

IDMU in Windows Server 2008 SP2 suddenly unable to authenticate

Posted on 2014-08-06
Medium Priority
Last Modified: 2014-12-03
We are running Identity Management Services for UNIX on Windows Server 2008 SP2 with one Windows Master and one Windows subordinate.  After working for over two years, our NIS domain is suddenly unable to authenticate users on any of our Linux/UNIX boxes.  Restarting services did not help.  Looking at Event Viewer or c:\Windows\idmu\logs yielded no information.

I did not set up our NIS configuration and in fact my knowledge of NIS is rather slim.  What I do know is that the IDMU configuration had not been touched for many months up until this point.  I did try at one point to get NFS file sharing on a separate 2008 R2 server to authenticate by pointing to the AD domain for identity mapping source.  That also was several weeks prior to this breakdown.

Here are the only potential problem indicators I can see:

1)  Use of the ypcat commands sometimes displays the appropriate information and sometimes returns the error "NIS Service is not running on the host '<servername>' in domain '<domainname>'". It's as though the Server for NIS is constantly starting and stopping, but no such activity is recorded in Event Viewer; no entries for Server for NIS starting and stopping are recorded unless I manually turn it off and on.

1a)  Likewise, Linux and UNIX servers that run ypwhich will attempt to contact the appropriate server and will sometimes get a response back and sometimes will not get a response.  (I think that's the command - again, my knowledge of NIS and these commands is minimal.)

2)  In ADSI editor I see duplicate container entries for defaultMigrationContainer30 and ypserv30 that have the objectGUID tacked onto the container name like so:



Having said all that, my first question is obvious:  Can anyone shed some light as to what might have happened?  Secondly, are those duplicate containers safe to flat-out delete through ADSI edit?
Question by:kjw_pkw

Expert Comment

by:David Piniella
ID: 40246029
Are the login auth attempts getting to the Windows box? Wireshark (or another packet capture) will tell you if the packets are getting to the Windows boxes, and also if the packets are leaving the UNIX boxes properly. From the sporadic nature of it, I suspect you're having network problems of some sort (routing, bad DNS or something) or possibly the service on the Windows box is failing in some really weird way -- maybe the Windows boxes are under high load and it's causing timeouts? I would set up a packet capture and see if I can find where it's breaking for sure.

Author Comment

ID: 40246183
A packet capture shows that the packets are getting to the Windows boxes, but the Windows boxes are not answering.  The performance counters on the Windows servers are not showing high load in network, memory, disk, processor, or any other way that matters.  So it definitely seems like a problem developed with the service itself.

Could it be related to the odd duplicate containers I mentioned?  For grins, I tried renaming the CN=<domain> entry in the Containers for the mappings under the duplicate ypserv30CNF* container, and it did not seem to affect the NIS Server (one way or the other) once it was restarted.

Accepted Solution

David Piniella earned 1500 total points
ID: 40246323
I find that pretty unlikely, and in any case, your renaming should have obviated that. As far as the how/why that happened, I would guess some sort of automated tool -- anything for migration or possibly something installed on the DC(s) that would modify the schema.

You're going to need to turn on logging (or make the logging more explicit) in order to find out WTH is actually going on inside the service to make it fail.
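A way to pin down the intermittent behaviour from a Linux client, as an added example that is not part of this thread: the script below sends the same portmapper GETPORT call that ypbind/ypwhich use to locate ypserv and keeps separate counts for "the Windows portmapper never answered", "it answered but ypserv is not registered" and "ypserv is registered". It assumes the Windows Server for NIS registers ypserv with a portmapper on UDP 111; the host name is a placeholder.

```python
import socket
import struct
import sys
import time

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3   # portmapper (RFC 5531 / RFC 1833)
YPSERV_PROG, YPSERV_VERS = 100004, 2                      # ypserv RPC program number
IPPROTO_UDP = 17

def build_getport_request(xid, prog=YPSERV_PROG, vers=YPSERV_VERS, proto=IPPROTO_UDP):
    """Encode an RPC v2 CALL to PMAPPROC_GETPORT asking where `prog` is registered."""
    header = struct.pack("!IIIIII", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack("!IIII", 0, 0, 0, 0)   # AUTH_NULL credentials + AUTH_NULL verifier
    args = struct.pack("!IIII", prog, vers, proto, 0)
    return header + auth + args

def parse_getport_reply(data, xid):
    """Return the registered port (0 = not registered) or None for a non-matching/bad reply."""
    if len(data) < 28:
        return None
    rxid, mtype, rstat, _vflavor, vlen = struct.unpack("!IIIII", data[:20])
    if rxid != xid or mtype != 1 or rstat != 0:       # must be REPLY + MSG_ACCEPTED
        return None
    off = 20 + ((vlen + 3) & ~3)                      # verifier body is 4-byte padded
    if len(data) < off + 8:
        return None
    astat, port = struct.unpack("!II", data[off:off + 8])
    return port if astat == 0 else None               # accept_stat must be SUCCESS

def probe_ypserv(host, attempts=20, timeout=2.0, interval=1.0):
    """Query the portmapper repeatedly; return counts of each outcome."""
    counts = {"registered": 0, "unregistered": 0, "no_reply": 0}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for i in range(attempts):
            xid = 0x4E495300 + i                      # constructed per-attempt XID
            sock.sendto(build_getport_request(xid), (host, 111))
            try:
                port = parse_getport_reply(sock.recvfrom(4096)[0], xid)
            except socket.timeout:
                port = None
            outcome = "registered" if port else "unregistered" if port == 0 else "no_reply"
            counts[outcome] += 1
            print(time.strftime("%H:%M:%S"), host, outcome, port or "")
            time.sleep(interval)
    return counts

if __name__ == "__main__":  # hypothetical host name: pass the NIS master or subordinate
    print(probe_ypserv(sys.argv[1] if len(sys.argv) > 1 else "nis-master.example.internal"))
```

Run it against both the master and the subordinate while a capture is running; a run full of no_reply with packets visibly arriving points at the service, while unregistered means the Windows portmapper is alive but ypserv dropped its registration.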
