Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Active directiory domain services has a warning about rejecting SASL in the event viewer

Posted on 2011-03-13
4
Medium Priority
?
1,575 Views
Last Modified: 2012-05-11
I'm setting up a new server and have this error in the event log.

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
 
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made.  To assist in identifying these clients, if such binds occur this  directory server will log a summary event once every 24 hours indicating how many such binds  occurred.  You are encouraged to configure those clients to not use such binds.  Once no such events are observed  for an extended period, it is recommended that you configure the server to reject such binds.
 
For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

I'm using this server only for 10 computers in the office for authentication, and file storage and security.   this will be the only DC in the Small Business.  

I'm GUESSING that rejecting SASL LDAP binds will not effect or is not needed for the functions of what I'm using this server for. Am I wrong?

How would I reject the SASL LDAP binds if so?

Thanks in advance,
0
Comment
Question by:Zantis
  • 3
4 Comments
 
LVL 13

Accepted Solution

by:
AustinComputerLabs earned 2000 total points
ID: 35125668
That is what I would call a default error. I see it often on single server systems that are operating just fine.
0
 

Author Comment

by:Zantis
ID: 35125706
You gotta love those, is this also a default error?  It looks like it only shows up after a reboot and must get corrected.

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
0
 
LVL 13

Expert Comment

by:AustinComputerLabs
ID: 35125715
Yes, I love that scare the first time you see it.
After that you will see a happy one that says that DNS is happy now.
0
 
LVL 13

Expert Comment

by:AustinComputerLabs
ID: 35125725
Event ID 2 and 4

the DNS server has started

The DNS server has finished the background loading of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.

If you do not get those, you have an issue.
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question