Archived from groups: microsoft.public.win2000.active_directory (
More info?)
Hmmm...that's a bit of a problem.
The trusted domains are more or less a no go, without being able to
stipulate more than two domains, as referrals and the like are forest
specific (unless you create external crossRef objects).
For the internal referrals (the child domains), you can point everything to
the root and they will get referred but only if the user name is passed with
the details of the domain -at this point I'm not 100% sure whether this has
to be in the format of a DN or if it can be other formats, providing the
domain is passed too. I'm thinking DN only, but I'd have to check my notes.
Have a look at this, and see what you think:
--
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbc_nar_gzoq.asp
(be wary of the line wrap, if any)
--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/
"Troubled Mike" <TroubledMike@discussions.microsoft.com> wrote in message
news:C652E5F0-F9CD-4F65-B1FB-972F3D20F3E2@microsoft.com...
That is the problem. We can only pass a maximum of 2 Domains.
We have a new ERP system that can either authenticate with it's own user
database or we can set it up to authenticate via Active Directory. We would
much prefer authenticating via Active Directory as it makes Administration
much easier. In order to set that up, we must edit a properties file from
the application. This file allows you to specify 2 Domain Controllers, or
you can specifiy LDAP. If you specify an LDAP server, these are the
parameters that you can pass:
# comments out the line.
# Logon properties for LDAP/AD
#type:I
dir.logon.ldap.server=
dir.logon.ldap.port=
dir.logon.ldap.top=
dir.logon.ldap.prefix=
dir.logon.ldap.sufix=
Keep in mind that this will work just fine if we are only authenticating a
single Domain's users. The problem comes in because we are a WorldWide
company and have several child and trusted domains.
"ptwilliams" wrote:
> No, that's the problem -without a DN it won't.
>
> You'll need to 'aim' the request at the appropriate DC.
>
> Can you pass the domain?
>
> Perhaps if you can explain a little more what you are trying to achieve we
> can better assist?
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Troubled Mike" <TroubledMike@discussions.microsoft.com> wrote in message
> news:89235423-ED9A-4086-B091-D39D713F8257@microsoft.com...
> I have run these commands and they were successful. Should the Domain
> Controllers from the site that this application is located pass the
> username
> on to the proper child domain? Even without a Domain identifier?
>
> "ptwilliams" wrote:
>
> > In order to successfully logon, you must be able to resolve the _ldap
> > SRV
> > records.
> >
> > Ensure that the dsGetDc call is successful by either running nltest
> > /dsgetdc:domain-name.com or netdiag /test:dsgetdc
> >
> >
> > > Is there a way or how can Active Directory or LDAP search all of my
> > > domains, both parent and child, for the username to authenticate?
> >
> > If you're using an LDAP query this is possible through the use of
> > crossRef
> > objects and LDAP referrals. Although in order for this to work you must
> > pass the full DN of the domain. If you don't pass the DN, then you'll
> > need
> > to pass additional info., such as domain name, etc.
> >
> > --
> >
> > Paul Williams
> >
> > http://www.msresource.net/
> > http://forums.msresource.net/
> >
> > "Troubled Mike" <Troubled Mike@discussions.microsoft.com> wrote in
> > message
> > news:E472A4BC-DED2-472F-B4D0-A7AAE7FCACCA@microsoft.com...
> > I have an ERP application that can authenticate users from Active
> > Directory
> > or LDAP. The problem that I am having is that it does not appear that
> > any
> > domain information is passed to my DCs or LDAP Server. For example, I
> > can
> > login and authenticate just fine in the parent domain, but when I try to
> > login as a user from the child domain, the authentication fails. The
> > only
> > login information that is entered is the user name, i.e. sjones. Is
> > there
> > a
> > way or how can Active Directory or LDAP search all of my domains, both
> > parent
> > and child, for the username to authenticate?
> >
> >
> >
>
>
>