Windows Tips & Tricks UPDATE, August 22, 2005, —brought to you by the Windows IT Pro Network and the Windows 2000 FAQ site
http://www.windows2000faq.com

Make sure your copy of Windows Tips & Tricks UPDATE isn't mistakenly blocked by antispam software! Be sure to add Windows_TipsandTricks_UPDATE@list.windowsitpro.com to your list of allowed senders and contacts.

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows Tips & Tricks UPDATE.

Download a Tool that will Benefit any Sys Admin
https://www.tntsoftware.com/wintipstrickspri082205

Consolidate Your SQL Server Infrastructure
http://www.windowsitpro.com/whitepapers/polyserve/dataclustering/index.cfm?code=TipsMid_822


Sponsor: Download a Tool that will Benefit any Sys Admin

Are you searching for an affordable real-time monitoring toolset that will support your proactive system management objectives? Start NOW and download ELM Enterprise Manager from TNT Software. Within an hour, you will experience for yourself why ELM is recognized as the tool that will benefit any System Administrator. Before the 30 Day full feature trial is completed, the Monitoring, Alerting and Reporting will have saved you time and provided you the data for prompt corrective action. Be Proactive; and download ELM Enterprise Manager from the link below:
https://www.tntsoftware.com/wintipstrickspri082205


FAQs

  • Q. Why do I receive an error message when I try to change an Active Directory Application Mode (ADAM) user's password?
  • Q. I'm trying to populate Active Directory (AD) by reading in a text file that has distinguished name (DN) values containing commas. How do I denote the commas within the DN?
  • Q. How do I import data into Active Directory (AD) or an Active Directory Application Mode (ADAM) instance from a comma-separated value (.csv) file?
  • Q. How can I prevent my branch office domain controllers (DCs) from registering generic DNS service records?
  • Q. I created a custom .adm file and imported it into a Group Policy Object's (GPO's) Administrative Templates. Why can't I see any of the settings in Group Policy Editor (GPE)?

Commentary
by John Savill, FAQ Editor, jsavill@windowsitpro.com

In this week's issue of Windows Tips & Tricks UPDATE, I explain why you might receive an error message if you try to change an Active Directory Application Mode (ADAM) user's password; how to populate Active Directory (AD) by reading in a text file that has distinguished name (DN) values containing commas; and how to import data into AD or an ADAM instance from a comma-separated value (.csv) file. I also tell you how to prevent branch office domain controllers (DCs) from registering generic DNS service records. Finally, I explain why you can't use Group Policy Editor (GPE) to view settings in a Group Policy Object's (GPO) Administrative Templates.


Sponsor: Consolidate Your SQL Server Infrastructure

Shared data clustering is the breakthrough consolidation solution for Microsoft Windows servers. In this free white paper learn how shared data clustering technology can reduce capital expenditures by at least 50 percent, improve management efficiency, reduce operational expense, ensure high availability across all SQL Server instances and more! Find out how you can reduce the overall Total Cost of Ownership (TCO) for SQL Server cluster deployments by as much as 60 percent over three years! Download your free copy now.
http://www.windowsitpro.com/whitepapers/polyserve/dataclustering/index.cfm?code=TipsMid_822


FAQs

Q. Why do I receive an error when I try to change an Active Directory Application Mode (ADAM) user's password?

A. By default, ADAM requires that you perform password operations over a secure channel. If you try to reset a password over a nonsecure channel (e.g., a default LDAP connection through ADSI Edit), you'll receive the error message: "Illegal modify operation. Some aspect of the modification is not permitted."

To resolve this problem, you should use an LDAP over Secure Sockets Layer (SSL) connection (which will require a certificate in place) or use the ldap_opt_encrypt option of ldp.exe to secure the connection. The ADAM Help file has information about these options under "Set or modify the password of an ADAM user" in the document's "How To" section.

If this password reset is for a test environment and not for a production system, you can disable the secure-channel requirement so that you can reset the password over a nonsecure LDAP connection via ADSI Edit. To disable the secure-channel requirement, perform these steps:

  1. Start the ADAM ADSI Edit tool (%systemroot%\ADAM\ADAM-adsiedit.msc).
  2. Right-click the root of the "ADAM ADSI Edit" navigation branch in the left-hand pane of the Microsoft Management Console (MMC) and select "Connection to..."
  3. Under the Connection name, enter "Configuration partition." Enter the server name and port. If you're running ADSI Edit on the ADAM server, the server name can be localhost and the port is the value set during installation (typically 389). Under "Connect to the following node," click "Well-known naming context:" and select Configuration, as the figure shows. Click OK.
  4. Navigate to CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID of the ADAM}.
  5. Right-click "CN=Directory Service" and select Properties.
  6. Double-click the dSHeuristics attribute.
  7. Set the value to 0000000001001 and click OK, as the figure shows.
  8. Click OK to the CN=Directory Service properties box.

You can now reset passwords over nonsecure channels; however, if this system's role changes so that it holds useful or sensitive data, you should disable the nonsecure channel ability and use one of the options specified earlier.
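The value entered in step 7 is positional: in ADAM the 13th character of dSHeuristics turns password operations over a non-secure connection on or off, and every 10th character must carry a marker digit (the '1' at position 10 in 0000000001001). The following Python is an added example, not code from the newsletter or from Microsoft; the function names are my own. It reads the flag from an existing dSHeuristics string, which is useful when auditing an ADAM instance whose role has changed, and builds the string to set or clear the flag without disturbing other positions.

```python
# Added example (not from the newsletter): inspect and edit the ADAM
# dSHeuristics string used in step 7 above. Function names are my own.

NONSECURE_PASSWORD_OPS_POS = 13  # 1-based position changed in step 7 (ADAM)


def allows_nonsecure_password_ops(dsheuristics: str) -> bool:
    """True when the 13th character is '1', i.e. the test-lab relaxation is on."""
    pos = NONSECURE_PASSWORD_OPS_POS
    return len(dsheuristics) >= pos and dsheuristics[pos - 1] == "1"


def is_well_formed(dsheuristics: str) -> bool:
    """Every 10th character must carry its position/10 ('1' at 10, '2' at 20, ...)."""
    return all(
        dsheuristics[p - 1] == str(p // 10)
        for p in range(10, len(dsheuristics) + 1, 10)
    )


def set_dsheuristics_char(current: str, position: int, char: str) -> str:
    """Return a copy of `current` with 1-based `position` set to `char`.

    The string is zero-padded to the needed length and the mandatory marker
    characters are (re)written, so the result is always well formed.
    """
    if position % 10 == 0:
        raise ValueError("positions 10, 20, ... are reserved marker characters")
    chars = list((current or "").ljust(position, "0"))
    chars[position - 1] = char
    for p in range(10, len(chars) + 1, 10):
        chars[p - 1] = str(p // 10)
    return "".join(chars)


def enable_nonsecure_password_ops(current: str = "") -> str:
    """Value to write for a test lab (step 7 above yields this from an empty attribute)."""
    return set_dsheuristics_char(current, NONSECURE_PASSWORD_OPS_POS, "1")


def disable_nonsecure_password_ops(current: str = "") -> str:
    """Value to write back once the instance holds anything sensitive."""
    return set_dsheuristics_char(current, NONSECURE_PASSWORD_OPS_POS, "0")


if __name__ == "__main__":
    # Constructed values: an empty attribute, then the value from step 7.
    for value in ("", enable_nonsecure_password_ops("")):
        print(repr(value), "well-formed:", is_well_formed(value),
              "non-secure password ops:", allows_nonsecure_password_ops(value))
    print(disable_nonsecure_password_ops("0000000001001"))
```

Running the audit function across the configuration partition of every ADAM instance you own is a quick way to find test-lab settings that outlived the test lab.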

Q. I'm trying to populate Active Directory (AD) by reading in a text file that has distinguished name (DN) values containing commas. How do I denote the commas within the DN?

A. An object's DN is usually in a format similar to "cn=john savill,dc=savilltech,dc=com." However, if the cn component of the name is instead "savill, john", simply using the format "cn=savill, john,dc=savilltech,dc=com" won't work. The directory service component that checks and parses the submitted data won't understand what comes after the first comma; it will be expecting a valid attribute type for the next part of the DN. The fix is to place the escape character (\) in front of the first comma, so it would read "cn=savill\, john,dc=savilltech,dc=com". However, if this data is being read from a file, you need to double the escape character so that the program reading in the file doesn't try to interpret the escape sequence (which it will if it sees a single backslash). Thus you would write it as "cn=savill\\, john,dc=savilltech,dc=com". If, after you import the data, you use a tool such as ADSI Edit to view the data, you'll see only a single backslash, which is the correct format.

Q. How do I import data into Active Directory (AD) or an Active Directory Application Mode (ADAM) instance from a comma-separated value (.csv) file?

A. There are two main methods to import data into AD or ADAM from a file. You can use the Ldifde tool, which reads in files in the LDAP Data Interchange Format (LDIF), or you can use the Comma Separated Value Directory Exchange (Csvde) tool, which imports data in a .csv format into AD or ADAM. The first line of the file tells the utility which properties you'll provide for the object you're creating. For example, to create a user object with very basic information, the first line might read:

DN,objectClass,name,samaccountname

which tells the tool to expect the records that follow to have the object's distinguished name (DN), class, name, and SAM account, as the following example shows:

"CN=beavis,cn=users,dc=savilltech,dc=com",user,beavis,beavis

If I run the Csvde tool on a domain controller (DC), I could simply run the following command:

D:\temp>csvde -i -f d:\temp\users.csv -v -k

which results in the following output:
Connecting to "(null)"
Logging in as current user using SSPI
Importing directory from file "d:\temp\users.csv"
Loading entries
2: CN=beavis,cn=users,dc=savilltech,dc=com
Entry modified successfully.
1 entry modified successfully.

The command has completed successfully.

The more attributes you want to set for the objects you create, the more attributes you'd list in the file's first line as the header record. Then ensure you have a value for each "column" for each actual data record.
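The two answers above (escaping commas inside a DN, and the header-record-plus-data-records layout of a Csvde file) come together when you generate an import file programmatically. The following Python is an added example, not code from the newsletter or from Microsoft's tools; the function names are my own and the sample data is constructed in the savilltech.com naming used above. It escapes RDN values the way RFC 4514 requires (comma, plus, quotes, backslash, angle brackets, semicolon, leading '#', leading or trailing space), splits a DN on unescaped commas only, so you can see what the directory's parser would make of an unescaped value, doubles the backslashes for a file as the answer above advises, and refuses to write a data record that doesn't fill every column of the header.

```python
# Added example (not from the newsletter): build and check a Csvde-style
# import file whose DNs contain commas. Function names are my own.
import csv
import io

# Characters that need a backslash in front of them inside an RDN value (RFC 4514).
_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")  # a leading or trailing space must be escaped
        elif ch == "#" and i == 0:
            out.append("\\#")  # a leading '#' would be read as a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)


def unescape_dn_value(value: str) -> str:
    """Reverse escape_dn_value (hex-pair escapes are not handled here)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_dn(rdns) -> str:
    """Join (attribute, raw value) pairs into an escaped DN string."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


def split_dn(dn: str) -> list:
    """Split a DN on unescaped commas only, the way the directory's parser does."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escaped pair together
            i += 2
        elif dn[i] == ",":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur))
    return parts


def for_import_file(dn: str) -> str:
    """Double each backslash, as the answer above says a file-reading importer expects."""
    return dn.replace("\\", "\\\\")


def build_csvde_file(header, records) -> str:
    """Render the header record plus data records; every record must fill every column.

    csv.writer quotes any field that contains a comma (such as a DN) and leaves
    backslashes untouched, so escaped DNs survive the round trip.
    """
    for n, rec in enumerate(records, start=2):  # line 1 is the header record
        if len(rec) != len(header):
            raise ValueError(f"line {n}: expected {len(header)} values, got {len(rec)}")
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    writer.writerow(header)
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample data in the newsletter's savilltech.com naming.
    dn = build_dn([("cn", "savill, john"), ("cn", "users"),
                   ("dc", "savilltech"), ("dc", "com")])
    print(dn)            # cn=savill\, john,cn=users,dc=savilltech,dc=com
    print(split_dn(dn))  # four parts; the escaped comma does not split
    print(build_csvde_file(["DN", "objectClass", "name", "samaccountname"],
                           [[for_import_file(dn), "user", "savill, john", "jsavill"]]))
```

Compare split_dn on the escaped and unescaped forms of the same DN: the unescaped one yields a fifth part, " john", with no attribute type, which is exactly the parse failure the answer describes.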

If you use the Csvde tool, you can't set passwords for the objects you're creating. You need to set passwords either by manually resetting the password for each created user or by writing a script to change the passwords. The Ldifde tool doesn't have this limitation, so you can set passwords with it. For more information, see the Microsoft article "How to set a user's password with Ldifde" (http://support.microsoft.com/?kbid=263991).

If you need to create a complex Csvde import file, you might want to export existing objects to see the columns and values the tool sets. For example, to dump the user objects for my domain's Users container, I use this command:

D:\temp>csvde -f d:\temp\export.csv -d "cn=users,dc=savilltech,dc=com" -r "(objectClass=user)"
which results in the following output:
Connecting to "(null)"
Logging in as current user using SSPI
Exporting directory to file d:\temp\export.csv
Searching for entries...
Writing out entries
.............
Export Completed. Post-processing in progress...
13 entries exported

The command has completed successfully

When you examine the file the command creates, you'll see a very large header line:

DN,objectClass,cn,sn,givenName,distinguishedName,instanceType,whenCreated,whenChanged,displayName,uSNCreated,memberOf,uSNChanged,name,objectGUID,userAccountControl,badPwdCount,codePage,countryCode,badPasswordTime,lastLogoff,lastLogon,pwdLastSet,primaryGroupID,objectSid,adminCount,accountExpires,logonCount,sAMAccountName,sAMAccountType,userPrincipalName,objectCategory,lastLogonTimestamp,description,proxyAddresses,showInAddressBook,legacyExchangeDN,isCriticalSystemObject,textEncodedORAddress,mail,msExchUserAccountControl,mDBUseDefaults,msExchMailboxGuid,msExchMailboxSecurityDescriptor,msExchALObjectVersion,homeMDB,homeMTA,msExchPoliciesIncluded,msExchHomeServerName,mailNickname,dSCorePropagationData,showInAdvancedViewOnly,servicePrincipalName,initials,logonHours,userParameters,comment,msNPAllowDialin

You can't set all the values listed above. Some items, such as the user's globally unique identifier (GUID), must be created by AD, but the example gives you a good starting point for what's possible and the format the utility expects. Remember that applications such as Microsoft Excel can read, edit, and save data in .csv format, so you might find it easier to manipulate the data there.

Q. How can I prevent my branch office domain controllers (DCs) from registering generic DNS service records?

A. By default, DCs publish service DNS records in a generic portion of the DNS namespace and in a site-specific portion of the namespace. If a client can't find a DC in its local site's DNS space (maybe the local DC is offline), the client will query the generic portion of the DNS namespace. In a default configuration, the client is just as likely to be returned a DC in another branch office as one in a hub or central location, which isn't a desirable situation. To ensure that clients without a local DC available are returned only records from the central locations, you need to configure DCs in branch offices to register only site-specific DNS service records.

To make this change, edit the Group Policy for the Default Domain Controllers and enable the "DC Locator DNS records not registered by the DCs" option (found under Computer Configuration, Administrative Templates, System, Net Logon, DC Locator DNS Records) and set it to the following:

LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc

These settings are explained fully in the "Windows Server 2003 Active Directory Branch Office Guide," but essentially, they stop DCs from registering any non-site-specific entries. The problem is that configuring these settings makes the change for all DCs, so contrary to what the Microsoft document says, I prefer to change the settings on DCs via the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\DnsAvoidRegisterRecords registry subkey. You can set there the same options that enabling the "DC Locator DNS records not registered by the DCs" option via Group Policy sets. After this change is applied, the generic portions of the DNS namespace (e.g., _ldap._tcp.<domain>) should contain service records for only those DCs that didn't receive the registry change.
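The answer ends with the check that matters: after the change, generic names such as _ldap._tcp.<domain> should list only hub DCs. The following Python is an added example, not code from the newsletter or from Microsoft; the function names are my own, and the SRV records are constructed for the savilltech.com domain used elsewhere in this issue. It expands the twelve mnemonics above into the DNS names they suppress (the Net Logon DC Locator record names, with LdapIpAddress and GcIPAddress being A records and the rest SRV records) and then audits a record list, which you would obtain from a zone dump or a scripted query, for branch DCs still published outside the site-specific namespace.

```python
# Added example (not from the newsletter): expand the DnsAvoidRegisterRecords
# mnemonics into DNS names and audit a record set for branch DCs that still
# appear in the generic (non-site) namespace. Function names are my own.

# Mnemonic -> template of the record each one suppresses (DC Locator names).
# {d} = DNS domain name, {f} = DNS forest name, {g} = domain GUID.
MNEMONIC_TO_NAME = {
    "LdapIpAddress": "{d}",                                  # A record
    "Ldap": "_ldap._tcp.{d}",
    "Gc": "_ldap._tcp.gc._msdcs.{f}",
    "GcIPAddress": "gc._msdcs.{f}",                          # A record
    "Kdc": "_kerberos._tcp.dc._msdcs.{d}",
    "Dc": "_ldap._tcp.dc._msdcs.{d}",
    "DcByGuid": "_ldap._tcp.{g}.domains._msdcs.{f}",
    "Rfc1510Kdc": "_kerberos._tcp.{d}",
    "Rfc1510Kpwd": "_kpasswd._tcp.{d}",
    "Rfc1510UdpKdc": "_kerberos._udp.{d}",
    "Rfc1510UdpKpwd": "_kpasswd._udp.{d}",
    "GenericGc": "_gc._tcp.{f}",
}

# The list from the answer above, exactly as it is typed into the policy.
BRANCH_OFFICE_MNEMONICS = ("LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid "
                           "Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd "
                           "GenericGc").split()


def suppressed_names(mnemonics, domain, forest=None, domain_guid="<domain-guid>"):
    """Return the DNS names a DC stops registering for the given mnemonics."""
    forest = forest or domain
    names = []
    for m in mnemonics:
        if m not in MNEMONIC_TO_NAME:
            raise ValueError(f"unknown mnemonic: {m}")
        names.append(MNEMONIC_TO_NAME[m].format(d=domain, f=forest, g=domain_guid))
    return names


def is_site_specific(name: str) -> bool:
    """Site-specific DC Locator records all live under a <site>._sites. label."""
    return "._sites." in name.lower()


def audit_generic_records(records, branch_dcs):
    """records: (dns_name, target_host) pairs; branch_dcs: hostnames that should
    register site-specific records only. Returns sorted (name, target) pairs
    where a branch DC is still published in the generic namespace."""
    branch = {h.lower().rstrip(".") for h in branch_dcs}
    hits = {
        (name.lower(), target.lower().rstrip("."))
        for name, target in records
        if not is_site_specific(name) and target.lower().rstrip(".") in branch
    }
    return sorted(hits)


# Constructed sample: what a zone might look like before the change has
# fully taken effect on branchdc1.
SAMPLE_RECORDS = [
    ("_ldap._tcp.savilltech.com", "hubdc1.savilltech.com"),
    ("_ldap._tcp.savilltech.com", "branchdc1.savilltech.com"),            # should be gone
    ("_kerberos._tcp.dc._msdcs.savilltech.com", "branchdc1.savilltech.com"),  # should be gone
    ("_ldap._tcp.Branch1._sites.savilltech.com", "branchdc1.savilltech.com"),  # expected
    ("_ldap._tcp.Hub._sites.savilltech.com", "hubdc1.savilltech.com"),
    ("_gc._tcp.savilltech.com", "hubdc1.savilltech.com"),
]

if __name__ == "__main__":
    for name in suppressed_names(BRANCH_OFFICE_MNEMONICS, "savilltech.com"):
        print("suppressed:", name)
    for name, target in audit_generic_records(SAMPLE_RECORDS, {"branchdc1.savilltech.com"}):
        print("still generic:", name, "->", target)
```

A hit for a branch DC after the DNS record TTL and the Net Logon re-registration interval have both passed usually means the setting did not reach that DC, or that a stale record needs scavenging.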

Q. I created a custom .adm file and imported it into a Group Policy Object's (GPO's) Administrative Templates. Why can't I see any of the settings in Group Policy Editor (GPE)?

A. By default, GPE shows only fully managed settings and not settings that update non-policy areas of the registry. Such settings, even though they appear under a GPO's Administrative Templates, are considered preferences instead of real policies. The big difference between policies and preferences is that policy settings are removed if the GPO that implemented them is unlinked from the container, whereas preferences stay in place on the end client even if you remove the GPO link. To enable viewing of preferences, open GPE, select View, Filtering, then clear the "Only show policy settings that can be fully managed" check box.
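Whether GPE hides a setting is decided by the KEYNAME in the .adm file: only keys under Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies (in either hive) are policy areas, so a template that writes anywhere else produces preferences that tattoo the client's registry. The following Python is an added example, not code from the newsletter or from Microsoft; the function names are my own and the .adm text is constructed. It parses the POLICY and KEYNAME lines of a template, honours a KEYNAME inherited from the enclosing CATEGORY, and lists the settings the default filter will hide, which answers the question before you import the file.

```python
# Added example (not from the newsletter): find the settings in a custom .adm
# file that GPE hides by default because their KEYNAME is outside the policy
# areas of the registry. Function names are my own; the .adm is constructed.
import re

# Registry paths (hive omitted, as in .adm KEYNAME lines) that are true
# policy areas; settings written anywhere else are preferences.
POLICY_ROOTS = (
    "software\\policies\\",
    "software\\microsoft\\windows\\currentversion\\policies\\",
)

SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY "Example Application"
  POLICY "Managed setting (shown by default)"
    KEYNAME "Software\Policies\ExampleVendor\App"
    VALUENAME "AuditLogging"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY "Preference (hidden until the filter is cleared)"
    KEYNAME "Software\ExampleVendor\App"
    VALUENAME "AuditLogging"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY
'''


def is_policy_key(keyname: str) -> bool:
    """True when the key sits under one of the fully managed policy roots."""
    key = keyname.strip('"').lower().rstrip("\\") + "\\"
    return any(key.startswith(root) for root in POLICY_ROOTS)


def classify_adm(text: str) -> dict:
    """Map each POLICY name to (keyname, 'policy' | 'preference').

    A KEYNAME given at CATEGORY level is inherited by the policies below it;
    a KEYNAME inside a POLICY block overrides it.
    """
    result, category_key, policy, policy_key = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'POLICY\s+(!!\S+|"[^"]*")', line, re.IGNORECASE)
        if m:
            policy, policy_key = m.group(1).strip('"'), category_key
            continue
        m = re.match(r'KEYNAME\s+("[^"]*"|\S+)', line, re.IGNORECASE)
        if m:
            if policy is None:
                category_key = m.group(1).strip('"')
            else:
                policy_key = m.group(1).strip('"')
            continue
        if re.match(r'END\s+POLICY\b', line, re.IGNORECASE) and policy is not None:
            kind = "policy" if policy_key and is_policy_key(policy_key) else "preference"
            result[policy] = (policy_key, kind)
            policy = policy_key = None
            continue
        if re.match(r'END\s+CATEGORY\b', line, re.IGNORECASE):
            category_key = None
    return result


def hidden_by_default(text: str) -> list:
    """Names of settings GPE won't show until the 'fully managed' filter is cleared."""
    return [name for name, (_, kind) in classify_adm(text).items() if kind == "preference"]


if __name__ == "__main__":
    for name, (key, kind) in classify_adm(SAMPLE_ADM).items():
        print(f"{kind:10} {key:45} {name}")
    print("hidden by default:", hidden_by_default(SAMPLE_ADM))
```

The preference in the sample is still applied when the GPO is linked; the point of the check is to know in advance which settings will linger on clients after the link is removed and will need an explicit "off" value to clean up.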

Hot Release (advertisement)


  • EXPERT SAYS "ARGENT IS MORE SCALABLE THAN MOM" Network Testing Labs, one of the world's leading independent research companies, concluded that "Argent's suite had a smaller footprint, was more scalable, supported more platforms, had a more responsive and intuitive user interface and gave us more useful reports." FREE Download Here:
    http://list.windowsitpro.com/t?ctl=CEED:380033

    Events and Resources
    (A complete Web and live events directory brought to you by Windows IT Pro: http://www.windowsitpro.com/events )

  • SQL Server 2005 Roadshow is Coming to a City Near You

  • Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
    http://www.windowsitpro.com/roadshows/sqlserverusa/index.cfm?code=0824emailannc

  • Windows Connections 2005 Conference

  • October 31 - November 3, 2005, Manchester Grand Hyatt, San Diego. Microsoft and Windows experts present over 40 in-depth sessions with real-world solutions you can take back and apply today. Register by September 12 to save $100 off your conference registration and attend sessions at Microsoft Exchange Connections free!
    http://www.winconnections.com

  • Avoid The 5 Major Compliance Pitfalls

  • Based on real-world examples, this Web seminar will help C-level executives, as well as IT directors and managers, avoid common mistakes and give their organization a head start in ensuring a successful compliance implementation. Register today and find out how you can avoid the mistakes of others, improve IT security, and reduce the cost of continually maintaining and demonstrating compliance.
    http://www.windowsitpro.com/seminars/compliance/index.cfm?code=0831emailannc

  • Roll Back Data to Any Point in Time: Not Just the Last Snapshot or Backup

  • Have you lost data because it was saved right after your last backup? Most of us have been in this situation. Continuous, or real-time, backup systems provide real-time protection, but are they right for you? In this free Web seminar, you'll learn about the design principles that underlie continuous data protection solutions, how to integrate them with your existing backup infrastructure, and how to best apply continuous protection technologies to your Windows-based servers.
    http://www.windowsitpro.com/seminars/continuousbackup/index.cfm?code=0824emailannc

  • High Risk Internet Access: Are You In Control?

  • Defending against Internet criminals, spyware, phishing and addressing the points of risk that Internet-enabled applications expose your organization to can seem like an epic battle with Medusa. So how do you take control of these valuable resources? In this free Web seminar, you'll get the tools you need to help you analyze the impact Internet-based threats have on your organization and tools to aid you in the construction of Acceptable-Use Policies (AUPs).
    http://www.windowsitpro.com/seminars/internetsecurity/index.cfm?code=0824emailannc

    Featured White Paper
    (from Windows IT Pro and its partners)

  • Consolidate Your SQL Server Infrastructure

  • Shared data clustering is the breakthrough consolidation solution for Microsoft Windows servers. In this free white paper learn how shared data-clustering technology can reduce capital expenditures by at least 50 percent, improve management efficiency, reduce operational expense, ensure high availability across all SQL Server instances, and more! Download your free copy now.
    http://www.windowsitpro.com/whitepapers/polyserve/dataclustering/index.cfm?code=0824emailannc

    Announcements
    (from Windows IT Pro and its partners)

  • Windows IT Pro Gives IT Professionals What They Need

  • The August issue is a must have! Subscribe now and find out the best ways to plan for Longhorn, what you need to know about VBScripts, and how to make sense of SQL Server. If you order today, you'll also gain exclusive access to the entire Windows IT Pro online article database (over 9000 articles) and save 44% off the cover price!
    http://www.windowsitpro.com/rd.cfm?code=theu2058wu

  • Try a Sample Issue of Windows Scripting Solutions!

  • If you haven't seen the Windows Scripting Solutions newsletter, you are missing out on an exclusive monthly resource that shows you how to automate time-consuming, administrative tasks by using our expert-reviewed downloadable code and scripting techniques. Sign up for a FREE sample issue and find out how you can save both time and money. Plus, get online access to our popular "Shell Scripting 101" series--click here:
    http://www.winscriptingsolutions.com/rd.cfm?code=fseu2658su

    Sponsored Links

  • Professional and secure remote control from all major platforms


  • http://a.windowsitpro.com/RealMedia/ads/click_lx.ads/www.windowsitpro.com/1112745096/x14/Penton/WN_Danware_Aug05_NLsplink_118338/1x1.gif/1

  • Argent Versus MOM 2005

  • Experts Pick the Best Windows Monitoring Solution
    http://a.windowsitpro.com/RealMedia/ads/click_lx.ads/www.windowsitpro.com/TextLink/1112745096/x14/Penton/WN_Argent_Aug05_NLSplink116193/1x1.gif/1

  • Tech jobs at Dice

  • Search 65K+ new IT jobs daily--Tech expert jobs at top companies!
    http://a.windowsitpro.com/RealMedia/ads/click_lx.ads/www.windowsitpro.com/TextLink/1112745096/x14/Penton/WN_Dice_AUG_eNL_Splink/1x1.gif/1

    Contact Us
    Here's how to reach us with your comments and questions:

    This email newsletter is brought to you by Windows IT Pro, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
    https://store.pentontech.com/index.cfm?s=1&promocode=eu205xxb