[cisco-voip] rights needed for AD integration for ccm6

Ryan Ratliff rratliff at cisco.com
Fri Jan 11 09:52:21 EST 2008


With Win2k3 AD, if you make an LDAP search with the search base set to
the root of the domain you will always get a referral for 3 hosts:
cn=Configuration, dc=domain, dc=com
dc=forestdnszones, dc=domain, dc=com
dc=domaindnszones, dc=domain, dc=com

From what I've gathered troubleshooting a bijillion of these
referral issues, these DNS entries usually have all DCs in the domain
listed.  Most of the time, if you get a 2nd NIC enabled on a DC with
DHCP enabled but not reachable, the server grabs the auto-assigned
Windows DHCP address and this gets stuck into DNS.  CM (4.x at least)
had a nasty habit of picking the one address out of all possible DNS
results and using it to follow the referral.  This causes all kinds
of LDAP issues.

This is why a sniffer capture is so helpful when troubleshooting LDAP
issues.  I've found that customers' AD folks tend to be quite
protective and don't like to even think of there being a problem on
their end until I can show them exactly what's going wrong in a
sniffer capture.

-Ryan

On Jan 10, 2008, at 3:06 PM, Joel Perez wrote:

Gotcha,

Got it now, thought it was some new crazy feature of ccm6.

Thanks,

Joel P


On 1/10/08, Scott Voll <svoll.voip at gmail.com> wrote:
planetcrazy.net was in the trace file.  AD uses the forestdnszones
and domaindnszones zones as part of the AD / DNS sync.

Scott


On Jan 10, 2008 11:06 AM, Joel Perez <tman701 at gmail.com> wrote:
Pardon my ignorance, guys, but what does his issue have to do with
'planetcrazy.net', 'forestdnszones.planetcrazy.net', and
'domaindnszones.planetcrazy.net'?

I'm just curious.

Thanks,
Joel P


On 1/10/08, Scott Voll <svoll.voip at gmail.com> wrote:
And make sure all are routable, and close.  We had issues with a DC
going offsite over a slower link.

Scott


On Jan 10, 2008 6:47 AM, Jonathan Charles <jonvoip at gmail.com> wrote:
OK, I will try that tonight...

Thanks...


Jonathan

On Jan 10, 2008 8:38 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
 > Yes it does.
 >
 > Just guessing though, it looks as if you've got referral issues, just
 > going from some of the errors.   Is this Win2k3 AD?  If so, do an
 > nslookup for 'planetcrazy.net', 'forestdnszones.planetcrazy.net', and
 > 'domaindnszones.planetcrazy.net' and see if there are any bogus
 > entries in any of them.
 >
 > > MESSAGE [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data
 > > 0, 1 access points
 > >         ref 1: 'planetcrazy.net'
 > >
 >
 >
 > -Ryan
 >
 >
 > On Jan 10, 2008, at 9:38 AM, Jonathan Charles wrote:
 >
 > Not that easy an option... wait...
 >
 > Doesn't CCM have a built in sniffer?
 >
 >
 >
 > Jonathan
 >
 > On Jan 10, 2008 8:09 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
 > > Go for a sniffer capture.  It's the easiest way to see what's going
 > > on.
 > >
 > > -Ryan
 > >
 > >
 > > On Jan 9, 2008, at 7:31 PM, Jonathan Charles wrote:
 > >
 > > The sync is not working though...
 > >
 > > I am getting these errors in the DirSync trace...
 > >
 > > 2008-01-09 14:11:42,451 ERROR
 > > [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)]
 > > ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:832) -
 > > LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[LDAPFullSync] Caught
 > > NamingException
 > > 2008-01-09 14:11:42,452 ERROR
 > > [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)]
 > > ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:833) -
 > > LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[LDAPFullSync]
 > > com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 -
 > > 0000202B: RefErr: DSID-031005E2, data 0, 1 access points
 > >         ref 1: ' planetcrazy.net'
 > >
 > >
 > > MESSAGE [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data
 > > 0, 1 access points
 > >         ref 1: 'planetcrazy.net'
 > >
 > > com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2824)
 > > com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
 > > com.sun.jndi.ldap.LdapCtx.searchAux (LdapCtx.java:1808)
 > > com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1731)
 > > com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search
 > > (ComponentDirContext.java:368)
 > > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search
 > > (PartialCompositeDirContext.java:338)
 > > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search
 > > (PartialCompositeDirContext.java:321)
 > > javax.naming.directory.InitialDirContext.search
 > > (InitialDirContext.java:248)
 > > com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.searchInternalExact
 > > (DSLDAPSyncImpl.java:1193)
 > > com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.LDAPFullSync
 > > (DSLDAPSyncImpl.java:823)
 > > com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run
 > > (DSLDAPSyncImpl.java:296)
 > >
 > > 2008-01-09 14:11:42,452 ERROR
 > > [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)]
 > > ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:325) -
 > > LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[Run]
 > > com.cisco.ccm.dir.dirsync.common.DSException
 > > MESSAGE null
 > > com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.LDAPFullSync
 > > (DSLDAPSyncImpl.java:841)
 > > com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run
 > > (DSLDAPSyncImpl.java:296)
 > >
 > >
 > > I have no idea what they mean....
 > >
 > > And no users are being brought over...
 > >
 > >
 > > Jonathan
 > >
 > > On Jan 9, 2008 3:34 PM, Craig Staffin <cmstaffin at gmail.com> wrote:
 > >> It just needs to be a member of Domain Users
 > >>
 > >> There are no special rights needed
 > >>
 > >> Craig
 > >>
 > >>
 > >> On Jan 9, 2008 2:50 PM, Jonathan Charles <jonvoip at gmail.com> wrote:
 > >>>
 > >>> So, what rights does the LDAP user need to AD for it to sync...?
 > >>>
 > >>>
 > >>>
 > >>> Jonathan
 > >>> _______________________________________________
 > >>> cisco-voip mailing list
 > >>> cisco-voip at puck.nether.net
 > >>> https://puck.nether.net/mailman/listinfo/cisco-voip
 > >>>
 > >>
 > >>
 > >>
 > >> --
 > >> Craig Staffin
 > >> Craig at staffin.org
 > >> (H) 262-437-7313
 > >> (C) 262-613-6003
 > > _______________________________________________
 > > cisco-voip mailing list
 > > cisco-voip at puck.nether.net
 > > https://puck.nether.net/mailman/listinfo/cisco-voip
 > >
 > >
 >
 >
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
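Added example, not from the thread and not Cisco code: a small Python triage script for the two things discussed above, the referral target named in Jonathan's DirSync trace and the bogus DNS entries Ryan says usually sit behind it. The trace excerpt is trimmed from the log quoted in the thread; the DNS answers are constructed sample data (a DC whose second NIC fell back to a 169.254.x.x auto-assigned address and got registered against all three names), and the IP addresses and function names are assumptions for illustration.

```python
"""
Triage for the CM DirSync LDAP referral error (added example, not from
the cisco-voip thread or from Cisco).

  1. referral_hosts(): pull the referral target(s) out of the JNDI
     LdapReferralException text in the DirSync trace.
  2. bogus_records(): for the three names a Win2k3 DC refers a
     domain-root search to, flag A records that are not routable
     (169.254/16 APIPA from an unreachable second NIC, loopback, etc.).

sample_dns() is constructed data; live_dns() does the real lookup and
needs network access, ideally from a host using the same DNS as CM.
"""
import ipaddress
import re
import socket
from typing import Dict, List

# Excerpt from the DirSync trace quoted in the thread, trimmed.
TRACE = """\
2008-01-09 14:11:42,452 ERROR [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:833) - LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[LDAPFullSync]
com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data 0, 1 access points
        ref 1: ' planetcrazy.net'
"""

# "ref N: 'host'" lines as JNDI prints them; the quotes in the trace
# carry stray whitespace, so the match is stripped afterwards.
REF_RE = re.compile(r"ref\s+\d+:\s*'([^']*)'")


def referral_hosts(trace: str) -> List[str]:
    """Referral targets named in an LdapReferralException dump."""
    return [m.group(1).strip() for m in REF_RE.finditer(trace)]


def partition_names(domain: str) -> List[str]:
    """The three names a domain-root search gets referred to: the domain
    itself and the two DNS application partitions."""
    return [domain, f"forestdnszones.{domain}", f"domaindnszones.{domain}"]


def classify(addr: str) -> str:
    """Label an A record: 'apipa' for the 169.254/16 auto-assigned
    address, other non-routable classes by name, 'ok' otherwise."""
    ip = ipaddress.ip_address(addr)
    if ip in ipaddress.ip_network("169.254.0.0/16"):
        return "apipa"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified or ip.is_multicast or ip.is_reserved:
        return "bogus"
    return "ok"


def bogus_records(answers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """From {name: [A records]}, keep only the entries that would break
    referral chasing if the client happened to pick them."""
    out: Dict[str, List[str]] = {}
    for name, addrs in answers.items():
        bad = [f"{a} ({classify(a)})" for a in addrs if classify(a) != "ok"]
        if bad:
            out[name] = bad
    return out


def sample_dns(domain: str) -> Dict[str, List[str]]:
    """Constructed sample answers (assumed addresses, not real data): one
    good DC address plus the APIPA address its second NIC registered."""
    dc_ok, dc_apipa = "10.1.1.10", "169.254.37.5"
    return {name: [dc_ok, dc_apipa] for name in partition_names(domain)}


def live_dns(domain: str) -> Dict[str, List[str]]:
    """Real resolver lookup; same shape as sample_dns(). A name that does
    not resolve at all is returned with an empty list."""
    answers: Dict[str, List[str]] = {}
    for name in partition_names(domain):
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
            answers[name] = sorted({i[4][0] for i in infos})
        except socket.gaierror:
            answers[name] = []
    return answers


if __name__ == "__main__":
    targets = referral_hosts(TRACE)
    print("referral targets in trace:", targets)
    for host in targets:
        for name, bad in bogus_records(sample_dns(host)).items():
            print(f"{name}: {', '.join(bad)}")
```

Swap `sample_dns` for `live_dns` to run it against a real domain; do that from a machine that uses the same DNS servers as the CM node, since the point is what CM sees, not what your workstation sees. One caveat worth keeping in mind beyond the sync failure itself: a client that chases a referral re-binds to whichever host the referral names using the same directory credentials, so a stale or auto-registered DNS entry is also a place those credentials end up being sent.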