Event id 1216

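  • Question

  • In a domain environment there are two DCs and one Exchange2013 server.

    Exchange2013 is installed on Windows Server 2013, and the IP address of this machine is 10.31.4.1.

    A large number of Event id 1216 entries are logged on both DCs, as follows: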

      

    Internal event: An LDAP client connection was closed because of an error. 

    Client IP:
    10.31.4.1:13706 

    Additional Data 
    Error value:
    1236 The network connection was aborted by the local system. 
    Internal ID:
    c060372

      

    Internal event: An LDAP client connection was closed because of an error. 

    Client IP:
    10.31.4.1:59823 

    Additional Data 
    Error value:
    1236 The network connection was aborted by the local system. 
    Internal ID:
    c060372

    The port number is not fixed.



    • Edited by liuxg168, May 31, 2017 8:50
    May 31, 2017 4:03

Answers

All replies

  • Hello,

    There is a KB article that describes why this event is logged and the corresponding solution, for your reference:

    Numerous "Event ID 1216" Events in Directory Services Event Log

    Thanks!


    Niko Cheng
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    June 1, 2017 6:44
    Moderator
  • Hello,

    I changed this:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics]

    "16 LDAP Interface Events"=dword:00000002

    Only after that did Event id 1216 appear.

    Originally this value was 0, but the log then contained Event id 2887, with the following content:


    During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: 
    (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or 
    (2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection 
     
    This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. 
     
    Summary information on the number of these binds received within the past 24 hours is below. 
     
    You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher. 
     
    Number of simple binds performed without SSL/TLS: 0 
    Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 1

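    I set "16 LDAP Interface Events"=dword:00000002 because I wanted to find out which computer is causing Event id 2887 to be logged, and what is causing it. How can this be resolved?


    • Edited by liuxg168, June 2, 2017 0:51
    June 2, 2017 0:47
  • Hello,

    Regarding Event ID 2887, it can be resolved by configuring the DC to reject simple LDAP bind requests.

    Microsoft provides official documentation for your reference: Event ID 2887 — LDAP signing

    Thanks!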



    Niko Cheng
    TechNet Community Support


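    June 2, 2017 2:00
    Moderator
  • Hello,

    After configuring the LDAP server signing requirement, will there be any impact on other computers in the domain? The domain contains Windows Server 2003, Windows XP (SP3), Windows Server 2008 R2, Windows Server 2012 R2 and Exchange2013. The DCs currently log Event id 1216 and Event id 2887, and they are for the IP address of the Windows Server 2012 R2 machine that has Exchange2013 installed.

    June 2, 2017 2:44
  • Hello,

    There will be no impact; this only strengthens the security of the domain controllers.

    Thanks!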


    Niko Cheng
    TechNet Community Support


    June 5, 2017 2:36
    Moderator
  • In the end it was resolved by following http://go.microsoft.com/fwlink/?LinkID=87923.
    • Marked as answer by liuxg168, June 8, 2017 1:19
    June 8, 2017 1:19
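
For the question in the thread about which machine is behind Event ID 2887: with "16 LDAP Interface Events" at level 2, the DC logs Event ID 2889 for each unsigned or cleartext bind, and that event names the client. The PowerShell below is an added example, not part of the original thread, that counts those binds per client before signing is enforced. The 24-hour window and the 2889 field order (client IP:port, bind identity, bind type) are assumptions of this example.

```powershell
# Added example (not from the thread). Run elevated on each domain controller.
# Assumes "16 LDAP Interface Events" is already set to 2, as described in the thread.
$since = (Get-Date).AddHours(-24)   # assumed window, matching the 2887 summary period

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No Event ID 2889 entries found in the selected window.'
}
else {
    $binds = foreach ($e in $events) {
        # Assumed field order in event 2889: client "IP:port", bind identity, bind type
        $client = [string]$e.Properties[0].Value

        # Drop the ephemeral source port so each host is counted once
        # (works for "10.31.4.1:13706" and for "[IPv6]:port")
        $ip = $client -replace ':\d+$', ''

        [pscustomobject]@{
            ClientIP = $ip
            Identity = [string]$e.Properties[1].Value
            BindType = switch ([int]$e.Properties[2].Value) {
                0       { 'SASL bind without signing' }
                1       { 'Simple bind without SSL/TLS' }
                default { "Unknown ($_)" }
            }
        }
    }

    # One row per client / account / bind type, busiest first
    $binds |
        Group-Object ClientIP, Identity, BindType |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}
```

Clients that still appear in this output are the ones whose binds the DC will refuse once it requires signing, so the list should be empty, or understood, before the policy is changed.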