I have an issue with secure LDAP authentication on a Windows 2003
server running in 2000 mode. Anonymous LDAP test is successful, but
not the secure LDAP test. There are two domain controllers.
Here are the results of netdiag: (domain name changed for security)
Global results:
Domain membership test . . . . . . : Passed
Machine is a . . . . . . . . . : Member Workstation
Netbios Domain name. . . . . . : AAAA
Dns domain name. . . . . . . . : AAAA.local
Dns forest name. . . . . . . . : AAAA.local
Domain Guid. . . . . . . . . . : {F33CAB50-4A36-463B-A28C-1F2B6D556FE6}
Domain Sid . . . . . . . . . . : S-1-5-21-1706305302-796677691-2764107765
Logon User . . . . . . . . . . : joe.smith
Logon Domain . . . . . . . . . : AAAA
Logon Server . . . . . . . . . : \\AAAADC2
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{2336B8EA-F405-4BE0-944A-BC42F9B0366F}
1 NetBt transport currently configured.
LDAP test. . . . . . . . . . . . . : Failed
Find DC in domain 'AAAA':
Found this DC in domain 'AAAA':
DC. . . . . . . . . . . : \\aaaadc2.AAAA.local
Address . . . . . . . . : \\192.168.1.192
Domain Guid . . . . . . : {F33CAB50-4A36-463B-A28C-1F2B6D556FE6}
Domain Name . . . . . . : AAAA.local
Forest Name . . . . . . : AAAA.local
DC Site Name. . . . . . : Default-First-Site-Name
Our Site Name . . . . . : Default-First-Site-Name
Flags . . . . . . . . . : GC DS KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8
Do un-authenticated LDAP call to 'aaaadc2.AAAA.local'.
Found 1 entries:
Attr: currentTime
Val: 17 20070308193933.0Z
Attr: subschemaSubentry
Val: 56 CN=Aggregate,CN=Schema,CN=Configuration,DC=AAAA,DC=local
Attr: dsServiceName
Val: 108 CN=NTDS Settings,CN=AAAADC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=AAAA,DC=local
Attr: namingContexts
Val: 16 DC=AAAA,DC=local
Val: 33 CN=Configuration,DC=AAAA,DC=local
Val: 43 CN=Schema,CN=Configuration,DC=AAAA,DC=local
Val: 34 DC=ForestDnsZones,DC=AAAA,DC=local
Val: 34 DC=DomainDnsZones,DC=AAAA,DC=local
Attr: defaultNamingContext
Val: 16 DC=AAAA,DC=local
Attr: schemaNamingContext
Val: 43 CN=Schema,CN=Configuration,DC=AAAA,DC=local
Attr: configurationNamingContext
Val: 33 CN=Configuration,DC=AAAA,DC=local
Attr: rootDomainNamingContext
Val: 16 DC=AAAA,DC=local
Attr: supportedControl
Val: 22 1.2.840.113556.1.4.319
Val: 22 1.2.840.113556.1.4.801
Val: 22 1.2.840.113556.1.4.473
Val: 22 1.2.840.113556.1.4.528
Val: 22 1.2.840.113556.1.4.417
Val: 22 1.2.840.113556.1.4.619
Val: 22 1.2.840.113556.1.4.841
Val: 22 1.2.840.113556.1.4.529
Val: 22 1.2.840.113556.1.4.805
Val: 22 1.2.840.113556.1.4.521
Val: 22 1.2.840.113556.1.4.970
Val: 23 1.2.840.113556.1.4.1338
Val: 22 1.2.840.113556.1.4.474
Val: 23 1.2.840.113556.1.4.1339
Val: 23 1.2.840.113556.1.4.1340
Val: 23 1.2.840.113556.1.4.1413
Val: 23 2.16.840.1.113730.3.4.9
Val: 24 2.16.840.1.113730.3.4.10
Val: 23 1.2.840.113556.1.4.1504
Val: 23 1.2.840.113556.1.4.1852
Val: 22 1.2.840.113556.1.4.802
Val: 23 1.2.840.113556.1.4.1907
Attr: supportedLDAPVersion
Val: 1 3
Val: 1 2
Attr: supportedLDAPPolicies
Val: 14 MaxPoolThreads
Val: 15 MaxDatagramRecv
Val: 16 MaxReceiveBuffer
Val: 15 InitRecvTimeout
Val: 14 MaxConnections
Val: 15 MaxConnIdleTime
Val: 11 MaxPageSize
Val: 16 MaxQueryDuration
Val: 16 MaxTempTableSize
Val: 16 MaxResultSetSize
Val: 22 MaxNotificationPerConn
Val: 11 MaxValRange
Attr: highestCommittedUSN
Val: 7 1421098
Attr: supportedSASLMechanisms
Val: 6 GSSAPI
Val: 10 GSS-SPNEGO
Val: 8 EXTERNAL
Val: 10 DIGEST-MD5
Attr: dnsHostName
Val: 18 aaaadc2.AAAA.local
Attr: ldapServiceName
Val: 30 AAAA.local:aaaadc2$@AAAA.LOCAL
Attr: serverName
Val: 91 CN=AAAADC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=AAAA,DC=local
Attr: supportedCapabilities
Val: 22 1.2.840.113556.1.4.800
Val: 23 1.2.840.113556.1.4.1670
Val: 23 1.2.840.113556.1.4.1791
Attr: isSynchronized
Val: 4 TRUE
Attr: isGlobalCatalogReady
Val: 4 TRUE
Attr: domainFunctionality
Val: 1 0
Attr: forestFunctionality
Val: 1 0
Attr: domainControllerFunctionality
Val: 1 2
Do NTLM authenticated LDAP call to 'aaaadc2.AAAA.local'.
[FATAL] Cannot do NTLM authenticated ldap_bind to 'aaaadc2.AAAA.local': Invalid Credentials.
Do Negotiate authenticated LDAP call to 'aaaadc2.AAAA.local'.
[FATAL] Cannot do Negotiate authenticated ldap_bind to 'aaaadc2.AAAA.local': Invalid Credentials.
Registered Service Principal Names:
MSSQLSvc/440-05.AAAA.local:1913
HOST/440-05
HOST/440-05.AAAA.local
Do un-authenticated LDAP call to 'aaaadc1.AAAA.local'.
Found 1 entries:
Attr: currentTime
Val: 17 20070308193933.0Z
Attr: subschemaSubentry
Val: 56 CN=Aggregate,CN=Schema,CN=Configuration,DC=AAAA,DC=local
Attr: dsServiceName
Val: 108 CN=NTDS Settings,CN=AAAADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=AAAA,DC=local
Attr: namingContexts
Val: 16 DC=AAAA,DC=local
Val: 33 CN=Configuration,DC=AAAA,DC=local
Val: 43 CN=Schema,CN=Configuration,DC=AAAA,DC=local
Val: 34 DC=ForestDnsZones,DC=AAAA,DC=local
Val: 34 DC=DomainDnsZones,DC=AAAA,DC=local
Attr: defaultNamingContext
Val: 16 DC=AAAA,DC=local
Attr: schemaNamingContext
Val: 43 CN=Schema,CN=Configuration,DC=AAAA,DC=local
Attr: configurationNamingContext
Val: 33 CN=Configuration,DC=AAAA,DC=local
Attr: rootDomainNamingContext
Val: 16 DC=AAAA,DC=local
Attr: supportedControl
Val: 22 1.2.840.113556.1.4.319
Val: 22 1.2.840.113556.1.4.801
Val: 22 1.2.840.113556.1.4.473
Val: 22 1.2.840.113556.1.4.528
Val: 22 1.2.840.113556.1.4.417
Val: 22 1.2.840.113556.1.4.619
Val: 22 1.2.840.113556.1.4.841
Val: 22 1.2.840.113556.1.4.529
Val: 22 1.2.840.113556.1.4.805
Val: 22 1.2.840.113556.1.4.521
Val: 22 1.2.840.113556.1.4.970
Val: 23 1.2.840.113556.1.4.1338
Val: 22 1.2.840.113556.1.4.474
Val: 23 1.2.840.113556.1.4.1339
Val: 23 1.2.840.113556.1.4.1340
Val: 23 1.2.840.113556.1.4.1413
Val: 23 2.16.840.1.113730.3.4.9
Val: 24 2.16.840.1.113730.3.4.10
Val: 23 1.2.840.113556.1.4.1504
Val: 23 1.2.840.113556.1.4.1852
Val: 22 1.2.840.113556.1.4.802
Val: 23 1.2.840.113556.1.4.1907
Attr: supportedLDAPVersion
Val: 1 3
Val: 1 2
Attr: supportedLDAPPolicies
Val: 14 MaxPoolThreads
Val: 15 MaxDatagramRecv
Val: 16 MaxReceiveBuffer
Val: 15 InitRecvTimeout
Val: 14 MaxConnections
Val: 15 MaxConnIdleTime
Val: 11 MaxPageSize
Val: 16 MaxQueryDuration
Val: 16 MaxTempTableSize
Val: 16 MaxResultSetSize
Val: 22 MaxNotificationPerConn
Val: 11 MaxValRange
Attr: highestCommittedUSN
Val: 7 1677486
Attr: supportedSASLMechanisms
Val: 6 GSSAPI
Val: 10 GSS-SPNEGO
Val: 8 EXTERNAL
Val: 10 DIGEST-MD5
Attr: dnsHostName
Val: 18 aaaadc1.AAAA.local
Attr: ldapServiceName
Val: 30 AAAA.local:aaaadc1$@AAAA.LOCAL
Attr: serverName
Val: 91 CN=AAAADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=AAAA,DC=local
Attr: supportedCapabilities
Val: 22 1.2.840.113556.1.4.800
Val: 23 1.2.840.113556.1.4.1670
Val: 23 1.2.840.113556.1.4.1791
Attr: isSynchronized
Val: 4 TRUE
Attr: isGlobalCatalogReady
Val: 5 FALSE
Attr: domainFunctionality
Val: 1 0
Attr: forestFunctionality
Val: 1 0
Attr: domainControllerFunctionality
Val: 1 2
Do NTLM authenticated LDAP call to 'aaaadc1.AAAA.local'.
[FATAL] Cannot do NTLM authenticated ldap_bind to 'aaaadc1.AAAA.local': Invalid Credentials.
Do Negotiate authenticated LDAP call to 'aaaadc1.AAAA.local'.
[FATAL] Cannot do Negotiate authenticated ldap_bind to 'aaaadc1.AAAA.local': Invalid Credentials.
Registered Service Principal Names:
MSSQLSvc/440-05.AAAA.local:1913
HOST/440-05
HOST/440-05.AAAA.local
[FATAL] No LDAP servers work in the domain 'AAAA'.
The command completed successfully
Everyone can log in just fine, no issues with any shares or rights.
However, when I install services that require a network account, the
services will not accept the correct username and password. It locks
the service account, and my administrator account. Specifically the
application is Symantec Continuous Backup Protection server. I have
spent many hours on the phone with them and they said they have never
seen this before.
Anyone have any ideas how to fix this? I thought about using netdom
to reset the DC account, but I don't know if that will fix it.
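The pattern in the output above (the anonymous RootDSE query against each DC succeeds, every NTLM and Negotiate bind is refused with "Invalid Credentials") is what separates a credential or account problem from an LDAP reachability problem. The following Python script, added here as an example and not part of the original post, parses the LDAP section of netdiag output per domain controller, re-joins the bind error messages that netdiag wraps across two lines, collects the advertised SASL mechanisms, and classifies each DC. The embedded sample is a constructed excerpt modelled on the quoted output, with the second DC altered so that its authenticated binds succeed; treating the absence of a `[FATAL]` line after a `Do ... LDAP call` line as success is an assumption of this script, not documented netdiag behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the netdiag output in the post; not a real capture.
# aaaadc1 is deliberately shown with succeeding authenticated binds to exercise both paths.
SAMPLE_NETDIAG = """\
LDAP test. . . . . . . . . . . . . : Failed
Do un-authenticated LDAP call to 'aaaadc2.AAAA.local'.
Found 1 entries:
Attr: supportedSASLMechanisms
Val: 6 GSSAPI
Val: 10 GSS-SPNEGO
Val: 8 EXTERNAL
Val: 10 DIGEST-MD5
Attr: domainControllerFunctionality
Val: 1 2
Do NTLM authenticated LDAP call to 'aaaadc2.AAAA.local'.
[FATAL] Cannot do NTLM authenticated ldap_bind to
'aaaadc2.AAAA.local': Invalid Credentials.
Do Negotiate authenticated LDAP call to 'aaaadc2.AAAA.local'.
[FATAL] Cannot do Negotiate authenticated ldap_bind to
'aaaadc2.AAAA.local': Invalid Credentials.
Do un-authenticated LDAP call to 'aaaadc1.AAAA.local'.
Found 1 entries:
Attr: supportedSASLMechanisms
Val: 6 GSSAPI
Val: 10 GSS-SPNEGO
Do NTLM authenticated LDAP call to 'aaaadc1.AAAA.local'.
Do Negotiate authenticated LDAP call to 'aaaadc1.AAAA.local'.
[FATAL] No LDAP servers work in the domain 'AAAA'.
"""

CALL_RE = re.compile(
    r"^Do (un-authenticated|NTLM authenticated|Negotiate authenticated) LDAP call to '([^']+)'\.$")
FATAL_BIND_RE = re.compile(
    r"^\[FATAL\] Cannot do (\w+) authenticated ldap_bind to '([^']+)': (.+?)\.?$")
VAL_RE = re.compile(r"^Val: \d+ (.+)$")  # netdiag prefixes each value with its length


@dataclass
class DcResult:
    host: str
    anonymous_ok: bool = False
    sasl_mechanisms: list = field(default_factory=list)
    binds_attempted: list = field(default_factory=list)
    bind_errors: dict = field(default_factory=dict)  # mechanism -> reason text


def _unwrap(lines):
    """Re-join '[FATAL] Cannot do ... ldap_bind to' messages wrapped onto a second line."""
    out, buf = [], None
    for line in lines:
        line = line.rstrip()
        if buf is not None:
            buf = buf + " " + line.strip()
            if "':" in buf:  # the host and reason have arrived; message complete
                out.append(buf)
                buf = None
            continue
        if line.startswith("[FATAL] Cannot do") and "':" not in line:
            buf = line
            continue
        out.append(line)
    if buf:
        out.append(buf)
    return out


def parse_ldap_test(text):
    """Return {host: DcResult} for every DC netdiag contacted in its LDAP test."""
    results, current, current_attr = {}, None, None
    for line in _unwrap(text.splitlines()):
        m = CALL_RE.match(line)
        if m:
            kind, host = m.groups()
            current = results.setdefault(host, DcResult(host))
            current_attr = None
            if kind != "un-authenticated":
                current.binds_attempted.append(kind.split()[0])  # "NTLM" / "Negotiate"
            continue
        if current is None:
            continue
        if line.startswith("Found ") and line.endswith(" entries:"):
            current.anonymous_ok = True  # RootDSE returned: the LDAP service is reachable
        elif line.startswith("Attr: "):
            current_attr = line[6:].strip()
        elif current_attr == "supportedSASLMechanisms" and (m := VAL_RE.match(line)):
            current.sasl_mechanisms.append(m.group(1))
        elif (m := FATAL_BIND_RE.match(line)):
            mech, host, reason = m.groups()
            results.setdefault(host, DcResult(host)).bind_errors[mech] = reason


    return results


def triage(dc):
    """Classify one DC: reachability problem, credential problem, partial, or healthy."""
    if not dc.anonymous_ok:
        return "unreachable: anonymous RootDSE query failed"
    if dc.binds_attempted and all(m in dc.bind_errors for m in dc.binds_attempted):
        reasons = set(dc.bind_errors.values())
        if reasons == {"Invalid Credentials"}:
            return "credentials rejected: LDAP reachable, every authenticated bind refused"
        return "authenticated binds failed: " + ", ".join(sorted(reasons))
    if dc.bind_errors:
        return "partial: " + ", ".join(f"{m} failed ({r})" for m, r in sorted(dc.bind_errors.items()))
    return "healthy: anonymous and authenticated binds succeeded"


if __name__ == "__main__":
    for host, dc in parse_ldap_test(SAMPLE_NETDIAG).items():
        print(f"{host}: {triage(dc)}; SASL: {', '.join(dc.sasl_mechanisms)}")
```

Run against a saved `netdiag /v` transcript instead of the sample and the classification tells you whether to look at the machine or user account (credentials rejected on every DC, as in the post) or at a single DC's LDAP service (unreachable or partial on one DC only).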