[cisco-voip] rights needed for AD integration for ccm6
Ryan Ratliff
rratliff at cisco.com
Mon Jan 14 09:09:09 EST 2008
Not sure what to tell you. Can you try setting the search base to
something other than the root of the domain?
All you can do is get a sniffer capture and show them what we are
searching for and how their ldap server is responding.
-Ryan
On Jan 11, 2008, at 5:51 PM, Jonathan Charles wrote:
The customer is saying that forestdnszones is in a different domain...
(cproot.net)...
Jonathan
On Jan 11, 2008 8:52 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
> With Win2k3 AD if you make an ldap search with the search base set to the
> root of the domain you will always get a referral for 3 hosts;
> cn=Configuration, dc=domain, dc=com
> dc=forestdnszones, dc=domain, dc=com
> dc=domaindnszones, dc=domain, dc=com
>
> From what I've gathered troubleshooting a bijillion of these referral issues
> these DNS entries usually have all DCs in the domain listed. Most of the
> time if you get a 2nd nic enabled on a DC with DHCP enabled but not
> reachable the server grabs the auto-assigned Windows DHCP address and this
> gets stuck into DNS. CM (4.x at least) had a nasty habit of picking the one
> address out of all possible DNS results and using it to follow the referral.
> This causes all kinds of ldap issues.
>
> This is why a sniffer capture is so helpful when troubleshooting ldap
> issues. I've found that customer's AD folks tend to be quite protective and
> don't like to even think of there being a problem on their end until I can
> show them exactly what's going wrong in a sniffer capture.
>
> -Ryan
>
>
> On Jan 10, 2008, at 3:06 PM, Joel Perez wrote:
> Gotcha,
>
> Got it now, thought it was some new crazy feature of ccm6.
>
> Thanks,
>
> Joel P
>
>
> On 1/10/08, Scott Voll <svoll.voip at gmail.com> wrote:
>>
>> planetcrazy.net was in the trace file. AD uses the forestdnszones and
>> domaindnszones as part of the AD / dns sync.
>>
>> Scott
>>
>>
>>
>> On Jan 10, 2008 11:06 AM, Joel Perez <tman701 at gmail.com> wrote:
>>
>>>
>>> Pardon my ignorance guys, but what does his issue have to do with
>>> 'planetcrazy.net', 'forestdnszones.planetcrazy.net', and
>>> 'domaindnszones.planetcrazy.net'?
>>>
>>> I'm just curious.
>>>
>>> Thanks,
>>> Joel P
>>>
>>>
>>>
>>>
>>>
>>> On 1/10/08, Scott Voll <svoll.voip at gmail.com> wrote:
>>>>
>>>> and make sure all are routable. and close. we had issues with a DC
>>>> going offsite over slower link.
>>>>
>>>> Scott
>>>>
>>>>
>>>>
>>>> On Jan 10, 2008 6:47 AM, Jonathan Charles <jonvoip at gmail.com>
>>>> wrote:
>>>>
>>>>> OK, I will try that tonight...
>>>>>
>>>>> Thanks...
>>>>>
>>>>>
>>>>> Jonathan
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Jan 10, 2008 8:38 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
>>>>>> Yes it does.
>>>>>>
>>>>>> Just guessing though it looks as if you've got referral issues, just
>>>>>> going from some of the errors. Is this Win2k3 AD? If so do an
>>>>>> nslookup for 'planetcrazy.net', 'forestdnszones.planetcrazy.net', and
>>>>>> 'domaindnszones.planetcrazy.net' and see if there are any bogus
>>>>>> entries in any of them.
>>>>>>
>>>>>>> MESSAGE [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data
>>>>>>> 0, 1 access points
>>>>>>> ref 1: 'planetcrazy.net '
>>>>>>>
>>>>>>
>>>>>>
>>>>>> -Ryan
>>>>>>
>>>>>>
>>>>>> On Jan 10, 2008, at 9:38 AM, Jonathan Charles wrote:
>>>>>>
>>>>>> Not that easy an option... wait...
>>>>>>
>>>>>> Doesn't CCM have a built in sniffer?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Jonathan
>>>>>>
>>>>>> On Jan 10, 2008 8:09 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
>>>>>>> Go for a sniffer capture. It's the easiest way to see what's going
>>>>>>> on.
>>>>>>>
>>>>>>> -Ryan
>>>>>>>
>>>>>>>
>>>>>>> On Jan 9, 2008, at 7:31 PM, Jonathan Charles wrote:
>>>>>>>
>>>>>>> The sync is not working tho...
>>>>>>>
>>>>>>> I am getting these errors in the DirSync trace...
>>>>>>>
>>>>>>> 2008-01-09 14:11:42,451 ERROR
>>>>>>> [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)]
>>>>>>> ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:832) -
>>>>>>> LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[LDAPFullSync] Caught
>>>>>>> NamingException
>>>>>>> 2008-01-09 14:11:42,452 ERROR
>>>>>>> [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)]
>>>>>>> ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:833) -
>>>>>>> LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[LDAPFullSync]
>>>>>>> com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 -
>>>>>>> 0000202B: RefErr: DSID-031005E2, data 0, 1 access points
>>>>>>> ref 1: ' planetcrazy.net'
>>>>>>>
>>>>>>>
>>>>>>> MESSAGE [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data
>>>>>>> 0, 1 access points
>>>>>>> ref 1: ' planetcrazy.net'
>>>>>>>
>>>>>>> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2824)
>>>>>>> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
>>>>>>> com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1808)
>>>>>>> com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1731)
>>>>>>> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
>>>>>>> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
>>>>>>> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
>>>>>>> javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
>>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.searchInternalExact(DSLDAPSyncImpl.java:1193)
>>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.LDAPFullSync(DSLDAPSyncImpl.java:823)
>>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run(DSLDAPSyncImpl.java:296)
>>>>>>>
>>>>>>> 2008-01-09 14:11:42,452 ERROR
>>>>>>> [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)]
>>>>>>> ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:325) -
>>>>>>> LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[Run]
>>>>>>> com.cisco.ccm.dir.dirsync.common.DSException
>>>>>>> MESSAGE null
>>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.LDAPFullSync(DSLDAPSyncImpl.java:841)
>>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run(DSLDAPSyncImpl.java:296)
>>>>>>>
>>>>>>>
>>>>>>> I have no idea what they mean....
>>>>>>>
>>>>>>> And no users are being brought over...
>>>>>>>
>>>>>>>
>>>>>>> Jonathan
>>>>>>>
>>>>>>> On Jan 9, 2008 3:34 PM, Craig Staffin <cmstaffin at gmail.com> wrote:
>>>>>>>> It just needs to be a member of Domain Users
>>>>>>>>
>>>>>>>> There are no special rights needed
>>>>>>>>
>>>>>>>> Craig
>>>>>>>>
>>>>>>>>
>>>>>>>> On Jan 9, 2008 2:50 PM, Jonathan Charles <jonvoip at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> So, what rights does the LDAP user need to AD for it to sync...?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jonathan
>>>>>>>>> _______________________________________________
>>>>>>>>> cisco-voip mailing list
>>>>>>>>> cisco-voip at puck.nether.net
>>>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Craig Staffin
>>>>>>>> Craig at staffin.org
>>>>>>>> (H) 262-437-7313
>>>>>>>> (C) 262-613-6003
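The two checks suggested in this thread (read the referral target out of the DirSync error, then look at the DNS answers for the domain, forestdnszones and domaindnszones names for bogus entries such as an auto-assigned address) can be scripted. This is an added example, not part of the original thread and not Cisco's code; the function names are hypothetical and the DNS answers in the sample are constructed.

```python
import ipaddress
import re
import socket

REF_RE = re.compile(r"ref\s+\d+:\s*'\s*([^'\s]+)\s*'")  # ref 1: 'host'


def referral_hosts(trace_text):
    """Unique referral targets named in a DirSync trace, in first-seen order."""
    if "error code 10" not in trace_text:  # 10 is the LDAP referral result code
        return []
    return list(dict.fromkeys(h.lower() for h in REF_RE.findall(trace_text)))


def names_to_check(domain):
    """The three names the thread says to nslookup for an AD domain."""
    return [domain, f"forestdnszones.{domain}", f"domaindnszones.{domain}"]


def resolve(name):
    """Live lookup (needs network; raises socket.gaierror on failure)."""
    infos = socket.getaddrinfo(name, 389, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def bogus_addresses(addresses):
    """Flag A records that no LDAP client should be sent to."""
    flagged = {}
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip.is_link_local:
            flagged[text] = "auto-assigned 169.254.0.0/16 address"
        elif ip.is_loopback or ip.is_unspecified:
            flagged[text] = "loopback or unspecified address"
    return flagged


def audit(trace_text, lookup=resolve):
    """Map each name worth checking to its bogus addresses (empty = clean)."""
    names = [n for h in referral_hosts(trace_text) for n in names_to_check(h)]
    return {n: bogus_addresses(lookup(n)) for n in names}


# Referral text as quoted in the thread; the DNS answers are constructed.
SAMPLE_TRACE = ("[LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data 0, "
                "1 access points\nref 1: ' planetcrazy.net'")
SAMPLE_DNS = {"forestdnszones.planetcrazy.net": ["10.1.1.10", "169.254.23.7"]}

if __name__ == "__main__":
    print(audit(SAMPLE_TRACE, lambda name: SAMPLE_DNS.get(name, [])))
```

Calling `audit(trace_text)` with no second argument performs live lookups from the machine it runs on, so run it from a host that uses the same DNS servers as the CUCM publisher.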