
ID #1340

AD-Connector - Troubleshooting Guide


AD-Connector Troubleshooting Guide

The UCS AD Connector synchronizes objects between the UCS directory (OpenLDAP) and MS Active Directory.

The configuration of the UCS Active Directory Connector is described in the UCS manual for users and administrators.

General information about error analysis

When objects are not synchronized correctly, either partly or as a whole, please check the following files and outputs on the UCS Domain Controller first:

  • Output from univention-adsearch with a filter (e.g. univention-adsearch cn=Administrator) should show the AD object. If this tool doesn't work, check the connector's basic configuration.
  • Logfile /var/log/univention/connector-status.log: current synchronization overview
  • Logfile /var/log/univention/connector.log: general logfile; the amount of information can be configured by changing the debug level from 0 to 4 in the UCR variable connector/debug/level.
  • Output from univention-connector-list-rejected: lists all objects that are not fully synchronized, i.e. rejects.


If the problematic object is in the list of rejects, connector.log should be checked for the corresponding error message.

Password service not reachable

The Connector creates users in the other directory, but doesn't activate the users in the AD. The passwords are not synchronized.

The connector.log shows tracebacks like this one:

failed in post_con_modify_functions
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/univention/connector/__init__.py", line 1018, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.4/site-packages/univention/connector/ad/password.py", line 239, in password_sync
    res = get_password_from_ad(connector, rid)
  File "/usr/lib/python2.4/site-packages/univention/connector/ad/password.py", line 128, in get_password_from_ad
    s.connect ( (connector.lo_ad.host, 6670) )
  File "<string>", line 1, in connect
error: (111, 'Connection refused')

Possible reasons for the errors:

  • The Windows firewall forbids access: add an exception for C:\Windows\UCS-AD-Connector\ucs-ad-connector.exe in the Windows Firewall settings
  • The password service on the AD is not running: check/restart the UCS AD Connector service under Start -> Administrative Tools -> Services
  • The configuration is incomplete, e.g. no certificates are present: see the logfile in the installation path C:\Windows\UCS-AD-Connector\ucs-ad-connector.log
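The traceback above fails at a plain TCP connect to port 6670 on the AD host, so the first thing to establish is whether that port answers at all from the UCS side. The following script is an added example (not part of the guide or of the Univention connector code): it classifies the outcome of a TCP connect the same way the three causes listed above are distinguished in practice, and a local demo function (assumption: loopback networking is available) exercises the "reachable" and "refused" cases without any AD host.

```python
import socket

# Port of the UCS AD Connector password service on the AD host; the value
# comes from the traceback shown in the guide: s.connect((connector.lo_ad.host, 6670)).
PASSWORD_SERVICE_PORT = 6670


def check_password_service(host, port=PASSWORD_SERVICE_PORT, timeout=3.0):
    """Try a plain TCP connect to the password service and classify the outcome.

    Returns one of:
      "reachable"  - TCP handshake completed; certificate problems (third cause
                     in the guide) are NOT visible at this level
      "refused"    - ECONNREFUSED: the host answers but nothing listens on the
                     port, i.e. the UCS AD Connector service is not running
      "timeout"    - no answer at all, typically a firewall dropping packets
      "unresolved" - the hostname does not resolve
      "error:<errno>" - any other socket error (e.g. host/network unreachable)
    """
    try:
        addrinfo = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"
    family, socktype, proto, _, sockaddr = addrinfo[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return "error:%s" % exc.errno
    finally:
        sock.close()
    return "reachable"


def demo_local_listener():
    """Constructed demo (no AD host involved): check a throw-away listener on
    loopback while it is open, then again after it has been closed.

    Returns the two classifications, expected ("reachable", "refused").
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = check_password_service("127.0.0.1", port)
    listener.close()
    after_close = check_password_service("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    # Real use on the UCS DC: python3 thisfile.py <ad-host> with the hostname
    # configured in connector/ad/ldap/host; the demo below needs no AD host.
    import sys
    if len(sys.argv) > 1:
        print(check_password_service(sys.argv[1]))
    else:
        print(demo_local_listener())
```

"timeout" points at the firewall exception, "refused" at the stopped service; a "reachable" result with the traceback still appearing means the TCP path is fine and the certificate/configuration logfile on the Windows side is the next place to look.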

An LDAP server is not reachable

connector.log contains tracebacks ending with the following error message:

SERVER_DOWN: {'desc': "Can't contact LDAP server"}

Check the availability of the UCS LDAP server (e.g. using univention-ldapsearch) and the AD LDAP (e.g. using univention-adsearch).


The Active Directory's maximum search size is reached

The AD doesn't return more than 1000 items for a single search. A group with more than 1000 primary members therefore exceeds this limit when the Connector synchronizes it. The error message in connector.log ends with:

ldap.SIZELIMIT_EXCEEDED: {'info': , 'desc': 'Size limit exceeded'}


Features from UCS cannot be represented by Active Directory

UCS has more features than AD, e.g.

  • nested group memberships
  • container and OU structures

If features from UCS that cannot be represented in the AD are to be synchronized, the affected objects are recorded in connector.log with this or a similar error message:

UNWILLING_TO_PERFORM: {'info': '00002142: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perfor


Continuous sync of all users

This error is not to be mistaken for a reject, where the rejected objects are resynchronized after some time.

The most common cause is that the password hashes cannot be saved in the AD and therefore the object is synchronized again. This can occur when the connector is not configured according to the Connector documentation to work with a Windows 2008 Server. By default, a Windows 2008 server is configured not to save complete NTLM hashes. This problem is solved by configuring the AD policies correctly.

When this problem occurs, connector.log contains NTLM hash outputs with the string NO PASSWORD*********************, e.g.:

25.10.2010 19:09:45,546 LDAP        (INFO   ): password_sync_ucs: Hash AD: hash PASSWORD********************* hashXY UCS: hashXY
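Each section of this guide is identified by a distinctive string in connector.log, and a log at debug level 4 can be large. The following triage script is an added example, not part of the guide or of the Univention connector code: it maps every error signature quoted in the sections above to the section that explains it and counts the hits over a log. The sample log is constructed from the excerpts shown in this guide (the exact line layout of a real connector.log is an assumption); the regular expressions match only the literal strings the guide quotes.

```python
import re
from collections import Counter

# Error signatures quoted in this guide, in guide order, each mapped to the
# section that explains it. The literal strings are the ones shown above.
SIGNATURES = [
    ("password service not reachable", re.compile(r"error: \(111, 'Connection refused'\)")),
    ("LDAP server not reachable", re.compile(r"\bSERVER_DOWN:")),
    ("AD search size limit reached", re.compile(r"\bSIZELIMIT_EXCEEDED:")),
    ("feature not representable in AD", re.compile(r"\bUNWILLING_TO_PERFORM:")),
    # "NO PASSWORD*****..." is the NTLM field of an AD user whose hash was not stored
    ("NTLM hash not stored in AD (continuous sync)", re.compile(r"PASSWORD\*{5,}")),
]


def classify_line(line):
    """Return the guide section a connector.log line points to, or None."""
    for section, pattern in SIGNATURES:
        if pattern.search(line):
            return section
    return None


def triage(log_text):
    """Count hits per guide section over a whole connector.log.

    Returns a dict {section: count} holding only the sections that were hit;
    an empty dict means none of the known signatures occurred.
    """
    counts = Counter()
    for line in log_text.splitlines():
        section = classify_line(line)
        if section is not None:
            counts[section] += 1
    return dict(counts)


# Constructed sample log assembled from the excerpts in this guide; the
# timestamps and the first two lines are made up for the demo.
SAMPLE_LOG = """\
25.10.2010 19:09:44,100 LDAP        (PROCESS): sync to ucs: [user] [modify] cn=Administrator,cn=Users,dc=example,dc=com
failed in post_con_modify_functions
error: (111, 'Connection refused')
25.10.2010 19:09:45,546 LDAP        (INFO   ): password_sync_ucs: Hash AD: NO PASSWORD********************* UCS: hashXY
SERVER_DOWN: {'desc': "Can't contact LDAP server"}
ldap.SIZELIMIT_EXCEEDED: {'info': '', 'desc': 'Size limit exceeded'}
UNWILLING_TO_PERFORM: {'info': '00002142: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0\\n', 'desc': 'Server is unwilling to perform'}
25.10.2010 19:09:46,000 LDAP        (INFO   ): password_sync_ucs: Hash AD: NO PASSWORD********************* UCS: hashXY
"""


if __name__ == "__main__":
    # On a UCS DC: python3 thisfile.py /var/log/univention/connector.log
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for section, count in triage(text).items():
        print("%5d  %s" % (count, section))
```

Repeated hits in the "NTLM hash not stored" category for the same users are the pattern described in this last section, while a single burst of "LDAP server not reachable" lines usually marks one outage rather than a configuration problem.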

Tags: UCS 4

Last update: 2015-07-07 14:30
Author: Tim Petersen
Revision: 1.2
