
[Translation] Connecting to an AD domain

http://www.eggheadcafe.com/conversation.aspx?messageid=30188124&threadid=30188121

Connecting to an AD domain from a workgroup machine - Joe Kaplan
15-Jun-07 09:34:01

All of these problems(*1) are typical of a workgroup computer deployment.  Your
binding string, LDAP://rootDSE, does not specify a server or domain in the
path (like LDAP://domain.com/rootDSE), so the LDAP API attempts to figure
out the domain to use based on the domain affiliation of the current
security context.  If that is a local machine account, then there is no
domain affiliation and you get the error you see.

The error regarding not being able to convert the datatype happens when the
current security context does not have permissions to read the abstract
schema in the directory (object pointed to by the subschemaSubentry DN in
rootDSE), so it falls back to a default schema which does not have
definitions for all AD attributes.  To correct this, you must bind as an
authenticated domain user, so you would need to provide credentials somehow.

LogonUser can only allow users to logon who are trusted by the machine and a
workgroup machine doesn't trust domain users, so they can't logon.  You
would need to use some sort of approach for remote authentication using SSPI
or perhaps an LDAP bind.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

(*1) However, it now fails with the error 0x8007054b - 'The specified domain
either does not exist or could not be contacted.'
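The two binding patterns the answer contrasts, as an added C# example using System.DirectoryServices (not code from the original post or from the book it mentions): the domain and account it is called with are placeholders supplied by the caller, and reading the object named by subschemaSubentry is the check for the schema fallback the answer describes.

```csharp
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example, not code from the original post. The domain and the account
// name passed in are placeholders chosen by the caller, not values from the post.
static class RootDseProbe
{
    // The failing pattern from the question: no server or domain in the path and
    // no credentials. On a workgroup machine the local context has no domain
    // affiliation, so the bind fails with 0x8007054b.
    public static DirectoryEntry BindWithoutDomain()
    {
        return new DirectoryEntry("LDAP://rootDSE");
    }

    // Corrected pattern: name the domain (or a DC) in the path and pass domain
    // credentials. Secure negotiates Kerberos/NTLM via SSPI and Sealing encrypts
    // the session: the LDAP-bind route the answer recommends over LogonUser.
    public static DirectoryEntry Bind(string domain, string path, string user, string password)
    {
        return new DirectoryEntry("LDAP://" + domain + "/" + path,
            domain + "\\" + user, password,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing);
    }

    // Checks both symptoms from the answer: that the bind resolved a domain, and
    // that the object named by subschemaSubentry is readable. If it is not, ADSI
    // falls back to a default schema and AD attribute types stop converting.
    public static bool SchemaIsReadable(string domain, string user, string password)
    {
        try
        {
            using (var rootDse = Bind(domain, "rootDSE", user, password))
            {
                rootDse.RefreshCache(); // forces the bind so failures surface here
                string schemaDn = (string)rootDse.Properties["subschemaSubentry"].Value;
                using (var schema = Bind(domain, schemaDn, user, password))
                {
                    schema.RefreshCache();
                    return schema.Properties.Contains("attributeTypes");
                }
            }
        }
        catch (COMException)
        {
            // e.g. 0x8007054B "The specified domain either does not exist or could not be contacted."
            return false;
        }
    }
}
```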
