Cannot query Active Directory using ServerBind on non-domain computer in Windows PE

I have a need to write a .NET application which will query Active Directory while running in Windows PE on a computer which is not yet a member of the domain.

We are running this during a Microsoft Deployment Toolkit task sequence (note that MDT 2012 has been configured to load support for .NET into the WinPE environment - the .NET application is starting without any problems).

I am using the code below to bind to the domain:

using System;
using System.DirectoryServices;

// Bind with explicit credentials. ServerBind says a server name is in the path
// (no DC locator lookup); Secure asks for an authenticated (Negotiate) bind.
DirectoryEntry entry = new DirectoryEntry(
  path,
  username,
  password,
  AuthenticationTypes.ServerBind | AuthenticationTypes.Secure);

I have tried a path both of the form:

LDAP://domainServer/dc=domain,dc=name

And also without a domain controller name as

LDAP://dc=domain,dc=name

I have also tried using a username both of the form domain\username and also just username.

The DirectoryEntry object seems to be constructed okay, but when I try to execute Console.WriteLine(entry.Name) to confirm that a valid connection has been made, I get the following exception:

System.Runtime.InteropServices.COMException (0x80005000): Unknown error (0x80005000)
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_Name()

I have tried other variations on this code, trying to execute LDAP queries with various filters, trying to rewrite it in VBScript, etc., but the code posted above is the simplest example I could come up with which reproduces the problem.

From what I have read, in a scenario like this you would always need to use AuthenticationTypes.ServerBind and that is why I am trying to specify the code within the ADSI LDAP path. But what is wrong with the code above? To me, it looks like it is passing all needed information in the parameters to the DirectoryEntry constructor.

security
active-directory
directoryservices
winpe
asked on Stack Overflow Feb 13, 2013 by Shannon Wagner

1 Answer

There is a way to get it to work, but it's not supported by Microsoft. This post helped me a lot. It works; tested and approved for a deployment of new computers :)

Extract the ADSIxXX.inf from the zip file to C:\ADSI

Copy the following files from Windows\System32 to C:\ADSI. Be careful about the architecture (x86 vs. x64):

   adsldp.dll
   adsmsext.dll
   adsnt.dll
   mscoree.dll
   mscorier.dll
   mscories.dll

Mount the bootimage.wim

No need to add the package (your WinPE is already configured to load the .NET API), just add the ADSI driver:

Dism /Image:C:\Mount /Add-Driver /Driver:C:\ADSI\ADSIxXX.inf /forceunsigned

No need to load his script

Unmount the bootimage.wim

Then it's done, if your .NET application is well implemented ;) I'm not sure the PIPE | is supported as an argument too; just set it to AuthenticationTypes.Secure:

using System;
using System.DirectoryServices;

// Bind with explicit credentials (the same call as in the question).
DirectoryEntry entry = new DirectoryEntry(
  path,
  username,
  password,
  AuthenticationTypes.ServerBind | AuthenticationTypes.Secure);

Link: http://www.deploymentresearch.com/Research/tabid/62/EntryId/74/ADSI-plugin-for-WinPE-4-0.aspx#AddComment

answered on Stack Overflow Oct 18, 2013 by Antoine
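The steps in the answer above, scripted as an added PowerShell example (this is not code from the question, the answer or the linked post). It stages the six DLLs from a Windows installation of the same architecture as the boot image, records their SHA-256 hashes so you can later say exactly which binaries went into the image, mounts the WIM, injects the .inf with the same DISM command the answer uses, checks that DISM actually lists the package, and only then commits. The WIM path, mount directory, architecture parameter and a 64-bit build host are assumptions; "ADSIxXX.inf" is the answer's placeholder, so pass the real .inf name from the zip.

```powershell
<#
  Added example, not from the original question or answer: automates the answer's
  steps for injecting the ADSI provider into a WinPE boot image.
  Assumptions (adjust to your MDT share): the .inf name, the WIM path, the mount
  directory, a 64-bit build host, and the Windows ADK's dism.exe being in PATH.
#>
param(
    [ValidateSet('x86', 'x64')]
    [string]$Arch     = 'x64',
    [string]$Inf      = 'C:\ADSI\ADSIxXX.inf',   # placeholder from the answer; use the real .inf from the zip
    [string]$Wim      = 'C:\DeploymentShare\Boot\LiteTouchPE_x64.wim',   # assumption
    [int]   $Index    = 1,
    [string]$StageDir = 'C:\ADSI',
    [string]$MountDir = 'C:\Mount'
)

$ErrorActionPreference = 'Stop'

# The six files listed in the answer: the ADSI providers plus the mscor* shims.
$files = 'adsldp.dll', 'adsmsext.dll', 'adsnt.dll', 'mscoree.dll', 'mscorier.dll', 'mscories.dll'

# Pick the source directory that holds binaries of the boot image's architecture.
# On a 64-bit host, System32 holds the x64 DLLs and SysWOW64 holds the x86 ones;
# a 32-bit PowerShell would have System32 silently redirected, so refuse that.
if (-not [Environment]::Is64BitProcess) {
    throw 'Run this from a 64-bit PowerShell so System32 is not redirected to SysWOW64.'
}
$source = if ($Arch -eq 'x64') { "$env:SystemRoot\System32" } else { "$env:SystemRoot\SysWOW64" }

New-Item -ItemType Directory -Path $StageDir, $MountDir -Force | Out-Null

# Stage the DLLs and record their hashes; keep this list with the boot image,
# since /ForceUnsigned means nothing else documents what was injected.
$manifest = foreach ($f in $files) {
    $src = Join-Path $source $f
    if (-not (Test-Path $src)) { throw "Missing $src (wrong architecture or Windows build?)" }
    Copy-Item -Path $src -Destination $StageDir -Force
    Get-FileHash -Algorithm SHA256 -Path (Join-Path $StageDir $f)
}
$manifest | Select-Object Hash, Path | Format-Table -AutoSize
if (-not (Test-Path $Inf)) { throw "Driver .inf not found: $Inf" }

# Mount the boot image.
& dism.exe /Mount-Image "/ImageFile:$Wim" "/Index:$Index" "/MountDir:$MountDir"
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed with exit code $LASTEXITCODE" }

# Default to throwing the changes away; only a verified Add-Driver flips this to /Commit.
$commit = '/Discard'
try {
    # The unsupported step from the answer: an unsigned driver package into the image.
    & dism.exe "/Image:$MountDir" /Add-Driver "/Driver:$Inf" /ForceUnsigned
    if ($LASTEXITCODE -ne 0) { throw "DISM /Add-Driver failed with exit code $LASTEXITCODE" }

    # /Get-Drivers reports third-party packages with their original .inf name;
    # make sure ours is really in the image before committing.
    $infName = Split-Path -Leaf $Inf
    $listed  = (& dism.exe "/Image:$MountDir" /Get-Drivers) -match [regex]::Escape($infName)
    if (-not $listed) { throw "$infName not reported by /Get-Drivers; discarding changes" }

    $commit = '/Commit'
}
finally {
    & dism.exe /Unmount-Image "/MountDir:$MountDir" $commit
}
```

Take the DLLs from a clean, patched installation of the same Windows build the boot image is based on, not from an arbitrary workstation: once /ForceUnsigned is involved, the hash list printed above is the only record of what code the boot image will load with the credentials your task sequence hands it.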

User contributions licensed under CC BY-SA 3.0