
SBS 2008 - AD/LDAP Issue - PureMessage Install


8 replies to this topic

#1 sbsman

sbsman

  • Members
  • 5 posts

Posted 12 January 2016 - 10:05 AM

Hi all

 

I'm new to this forum. I'll try and be as detailed as I can with regards to this issue - sorry if it's a bit long winded!

 

Basically we had an old version of Sophos PureMessage (v3.0) on our SBS 2008 server running Exchange 2007, and we wanted to upgrade this to 3.1.1. That in itself is fine, however during the installation no matter what we seemed to do it wouldn't upgrade to the new version. We have now uninstalled PureMessage in order to install it again from scratch.

 

However the same problem now happens on a new installation. During the setup process it asks to create a new password for the predefined user of 'SophosPureMessage', but according to the error message the password complexity requirements don't meet what the domain wants - even though I have entered passwords as long as 15-20 characters that include alphanumeric, uppercase, lowercase and multiple special characters. What we have tried is creating a network user of SophosPureMessage manually instead, which then lets us past this stage; however the setup will fail during the last stages as it says it is unable to contact the AD domain because of logon failure. However we know that the AD domain is contactable as all other domain services work fine (DNS, Email, Logon etc).

 

Our server is configured to run using a domain format of XXX.local, however the error message doesn't include the '.local' in the error message of the installer. It just says unable to contact XXX.

 

I have been working with the 3rd line teams for Sophos support, who have been very good, but we aren't getting anywhere after more than a week. What they did suggest, because of the problem, is running a VBS script which had the following. For now I am just putting XXX to substitute our own domain name.

======================

const ADS_SECURE_AUTHENTICATION = &H0001

Set oDSP = GetObject("LDAP:")
Set obj = oDSP.OpenDSObject("LDAP://XXX/rootDSE",vbNullString,vbNullString,ADS_SECURE_AUTHENTICATION)
WScript.Echo obj.Get("configurationNamingContext")

======================

 

Using command prompt, we then run the following command (with elevated privileges) on the root of C: cscript test.vbs > test.txt

 

We are getting an error that came back with: c:\Test.vbs(4, 1) (null): Logon failure: unknown user name or bad password.

 

I have done an NSLOOKUP command for our domain and the following is returned:

c:\>nslookup XXX
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  fe80::5be1:f55d:a87f:965a

Name:    XXX.XXX.local
Address:  10.0.0.32

 

Does anyone know why, or more importantly how to fix this error at all? Some forums have suggested turning on IPV6 but this is already switched on so I don't believe this is the issue.

 

Other things that i can confirm:

- Being an SBS server this is the only domain controller on the domain

- We are logging on as a domain administrator

- The server doesn't run DHCP
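As an added diagnostic (not part of the original post and not the script Sophos support supplied), the following PowerShell repeats the same secure rootDSE bind the VBS script performs, but against several name forms at once: the short domain name, the FQDN, the DC's host name, its FQDN and its IP, each with plain secure authentication and again with LDAP signing and sealing requested. It goes through System.DirectoryServices, which is the same ADSI layer the VBS script's OpenDSObject call uses, so the failures should match. It assumes a domain-joined Windows machine with PowerShell 2.0 or later; XXX, XXX.local, MSD-SBS and 10.0.0.32 are the placeholders and values quoted in this thread, not real names.

```powershell
# Added example: compare secure rootDSE binds by name form, with and without LDAP signing/sealing.
# Assumes a domain-joined machine, PowerShell 2.0+, and that XXX / XXX.local / MSD-SBS / 10.0.0.32
# stand in for the real domain, DC name and DC address.
Add-Type -AssemblyName System.DirectoryServices

function Test-RootDseBind {
    param(
        [Parameter(Mandatory = $true)][string]$Server,   # NetBIOS name, FQDN, host name or IP
        [System.DirectoryServices.AuthenticationTypes]$Auth =
            [System.DirectoryServices.AuthenticationTypes]::Secure
    )
    $path = "LDAP://$Server/rootDSE"
    try {
        # Null user and password plus the Secure flag = SSPI (Kerberos/NTLM) as the current logon,
        # which is exactly what ADS_SECURE_AUTHENTICATION with vbNullString credentials does in the VBS.
        $de = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
                         -ArgumentList $path, $null, $null, $Auth
        New-Object PSObject -Property @{
            Path        = $path
            Auth        = $Auth.ToString()
            Result      = 'OK'
            ServiceName = [string]$de.Properties['ldapServiceName'].Value    # which DC answered, and its realm
            ConfigNC    = [string]$de.Properties['configurationNamingContext'].Value
        }
    } catch {
        New-Object PSObject -Property @{
            Path        = $path
            Auth        = $Auth.ToString()
            Result      = 'FAIL: ' + $_.Exception.Message
            ServiceName = $null
            ConfigNC    = $null
        }
    }
}

$targets = 'XXX', 'XXX.local', 'MSD-SBS', 'MSD-SBS.XXX.local', '10.0.0.32'
$secure  = [System.DirectoryServices.AuthenticationTypes]::Secure
$sealed  = $secure -bor [System.DirectoryServices.AuthenticationTypes]::Signing `
                   -bor [System.DirectoryServices.AuthenticationTypes]::Sealing
$results = foreach ($t in $targets) {
    foreach ($a in @($secure, $sealed)) { Test-RootDseBind -Server $t -Auth $a }
}
$results | Select-Object Path, Auth, Result, ServiceName | Format-Table -AutoSize
```

Reading the table: a bind by IP address cannot use Kerberos on these OS versions (there is no name to build an SPN from), so it falls back to NTLM. If the IP row succeeds while the name rows fail, the problem is in name resolution or the Kerberos/SPN path; if every row fails with the same "unknown user name or bad password" text, the problem is in the credential or trust path rather than DNS.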




 


#2 stratosgr

stratosgr

  • Members
  • 88 posts
  • Gender:Male
  • Location:Greece

Posted 15 January 2016 - 09:50 AM

1st of all do you have any entries on your event viewer regarding this problem or anything like connection issues or dfs replication errors?

2nd can you post log from dcdiag?



#3 sbsman

sbsman
  • Topic Starter

  • Members
  • 5 posts

Posted 15 January 2016 - 11:57 AM

> 1st of all do you have any entries on your event viewer regarding this problem or anything like connection issues or dfs replication errors?
>
> 2nd can you post log from dcdiag?

 

Hi Stratosgr

 

Thanks for your feedback.

 

I have taken a look at the DFS replication logs, but there are no warnings, errors, or critical events - just informational events. However I have taken a further look at the Directory Service events and I can see warnings - usually just a couple a day; I have copied an example of one of the messages. When I do a filter on any warning, critical, or error events though I can see that this stretches back to 2014, so this is nothing new.

 

LOG NAME: Directory Service
EVENT ID: 2887
LEVEL: WARNING
USER: ANONYMOUS LOGON
OPCODE: INFO
COMPUTER: MSD-SBS.XXX.local
TASK CATEGORY: LDAP Interface

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection
 
This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
Summary information on the number of these binds received within the past 24 hours is below.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
 
Number of simple binds performed without SSL/TLS: 0
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 34

 

 

With regards to the dcdiag command, I can see that there are all sorts of various flags that can be used with this command. Could you confirm what flags you want me to run with this command?

 

Cheers
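Event 2887 above is a daily summary only; it reports 34 SASL binds without signing but, as its own text says, it does not tell you which clients made them until the "LDAP Interface Events" diagnostics level is raised to 2, after which the DC logs event 2889 per bind with the client address and identity. The following added example (not from this thread) does that: it raises the level, collects the 2889 events, and groups them by client and identity so the unsigned-bind sources can be identified before the DC is configured to reject such binds. It assumes it runs elevated on the DC with PowerShell 2.0 or later, and that the event's replacement strings are, in order, client address, identity and binding type.

```powershell
# Added example: find the clients behind event 2887's "binds performed without signing" count.
# Assumes an elevated PowerShell 2.0+ session on the DC (MSD-SBS in the thread).
$diagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$diagName = '16 LDAP Interface Events'

function Set-LdapInterfaceLogging {
    param([ValidateRange(0, 5)][int]$Level)
    # Level 2 makes the DC write event 2889 for every unsigned SASL bind and every cleartext
    # simple bind; level 0 is the default. Takes effect immediately, no restart needed.
    Set-ItemProperty -Path $diagKey -Name $diagName -Value $Level -Type DWord
}

function Get-UnsignedLdapBindClients {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Replacement strings of event 2889: [0] client IP:port, [1] identity bound as, [2] binding type
        # (0 = SASL bind without signing, 1 = simple bind on a cleartext connection).
        $bindType = 'UnsignedSASL'
        if ([string]$e.Properties[2].Value -eq '1') { $bindType = 'SimpleCleartext' }
        New-Object PSObject -Property @{
            Time     = $e.TimeCreated
            Client   = [string]$e.Properties[0].Value
            Identity = [string]$e.Properties[1].Value
            BindType = $bindType
        }
    }
    $rows | Group-Object Client, Identity, BindType | Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'Client';   e = { $_.Group[0].Client } },
                      @{ n = 'Identity'; e = { $_.Group[0].Identity } },
                      @{ n = 'BindType'; e = { $_.Group[0].BindType } }
}

# Usage: turn the per-bind logging on, leave it for a full reporting window (2887 is a 24-hour
# summary), list the offenders, then turn it back off.
Set-LdapInterfaceLogging -Level 2
# ... wait up to 24 hours ...
Get-UnsignedLdapBindClients -Hours 24 | Format-Table -AutoSize
Set-LdapInterfaceLogging -Level 0
```

The identity column is what makes this useful: an unsigned bind that shows up as a service account or an older client (the XP machines mentioned later in the thread are a typical source) can be fixed at the client before the "reject such binds" hardening the event recommends is turned on, rather than discovered by an outage afterwards.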



#4 JohnnyJammer

JohnnyJammer

  • Members
  • 1,114 posts
  • Gender:Male
  • Location:QLD Australia

Posted 17 January 2016 - 06:51 PM

So it sounds like an authentication issue and I would say because it's looking to auth using the NetBIOS name and not the fully qualified domain name.

Is there any reason this cannot be a local account on the mail server?

 

Just to check, run the command ncpa.cpl, right click the adaptor and then properties, TCP/IPv4, then advanced and then click the DNS tab and then make sure "append primary and connection specific DNS" is ticked and the sub tree is ticked also.

Maybe even create a new DNS record.

EDIT: also that dcdiag dump could be from an XP machine trying to authenticate?


Edited by JohnnyJammer, 17 January 2016 - 06:55 PM.


#5 sbsman

sbsman
  • Topic Starter

  • Members
  • 5 posts

Posted 18 January 2016 - 06:53 AM

> So it sounds like an authentication issue and I would say because it's looking to auth using the NetBIOS name and not the fully qualified domain name.
>
> Is there any reason this cannot be a local account on the mail server?
>
> Just to check, run the command ncpa.cpl, right click the adaptor and then properties, TCP/IPv4, then advanced and then click the DNS tab and then make sure "append primary and connection specific DNS" is ticked and the sub tree is ticked also.
>
> Maybe even create a new DNS record.
>
> EDIT: also that dcdiag dump could be from an XP machine trying to authenticate?

 

Hi Johnny

 

Sorry I'm not too sure what you mean by 'is there any reason this cannot be a local account on the mail server'? Exchange is on the same server so the admin user does have a mail account.

 

I've checked the DNS tab on the IPv4 of the active network card and 'Append primary and connection specific DNS suffixes' is currently selected, and the tick box for 'Append parent suffixes of the primary DNS suffix' is also ticked. In the bottom of the DNS tab there is also a tick box enabled which says 'Register this connection's DNS addresses in DNS'.

 

I have run the DCDIAG command, which was: dcdiag /TEST:DNS, and I have put the output below:

 

 

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = MSD-SBS

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\MSD-SBS

      Starting test: Connectivity

         ......................... MSD-SBS passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\MSD-SBS

   
      Starting test: DNS

         

         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... MSD-SBS passed test DNS

   
   Running partition tests on : DomainDnsZones

   
   Running partition tests on : ForestDnsZones

   
   Running partition tests on : Schema

   
   Running partition tests on : Configuration

   
   Running partition tests on : XXX

   
   Running enterprise tests on : XXX.local

      Starting test: DNS

         Test results for domain controllers:

            
            DC: MSD-SBS.XXX.local

            Domain: XXX.local

            

                  
               TEST: Basic (Basc)
                  Warning: The AAAA record for this DC was not found
                  
               TEST: Forwarders/Root hints (Forw)
                  Error: Forwarders list has invalid forwarder: 194.74.65.69 (<name unavailable>)
                  
               TEST: Delegations (Del)
                  Error: DNS server: exchange1.XXX.local.

                  IP:<Unavailable> [Missing glue A record]

                  
               TEST: Records registration (RReg)
                  Network Adapter

                  [00000007] Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client):

                  

                     Warning:
                     Missing AAAA record at DNS server 10.0.0.32:
                     MSD-SBS.XXX.local
                     
                     Warning:
                     Missing AAAA record at DNS server 10.0.0.32:
                     gc._msdcs.XXX.local
                     
               Warning: Record Registrations not found in some network adapters

         
         Summary of test results for DNS servers used by the above domain

         controllers:

         

            DNS server: 194.74.65.69 (<name unavailable>)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 194.74.65.69               
         Summary of DNS test results:

         
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: XXX.local

               MSD-SBS                      PASS WARN FAIL FAIL PASS WARN n/a  
         
         ......................... XXX.local failed test DNS

 

 

I was wondering whether to create a new root zone in the DNS server that just has our domain name, without the '.local' bit at the end, but I'm a little unsure about doing this in case I make the situation worse.

 

We do have a very small handful of XP machines left, but these are all being upgraded within the next few weeks.


Edited by sbsman, 18 January 2016 - 06:59 AM.
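The dcdiag DNS test above fails on three things: an unreachable forwarder (194.74.65.69), a delegation to a name server with no glue record (exchange1.XXX.local) and missing AAAA records. The added example below (not from the thread) checks, from a client's point of view, the records a domain member actually needs to find and authenticate to the DC: the DC-locator and Kerberos SRV records, the global catalog records, the bare domain name, and whether the flagged forwarder answers at all. It assumes the Resolve-DnsName cmdlet, i.e. a Windows 8 / Server 2012 or later machine on the network; on SBS 2008 itself the same queries can be made with nslookup -type=SRV <name> 10.0.0.32. XXX.local, 10.0.0.32 and 194.74.65.69 are the values quoted in the thread, and www.microsoft.com is just a public name chosen here to probe the forwarder.

```powershell
# Added example: verify the DNS records a domain client relies on, and the forwarder dcdiag flagged.
# Assumes Resolve-DnsName (Windows 8 / Server 2012+). Domain, DC address and forwarder default to
# the thread's placeholders/values; www.microsoft.com is only a reachability probe for the forwarder.
function Test-DcLocatorRecords {
    param(
        [string]$Domain    = 'XXX.local',
        [string]$DnsServer = '10.0.0.32',
        [string]$Forwarder = '194.74.65.69'
    )
    $checks = @(
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV'; Server = $DnsServer }  # DC locator
        @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV'; Server = $DnsServer }  # KDC for Kerberos binds
        @{ Name = "_gc._tcp.$Domain";                 Type = 'SRV'; Server = $DnsServer }  # global catalog locator
        @{ Name = "gc._msdcs.$Domain";                Type = 'A';   Server = $DnsServer }  # dcdiag warned only about AAAA here
        @{ Name = $Domain;                            Type = 'A';   Server = $DnsServer }  # what LDAP://XXX.local resolves
        @{ Name = 'www.microsoft.com';                Type = 'A';   Server = $Forwarder }  # does the forwarder answer at all?
    )
    foreach ($c in $checks) {
        try {
            $r = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $c.Server -DnsOnly -ErrorAction Stop
            $answers = $r | Where-Object { $_.Type -eq $c.Type } | ForEach-Object {
                if ($c.Type -eq 'SRV') { "$($_.NameTarget):$($_.Port)" } else { $_.IPAddress }
            }
            New-Object PSObject -Property @{
                Record = $c.Name; Type = $c.Type; Server = $c.Server; Status = 'OK'
                Answer = ($answers -join ', ')
            }
        } catch {
            # NXDOMAIN, timeout (dead forwarder) and refused all land here; the message says which
            New-Object PSObject -Property @{
                Record = $c.Name; Type = $c.Type; Server = $c.Server; Status = 'FAIL'
                Answer = $_.Exception.Message
            }
        }
    }
}

Test-DcLocatorRecords | Select-Object Record, Type, Server, Status, Answer | Format-Table -AutoSize
```

Every SRV answer should point at the DC's own FQDN (MSD-SBS.XXX.local in this thread) and nothing else; a stale target such as a decommissioned server in any of these records is a more direct cause of logon failures than the missing AAAA records, which only matter if clients are expected to reach the DC over IPv6.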


#6 JohnnyJammer

JohnnyJammer

  • Members
  • 1,114 posts
  • Gender:Male
  • Location:QLD Australia

Posted 18 January 2016 - 04:59 PM

You appear to have DNS issues mate, you might need to get the DNS IP from your ISP or use Google's DNS server for the DNS forwarding (Error: Forwarders list has invalid forwarder: 194.74.65.69 (<name unavailable>)).

Also there appears to be no AAA record for the exchange server (exchange1.XXX.local); are you sure this same server is running the DNS service/role?

Also it's not advised to have Exchange on the same server as Active Directory (Global Catalog).

 

So from what I see you are missing the DNS record for the GC server

Warning:
                     Missing AAAA record at DNS server 10.0.0.32:
                     gc._msdcs.XXX.local

 

Try flushing the DNS on Exchange using this one long command (it's 2 commands in one line) "ipconfig /flushdns && ipconfig /registerdns"; that should flush and re-register the DNS records on the Exchange server, and also nslookup should point to 10.0.0.32.



#7 sbsman

sbsman
  • Topic Starter

  • Members
  • 5 posts

Posted 19 January 2016 - 07:32 AM

Hi Johnny

 

The computer 'EXCHANGE1' was our old email server, is no longer being used and hasn't been switched on since it was decommissioned. I believe that our current server however was upgraded from SBS 2003 to SBS 2008 at some point - unsure of when. I can't help but wonder if this is contributing to the problem somehow.

 

I only have a basic understanding of DNS, but I have removed old references and that old name server which wasn't responding (EXCHANGE1). I have re-run DCDIAG /TEST:DNS and the output now looks a bit better.

 

 

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = MSD-SBS

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\MSD-SBS

      Starting test: Connectivity

         ......................... MSD-SBS passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\MSD-SBS

   
      Starting test: DNS

         

         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... MSD-SBS passed test DNS

   
   Running partition tests on : DomainDnsZones

   
   Running partition tests on : ForestDnsZones

   
   Running partition tests on : Schema

   
   Running partition tests on : Configuration

   
   Running partition tests on : XXX

   
   Running enterprise tests on : XXX.local

      Starting test: DNS

         Test results for domain controllers:

            
            DC: MSD-SBS.XXX.local

            Domain: XXX.local

            

                  
               TEST: Basic (Basc)
                  Warning: The AAAA record for this DC was not found
                  
               TEST: Records registration (RReg)
                  Network Adapter

                  [00000007] Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client):

                  

                     Warning:
                     Missing AAAA record at DNS server 10.0.0.32:
                     MSD-SBS.XXX.local
                     
                     Warning:
                     Missing AAAA record at DNS server 10.0.0.32:
                     gc._msdcs.XXX.local
                     
               Warning: Record Registrations not found in some network adapters

         
               MSD-SBS                      PASS WARN PASS PASS PASS WARN n/a  
         ......................... XXX.local passed test DNS

 

 

I have then followed your instructions and run the command you instructed and have got the following output:

 

C:\Windows\system32>ipconfig /flushdns && ipconfig /registerdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

Windows IP Configuration

Registration of the DNS resource records for all adapters of this computer has been initiated. Any errors will be reported in the Event Viewer in 15 minutes.

 

 

I have re-run the script command: cscript Test.vbs but I am still getting the error below:

 

c:\>cscript Test.vbs
Microsoft ® Windows Script Host Version 5.7
Copyright © Microsoft Corporation. All rights reserved.

c:\Test.vbs(4, 1) (null): Logon failure: unknown user name or bad password.

 

 

I'm baffled as to why we are still getting this error though. I thought communicating via LDAP with the server should have been straight forward... Any other ideas?



#8 sbsman

sbsman
  • Topic Starter

  • Members
  • 5 posts

Posted 19 January 2016 - 09:50 AM

Also just to add to further investigation work I have been doing, I have used a program called 'LDP.exe' that comes bundled with Server 2008 to do some testing. I have connected to the domain XXX on the default unsecured port of 389 (I also tested on the SSL port of 636, which also works).

 

 

ld = ldap_open("XXX", 389);
Established connection to XXX.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=XXX,DC=local;
currentTime: 19/01/2016 14:01:53 GMT Standard Time;
defaultNamingContext: DC=XXX,DC=local;
dnsHostName: MSD-SBS.XXX.local;
domainControllerFunctionality: 3 = ( WIN2008 );
domainFunctionality: 2 = ( WIN2003 );
dsServiceName: CN=NTDS Settings,CN=MSD-SBS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=local;
forestFunctionality: 2 = ( WIN2003 );
highestCommittedUSN: 6985394;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: XXX.local:msd-sbs$@XXX.LOCAL;
namingContexts (5): DC=XXX,DC=local; CN=Configuration,DC=XXX,DC=local; CN=Schema,CN=Configuration,DC=XXX,DC=local; DC=ForestDnsZones,DC=XXX,DC=local; DC=DomainDnsZones,DC=XXX,DC=local;
rootDomainNamingContext: DC=XXX,DC=local;
schemaNamingContext: CN=Schema,CN=Configuration,DC=XXX,DC=local;
serverName: CN=MSD-SBS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=local;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=XXX,DC=local;
supportedCapabilities (4): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 );
supportedControl (26): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT );
supportedLDAPPolicies (14): MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn; MaxValRange; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

-----------

 

 

I have also been looking around at the Active Directory domains and trusts, but because I am cautious I don't want to adjust anything in here until I understand any implications of what I'm doing first.

 

What I have noticed under Sites > Default-First-Site-Name > Servers is that there are 2 object references called 'EXCHANGE1' and 'MSD-SBS'.

 

When I have right clicked on 'EXCHANGE1' and selected properties the general tab says:

 

Computer: EXCHANGE1

Domain: XXX.local

DC Type: Domain Controller

 

Transports available for inter-site transfer

IP

SMTP

 

 

When I have right clicked on 'MSD-SBS' and selected properties the general tab says:

 

Computer: msd-sbs

Domain: XXX.local

DC Type: Global Catalog

 

Transports available for inter-site transfer

IP

SMTP

 

This has thrown me a bit as it was my understanding that our SBS was the Domain Controller. When computers connect to the domain they seem to be able to join without a problem. Is this likely to be one of the issues that is causing the problem?



#9 JohnnyJammer

JohnnyJammer

  • Members
  • 1,114 posts
  • Gender:Male
  • Location:QLD Australia

Posted 19 January 2016 - 05:40 PM

Still see an error for no DNS record from the server you are performing the dcdiag from

TEST: Basic (Basc)
                  Warning: The AAAA record for this DC was not found

 

Also you say exchange1 has been turned off but it still shows as being a domain controller, so it would have to be turned back on and have Active Directory removed as a role.

Note if it hasn't been turned on for some time then you will run into replication issues due to the tombstone period expiring.

Forcing a replication using the repadmin command will fix that, and then remove the server as a domain controller and DNS as well.
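The question raised in the two posts above, whether EXCHANGE1 is still registered as a domain controller and how that relates to the tombstone lifetime, can be answered directly from the directory rather than by clicking through Sites and Services. The added example below (not from the thread) lists every server object under Sites that still has an NTDS Settings object, which is what makes a server a DC as far as replication is concerned, flags which ones hold the global catalog, and reads the forest's tombstone lifetime. It uses only [ADSI] and System.DirectoryServices, so it runs on the Server 2008 PowerShell that ships with SBS, as a domain user, against whatever DC the locator returns.

```powershell
# Added example: which servers are still registered as DCs (nTDSDSA objects under Sites), and the
# forest tombstone lifetime. Read-only; uses [ADSI] so it works on Server 2008 PowerShell.
function Get-RegisteredDomainControllers {
    $rootDse = [ADSI]'LDAP://rootDSE'
    $cfgNC   = [string]$rootDse.Properties['configurationNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$cfgNC"
    # One nTDSDSA ("NTDS Settings") object per DC; it disappears only after a clean demotion
    # or a metadata cleanup, so a server object that still has one is still a replication partner.
    $searcher.Filter = '(objectClass=nTDSDSA)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'options', 'whenChanged'))
    foreach ($res in $searcher.FindAll()) {
        $ntdsDn   = [string]$res.Properties['distinguishedname'][0]
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''       # parent server object
        $server   = [ADSI]"LDAP://$serverDn"
        $options  = 0
        if ($res.Properties['options'].Count -gt 0) { $options = [int]$res.Properties['options'][0] }
        New-Object PSObject -Property @{
            Server          = [string]$server.Properties['cn'].Value
            DnsHostName     = [string]$server.Properties['dNSHostName'].Value
            IsGlobalCatalog = (($options -band 1) -eq 1)                  # NTDSDSA_OPT_IS_GC bit
            NtdsChanged     = $res.Properties['whenchanged'][0]
        }
    }
}

function Get-TombstoneLifetimeDays {
    $rootDse = [ADSI]'LDAP://rootDSE'
    $cfgNC   = [string]$rootDse.Properties['configurationNamingContext'].Value
    $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC"
    $tl = $ds.Properties['tombstoneLifetime'].Value
    if ($null -eq $tl) { 60 } else { [int]$tl }   # attribute absent = legacy default of 60 days
}

Get-RegisteredDomainControllers |
    Select-Object Server, DnsHostName, IsGlobalCatalog, NtdsChanged | Format-Table -AutoSize
"Tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
```

If a listed server has been offline for longer than the tombstone lifetime it returns, Microsoft's guidance is not to reconnect it: lingering objects can replicate back in. The supported path is to leave it off, remove its remaining metadata (ntdsutil "metadata cleanup", or deleting the NTDS Settings object from Sites and Services on 2008, which runs the same cleanup), remove its DNS records, and then confirm with repadmin /showrepl that the remaining DC lists no replication partners.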





