
Trouble querying AD when not on DC


markdmac

Hi Everyone,

I am encountering a problem with the following code. It works great when the ASP page sits in IIS on my DC, but if moved to a member server it breaks saying "Table Does Not Exist."

I need to have the code work if running on a member server. Can anyone offer any advice?

Code:
<%@ LANGUAGE="VBSCRIPT" %>
<%
'==========================================================================
'
' NAME: showOU.asp 
'
' AUTHOR: Mark D. MacLachlan , Microsoft
' URL: http://www.microsoft.com
' DATE  : 12/13/2004
' COPYWRITE (C) 2004
' COMMENT: 
'
'==========================================================================

Set WSHNetwork = CreateObject("WScript.Network")

userstring = WSHNetwork.UserName
UserOU = SearchOU(userstring)

'************************************************************************
%>

<html>
<head>
<title>Show OU Info</title>
</head>


<body bgcolor="#99CCFF" style="text-align: center" link="#000000" vlink="#000000" alink="#99CCFF">
<%
Response.Write "User is located in:" & UserOU
%>
</body>
</html>
<%

Public Function SearchOU(ByVal vSAN)
    ' Function:     SearchDistinguishedName
    ' Description:  Searches the DistinguishedName for a given SamAccountName
    ' Parameters:   ByVal vSAN - The SamAccountName to search
    ' Returns:      The DistinguishedName Name
    Dim oRootDSE, oConnection, oCommand, oRecordSet

    Set oRootDSE = GetObject("LDAP://rootDSE")
    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Open "Provider=ADsDSOObject;"
    Set oCommand = CreateObject("ADODB.Command")
    oCommand.ActiveConnection = oConnection
    oCommand.CommandText = "<LDAP://" & oRootDSE.get("defaultNamingContext") & _
        ">;(&(objectCategory=User)(samAccountName=" & vSAN & "));distinguishedName, cn;subtree"
    Set oRecordSet = oCommand.Execute
    On Error Resume Next
    
    FullDN = Len(oRecordSet.Fields("DistinguishedName"))
    SubDN = Len(oRecordSet.Fields("cn"))+4
    OULength = FullDN - SubDN
    
    OUString = Right(oRecordSet.Fields("DistinguishedName"),OULength)
    
    SearchOU = OUString
    On Error GoTo 0
    oConnection.Close
    Set oRecordSet = Nothing
    Set oCommand = Nothing
    Set oConnection = Nothing
    Set oRootDSE = Nothing
End Function
%>

Thanks in advance, any help is greatly appreciated.
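
Added example, not part of the original post: SearchOU concatenates the account name directly into the LDAP filter, so any `*`, `(`, `)` or `\` in the value changes what the filter matches. The standalone script below (run with cscript) escapes the value per RFC 4515 before building the same ADO query text; `EscapeLdapFilterValue` and `BuildUserQuery` are hypothetical helper names, and the base DN and account names are constructed sample values.

```vbscript
Option Explicit

' Escape a value for use inside an LDAP search filter (RFC 4515).
' The backslash is replaced first so the escapes added afterwards
' are not escaped a second time.
Function EscapeLdapFilterValue(ByVal sValue)
    Dim s
    s = Replace(sValue, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    EscapeLdapFilterValue = s
End Function

' Build the ADsDSOObject query text in the same
' "<base>;filter;attributes;scope" form that SearchOU uses,
' with the account name escaped. (Hypothetical helper.)
Function BuildUserQuery(ByVal sBaseDN, ByVal sSAN)
    BuildUserQuery = "<LDAP://" & sBaseDN & ">;" & _
        "(&(objectCategory=User)(samAccountName=" & _
        EscapeLdapFilterValue(sSAN) & "));" & _
        "distinguishedName,cn;subtree"
End Function

' Constructed sample inputs: one ordinary name and three that contain
' characters with special meaning inside a filter.
Dim aSamples, sName
aSamples = Array("jdoe", "j*", "doe(temp)", "corp\jdoe")

For Each sName In aSamples
    WScript.Echo sName & " -> " & BuildUserQuery("DC=example,DC=com", sName)
Next
```

In the posted function, the equivalent change is to pass `vSAN` through the escaping helper where the filter string is assembled.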
 
Mark, since I have shamelessly stolen borrowed some of your code for similar purposes, I'll try to offer a hand here. But can you explain what "DC" refers to (I'm sorry but I'm not familiar with the term)?

Also, do you know which line it is erroring out on the member server? Which table it is referring to that does not exist? My initial thought is that the member server is perhaps not properly configured with AD but I have a limited understanding of it so I'd take that with a grain (or ton) of salt...

------------------------------------------------------------------------------------------------------------------------
"Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing ever happened."
- Winston Churchill
 
A DC is a Domain Controller.

If the above posted Function is executed when the page exists in IIS on a DC it will work. Run standalone from a client machine (in a VBS file) it also works. Run as a standalone from the member server it works as well. When used in IIS on a member server it fails.

Near as I can determine the problem is with creating the ADODB connection.

The member server is properly joined to the domain and I have verified DNS is working OK. The standalone test also confirms that the connections from the server to AD are OK. I am unsure if the problem is related to authentication.

I am using NTAuthentication in IIS.

Thanks for any help you can give.



I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Sorry, but here we start to get a little beyond my ken. :-( Perhaps a permissions issue from the member but that's just a WAG. Sorry. Perhaps someone else can offer more insight.

------------------------------------------------------------------------------------------------------------------------
"Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing ever happened."
- Winston Churchill
 
As a test to rule out permissions, perhaps enable anonymous access but then run the page under a domain admin account instead of IUSR_XXXXX. Obviously you don't want to leave it this way but it would be a good test.
 
I had thought the same thing, but the problem with doing that as a test is that the returned results are then for the admin ID and not the User ID.

I am currently working on setting oConnection.Properties for this.

Code:
oConnection.Properties("User ID") = "Domain\administrator"
oConnection.Properties("Password") = "Password1"
oConnection.Properties("ADSI Flag") = &H1 ' Secure Authentication

Error I get with this is that the Read Only Property was not set. Error is on the line for setting the User ID.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 