In my earlier post, I showed how to add an attribute to the Partial Attribute Set in Active Directory. But how can you tell which attributes are already part of the Partial Attribute Set in the first place? You can certainly check each one manually, but that will take forever. Is there any other way that's more convenient?
In fact, let me show you two ways to do it that will make life a great deal easier.
USING LDP
The LDP utility (ldp.exe) is a graphical LDAP client for Active Directory that lets you run very granular searches against any part of your directory. It first shipped in the Windows 2000 Support Tools, and on Windows Server 2008 it is installed for you whenever the Active Directory Domain Services role (or the AD DS administration tools) is installed on the server.
To use LDP to list the attributes in your Schema that belong to the Partial Attribute Set, take the following steps:
At this point, your information should be similar to the following:
Once you select OK, you will see the RootDSE information on the right-hand screen. This information contains the top-level information about your directory and can be useful in understanding the basics of your directory structure.
At this point, you've connected, but you still need to authenticate to Active Directory, so you'll do an LDAP Bind.
If you get any other type of message, you likely have not used the right credentials and will need to get that resolved.
At this point, you have connected to your DC and have successfully completed an LDAP bind to authenticate against the directory. Now it's time to do what we came for.
To use LDP to find out which attributes belong to the Partial Attribute Set, take the following steps:
An example of how this might look is shown below:
When your query runs, every attributeSchema object whose isMemberOfPartialAttributeSet attribute is TRUE, which is to say every attribute in the Partial Attribute Set, will be displayed. Which attributes of each of these schema objects (yes, attributes of an attribute!) are shown depends on which ones you entered in the attribute list of the Search window.
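The same search, run from PowerShell instead of the LDP window so it can be scripted or scheduled. This is an added example, not code from the original post: it uses System.DirectoryServices directly rather than the ActiveDirectory module, and it assumes a domain-joined machine running as a user who can read the Schema naming context (any authenticated domain user can, by default). The base DN is read from RootDSE exactly as you would read it off LDP's right-hand pane after connecting.

```powershell
# Added example: list the attributes in the Partial Attribute Set using the
# same base DN, scope, filter and attribute list the LDP walkthrough uses.
# Not the post's own code; assumes a domain-joined machine and default schema ACLs.

# 1. RootDSE gives us the Schema naming context and the DC we landed on
#    (this is the information LDP shows right after Connect).
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.schemaNamingContext.Value   # e.g. CN=Schema,CN=Configuration,DC=contoso,DC=com
$dnsHost  = $rootDse.dnsHostName.Value

# 2. Build the search. attributeSchema objects sit directly under the Schema
#    container, so OneLevel is enough; the filter keeps only PAS members.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$dnsHost/$schemaNc"
$searcher.SearchScope = 'OneLevel'
$searcher.Filter      = '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))'
$searcher.PageSize    = 1000   # page the result so the DC's MaxPageSize (1000 by default) cannot truncate it
[void]$searcher.PropertiesToLoad.AddRange(@('lDAPDisplayName', 'attributeID', 'isMemberOfPartialAttributeSet'))

# 3. Run it. Each SearchResult is one schema attribute; these are the attributes
#    a Global Catalog replicates for every object in the forest.
$results = $searcher.FindAll()
$results | ForEach-Object {
    [pscustomobject]@{
        lDAPDisplayName = $_.Properties['ldapdisplayname'][0]
        attributeID     = $_.Properties['attributeid'][0]
        inPAS           = [bool]$_.Properties['ismemberofpartialattributeset'][0]
    }
} | Sort-Object lDAPDisplayName | Format-Table -AutoSize

"{0} attributes are in the Partial Attribute Set on {1}" -f $results.Count, $dnsHost
$results.Dispose()
```

The filter is the one you type into LDP's Search window; the property names are the attribute list. If you drop the PageSize line, a forest with more PAS members than the DC's MaxPageSize will return a silently truncated list, which is exactly the kind of quiet failure that makes a manual audit of the Partial Attribute Set unreliable.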
USING LDIFDE
If you'd prefer to work from the command line, you can also use the LDIFDE tool to query Active Directory for this information. The content of the query is largely the same as outlined above, though you'll need to know how to use LDIFDE (in the long run, however, knowing LDIFDE will save you loads of time as an AD Administrator, so I highly recommend it).
If you're going to query Active Directory via LDIFDE, open a command prompt (you'll once again need to make sure you are using elevated credentials) and type the following:
LDIFDE -s <fully qualified server name> -d <Base DN> -r <LDAP search filter> -l <comma-separated list of attributes to export> -f <file the results will be written to>
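A worked version of that syntax, wrapped in PowerShell so the exported LDIF is turned back into objects you can filter or compare between DCs. This is an added example and not the post's own command: the server name dc01.contoso.com and the output path are placeholders, ldifde.exe is assumed to be on the path (it is on any DC or server with the AD DS tools), and the prompt is assumed to be elevated as the post requires.

```powershell
# Added example (not from the original post): run LDIFDE against the Schema NC
# with the PAS filter, then parse the LDIF it writes.
# dc01.contoso.com is a placeholder; substitute your own DC.

$server   = 'dc01.contoso.com'                                             # -s
$schemaNc = ([ADSI]"LDAP://$server/RootDSE").schemaNamingContext.Value     # -d, read from RootDSE rather than typed
$outFile  = Join-Path $env:TEMP 'pas-attributes.ldf'                       # -f

# -r takes an LDAP filter; quote it so the shell does not mangle the parentheses.
# -p OneLevel limits the export to objects directly under the Schema container.
& ldifde.exe -s $server -d $schemaNc -p OneLevel `
    -r '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -l 'lDAPDisplayName,attributeID,isMemberOfPartialAttributeSet' `
    -f $outFile
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }

# Minimal LDIF reader: records are separated by blank lines, each line is
# "name: value", long lines are folded onto continuation lines that start with
# a space, and values LDIFDE considers non-printable are base64 ("name:: value").
function ConvertFrom-Ldif {
    param([string[]]$Lines)

    # Unfold continuation lines first so the regexes below see whole values.
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $line.Substring(1)
        } else {
            $unfolded.Add($line)
        }
    }

    $record = @{}
    foreach ($line in $unfolded + '') {        # trailing '' flushes the last record
        if ($line -eq '') {
            if ($record.Count) { [pscustomobject]$record; $record = @{} }
            continue
        }
        if ($line -match '^([^:]+)::\s*(.*)$') {
            $record[$Matches[1]] = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Matches[2]))
        } elseif ($line -match '^([^:]+):\s*(.*)$') {
            $record[$Matches[1]] = $Matches[2]
        }
    }
}

$pas = ConvertFrom-Ldif (Get-Content $outFile) | Where-Object { $_.lDAPDisplayName }
$pas | Sort-Object lDAPDisplayName | Format-Table lDAPDisplayName, attributeID -AutoSize
"{0} attributes exported from {1} to {2}" -f @($pas).Count, $server, $outFile
```

Because the output is a plain LDIF file, the same export taken from two Global Catalog servers can be diffed to confirm that a PAS change you made with the method in the earlier post has actually replicated, which is the check you want before relying on a new attribute in GC lookups.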
On my server, the command looks as follows:
Whichever method you choose, you'll find that both LDP and LDIFDE have numerous uses in your day-to-day work as an Active Directory Administrator. This is just one example of how valuable these tools can be, and all of us would be wise to familiarize ourselves with both of them if we're to get the most out of our efforts to support an Active Directory infrastructure.