
Active Directory Cookbook by Robbie Allen


4.1. Viewing the RootDSE

Problem

You want to view attributes of the RootDSE, which can be useful for discovering basic information about a forest, domain, or domain controller.

Solution

Using a graphical user interface

  1. Open LDP.

  2. From the menu, select Connection → Connect.

  3. For Server, enter a domain controller, domain name, or leave blank to do a serverless bind.

  4. For Port, enter 389.

  5. Click OK.

  6. The contents of the RootDSE will be shown in the right pane.

Using a command-line interface

> enumprop "LDAP://RootDSE"

Using VBScript

' This code prints the attributes of the RootDSE
' Serverless bind: the DC Locator picks a domain controller for us
set objRootDSE = GetObject("LDAP://RootDSE")
' Load every attribute of the RootDSE into the local property cache
objRootDSE.GetInfo
' Walk the cache one property entry at a time
for i = 0 to objRootDSE.PropertyCount - 1 
    set strProp = objRootDSE.Item(i)
    WScript.Echo strProp.Name & " "
    ' Multivalued attributes (e.g. namingContexts) hold several values
    for each strPropval in strProp.Values
       WScript.Echo "  " &  strPropval.CaseIgnoreString
    next
next

Discussion

The RootDSE was originally defined in RFC 2251 as part of the LDAPv3 specification. It is not part of the Active Directory namespace per se. It is a synthetic object that is maintained separately by each domain controller.

The RootDSE can be accessed anonymously, and in fact, none of the three solutions used credentials. In the CLI and VBScript solutions, I used serverless binds against the RootDSE. In that case, the DC Locator process is used to find a domain controller in the domain you authenticate against. This can also be accomplished with LDP by leaving the server name blank in the Connect dialog box.

The RootDSE is key to writing portable AD-enabled applications. It provides a mechanism to programmatically determine the distinguished names of the various naming contexts among other things, which means you do not need to hardcode that information in scripts and programs. Here is an example from LDP when run against a Windows Server 2003-based domain controller:

ld = ldap_open("dc01", 389);
Established connection to dc01.
Retrieving base DSA information . . . 
Result <0>: (null)
Matched DNs: 
Getting 1 entries:
>> Dn: 
1> currentTime: 05/26/2003 15:29:42 Pacific Standard Time Pacific Daylight Time; 

1> subschemaSubentry:CN=Aggregate,CN=Schema,CN=Configuration,DC=rallencorp,DC=com; 

1> dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rallencorp,DC=com; 

5> namingContexts: DC=rallencorp,DC=com; CN=Configuration,DC=rallencorp,DC=com; 
CN=Schema,CN=Configuration,DC=rallencorp,DC=com; 
DC=DomainDnsZones,DC=rallencorp,DC=com; DC=ForestDnsZones,DC=rallencorp,DC=com; 

1> defaultNamingContext: DC=rallencorp,DC=com; 

1> schemaNamingContext: CN=Schema,CN=Configuration,DC=rallencorp,DC=com; 

1> configurationNamingContext: CN=Configuration,DC=rallencorp,DC=com; 

1> rootDomainNamingContext: DC=rallencorp,DC=com; 

21> supportedControl: 1.2.840.113556.1.4.319; 1.2.840.113556.1.4.801; 1.2.840.113556.
1.4.473; 1.2.840.113556.1.4.528; 1.2.840.113556.1.4.417; 1.2.840.113556.1.4.619; 1.2.
840.113556.1.4.841; 1.2.840.113556.1.4.529; 1.2.840.113556.1.4.805; 1.2.840.113556.1.
4.521; 1.2.840.113556.1.4.970; 1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474; 1.2.
840.113556.1.4.1339; 1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413; 2.16.840.1.
113730.3.4.9; 2.16.840.1.113730.3.4.10; 1.2.840.113556.1.4.1504; 1.2.840.113556.1.4.
1852; 1.2.840.113556.1.4.802; 

2> supportedLDAPVersion: 3; 2; 

12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; 
InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; 
MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn; MaxValRange; 

1> highestCommittedUSN: 53242; 

4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5; 

1> dnsHostName: dc01.rallencorp.com; 

1> ldapServiceName: rallencorp.com:dc01$@RALLENCORP.COM; 

1> serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rallencorp,DC=com; 

3> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1670; 1.2.840.
113556.1.4.1791; 

1> isSynchronized: TRUE; 

1> isGlobalCatalogReady: TRUE; 

1> domainFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 ); 

1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 ); 

1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );

Using VBScript

All attributes of the RootDSE were retrieved and displayed. Typically, you will need only a few of the attributes, in which case you’ll want to use Get or GetEx as in the following example:

strDefaultNC = objRootDSE.Get("defaultNamingContext")

Or if you want to get an object based on the distinguished name (DN) of one of the naming contexts, you can call GetObject using an ADsPath:

set objUser = GetObject("LDAP://cn=administrator,cn=users," & _
                        objRootDSE.Get("defaultNamingContext") )
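The same pattern in PowerShell, as an added example that is not from the book: it reads the RootDSE through ADSI (the interface the VBScript solution uses), derives the naming-context DNs instead of hardcoding them, and labels the functional-level integers shown in the LDP output. It assumes a domain-joined Windows host and, like the recipe, a serverless, credential-free bind.

```powershell
# Added example (not from the book): read the RootDSE over ADSI and derive DNs from it.
# Assumes a domain-joined Windows host; the serverless bind lets the DC Locator pick a DC.
$rootDSE = [ADSI]"LDAP://RootDSE"

# Each naming context this DC holds (domain, Configuration, Schema, DNS application partitions)
$rootDSE.namingContexts | ForEach-Object { "namingContext: $_" }

# The same values the VBScript obtains with objRootDSE.Get(...)
$defaultNC = $rootDSE.defaultNamingContext.Value
$configNC  = $rootDSE.configurationNamingContext.Value
$schemaNC  = $rootDSE.schemaNamingContext.Value
"defaultNamingContext: $defaultNC"
"configurationNamingContext: $configNC"
"schemaNamingContext: $schemaNC"

# Functional levels come back as integers; the LDP output above shows 0 (2000) and 2 (2003)
$levelNames = @{
    0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2'; 5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'; 7 = 'Windows Server 2016'
}
foreach ($attr in 'domainFunctionality', 'forestFunctionality', 'domainControllerFunctionality') {
    $level = [int]$rootDSE.$attr.Value
    $name  = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { 'newer level' }
    "{0}: {1} ({2})" -f $attr, $level, $name
}

# Build a DN under the domain NC from the discovered value, mirroring the GetObject call above
$admin = [ADSI]"LDAP://CN=Administrator,CN=Users,$defaultNC"
"Bound to: $($admin.distinguishedName)"
```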

See Also

RFC 2251, MS KB 219005 (Windows 2000: LDAPv3 RootDSE), MSDN: IADsPropertyEntry, MSDN: IADsPropertyValue, MSDN: IADs::Get, and MSDN: IADs::GetEx
