LDAP problem after upgrading from WIN 2000 to WIN 2003

Discussion in 'Active Directory' started by MSFT Developer, Aug 20, 2005.

  1. We have quite a few intranet applications that use Active Directory to
    provide role-based permission and authentication. We were using LDAP to
    access AD. We recently upgraded to WIN 2003 from WIN 2000. All of our
    intranet applications started to throw the error. After extensive reading we
    found that when a call is made to the AD, a domain login/password should be
    supplied. This let us access the AD. But now we need to reboot our domain
    controllers every day because when the calls are made from the intranet
    applications they are not cleared from the AD and thus cause the intranet
    applications to fail with "connection cannot be established to AD, Max
    connection reached". Did anyone have this problem? Is there any other way to
    overcome this issue but still authenticate the users using AD?

    Thanks in advance.
    MSFT Developer, Aug 20, 2005

  2. What does your cleanup logic look like in the apps that are having problems?
    Assuming this is .NET code (you don't really say), are you calling Dispose
    on ALL of your DirectoryEntry objects when you are done with them? That
    will help ensure that you aren't leaving unused open connections to the DCs.

    Joe K.
    Joe Kaplan (MVP - ADSI), Aug 20, 2005

  3. Thanks Joe.

    Sorry, I didn't mention the platform I am having issues with. The application
    is written in C# using .NET Framework 1.1.

    I am using Close() method instead of Dispose().

    BTW, another piece of information I didn't provide is that after the upgrade to
    WIN 2k3 the overall performance of the intranet applications is affected.
    Applications are taking a lot of time to load. Some guys on the team say that
    this could be due to the new security model implemented in WIN 2K3 taking
    more time to authenticate against the AD. Is this true?

    Also, in the past we tried to use the IsInRole method and we didn't always get
    the expected result. So we are scrolling through the entire group to see whether
    the logged-in user is in this group. Is anyone using IsInRole without any

    MSFT Developer, Aug 20, 2005
  4. I would definitely recommend using IsInRole if you have a WindowsPrincipal
    object available. Doing this, you are taking advantage of the Windows logon
    token IIS has already built for you and preventing the need to do any LDAP
    stuff to look up user's groups.

    There are some issues with IsInRole in .NET 1.x that (I believe) are being
    addressed in 2.0. Someone else has written a nice article on this and
    recommended some workarounds:


    I do recommend using Dispose instead of Close as it does the same thing
    Close does AND has the additional benefit of suppressing finalization on
    your DE's which will help ensure they get collected much faster.

    I also recommend you carefully look over your code and make sure you don't
    have any DE, DirectorySearcher or SearchResultCollection objects that
    aren't getting Disposed. Always Dispose in a finally block or just use the
    C# "using" statement to automate this.

    Also, if you really do need to do group membership expansion for a user, I
    recommend using the tokenGroups approach that Ryan has documented here:


    Hopefully, IsInRole will work for you though.

    I can't explain why the move to 2003 is causing you grief as I have not had
    that experience. Sorry.

    Joe K.
    Joe Kaplan (MVP - ADSI), Aug 20, 2005
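The disposal pattern and the two membership checks Joe describes (IsInRole on the IIS logon token first, tokenGroups over LDAP as the fallback), as an added example that is not code from the thread. The LDAP path, service account, password and group values are placeholders; the tokenGroups route uses SecurityIdentifier, which assumes .NET 2.0 or later.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

// Added example, not from the thread. Every DirectoryEntry, DirectorySearcher
// and SearchResultCollection sits in a "using" block so the LDAP connection to
// the DC is released deterministically, even when an exception is thrown.
public static class AdRoleCheck
{
    const string LdapPath = "LDAP://DC=example,DC=local";          // placeholder
    const string ServiceUser = "EXAMPLE\\svc-intranet";             // placeholder, read-only account
    const string ServicePassword = "<placeholder-from-secure-config>";

    // Preferred: reuse the logon token IIS already built; no LDAP traffic at all.
    public static bool IsInRoleViaToken(WindowsPrincipal principal, string domainGroup)
    {
        return principal.IsInRole(domainGroup);   // e.g. "EXAMPLE\\Intranet-Admins"
    }

    // Escape caller-supplied text before embedding it in an LDAP filter (RFC 4515).
    static string EscapeFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // Fallback: expand membership through the tokenGroups constructed attribute.
    public static bool IsInRoleViaTokenGroups(string samAccountName, SecurityIdentifier groupSid)
    {
        using (DirectoryEntry root = new DirectoryEntry(LdapPath, ServiceUser, ServicePassword, AuthenticationTypes.Secure))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilter(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            // FindAll rather than FindOne so the result collection is disposed explicitly.
            using (SearchResultCollection results = searcher.FindAll())
            {
                if (results.Count == 0) return false;
                using (DirectoryEntry user = results[0].GetDirectoryEntry())
                {
                    user.RefreshCache(new string[] { "tokenGroups" });   // constructed attribute, must be requested
                    foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                    {
                        if (new SecurityIdentifier(sidBytes, 0).Equals(groupSid)) return true;
                    }
                }
            }
            return false;
        }
    }
}
```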
