LDAP Diagnostic Tools



Ldp.exe is a graphical tool that allows users to perform Lightweight Directory Access Protocol (LDAP) operations, such as connect, bind, search, modify, add, and delete, against any LDAP-compatible directory, such as Active Directory™ directory service. LDAP is an Internet-standard wire protocol used by Active Directory.

Many objects stored in Active Directory are not readily displayed by the graphical tools that ship with the retail version of Microsoft® Windows® 2000. Administrators can use Ldp.exe to view these objects and their metadata, such as security descriptors and replication metadata, to aid in problem determination.


Starting Ldp

Ldp Menu Selections

File Menu

Browse Menu

View Menu

Starting Ldp

Ldp.exe can be invoked from the command prompt or from the Start menu Run command. It has a Windows Explorer–like interface, with the scope pane on the left for navigating the Active Directory namespace and the results pane on the right for displaying the results of LDAP operations. Any text displayed in the results pane can be selected with the mouse and copied to the clipboard.

Ldp Menu Selections

Ldp makes extensive use of menu commands to perform the various LDAP operations.

File Menu

Connect
The Connect dialog box allows the user to enter the Domain Controller’s DNS name or IP address and to specify the TCP port. Leaving the server’s name field blank results in a connection to a domain controller in the current logged-on user’s domain. Port 389 is the default port for LDAP and port 3268 is the default port for Active Directory Global Catalog.

Upon successful connection to a domain controller, the RootDSE information will be displayed in the results pane.

Bind
The Bind dialog box allows the user to submit their credentials for authentication during the LDAP session. If these fields are left blank, Ldp will use the credentials of the user who is currently logged on.

Disconnect
This terminates the current connection to the domain controller.


A separate File menu command clears the results pane.

Save/Save As

This saves the contents of the results pane to a text file.

Browse Menu

Add
The Add dialog allows the user to add objects to Active Directory. The full distinguished name of the object must be entered, as well as all the mandatory attributes for the class of object being added.

Delete
The Delete dialog box permits the user to delete any object in Active Directory. The full distinguished name of the object must be entered. If the selected object is a container, the Recursive check box causes Ldp to delete every child object, even a child that is itself a container.

Modify
The Modify dialog box allows the user to modify the attributes of any object stored in the directory. Again, the object's full distinguished name must be entered. The Operation selection permits new values to be added, or existing values to be deleted or replaced.

Modify RDN

The Modify RDN dialog box allows the user to modify (or rename) an object’s relative distinguished name.

This also permits an object to be moved from one container to another.

Search
The Search dialog box allows the user to search Active Directory. The search base must be specified as a distinguished name, and the filter must be a valid LDAP filter. For example, to retrieve all objects with Name1 as their first name and a surname beginning with the letter “S”, the filter would be (&(firstname=Name1)(sn=S*)). To find all objects with a surname of Surname1 or a surname of Surname2, the filter would be (|(sn=Surname1)(sn=Surname2)).
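The two filters above can be checked offline before they are typed into the Search dialog. The following is an added example, not part of the Ldp documentation: a small RFC 4515-style filter parser and evaluator that supports the &, | and ! operators, equality items and '*' substring items, and runs them against constructed in-memory entries rather than a live directory. It assumes case-insensitive matching, as Active Directory applies to string attributes, and does not handle value escaping (\2a and similar), ~=, >= or <=. The entries keep the page's attribute name firstname so the page's filters work unchanged; in Active Directory the LDAP display name of the first-name attribute is givenName.

```python
"""LDAP search-filter evaluator (added example; subset of RFC 4515)."""
from typing import Callable, Dict, List

Entry = Dict[str, List[str]]          # attribute name (lower-case) -> values
Predicate = Callable[[Entry], bool]


def _substring_match(value: str, pattern: str) -> bool:
    """Match an LDAP substring pattern ('S*', '*son', 'a*b*c') against a value."""
    parts = pattern.split("*")
    initial, final, middles = parts[0], parts[-1], parts[1:-1]
    if not value.startswith(initial):
        return False
    value = value[len(initial):]
    if final:
        if not value.endswith(final):
            return False
        value = value[:len(value) - len(final)]
    for piece in middles:             # inner pieces must appear in order
        idx = value.find(piece)
        if idx < 0:
            return False
        value = value[idx + len(piece):]
    return True


def parse_filter(text: str) -> Predicate:
    """Compile a filter string such as '(&(firstname=Name1)(sn=S*))' to a predicate."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def parse() -> Predicate:
        nonlocal pos
        expect("(")
        op = text[pos] if pos < len(text) else ""
        if op in ("&", "|"):                       # AND / OR over sub-filters
            pos += 1
            subs: List[Predicate] = []
            while pos < len(text) and text[pos] == "(":
                subs.append(parse())
            expect(")")
            if op == "&":
                return lambda e: all(s(e) for s in subs)
            return lambda e: any(s(e) for s in subs)
        if op == "!":                              # NOT of a single sub-filter
            pos += 1
            sub = parse()
            expect(")")
            return lambda e: not sub(e)
        end = text.find(")", pos)                  # simple item: attr=value
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"unsupported filter item {text[pos:end]!r}")
        pos = end + 1
        attr_l, value_l = attr.lower(), value.lower()   # AD string matching is case-insensitive
        if "*" in value_l:
            return lambda e: any(_substring_match(v.lower(), value_l) for v in e.get(attr_l, []))
        return lambda e: any(v.lower() == value_l for v in e.get(attr_l, []))

    pred = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return pred


def search(entries: List[Entry], filter_text: str) -> List[str]:
    """Return the cn of every entry the filter selects, in the order supplied."""
    matches = parse_filter(filter_text)
    return [e["cn"][0] for e in entries if matches(e)]


# Constructed sample entries (not real directory data); attribute keys are lower-case.
SAMPLE_ENTRIES: List[Entry] = [
    {"cn": ["Name1 Smith"], "firstname": ["Name1"], "sn": ["Smith"]},
    {"cn": ["Name1 Jones"], "firstname": ["Name1"], "sn": ["Jones"]},
    {"cn": ["Name2 Stone"], "firstname": ["Name2"], "sn": ["Stone"]},
    {"cn": ["Name3 Surname1"], "firstname": ["Name3"], "sn": ["Surname1"]},
    {"cn": ["Name4 Surname2"], "firstname": ["Name4"], "sn": ["Surname2"]},
]

if __name__ == "__main__":
    for f in ("(&(firstname=Name1)(sn=S*))", "(|(sn=Surname1)(sn=Surname2))"):
        print(f, "->", search(SAMPLE_ENTRIES, f))
```

Because the parser raises ValueError on an unbalanced or unsupported filter, it doubles as a syntax check for a filter before it is submitted; a malformed filter sent to a domain controller is simply rejected, but catching it locally is faster than reading the error in the results pane.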

Compare
The Compare dialog box allows the user to compare the value of an object’s attribute with a specified value and returns a result of either true or false.

Extended Operation

The Extended Operation dialog box allows the user to submit an extended LDAP operation to Active Directory by specifying an LDAP Operational ID (OID) and an applicable value.

Security
The Security dialog box permits the user to view the security descriptor that has been placed on an object. This can be useful when attempting to determine the access permissions to an object.

Sample output:

        Type: (5)
        AceSize: 0x28
        AceFlags: (0x0)
        Mask: 0x00000010
        Flags: 0x1
        Object Type:
            (in HEX)(59ba2f42-79a2-11d0-90-20-00-c0-4f-c2-d3-cf)

            NT AUTHORITY\Authenticated Users
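Reading this output requires knowing how the fields map onto the binary ACE. The following added example (not Microsoft's code) decodes an ACCESS_ALLOWED_OBJECT_ACE from its on-the-wire bytes into the same fields Ldp shows. The ACE bytes are constructed here to reproduce the sample above: type 5, 0x28 bytes, Mask 0x10 (ADS_RIGHT_DS_READ_PROP), Flags 0x1 (an object-type GUID is present), the GUID 59ba2f42-79a2-11d0-9020-00c04fc2d3cf, which identifies the General-Information property set, and the SID S-1-5-11 for Authenticated Users. The rights names follow ADS_RIGHTS_ENUM; the well-known SID table is a deliberately tiny subset used only for display.

```python
"""Decode an Active Directory object ACE into the fields Ldp's Security dialog shows (added example)."""
import struct
import uuid
from typing import Any, Dict, Tuple

ACE_TYPE_NAMES = {
    0x00: "ACCESS_ALLOWED_ACE",
    0x01: "ACCESS_DENIED_ACE",
    0x05: "ACCESS_ALLOWED_OBJECT_ACE",
    0x06: "ACCESS_DENIED_OBJECT_ACE",
}
OBJECT_ACE_TYPES = {0x05, 0x06}
ACE_OBJECT_TYPE_PRESENT = 0x1            # bits of the object ACE 'Flags' field
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2

DS_RIGHTS = {                            # subset of ADS_RIGHTS_ENUM
    0x00000001: "ADS_RIGHT_DS_CREATE_CHILD",
    0x00000002: "ADS_RIGHT_DS_DELETE_CHILD",
    0x00000004: "ADS_RIGHT_ACTRL_DS_LIST",
    0x00000008: "ADS_RIGHT_DS_SELF",
    0x00000010: "ADS_RIGHT_DS_READ_PROP",
    0x00000020: "ADS_RIGHT_DS_WRITE_PROP",
    0x00000040: "ADS_RIGHT_DS_DELETE_TREE",
    0x00000080: "ADS_RIGHT_DS_LIST_OBJECT",
    0x00000100: "ADS_RIGHT_DS_CONTROL_ACCESS",
    0x00010000: "ADS_RIGHT_DELETE",
    0x00020000: "ADS_RIGHT_READ_CONTROL",
    0x00040000: "ADS_RIGHT_WRITE_DAC",
    0x00080000: "ADS_RIGHT_WRITE_OWNER",
}
WELL_KNOWN_SIDS = {                      # tiny subset, display only
    "S-1-1-0": "Everyone",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
}


def parse_sid(data: bytes) -> Tuple[str, int]:
    """Parse a binary SID; return its S-1-... string and its length in bytes."""
    revision, sub_count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")          # 48-bit big-endian authority
    subs = struct.unpack_from(f"<{sub_count}I", data, 8)  # little-endian sub-authorities
    return "S-%d-%d%s" % (revision, authority, "".join(f"-{s}" for s in subs)), 8 + 4 * sub_count


def guid_ldp_style(raw: bytes) -> str:
    """Render a 16-byte GUID the way Ldp prints it: data1-data2-data3-b-b-b-b-b-b-b-b."""
    d1, d2, d3 = struct.unpack_from("<IHH", raw)
    return f"{d1:08x}-{d2:04x}-{d3:04x}-" + "-".join(f"{b:02x}" for b in raw[8:16])


def decode_ace(data: bytes) -> Dict[str, Any]:
    """Decode one ACE (header, mask, optional object-type GUIDs, trustee SID)."""
    ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", data, 0)
    if ace_size < 8 or ace_size > len(data):
        raise ValueError("AceSize does not fit the supplied buffer")
    (mask,) = struct.unpack_from("<I", data, 4)
    info: Dict[str, Any] = {
        "type": ace_type, "type_name": ACE_TYPE_NAMES.get(ace_type, "unknown"),
        "ace_flags": ace_flags, "ace_size": ace_size, "mask": mask,
        "rights": [name for bit, name in DS_RIGHTS.items() if mask & bit],
    }
    offset = 8
    if ace_type in OBJECT_ACE_TYPES:
        (flags,) = struct.unpack_from("<I", data, offset)
        offset += 4
        info["flags"] = flags
        for bit, key in ((ACE_OBJECT_TYPE_PRESENT, "object_type"),
                         (ACE_INHERITED_OBJECT_TYPE_PRESENT, "inherited_object_type")):
            if flags & bit:                   # each GUID is present only when its flag is set
                raw = data[offset:offset + 16]
                info[key] = str(uuid.UUID(bytes_le=raw))
                info[key + "_hex"] = guid_ldp_style(raw)
                offset += 16
    sid, sid_len = parse_sid(data[offset:ace_size])
    if offset + sid_len != ace_size:
        raise ValueError("SID length does not match AceSize")
    info["sid"] = sid
    info["trustee"] = WELL_KNOWN_SIDS.get(sid, sid)
    return info


# Constructed ACE (type 5, 0x28 bytes) reproducing the page's sample output.
GENERAL_INFORMATION_PROPERTY_SET = uuid.UUID("59ba2f42-79a2-11d0-9020-00c04fc2d3cf")
AUTHENTICATED_USERS = bytes([1, 1]) + (5).to_bytes(6, "big") + struct.pack("<I", 11)  # S-1-5-11
_body = (struct.pack("<II", 0x10, ACE_OBJECT_TYPE_PRESENT)
         + GENERAL_INFORMATION_PROPERTY_SET.bytes_le + AUTHENTICATED_USERS)
SAMPLE_ACE = struct.pack("<BBH", 0x05, 0x00, 4 + len(_body)) + _body


def format_ace(data: bytes) -> str:
    """Lay the decoded fields out in the order Ldp's Security dialog uses."""
    a = decode_ace(data)
    lines = [f"Type: ({a['type']}) {a['type_name']}", f"AceSize: {a['ace_size']:#x}",
             f"AceFlags: ({a['ace_flags']:#x})", f"Mask: {a['mask']:#010x}  {' | '.join(a['rights'])}"]
    if "flags" in a:
        lines.append(f"Flags: {a['flags']:#x}")
    if "object_type" in a:
        lines.append(f"Object Type: (in HEX)({a['object_type_hex']})")
    lines.append(f"Trustee: {a['trustee']} ({a['sid']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_ace(SAMPLE_ACE))
```

The size arithmetic is the check worth keeping when reviewing permissions: 4 header bytes, 4 mask bytes, 4 flag bytes, one 16-byte GUID and a 12-byte SID account for exactly the 0x28 in the sample, so an object ACE whose AceSize does not match the GUIDs its Flags announce is malformed rather than merely unusual.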

Replication
The Replication dialog box displays the replication metadata for every attribute of an object, such as the attribute ID, the originating and local update sequence numbers (USNs), the GUID of the originating domain controller, and the date/time stamp. This is useful in identifying whether objects have been updated and replicated between domain controllers.

Sample output:

Getting 'cn=Victor Eastman,ou=Sales,dc=antipodes,dc=com' metadata...

53 entries.

[per-attribute metadata table; only the "Originating DSA" column heading and three time stamps of 98-08-03 15:11.22 survived extraction]

View Menu

Tree
The Tree dialog box is used to specify the base object to be displayed in the scope pane. If the base distinguished name is left blank, the tree view is rooted at the current default domain of the logged-on user.

The tree view permits the user to expand and collapse the child objects, and double-clicking on a selected object displays the attributes of that object in the results pane.

Enterprise Configuration

Enterprise Configuration graphically displays all domains and domain controllers in the enterprise. It also indicates whether the domain controllers are online or offline.

© Copyright 1985-1999 Microsoft Corporation. All rights reserved.
