Familiar with Service Connection Point objects? This is an object in AD that is published by various services so people/processes can find them. For example, by default ADAM will publish a service connection point object in AD so you can easily track down the instances; it will look something like
dn:CN={04c817c7-46a4-4a0e-b258-c2bd69c00f78},CN=2K3UTL01,CN=Computers,DC=test,DC=loc
>objectClass: top
>objectClass: joeware-ServerClass
>objectClass: leaf
>objectClass: connectionPoint
>objectClass: serviceConnectionPoint
>cn: {04c817c7-46a4-4a0e-b258-c2bd69c00f78}
>distinguishedName: CN={04c817c7-46a4-4a0e-b258-c2bd69c00f78},CN=2K3UTL01,CN=Computers,DC=test,DC=loc
>instanceType: 4
>whenCreated: 20070614062433.0Z
>whenChanged: 20080529030556.0Z
>uSNCreated: 797021
>uSNChanged: 1285616
>showInAdvancedViewOnly: TRUE
>name: {04c817c7-46a4-4a0e-b258-c2bd69c00f78}
>objectGUID: {D63DD350-B13F-47FA-8503-911D44EFE7C1}
>keywords: partition:O=testpart
>keywords: 802b7d6e-78da-40f3-8db6-cdc3318b3784
>keywords: partition:CN=Configuration,CN={F0415E15-15F1-4777-81D7-0B4E9FAD7921}
>keywords: cb6b3b7b-6447-498e-a62f-e4a80b1ce3aa
>keywords: fsmo:naming
>keywords: fsmo:schema
>keywords: instance:instance1
>keywords: site:Default-First-Site-Name
>keywords: 1.2.840.113556.1.4.1791
>keywords: 1.2.840.113556.1.4.1851
>keywords: 04c817c7-46a4-4a0e-b258-c2bd69c00f78
>serviceClassName: LDAP
>serviceBindingInformation: ldaps://2k3utl01.test.loc:636
>serviceBindingInformation: ldap://2k3utl01.test.loc:389
>serviceDNSName: 2k3utl01.test.loc
>serviceDNSNameType: A
>objectCategory: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=test,DC=loc
>dSCorePropagationData: 20080818161307.0Z
>dSCorePropagationData: 20080426152208.0Z
>dSCorePropagationData: 20071208191953.0Z
>dSCorePropagationData: 16010101181633.0Z
This is pretty useful information when searching for ADAM instances, especially in a large org with thousands or hundreds of thousands of machines. One of the really useful items is the serviceClassName attribute which tells you the type of service you are dealing with…. For an ADAM instance, or likely anything that publishes an LDAP serviceConnectionPoint object, the serviceClassName is LDAP… Great, so I can do a search of my forest looking for all SCP objects with serviceClassName=LDAP and that should give me a first cut at ADAM machines…. Ummm no.
Why not? Because serviceClassName isn’t in the partial attribute set (aka PAS aka Global Catalog)…. why not???? It is a small attribute and would be immensely useful there.
So take it from me… just add that attribute to the PAS (it is a schema change, so you need Schema Admins rights) via
adfind -sc s:serviceclassname -dsq | admod isMemberOfPartialAttributeSet::TRUE
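As an added example (not code from the original post), here is a small Python parser for the AdFind output layout shown above that inventories the SCPs advertising LDAP and separately reports objects that came back without serviceClassName, which is what a GC search returns until the attribute is in the PAS. The sample dump is constructed: a trimmed copy of the ADAM SCP above plus two made-up objects (APP01, APP02).

```python
from collections import defaultdict

# Constructed sample in AdFind's layout ('dn:<DN>', then '>attr: value' per value):
# a trimmed copy of the post's ADAM SCP, a made-up non-LDAP SCP, and an SCP that
# came back without serviceClassName (what a GC search yields while it is not in the PAS).
SAMPLE = """\
dn:CN={04c817c7-46a4-4a0e-b258-c2bd69c00f78},CN=2K3UTL01,CN=Computers,DC=test,DC=loc
>objectClass: serviceConnectionPoint
>serviceClassName: LDAP
>serviceBindingInformation: ldaps://2k3utl01.test.loc:636
>serviceBindingInformation: ldap://2k3utl01.test.loc:389
>serviceDNSName: 2k3utl01.test.loc

dn:CN=OtherSvc,CN=APP01,CN=Computers,DC=test,DC=loc
>objectClass: serviceConnectionPoint
>serviceClassName: FooService

dn:CN=NoClass,CN=APP02,CN=Computers,DC=test,DC=loc
>objectClass: serviceConnectionPoint
"""

def parse_adfind(text):
    """One {attr: [values]} dict per object; attr names lower-cased (LDAP is case-insensitive)."""
    objects, current = [], None
    for line in text.splitlines():
        if line.startswith("dn:"):
            current = defaultdict(list)
            current["dn"].append(line[3:].strip())
            objects.append(current)
        elif line.startswith(">") and current is not None:
            # split on the first colon only: 'ldaps://host:636' carries a colon of its own
            attr, _, value = line[1:].partition(":")
            current[attr.strip().lower()].append(value.strip())
    return [dict(o) for o in objects]

def ldap_scps(objects):
    """Return (inventory of SCPs with serviceClassName=LDAP, DNs lacking the attribute)."""
    found, unknown = [], []  # the second list keeps the PAS gap visible instead of dropping it
    for obj in objects:
        cls = obj.get("serviceclassname")
        if cls is None:
            unknown.append(obj["dn"][0])
        elif cls[0].upper() == "LDAP":
            found.append({
                "dn": obj["dn"][0],
                "host": obj.get("servicednsname", [None])[0],
                "bindings": obj.get("servicebindinginformation", []),
            })
    return found, unknown
```

Feed it the output of an adfind run against the GC (before the PAS change) and the second list shows exactly which SCPs you cannot classify from the GC alone.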
Do you have a simple way to create SCPs that didn’t get created when a service (MSSQLSVC in my case) was installed by an underprivileged account? I have no SCPs or SPNs on the SQL servers that are being used here. Something simple and foolproof would be nice! 🙂