Hi!
I followed the steps of Red Hat document to implement Windows 2000 sync with FDS. After my "initial re-synchronization" process was done, I checked my directory tree.
I saw some entries like "cn=Domain Admins, ou=People, dc=example, dc=com", and it contained "Members/Static Group - uid=Administrator, , ou=People, dc=example, dc=com"
in its properties. But I could not find the real entry dn named "uid=Administrator, , ou=People, dc=example, dc=com" in my ds tree. Is it the correct result? Or I did
something wrong with configuration. Please tell me how to fix the problem. Thanks a lot.
Regards Joe Yu
I got the same result when i did it .I guess its normal
On 10/26/05, joe joe@openpower.com.tw wrote:
Hi!
I followed the steps of Red Hat document to implement Windows 2000 sync with FDS. After my "initial re-synchronization" process was done, I checked my directory tree.
I saw some entries like "cn=Domain Admins, ou=People, dc=example, dc=com", and it contained "Members/Static Group - uid=Administrator, , ou=People, dc=example, dc=com"
in its properties. But I could not find the real entry dn named "uid=Administrator, , ou=People, dc=example, dc=com" in my ds tree. Is it the correct result? Or I did
something wrong with configuration. Please tell me how to fix the problem. Thanks a lot.
Regards Joe Yu -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- Thanks and Regards Nabeel Moidu System Administrator OnMobile System Inc Bangalore, India www.onmobile.com http://www.onmobile.com
If we don't believe in freedom of expression for people we despise, we don't believe in it at all. Noam Chomsky
joe wrote:
Hi!
I followed the steps of Red Hat document to implement Windows 2000 sync with FDS. After my "initial re-synchronization" process was done, I checked my directory tree.
I saw some entries like "cn=Domain Admins, ou=People, dc=example, dc=com", and it contained "Members/Static Group - uid=Administrator, , ou=People, dc=example, dc=com"
in its properties. But I could not find the real entry dn named "uid=Administrator, , ou=People, dc=example, dc=com" in my ds tree. Is it the correct result? Or I did
something wrong with configuration. Please tell me how to fix the problem. Thanks a lot.
I think it's ok. Administrator is a "pseudo" user - it's only used for Windows domain administration. I don't think it follows the schema for a user. Does the Administrator entry have a full name or a surname? There are other pseudo users that fall into this category, such as the kerberos kdc user. You could probably fill in the missing attributes and make it sync over, but it doesn't really matter unless you want to use the Administrator entry on unix.
Regards Joe Yu
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Rich Megginson wrote:
I think it's ok. Administrator is a "pseudo" user - it's only used for Windows domain administration. I don't think it follows the schema for a user. Does the Administrator entry have a full name or a surname? There are other pseudo users that fall into this category, such as the kerberos kdc user. You could probably fill in the missing attributes and make it sync over, but it doesn't really matter unless you want to use the Administrator entry on unix.
True (in fact, the special users in AD are not supposed to get sync'ed at all), but I'm puzzled about the group member being sync'ed. By design, only group members that are also already present in the peer directory should be sync'ed. Therefore, if things are working to plan, the Administrator user should not be sync'ed, and neither should any group member that has its DN.
於 三,2005-10-26 於 08:44 -0600,David Boreham 提到:
Rich Megginson wrote:
I think it's ok. Administrator is a "pseudo" user - it's only used for Windows domain administration. I don't think it follows the schema for a user. Does the Administrator entry have a full name or a surname? There are other pseudo users that fall into this category, such as the kerberos kdc user. You could probably fill in the missing attributes and make it sync over, but it doesn't really matter unless you want to use the Administrator entry on unix.
True (in fact, the special users in AD are not supposed to get sync'ed at all), but I'm puzzled about the group member being sync'ed. By design, only group members that are also already present in the peer directory should be sync'ed. Therefore, if things are working to plan, the Administrator user should not be sync'ed, and neither should any group member that has its DN.
Thanks for all of these answers. But I still have a problem with it. I try to add some users in my AD and fill their property values, such as full name, surname. Then I invoke sync process again and check my directory tree in my FDS. It still have no user sync from AD. What's wrong with it? Do I miss something important?
Regards Joe
You did the full synchronization first? Did it go to completion? If not, were there any errors in the error log? If so, did you wait 5 minutes (the default) for the users to be sync'd from AD to FDS after making the updates on AD? You should also be able to do the Send Updates Now from the console to pick up the changes.
joe wrote:
於 三,2005-10-26 於 08:44 -0600,David Boreham 提到:
Rich Megginson wrote:
I think it's ok. Administrator is a "pseudo" user - it's only used for Windows domain administration. I don't think it follows the schema for a user. Does the Administrator entry have a full name or a surname? There are other pseudo users that fall into this category, such as the kerberos kdc user. You could probably fill in the missing attributes and make it sync over, but it doesn't really matter unless you want to use the Administrator entry on unix.
True (in fact, the special users in AD are not supposed to get sync'ed at all), but I'm puzzled about the group member being sync'ed. By design, only group members that are also already present in the peer directory should be sync'ed. Therefore, if things are working to plan, the Administrator user should not be sync'ed, and neither should any group member that has its DN.
Thanks for all of these answers. But I still have a problem with it. I try to add some users in my AD and fill their property values, such as full name, surname. Then I invoke sync process again and check my directory tree in my FDS. It still have no user sync from AD. What's wrong with it? Do I miss something important?
Regards Joe
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
joe wrote:
I followed the steps of Red Hat document to implement Windows 2000 sync with FDS. After my "initial re-synchronization" process was done, I checked my directory tree.
I saw some entries like "cn=Domain Admins, ou=People, dc=example, dc=com", and it contained "Members/Static Group - uid=Administrator, , ou=People, dc=example, dc=com"
in its properties. But I could not find the real entry dn named "uid=Administrator, , ou=People, dc=example, dc=com" in my ds tree. Is it the correct result? Or I did
This looks wrong. The double comma in the DN should be illegal.
I don't believe this is a known problem -- I've never seen this particular issue reported before.
Do you otherwise get correct sync results ? i.e. do your regular users and groups get sync'ed ok ?
If you enable replication logging, then run a re-sync, there will probably be something in the error log pertaining to this entry. That might tell us what's going wrong.
389-users@lists.fedoraproject.org