false
dcpromoui 110.B6C 02F6 08:52:52.593 Enter CLdapOperationConnect::Execute target=$(domainDnsName), options=0x10
dcpromoui 110.B6C 02F7 08:52:52.593 DsGetDcNameW() returned SERVER.example.local
dcpromoui 110.B6C 02F8 08:52:52.750 Calling ldap_bind_sW(ld, NULL, pCreds, 1158)
dcpromoui 110.B6C 02F9 08:52:56.609 _lastLdapError_ <- '1326'
dcpromoui 110.B6C 02FA 08:52:56.609 ldap_bind() failed, err=53
dcpromoui 110.B6C 02FB 08:52:56.609 Enter GetErrorMessage 8007052E
dcpromoui 110.B6C 02FC 08:52:56.609 ***** EXCEPTION: 8007052e The operation cannot continue because LDAP connect/bind operation failed: error: 1326 (Logon failure: unknown user name or bad password.).
dcpromoui 110.B6C 02FD 08:52:56.609 ExecuteScript() failed:
The operation cannot continue because LDAP connect/bind operation failed: error: 1326 (Logon failure: unknown user name or bad password.).
dcpromoui 110.B6C 02FE 08:52:56.609 ExamineForest failed. The error is The operation cannot continue because LDAP connect/bind operation failed: error: 1326 (Logon failure: unknown user name or bad password.).
dcpromoui 110.0EC 02FF 08:52:56.609 Enter Popup::Error
dcpromoui 110.0EC 0300 08:52:56.609 MessageBox: Active Directory Domain Services Installation Wizard : Failed to examine the Active Directory forest. The error was: The operation cannot continue because LDAP connect/bind operation failed: error: 1326 (Logon failure: unknown user name or bad password.).
dcpromoui 110.0EC 0301 08:53:27.343 Enter Wizard::SetNextPageID id = -1
My credentials are fine (you can't even get this far in dcpromo without having them validated, and I can use these credentials in ADSIedit to bind to the domain from this site.) I haven't been able to find anything related to the errors that are being thrown.
Anyone have any ideas?
David Everett here again with an interesting issue that causes the Advertising test in DCdiag.exe to fail when verifying the role of a global catalog (GC).
A customer called Microsoft Product Support to determine why the Advertising test in dcdiag.exe was reporting that the global catalog role was not working on a Windows Server 2008 Read-only domain controller (RODC) when all other indicators suggested it was functioning normally. DCDiag.exe reported the DC was advertising as a GC but DCDiag couldn’t perform a search against the GC when the command was issued local to the server or remotely:
Dcdiag /test:advertising /v /s:RODC
<.snip.>
Doing primary tests
Testing server: SITEZRODC01
Starting test: Advertising
The DC RODC01 is advertising itself as a DC and having a DS.
The DC RODC01 is advertising as an LDAP server
The DC RODC01 is not advertising as having a writeable directory because it is an RODC
The DC RODC01 is advertising as a Key Distribution Center
The DC RODC01 is advertising as a time server
Ldap search capabality attribute search failed on server RODC01,
return value = 81
Server RODC01 is advertising as a global catalog, but
it could not be verified that the server thought it was a GC.
……………………. RODC01 failed test Advertising
Determine the health of the Global Catalog
There are some simple tests that can be done to verify the DC is advertising the Global Catalog role. First, make a connection to the W2K8 DC’s ROOTDSE over port 389 or 3268 to determine if the DC has sourced and is advertising the global catalog:
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
Another useful test to verify the DC is advertising as a GC is to use the /GC parameter in nltest.exe and observe that GC is listed in the Flags:
nltest /dsgetdc:contoso /force /gc
DC: RODC01
Address: 11.11.11.25
Dom Guid: a238ef59-eeef-11d2-a123-00805f9f123
Dom Name: CONTOSO
Forest Name: contoso.com
Dc Site Name: SITEX
Our Site Name: SITEX
Flags: GC DS LDAP KDC TIMESERV DNS_FOREST CLOSE_SITE PARTIAL_SECRET
The command completed successfully
The first two tests essentially confirm what dcdiag.exe already reports, namely that the server is advertising as a GC. The real question now is, “Do LDAP searches correctly retrieve objects from the global catalog?” Since the DC resides in contoso.com (the forest root domain) the search should be made to query an object from a different domain in the same forest over global catalog LDAP port 3268. The example below shows the GC successfully returns the child domain’s Administrator account:
repadmin.exe /showattr RODC01 "DC=child,DC=contoso,DC=com" /subtree /filter:"(&(objectClass=user)(name=Administrator))" /atts:name /gc
DN: CN=Administrator,CN=users,DC=child,DC=contoso,DC=com
1> name: Administrator
Understanding why LDAP search in the Advertising test is failing
This problem occurs when an administrator removes a domain controller machine account using adsiedit.msc but fails to remove the corresponding objects from the Configuration partition, and then promotes a new DC with the same name into a different site.
Ldap Error 81 (Server Down), Win32 Err 58
Apparently an RODC account was pre-created in the wrong Active Directory site using the Pre-created Read-only Domain Controller account… option in DSA.MSC. The Active Directory Promotion Wizard prompts the administrator to type the hostname and select the Site where the prospective DC will reside. The wizard uses this information to create the computer account and its corresponding NTDS Settings object. At some point, the unoccupied RODC machine account was deleted from the Domain Controllers OU using adsiedit.msc but its corresponding NTDS Settings object was left in the Configuration partition. Eventually the server was promoted as a DC into the correct site and successfully promoted to be a GC.
It’s important to note that this condition isn’t specific to RODCs. The same issue occurs if a writable DC is removed from metadata in the same way and a server with the same name is later promoted into a different site.
All NTDS Settings objects have a parent server object named after the DC. This parent server object contains a dNSHostName attribute that is populated with the fully qualified domain name of the DC. In this case the identically named stale and valid NTDS Settings objects in different sites have a dNSHostName attribute with the same FQDN.
The DCDIAG Advertising test searches the CN=Sites,CN=Configuration,DC=Contoso,DC=Com container for a Server object whose dNSHostName attribute matches the fully qualified computer name of the DC being targeted. Once it finds the object with the matching dNSHostName, it retrieves the objectGUID of the subordinate NTDS Settings object and attempts to contact the target domain controller by its fully qualified CNAME, which would normally be registered under the DNS zone "_msdcs.contoso.com".
If DCDIAG discovers a Server object whose dNSHostName attribute matches the targeted DC but the ObjectGUID on the subordinate NTDS Settings object wasn’t created by the last DCPROMO promotion or machine account pre-creation, then the LDAP bind to the targeted DC will fail with LDAP error 81. To get a better understanding of what this error means, download Err.exe and pass it the error code and you find it translates to “LDAP_SERVER_DOWN”.
Identify Valid and Invalid NTDS Settings objects and clean up
1. Determine the DSA object GUID and Site name that the DC is currently registering in DNS as a CNAME record by running this command:
C:\>repadmin /showreps <name of dc> | more
<AD Site Name>\RODC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 52399da1-87ba-4da6-bce3-71dcf0d85f34
DSA invocationID: 18bce5ac-d9f4-46dc-bccf-f3e39da103f9
2. Use the repadmin.exe command below to locate the Site that the invalid NTDS Settings object is in:
C:\>repadmin.exe /showattr RODC01 "CN=Sites,CN=Configuration,DC=contoso,DC=com" /subtree /filter:"(&(objectClass=server)(name=RODC01))" /atts:name
DN: CN=RODC01,CN=Servers,CN=SITE-A,CN=Sites,DC=Configuration,DC=contoso,DC=com
1> name: RODC01
DN: CN=RODC01,CN=Servers,CN=SITE-Z,CN=Sites,DC=Configuration,DC=contoso,DC=com
1> name: RODC01
3. Verify the wrong server object in the undesirable site is causing the failure:
a. Open adsiedit.msc and view the Properties of the invalid Server object.
b. Select the Attribute Editor tab and Edit the dNSHostName attribute.
c. Click Clear, OK and Apply to remove the FQDN of the RODC from the invalid object.
d. Once AD replication of this change makes it to the RODC run:
dcdiag /test:advertising /v /s:RODC01
e. Verify the DC is now advertising as a GC.
4. Now that DCdiag is free of errors, delete the invalid server object using the preferred method of metadata cleanup.
a. Right-click the NTDS Settings object of the invalid RODC in Active Directory Sites and Services and select Delete
b. Click Yes at the Active Directory Domain Services prompt to delete the NTDS Settings object
c. Uncheck all three boxes in the Deleting Domain Controller window and click Delete
d. Once the subordinate NTDS Settings object has been removed, delete the invalid server object that is just superior to the NTDS Settings object that was just deleted.
NOTE: Because the serverReference attribute is NULL on the invalid NTDS Settings object the corresponding DC object in the domain partition will not be removed.
One way to ensure you never encounter this issue with dcdiag.exe is to start using this last step to remove a domain controller from the metadata instead of adsiedit.msc.
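Steps 1 and 2 above can be automated. The following is an added example, not code from the article or from Microsoft: it parses the repadmin /showreps output for the DSA object GUID the DC currently registers, parses a repadmin /showattr listing of the Server and NTDS Settings objects under CN=Sites, and reports which Server object carrying the DC's dNSHostName is live and which is the stale leftover. Both outputs below are constructed samples; the SITE-Z GUIDs are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of `repadmin /showreps RODC01` (header block only).
SHOWREPS_OUTPUT = """\
SITE-A\\RODC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 52399da1-87ba-4da6-bce3-71dcf0d85f34
DSA invocationID: 18bce5ac-d9f4-46dc-bccf-f3e39da103f9
"""

# Constructed sample in the shape of:
#   repadmin /showattr RODC01 "CN=Sites,CN=Configuration,DC=contoso,DC=com" /subtree
#     /filter:"(|(objectClass=server)(objectClass=nTDSDSA))" /atts:dNSHostName,objectGUID
# The SITE-Z pair is the stale leftover from the deleted pre-created account.
SHOWATTR_OUTPUT = """\
DN: CN=RODC01,CN=Servers,CN=SITE-A,CN=Sites,CN=Configuration,DC=contoso,DC=com
    1> dNSHostName: RODC01.contoso.com
    1> objectGUID: 0a1b2c3d-1111-4111-8111-000000000a01
DN: CN=NTDS Settings,CN=RODC01,CN=Servers,CN=SITE-A,CN=Sites,CN=Configuration,DC=contoso,DC=com
    1> objectGUID: 52399da1-87ba-4da6-bce3-71dcf0d85f34
DN: CN=RODC01,CN=Servers,CN=SITE-Z,CN=Sites,CN=Configuration,DC=contoso,DC=com
    1> dNSHostName: RODC01.contoso.com
    1> objectGUID: 0a1b2c3d-2222-4222-8222-000000000a02
DN: CN=NTDS Settings,CN=RODC01,CN=Servers,CN=SITE-Z,CN=Sites,CN=Configuration,DC=contoso,DC=com
    1> objectGUID: 0a1b2c3d-3333-4333-8333-0000000dead0
DN: CN=DC01,CN=Servers,CN=SITE-A,CN=Sites,CN=Configuration,DC=contoso,DC=com
    1> dNSHostName: DC01.contoso.com
    1> objectGUID: 0a1b2c3d-4444-4444-8444-000000000a04
"""


@dataclass
class ServerObject:
    dn: str
    site: str
    dns_host_name: str
    ntds_guid: Optional[str]   # objectGUID of the subordinate NTDS Settings object
    live: bool                 # True if that GUID is the one the DC registers in DNS


def parse_showreps_dsa_guid(text: str) -> str:
    """Step 1: the DSA object GUID the DC is currently registering as its CNAME."""
    m = re.search(r"^DSA object GUID:\s*([0-9a-fA-F-]{36})", text, re.M)
    if not m:
        raise ValueError("DSA object GUID not found in /showreps output")
    return m.group(1).lower()


def parse_showattr(text: str) -> Dict[str, Dict[str, str]]:
    """Turn repadmin /showattr output into {DN: {attribute: value}}."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DN: "):
            current = line[4:]
            entries[current] = {}
        elif current is not None:
            m = re.match(r"^\d+>\s*([A-Za-z]+):\s*(.*)$", line)
            if m:
                entries[current][m.group(1)] = m.group(2).strip()
    return entries


def classify_server_objects(showreps: str, showattr: str, fqdn: str) -> List[ServerObject]:
    """Step 2: every Server object whose dNSHostName is the DC's FQDN, flagged live/stale.

    dcdiag picks whichever matching Server object it finds first, so a stale one
    with a foreign NTDS Settings GUID makes the CNAME lookup fail (LDAP error 81).
    """
    live_guid = parse_showreps_dsa_guid(showreps)
    entries = parse_showattr(showattr)
    found: List[ServerObject] = []
    for dn, attrs in entries.items():
        if dn.startswith("CN=NTDS Settings,"):
            continue  # handled via its parent Server object
        if attrs.get("dNSHostName", "").lower() != fqdn.lower():
            continue
        ntds = entries.get("CN=NTDS Settings," + dn, {})
        guid = ntds.get("objectGUID", "").lower() or None
        site = re.search(r"CN=Servers,CN=([^,]+),CN=Sites", dn).group(1)
        found.append(ServerObject(dn, site, attrs["dNSHostName"], guid, guid == live_guid))
    return found


def stale_server_dns(objs: List[ServerObject]) -> List[str]:
    """DNs of Server objects that need metadata cleanup (step 4 of the article)."""
    return [o.dn for o in objs if not o.live]


def expected_dns_cname(dsa_guid: str, forest_dns_name: str) -> str:
    """The CNAME dcdiag will try for a given NTDS Settings GUID."""
    return f"{dsa_guid}._msdcs.{forest_dns_name}"


if __name__ == "__main__":
    for obj in classify_server_objects(SHOWREPS_OUTPUT, SHOWATTR_OUTPUT, "RODC01.contoso.com"):
        state = "LIVE " if obj.live else "STALE"
        print(f"{state} {obj.site:8} {obj.dn}")
        print(f"      tries {expected_dns_cname(obj.ntds_guid, 'contoso.com')}")
```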
David “Mad Men” Everett
Windows contains an implementation of the LDAP resultCode ([RFC2251] section 4.1.10) which is used by higher-layer protocols to interpret the results of an LDAP operation.
Each LDAP error value is also mapped to the closest Win32 error value, for use by the higher-layer protocols. This mapping is as shown in the following table:
Value: Decimal | Value: Hexadecimal representation | LDAPResult.resultCode: RFC 1777 | LDAPResult.resultCode: RFC 2251 | Windows: Ldap Error (LDAP_RETCODE from winldap.w) | Windows: Win32 error (from LdapMapErrorToWin32 / winmaindsdssrcldapclientutil.cxx) |
---|---|---|---|---|---|
0 | 0x0 | success | success | LDAP_SUCCESS | NO_ERROR |
1 | 0x1 | operationsError | operationsError | LDAP_OPERATIONS_ERROR | ERROR_OPEN_FAILED |
2 | 0x2 | protocolError | protocolError | LDAP_PROTOCOL_ERROR | ERROR_INVALID_LEVEL |
3 | 0x3 | timeLimitExceeded | timeLimitExceeded | LDAP_TIMELIMIT_EXCEEDED | ERROR_TIMEOUT |
4 | 0x4 | sizeLimitExceeded | sizeLimitExceeded | LDAP_SIZELIMIT_EXCEEDED | ERROR_MORE_DATA |
5 | 0x5 | compareFalse | compareFalse | LDAP_COMPARE_FALSE | ERROR_DS_GENERIC_ERROR |
6 | 0x6 | compareTrue | compareTrue | LDAP_COMPARE_TRUE | ERROR_DS_GENERIC_ERROR |
7 | 0x7 | authMethodNotSupported | authMethodNotSupported | LDAP_AUTH_METHOD_NOT_SUPPORTED | ERROR_ACCESS_DENIED |
8 | 0x8 | strongAuthRequired | strongAuthRequired | LDAP_STRONG_AUTH_REQUIRED | ERROR_ACCESS_DENIED |
9 | 0x9 | | 9 reserved | LDAP_REFERRAL_V2, LDAP_PARTIAL_RESULTS | ERROR_MORE_DATA |
10 | 0xA | | referral | LDAP_REFERRAL | |
11 | 0xB | | adminLimitExceeded | LDAP_ADMIN_LIMIT_EXCEEDED | ERROR_NOT_ENOUGH_QUOTA |
12 | 0xC | | unavailableCriticalExtension | LDAP_UNAVAILABLE_CRIT_EXTENSION | ERROR_CAN_NOT_COMPLETE |
13 | 0xD | | confidentialityRequired | LDAP_CONFIDENTIALITY_REQUIRED | |
14 | 0xE | | saslBindInProgress | LDAP_SASL_BIND_IN_PROGRESS | |
15 | 0xF | | | | |
16 | 0x10 | noSuchAttribute | noSuchAttribute | LDAP_NO_SUCH_ATTRIBUTE | ERROR_INVALID_PARAMETER |
17 | 0x11 | undefinedAttributeType | undefinedAttributeType | LDAP_UNDEFINED_TYPE | ERROR_DS_GENERIC_ERROR |
18 | 0x12 | inappropriateMatching | inappropriateMatching | LDAP_INAPPROPRIATE_MATCHING | ERROR_INVALID_PARAMETER |
19 | 0x13 | constraintViolation | constraintViolation | LDAP_CONSTRAINT_VIOLATION | ERROR_INVALID_PARAMETER |
20 | 0x14 | attributeOrValueExists | attributeOrValueExists | LDAP_ATTRIBUTE_OR_VALUE_EXISTS | ERROR_ALREADY_EXISTS |
21 | 0x15 | invalidAttributeSyntax | invalidAttributeSyntax | LDAP_INVALID_SYNTAX | ERROR_INVALID_NAME |
22 | 0x16 | ||||
23 | 0x17 | ||||
24 | 0x18 | ||||
25 | 0x19 | ||||
26 | 0x1A | ||||
27 | 0x1B | ||||
28 | 0x1C | | | | |
29 | 0x1D | ||||
30 | 0x1E | ||||
31 | 0x1F | ||||
32 | 0x20 | noSuchObject | noSuchObject | LDAP_NO_SUCH_OBJECT | ERROR_FILE_NOT_FOUND |
33 | 0x21 | aliasProblem | aliasProblem | LDAP_ALIAS_PROBLEM | ERROR_DS_GENERIC_ERROR |
34 | 0x22 | invalidDNSyntax | invalidDNSyntax | LDAP_INVALID_DN_SYNTAX | ERROR_INVALID_PARAMETER |
35 | 0x23 | isLeaf | 35 reserved for undefined isLeaf | LDAP_IS_LEAF | ERROR_DS_GENERIC_ERROR |
36 | 0x24 | aliasDereferencingProblem | aliasDereferencingProblem | LDAP_ALIAS_DEREF_PROBLEM | ERROR_DS_GENERIC_ERROR |
37 | 0x25 | 37-47 unused | |||
38 | 0x26 | ||||
39 | 0x27 | ||||
40 | 0x28 | ||||
41 | 0x29 | ||||
42 | 0x2A | ||||
43 | 0x2B | ||||
44 | 0x2C | ||||
45 | 0x2D | ||||
46 | 0x2E | ||||
47 | 0x2F | ||||
48 | 0x30 | inappropriateAuthentication | inappropriateAuthentication | LDAP_INAPPROPRIATE_AUTH | ERROR_ACCESS_DENIED |
49 | 0x31 | invalidCredentials | invalidCredentials | LDAP_INVALID_CREDENTIALS | ERROR_LOGON_FAILURE |
50 | 0x32 | insufficientAccessRights | insufficientAccessRights | LDAP_INSUFFICIENT_RIGHTS | ERROR_ACCESS_DENIED |
51 | 0x33 | busy | busy | LDAP_BUSY | ERROR_BUSY |
52 | 0x34 | unavailable | unavailable | LDAP_UNAVAILABLE | ERROR_DEV_NOT_EXIST |
53 | 0x35 | unwillingToPerform | unwillingToPerform | LDAP_UNWILLING_TO_PERFORM | ERROR_CAN_NOT_COMPLETE |
54 | 0x36 | loopDetect | loopDetect | LDAP_LOOP_DETECT | ERROR_DS_GENERIC_ERROR |
55 | 0x37 | 55-63 unused | |||
56 | 0x38 | ||||
57 | 0x39 | ||||
58 | 0x3A | ||||
59 | 0x3B | ||||
60 | 0x3C | | | LDAP_SORT_CONTROL_MISSING | ERROR_DS_SORT_CONTROL_MISSING |
61 | 0x3D | | | LDAP_OFFSET_RANGE_ERROR | ERROR_DS_OFFSET_RANGE_ERROR |
62 | 0x3E | ||||
63 | 0x3F | ||||
64 | 0x40 | namingViolation | namingViolation | LDAP_NAMING_VIOLATION | ERROR_INVALID_PARAMETER |
65 | 0x41 | objectClassViolation | objectClassViolation | LDAP_OBJECT_CLASS_VIOLATION | ERROR_INVALID_PARAMETER |
66 | 0x42 | notAllowedOnNonLeaf | notAllowedOnNonLeaf | LDAP_NOT_ALLOWED_ON_NONLEAF | ERROR_CAN_NOT_COMPLETE |
67 | 0x43 | notAllowedOnRDN | notAllowedOnRDN | LDAP_NOT_ALLOWED_ON_RDN | ERROR_ACCESS_DENIED |
68 | 0x44 | entryAlreadyExists | entryAlreadyExists | LDAP_ALREADY_EXISTS | ERROR_ALREADY_EXISTS |
69 | 0x45 | objectClassModsProhibited | objectClassModsProhibited | LDAP_NO_OBJECT_CLASS_MODS | ERROR_ACCESS_DENIED |
70 | 0x46 | | 70 reserved for CLDAP | LDAP_RESULTS_TOO_LARGE | ERROR_INSUFFICIENT_BUFFER |
71 | 0x47 | | affectsMultipleDSAs | LDAP_AFFECTS_MULTIPLE_DSAS | ERROR_CAN_NOT_COMPLETE |
72 | 0x48 | 72-79 unused | |||
73 | 0x49 | ||||
74 | 0x4A | ||||
75 | 0x4B | ||||
76 | 0x4C | | | LDAP_VIRTUAL_LIST_VIEW_ERROR | |
77 | 0x4D | ||||
78 | 0x4E | ||||
79 | 0x4F | ||||
80 | 0x50 | other | other | LDAP_OTHER | ERROR_DS_GENERIC_ERROR |
81 | 0x51 | | 81-90 reserved for APIs | LDAP_SERVER_DOWN | ERROR_BAD_NET_RESP |
82 | 0x52 | | | LDAP_LOCAL_ERROR | ERROR_DS_GENERIC_ERROR |
83 | 0x53 | | | LDAP_ENCODING_ERROR | ERROR_UNEXP_NET_ERR |
84 | 0x54 | | | LDAP_DECODING_ERROR | ERROR_UNEXP_NET_ERR |
85 | 0x55 | | | LDAP_TIMEOUT | ERROR_SERVICE_REQUEST_TIMEOUT |
86 | 0x56 | | | LDAP_AUTH_UNKNOWN | ERROR_WRONG_PASSWORD |
87 | 0x57 | | | LDAP_FILTER_ERROR | ERROR_INVALID_PARAMETER |
88 | 0x58 | | | LDAP_USER_CANCELLED | ERROR_CANCELLED |
89 | 0x59 | | | LDAP_PARAM_ERROR | ERROR_INVALID_PARAMETER |
90 | 0x5A | | | LDAP_NO_MEMORY | ERROR_NOT_ENOUGH_MEMORY |
91 | 0x5B | | | LDAP_CONNECT_ERROR | ERROR_CONNECTION_REFUSED |
92 | 0x5C | | | LDAP_NOT_SUPPORTED | ERROR_CAN_NOT_COMPLETE |
93 | 0x5D | | | LDAP_NO_RESULTS_RETURNED | ERROR_MORE_DATA |
94 | 0x5E | | | LDAP_CONTROL_NOT_FOUND | ERROR_NOT_FOUND |
95 | 0x5F | | | LDAP_MORE_RESULTS_TO_RETURN | ERROR_MORE_DATA |
96 | 0x60 | | | LDAP_CLIENT_LOOP | |
97 | 0x61 | | | LDAP_REFERRAL_LIMIT_EXCEEDED | |
98 | 0x62 | | | | |
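The table is most useful read against the log lines earlier on this page. The following added example (not from Microsoft or from any of the page's authors) pulls the LDAP resultCode out of dcpromoui.log's `err=` and dcdiag's `return value =` lines, unpacks the Win32 code embedded in a FACILITY_WIN32 HRESULT such as 8007052e, and maps each through a subset of the table; the Win32 numeric values are the standard winerror.h values, and the sample lines are quoted from the logs above.

```python
import re
from typing import Dict, List, Optional, Tuple

# resultCode -> (Windows LDAP_RETCODE name, Win32 error name, Win32 value).
# Names follow the mapping table; numeric values are the winerror.h constants.
# Only the rows relevant to the logs on this page are carried over.
LDAP_TO_WIN32: Dict[int, Tuple[str, str, int]] = {
    0: ("LDAP_SUCCESS", "NO_ERROR", 0),
    1: ("LDAP_OPERATIONS_ERROR", "ERROR_OPEN_FAILED", 110),
    32: ("LDAP_NO_SUCH_OBJECT", "ERROR_FILE_NOT_FOUND", 2),
    49: ("LDAP_INVALID_CREDENTIALS", "ERROR_LOGON_FAILURE", 1326),
    50: ("LDAP_INSUFFICIENT_RIGHTS", "ERROR_ACCESS_DENIED", 5),
    52: ("LDAP_UNAVAILABLE", "ERROR_DEV_NOT_EXIST", 55),
    53: ("LDAP_UNWILLING_TO_PERFORM", "ERROR_CAN_NOT_COMPLETE", 1003),
    81: ("LDAP_SERVER_DOWN", "ERROR_BAD_NET_RESP", 58),
    85: ("LDAP_TIMEOUT", "ERROR_SERVICE_REQUEST_TIMEOUT", 1053),
    91: ("LDAP_CONNECT_ERROR", "ERROR_CONNECTION_REFUSED", 1225),
}

FACILITY_WIN32 = 7  # HRESULT facility used by HRESULT_FROM_WIN32


def win32_from_hresult(hresult: int) -> Optional[int]:
    """Invert HRESULT_FROM_WIN32: 0x8007xxxx -> xxxx.

    Returns None for a success HRESULT or one from another facility.
    """
    if hresult & 0x80000000 == 0:
        return None
    if (hresult >> 16) & 0x1FFF != FACILITY_WIN32:
        return None
    return hresult & 0xFFFF


def decode_ldap(code: int) -> Optional[Tuple[str, str, int]]:
    """Map an LDAP resultCode to (LDAP_RETCODE name, Win32 name, Win32 value)."""
    return LDAP_TO_WIN32.get(code)


def ldap_codes_for_win32(win32: int) -> List[int]:
    """Reverse lookup: which resultCodes the client maps to a given Win32 error."""
    return [c for c, (_, _, v) in LDAP_TO_WIN32.items() if v == win32]


# Patterns for the three ways a code shows up in the logs quoted on this page.
RE_LDAP_ERR = re.compile(r"(?:\berr=|return value\s*=\s*)(\d+)")
RE_HRESULT = re.compile(r"EXCEPTION:\s*([0-9A-Fa-f]{8})\b")
RE_WIN32 = re.compile(r"\berror:\s*(\d+)")


def decode_line(line: str) -> dict:
    """Extract and decode every LDAP / HRESULT / Win32 code found in one log line."""
    out: dict = {}
    m = RE_LDAP_ERR.search(line)
    if m:
        code = int(m.group(1))
        out["ldap_code"] = code
        out["ldap_decoded"] = decode_ldap(code)
    m = RE_HRESULT.search(line)
    if m:
        hr = int(m.group(1), 16)
        out["hresult"] = hr
        out["win32_from_hresult"] = win32_from_hresult(hr)
    m = RE_WIN32.search(line)
    if m:
        out["win32_code"] = int(m.group(1))
    return out


# Lines quoted from the dcpromoui.log and dcdiag output earlier on this page.
SAMPLE_LINES = [
    "dcpromoui 110.B6C 02FA 08:52:56.609 ldap_bind() failed, err=53",
    "dcpromoui 110.B6C 02FC 08:52:56.609 ***** EXCEPTION: 8007052e The operation cannot "
    "continue because LDAP connect/bind operation failed: error: 1326 (Logon failure: "
    "unknown user name or bad password.).",
    "return value = 81",
]


def decode_all(lines: List[str]) -> List[dict]:
    return [decode_line(line) for line in lines]


if __name__ == "__main__":
    for line, info in zip(SAMPLE_LINES, decode_all(SAMPLE_LINES)):
        print(line[:60])
        print("   ", info)
```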
Repadmin is legend. I mean, who hasn't impressed their friends, family and pets with the /experthelp switch? And, when it comes to administering and troubleshooting Active Directory replication, repadmin is king. Now, though.. there's a young pretender to the throne in the guise of the Windows Server 2012 Active Directory replication cmdlets.
Why use these cmdlets instead of repadmin, you ask? Well, the answer is the same as the answer to the question 'why use a cmdlet instead of an executable'? And here it is..
A cmdlet outputs objects rather than text. An object has a rich set of properties and methods (for getting stuff and doing stuff) that are easily accessed. An object is easily passed down the PowerShell pipeline. Text is, well, just text and it can be quite tricky to parse and manipulate the weird and wonderful patterns returned to the host.
Today, I'm going to try and mimic a popular repadmin command switch, /showrepl, with PowerShell and the AD replication cmdlets. Take a look at the following, hybrid command:
repadmin /showrepl * /csv | ConvertFrom-Csv | Out-GridView
The /showrepl switch tells repadmin to show the inbound replication status, for all partitions, for a designated domain controller. The * tells repadmin to execute against ALL domain controllers. The /csv switch produces output that can be saved to a CSV file. If an executable can produce output in a CSV format, it's much easier to get that output into objects so PowerShell can do its amazing stuff. We pipe the output of the repadmin command into ConvertFrom-Csv; the resultant objects are then piped into Out-GridView for an interactive table. Here's a sample:
Now, let's do something similar with the Get-ADReplicationPartnerMetaData cmdlet:
Get-ADReplicationPartnerMetadata -Target * -Partition * |
Select-Object Server,Partition,Partner,ConsecutiveReplicationFailures,LastReplicationSuccess,LastReplicationResult |
Out-GridView
We're targeting all servers with the wildcard supplied to the -Target parameter. The wildcard supplied to the -Partition parameter ensures that details for the Schema, Configuration and Domain partitions are included. Select-Object is used to provide a view similar to that of repadmin. Again, Out-GridView is used to provide an interactive table. Here's a sample:
Right, I'm off to see what other repadmin functionality I can reproduce with the Active Directory replication cmdlets. The king is dead.. well, actually, the king is probably going to be round for a little while yet, so long live the young pretender!