ldifde Utility Syntax Question use with inetOrgPersonFix.ldf


  • ldifde Utility Syntax Question use with inetOrgPersonFix.ldf

    Forgive me for being dumb, but I am not very well versed in syntax. Do you know how I would translate the following command that is trying to connect to our domain controller?



    Ldifde /i /f inetOrgPersonFix.ldf /c "DC=X" "<your domain>"



    Where <your domain> should be replaced with the fully qualified domain name for your domain. For example, DC=Microsoft,DC=COM.







    Given our domain controller PDCSLIM and our Fully Qualified Domain Name of mccart.com, how would I plug this into the above underlined command?

    Thanks

  • #2
    Actually, if you run the command on a DC (preferably the SCHEMA MASTER) then you need not add the DC and domain name.
    Cheers,

    Daniel Petri
    Microsoft Most Valuable Professional - Active Directory Directory Services
    MCSA/E, MCTS, MCITP, MCT



    • #3
      Originally posted by danielp
      Actually, if you run the command on a DC (preferably the SCHEMA MASTER) then you need not add the DC and domain name.
      Thanks for the response. It looks like there is some level of authentication, but the program gives the following errors attached in the pic. This is being run on the schema master.


      • #4
        Re: ldifde Utility Syntax Question use with inetOrgPersonFix

        Run it like this:
        Code:
        Ldifde /i /f inetOrgPersonFix.ldf /c "DC=X" "dc=mccart,dc=com"
        Make sure that your account is a member of the Schema Admins group and that you have enabled schema updates on the Schema Master.

        If all that fails, add the /v switch to the command to get a more verbose error description.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"



        • #5
          Re: ldifde Utility Syntax Question use with inetOrgPersonFix

          Originally posted by guyt
          Run it like this:
          Code:
          Ldifde /i /f inetOrgPersonFix.ldf /c "DC=X" "dc=mccart,dc=com"
          I still get the same error from my last post with the line above. I did take off the /i and it ran at that point. I then try to rerun the command after the /f and it seems to run until it gets to the end and gives an error below (1.). I have also included a log file of the command (2.).

          1. Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager.


          2. Log File:
          Code:
          Connecting to "pdcslim.mccart.com"
          Logging in as current user using SSPI
          Importing directory from file "inetorgpersonfix.ldf"
          Loading entries
          1: DC=mccart,DC=com
          Entry DN: DC=mccart,DC=com
          change: add
          Attribute 0) masteredBy:CN=NTDS Settings,CN=ISAIAH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mccart,DC=comCN=NTDS 
          Settings,CN=PDCSLIM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mccart,DC=com
          Attribute 1) auditingPolicy: UNPRINTABLE BINARY(2)
          Attribute 2) creationTime:125384368057690880
          Attribute 3) dc:mccart
          Attribute 4) domainReplica:PDCSLIM
          Attribute 5) forceLogoff:-9223372036854775808
          Attribute 6) fSMORoleOwner:CN=NTDS Settings,CN=PDCSLIM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mccart,DC=com
          Attribute 7) gPLink:[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mccart,DC=com;0]
          Attribute 8) gPOptions:0
          Attribute 9) instanceType:5
          Attribute 10) isCriticalSystemObject:TRUE
          Attribute 11) lockOutObservationWindow:-18000000000
          Attribute 12) lockoutDuration:-18000000000
          Attribute 13) lockoutThreshold:0
          Attribute 14) maxPwdAge:-36288000000000
          Attribute 15) minPwdAge:0
          Attribute 16) minPwdLength:0
          Attribute 17) modifiedCount:137438964536
          Attribute 18) modifiedCountAtLastProm:137438955634
          Attribute 19) ms-DS-MachineAccountQuota:10
          Attribute 20) nextRid:1237
          Attribute 21) nTMixedDomain:1
          Attribute 22) distinguishedName:DC=mccart,DC=com
          Attribute 23) objectCategory:CN=Domain-DNS,CN=Schema,CN=Configuration,DC=mccart,DC=com
          Attribute 24) objectClass:domainDNS
          Attribute 25) objectGUID: UNPRINTABLE BINARY(16)
          Attribute 26) objectSid: UNPRINTABLE BINARY(24)
          Attribute 27) pwdHistoryLength:0
          Attribute 28) pwdProperties:16
          Attribute 29) name:mccart
          Attribute 30) replUpToDateVector: UNPRINTABLE BINARY(88)
          Attribute 31) repsFrom: UNPRINTABLE BINARY(267) UNPRINTABLE 
          BINARY(267)
          Attribute 32) repsTo: UNPRINTABLE BINARY(267)
          Attribute 33) rIDManagerReference:CN=RID Manager$,CN=System,DC=mccart,DC=com
          Attribute 34) serverState:1
          Attribute 35) subRefs:CN=Configuration,DC=mccart,DC=com
          Attribute 36) systemFlags:-1946157056
          Attribute 37) uASCompat:1
          Attribute 38) uSNChanged:12010646
          Attribute 39) uSNCreated:1154
          Attribute 40) wellKnownObjects:B:32:18E2EA80684F11D2B9AA00C04F79F805:
          CN=Deleted Objects,DC=mccart,DC=comB:32:2FBAC1870ADE11D297C400C04FD8D5CD:
          CN=Infrastructure,DC=mccart,DC=comB:32:AB8153B7768811D1ADED00C04FD8D5CD:
          CN=LostAndFound,DC=mccart,DC=comB:32:AB1D30F3768811D1ADED00C04FD8D5CD:
          CN=System,DC=mccart,DC=comB:32:A361B2FFFFD211D1AA4B00C04FD7D83A:
          OU=Domain Controllers,DC=mccart,DC=comB:32:AA312825768811D1ADED00C04FD8D5CD:
          CN=Computers,DC=mccart,DC=comB:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,
          DC=mccart,DC=com
          Attribute 41) whenChanged:20050210131235.0Z
          Attribute 42) whenCreated:20020119062457.0Z
          
          Add error on line 1: Unwilling To Perform
          The server side error is "Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)."
          0 entries modified successfully.
          An error has occurred in the program



          • #6
            Please post the inetOrgPersonFix.ldf you are trying to use.
            The output implies that the LDIF used as input contains attributes that can only be changed by the system (i.e.: uSNChanged).
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"

            Comment
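The check post #6 describes, as an added example that is not part of the original thread: a Python pre-flight that reads ldifde's verbose log and flags entries that carry directory-maintained attributes or sit outside the schema partition. The attribute set, the schema-partition expectation and the second sample entry are assumptions constructed for illustration.

```python
import re

# Assumption: constructed, non-exhaustive set of attributes the directory
# service maintains itself; an import file has no business setting them.
SYSTEM_MAINTAINED = {"objectguid", "objectsid", "usnchanged", "usncreated",
                     "whenchanged", "whencreated", "repluptodatevector",
                     "repsfrom", "repsto"}
# Assumption: a schema fix only touches objects in the schema partition.
SCHEMA_MARKER = "cn=schema,cn=configuration,"
DN_RE = re.compile(r"^\s*Entry DN:\s*(.+?)\s*$")
CHANGE_RE = re.compile(r"^\s*change:\s*(\w+)")
ATTR_RE = re.compile(r"^\s*Attribute \d+\)\s*([^:\s]+):")

# Constructed sample: entry 1 abridged from the thread's log, entry 2 invented.
SAMPLE_LOG = """\
Entry DN: DC=mccart,DC=com
change: add
Attribute 3) dc:mccart
Attribute 25) objectGUID: UNPRINTABLE BINARY(16)
Attribute 26) objectSid: UNPRINTABLE BINARY(24)
Attribute 38) uSNChanged:12010646
Entry DN: CN=Example-Attr,CN=Schema,CN=Configuration,DC=mccart,DC=com
change: modify
Attribute 0) lDAPDisplayName:exampleAttr
"""

def parse_log(text):
    """Return one dict per 'Entry DN:' record: dn, change type, attribute names."""
    entries = []
    for line in text.splitlines():
        if m := DN_RE.match(line):
            entries.append({"dn": m.group(1), "change": None, "attrs": []})
        elif entries and (m := CHANGE_RE.match(line)):
            entries[-1]["change"] = m.group(1).lower()
        elif entries and (m := ATTR_RE.match(line)):
            entries[-1]["attrs"].append(m.group(1))
    return entries

def review(text):
    """Return (dn, change, system_attrs, outside_schema) for each suspect entry."""
    findings = []
    for e in parse_log(text):
        flagged = sorted(a for a in e["attrs"] if a.lower() in SYSTEM_MAINTAINED)
        outside = SCHEMA_MARKER not in e["dn"].lower()
        if flagged or outside:
            findings.append((e["dn"], e["change"], flagged, outside))
    return findings

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

A finding for the domain root with `change: add` and attributes such as `objectSid` means the input file is a directory export rather than a set of schema modifications.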


            • #7
              Originally posted by guyt
              Please post the inetOrgPersonFix.ldf you are trying to use.
              The output implies that the LDIF used as input contains attributes that can only be changed by the system (i.e.: uSNChanged).
              I'm not sure I understand the question, but I extracted the inetOrgPersonFix.ldf from the 2003 Server CD and ran the following command:

              Ldifde /i /f inetOrgPersonFix.ldf /c "DC=X" "dc=mccart,dc=com"



              • #8
                Run
                Code:
                Ldifde -i -v -f inetOrgPersonFix.ldf -c "DC=X" "dc=mccart,dc=com" -j c:\
                and attach the ldif.log that will be created in c:\

                I do not have the inetOrgPersonFix.ldf handy, so attaching it would be helpful too
                Guy Teverovsky
                "Smith & Wesson - the original point and click interface"



                • #9
                  Here is the log info, and attached is the utility renamed to .zip:

                  Code:
                  Connecting to "pdcslim.mccart.com"
                  Logging in as current user using SSPI
                  Importing directory from file "inetorgpersonfix.ldf"
                  Loading entries
                  1: DC=mccart,DC=com
                  Entry DN: DC=mccart,DC=com
                  change: add
                  Attribute 0) masteredBy:CN=NTDS Settings,CN=ISAIAH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mccart,DC=comCN=NTDS Settings,CN=PDCSLIM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mccart,DC=com
                  Attribute 1) auditingPolicy: UNPRINTABLE BINARY(2)
                  Attribute 2) creationTime:125384368057690880
                  Attribute 3) dc:mccart
                  Attribute 4) domainReplica:PDCSLIM
                  Attribute 5) forceLogoff:-9223372036854775808
                  Attribute 6) fSMORoleOwner:CN=NTDS Settings,CN=PDCSLIM,CN=Servers,CN=Default-First-Site-
                  Name,CN=Sites,CN=Configuration,DC=mccart,DC=com
                  Attribute 7) gPLink:[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mccart,DC=com;0]
                  Attribute 8) gPOptions:0
                  Attribute 9) instanceType:5
                  Attribute 10) isCriticalSystemObject:TRUE
                  Attribute 11) lockOutObservationWindow:-18000000000
                  Attribute 12) lockoutDuration:-18000000000
                  Attribute 13) lockoutThreshold:0
                  Attribute 14) maxPwdAge:-36288000000000
                  Attribute 15) minPwdAge:0
                  Attribute 16) minPwdLength:0
                  Attribute 17) modifiedCount:137438964536
                  Attribute 18) modifiedCountAtLastProm:137438955634
                  Attribute 19) ms-DS-MachineAccountQuota:10
                  Attribute 20) nextRid:1237
                  Attribute 21) nTMixedDomain:1
                  Attribute 22) distinguishedName:DC=mccart,DC=com
                  Attribute 23) objectCategory:CN=Domain-
                  DNS,CN=Schema,CN=Configuration,DC=mccart,DC=com
                  Attribute 24) objectClass:domainDNS
                  Attribute 25) objectGUID: UNPRINTABLE BINARY(16)
                  Attribute 26) objectSid: UNPRINTABLE BINARY(24)
                  Attribute 27) pwdHistoryLength:0
                  Attribute 28) pwdProperties:16
                  Attribute 29) name:mccart
                  Attribute 30) replUpToDateVector: UNPRINTABLE BINARY(88)
                  Attribute 31) repsFrom: UNPRINTABLE BINARY(267) UNPRINTABLE BINARY
                  (267)
                  Attribute 32) repsTo: UNPRINTABLE BINARY(267)
                  Attribute 33) rIDManagerReference:CN=RID 
                  Manager$,CN=System,DC=mccart,DC=com
                  Attribute 34) serverState:1
                  Attribute 35) subRefs:CN=Configuration,DC=mccart,DC=com
                  Attribute 36) systemFlags:-1946157056
                  Attribute 37) uASCompat:1
                  Attribute 38) uSNChanged:12010646
                  Attribute 39) uSNCreated:1154
                  Attribute 40) wellKnownObjects:B:32:18E2EA80684F11D2B9AA00C04F79F805:
                  CN=Deleted Objects,DC=mccart,DC=comB:32:2FBAC1870ADE11D297C400C04FD8D5CD:
                  CN=Infrastructure,DC=mccart,DC=comB:32:AB8153B7768811D1ADED00C04FD8D5CD:
                  CN=LostAndFound,DC=mccart,DC=comB:32:AB1D30F3768811D1ADED00C04FD8D5CD:
                  CN=System,DC=mccart,DC=comB:32:A361B2FFFFD211D1AA4B00C04FD7D83A:
                  OU=Domain Controllers,DC=mccart,DC=comB:32:AA312825768811D1ADED00C04FD8D5CD:
                  CN=Computers,DC=mccart,DC=comB:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,
                  DC=mccart,DC=com
                  Attribute 41) whenChanged:20050210131235.0Z
                  Attribute 42) whenCreated:20020119062457.0Z
                  
                  Add error on line 1: Unwilling To Perform
                  The server side error is "Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)."
                  0 entries modified successfully.
                  An error has occurred in the program


                  • #10
                    Looks like the zip file is corrupt - I can't open it.
                    Also, you have not answered whether your account is a member of Schema Admins and whether you have enabled schema updates on the Schema Master.
                    Guy Teverovsky
                    "Smith & Wesson - the original point and click interface"



                    • #11
                      The .zip file is the inetOrgPersonFix.ldf file renamed to .zip. You will just have to rename it. I am not sure if Schema updates have ever been enabled; I know that I haven't. That's not to say the last admin didn't. I am logging into that server as administrator, which is a member of the Schema Admins built-in account.

                      What would be the worst thing that could happen if this "fix" doesn't get run before I do the adprep on my domain? If you can't tell, I am a little "green" with some of the more in-depth AD stuff!! Thanks for your help and patience!!



                      • #12
                        I really really see no issue here. Just follow Guy's instructions, plain and simple.

                        1) See if you're using a domain admin/schema admin/enterprise admin account. That shouldn't be hard to check.

                        2) Then see if the Schema has been configured to allow write operations.

                        3) Next, see if you're on the Schema Master FSMO role holder (should be the first DC in the forest, see my site for info on this issue).

                        4) Last - run the script.

                        Let us know what came up.
                        Cheers,

                        Daniel Petri
                        Microsoft Most Valuable Professional - Active Directory Directory Services
                        MCSA/E, MCTS, MCITP, MCT



                        • #13
                          Originally posted by danielp
                          I really really see no issue here. Just follow Guy's instructions, plain and simple.

                          1) See if you're using a domain admin/schema admin/enterprise admin account. That shouldn't be hard to check.

                          2) Then see if the Schema has been configured to allow write operations.

                          3) Next, see if you're on the Schema Master FSMO role holder (should be the first DC in the forest, see my site for info on this issue).

                          4) Last - run the script.

                          Let us know what came up.
                          In response to the above:
                          1. I AM using an administrator account with all of the proper permissions.
                          2. I double-checked the Schema and it DOES allow write permissions.
                          3. I am running the script on the Schema Master FSMO role holder.
                          4. When I run the script it always errors out. I have tried to change some of the DC= parameters and have followed this site's and Microsoft's KB#325379 in response to this, but I just can't get it to go. I almost give up, do you?



                          • #14
                            What does the "Schema Update Allowed" value say? ( http://support.microsoft.com/default...b;en-us;216060 )

                            Do you have mangled attributes to which you are trying to apply the fix?
                            Guy Teverovsky
                            "Smith & Wesson - the original point and click interface"



                            • #15
                              Originally posted by guyt
                              What does the "Schema Update Allowed" value say? ( http://support.microsoft.com/default...b;en-us;216060 )

                              Do you have mangled attributes to which you are trying to apply the fix?
                              It has the entry already Schema Update Allowed with the value of 1. So that has been enabled. I just ran across the inetorgpersonfix.ldf when researching before doing an upgrade to 2003 server. In my organization we have 2 DCs and one Exchange 2000 server so that tells me that the Schema values written were done so by Exchange so we fall under the 2nd scenario described in Microsoft KB: RIGHT..........??????? http://support.microsoft.com/default...b;en-us;314649

