Reposted from:
Experience operating Active Directory in complex domain environments
1. Operating ACLs
Operating on ACLs requires the ActiveDs COM component.
In a reply to my previous article, Rock mentioned that "activeds.dll provides many functions that .NET's AD access components do not." ACL operations are one such case.
However, when I operated on ACLs, I found that a program that ran fine on Windows 2003 failed on Windows 2000, reporting "The security ID structure is invalid" (the Chinese message reads "safe ID structure is invalid").
I found a Knowledge Base article: http://support.microsoft.com/default.aspx?ScID=Kb;EN-US;316329
It turns out the problem occurs when the operating system binds the SID. The KB article offers two solutions:
A) Operate on the ACL manually (ugh: if I could do it by hand, why would I be writing code at all?)
B) Check the network, because the DC you are connected to is not responding. Since the environment I actually work in is a very complex domain environment, this situation is unavoidable.
With no other option, I had to deploy the program on Windows 2003 instead.
2. LDAP
As everyone knows, we usually use the DirectoryEntry class to work with AD objects.
The DirectoryEntry constructor binds to a DC according to the path you specify. For example, we often use an LDAP path such as LDAP://CN=oneCity,OU=Corp,DC=Fabrikam,DC=COM
Usually this works fine, but sometimes it reports an error saying it cannot connect to the domain.
The cause is similar to the one described above. Let me explain in detail:
When a domain controller is promoted, it registers all of its valid IP addresses in DNS. If you run nslookup Fabrikam.com, you will see that this domain (Fabrikam.com) resolves to many IP addresses. However, a DC server may have multiple network cards, some of which are unused (not even plugged in); such an unused card gets a 168.x.x.x address, and that address is registered in DNS as well. When binding to the domain, the system picks one of the IP addresses the domain name resolves to, and of course it may pick this invalid address.
Therefore, when setting the path, it is best to name a specific DC server, for example LDAP://mydc01/CN=oneCity,OU=Corp,DC=Fabrikam,DC=COM
This approach has a further advantage: in a distributed domain environment (e.g. Beijing / Shanghai / Guangzhou) you can pick the nearest domain controller.
When naming a DC server, you also need to allow for trying several DC servers in turn. For example, if the connection to MYDC01 fails, try the next DC server (LDAP://mydc02/CN=oneCity,OU=Corp,DC=Fabrikam,DC=COM). This is not hard to do in code, so I won't say more about it here.
In a simple domain environment (1-2 DCs), operating on AD is straightforward, but in a complex domain environment many unexpected problems appear. This experience is offered for your reference.
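Added example (not code from the original post): a DirectoryEntry bind that names each DC explicitly and falls through an ordered list of DC hostnames until one responds. The helper name DcBinder.BindWithFailover is an assumption; the hostnames mydc01/mydc02 and the DN come from the post.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example, not from the original post. Binds to the first domain
// controller in the list that responds, instead of letting the domain name
// resolve to whichever registered DC address DNS happens to return.
public static class DcBinder
{
    // Hypothetical helper name. Returns a bound DirectoryEntry, or throws
    // with the error collected from every DC that was tried.
    public static DirectoryEntry BindWithFailover(IEnumerable<string> dcHosts, string distinguishedName)
    {
        var failures = new List<string>();
        foreach (var dc in dcHosts)
        {
            // Naming the server in the path is what pins the bind to that DC;
            // ServerBind tells ADSI not to go looking for another one.
            string path = "LDAP://" + dc + "/" + distinguishedName;
            var entry = new DirectoryEntry(path, null, null,
                AuthenticationTypes.Secure | AuthenticationTypes.ServerBind);
            try
            {
                // DirectoryEntry binds lazily; RefreshCache forces the connection now,
                // so an unreachable DC fails here rather than on first property access.
                entry.RefreshCache();
                return entry;
            }
            catch (COMException ex)
            {
                // ADSI/LDAP errors (server down, unreachable address, bad DN, ...)
                failures.Add(dc + ": 0x" + ex.ErrorCode.ToString("X8") + " " + ex.Message);
                entry.Dispose();
            }
        }
        throw new InvalidOperationException(
            "No domain controller responded:\n" + string.Join("\n", failures.ToArray()));
    }

    public static void Main()
    {
        // Ordered by preference, e.g. the DC in the nearest site first.
        string[] dcs = { "mydc01", "mydc02" };
        using (var entry = BindWithFailover(dcs, "CN=oneCity,OU=Corp,DC=Fabrikam,DC=COM"))
        {
            Console.WriteLine("Bound to " + entry.Path);
            Console.WriteLine("Object class: " + entry.SchemaClassName);
        }
    }
}
```

Logging the per-DC error code makes it easy to tell a DC that is genuinely down from one whose DNS-registered address is simply unreachable.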