Export error "Kerberos-no-logon"
Hi,
I want to replicate users (one-way) from a local AD (AD1, forest1) to a remote AD (AD2, forest2), then use PCNS to sync the password, but I got "Kerberos-no-logon" errors when exporting.
Here is my configuration:
1) I have configured an ILM server as a member of AD1. I use AD2's external IP address (NAT) for the remote AD2 MA.
2) All the servers are behind the firewall. The ILM and AD2 servers have mapped external internet IP addresses, all the ports have been opened on the firewall (TCP/UDP 389, 636, 53, 464) and tested with NMAP, the credentials on both ADMAs are 'domain admins', and I use a provisioning extension to set the initial password for users exported to AD2.
3) During the export, I got "Kerberos-no-logon" errors. All the users were created in AD2, but the accounts are disabled because the initial password was not set by the extension.
4) I have tried to force Kerberos over TCP, but it didn't solve the problem.
5) I searched some posts and documents; the problem could be DNS related. Does the ILM server need to access the AD2 SRV records? Could someone tell me if that is right, and how to configure the DNS? Currently the ILM server is using AD1 as its DNS server.
Thanks.
Harry
Answers
Just to clarify:
either you use forwarding mechanisms, or you replicate your forest2 DNS zones to forest1 DNS servers.
Marked as answer by Ahmad Abdel-wahed (MSFT, Moderator), Tuesday, November 03, 2009 6:10 PM
- Hi Harry,
after some additional thoughts I think your scenario won't work together with NAT. First some statements: as you can read in http://www.microsoft.com/downloads/details.aspx?familyid=C2EF3846-43F0-4CAF-9767-A9166368434E&displaylang=en:
Active Directory functionality is not supported over a router that has Network Address Translation (NAT) enabled. The configuration recommendations in this paper apply only to non-NAT environments.
Even if you've solved DNS resolution you probably will not be able to perform a Kerberos-based password operation. As Paul stated, this is not a normal LDAP operation; instead the Kerberos password update protocol (port 464) is used.
The problem with Kerberos and NAT is that the Kerberos header contains information about the sender (the IP address of your ILM server), and the recipient (your DC behind NAT) wants to resolve this address, to ensure the sender exists and the Kerberos packet is not forged. And this will definitely fail.
So the recommendation is to use a VPN instead of NAT between your locations?
/Matthias
Marked as answer by Ahmad Abdel-wahed (MSFT, Moderator), Tuesday, November 03, 2009 6:11 PM
All Replies
Will the export operations be performed, except for the initial password set?
If yes, I would exclude DNS and firewall problems.
Can you post the detailed error message?
Does your initial password fulfil the minimum password complexity rules of AD2?
Do you set the user's userAccountControl attribute = 512 (Enabled) in your provisioning code?
- csentry["userAccountControl"].IntegerValue = 0x0200
/Matthias
- Hi Matthias,
thank you.
Yes, users have been created in forest2, except for the initial pwd.
The initial pwd is 'ABCabc123', so it meets the minimum pwd complexity rules.
userAccountControl attribute = 512 has been set.
Everything is working when exporting to a local forest3 over the LAN, including the initial pwd and PCNS.
the error message is:
Distinguished Name: CN=xxx...
Modification type : update
Object type: user
Error Information
Running management agent : ad2.com
Error: kerberos-no-logon-server
latest occurrence
...
That's it.
Harry
- Actually the ILM server should be able to find an appropriate SRV record in the target domain to update the password.
Can you resolve _kpasswd._udp.<domain>.<com> across the firewall?
Have you checked your firewall log for blocked packets?
/Matthias
- Matthias,
I use the IP address for the remote AD2. Do I need to resolve the remote domain name?
Could you tell me how to resolve _kpasswd._udp.<domain>.<com>?
Another thread said you could make the Kerberos timeout longer; do you know how to?
I enabled Kerberos logging on the MIIS server. I didn't get an error message when exporting users to forest2, but I got a Kerberos error while importing users from forest1 to the metaverse. Here are the system events for the Kerberos error:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 22/10/2009
Time: 16:45:32
User: N/A
Computer: MIIS
Description:
A Kerberos Error Message was received:
on logon session ad1.com\miis
Client Time:
Server Time: 8:43:24.0000 10/22/2009 Z
Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
Extended Error:
Client Realm:
Client Name:
Server Realm: ad1.com
Server Name: krbtgt/ad1.com
Target Name: krbtgt/ad1.com
Error Text:
File: e
Line: 6c0
Error Data is in record data.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
- Harry,
you can try resolving the SRV record from your ILM machine with nslookup.exe _kpasswd._udp.<domain>.<com>
You should also check if all necessary SRV records are registered in your target domain. Use DNSLINT.exe for this analysis.
What do you mean with "...I use IP address for the remote AD2"? Where did you use an IP address instead of an FQDN?
Did you specify a preferred domain controller in your MA configuration?
- Matthias,
because the remote AD (forest2) is located in another city, it's in another LAN and behind the firewall, so I use AD2's NAT IP address in the ADMA, and also configured the same IP as the preferred domain controller.
The local DNS server in AD1 does not have the AD2 domain DNS zone or records. Do I have to create that?
thanks
- Harry,
I assume both forests have AD-integrated DNS.
For proper DNS resolution you may have to configure, on the forest1 DNS server infrastructure, conditional forwarding for the forest2 DNS namespace, pointing this conditional forwarding to your forest2 DNS servers.
With this configuration you should also be able to use DNS names in the MA configuration instead of IP addresses.
/Matthias
- You need to add zone transfers from the source server to the target server.
Once the zones are replicated you won't have any issues.
I had the same issue before, but after doing a zone transfer the issue was resolved.
irshadahmed
- Hi, if I replicate the forest2 DNS zones on the forest1 DNS server, all the records use forest2's LAN IPs, which cannot be reached by DC1 or the MIIS server in forest1. Should I change all the IP addresses to forest2's NAT IP?
thanks
- If you replicate (create a secondary zone) you cannot change anything; it's a read-only copy.
I'd try using forwarding and specify the NAT address as the target of my forwarder.
- I don't think NATting is supported for replicating AD, though you may get it to work. However, I don't think you want or need to replicate anything at all.
In your particular case, you may want to manually (i.e. statically) create the A and SRV records for one or two DCs in your remote forest. This way, ILM can correctly resolve a number of remote DCs. In the A record you would need to use the IP address of the target server as it would be known to the ILM server. I don't think you would need to configure PTR records for this scenario.
BTW, the records you want to register can be found in the C:\WINDOWS\system32\config\netlogon.dns file on your DC in the target forest.
Paul Loonen (Avanade)
- Matthias, I replicated the DNS for forest 2, but both the domain name and the DC of forest 2 resolve to forest2's LAN IP and time out, because the MIIS server cannot access forest2's LAN, which is located in another country.
Paul, should I change the LAN IP to the NAT IP in netlogon.dns in the target forest, or just add other lines for the A records and keep the old record?
thanks
- In the DNS that is used by your ILM environment, you need to import the records of netlogon.dns that you find on your target DC. Obviously, while importing, you need to modify the A record corresponding to the DC to the IP address that you can reach the DC on. You do not need to modify the netlogon.dns file itself (that wouldn't make sense: a DC creates this file each time the Netlogon service is started, therefore overwriting your changes). This file is useful when you don't have dynamic DNS configured, as it shows which records should be registered in DNS for the DC to be fully discoverable by clients and other DCs. As in this case you're going through address translation, you will need to modify the A record while importing into the DNS used by ILM.
Paul Loonen (Avanade)
- I tried that, but it gives me the same error message. I just realized that even if I use ADSI to connect to the remote forest2, I can't reset the password either; it gives me the error below:
Operation failed. Error code: 0x1f
0000001F: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0
Sorry to take your time, I'm new to ILM.
thanks
Harry
But I can modify other attributes via ADSI Edit, except unicodePwd.
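Paul's advice above (import the target DC's netlogon.dns records into the DNS that ILM uses, rewriting the DC's A record to the address the ILM server can actually reach) together with Matthias' earlier point that the _kpasswd SRV record has to resolve, as an added worked example. This is not code from the thread, from ILM or from Windows. The sample netlogon.dns contents, the domain ad2.com, the host names dc1/dc2 and the addresses 10.20.0.5, 10.20.0.6 and 203.0.113.10 are all constructed for the example; the script assumes the one-record-per-line `name TTL IN TYPE rdata` format a DC writes to netlogon.dns, and that only some DCs have a translated address on the firewall.

```python
"""Rewrite a DC's netlogon.dns records for import into the DNS used by ILM.

Added example; not from the thread, ILM or Windows. Assumes the one-record-
per-line format netlogon.dns uses: `name TTL IN TYPE rdata`. Domain, hosts
and addresses below are constructed for the example.
"""
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# name, TTL, class IN, record type, rdata (SRV rdata is "prio weight port target")
_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|SRV|CNAME)\s+(.+?)\s*$")

# Constructed sample: the records two DCs (dc1, dc2) of forest2 would write.
# 10.20.0.0/24 stands in for forest2's LAN, which the ILM server cannot reach.
SAMPLE_NETLOGON_DNS = """\
ad2.com. 600 IN A 10.20.0.5
ad2.com. 600 IN A 10.20.0.6
dc1.ad2.com. 600 IN A 10.20.0.5
dc2.ad2.com. 600 IN A 10.20.0.6
_ldap._tcp.ad2.com. 600 IN SRV 0 100 389 dc1.ad2.com.
_ldap._tcp.ad2.com. 600 IN SRV 0 100 389 dc2.ad2.com.
_kerberos._tcp.ad2.com. 600 IN SRV 0 100 88 dc1.ad2.com.
_kerberos._udp.ad2.com. 600 IN SRV 0 100 88 dc1.ad2.com.
_kpasswd._tcp.ad2.com. 600 IN SRV 0 100 464 dc1.ad2.com.
_kpasswd._udp.ad2.com. 600 IN SRV 0 100 464 dc1.ad2.com.
_kpasswd._udp.ad2.com. 600 IN SRV 0 100 464 dc2.ad2.com.
_gc._tcp.ad2.com. 600 IN SRV 0 100 3268 dc1.ad2.com.
"""

# Only dc1 is published through the firewall; 203.0.113.10 (constructed, from
# the documentation range) stands in for its NAT address.
NAT_MAP = {"10.20.0.5": "203.0.113.10"}

# SRV names a Kerberos password set has to resolve (kpasswd on 464, KDC on 88)
# plus the LDAP locator record the MA itself uses.
REQUIRED_SRV = ("_kpasswd._udp", "_kpasswd._tcp", "_kerberos._udp",
                "_kerberos._tcp", "_ldap._tcp")


def parse_netlogon_dns(text):
    """Parse netlogon.dns lines into Record tuples; unsupported lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append(Record(name.lower(), int(ttl), rtype, rdata))
    return records


def srv_target(record):
    """Target host of an SRV record (rdata is "prio weight port target")."""
    return record.rdata.split()[3].lower()


def rewrite_for_nat(records, nat_map):
    """Return the records to import on the ILM side of the NAT.

    A records whose LAN address has a translation are rewritten to it. A records
    for DCs with no translation are dropped, and so are the SRV records that
    point at them: an SRV answer whose target resolves to an unreachable LAN
    address only turns into a timeout on the ILM server.
    """
    reachable = {r.name for r in records if r.rtype == "A" and r.rdata in nat_map}
    out = []
    for r in records:
        if r.rtype == "A":
            if r.rdata in nat_map:
                out.append(r._replace(rdata=nat_map[r.rdata]))
        elif r.rtype == "SRV":
            if srv_target(r) in reachable:
                out.append(r)
        else:
            out.append(r)
    return out


def password_lookup_checklist(records, domain):
    """Which of the SRV names needed for a Kerberos password set are present.

    These are the same names to query with nslookup from the ILM server.
    """
    present = {r.name for r in records if r.rtype == "SRV"}
    return {f"{p}.{domain}.": f"{p}.{domain}." in present for p in REQUIRED_SRV}


def to_zone_text(records):
    """Render records back into the netlogon.dns line format for import."""
    return "".join(f"{r.name} {r.ttl} IN {r.rtype} {r.rdata}\n" for r in records)


if __name__ == "__main__":
    recs = rewrite_for_nat(parse_netlogon_dns(SAMPLE_NETLOGON_DNS), NAT_MAP)
    print(to_zone_text(recs))
    for name, ok in password_lookup_checklist(recs, "ad2.com").items():
        print(("ok      " if ok else "MISSING ") + name)
```

The output is the set of static A and SRV records to create in a zone for the target domain on the forest1 DNS server (or in whatever DNS the ILM server queries). Records for a DC that has no translated address are left out rather than imported with its LAN address, because that is exactly the timeout Harry saw after replicating the zone. This only fixes the locator step; it does not change the NAT limitation for the Kerberos password operation itself that Matthias describes in the marked answer.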
- Harry,
You cannot reset the password by modifying the unicodePwd attribute directly; AD will indeed not allow you. You will need to use the appropriate API to reset the passwords. Using e.g. AD Users & Computers or the new AD Administrative Center with the same user should work if you have sufficient rights (again, not by modifying the unicodePwd attribute directly, but by issuing a change password command).
BTW, setting unicodePwd only works during provisioning. Afterwards you cannot use this anymore in ILM. If it doesn't work during provisioning, please make sure that you do in fact comply with the password policy settings. If your passwords don't comply, users are indeed created, but disabled.
Paul Loonen (Avanade)

