IDMU in Windows Server 2008 SP2 suddenly unable to authenticate
Posted on 2014-08-06
We are running Identity Management Services for UNIX on Windows Server 2008 SP2 with one Windows Master and one Windows subordinate. After working for over two years, our NIS domain is suddenly unable to authenticate users on any of our Linux/UNIX boxes. Restarting services did not help. Looking at Event Viewer or c:\Windows\idmu\logs yielded no information.
I did not set up our NIS configuration, and in fact my knowledge of NIS is rather slim. What I do know is that the IDMU configuration had not been touched for many months up until this point. I did try at one point to get NFS file sharing on a separate 2008 R2 server to authenticate by pointing to the AD domain as the identity mapping source. That also was several weeks prior to this breakdown.
Here are the only potential problem indicators I can see:
1) Use of the ypcat commands sometimes displays the appropriate information and sometimes returns the error "NIS Service is not running on the host '<servername>' in domain '<domainname>'" - it's as though the Server for NIS is constantly starting and stopping, but no such activity is recorded in Event Viewer; no entries for Server for NIS starting and stopping are recorded unless I manually turn it off and on.
1a) Likewise, Linux and UNIX servers that run ypwhich will attempt to contact the appropriate server and will sometimes get a response back and sometimes will not get a response. (I think that's the command - again, my knowledge of NIS and these commands is minimal)
2) In ADSI editor I see duplicate container entries for defaultMigrationContainer30 and ypserv30 that have the objectGUID tacked onto the container name like so:
Having said all that, my first question is obvious: Can anyone shed some light as to what might have happened? Secondly, are those duplicate containers safe to flat-out delete through ADSI edit?