Recipe 10.15 Finding the Nonreplicated and Constructed Attributes

10.15.1 Problem

You want to find the attributes that are not replicated between domain controllers or that are constructed by Active Directory.

10.15.2 Solution

10.15.2.1 Using a graphical user interface
  1. Open LDP.

  2. From the menu, select Connection → Connect.

  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

  4. For Port, enter 389.

  5. Click OK.

  6. From the menu, select Connection → Bind.

  7. Enter credentials of a domain user.

  8. Click OK.

  9. From the menu, select Browse → Search.

  10. For BaseDN, type the Schema Container DN (e.g., cn=schema,cn=configuration,dc=rallencorp,dc=com).

  11. For Scope, select One Level.

  12. To find nonreplicated attributes, use the following for Filter:

    (&(objectcategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))

  13. To find constructed attributes, use the following for Filter:

    (&(objectcategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))

  14. Click Run.

10.15.2.2 Using a command-line interface

To find the nonreplicated attributes, use the following command:

> dsquery * cn=schema,cn=configuration,<ForestRootDN> -scope onelevel -attr "cn" -filter "(&(objectcategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))"

To find the constructed attributes, use the following command:

> dsquery * cn=schema,cn=configuration,<ForestRootDN> -scope onelevel -attr "cn" -filter "(&(objectcategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))"

10.15.2.3 Using VBScript

' This script will print out the nonreplicated and constructed attributes
' Locate the schema naming context via RootDSE so the script works in any forest
set objRootDSE = GetObject("LDAP://RootDSE")
strBase    = "<LDAP://" & objRootDSE.Get("SchemaNamingContext") & ">;"
' Bitwise-AND match (OID 1.2.840.113556.1.4.803): systemFlags bit 1 = not replicated
strFilter  = "(&(objectcategory=attributeSchema)" _
           & "(systemFlags:1.2.840.113556.1.4.803:=1));"
strAttrs   = "cn;"
strScope   = "onelevel"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
' MoveFirst raises an error on an empty recordset, so only call it when rows exist
if Not objRS.EOF then objRS.MoveFirst
WScript.Echo "Nonreplicated attributes: "
while Not objRS.EOF
    WScript.Echo "  " & objRS.Fields(0).Value
    objRS.MoveNext
wend

' Same query, but systemFlags bit 4 = constructed by Active Directory
strFilter = "(&(objectcategory=attributeSchema)" _
          & "(systemFlags:1.2.840.113556.1.4.803:=4));"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
if Not objRS.EOF then objRS.MoveFirst
WScript.Echo ""
WScript.Echo "Constructed attributes: "
while Not objRS.EOF
    WScript.Echo "  " & objRS.Fields(0).Value
    objRS.MoveNext
wend

10.15.3 Discussion

The systemFlags attribute of attributeSchema objects defines a few special attribute properties, including whether an attribute is not replicated between domain controllers and whether it is dynamically constructed by Active Directory.

Most attributes are replicated after they are updated on an object, but some never replicate between domain controllers. These attributes are considered nonreplicated. An example of a nonreplicated attribute you may be familiar with is the lastLogon attribute that stores the last logon timestamp for user and computer objects. Whenever a user or computer logs in to Active Directory, the authenticating domain controller updates the user or computer's lastLogon attribute, but the update does not get replicated out to other domain controllers.

Constructed attributes are automatically maintained by Active Directory and cannot be set manually. A good example of a constructed attribute is the new msDS-Approx-Immed-Subordinates that is available in Windows Server 2003. That attribute contains the approximate number of child objects within a container. Obviously this attribute wouldn't be of much value if you had to maintain it, so Active Directory does it automatically.

One of the downsides to constructed attributes is that you cannot search against them. For example, I cannot perform a search to find all containers that have more than 10 objects in them (i.e., msDS-Approx-Immed-Subordinates>10). This would return an operations error. Constructed attributes can only be returned as part of the attribute set for a query and not used as part of the query itself.

To find the nonreplicated or constructed attributes you have to use a bitwise LDAP filter (the LDAP_MATCHING_RULE_BIT_AND matching rule, OID 1.2.840.113556.1.4.803) against attributeSchema objects. A bit value of 1 in systemFlags indicates the attribute is nonreplicated and a value of 4 indicates the attribute is constructed. Because systemFlags holds several flags at once, a plain equality filter such as (systemFlags=1) would miss attributes that also have other bits set; the bitwise rule matches whenever the requested bits are present.
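To show why the recipe's filters need the bitwise-AND rule rather than plain equality, here is an added example (not from the book) that evaluates those same LDAP filters against a constructed, in-memory sample of schema entries; SAMPLE_SCHEMA, its cn names and its systemFlags values are made up for illustration, and objectCategory is shortened to the class name the filter uses.

```python
import re

# Matching-rule OIDs AD accepts in extensible-match filters (attr:OID:=value).
BIT_AND = "1.2.840.113556.1.4.803"   # every bit of the value must be set
BIT_OR = "1.2.840.113556.1.4.804"    # at least one bit of the value must be set

# Constructed sample. systemFlags is a signed 32-bit integer in AD, so an entry
# with the 0x80000000 bit set comes back negative; the last row models that case.
SAMPLE_SCHEMA = [
    {"cn": "Last-Logon", "objectCategory": "attributeSchema", "systemFlags": 17},   # 0x10 | 0x01
    {"cn": "ms-DS-Approx-Immed-Subordinates", "objectCategory": "attributeSchema", "systemFlags": 20},  # 0x10 | 0x04
    {"cn": "Description", "objectCategory": "attributeSchema", "systemFlags": 16},  # 0x10 only
    {"cn": "Top", "objectCategory": "classSchema", "systemFlags": 16},              # not an attribute
    {"cn": "Sample-Undeletable", "objectCategory": "attributeSchema", "systemFlags": -2147483647},  # 0x80000001
]

def _parse(f, i=0):
    """Parse the filter component at f[i] == '('; return (node, index after its ')')."""
    if f[i + 1] in "&|!":                      # (&...), (|...), (!...)
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = f.index(")", i)
    attr, value = f[i + 1:j].split("=", 1)
    m = re.fullmatch(r"([^:]+):([\d.]+):", attr)   # extensible match: attr:OID:=value
    if m:
        return ("ext", m.group(1), m.group(2), value), j + 1
    return ("eq", attr, value), j + 1

def _get(entry, attr):
    """LDAP attribute names are case-insensitive (objectcategory == objectCategory)."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), None)

def _matches(node, entry):
    kind = node[0]
    if kind == "&": return all(_matches(k, entry) for k in node[1])
    if kind == "|": return any(_matches(k, entry) for k in node[1])
    if kind == "!": return not _matches(node[1][0], entry)
    if kind == "eq": return str(_get(entry, node[1])).lower() == node[2].lower()
    _, attr, oid, value = node
    raw = _get(entry, attr)
    if raw is None:                            # an absent attribute never matches
        return False
    bits, mask = int(raw) & 0xFFFFFFFF, int(value) & 0xFFFFFFFF   # two's complement -> u32
    if oid == BIT_AND: return bits & mask == mask
    if oid == BIT_OR: return bits & mask != 0
    raise ValueError("unsupported matching rule " + oid)

def search(ldap_filter, entries=SAMPLE_SCHEMA):
    """Return the cn of every entry the filter selects, in input order."""
    node, _ = _parse(ldap_filter)
    return [e["cn"] for e in entries if _matches(node, e)]

NONREPLICATED = "(&(objectcategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))"
CONSTRUCTED = "(&(objectcategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))"
```

Running search(NONREPLICATED) and search(CONSTRUCTED) picks out the sample entries with the right bit even though none of them has systemFlags equal to exactly 1 or 4, while search("(systemFlags=1)") returns nothing.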

10.15.4 See Also

Recipe 4.9 for searching with a bitwise filter


Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
Year: 2006
Pages: 456