Can't connect to ADAM instance after installing Windows XP SP2

Discussion in 'Active Directory' started by Laura Bagnall, Oct 19, 2004.

  1. I had gone through the ADAM reviewers guide a few months ago, and things
    worked just fine. Now, I'm finally getting around to writing actual code,
    but I can't connect to the ADAM instance using ADSI Edit. I uninstalled and
    reinstalled, including an option to import some LDF files, and it choked when
    it tried to connect to the service in order to import the LDF files. It
    skipped that step, but the service was running. I still couldn't connect.
    The service is running under the Network System account, and for the
    administrator, I've tried both my domain account, and an account that I
    created locally on my machine. I'm doing this install on my Windows XP
    Professional machine for development purposes, although the final deployment
    will be on Windows Server 2003. The only thing that's changed that I can
    think of between when it was working and now, is that I've installed Windows
    XP SP2. Are there any known issues with that and ADAM?
     
    Laura Bagnall, Oct 19, 2004
    #1

  2. SP2 turns firewall on. If you need ldap/adsi access, open ADAM ldap and ssl
    ports (389 and 636 by default). Replication over firewall is trickier, but
    doable. There are KB articles describing this, if you need it.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm
     
    Dmitri Gavrilov [MSFT], Oct 19, 2004
    #2

  3. Nope. That's not it. I tried turning off the firewall and got the same
    result. Here are some snippets from the adamsetup.log. I'm using unattended
    install, and not specifying users in Answers.txt, which means that I'm
    accepting the defaults of the Network System account to run the service
    under, and the currently logged in user for the administrator. The currently
    logged in user is my domain account, and I have administrative privileges on
    my machine.

    // check to make sure that currently logged in user is admin
    adamsetup F2C.DE4 0016 Enter IsCurrentUserAdministrator
    adamsetup F2C.DE4 0017 Current user is an admin
    ....
    // set admin user to currently logged in user (me)
    adamsetup F2C.DE4 0269 Enter Generate::AdminAccount
    adamsetup F2C.DE4 026A PINNACLE\lbagnall
    adamsetup F2C.DE4 026B Enter State::SetCurrentUserADAMAdmin true
    adamsetup F2C.DE4 026C Enter Validate::AdminAccount PINNACLE\lbagnall
    adamsetup F2C.DE4 026D Enter State::GetInstance
    adamsetup F2C.DE4 026E Enter State::GetAdminSelector
    adamsetup F2C.DE4 026F Enter ObjectSelect::GetSID
    adamsetup F2C.DE4 0270 Enter State::GetAdminSelector
    adamsetup F2C.DE4 0271 Enter ObjectSelect::UpdateName
    PINNACLE\lbagnall
    adamsetup F2C.DE4 0272 Enter ObjectSelect::clearSID
    adamsetup F2C.DE4 0273 Enter L"LookupAccountNameLocally"
    PINNACLE\lbagnall
    adamsetup F2C.DE4 0274 HRESULT = 0x00000000
    adamsetup F2C.DE4 0275 Enter ObjectSelect::setSID
    adamsetup F2C.DE4 0276 Enter ObjectSelect::clearSID
    adamsetup F2C.DE4 0277 ADAMERR_OK
    .....
    // Things after that look OK, until it's time to try to install the LDF files
    adamsetup F2C.358 07C3 Enter State::GetSelectedLDIFFiles
    adamsetup F2C.358 07C4 Enter State::GetRemotePassword
    adamsetup F2C.358 07C5 Enter State::GetRemoteAuthority
    adamsetup F2C.358 07C6 Enter State::GetRemoteUser
    adamsetup F2C.358 07C7 Enter State::UseRemoteCreds false
    adamsetup F2C.358 07C8 Enter State::GetMyLDAPPort 50000
    adamsetup F2C.358 07C9 Enter Validate::RemoteCredsSufficient
    adamsetup F2C.358 07CA localhost:50000
    adamsetup F2C.358 07CB ReadServiceAccountInfo() => 85
    adamsetup F2C.358 07CC readSucceeded = false
    adamsetup F2C.358 07CD ADAMERR_REPCREDS_INVALID
    adamsetup F2C.358 07CE Enter State::IsUnattend true
    adamsetup F2C.358 07CF Enter State::IgnoreWarnings true
    adamsetup F2C.358 07D0 Enter State::AddFinishWarning ADAM Setup skipped
    LDIF file importation because the account provided could not be used. Either
    the credentials were not valid, or the account did not have administrative
    permissions for ADAM. To import LDIF files later, use the Ldifde.exe tool in
    the ADAM folder.
     
    Laura Bagnall, Oct 19, 2004
    #3
  4. So, you are installing a replica? From the log, you are unable to contact
    the source machine. You are getting LDAP_TIMEOUT (error 85) when attempting
    to open the initial connection. Check dns and firewalls.

     
    Dmitri Gavrilov [MSFT], Oct 19, 2004
    #4
  5. Laura Bagnall
    Lee Flight, Oct 19, 2004
    #5
  6. Ah, you are right. Installer uses ReadServiceAccountInfo() to validate
    access to the newly installed instance, prior to importing LDIF files.
    Originally this function was written for replica install account validation,
    this confused me...

    So, it appears the new instance has some trouble registering the LDAP head.
    Laura, please check ADAM event log. Anything of interest there?

    Is the instance running? Try connecting to it with LDP. Also, run "netstat
    /oan". Do you see ADAM instance listening on ldap and ssl ports? Match the
    PID to the process using task manager/view/select columns/PID.

     
    Dmitri Gavrilov [MSFT], Oct 19, 2004
    #6
  7. URL below -- exactly the same problem. And I made exactly the same wrong
    assumption. Man...
    No, I don't believe we got to a resolution back then. Looked like some
    strange networking issue.

     
    Dmitri Gavrilov [MSFT], Oct 19, 2004
    #7
  8. Nothing of interest in the ADAM event log. Just lots of messages like
    "Online defragmentation has completed..." I even tried setting the value 16
    LDAP Interface Events under the key
    HKLM\SYSTEM\CurrentControlSet\Services\ADAM_UserDirectory\Diagnostics 16
    LDAP Interface Events to 5, without generating any events. (Found that
    trolling a newsgroup...)

    netstat /oan showed that it was listening in on the configured ports (I was
    using 50000 and 50001)
    TCP 0.0.0.0:50000 0.0.0.0:0 LISTENING 2280
    TCP 0.0.0.0:50001 0.0.0.0:0 LISTENING 2280

    Checking in "Services" shows that the service is running. Checking Task
    Manager shows that process 2280 has Image Name of dsamain.exe and is running
    under "NETWORK SERVICE".

    Using LDP, I am able to connect to the ADAM instance. It's the BIND that is
    timing out.

    Suggestions?

    Laura

    If you scroll down to the very end of this post, I'm including the output
    from LDP there.

    ld = ldap_open("localhost", 50000);
    Established connection to localhost.
    Retrieving base DSA information...
    Result <0>: (null)
    Matched DNs:
    Getting 1 entries:1> currentTime: 10/19/2004 17:53:10 Eastern Standard Time;
    1> subschemaSubentry:
    CN=Aggregate,CN=Schema,CN=Configuration,CN={7589AEA0-3837-479A-89A8-AE7B710BA43F};
    1> dsServiceName: CN=NTDS
    Settings,CN=MA-LBAGNALLXP$UserDirectory,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={7589AEA0-3837-479A-89A8-AE7B710BA43F};
    3> namingContexts:
    CN=Configuration,CN={7589AEA0-3837-479A-89A8-AE7B710BA43F};
    CN=Schema,CN=Configuration,CN={7589AEA0-3837-479A-89A8-AE7B710BA43F};
    O=pinnacleteamsports,C=us;
    1> schemaNamingContext:
    CN=Schema,CN=Configuration,CN={7589AEA0-3837-479A-89A8-AE7B710BA43F};
    1> configurationNamingContext:
    CN=Configuration,CN={7589AEA0-3837-479A-89A8-AE7B710BA43F};
    21> supportedControl: 1.2.840.113556.1.4.319; 1.2.840.113556.1.4.801;
    1.2.840.113556.1.4.473; 1.2.840.113556.1.4.528; 1.2.840.113556.1.4.417;
    1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841; 1.2.840.113556.1.4.529;
    1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521; 1.2.840.113556.1.4.970;
    1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474; 1.2.840.113556.1.4.1339;
    1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413; 2.16.840.1.113730.3.4.9;
    2.16.840.1.113730.3.4.10; 1.2.840.113556.1.4.1504; 1.2.840.113556.1.4.1852;
    1.2.840.113556.1.4.802;
    2> supportedLDAPVersion: 3; 2;
    12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv;
    MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime;
    MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize;
    MaxNotificationPerConn; MaxValRange;
    1> highestCommittedUSN: 16387;
    4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
    1> dnsHostName: MA-LBagnallXP.pcle.com;
    1> serverName:
    CN=MA-LBAGNALLXP$UserDirectory,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={7589AEA0-3837-479A-89A8-AE7B710BA43F};
    2> supportedCapabilities: 1.2.840.113556.1.4.1851; 1.2.840.113556.1.4.1791;
    1> isSynchronized: TRUE;
    1> forestFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
    1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
     
    Laura Bagnall, Oct 19, 2004
    #8
  9. One other piece of information. I looked at the other post, and the one
    thing in common is that I am also running on a laptop, with both a wired and
    a wireless connection. I also have Cisco VPN installed, although I don't
    currently have VPN running, since I'm at work. In his case, he was running
    Windows Server 2003, and I'm running Windows XP SP2. The mysterious thing
    is that this worked for me a couple of months ago, and isn't working now,
    and I haven't changed my hardware in that time.

    Laura
     
    Laura Bagnall, Oct 19, 2004
    #9
  10. Hi

    Do you audit logon/logoff failures on the machine, if so could
    you check the security event log after the bind attempt with ldp?

    Could you try (right-click) disabling all network interfaces but
    the network interface that has the domain connection?

    You said you tried a local account as ADAM administrator, when
    you test that using ldp (specifying the Netbios name of the machine
    in the Domain field of the bind popup) does that fail in the same way?
    And the same test with ALL network interfaces disabled?

    For a domain machine it should not matter but what value do you
    have for

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forceguest


    Thanks
    Lee Flight
     
    Lee Flight, Oct 20, 2004
    #10
  11. Please do what Lee suggests, especially disabling one of the connections.
    You may also try the following.

    Check that the machine is happily joined to the domain. You can access
    network resources, right? Can you logon to the machine as PINNACLE\lbagnall?
    Try binding with empty creds (i.e. as the currently logged on user).

    Something else to try -- try binding as a local user (e.g. local admin) on
    your laptop. In order to do this, specify machine name in the domain box.

    Timeout on bind looks pretty weird. It appears as if a network packet is
    being lost.

     
    Dmitri Gavrilov [MSFT], Oct 20, 2004
    #11
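A scripted version of the checks Lee and Dmitri list above, as an added example that is not part of the thread: it assumes PowerShell 5 or later on a current Windows host (for Get-NetTCPConnection and the .NET System.DirectoryServices.Protocols classes) and the ADAM LDAP port 50000 from Laura's netstat output.

```powershell
# Added diagnostic script (not from the thread). Runs the checks above in order so a
# failure lands in one bucket: no listener, listener but no LDAP answer, LDAP answers
# but the bind fails or times out. Assumes PowerShell 5+ on a modern Windows host
# (Get-NetTCPConnection) and the ADAM LDAP port used in the thread (50000).
param([string]$Server = 'localhost', [int]$Port = 50000)
Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. netstat /oan plus Task Manager, scripted: which process owns the LDAP port, and
#    under which account is it running? For ADAM expect dsamain.exe.
$sock = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $sock) { throw "Nothing listening on TCP $Port: check the service and the firewall" }
$proc = Get-Process -Id $sock[0].OwningProcess
$svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.Id)"
"Port {0}: PID {1} ({2}), service '{3}' running as {4}" -f $Port, $proc.Id, $proc.ProcessName, $svc.Name, $svc.StartName

# 2. LDP's "connect": an anonymous RootDSE read. No credentials are involved, so success
#    here only proves the LDAP head is up and says nothing about authentication.
$ident = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
$conn  = [System.DirectoryServices.Protocols.LdapConnection]::new($ident)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Timeout  = [TimeSpan]::FromSeconds(10)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
$req = [System.DirectoryServices.Protocols.SearchRequest]::new('', '(objectClass=*)',
    [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@('dnsHostName', 'supportedSASLMechanisms'))
try {
    $root = $conn.SendRequest($req).Entries[0]
    "RootDSE ok: dnsHostName={0}; SASL={1}" -f $root.Attributes['dnsHostName'][0],
        ($root.Attributes['supportedSASLMechanisms'].GetValues([string]) -join ', ')
} catch { throw "Connected, but the RootDSE read failed: $($_.Exception.Message)" }

# 3. The step that timed out in the thread: an authenticated bind as the logged-on user.
#    Negotiate (SPNEGO) is what LDP uses by default. A timeout here, as opposed to an
#    'invalid credentials' error, means the LDAP head answered but the SSPI exchange with
#    LSASS never completed, which is where the thread's Netmon trace ended up.
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$sw = [System.Diagnostics.Stopwatch]::StartNew()
try   { $conn.Bind(); "Bind ok after {0} ms" -f $sw.ElapsedMilliseconds }
catch { "Bind FAILED after {0} ms: {1}" -f $sw.ElapsedMilliseconds, $_.Exception.Message }

# 4. Lee's registry check: forceguest=1 maps network logons with local accounts to Guest,
#    so a bind as a local ADAM administrator could not succeed. 0 (as in the thread) is expected.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name forceguest -ErrorAction SilentlyContinue).forceguest
```

Run it once with the firewall profile active and once with it off; if step 1 and 2 pass both times and only step 3 fails, the firewall and the ADAM service are cleared and the problem is in the authentication path.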
  12. Took me a little while, but here are the answers...

    Q: Do you audit logon/logoff failures on the machine, if so could
    you check the security event log after the bind attempt with ldp?
    A: Done. Nothing in the log.

    Q: Could you try (right-click) disabling all network interfaces but
    the network interface that has the domain connection?
    A: Didn't help.

    Q: You said you tried a local account as ADAM administrator, when
    you test that using ldp (specifying the Netbios name of the machine
    in the Domain field of the bind popup) does that fail in the same way?
    A: Yes

    Q: And the same test with ALL network interfaces disabled?
    A: Still fails.

    Q: For a domain machine it should not matter but what value do you
    have for
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forceguest
    A: 0

    Q: Check that the machine is happily joined to the domain. You can access
    network resources, right? Can you logon to the machine as PINNACLE\lbagnall?
    A: Yes, no problem.
     
    Laura Bagnall, Oct 20, 2004
    #12
  13. Hmmm... There's something funky going on. Some non-standard network stack I
    wonder? Cisco VPN could have installed something.

    Try connecting from another machine. Does it fail too? If so, get a network
    sniff of the failure.

     
    Dmitri Gavrilov [MSFT], Oct 20, 2004
    #13
  14. OK. Screwed around for a while with Netmon. Something strange going on with
    LSASS.EXE. However, my machine was doing other weird things, and I finally
    decided that it was going to take less time to reformat my drive and
    reinstall the operating system, than it was going to track the issue down. I
    try to do this about once every year or two anyway, and it was overdue. Damn
    big hammer, but it worked, and my system is clean now.
     
    Laura Bagnall, Oct 28, 2004
    #14