AD-Connector Troubleshooting Guide
The UCS AD Connector synchronizes objects between the UCS directory (OpenLDAP) and MS Active Directory.
The configuration of the UCS Active Directory Connector is described in the UCS manual for users and administrators.
General information about error analysis
When objects are not synchronized correctly, either partly or as a whole, please check the following files and outputs on the UCS Domain Controller first:
- Output from univention-adsearch with a filter (e.g. univention-adsearch cn=Administrator) should show the AD object. If this tool doesn't function, check the connector's basic configuration.
- Logfile /var/log/univention/connector-status.log: current synchronization overview
- Logfile /var/log/univention/connector.log: general logfile; the amount of information can be configured by changing the debug level from 0 to 4 in the UCR variable connector/debug/level.
- Output from univention-connector-list-rejected: lists all objects that are not fully synchronized, i.e. rejects.
If the problematic object is in the list of rejects, the logfile connector.log should be checked.
Password service not reachable
The Connector creates users in the other directory, but doesn't activate the users in the AD. The passwords are not synchronized.
The connector.log shows tracebacks like this one:
failed in post_con_modify_functions
Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/univention/connector/init.py", line 1018, in sync_to_ucs
f(self, property_type, object)
File "/usr/lib/python2.4/site-packages/univention/connector/ad/password.py", line 239, in password_sync
res = get_password_from_ad(connector, rid)
File "/usr/lib/python2.4/site-packages/univention/connector/ad/password.py", line 128, in get_password_from_ad
s.connect ( (connector.lo_ad.host, 6670) )
File "", line 1, in connect
error: (111, 'Connection refused')
Possible reasons for the error:
- The Windows firewall forbids access: add an exception for C:\Windows\UCS-AD-Connector\ucs-ad-connector.exe in the Windows Firewall settings.
- The password service on the AD is not running: check/restart the UCS AD Connector service (under Start → Administrative Tools → Services).
- The configuration is incomplete, e.g. no certificates are present: see the logfile in the installation path, C:\Windows\UCS-AD-Connector\ucs-ad-connector.log.
The LDAP server is not reachable
In the connector.log are tracebacks, ending with the following error message:
SERVER_DOWN: {'desc': "Can't contact LDAP server"}
Check the availability of the UCS LDAP server (e.g. using univention-ldapsearch) and the AD LDAP (e.g. using univention-adsearch).
The Active Directory's maximum search size is reached
The AD doesn't return more than 1000 items when performing a search. A group with more than 1000 primary members exceeds this size in the Connector. The error message in the connector.log ends with:
ldap.SIZELIMIT_EXCEEDED: {'info': '', 'desc': 'Size limit exceeded'}
Features from UCS cannot be represented by Active Directory
UCS has more features than AD, e.g.
- nested group memberships
- Container and OU structures
If UCS features that cannot be represented in the AD are to be synchronized, the affected objects are recorded in the connector.log with this or a similar error message:
UNWILLING_TO_PERFORM: {'info': '00002142: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perform'}
Continuous sync of all users
This error is not to be mistaken for a reject, where the rejected objects are resynchronized after some time.
The most common cause is that the password hashes cannot be saved in the AD and therefore the object is synchronized again and again. This can occur when the connector is not configured according to the Connector documentation to work with a Windows 2008 Server. By default, a Windows 2008 Server is configured not to save complete NTLM hashes. This problem can be solved with the correct configuration of the AD policies.
When this problem occurs, the connector.log contains NTLM hash outputs with the string NO PASSWORD *********************, e.g.:
25.10.2010 19:09:45,546 LDAP (INFO ): password_sync_ucs: Hash AD: hash PASSWORD********************* hashXY UCS: hashXY
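As an added example (not part of this guide and not Univention code), the following Python script classifies connector.log lines against the error signatures quoted in the sections above, from the password-service traceback to the NTLM hash output, and maps each to the check the guide recommends. The regular expressions and the sample log lines are assumptions constructed for this example; adjust them to your log format.

```python
import re
from collections import Counter

# Error signatures quoted in the guide above, each paired with the check it recommends.
# The regular expressions are an assumption about how the messages appear in
# connector.log (this is an added example, not Univention code); adjust if needed.
SIGNATURES = [
    ("password_service_unreachable", re.compile(r"error: \(111, 'Connection refused'\)"),
     "Password service (port 6670) unreachable: check firewall, service, ucs-ad-connector.log"),
    ("ldap_server_down", re.compile(r"SERVER_DOWN: .*Can't contact LDAP server"),
     "Check UCS LDAP (univention-ldapsearch) and AD LDAP (univention-adsearch)"),
    ("ad_sizelimit_exceeded", re.compile(r"ldap\.SIZELIMIT_EXCEEDED"),
     "AD returns at most 1000 items, e.g. a group with more than 1000 primary members"),
    ("ad_unwilling_to_perform", re.compile(r"UNWILLING_TO_PERFORM: .*WILL_NOT_PERFORM"),
     "Object uses a UCS feature AD cannot represent (nested groups, container/OU)"),
    ("ntlm_hash_not_stored", re.compile(r"password_sync_ucs: .*PASSWORD\*{5,}"),
     "AD stores no complete NTLM hash: fix the Windows 2008 AD policy (continuous re-sync)"),
]

def classify_line(line):
    """Return the name of the first signature matching one connector.log line, or None."""
    for name, pattern, _hint in SIGNATURES:
        if pattern.search(line):
            return name
    return None

def scan_log(text):
    """Count how often each signature occurs in the contents of connector.log."""
    counts = Counter()
    for line in text.splitlines():
        name = classify_line(line)
        if name is not None:
            counts[name] += 1
    return counts

def diagnose(text):
    """Return (signature, count, recommended check) for each signature seen in the log."""
    counts = scan_log(text)
    return [(name, counts[name], hint) for name, _p, hint in SIGNATURES if counts[name]]

# Constructed sample lines modelled on the messages quoted above; not a real log.
SAMPLE_LOG = """\
25.10.2010 19:09:40,100 LDAP (PROCESS): sync to ucs: [user] [modify] cn=jdoe
error: (111, 'Connection refused')
SERVER_DOWN: {'desc': "Can't contact LDAP server"}
ldap.SIZELIMIT_EXCEEDED: {'info': '', 'desc': 'Size limit exceeded'}
UNWILLING_TO_PERFORM: {'info': '00002142: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0\\n', 'desc': 'Server is unwilling to perform'}
25.10.2010 19:09:45,546 LDAP (INFO ): password_sync_ucs: Hash AD: hash PASSWORD********************* hashXY UCS: hashXY
25.10.2010 19:09:45,600 LDAP (INFO ): password_sync_ucs: Hash AD: hashXY UCS: hashXY
"""
```

On a real system, call diagnose(open('/var/log/univention/connector.log').read()) and work through the returned checks in the order of the sections above.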