LDAP Client Connection Was Closed

I have been receiving an error message (Event ID 2887, below) on our Windows 2008 Domain Controller.  I followed instructions to enable LDAP error logging and after doing so end up with a set of LDAP error logs (Event ID 1216, below).

I ran dcdiag on the domain controller and received the following:
Starting test: KccEvent
An Warning Event occurred.  EventID: 0x800004C0
Time Generated: 11/22/2010   05:34:26
Event String:
Internal event: An LDAP client connection was closed because of an error.
         ......................... DC passed test KccEvent

The time indicated by this warning event corresponds to the most recent event ID 1216.

I then found instructions to run the following commands (IPconfig /flushDNS; IPconfig /registerdns; Net stop netlogon; Net start netlogon) which I did on both the domain controller and on the server indicated by the event ID 1216.  But after doing so, event ID 1216 continues to occur.

Could somebody please suggest a next troubleshooting step?  To confirm, I am looking to resolve the cause of the Event ID 1216 occurrences, not to just turn them off.

Thanks in advance for any assistance!

******* Event ID 2887 ********
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          11/21/2010 9:00:31 PM
Event ID:      2887
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      dc.domain.com
Description:

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection
 
This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
Summary information on the number of these binds received within the past 24 hours is below.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
 
Number of simple binds performed without SSL/TLS: 2
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 0
***************************

******* Event ID 1216 ********
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          11/22/2010 5:34:26 AM
Event ID:      1216
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      dc.domain.com
Description:
Internal event: An LDAP client connection was closed because of an error.
 
Client IP:
192.168.1.xx:yyyyy
 
Additional Data
Error value:
1236 The network connection was aborted by the local system.
Internal ID:
c0602f0
***************************
Asked by: Dan Carp

1 Solution
markpalinux commented:

From this technote, it appears that this message is harmless. Seems like your logging may be turned up some for these events to show up.

Numerous "Event ID 1216" Events in Directory Services Event Log
http://support.microsoft.com/kb/246717


Do you notice any failures or was this just tracking down warnings?

Mark
Dan Carp (IT Director, Author) commented:
Thanks Mark - my goal is to increase our server security by enabling LDAP signing.  Before doing so, I need to ensure that communication from all servers was performed with an LDAP signature.  To do so, I intentionally turned on these warnings.  With the warnings on, there appear to be two servers within the organization sending unsigned communications.  At this point, I'm trying to figure out how to force them to use an LDAP signature - which would resolve the warnings as opposed to just turning them off.  (Please excuse me if any of my terminology is incorrect.)

Does that better explain what I'm looking for?
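To support the approach Dan describes (identify every client that still binds unsigned or in cleartext before turning enforcement on), here is an added PowerShell example; it is not from this thread. It assumes the "LDAP Interface Events" diagnostic level has been raised to 2 as the 2887 text suggests, so that the DC logs Event ID 2889 per bind, and it assumes the 2889 replacement-string order (client address, identity, bind type) taken from that event's message template, which you should confirm against one event on your own DC.

```powershell
# Added example, not from the original thread. Tally the clients still doing
# unsigned SASL binds or cleartext simple binds so each can be fixed before the
# DC is set to reject them. Requires "16 LDAP Interface Events" under
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics set to 2 or higher,
# which makes the DC log Event ID 2889 once per offending bind.
param(
    [string] $ComputerName = $env:COMPUTERNAME,
    [int]    $Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = $since
} -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No Event 2889 since $since: no such binds, or the diagnostic level is below 2."
    return
}
$rows = foreach ($e in $events) {
    # Assumed field order, taken from the 2889 message template: %1 client
    # address:port, %2 identity bound as, %3 binding type (0 = SASL without
    # signing, 1 = simple bind without TLS). Confirm against one event first.
    $addr = [string] $e.Properties[0].Value
    $cut  = $addr.LastIndexOf(':')   # strip the source port; works for IPv6 too
    $ip   = if ($cut -gt 0) { $addr.Substring(0, $cut) } else { $addr }
    $kind = if ([int] $e.Properties[2].Value -eq 1) { 'Simple bind, no TLS' } else { 'SASL, unsigned' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        ClientIP = $ip
        Identity = [string] $e.Properties[1].Value
        BindType = $kind
    }
}
# One line per client/identity/bind type, busiest first, with the last time seen
$rows |
    Group-Object ClientIP, Identity, BindType |
    ForEach-Object {
        $g = $_.Group | Sort-Object Time -Descending
        [pscustomobject]@{
            ClientIP = $g[0].ClientIP
            Identity = $g[0].Identity
            BindType = $g[0].BindType
            Count    = $_.Count
            LastSeen = $g[0].Time
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it against each DC in the domain, since a client may bind to whichever DC it locates; once the table is empty for a full 24 hours on every DC, the server-side signing requirement can be turned on without breaking anything.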
markpalinux commented:
On the machine with the client IP I would run ldifde (an LDAP query tool) to see if you can reproduce the error: does each LDAP query from that machine to the domain cause the error? Query another DC; does that cause the error? I would run those with Netmon or Wireshark to review the packets. Another query tool would be Joe's adfind.

The error states that it was aborted, does that mean that the connection closed before it and that the connection being closed prevented the "signature"?

Could LDAP/SSL (LDAPS) be another solution to increase your security?

Enable LDAP over SSL (LDAPS) on Windows 2008 Active Directory Domain
DEAD LINK (eenookami): [http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html]


LDAP over SSL
http://technet.microsoft.com/en-us/library/ee411009%28WS.10%29.aspx

Also you could enable IPsec and have more security / encryption.

Mark
Dan Carp (IT Director, Author) commented:
Thanks Mark - that's all very helpful!

I ran an ldifde export from the identified server, which completed successfully and didn't throw a warning.  Is there a different ldifde command I should run to better test?

The first link you provided is fantastic.  I'm running into a problem with the guide, though.  At the step to add a new Domain Controller Authentication Certificate Template, I'm finding that that particular template isn't available in the list (even though it does appear in the Certificate Templates folder).  Any thoughts on why that's the case and what I can do?

Lastly, when logging is turned on, I found that I am seeing a number of the following events (which may prove to help troubleshoot?):

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          11/23/2010 12:58:07 PM
Event ID:      1535
Task Category: LDAP Interface
Level:         Information
Keywords:      Classic
User:          PCA\user
Computer:      dc.domain.com
Description:
Internal event: The LDAP server returned an error.
 
Additional Data
Error value:
0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
      'CN=System,DC=pca,DC=com'

markpalinux commented:
Here is the LDAP syntax that will return the domain, configuration, and schema containers, assuming:
AD DNS domain = BatBat.com
DC = dc1

ldifde -s dc1 -d "dc=BatBat,dc=com" -f results-BatBat-domain.txt
ldifde -s dc1 -d "cn=configuration,dc=BatBat,dc=com" -f results-BatBat-config.txt
ldifde -s dc1 -d "cn=schema,cn=configuration,dc=BatBat,dc=com" -f results-BatBat-schema.txt

Mark