
Troubleshooting Active Directory / LDAP

Overview

When MailEssentials is installed on a machine that is joined to an Active Directory domain or is configured to retrieve the list of users from a remote Active Directory domain, a number of modules depend on the AD / LDAP server to function properly.

This article provides information on how to use Windows utilities while troubleshooting issues related to the AD / LDAP which will in turn affect the dependent modules. The same AD / LDAP queries executed by MailEssentials will be run from the command prompt to verify the LDAP connectivity. Fixing any LDAP or Active Directory related errors once they have been established is outside the scope of this article.


Introduction

MailEssentials has a number of modules that depend on and query either Active Directory (AD) or an LDAP server. Following is a list of these features:

The next section explains what information each of the above modules retrieves, and how to retrieve the same information using Windows utilities while troubleshooting. The Windows utility used in this section is csvde, which is similar to ldifde, but returns results in a comma-delimited file.

In this article, “user database” is a generic term used to refer to both AD and LDAP.


Description

General

The first difference to notice is that the Directory Harvesting features retrieve information for only one object in the user database, while the User Counting modules retrieve a list of users. As explained below, the main difference is in the search filter string that is used.

To query a user database you require the following information:

  • Server name
  • Port
  • Version
  • Base DN
  • Credentials

When AD is used, the above information is either defaulted or retrieved transparently from AD. The server name is retrieved transparently from AD. The port is 3268 if the query is sent to a Global Catalog, or 389 if it is sent to a Domain Controller. The version is not relevant for AD queries. The Base DN used by the MailEssentials AD modules is always the Naming Context, and the credentials used are LocalSystem (or the credentials of the logged-on user when testing from the configuration).

In the case of an LDAP server, the above information needs to be supplied. This is only required for the Directory Harvesting module as it is currently the only module that supports querying LDAP.

When querying the user database, a search filter is also used to restrict the information that AD returns.


Directory Harvesting - AD

In the case of Directory Harvesting – AD, the search filter used when performing the query is:

"(&(|(objectClass=Person)(objectClass=group)(objectClass=publicFolder)(objectClass=msExchDynamicDistributionList))(|(mail=<user email address>)(proxyAddresses=smtp:<user email address>)))"

You need to replace <user email address> with the user’s email address. So an example AD search filter string would be:

"(&(|(objectClass=Person)(objectClass=group)(objectClass=publicFolder)(objectClass=msExchDynamicDistributionList))(|(mail=nicks@gfi.com)(proxyAddresses=smtp:nicks@gfi.com)))"

The above filter retrieves any object of type Person, Group, Public Folder or Distribution List whose mail attribute (or an smtp: proxy address) is nicks@gfi.com.

The pipe character '|' means that the items in the brackets that follow are ORed, while '&' means that they are ANDed. Not shown in this example, '!' means NOT.

Using csvde, we can retrieve the same information that the Directory Harvesting module retrieves by running the following at the command prompt:

csvde -f output.csv -t 3268 -r "(&(|(objectClass=Person)(objectClass=group)(objectClass=publicFolder)(objectClass=msExchDynamicDistributionList))(|(mail=nicks@gfi.com)(proxyAddresses=smtp:nicks@gfi.com)))"

The above saves the information retrieved from AD to output.csv in the directory where you ran the command. Note that in this case we needed the -t 3268 parameter because we are querying the Global Catalog. The -t parameter specifies the port, which is 389 by default (meaning the query is sent to a Domain Controller).
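The following is an added example, not code from GFI or this article: it builds the Directory Harvesting - AD filter above from an e-mail address, applying the RFC 4515 escaping that keeps filter metacharacters in the address literal, and returns the matching csvde argument list (the function names are hypothetical).

```python
# Added example (not GFI's code): build the Directory Harvesting - AD filter from an
# e-mail address with the RFC 4515 escaping that keeps filter metacharacters literal.

# RFC 4515 escapes for characters that are special inside a filter value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Object classes the Directory Harvesting - AD query accepts (from the article)
HARVEST_CLASSES = ("Person", "group", "publicFolder", "msExchDynamicDistributionList")

def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def harvesting_filter(email: str) -> str:
    """Return the Directory Harvesting - AD search filter for one address."""
    addr = escape_filter_value(email)
    classes = "".join(f"(objectClass={c})" for c in HARVEST_CLASSES)
    return f"(&(|{classes})(|(mail={addr})(proxyAddresses=smtp:{addr})))"

def csvde_args(email: str, output: str = "output.csv", port: int = 3268) -> list:
    """csvde argument list (for subprocess); -t 3268 queries the Global Catalog, 389 a DC."""
    return ["csvde", "-f", output, "-t", str(port), "-r", harvesting_filter(email)]

if __name__ == "__main__":
    print(harvesting_filter("nicks@gfi.com"))
    # An address containing '*' or parentheses is escaped, so it is matched literally
    # rather than read as a wildcard or as the end of a filter component.
    print(harvesting_filter("nick*s(1)@gfi.com"))
```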


Directory Harvesting – LDAP

Similarly, we can use ldifde to check the results that an LDAP server returns to the Directory Harvesting module when it is configured to use LDAP:

ldifde -f output.csv -b [USERNAME] [DOMAIN] [PASSWORD] -s [LDAP SERVER] -d "[BASEDN]" -r "(|(mail=[EMAIL])(proxyAddresses=smtp:[EMAIL]))"

The following are parameters that will be used in our example:

  • Server: 172.16.131.2
  • Port: 389
  • Base DN: DC=gfins,DC=com
  • Domain: GFINS
  • User: Administrator
  • Password: adminpw

The email address to check is nicks@gfi.com. In this case, we would type the following in the command line, all on one line:

ldifde -f output.csv -b Administrator GFINS adminpw -s 172.16.131.2 -d "DC=gfins,DC=com" -r "(|(mail=nicks@gfi.com)(proxyAddresses=smtp:nicks@gfi.com))"

Note that if you need to export OUs, users, and groups from an entire forest, you may either run the above LDIFDE export commands against each domain in the forest or alternatively, run the query once against the global catalog (GC). To do this, ensure that the domain controller that is specified by the -s switch is a GC, and additionally, specify the GC port using the -t switch. The GC port number is 3268.


User Counting - AD

In the case of AD user counting, MailEssentials will make use of the following query filter:

"(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*)(samAccountName=*))"

We can retrieve the same information as MailEssentials using the following command:

csvde -f F:\Support\nicks\OUTPUT.LDF -r "(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*)(samAccountName=*))"

Remember that MailEssentials always reports one user less in the Licensing properties. The debug log file usercntado.txt, however, shows the same query filter string and the number of users that are returned.

You can confirm the LDAP filter string being used from usercntado.txt, located at ..GFI\MailEssentials\Attendant\debuglogs.


User Counting - Exchange

When counting users that have mailboxes on the Exchange server, MailEssentials first has to determine the names of the mailbox stores on the local Exchange server, which it does through APIs. It then constructs a filter string similar to the following to retrieve the users that have a mailbox on the local Exchange server.

(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*)(samAccountName=*)
(homeMDB=CN=Mailbox Store (SUPPORTTEST),CN=First Storage Group,CN=InformationStore,
CN=SUPPORTTEST,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,
CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=supportdomain,DC=local))

The following part changes to reflect the name and location of the Mailbox Store:

(homeMDB=CN=Mailbox Store (SUPPORTTEST),CN=First Storage Group,
CN=InformationStore,CN=SUPPORTTEST,CN=Servers,CN=First Administrative Group,
CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,
CN=Services,CN=Configuration,DC=supportdomain,DC=local)

If multiple mailbox stores are present, they will be added to the filter string.

The homeMDB value(s) that are extracted and the LDAP filter string that is constructed are all shown in usercntvsapi.txt.
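As an added example covering both the User Counting - AD and User Counting - Exchange filters (not code from GFI or this article), the following small evaluator parses the filter grammar used on this page, including the bitwise AND matching rule on userAccountControl and the homeMDB clause, and runs it over constructed directory entries to show which accounts each filter keeps. The entries, the shortened store DN and the function names are assumptions; the parentheses in the store DN are written as \28 and \29 because RFC 4515 requires that inside a filter value.

```python
# Added example (not GFI's code): a small evaluator for the filter grammar used in this
# article, run over constructed entries to show which accounts the User Counting filters keep.
import re

BITWISE_AND = "1.2.840.113556.1.4.803"   # AD matching rule: (attr & value) == value
def unescape(value):
    """Decode RFC 4515 \\XX escapes, e.g. \\28 and \\29 for '(' and ')' inside a value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(s, i=0):
    """Recursive-descent parser; returns (node, index just past the node)."""
    assert s[i] == "(", "filter must start with '('"
    if s[i + 1] in "&|!":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1             # skip the closing ')'
    j = s.index(")", i)                      # ')' inside values is escaped, so this is safe
    attr, value = s[i + 1:j].split("=", 1)
    return ("=", attr, unescape(value)), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lowercase attr -> list of values)."""
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "|": return any(matches(k, entry) for k in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    _, attr, value = node
    attr, rule = (attr.split(":")[:2] if ":" in attr else (attr, None))  # attr:<rule>:=value
    vals = [str(v) for v in entry.get(attr.lower(), [])]
    if rule == BITWISE_AND:                  # userAccountControl bit 2 = ACCOUNTDISABLE
        return any(int(v) & int(value) == int(value) for v in vals)
    if value == "*":                         # presence test such as (mail=*)
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)   # AD string matching ignores case

def count(filter_string, entries):
    node, _ = parse(filter_string)
    return sum(matches(node, e) for e in entries)

# Constructed sample data; the store DN is shortened and its parentheses written as \28 \29.
STORE = "CN=Mailbox Store \\28SUPPORTTEST\\29,CN=First Storage Group,DC=supportdomain,DC=local"
ENTRIES = [
    {"objectclass": ["person"], "useraccountcontrol": [512], "mail": ["alice@supportdomain.local"], "samaccountname": ["alice"], "homemdb": [unescape(STORE)]},
    {"objectclass": ["person"], "useraccountcontrol": [514], "mail": ["bob@supportdomain.local"], "samaccountname": ["bob"], "homemdb": [unescape(STORE)]},  # 514 = 512 + ACCOUNTDISABLE
    {"objectclass": ["person"], "useraccountcontrol": [512], "samaccountname": ["svc-backup"]},  # no mail attribute
    {"objectclass": ["person"], "useraccountcontrol": [66048], "mail": ["carol@supportdomain.local"], "samaccountname": ["carol"], "homemdb": ["CN=Other Store,DC=supportdomain,DC=local"]},
]
AD_FILTER = "(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*)(samAccountName=*))"
EXCHANGE_FILTER = AD_FILTER[:-1] + f"(homeMDB={STORE}))"   # same filter plus the store's homeMDB
```

With these entries the AD filter counts alice and carol (bob is disabled, svc-backup has no mail), and the Exchange filter counts only alice, whose homeMDB is the SUPPORTTEST store.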

Priyanka Bhotika