
6.1.1.2.4.1.2 dSHeuristics

dSHeuristics is a Unicode string attribute. Each character in the string represents a heuristic that is used to determine the behavior of Active Directory. These heuristics are described partly in this section and partly elsewhere in this specification.

The following constraints apply to the dSHeuristics string:

  • The order of the characters in the string is fixed; characters can be omitted only by truncating the string.

  • By default, the dSHeuristics attribute does not exist and, unless otherwise specified, the default value of each character in the dSHeuristics string is "0".

  • When modifying an existing dSHeuristics string, the values of all existing characters that are not of interest to the modification should be preserved.

These constraints are illustrated by the following examples.

  1. If dSHeuristics is not present or has length of zero, then the fSupFirstLastANR heuristic is false.

  2. If dSHeuristics is only two Unicode characters long, then the fDoListObject heuristic, which would be represented by the third character in the string, is false.

  3. Consider a scenario where the fSupFirstLastANR, fSupLastFirstANR, and fDoNickRes heuristics are required for certain system behaviors. The dSHeuristics string would consist of at least four characters, fSupFirstLastANR, fSupLastFirstANR, fDoListObject, and fDoNickRes, even though the fDoListObject heuristic is not needed. An implementer would set the fDoListObject character to the default value of "0" as described earlier.

  4. Consider a scenario where anonymous LDAP operations to Active Directory need to be enabled. In this scenario, the seventh character of the dSHeuristics string, fLDAPBlockAnonOps, would be set to character "2". If the dSHeuristics string was already in existence before this operation, no characters in the dSHeuristics string other than the seventh character would be modified. If the dSHeuristics string did not yet exist before this operation, the first through sixth characters would be set to their default values, resulting in a dSHeuristics string of "0000002" in this case.

The following table describes the characters of the dSHeuristics string.

| Character number | Character name | Description |
| --- | --- | --- |
| 1 | fSupFirstLastANR | If this character is "0", then the fSupFirstLastANR heuristic is false; otherwise, the fSupFirstLastANR heuristic is true. Section 3.1.1.3.1.3.4 specifies the effects of this heuristic. |
| 2 | fSupLastFirstANR | If this character is "0", then the fSupLastFirstANR heuristic is false; otherwise, the fSupLastFirstANR heuristic is true. Section 3.1.1.3.1.3.4 specifies the effects of this heuristic. |
| 3 | fDoListObject | If this character is "1", then the fDoListObject heuristic is true; otherwise, the fDoListObject heuristic is false. Section 5.1.3.2 specifies the effects of this heuristic. |
| 4 | fDoNickRes | If this character is "0", then the fDoNickRes heuristic is false; otherwise, the fDoNickRes heuristic is true. The effects of the fDoNickRes heuristic are outside the state model. If the fDoNickRes heuristic is true, an ANR request via MAPI attempts an exact match against the MAPI nickname attribute (the attribute with mAPIID equal to 0x3A00) before performing an ANR search (see section 3.1.1.3.1.3.4). |
| 5 | fLDAPUsePermMod | If this character is "0", then the fLDAPUsePermMod heuristic is false; otherwise, the fLDAPUsePermMod heuristic is true. If the fLDAPUsePermMod heuristic is true, then all LDAP Modify operations behave as if the LDAP_SERVER_PERMISSIVE_MODIFY_OID control was passed. Section 3.1.1.3.4.1.8 specifies the effects of the LDAP_SERVER_PERMISSIVE_MODIFY_OID control. |
| 6 | ulHideDSID | The ulHideDSID heuristic equates to the numeric value of this character; that is, character "0" equates to 0, character "1" equates to 1, and so on. The ulHideDSID heuristic controls when DSIDs are returned in the LDAP extended error string when an operation encounters an error. If the heuristic is 0, then DSIDs will be returned at all times. If the heuristic is 1, then DSIDs will be returned as long as the error is not a name error where different DSIDs may reveal the existence of an object that is not visible to the client. If the heuristic is anything but 0 or 1, then DSIDs will not be returned at all. A DSID consists of the string "DSID-", followed by an implementation-specific 32-bit integer expressed in hexadecimal. The integer identifies the execution point at which an error occurred. |
| 7 | fLDAPBlockAnonOps | If this character is "2", then the fLDAPBlockAnonOps heuristic is false; otherwise, the fLDAPBlockAnonOps heuristic is true. If this character is not present in the string, it defaults to "2" when the DC functional level is less than DS_BEHAVIOR_WIN2003, and to "0" otherwise. Section 5.1.3 specifies the effects of this heuristic. |
| 8 | fAllowAnonNSPI | If this character is "0", then the fAllowAnonNSPI heuristic is false; otherwise, the fAllowAnonNSPI heuristic is true. If the fAllowAnonNSPI heuristic is true, allow anonymous calls to the name service provider interface (NSPI) RPC bind method. Otherwise, only allow authenticated clients. |
| 9 | fUserPwdSupport | If this character is neither "0" nor "2", then the fUserPwdSupport heuristic is true. If this character is "2", then the fUserPwdSupport heuristic is false. If this character is "0", then the fUserPwdSupport heuristic is false for AD DS and true for AD LDS. Sections 3.1.1.3.1.5.2 and 3.1.1.4.4 specify the effects of this heuristic. |
| 10 | tenthChar | When setting dSHeuristics to a value that is 10 or more Unicode characters long, if the value of tenthChar is not character "1", the server rejects the update. See section 3.1.1.5.3.2. |
| 11 | fSpecifyGUIDOnAdd | If this character is "0", then the fSpecifyGUIDOnAdd heuristic is false; otherwise, the fSpecifyGUIDOnAdd heuristic is true. The fSpecifyGUIDOnAdd heuristic applies only to AD DS. AD LDS always treats this heuristic as if the character is "0"; that is, as if the fSpecifyGUIDOnAdd heuristic is false. Section 3.1.1.5.2.2 specifies the effects of this heuristic. |
| 12 | fDontStandardizeSDs | If this character is "0", then the fDontStandardizeSDs heuristic is false; otherwise, the fDontStandardizeSDs heuristic is true. Section 6.1.3 specifies the effects of this heuristic. |
| 13 | fAllowPasswordOperationsOverNonSecureConnection | If this character is "0", then the fAllowPasswordOperationsOverNonSecureConnection heuristic is false; otherwise, the fAllowPasswordOperationsOverNonSecureConnection heuristic is true. The fAllowPasswordOperationsOverNonSecureConnection heuristic applies only to AD LDS. Sections 3.1.1.3.1.5.1, 3.1.1.5.2.2, and 3.1.1.5.3.2 specify the effects of this heuristic. |
| 14 | fDontPropagateOnNoChangeUpdate | If this character is "0", then the fDontPropagateOnNoChangeUpdate heuristic is false; otherwise, the fDontPropagateOnNoChangeUpdate heuristic is true. If the fDontPropagateOnNoChangeUpdate heuristic is true, when the nTSecurityDescriptor attribute of an object is set to a value that is bitwise identical to the current value, no work item is enqueued for the task that updates the security descriptors on the children of a modified object in order to propagate inherited ACEs (section 6.1.3). If the fDontPropagateOnNoChangeUpdate heuristic is false, a work item is always enqueued when the nTSecurityDescriptor attribute is modified. The fDontPropagateOnNoChangeUpdate heuristic applies to Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, and Windows Server 2012 R2 operating system. Windows 2000 Server operating system and Windows Server 2003 operating system versions of Active Directory behave as if the fDontPropagateOnNoChangeUpdate heuristic is false. |
| 15 | fComputeANRStats | If this character is "0", then the fComputeANRStats heuristic is false; otherwise, the fComputeANRStats heuristic is true. The effects of the fComputeANRStats heuristic are outside the state model. If the fComputeANRStats heuristic is true, ANR searches (section 3.1.1.3.1.3.4) are optimized using cardinality estimates like all other searches. |
| 16 | dwAdminSDExMask | The valid values for this character are from the set "0"–"9" and "a"–"f". The dwAdminSDExMask heuristic equals the character interpreted as a hex digit and converted into a 4-bit value (that is, "1"=0x1, "f"=0xF). Section 3.1.1.6.1 specifies the effects of this heuristic. |
| 17 | fKVNOEmuW2K | If this character is "0", then the fKVNOEmuW2K heuristic is false; otherwise, the fKVNOEmuW2K heuristic is true. Section 3.1.1.4.5.16 specifies the effects of this heuristic. |
| 18 | fLDAPBypassUpperBoundsOnLimits | If this character is "0", then the fLDAPBypassUpperBoundsOnLimits heuristic is false; otherwise, the fLDAPBypassUpperBoundsOnLimits heuristic is true. If the fLDAPBypassUpperBoundsOnLimits heuristic is false, DCs impose implementation-dependent limits when interpreting values of the LDAP policies specified in section 3.1.1.3.4.6. If the configured policy value exceeds the limit, the DC ignores the policy value and instead uses the implementation-dependent limit. This heuristic applies to Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Windows 2000 Server and Windows Server 2003 versions of Active Directory do not impose any such limits. |
| 19 | fDisableAutoIndexingOnSchemaUpdate | If this character is "0", then the fDisableAutoIndexingOnSchemaUpdate heuristic is false; otherwise, the fDisableAutoIndexingOnSchemaUpdate heuristic is true. The effects of the fDisableAutoIndexingOnSchemaUpdate heuristic are outside the state model. If the fDisableAutoIndexingOnSchemaUpdate heuristic is false, DCs can initiate index creation upon detection of index-related changes to the searchFlags attribute (see section 2.2.10). If the fDisableAutoIndexingOnSchemaUpdate heuristic is true, it is a hint to DCs that index creation can be delayed upon detection of index-related changes to the searchFlags attribute until either an administrator issues the schemaUpdateNow rootDSE modify operation, the DC is rebooted, or an implementation-dependent time period has elapsed. This heuristic applies to Windows Server 2012 and Windows Server 2012 R2. Windows 2000 Server, Windows Server 2003, Windows Server 2003 R2 operating system, Windows Server 2008, and Windows Server 2008 R2 do not implement support for this heuristic. |
| 20 | twentiethChar | When setting dSHeuristics to a value that is 20 or more Unicode characters long, if the value of twentiethChar is not character "2", the server rejects the update. See section 3.1.1.5.3.2. |
| 21 | DoNotVerifyUPNUniqueness | If this character is anything other than "0", AD LDS will not check values of userPrincipalName for uniqueness. See section 3.1.1.5.2.2. This heuristic applies to Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. |
| 22-23 | MinimumGetChangesRequestVersion | A hexadecimal value, ranging from "00" to "FF". This value controls the minimum version of the DRS_MSG_GETCHGREQ* structures the DC will send or accept. If the value is not set, the value "00" is used. When the value is "00", no restriction is enforced. See [MS-DRSR] section 4.1.10.5.1. |
| 24-25 | MinimumGetChangesReplyVersion | A hex value, ranging from "00" to "FF". This value controls the minimum version of the DRS_MSG_GETCHGREPLY* structures the DC will send or accept. If the value is not set, the value "00" is used. When the value is "00", no restriction is enforced. See [MS-DRSR] section 4.1.10.5.18. |
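
The constraints and character rules above, as an added example that is not part of the specification: a Python sketch that decodes the access-related characters (3, 6, 7, 8, 9, and 13) and sets a single character while preserving the rest and supplying the required tenthChar and twentiethChar values. The function names are hypothetical, and padding character 7 with "0" assumes a DC functional level of DS_BEHAVIOR_WIN2003 or higher.

```python
# Added example (not from the specification); function names are hypothetical.
FIXED = {10: "1", 20: "2"}  # tenthChar / twentiethChar values the server requires

def char_at(value, pos, default="0"):
    """Return the 1-based character, or its default when the string is truncated."""
    return value[pos - 1] if len(value) >= pos else default

def decode(value, ad_lds=False, dc_below_win2003=False):
    """Interpret the access-related characters using the table's rules."""
    value = value or ""                      # an absent attribute decodes like ""
    hide, pwd = char_at(value, 6), char_at(value, 9)
    return {
        "fDoListObject": char_at(value, 3) == "1",   # true only for "1"
        "ulHideDSID": int(hide) if hide in "0123456789" else None,
        # Character 7 is false only for "2"; its default depends on the DC level.
        "fLDAPBlockAnonOps": char_at(value, 7, "2" if dc_below_win2003 else "0") != "2",
        "fAllowAnonNSPI": char_at(value, 8) != "0",
        # Character 9: "2" is false, "0" depends on AD DS vs AD LDS, else true.
        "fUserPwdSupport": ad_lds if pwd == "0" else pwd != "2",
        # Character 13 applies only to AD LDS.
        "fAllowPasswordOperationsOverNonSecureConnection": char_at(value, 13) != "0",
    }

def relaxed(value, **kw):
    """List decoded settings that permit anonymous or non-secure access."""
    h = decode(value, **kw)
    found = [] if h["fLDAPBlockAnonOps"] else ["fLDAPBlockAnonOps=false"]
    for name in ("fAllowAnonNSPI", "fAllowPasswordOperationsOverNonSecureConnection"):
        if h[name]:
            found.append(name)
    return found

def set_char(value, pos, new):
    """Set one 1-based character, preserving the others and padding with defaults."""
    if len(new) != 1 or FIXED.get(pos, new) != new:
        raise ValueError(f"invalid value {new!r} for character {pos}")
    chars = list(value or "")
    while len(chars) < pos:
        # Assumption: "0" is also the default for character 7, which holds when
        # the DC functional level is DS_BEHAVIOR_WIN2003 or higher.
        chars.append(FIXED.get(len(chars) + 1, "0"))
    chars[pos - 1] = new
    return "".join(chars)

if __name__ == "__main__":
    print(set_char("", 7, "2"))              # example 4 in the text: "0000002"
    print(relaxed("0000002"))
```

Reading the current value and writing the result back to the directory are left to whatever LDAP tooling is in use; the functions operate only on the string.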

 
© 2014 Microsoft