Troubleshooting LDAP on Onboard Administrator
To verify that SSL is working on the Domain Controllers in your domain, open a browser and then navigate to https://<domain_controller>:636 (substitute your Domain Controller for <domain_controller>). You can substitute <domain> in place of <domain controller> which goes to DNS to verify which Domain Controller is currently answering requests for the domain. Test multiple Domain Controllers to verify that all of them have been issued a certificate. If SSL is operating properly on a Domain Controller (for example, a Certificate has been issued to it), you are prompted by the Security dialog that asks if you want to proceed with accessing the site or view the certificate. If you click Yes, a webpage does not appear. The test is to make the Security Dialog prompt appear. A server not accepting connections on port 636 displays the page cannot be displayed
message. If this test fails, the Domain Controller is not accepting SSL connections possibly because a certificate has not been issued. This process is automatic, but might require a reboot.
To avoid a reboot:
- On the Domain Controller, load the Computer Account MMC snap-in, and then navigate to the Personal->Certificates folder.
- Right-click the folder, and then choose Request New Certificate. The type default is Domain Controller.
- Click Next, and then repeat until the Domain Controller issues the certificate.
A second method for troubleshooting SSL is to go to the DC, and then run the following command:
C:netstat -an | find /i “636″
If the server is listening for requests on port 636,the following response appears:
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING
- A third issue might be that the domain controllers have not auto-enrolled. The DCs can take up to 8 hours to auto-enroll and get their certificates issued because MS uses GPO to make the DC’s aware of the newly installed CA. You can force this by running DSSTORE -pulse from the DCs (tool is in the w2k reskit). It is triggered by winlogon. Therefore, for auto-enrollment to function, you must log off and then log on again. The certificates appear automatically in the CAs Issued Certs list. Make sure the CA is not listing them in Pending Certs. If it is, change the CA to auto issue certificates when a request comes in. If the auto-enrollment feature still does not function, request the certificate using the following procedure:
- On the Domain Controller, open MMC, and then add Certificate Snap-in (Computer Account).
- Navigate to Personal, and then right-click the folder.
- Click Request New Cert, and then click Next.
- Enter a name for the certificate.
If an RPC error occurs, verify that the CA is listed in DNS and that the CA is running.
If the wizard does not start, force the server to see the CA and then allow the wizard to run:
To speed up the GPO process and make the DCs acknowledge the CA, use one of the following commands:
- Windows® 2003, Gpupdate /force
- Windows® 2000, Secedit /refreshpolicy machine_policy /enforce
Verify that the Onboard Administrator has all the appropriate network settings unique to your network (such as DNS) and that the time and date are correct (certificates are date sensitive). Ensure that Onboard Administrator can reach the DNS server (by pinging it from the Onboard Administrator command line interface).
If LDAP is enabled while booting into Lost Password mode, the local Administrator password is reset, LDAP is disabled, and local login is re-enabled.
NOTE: The Onboard Administrator LDAP feature supports Microsoft® Active Directory using the |