laurarobinson (Posts: 96) | 01/30/2008 1:28 PM
W2K3 R2 is just W2K3 SP1 with what is essentially a feature pack on top, so you'll generally want to keep that in mind with the "applies to" stuff in KBs.
Laura
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Thommes, Michael M.
Sent: Wednesday, January 30, 2008 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC stops taking LDAP/636 connections - why and monitoring
Hi Steve,
One of the guys spotted that in this KB article that there is no mention of Server 2003 R2, which is where we are at. Does that make any difference? Thanks.
Mike Thommes
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Tuesday, January 29, 2008 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC stops taking LDAP/636 connections - why and monitoring
The patch will not hurt and will make it smoother the next time the cert renews. I assume you have an Enterprise CA and you have not changed the defaults for where the CRL is published? It will likely be hard to reconstruct what occurred. A network trace of the client handshake or schannel logging may have given us clues but after the fact it is hard to pinpoint a root cause.
Thanks,
-Steve
Steve Linehan | Windows Server 2008 (http://www.microsoft.com/windowsserver2008) | Download RC1 (http://www.microsoft.com/windowsserver2008/audsel.mspx) | Add Countdown Gadget to Desktop (http://www.wedsg.com/winclient/vistasidebargadget/download.htm) | LA Launch 2.27.08
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Thommes, Michael M.
Sent: Tuesday, January 29, 2008 7:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC stops taking LDAP/636 connections - why and monitoring
I will be patching and rebooting these servers over the next couple of days. It sounds like I should include this hotfix. Is that correct? It sounds like it couldn’t hurt anything.
Mike Thommes
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Tuesday, January 29, 2008 7:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC stops taking LDAP/636 connections - why and monitoring
Left out part of the sentence. It should have read: "without the fix mentioned earlier this will not happen by default; with the fix it should have been transparent."
Thanks,
-Steve
Steve Linehan | Windows Server 2008 (http://www.microsoft.com/windowsserver2008) | Download RC1 (http://www.microsoft.com/windowsserver2008/audsel.mspx) | Add Countdown Gadget to Desktop (http://www.wedsg.com/winclient/vistasidebargadget/download.htm) | LA Launch 2.27.08
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Tuesday, January 29, 2008 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC stops taking LDAP/636 connections - why and monitoring
How often is the CRL published for that CA? I imagine the Cert was renewed prior to 12/18/2007 though you should be able to look at the CA and tell when the request was made, and by default we will not switch over to the new cert, it will happen on a reboot. Did any of your other DCs fail this way, have they all been rebooted since the cert renew, maybe patch Tuesday, but this one was not or it missed the window?
Thanks,
-Steve
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Thommes, Michael M.
Sent: Tuesday, January 29, 2008 7:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC stops taking LDAP/636 connections - why and monitoring
No problems with the cert chain. The cert is valid from 12/18/07 to 12/18/2008. Should I assume it renewed on 12/18/2007?
Mike Thommes
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Laura A. Robinson
Sent: Tuesday, January 29, 2008 6:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC stops taking LDAP/636 connections - why and monitoring
Hi Mike! :)
What about the certificate chain? Is that all clean and verifiable? Did that certificate by any chance renew recently (as in, say, on 12/18 or thereabouts)?
Laura
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Thommes, Michael M.
Sent: Tuesday, January 29, 2008 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC stops taking LDAP/636 connections - why and monitoring
Hi Laura!
The cert doesn't expire until 12/18/08. We have an internal CA. And with regards to monitoring, adfind to the rescue, like usual! (oh joe, you are sooooo good!) A failed connection with adfind on the bind will produce an error 51 with a %errorlevel% value of -1.
Mike Thommes
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Laura A. Robinson
Sent: Tuesday, January 29, 2008 4:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC stops taking LDAP/636 connections - why and monitoring
Well, first thing is to look at the DC cert, I would think. What’s the expiration on it? Where did it come from?
Laura
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Thommes, Michael M.
Sent: Tuesday, January 29, 2008 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC stops taking LDAP/636 connections - why and monitoring
Today I had one of my DCs (actually the one that holds all of the FSMO roles) quit taking secure LDAP/636 connections. Absolutely nothing in the event logs to indicate a problem. A reboot solved the problem. I’ve not had that issue before, ever. One interesting fact is that I shut down another DC in a remote site last night about 8PM. DNS records are weighted heavily so that this downed DC seldom gets touched by clients. It will be off for another 18 hours or so.
Questions: 1) what would cause this? Where else on the DC should I be looking for errors? What’s an easy way to automatically monitor this?
Thanks in advance!
Mike Thommes
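The thread's own monitor is an adfind bind whose %errorlevel% drops to -1 on failure. As an added example, not code from the thread or from any of its posters, the following PowerShell script probes each DC's LDAPS listener directly, completes the TLS handshake, and reports what the DC is actually serving: the certificate's validity window, days to expiry, and whether the chain builds with online revocation checking. That covers the chain question Laura raised and Steve's point that a renewed certificate is not served until the DC reboots (a recently issued NotBefore on the served cert is flagged so it can be confirmed against the CA). The DC names, port, warning threshold and timeouts are placeholders chosen for the example; run it from a domain-joined host that trusts the internal CA.

```powershell
# Added example (not from the thread). Probes LDAPS on each DC and inspects the served certificate.
# Assumptions: DC names below are placeholders; TCP 636; the host trusts the issuing CA.
param(
    [string[]]$DomainControllers = @('dc1.example.internal', 'dc2.example.internal'),  # placeholders
    [int]$Port = 636,
    [int]$WarnDays = 30,          # warn when the served cert expires within this many days
    [int]$RecentIssueDays = 14    # flag a cert issued this recently so the renewal can be confirmed
)

function Test-LdapsListener {
    param([string]$Server, [int]$Port, [int]$WarnDays, [int]$RecentIssueDays)

    $result = [ordered]@{
        Server = $Server; Reachable = $false; TlsOk = $false; ChainOk = $false
        Subject = $null; NotBefore = $null; NotAfter = $null; DaysLeft = $null; Note = $null
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # Bounded connect so a hung listener does not hang the monitor.
        $async = $tcp.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000)) {
            $result.Note = 'TCP connect timed out'
            return [pscustomobject]$result
        }
        $tcp.EndConnect($async)
        $result.Reachable = $true

        # Accept any cert during the handshake so it can be captured; chain validity is checked explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($Server)
        $result.TlsOk = $true

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject   = $cert.Subject
        $result.NotBefore = $cert.NotBefore
        $result.NotAfter  = $cert.NotAfter
        $result.DaysLeft  = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

        # Build the chain with online revocation checking, which exercises the CRL distribution point.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $result.ChainOk = $chain.Build($cert)

        if (-not $result.ChainOk) {
            $result.Note = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        } elseif ($result.DaysLeft -lt $WarnDays) {
            $result.Note = "certificate expires in $($result.DaysLeft) days"
        } elseif (((Get-Date) - $cert.NotBefore).TotalDays -lt $RecentIssueDays) {
            $result.Note = 'certificate issued recently; confirm the DC is serving the renewed cert'
        }
    } catch {
        # Handshake failures land here: the DC answered on 636 but no TLS session could be established.
        $result.Note = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Close() }
        $tcp.Close()
    }
    return [pscustomobject]$result
}

$report = foreach ($dc in $DomainControllers) {
    Test-LdapsListener -Server $dc -Port $Port -WarnDays $WarnDays -RecentIssueDays $RecentIssueDays
}
$report | Format-Table -AutoSize

# Non-zero exit so a scheduled task or monitoring agent can alert, mirroring the adfind %errorlevel% check.
if ($report | Where-Object { -not ($_.Reachable -and $_.TlsOk -and $_.ChainOk) }) { exit 1 }
```

Scheduled every few minutes, the non-zero exit gives the same alert hook as the adfind bind, with the added benefit that a chain or revocation failure (a CRL that did not publish, as Steve asked about) is reported as its own condition rather than as a generic failed bind.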