joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

AdFind -ASQ and Unavailable Critical Extension

by @ 10:13 pm on 2/1/2007. Filed under tech

So one of my old MCS friends who is no longer with MCS and is now doing real admin work has admitted that he loves AdFind and depends on it daily. That makes me smile. What makes me smile even more is when he runs into things that I used to bitch about to him when he was with MSFT and he would just respond with “quit your bitchin!”. Who’s bitchin now??? I especially like hearing things like… Oh MSFT wouldn’t have done it that way, that would be stupid… Especially when I know for a fact, that is exactly how it was done because I have dealt with it…

Anyway, back on topic, my friend brought up an issue he encountered… Basically he was trying to use -ASQ (Attribute Scoped Queries) to retrieve the display names of the members of the Domain User’s group. When he did that he was getting Unavailable Critical Extension. Now this error can mean several things but the most obvious thing is that the functionality you are requesting isn’t built into the directory that you are querying. This was exactly the case here, he was querying a Windows 2000 Domain Controller which doesn’t have the ASQ capability. I had to ask what his specific query he was doing though because there are times where the capability is available but you have run into another issue. The most common other issue I tend to hear about is usually that you have overloaded tempDB with a query that has a sort involved. The way around that is through some special indexing or just not doing that. 🙂

Of course there is another issue with using Attribute Scoped Queries with the Domain User’s group… Do you know what it is?

There are actually quite a few caveats and issues that can pop with ASQ and the new K3 SP2 / Longhorn functionality which allows you to recursively query up through group memberships in a single call (see http://msdn2.microsoft.com/en-us/library/aa746475.aspx and look at LDAP_MATCHING_RULE_IN_CHAIN – AdFind exposes this with :INCHAIN: or :NEST:) that I need to write up to discuss with you folks. I will make a note of it. I have written about it in other forums but never brought it back here so people (including me) can always find it.

Rating 3.00 out of 5

2 Responses to “AdFind -ASQ and Unavailable Critical Extension”

  1. Darren says:

    I have been trying to use LDAP_MATCHING_RULE_IN_CHAIN in a Windows 2003 (SP1) domain query.

    Set rs = conn.Execute( _
    “;” & _
    “(memberOf:1.2.840.113556.1.4.1941:=CN=dkA,OU=TestGroups,DC=42,DC=local);cn;subtree” )

    I get no results, no matter what I set for the scope.
    Am I missing something obvious? I have tried with many LDAP search tools. Thanks

  2. joe says:

    That control isn’t available until K3 SP2.

[joeware – never stop exploring… :) is proudly powered by WordPress.]