Using LDP to Find an Objects ‘Distinguished Name’ in Active Directory

KB ID 0001337 

Problem

There are a few occasions when you need to know an objects ‘Distinguished Name’ (DN). For me it’s usually when I’ve got a device that needs to do LDAP/LDAPS lookups, (RSA Appliance, Netscaler, Cisco FirePOWER, etc). Today someone needed to ‘bind’ a Checkpoint firewall to Active Directory, and asked me to create user, and give them the DN and password.

I’ve mentioned ldp.exe many times, but never dedicated a post to it, it’s a tiny executable, that was first seen in the server 2003 support tools.  With 2008 you needed to add the Active Directory Lightweight Directory Service Role to get it. With server 2012 and 2016 you will get it on any Domain Controller.

For a member server, (or non domain joined server) you can add LDP.exe by simply adding the following feature from server manager.

LDP Usage

Windows Key+R > ldp {Enter} > Connection > Connect > select localhost, (if you are on the DC, or the FQDN of a DC if you are not). Normally port 389 is fine, but if you have enabled LDAPS, you might want to use port 636, and tick SSL also > OK.

Now you need to bind to LDAP, I’m using my logged on account, but if you want to test a user account can bind to Active Directory, then you can specify a username/password and domain > OK.

Note: To bind to, and read all objects in Active Directory, only  domain user is required.

Now to view anything > View > Tree > Select the root DN to view all of AD, (in my case DC=pnl,DC=com) > OK.

You can now browse your AD, and get the DN for any object.

Related Articles, References, Credits, or External Links

Windows Server 2012 – Enable LDAPS

Cisco FirePOWER Management Center Appliance – Allowing Domain Authentication