PROBLEM STATEMENT

We are using a Metaverse Rules Extension to provision users from SQL Server to Active Directory. The provisioning code and configuration worked successfully in a test environment. In production the Active Directory users are getting created, but each user is created in a disabled state. Reviewing the export run of the Active Directory Management Agent (ADMA) in the Synchronization Service Manager shows a KERBEROS-NO-LOGON-SERVER error for each user provisioned.

Export Errors: http://msdn.microsoft.com/en-us/library/windows/desktop/ms696483(v=vs.100).aspx

Kerberos-no-logon-server 

An attempt is made to set or change a password attribute, and the management agent cannot resolve a server for the domain part of the logon credentials. This generally means there is a NetBIOS or DNS misconfiguration. This error is returned by the Active Directory management agent or the global address list synchronization management agent.


TROUBLESHOOTING

  • Ruled out management agent user account permissions; even as a domain administrator the provisioning failed.
  • Verified the configuration of the AD MA connection settings.
  • Ruled out name resolution, since the account is provisioned correctly, just without the password.
  • Gathered a network trace (Download Network Monitor 3.4).

INFORMATION

  • When provisioning a user with a password, Kerberos port TCP 464 comes into play: the sync engine connects to port 464 to set the password. This port is also used by PCNS (Password Change Notification Service).
  • To understand this issue we need to understand how TCP works. All we need to know is the three-way handshake TCP uses to set up communication over a port:
    • We first send a SYN to the target on the desired port.
    • The target responds with a SYN/ACK packet.
    • We ACK the target's response.

NETWORK TRACE INFORMATION

Successful TCP Session

Three packets and the session is set up. Here is how a successful TCP session to TCP port 88 appears in Network Monitor.

In the case where the Active Directory user is created but disabled, because the password is not set correctly, we instead see a TCP session flagged SynReTransmit when the sync engine attempts to reach Kerberos port 464: the SYN is sent repeatedly and no SYN/ACK ever comes back from the domain controller.
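The following script is an added example, not part of the original article, that applies the handshake explanation above to a trace. It reads a small, constructed set of packet-summary lines (the line format is an assumption; it is simplified compared with real Network Monitor frame summaries) and classifies each client-to-server session as established, or as a SYN that was retransmitted without a SYN/ACK, which is the pattern that accompanies the KERBEROS-NO-LOGON-SERVER export error when port 464 is unreachable while port 88 works.

```python
"""Classify TCP handshakes from packet-summary lines (added example).

Reads constructed, Network Monitor-style summary lines and reports, per
client-initiated session, whether the three-way handshake completed or the
client's SYN was retransmitted with no SYN/ACK from the server.
"""
import re

# Constructed sample: a completed handshake to TCP 88 (Kerberos) and three
# unanswered SYNs to TCP 464 (kpasswd). The line format is an assumption.
SAMPLE_TRACE = """\
1  0.000  10.0.0.5:50112 -> 10.0.0.10:88   Flags=S
2  0.001  10.0.0.10:88   -> 10.0.0.5:50112 Flags=S.A
3  0.001  10.0.0.5:50112 -> 10.0.0.10:88   Flags=A
4  0.010  10.0.0.5:50113 -> 10.0.0.10:464  Flags=S
5  3.010  10.0.0.5:50113 -> 10.0.0.10:464  Flags=S
6  9.010  10.0.0.5:50113 -> 10.0.0.10:464  Flags=S
"""

LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+Flags=(?P<flags>[SAFR.]+)"
)

# Service names for the two Kerberos ports the article discusses.
KERBEROS_PORTS = {88: "kerberos", 464: "kpasswd"}


def parse_trace(text):
    """Turn summary lines into packet dicts; unparsable lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "frame": int(d["frame"]), "time": float(d["time"]),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": set(d["flags"].replace(".", "")),  # e.g. {"S", "A"}
        })
    return packets


def _new_session():
    return {"syn": 0, "synack": False, "ack": False, "rst": False}


def _state(s):
    if s["syn"] and s["synack"] and s["ack"]:
        return "established"        # SYN, SYN/ACK, ACK all seen
    if s["rst"]:
        return "reset"              # server (or client) tore it down
    if s["syn"] > 1 and not s["synack"]:
        return "syn_retransmit"     # Network Monitor's SynReTransmit case
    if s["syn"] == 1 and not s["synack"]:
        return "syn_only"
    return "incomplete"


def classify_sessions(packets):
    """Return {(client, cport, server, sport): session dict with 'state'}."""
    sessions = {}
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])  # client -> server
        rev = (p["dst"], p["dport"], p["src"], p["sport"])  # server -> client
        f = p["flags"]
        if "S" in f and "A" not in f:          # client SYN, or a retransmit of it
            sessions.setdefault(fwd, _new_session())["syn"] += 1
        elif "S" in f and "A" in f:            # server SYN/ACK, keyed by initiator
            sessions.setdefault(rev, _new_session())["synack"] = True
        elif fwd in sessions:                  # later client -> server packet
            if "A" in f:
                sessions[fwd]["ack"] = True
            if "R" in f:
                sessions[fwd]["rst"] = True
        elif rev in sessions and "R" in f:     # server reset the session
            sessions[rev]["rst"] = True
    for s in sessions.values():
        s["state"] = _state(s)
    return sessions


def password_port_blocked(sessions):
    """True if any session to TCP 464 never got a SYN/ACK back."""
    return any(key[3] == 464 and s["state"] in ("syn_retransmit", "syn_only")
               for key, s in sessions.items())


def summarize(text):
    """One human-readable line per session, sorted by client tuple."""
    out = []
    for (c, cp, s, sp), st in sorted(classify_sessions(parse_trace(text)).items()):
        svc = KERBEROS_PORTS.get(sp, "tcp")
        out.append(f"{c}:{cp} -> {s}:{sp} ({svc}): {st['state']} "
                   f"[{st['syn']} SYN, synack={st['synack']}, ack={st['ack']}]")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_TRACE):
        print(line)
    if password_port_blocked(classify_sessions(parse_trace(SAMPLE_TRACE))):
        print("TCP 464 unreachable from the sync server: check firewall/DNS path to the DC")
```

Run against the constructed sample it reports the port 88 session as established and the port 464 session as syn_retransmit with three SYNs and no SYN/ACK. To use it on a real capture, export the frame summary from Network Monitor and adapt LINE_RE to the column layout you get; the classification logic does not depend on the line format.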

ADDITIONAL INFORMATION