Trouble looking up AD information


  • Trouble looking up AD information


    I'm having a problem looking up information from my Active Directory from one of my servers in my domain.

    This is my setup:
    * 1 server acting as DNS and AD server for domain labosec.intra
    * 1 server acting as Virtual Infrastructure server

    The VI server has successfully joined the domain and can perform DNS lookups without problem. However, when I try to log in to my Virtual Center using domain accounts, this doesn't work.

    After some troubleshooting, I found out the following:
    * when I go to the permissions settings of the VC client and try to look up domain information (such as groups and users), this always fails ("error accessing directory")
    * when I try testing the AD access by configuring terminal services access on the VI server, I never get any lookup results, the following screen keeps coming back (user is "frcre"):

    So, it looks like the Windows server can't perform the lookup. However, I have another server (a Juniper SSL appliance) configured for Active Directory authentication, and this authentication succeeds.

    I have not tested with another Windows server yet.

    Also, I'm getting the following errors in my event viewer on the AD server:

    Could these be part of the problem?

    How can I further troubleshoot this problem?

  • #2
    Re: Trouble looking up AD information

    Forgot to mention: the address is an address assigned by DHCP, I have no idea which device it is. Not accessible by RDP, telnet or SSH.


    • #3
      Re: Trouble looking up AD information

      Got some more errors, from the Event Viewer of the 'client' Windows server:

      The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/tbe1secadex01.labosec.intra. The target name used was ldap/tbe1secadex01.labosec.intra. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (LABOSEC.INTRA), and the client realm. Please contact your system administrator.

      This computer was not able to set up a secure session with a domain controller in domain LABOSEC due to the following:
      There are currently no logon servers available to service the logon request.
      This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
      I suppose that the lookup problem is related to the second error. But is the second error related to the Kerberos problem?

      -mod-: I have found the server with DHCP address, long live nmap
      Shut it down, will see if I'm still getting this kind of error (the server seemed to be part of the same labosec.intra domain, with the old AD server).
      Last edited by Sloefke; 13th June 2007, 12:58.


      • #4
        Re: Trouble looking up AD information

        Interesting: I can log in to the VI client with both local and domain administrator logins (I changed the local password, it was the same before).

        Also, I'm trying to find some information on how to diagnose and troubleshoot Active Directory, but I can't find much that is useful. Any hints on that?
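
Added example, not part of the original thread: one way to follow up the KRB_AP_ERR_MODIFIED event quoted in post #3 is to extract the target SPN from the event text and check how many accounts in a directory export register it, since the event itself names identically named machine accounts as the common cause. The LDIF export below is constructed sample data (both account DNs are invented), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First two sentences of the event text quoted in post #3.
EVENT = (
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "host/tbe1secadex01.labosec.intra. The target name used was "
    "ldap/tbe1secadex01.labosec.intra. "
)

# Constructed LDIF-style export; both DNs and their SPN lists are invented sample data.
LDIF = """\
dn: CN=TBE1SECADEX01,OU=Domain Controllers,DC=labosec,DC=intra
servicePrincipalName: ldap/tbe1secadex01.labosec.intra
servicePrincipalName: HOST/tbe1secadex01.labosec.intra

dn: CN=OLDDC-SAMPLE,CN=Computers,DC=labosec,DC=intra
servicePrincipalName: LDAP/TBE1SECADEX01.labosec.intra
"""

EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (?P<server>\S+?)\.\s+"
    r"The target name used was (?P<target>\S+?)\.(?:\s|$)"
)

def parse_event(text):
    """Return (server principal, target SPN) from the event text, or None."""
    m = EVENT_RE.search(text)
    return (m.group("server"), m.group("target")) if m else None

def spn_index(ldif):
    """Map lower-cased SPN -> set of account DNs that register it."""
    index, dn = defaultdict(set), None
    for line in ldif.splitlines():
        key, _, value = line.partition(":")
        if key.lower() == "dn":
            dn = value.strip()
        elif key.lower() == "serviceprincipalname" and dn:
            index[value.strip().lower()].add(dn)
    return index

def diagnose(event_text, ldif):
    """Classify the event's target SPN as 'duplicate', 'unique' or 'missing'."""
    parsed = parse_event(event_text)
    if parsed is None:
        return None
    # SPNs compare case-insensitively, so look up the lower-cased form.
    holders = sorted(spn_index(ldif).get(parsed[1].lower(), ()))
    verdict = {0: "missing", 1: "unique"}.get(len(holders), "duplicate")
    return {"target": parsed[1], "holders": holders, "verdict": verdict}
```

A "duplicate" verdict matches the cause the event text describes; a "unique" verdict points instead at name resolution or the machine account password as the next thing to check.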