<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
With Win2k3 AD, if you make an LDAP search with the search base set to the root of the domain you will always get a referral for 3 hosts:<div>cn=Configuration, dc=domain, dc=com</div><div>dc=forestdnszones, dc=domain, dc=com</div><div>dc=domaindnszones, dc=domain, dc=com</div><div><br class="webkit-block-placeholder"></div><div>From what I've gathered troubleshooting a bijillion of these referral issues, these DNS entries usually have all DCs in the domain listed. Most of the time if you get a 2nd NIC enabled on a DC with DHCP enabled but not reachable the server grabs the auto-assigned Windows DHCP address and this gets stuck into DNS. CM (4.x at least) had a nasty habit of picking the one address out of all possible DNS results and using it to follow the referral. This causes all kinds of LDAP issues.</div><div><br class="webkit-block-placeholder"></div><div>This is why a sniffer capture is so helpful when troubleshooting LDAP issues. I've found that customers' AD folks tend to be quite protective and don't like to even think of there being a problem on their end until I can show them exactly what's going wrong in a sniffer capture.</div><div><br><div><div> <p style="margin: 0.0px 0.0px 0.0px 0.0px"><font face="Helvetica" size="3" style="font: 12.0px Helvetica">-Ryan</font></p> </div><br><div><div>On Jan 10, 2008, at 3:06 PM, Joel Perez wrote:</div><br class="Apple-interchange-newline"><div>Gotcha,</div> <div> </div> <div>Got it now, thought it was some new crazy feature of CCM6.</div> <div> </div> <div>Thanks,</div> <div> </div> <div>Joel P<br><br> </div> <div><span class="gmail_quote">On 1/10/08, <b class="gmail_sendername">Scott Voll</b> <<a href="mailto:svoll.voip@gmail.com">svoll.voip@gmail.com</a>> wrote:</span> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"> <div><a onclick="return top.js.OpenExtLink(window,event,this)" href="http://planetcrazy.net/" target="_blank">planetcrazy.net</a> was in 
the trace file. AD uses the forestdnszones and domaindnszones as part of the AD / DNS sync. </div><span class="sg"> <div> </div> <div>Scott<br><br> </div></span> <div><span class="e" id="q_117654a355dc1e0a_2"> <div class="gmail_quote">On Jan 10, 2008 11:06 AM, Joel Perez <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:tman701@gmail.com" target="_blank">tman701@gmail.com</a>> wrote:<br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"> <div>Pardon my ignorance guys, but what does his issue have to do with '<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://planetcrazy.net/" target="_blank">planetcrazy.net</a>', '<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://forestdnszones.planetcrazy.net/" target="_blank"> forestdnszones.planetcrazy.net</a>', and '<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://domaindnszones.planetcrazy.net/" target="_blank">domaindnszones.planetcrazy.net</a>'?</div> <div> </div> <div>I'm just curious. </div> <div> </div> <div>Thanks,</div> <div>Joel P<br><br> </div> <div> <div></div> <div> <div><span class="gmail_quote">On 1/10/08, <b class="gmail_sendername">Scott Voll</b> <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:svoll.voip@gmail.com" target="_blank">svoll.voip@gmail.com</a> > wrote:</span> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"> <div>and make sure all are routable. and close. 
we had issues with a DC going offsite over slower link.</div><span> <div> </div> <div>Scott<br><br> </div></span> <div><span> <div class="gmail_quote">On Jan 10, 2008 6:47 AM, Jonathan Charles <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:jonvoip@gmail.com" target="_blank">jonvoip@gmail.com</a>> wrote:<br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">OK, I will try that tonight...<br><br>Thanks...<br><font color="#888888"><br><br>Jonathan<br></font> <div> <div></div> <div><br>On Jan 10, 2008 8:38 AM, Ryan Ratliff <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:rratliff@cisco.com" target="_blank">rratliff@cisco.com</a>> wrote:<br>> Yes it does.<br>> <br>> Just guessing though it looks as if you've got referral issues, just <br>> going from some of the errors. Is this Win2k3 AD? If so do an<br>> nslookup for '<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://planetcrazy.net/" target="_blank"> planetcrazy.net</a>', '<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://forestdnszones.planetcrazy.net/" target="_blank"> forestdnszones.planetcrazy.net</a>', and<br>> '<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://domaindnszones.planetcrazy.net/" target="_blank"> domaindnszones.planetcrazy.net</a>' and see if there are any bogus<br>> entries in any of them. <br>><br>> > MESSAGE [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data<br>> > 0, 1 access points <br>> > ref 1: '<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://planetcrazy.net/" target="_blank">planetcrazy.net </a>'<br>> ><br>><br>><br>> -Ryan<br>><br>> <br>> On Jan 10, 2008, at 9:38 AM, Jonathan Charles wrote:<br>><br>> Not that easy an option... wait...<br>><br>> Doesn't CCM have a built in sniffer? 
<br>><br>><br>><br>> Jonathan<br>><br> > On Jan 10, 2008 8:09 AM, Ryan Ratliff <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:rratliff@cisco.com" target="_blank">rratliff@cisco.com</a>> wrote:<br>> > Go for a sniffer capture. It's the easiest way to see what's going <br>> > on.<br>> ><br>> > -Ryan<br>> ><br>> ><br>> > On Jan 9, 2008, at 7:31 PM, Jonathan Charles wrote:<br>> ><br>> > The sync is not working tho...<br>> ><br>> > I am getting these errors in the DirSync trace... <br>> ><br>> > 2008-01-09 14:11:42,451 ERROR<br>> > [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)]<br>> > ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:832) -<br>> > LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[LDAPFullSync] Caught <br>> > NamingException<br>> > 2008-01-09 14:11:42,452 ERROR<br>> > [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)]<br>> > ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:833) -<br>> > LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[LDAPFullSync] <br>> > com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 -<br>> > 0000202B: RefErr: DSID-031005E2, data 0, 1 access points<br>> > ref 1: '<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://planetcrazy.net/" target="_blank"> planetcrazy.net</a>'<br>> ><br>> ><br>> > MESSAGE [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data<br>> > 0, 1 access points<br>> > ref 1: '<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://planetcrazy.net/" target="_blank"> planetcrazy.net</a>'<br>> ><br>> > com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2824)<br>> > com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)<br>> > com.sun.jndi.ldap.LdapCtx.searchAux (LdapCtx.java:1808)<br>> > com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1731)<br>> > com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search<br>> > (ComponentDirContext.java:368)<br>> > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search <br>> > 
(PartialCompositeDirContext.java:338)<br>> > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search<br>> > (PartialCompositeDirContext.java:321)<br>> > javax.naming.directory.InitialDirContext.search <br>> > (InitialDirContext.java:248)<br>> > com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.searchInternalEx<br>> > ac<br>> > t(DSLDAPSyncImpl.java:1193)<br>> > com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.LDAPFullSync <br>> > (DSLDAPSyncImpl.java:823)<br>> > com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run<br>> > (DSLDAPSyncImpl.java:296)<br>> ><br>> > 2008-01-09 14:11:42,452 ERROR<br>> > [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)] <br>> > ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:325) -<br>> > LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[Run]<br>> > com.cisco.ccm.dir.dirsync.common.DSException<br>> > MESSAGE null<br> > > com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.LDAPFullSync<br>> > (DSLDAPSyncImpl.java:841)<br>> > com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run<br>> > (DSLDAPSyncImpl.java:296) <br>> ><br>> ><br>> > I have no idea what they mean....<br>> ><br>> > And no users are being brought over...<br>> ><br>> ><br>> > Jonathan<br>> ><br>> > On Jan 9, 2008 3:34 PM, Craig Staffin < <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cmstaffin@gmail.com" target="_blank">cmstaffin@gmail.com</a>> wrote:<br>> >> It just needs to be a member of Domain Users<br>> >> <br>> >> There are no special rights needed<br>> >><br>> >> Craig<br>> >><br>> >><br>> >> On Jan 9, 2008 2:50 PM, Jonathan Charles <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:jonvoip@gmail.com" target="_blank"> jonvoip@gmail.com</a> > wrote:<br>> >>><br>> >>> So, what rights does the LDAP user need to AD for it to sync...? 
<br>> >>><br>> >>><br>> >>><br>> >>> Jonathan <br>> >>> _______________________________________________ <br>> >>> cisco-voip mailing list<br>> >>> <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:cisco-voip@puck.nether.net" target="_blank"> cisco-voip@puck.nether.net</a><br>> >>> <a onclick="return top.js.OpenExtLink(window,event,this)" href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip </a><br>> >>><br>> >><br>> >><br>> >><br>> >> --<br>> >> Craig Staffin<br>> >> <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Craig@staffin.org" target="_blank"> Craig@staffin.org</a><br>> >> (H) 262-437-7313 <br>> >> (C) 262-613-6003<br>> ><br>> ><br>><br>><br> </div></div></blockquote></div><br></span></div><br>
</blockquote></div><br> </div></div></blockquote></div><br></span></div></blockquote></div><br> </div><br></div></div></body></html>
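The nslookup check suggested in this thread, as an added Python example (not code from the list or from Cisco): it resolves the three referral names and flags any address that is link-local or outside the subnets where DCs are expected. Assumptions: the "auto-assigned" address is taken to be in 169.254.0.0/16, and `example.test`, the sample records and the `10.1.1.0/24` subnet are constructed for illustration.

```python
import ipaddress
import socket

# DNS names a Win2k3 root-of-domain search refers to, per the thread:
# the domain itself plus its ForestDnsZones and DomainDnsZones partitions.
REFERRAL_LABELS = ("", "forestdnszones", "domaindnszones")


def referral_names(domain):
    return [f"{label}.{domain}" if label else domain for label in REFERRAL_LABELS]


def resolve(domain):
    """Live lookup of every A record behind each referral name."""
    records = {}
    for name in referral_names(domain):
        try:
            infos = socket.getaddrinfo(name, 389, socket.AF_INET, socket.SOCK_STREAM)
            records[name] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            records[name] = []
    return records


def audit(records, dc_subnets):
    """Return (name, address, reason) for each record a client should not follow."""
    nets = [ipaddress.ip_network(s) for s in dc_subnets]
    findings = []
    for name, addrs in records.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if ip.is_link_local:  # assumption: 169.254.0.0/16 self-assigned address
                findings.append((name, addr, "auto-assigned link-local address"))
            elif not any(ip in net for net in nets):
                findings.append((name, addr, "outside expected DC subnets"))
    return findings


# Constructed sample: what resolve() might return with one stale second-NIC record.
SAMPLE = {
    "example.test": ["10.1.1.10", "10.1.1.11"],
    "forestdnszones.example.test": ["10.1.1.10", "169.254.23.7"],
    "domaindnszones.example.test": ["10.1.1.11", "192.168.50.5"],
}

if __name__ == "__main__":
    for name, addr, reason in audit(SAMPLE, ["10.1.1.0/24"]):
        print(f"{name}: {addr} ({reason})")
```

To check a live domain, pass `resolve("your.domain")` to `audit()` in place of `SAMPLE`.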