http://marcdekeyser.com

Article: ADAM Troubleshooting

Initial troubleshooting

As always, one of the first things to check is the Event Viewer to see whether an event was logged detailing the error. Additionally, check %windir%\debug for adamsetup.log and adamuninstall.log (the latter is only created during the uninstall process). These two logs tell you where setup is failing and what should be checked.

It also pays to know that setup errors are written to the registry. If you cannot find the following key, there was no failure: the keys are only generated when setup fails, and they are removed after a successful installation.

Registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\ADAM_Installer_Results

Specific troubleshooting

ERROR_LOGON_FAILURE When Trying to Bind

If the computer is a member of a workgroup and not a domain, verify that the following registry value is 0 and reboot the machine before attempting to run setup again.

HKLM\SYSTEM\CurrentControlSet\Control\LSA\forceguest

Error: 0x800706fd The trust relationship between this workstation and the primary domain failed

If you are installing ADAM while not connected to the domain, check whether you are trying to run the ADAM service as the Network Service account (NetworkService). If so, you will need to connect to the domain so that this account can be resolved, or choose a local account as the ADAM service account.

Error: ADAM Setup could not complete because shortcuts could not be added to the Start menu

Delete the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ADAM_Shared

Error: The name referenced is invalid

When you add an ADAM user to the administrator group of the schema or configuration container you get the error "The name referenced is invalid." This error is by design. An ADAM user cannot be an administrator of the whole instance. Users are not allowed in the Configuration container and groups cannot have cross-NC membership.

Troubleshooting the Addition of Partitions, Users, Groups, and OUs

Unable to Create a Partition

This can be done during setup, but if it was not done at that time, you will have to create the partition via DSMGMT or LDP. You must be logged on with the credentials that were used to create the ADAM instance. This account became the ADAM administrator when the instance was created. Below is an example of how to do this in DSMGMT.

1. Open the ADAM command prompt.
2. Type dsmgmt.
3. Type partition management.
4. Type connections.
5. Type connect to server servername:port, where servername is the name or IP address of the server and port is the port of the ADAM instance.
6. Type quit.
7. Type list to list the existing partitions. Partitions cannot have the same name even if the DN type is different. The following DN types are supported: C, CN, DC, L, O, OU.
8. To create a new application partition, type create NC %1 %2 %3, where %1 is the DN of the partition, %2 is the objectclass, and %3 is the server:port number (or NULL for the currently selected instance).

Cannot Add Replica Partition

This can be done with Dsmgmt also. Do this on the machine that you want to hold the new replica partition. Follow Steps 1 through 6 above for adding a partition, then for Step 7 run the following command:

Add NC replica 

Error: AD/AM create application directory failed with error 64 (Naming Violation)

This can happen if you use the objectclass container with a DC=domain,DC=com style partition. The correct objectclass for that DN form is domainDNS.

Error: AD/AM create application directory failed with error 53 (Unwilling To Perform)

One possible cause is that the objectclass is domain instead of domainDNS.

Error: AD/AM create application directory failed with error 16 (No Such Attribute)

This can happen if you choose an objectclass that does not exist. Here is a list of the DN types and the objectclass each requires; the first name in the DN determines the objectclass that you use:

DC = domainDNS
O = Organization
CN = Container
C = Country
L = Locality
OU = OrganizationalUnit
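As an added example (not code from the original article), the following Python script pre-checks a partition DN and objectclass against the rules stated in the partition-creation steps and the error list above: the supported DN types, the objectclass each requires, and partition names that must be unique even across DN types. The DN-type-to-objectclass table is the article's; the function names, the sample DNs and the choice of Python are assumptions of this example.

```python
"""Added example, not from the original article: sanity-check a partition DN and
objectclass before running dsmgmt's "create NC".  It encodes the rules the article
gives: the leading RDN type must be one of C, CN, DC, L, O, OU; the objectclass must
match that type; and partition names must be unique even across DN types.  The LDAP
result codes in the messages are the ones quoted in the article."""
import re

# Leading RDN type -> objectclass, as listed in the article.
RDN_TYPE_TO_CLASS = {
    "DC": "domainDNS",
    "O": "organization",
    "CN": "container",
    "C": "country",
    "L": "locality",
    "OU": "organizationalUnit",
}

_RDN_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$")


def split_dn(dn):
    """Split a DN on unescaped commas into (TYPE, value) tuples; TYPE is upper-cased."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        m = _RDN_RE.match(part)
        if not m:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def partition_name(dn):
    """Partition name with RDN types stripped, so 'O=Sales' and 'OU=Sales' compare equal."""
    return tuple(value.lower() for _, value in split_dn(dn))


def check_partition(dn, objectclass, existing_partitions=()):
    """Return a list of problems; an empty list means create NC should succeed."""
    problems = []
    rdn_type, _ = split_dn(dn)[0]
    expected = RDN_TYPE_TO_CLASS.get(rdn_type)
    given = objectclass.lower()

    if expected is None:
        problems.append(
            "DN type %s is not supported (expect error 16, No Such Attribute); "
            "use one of C, CN, DC, L, O, OU" % rdn_type)
    elif given != expected.lower():
        if rdn_type == "DC" and given == "container":
            problems.append(
                "objectclass container on a DC= partition gives error 64 "
                "(Naming Violation); use domainDNS")
        elif rdn_type == "DC" and given == "domain":
            problems.append(
                "objectclass domain on a DC= partition gives error 53 "
                "(Unwilling To Perform); use domainDNS")
        else:
            problems.append(
                "objectclass %s does not match DN type %s; expected %s"
                % (objectclass, rdn_type, expected))

    # Names must be unique across partitions even if the DN type differs.
    for existing in existing_partitions:
        if partition_name(existing) == partition_name(dn):
            problems.append(
                "a partition named like %s already exists (%s): expect error 68, "
                "Already Exists" % (dn, existing))
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_partition("DC=contoso,DC=com", "domainDNS"))
    print(check_partition("DC=contoso,DC=com", "domain"))
    print(check_partition("OU=Sales", "organizationalUnit", ["O=Sales"]))
```

Run it against the output of dsmgmt's list command (the existing partition DNs) before issuing create NC; an empty result means none of the three error cases above should occur.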


Error: ldap_addW failed with 0x33(51 (Busy) Ldap extended error message is 0000200E: SvcErr: DSID-0206013A, problem 5001 (BUSY), data -1605 Win32 error returned is 0x200e(The directory service is busy.)

If you get this error exit out of Dsmgmt and go back in. This can occur after you try to create a partition and it fails.

Error: ldap_addW failed with 0x44(68 (Already Exists) Ldap extended error message is 00002071: UpdErr: DSID-0315232B, problem 6005 (ENTRY_EXISTS), data 0 Win32 error returned is 0x2071(An attempt was made to add an object to the directory with a name that is already in use.)

You cannot create a partition with the same name but a different DN type; this is not allowed.

Error: I cannot add any users to my ADAM instance

If the schema extensions were not added during setup you will need to add these with ldifde before you can add users to your ADAM instance. These are stored in the %WinDir%\ADAM folder by default.

Error: I cannot add ADAM users to the admins group for the ADAM instance ("the name reference is invalid")

This is by design. ADAM users cannot be administrators of the instance and they cannot be added to the configuration container. Only the ADAM administrators can do this.

Error: When I try to add a group to ADAM it asks me for Value?

For this you must enter 2147483650 for a global group or 2147483656 for a universal group. Since ADAM does not have a global catalog or domains, it does not matter which type is used.

Error: The option to add an OU is not there?

OUs can only be created under the following type of namespaces by default DC, O, C, and OU. If you want to change this behavior you will have to add the container that you want to the possSuperiors attribute of the organizational unit in the schema.

Error: On Windows XP, ADSI code to retrieve ntSecurityDescriptor results in ERROR_NONE_MAPPED: No mapping between account names and security IDs was done.

This issue is resolved with the following hotfix:

817583 Active Directory Services does not request secure authorization over an SSL connection

Troubleshooting Replication

ADAM not Replicating

Since ADAM is based on Active Directory, basic troubleshooting is the same. For the directory to replicate you must have name resolution, physical connectivity, and the correct credentials to authenticate to the machine ADAM is running on.

Troubleshooting steps

1. Look at the event log for that instance; look for replication or KCC errors.
2. Are the machine and its replication partners in a domain, a workgroup, or separate forests?
3. If the machine is XP and in a workgroup, the following registry value must be changed to zero and the machine rebooted:

HKLM\SYSTEM\CurrentControlSet\Control\LSA\forceguest

4. Use ADAM Adsiedit to connect and see which value is set for the attribute msDS-ReplAuthenticationMode in the root of the Configuration container:

A - ADAM service accounts must use the same name and password. Machines in a workgroup must use this value for replication to work.

B - Kerberos with failover to NTLM. This is the default setting if the machine ADAM is installed on is a domain member.

C - Kerberos only, no failover to NTLM.

As name resolution is required for replication to work, DNS, NetBIOS, WINS, network broadcasts, or correct entries in the HOSTS file are needed. Note that only host records in the DNS service are used.
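Added example, not part of the original article: the authentication checks in steps 2 to 4 above as a small Python function run over descriptions of two replicas. The integer values 0, 1 and 2 for msDS-ReplAuthenticationMode (corresponding to A, B and C above) are the values documented for ADAM/AD LDS rather than values taken from this page; the host records, field names and function names are constructed for this example.

```python
"""Added example (not from the original article): the replication-authentication
checks from steps 2 to 4 as a function run over descriptions of two replicas."""
from dataclasses import dataclass


@dataclass
class AdamHost:
    name: str
    domain_member: bool        # False means the machine is in a workgroup
    service_account: str       # account the ADAM service runs as
    is_windows_xp: bool = False
    forceguest: int = 0        # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest


# Documented values of msDS-ReplAuthenticationMode, mapped to the article's A/B/C.
REPL_AUTH_MODES = {
    0: "A: negotiate pass-through (same service account name and password on every replica)",
    1: "B: negotiate, Kerberos with failover to NTLM (default for domain members)",
    2: "C: Kerberos only, no failover to NTLM",
}


def diagnose_replication_auth(mode, local, partner, same_service_password=True):
    """Return the findings that would stop `local` and `partner` from replicating.

    `same_service_password` is the operator's answer to "do both service accounts
    use the same password"; the secret itself is never handled here.
    """
    findings = []
    if mode not in REPL_AUTH_MODES:
        findings.append("unknown msDS-ReplAuthenticationMode value %r" % (mode,))
        return findings

    # Step 3: XP workgroup machines must have forceguest = 0 (and a reboot).
    for host in (local, partner):
        if host.is_windows_xp and not host.domain_member and host.forceguest != 0:
            findings.append("%s: forceguest=%d on a Windows XP workgroup machine; "
                            "set it to 0 and reboot" % (host.name, host.forceguest))

    # Steps 2 and 4: if a workgroup machine is involved, only mode 0 works.
    workgroup_involved = not (local.domain_member and partner.domain_member)
    if workgroup_involved and mode != 0:
        findings.append("a workgroup machine is involved, so msDS-ReplAuthenticationMode "
                        "must be 0, not %d (%s)" % (mode, REPL_AUTH_MODES[mode]))

    # Mode 0 needs an identical service account name and password on both sides.
    if mode == 0:
        if local.service_account.lower() != partner.service_account.lower():
            findings.append("mode 0 requires the same service account name on both "
                            "replicas (%s runs as %s, %s runs as %s)"
                            % (local.name, local.service_account,
                               partner.name, partner.service_account))
        elif not same_service_password:
            findings.append("mode 0 requires the same service account password "
                            "on both replicas")
    return findings


if __name__ == "__main__":
    # Constructed sample hosts.
    a = AdamHost("adam1", domain_member=False, service_account="adamsvc",
                 is_windows_xp=True, forceguest=1)
    b = AdamHost("adam2", domain_member=False, service_account="adamsvc")
    for line in diagnose_replication_auth(1, a, b):
        print(line)
```

The mode value comes from the msDS-ReplAuthenticationMode attribute read with ADAM Adsiedit as in step 4; the service account is the one shown for the instance's service in the Services console on each replica.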

Network connectivity

Required ports:

1. 389 TCP (LDAP) or 636 TCP (LDAPS) (these vary if you are using a different port number for your ADAM instance)
2. 88 TCP/UDP (Kerberos)
3. 53 TCP/UDP (DNS)
4. 445 TCP/UDP (SMB over IP traffic)

Service Principal Names

SPNs are generated when ADAM is installed and updated when the service starts; they are created as an attribute on the user account that runs the ADAM service. If it runs as Network Service, they are created as an attribute of the computer object. If they are not created you will receive Event ID 2516, which tells you which object it tried to create them under and why it failed. You will also get Event ID 2519, which gives you a script and its location; this script uses repadmin /writespn to add the SPNs manually.

Check for repadmin errors by running:

1. repadmin /showrepl server:port
2. repadmin /showutdvec (shows end-to-end replication from the perspective of a single DSA)
3. dcdiag /v /s:server:port

ADAM Service Discovery

Service Connection Points (SCP) objects are created under the machine that hosts the ADAM service. They are created or updated when the service starts and require the ADAM service account to have Create Child rights on the computer object. If the SCP cannot be created you will receive an Event ID 2537 that will describe why it could not be created.

Note that SCPs are not required and the creation of these can be disabled.

Troubleshooting Authentication Security and Certificates

Application Unable to Authenticate with ADAM

1. Verify a user can authenticate to ADAM via LDP using the server name and port number.

2. If ADAM is running on Windows XP, verify the following registry value is set to 0:

HKLM\System\CCS\Control\LSA\forceguest

3. By default anonymous binds are disabled, so an application attempting them will fail. To enable anonymous LDAP operations in ADAM, you must set the seventh character of the dsHeuristics value to 2.

4. Verify the ADAM service is running and check the event log for errors.

5. Verify what type of user is involved - ADAM User, proxy User, local user, or Windows security principal.

6. If a proxy user or Windows security principal is being used, verify that a domain is available and that the ADAM server has a valid secure channel with the domain. Verify network access, name resolution, and DNS to a domain controller. Is a domain controller available? Can the user log on to a workstation? Is replication working for both ADAM and AD (repadmin)? Basic workstation/logon troubleshooting applies here.

7. If the user is an ADAM user, a simple bind is used and must be done over SSL, since the password is sent in plain text.

8. Is the ADAM user account locked out or disabled? Check the attributes msDS-UserPasswordExpired, msDS-UserAccountAutoLocked, and msDS-UserAccountDisabled on the user object. This will default to true if you have a password policy enabled and the password is blank or does not meet the password policy requirements.

9. Are we connecting over SSL? If so can you connect over normal LDAP? Check the certificates (see the next issue).
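Added example, not code from the original article: a Python helper that computes the dsHeuristics value step 3 above describes (seventh character set to 2) and writes the LDIF that the ADAM ldifde can import to apply it. dsHeuristics is a string attribute on the Directory Service object in the Configuration partition in which each character position is one setting and missing trailing positions count as 0, so a value shorter than seven characters has to be padded before the digit is set. The object DN and the #configurationNamingContext placeholder are the standard ones; the function names are assumptions of this example, and the sample values are constructed.

```python
"""Added example, not from the original article: set the seventh character of
dsHeuristics to '2' (anonymous LDAP operations) and emit the LDIF to apply it."""

# Directory Service object holding dsHeuristics; #configurationNamingContext is the
# placeholder the ADAM version of ldifde substitutes with the instance's config NC.
DS_HEURISTICS_DN = ("CN=Directory Service,CN=Windows NT,CN=Services,"
                    "#configurationNamingContext")


def set_heuristic(value, position, digit):
    """Return `value` with the 1-based character `position` replaced by `digit`.

    Positions past the end of the current string are treated as '0', so a short or
    empty value is padded rather than rejected.
    """
    if position < 1 or len(digit) != 1 or not digit.isdigit():
        raise ValueError("position must be >= 1 and digit a single digit")
    chars = list((value or "").ljust(position, "0"))
    chars[position - 1] = digit
    return "".join(chars)


def enable_anonymous_ldap(current_value):
    """Seventh character '2' allows anonymous LDAP operations (step 3 in the article)."""
    return set_heuristic(current_value, 7, "2")


def anonymous_ldap_enabled(value):
    """True when the seventh character of dsHeuristics is '2'."""
    return len(value or "") >= 7 and value[6] == "2"


def ldif_for_dsheuristics(new_value):
    """LDIF that replaces dsHeuristics; import with the ADAM ldifde:
    ldifde -i -f dsheuristics.ldf -s server -t port"""
    return "\n".join([
        "dn: " + DS_HEURISTICS_DN,
        "changetype: modify",
        "replace: dsHeuristics",
        "dsHeuristics: " + new_value,
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: an instance whose dsHeuristics is currently unset.
    current = ""
    new = enable_anonymous_ldap(current)
    print(ldif_for_dsheuristics(new))
```

Read the current dsHeuristics value first (for example with LDP or ADAM Adsiedit) and pass it in, so that other settings already present in the string are preserved rather than overwritten.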

Cannot Bind to ADAM over SSL

1. By default, password changes in ADAM must be made over SSL, but to use SSL you need a certificate from a Certificate Services CA or a third-party certificate.

2. Request a server certificate for the Windows machine hosting the ADAM instance. Use the FQDN of the machine for the name of the certificate. Make sure to check the box that allows it to be exported to the machine store.

3. Check that the certificate was properly installed via the Certificates MMC snap-in for the computer account.

4. Allow ADAM to use the server certificate by adding it to the ADAM service's "My" store, or place it in the machine personal store and change permissions so that the ADAM service can read it. To give the ADAM service account permission to the machine certificate, grant Read and Execute on the file with the latest time stamp in the following location:

Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

5. Set up the client to trust the root CA and certificate path of the CA that issued the server certificate. Do this through the CA website: export the CA certificate and certification path, then import them into the Trusted Root store in the Certificates MMC snap-in.

SASL Bind for ADAM Security Principal

Simple LDAP binds are sent in plain text, which is why SSL should be used for security. Simple binds are the only way to bind to ADAM for an ADAM security principal. SASL binds (using Kerberos, NTLM, or Negotiate) are used by local or domain Windows security principals. Bind redirection for ADAM proxy objects use simple LDAP binds to ADAM and then a SASL bind to Active Directory to authenticate the user.

Unable to See Objects after Binding to ADAM

Is the ADAM user a member of the Readers Built in Group? By default ADAM users are placed in the Users Group which does not have any read permissions to the partition.

Unable to Bind to ADAM with an Active Directory Account or Bind Redirection with LDP

1. On the Connection menu, click Connect, and then connect to your ADAM instance on a new connection.

2. On the Options menu, click Connection Options.

3. In Option Name, in Value click LDAP_OPT_SIGN (enables/disables Kerberos signing prior to binding using the LDAP_AUTH_NEGOTIATE flag), type 1, and then click Set.

4. In Option Name, in Value click LDAP_OPT_ENCRYPT (enables/disables Kerberos encryption prior to binding using the LDAP_AUTH_NEGOTIATE flag) type 1, click Set, and then click Close. Note this does not work on Windows XP.

5. Bind to your ADAM instance with LDP by clicking Bind on the Connection menu.

6. In User, type in the distinguished name (DN) of the proxy object.

7. Make sure the Domain option is not selected.

8. In Password, type the password that is associated with the Active Directory user you specified.

Using a Different Security Principal Other Than User, Person or inetOrgPerson

Any object can be a security principal by adding the msDS-bindableobject auxiliary class and the unicodePwd attribute to the schema definition of the object class in the ADAM schema.

Using Network Load Balancing with ADAM

Follow the steps above and ensure that LDAPS is working by binding with LDP using SSL. If this works, proceed with binding a wildcard certificate.

Unable to Use Basic Authentication with IIS to Authenticate ADAM users

By default IIS cannot use ADAM as its primary authentication for ASP.NET pages. A forms authentication mechanism that uses the ADAM instance for user verification must be used.

Outlook or Windows Address Book Failure to Logon to ADAM with error: "The specified directory service has denied access. Check the Properties for this directory service and verify that your Authentication Type settings and parameters are correct."

The client software is configured to logon with the simple name not the distinguished name.

No Security Tab in ADAM Adsiedit

All security settings within ADAM must be made through DSACLS, LDP, or a script.

Storing Application Policies for Authorization Manager with ADAM

For this to work you must first install the AZMAN schema extension then use a tool such as ADAM-ADSIedit to create a container to hold the application policy store.

1. In AZMAN, right-click the root Authorization Manager node in the tree view and select New Authorization Store.

2. Select Active Directory as the store type and specify the LDAP distinguished name (DN) of the store object to be created or managed specifying the ADAM server name and LDAP port as follows:

servername:/cn=,CN=

Obtaining an Object Identifier

http://msdn.microsoft.com/en-us/library/ms677621(VS.85).aspx

Using the Unique GUID for an ADAM Instance to Modify the Schema or Configuration Container

It is not necessary to use the unique GUID for an ADAM instance to modify the schema or configuration container. The ADAM version of Ldifde allows you to use the #schemaNamingContext and #configurationNamingContext variables for this purpose.

Error Importing LDIF File: Add error on line 1: No Such Attribute The server side error is "The parameter is incorrect." 0 entries modified successfully. An error has occurred in the program

Make sure you are using the ADAM version of LDIFDE, which is located in %windir%\ADAM by default.

Error Importing Users: Add error on line 2: Unwilling To Perform The server side error is "The modification was not permitted for security reasons."

 



Feedback

# re: Article: ADAM Troubleshooting

I appreciate the site, really helped me troubleshooting some issues I had getting LDS to work 4/17/2013 9:44 PM | Brandon Henderson