Active Directory / LDAP Problems?



Everything was fine until we had to reboot one of our DCs
(which also happens to be our Exchange server).
Immediately after, we got reports of certain users missing
from the global address book. Not just excluded but replaced
with blank entries. Their addresses could not be resolved.
Eventually discovered that the Authenticated User
security group was missing from the Users OU in AD
(cannot explain how this has changed); replacing this
resolved the problem.
Problem we have now (which may or may not be related) is
to do with RAS client authentication, as before working
prior to above DC reboot, now failing to authenticate
user (Returning 930 The Authentication server did not
respond to authentication requests in a timely fashion).
I have gone through everything I can find on the
Microsoft site but still it won't authenticate users. I
have enabled tracing and the iassam log states:

[2644] 14:20:20:960: NT-SAM Names handler received request with user identity clericu.
[2644] 14:20:20:960: Prepending default domain.
[2644] 14:20:20:960: SAM-Account-Name is "NEASDOM\clericu".
[2644] 14:20:20:960: NT-SAM Authentication handler received request for NEASDOM\clericu.
[2644] 14:20:20:960: Processing MS-CHAP v2 authentication.
[2644] 14:20:20:976: LogonUser succeeded.
[2644] 14:20:20:976: NT-SAM User Authorization handler received request for NEASDOM\clericu.
[2644] 14:20:20:976: Opening LDAP connection to
[2644] 14:20:20:992: Access denied -- purging Kerberos ticket cache.
[2644] 14:20:20:992: Retrying LDAP connection to
[2644] 14:20:21:023: LDAP connect failed: Access is
[2644] 14:20:21:148: Using downlevel dial-in parameters.
[2644] 14:20:21:148: NTDomain::getConnection failed: Access is denied.
[2644] 14:20:21:148: Could not open an LDAP connection to domain NEASDOM.
[2644] 14:20:21:148: Per-user attribute retrieval failed: Access is denied.

We have enabled RRAS on another server to see if this is
a local problem but this is acting the same.

Can anyone enlighten me as to how I give access so that
the LDAP connection won't fail?

Mike Crabtree

I would suggest running DCDiag on all DCs - or at the very least the RRAS one
and the PDC emulator.

I'd also look carefully at the event logs of the DCs (again esp. the PDC emulator)
for related errors.

Mike Crabtree MVP
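
Added example, not part of the thread: a small Python triage of an iassam trace in the format quoted in the question, which rejoins mail-wrapped lines and separates requests whose logon succeeded from those that then failed on the directory read. The message texts come from the posted trace; the second request (id 3012, user NEASDOM\example1) and the stage labels are constructed for this example.

```python
import re
# Constructed sample: message texts are taken from the trace in the question
# (mail-wrapped as posted); id 3012 and NEASDOM\example1 are made up.
SAMPLE = r"""
[2644] 14:20:20:960: NT-SAM Authentication handler
received request for NEASDOM\clericu.
[2644] 14:20:20:976: LogonUser succeeded.
[2644] 14:20:20:992: Access denied -- purging Kerberos
ticket cache.
[2644] 14:20:21:148: Per-user attribute retrieval failed:
Access is denied.
[3012] 14:21:02:100: NT-SAM Authentication handler
received request for NEASDOM\example1.
[3012] 14:21:02:115: LogonUser succeeded.
"""

ENTRY = re.compile(r"^\[(\d+)\] (\d\d:\d\d:\d\d:\d{3}): ?(.*)$")
START = re.compile(r"NT-SAM Authentication handler received request for (.+?)\.$")
DIRECTORY_FAILURES = ("LDAP connect failed", "NTDomain::getConnection failed",
                      "Could not open an LDAP connection", "Per-user attribute retrieval failed")

def parse(text):
    """Return [id, time, message] entries, rejoining wrapped lines."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.append(list(m.groups()))
        elif line and entries:  # continuation of the previous entry
            entries[-1][2] = (entries[-1][2] + " " + line).strip()
    return entries

def triage(text):
    """Classify each request by the stage at which the trace shows a failure."""
    current, requests = {}, []
    for ident, _time, msg in parse(text):
        start = START.match(msg)
        if start:  # a new request begins for this bracketed id
            current[ident] = {"user": start.group(1), "logon_ok": False, "errors": []}
            requests.append(current[ident])
        elif ident in current:
            current[ident]["logon_ok"] |= msg == "LogonUser succeeded."
            if msg.startswith(DIRECTORY_FAILURES):
                current[ident]["errors"].append(msg)
    for req in requests:
        req["stage"] = ("logon" if not req["logon_ok"] else
                        "directory-read" if req["errors"] else "none-logged")
    return requests
```

A `directory-read` result means the password check passed and the failure is in reading the user's attributes over LDAP, which is the situation the question describes.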

