Cannot create new computer in ADSI Edit on an AD LDS instance
Using ADSI Edit I cannot use the interface and create a new computer.
Background
So I installed Active Directory Lightweight Directory Services (AD LDS) on my Windows 8.1 Pro computer. Then I followed the tutorial to create an AD LDS instance and then this tutorial setting up groups and users. Everything works as detailed in the those tutorial pages.
However, I want to develop LDAP queries to determine the number of computers in a ActiveDirectory group and so I want to create computer objects. This is not possible from the New menu. I have read elesewhere that the importing of LDIF matters because you need the right schema. So I followed the steps a second time and imported all the LDIF files available which are a subset of the files found (for me) in C:\Windows\ADAM the selection is ...
- MS-AdamSyncMetadata.LDF
- MS-ADLDS-DisplaySpecifiers.LDF
- MS-AZMan.LDF
- MS-InetOrgPerson.LDF
- MS-MembershipTransitive.LDF
- MS-ParentDistname.LDF
- MS-ReplValMetadataExt.LDF
- MS-SecretAttributeCARs.LDF
- MS-SetOwnerBypassQuotaCARs.LDF
- MS-User.LDF
- MS-UserProxy.LDF
- MS-UserProxyFull.LDF
but even after selecting all of those I still cannot create new computer.
Now, it turns out the only ldf files outside C:\Windows\ADAM appear to be SQL Server log data files because the file extension is overloaded.
However, not all the files within C:\Windows\ADAM appear on the list, MS-ADAMSCHEMAW2K8.LDF does not appear. If I poke around in the contents of this file then I can something promising.
...
# Class: computer
dn: cn=Computer,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: classSchema
governsID: 1.2.840.113556.1.3.30
ldapDisplayName: computer
adminDisplayName: Computer
adminDescription: Computer
# schemaIDGUID: bf967a86-0de6-11d0-a285-00aa003049e2
schemaIDGUID:: hnqWv+YN0BGihQCqADBJ4g==
objectClassCategory: 1
systemFlags: 16
# subclassOf: user
subclassOf: 1.2.840.113556.1.5.9
...
So somehow I cannot select the LDIF file I need. What am I doing wrong?
EDIT: Continuing to Google, it seems I was correct that "By default AD LDS schema does not have a computer class" because this quote appears on this Technet web page.
Experimenting with Extend the AD LDS Schema to Support NFS User Mapping
Using ldifde -i -u -f MS-AdamSchemaW2K8.LDF -s localhost:389 -j . -c "cn=Configuration,dc=X" “#configurationNamingContext” gives the error output below
Connecting to "localhost:389"
Logging in as current user using SSPI
Importing directory from file "MS-AdamSchemaW2K8.LDF"
Loading entries.
Add error on entry starting on line 16: Invalid DN Syntax
The server side error is: 0x208f The object name has bad syntax.
The extended server error is:
0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8350, best match of:
'cn=Schema,"#configurationNamingContext"'
0 entries modified successfully.
An error has occurred in the program
.
The above problem is solved by the answer here which says do not wrap final term in quotes.
... progressing...and that solved it. will answer my own question.
So extending the schema is the correct thing to do but understand that the instructions at the canonical Technet article have a typo which is corrected at this Technet forum Q & A.
The correct form is
ldifde -i -u -f MS-AdamSchemaW2K8.LDF -s localhost:389 -j . -c "cn=Configuration,dc=X" #configurationNamingContext
Here is proof
- Logon Batch Script Running for Standard Users but not Admins
- What are CN, OU, DC in an LDAP search?
- PHP LDAP query to get members of specific security Group
- How to authenticate User Credentials against AD from Android Java
- Is there any way to get VBA to get the current user's Full Name from a Windows user account without using CMD?
- LDAP Query via Windows CMD
- powershell foreach-object parallel - Not all properties of piped in object are available
- VBScript: Using WScript.Shell to Execute a Command Line Program That Accesses Active Directory
- Getting Active Directory "SecurityDescriptor" attribute in .net core on linux machine
- Set default server in powershell for AD related commands
- Batch Scripting - Wait until network Established
- ADFS Metadata not accessible from outside
- "é" become "ã©" while using ldap_modify_batch() in php
- Why creating new user and roaming profile creation will result error logging in?
- Having trouble making UserPrincipalName all lowercase in Powershell
- How to Compare Sets of Users
- How to keep the shell window open after running a PowerShell script?
- ExemptFileTypeDownloadWarnings correct registry syntax for intranet URLs
- How do I modify a Boolean LDAP Active Directory attribute using Net::LDAP?
- Get-ACL of Deleted Objects Container
- What is the maximum length of a SID in SDDL format
- IIS "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" SQL connection error, but only for 1 user
- How can I make sure this is a secure LDAP connection and write AD's unicodePwd attribute?
- Windows Property Pages: Domain Path Not Shown on Security Tab
- Azure Entra ID tokens endpoint issues an expired token
- NativeObject try-catch does not catch a timed out error
- Getting "The server could not be contacted." when trying to access active directory
- Can't figure out how to delete a specific computer from AD using power shell. Can't find any solution anywhere
- Powershell - Create new user accounts from CSV & simultaneously populate these new accounts with template account info (Address & group membership)
- Unknown Error (0x80005000) with LDAPS Connection