Solved

LDAP Client Connection Was Closed

Posted on 2010-11-22
Last Modified: 2015-09-03
I have been receiving an error message (Event ID 2887, below) on our Windows 2008 Domain Controller.  I followed instructions to enable LDAP error logging and after doing so end up with a set of LDAP error logs (Event ID 1216, below).

I ran dcdiag on the domain controller and received the following:
Starting test: KccEvent
An Warning Event occurred.  EventID: 0x800004C0
Time Generated: 11/22/2010   05:34:26
Event String:
Internal event: An LDAP client connection was closed because of an error.
         ......................... DC passed test KccEvent

The time indicated by this warning event corresponds to the most recent event ID 1216.

I then found instructions to run the following commands (IPconfig /flushDNS; IPconfig /registerdns; Net stop netlogon; Net start netlogon) which I did on both the domain controller and on the server indicated by the event ID 1216.  But after doing so, event ID 1216 continues to occur.

Could somebody please suggest a next troubleshooting step?  To confirm, I am looking to resolve the cause of the Event ID 1216 occurrences, not to just turn them off.

Thanks in advance for any assistance!

******* Event ID 2887 ********
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          11/21/2010 9:00:31 PM
Event ID:      2887
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      dc.domain.com
Description:

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection
 
This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
Summary information on the number of these binds received within the past 24 hours is below.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
 
Number of simple binds performed without SSL/TLS: 2
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 0
***************************

******* Event ID 1216 ********
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          11/22/2010 5:34:26 AM
Event ID:      1216
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      dc.domain.com
Description:
Internal event: An LDAP client connection was closed because of an error.
 
Client IP:
192.168.1.xx:yyyyy
 
Additional Data
Error value:
1236 The network connection was aborted by the local system.
Internal ID:
c0602f0
***************************
Question by:pcamis
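The question's goal is to find every client still binding without signing before the DC is configured to reject such binds. Event 2887 is only the daily summary; the per-bind event that names the client is 2889, which the DC logs once the "16 LDAP Interface Events" diagnostics value is raised to 2, as the 2887 text says. The following script is an added example, not code from the original thread or from Microsoft: it enables that logging, summarizes the 2889 events by client and bind type, and shows the registry value (LDAPServerIntegrity, the same setting as the "Domain controller: LDAP server signing requirements" policy) that enforces signing. It assumes it is run elevated on the domain controller itself.

```powershell
# Added example, not from the original thread. Audit unsigned / cleartext LDAP binds
# before enforcing LDAP signing on a domain controller. Run elevated on the DC.
# Assumptions: local machine is the DC; standard NTDS registry paths and event IDs.

$DiagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapBindLogging {
    # Level 2 on "16 LDAP Interface Events" makes the DC log Event 2889 for each
    # offending bind (client IP, identity, bind type) instead of only the 2887 summary.
    Set-ItemProperty -Path $DiagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapBinds {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Event 2889 carries three insertion strings:
        #   [0] client IP:port, [1] identity used for the bind,
        #   [2] bind type: 0 = SASL bind without signing, 1 = simple bind over cleartext
        $bindType = [int]$e.Properties[2].Value
        $label = 'SASL-Unsigned'
        if ($bindType -eq 1) { $label = 'SimpleBind-Cleartext' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Client   = $e.Properties[0].Value
            Identity = $e.Properties[1].Value
            BindType = $label
        }
    }
}

function Get-LdapSigningRequirement {
    # LDAPServerIntegrity: 1 (or absent) = signing not required, 2 = require signing.
    $v = (Get-ItemProperty -Path $ParamKey -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue).LDAPServerIntegrity
    if ($v -eq 2) { 'Require signing' } else { 'None (not enforced)' }
}

function Set-LdapSigningRequired {
    # Only flip this once Get-UnsignedLdapBinds comes back empty for a full cycle of
    # every client and application; anything still listed will fail to bind afterwards.
    Set-ItemProperty -Path $ParamKey -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
}

# Usage: enable per-bind logging, wait at least a day, then review who still binds unsigned.
Enable-LdapBindLogging
Get-UnsignedLdapBinds |
    Group-Object Client, BindType |
    Select-Object Count, @{n='Client';e={$_.Values[0]}}, @{n='BindType';e={$_.Values[1]}} |
    Sort-Object Count -Descending | Format-Table -AutoSize
"Current setting: $(Get-LdapSigningRequirement)"
```

The Client field keeps the ephemeral source port the DC logged (as in the 1216 event quoted above); group on the address alone if the same host shows up under many ports. Run the review on every DC, since each one logs only the binds it received.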
 
Expert Comment
by:markpalinux
ID: 34196154

From this technote, it appears that this message is harmless. It seems like your logging may have been turned up for these events to show up.

Numerous "Event ID 1216" Events in Directory Services Event Log
http://support.microsoft.com/kb/246717


Do you notice any failures or was this just tracking down warnings?

Mark
 

Author Comment

by:pcamis
ID: 34196228
Thanks Mark - my goal is to increase our server security by enabling LDAP signing.  Before doing so, I need to ensure that communication from all servers was performed with an LDAP signature.  To do so, I intentionally turned on these warnings.  With the warnings on, there appear to be two servers within the organization sending unsigned communications.  At this point, I'm trying to figure out how to force them to use an LDAP signature - which would resolve the warnings as opposed to just turning them off.  (Please excuse me if any of my terminology is incorrect.)

That better explain what I'm looking for?
Accepted Solution

by:markpalinux (earned 500 total points)
ID: 34196600
On the machine with the client IP, I would run ldifde (an LDAP query tool) to see if you can reproduce the error: does each LDAP query from that machine to the domain cause the error? Query another DC; does that cause the error? I would run those with Netmon or Wireshark to review the packets. Another query tool would be Joe's adfind.

The error states that it was aborted; does that mean that the connection closed before it, and that the connection being closed prevented the "signature"?

Could LDAP over SSL (LDAPS) be another solution to increase your security?

Enable LDAP over SSL (LDAPS) on Windows 2008 Active Directory Domain
http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html (dead link)


LDAP over SSL
http://technet.microsoft.com/en-us/library/ee411009%28WS.10%29.aspx

Also, you could enable IPsec for more security / encryption.

Mark
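The accepted answer suggests reproducing the bind from the client's IP with a query tool and watching the packets. Tools such as ldifde bind however they are built to bind, so a more direct reproduction is to issue each bind type yourself and see how the DC answers. The script below is an added example, not code from the thread or its posters; it uses the System.DirectoryServices.Protocols API to perform the two bind types Event 2887 counts (a cleartext simple bind, and a Negotiate bind that does not request signing) plus a correctly signed and sealed bind. Before signing is enforced all three succeed and the first two show up as Event 2889 on the DC; after LDAPServerIntegrity is set to 2 the first two are rejected with LDAP result code 8 (strongerAuthRequired). The DC name dc1.BatBat.com is a placeholder borrowed from the later comment, and the account supplied at the prompt is assumed to be an unprivileged test account.

```powershell
# Added example, not from the original thread. Reproduce the bind types behind Event 2887
# from a client machine and observe the DC's answer. Assumptions: placeholder DC name below,
# run from a domain-joined client, bind with an unprivileged test account.

Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server = 'dc1.BatBat.com'                                   # placeholder DC name
$Cred   = Get-Credential -Message 'Test account to bind with'

function Test-LdapBind {
    param(
        [string]$Name,
        [System.DirectoryServices.Protocols.AuthType]$AuthType,
        [bool]$Signing,
        [bool]$Sealing
    )
    # Plain port 389: the point is to see what the DC does with an unprotected session.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = $AuthType
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $Signing     # request integrity (LDAP signing) on SASL binds
    $conn.SessionOptions.Sealing = $Sealing     # request privacy (encryption) on SASL binds
    try {
        $conn.Bind($Cred.GetNetworkCredential())
        $result = 'bind OK'
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # With LDAPServerIntegrity=2 the DC returns result code 8 (strongerAuthRequired)
        # for a cleartext simple bind or an unsigned SASL bind.
        $result = "rejected: LDAP error $($_.Exception.ErrorCode): $($_.Exception.Message)"
    } catch {
        $result = "failed: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]@{ Case = $Name; Result = $result }
}

$cases = @(
    # Counted under "simple binds performed without SSL/TLS" in 2887 (bind type 1 in 2889).
    # Note the password itself crosses the wire in the clear in this case.
    Test-LdapBind -Name 'Simple bind, cleartext'   -AuthType Basic     -Signing $false -Sealing $false
    # Counted under "Negotiate/Kerberos/NTLM/Digest binds performed without signing" (bind type 0).
    Test-LdapBind -Name 'Negotiate, no signing'    -AuthType Negotiate -Signing $false -Sealing $false
    # The state every client should be in: SASL bind with integrity (and privacy) negotiated.
    Test-LdapBind -Name 'Negotiate, signed+sealed' -AuthType Negotiate -Signing $true  -Sealing $true
)
$cases | Format-Table -AutoSize
```

Run it with Wireshark capturing on the client: the first case shows the password in the LDAP simple bind request, the second shows a SASL/GSS-API bind followed by readable LDAP traffic, and the third shows only the bind negotiation, after which the LDAP payload is encrypted. Rerun the same three cases after enforcing signing to confirm that only the third still binds.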
 

Author Comment

by:pcamis
ID: 34198810
Thanks Mark - that's all very helpful!

I ran an ldifde export from the identified server, which completed successfully and didn't throw a warning.  Is there a different ldifde command I should run to better test?

The first link you provided is fantastic.  I'm running into a problem with the guide, though.  At the step to add a new Domain Controller Authentication Certificate Template, I'm finding that that particular template isn't available in the list (even though it does appear in the Certificate Templates folder).  Any thoughts on why that's the case and what I can do?

Lastly, when logging is turned on, I found that I am seeing a number of the following events (which may prove to help troubleshoot?):

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          11/23/2010 12:58:07 PM
Event ID:      1535
Task Category: LDAP Interface
Level:         Information
Keywords:      Classic
User:          PCA\user
Computer:      dc.domain.com
Description:
Internal event: The LDAP server returned an error.
 
Additional Data
Error value:
0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
      'CN=System,DC=pca,DC=com'

Expert Comment

by:markpalinux
ID: 34200758

Here is the ldap syntax that will return the domain, configuration, and schema containers.
AD DNS domain = BatBat.com
dc = dc1

ldifde -s dc1 -d "dc=BatBat,dc=com" -f results-BatBat-domain.txt
ldifde -s dc1 -d "cn=configuration,dc=BatBat,dc=com" -f results-BatBat-config.txt
ldifde -s dc1 -d "cn=schema,cn=configuration,dc=BatBat,dc=com" -f results-BatBat-schema.txt

Mark
