IDMU in Windows Server 2008 SP2 suddenly unable to authenticate

Posted on 2014-08-06
Last Modified: 2014-12-03
We are running Identity Management Services for UNIX on Windows Server 2008 SP2 with one Windows Master and one Windows subordinate.  After working for over two years, our NIS domain is suddenly unable to authenticate users on any of our Linux/UNIX boxes.  Restarting services did not help.  Looking at Event Viewer or c:\Windows\idmu\logs yielded no information.

I did not set up our NIS configuration and in fact my knowledge of NIS is rather slim.  What I do know is that the IDMU configuration had not been touched for many months up until this point.  I did try at one point to get NFS file sharing on a separate 2008 R2 server to authenticate by pointing to the AD domain for identity mapping source.  That also was several weeks prior to this breakdown.

Here are the only potential problem indicators I can see:

1)  Use of the ypcat commands sometimes displays the appropriate information and sometimes returns the error "NIS Service is not running on the host '<servername>' in domain '<domainname>'" - it's as though the Server for NIS is constantly starting and stopping, but no such activity is recorded in Event Viewer; no entries for Server for NIS starting and stopping are recorded unless I manually turn it off and on.

1a)  Likewise, Linux and UNIX servers that run ypwhich will attempt to contact the appropriate server and will sometimes get a response back and sometimes will not get a response.  (I think that's the command - again, my knowledge of NIS and these commands is minimal.)

2)  In ADSI editor I see duplicate container entries for defaultMigrationContainer30 and ypserv30 that have the objectGUID tacked onto the container name like so:



Having said all that, my first question is obvious:  Can anyone shed some light as to what might have happened?  Secondly, are those duplicate containers safe to flat-out delete through ADSI edit?
Question by:kjw_pkw
    LVL 9

    Expert Comment

    by:David Piniella
    Are the login auth attempts getting to the Windows box? Wireshark (or other packet capture) will tell you if the packets are getting to the Windows boxes, and also if the packets are leaving the UNIX boxes properly. From the sporadic nature of it, I suspect you're having network problems of some sort (routing, bad DNS or something) or possibly the service on the Windows box is failing in some really weird way -- maybe the Windows boxes are under high load and it's causing timeouts? I would set up a packet capture and see if I can find where it's breaking for sure.
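
The probe-and-capture approach suggested above, as an added example that is not part of the thread and not a Microsoft or IDMU tool: a small POSIX shell script for the Linux/UNIX client that repeatedly queries the Server for NIS, timestamps every failure so it can be lined up with a packet capture of the same window, and reports the failure ratio. It assumes the yp-tools `ypcat` and `rpcinfo` are installed on the client; `NIS_SERVER` and `NIS_DOMAIN` are placeholder variables for the Windows NIS host and domain name, and the real probes only run when both are set.

```sh
#!/bin/sh
# Added example, not from the thread: quantify how often a NIS server answers a
# client, so the "sometimes works, sometimes not" symptom can be lined up with a
# packet capture taken at the same time. Assumes ypcat and rpcinfo exist on the
# Linux/UNIX client; NIS_SERVER and NIS_DOMAIN are placeholders for the Windows
# Server for NIS host and the NIS domain name.

# probe_loop CMD ATTEMPTS DELAY
# Runs CMD (a shell command string) ATTEMPTS times, sleeping DELAY seconds
# between runs, logs each failure with a timestamp on stderr, and prints
# "ok=<n> fail=<m>" on stdout.
probe_loop() {
    cmd=$1
    attempts=$2
    delay=$3
    ok=0
    fail=0
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if sh -c "$cmd" >/dev/null 2>&1; then
            ok=$((ok + 1))
        else
            fail=$((fail + 1))
            printf '%s FAIL: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$cmd" >&2
        fi
        i=$((i + 1))
        if [ "$delay" -gt 0 ]; then
            sleep "$delay"
        fi
    done
    printf 'ok=%s fail=%s\n' "$ok" "$fail"
}

# failure_ratio "ok=<n> fail=<m>"
# Prints the integer percentage of failed probes (0 when nothing was probed).
failure_ratio() {
    ok=$(printf '%s' "$1" | sed 's/^ok=\([0-9]*\) fail=\([0-9]*\)$/\1/')
    fail=$(printf '%s' "$1" | sed 's/^ok=\([0-9]*\) fail=\([0-9]*\)$/\2/')
    total=$((ok + fail))
    if [ "$total" -eq 0 ]; then
        echo 0
    else
        echo $(( fail * 100 / total ))
    fi
}

# Only run the real probes when the placeholders have been filled in.
if [ -n "${NIS_SERVER:-}" ] && [ -n "${NIS_DOMAIN:-}" ]; then
    # Capture all traffic to/from the NIS host in parallel (ypserv's RPC port is
    # dynamic, so filter on the host rather than on port 111 alone), e.g.:
    #   tcpdump -n -i any -w nis-probe.pcap host "$NIS_SERVER" &
    # Is ypserv still registered with the portmapper on the Windows box?
    rpcinfo -p "$NIS_SERVER" | grep ypserv || echo "ypserv not registered on $NIS_SERVER" >&2
    # Does the RPC service answer a null call over TCP and over UDP?
    rpcinfo -t "$NIS_SERVER" ypserv
    rpcinfo -u "$NIS_SERVER" ypserv
    # Then a real map lookup: 60 attempts, 5 seconds apart (5 minutes total).
    result=$(probe_loop "ypcat -d $NIS_DOMAIN -h $NIS_SERVER passwd" 60 5)
    echo "$result  failure ratio: $(failure_ratio "$result")%"
fi
```

The FAIL lines on stderr carry the client-side timestamp, so each one can be matched against the capture to see whether the request left the client, reached the server, and got an answer; a high failure ratio with requests visible on the wire but no replies points at the service on the Windows side rather than at routing or DNS.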

    Author Comment

    A packet capture shows that the packets are getting to the Windows boxes, but the Windows boxes are not answering.  The performance counters on the Windows servers are not showing high load in network, memory, disk, processor, or any other way that matters.  So it definitely seems like a problem developed with the service itself.

    Could it be related to the odd duplicate containers I mentioned?  For grins, I tried renaming the CN=<domain> entry in the Containers for the mappings under the duplicate ypserv30CNF* container, and it did not seem to affect the NIS Server (one way or the other) once it was restarted.
    LVL 9

    Accepted Solution

    I find that pretty unlikely, and in any case, your renaming should have obviated that. As far as the how/why that happened, I would guess some sort of automated tool -- anything for migration or possibly something installed on the DC(s) that would modify the schema.

    You're going to need to turn on logging (or make the logging more explicit) in order to find out WTH is actually going on inside the service to make it fail.
