Solved

Active directiory domain services has a warning about rejecting SASL in the event viewer

Posted on 2011-03-13
4
1,342 Views
Last Modified: 2012-05-11
I'm setting up a new server and have this error in the event log.

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
 
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made.  To assist in identifying these clients, if such binds occur this  directory server will log a summary event once every 24 hours indicating how many such binds  occurred.  You are encouraged to configure those clients to not use such binds.  Once no such events are observed  for an extended period, it is recommended that you configure the server to reject such binds.
 
For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

I'm using this server only for 10 computers in the office for authentication, and file storage and security.   this will be the only DC in the Small Business.  

I'm GUESSING that rejecting SASL LDAP binds will not effect or is not needed for the functions of what I'm using this server for. Am I wrong?

How would I reject the SASL LDAP binds if so?

Thanks in advance,
0
Comment
Question by:Zantis
  • 3
4 Comments
 
LVL 13

Accepted Solution

by:
AustinComputerLabs earned 500 total points
ID: 35125668
That is what I would call a default error. I see it often on single server systems that are operating just fine.
0
 

Author Comment

by:Zantis
ID: 35125706
You gotta love those, is this also a default error?  It looks like it only shows up after a reboot and must get corrected.

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
0
 
LVL 13

Expert Comment

by:AustinComputerLabs
ID: 35125715
Yes, I love that scare the first time you see it.
After that you will see a happy one that says that DNS is happy now.
0
 
LVL 13

Expert Comment

by:AustinComputerLabs
ID: 35125725
Event ID 2 and 4

the DNS server has started

The DNS server has finished the background loading of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.

If you do not get those, you have an issue.
0

Featured Post

Why do Marketing keep bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

Join & Write a Comment

If you migrate a Terminal Server licenses server inside the 2008 server family, you can takte advantage of the build-in migration tool. If you like to migrate an older 2003 Server (and the installed client CALs) to a 2008 R2 server for example, you …
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now