Thanks, Eric!

So I've enabled LDAP logging at level 5, and from time to time it shows me a warning:

Тип события: Предупреждение
Источник события: NTDS LDAP
Категория события: (16)
Код события: 1216
Дата: 03.01.2005
Время: 22:00:11
Пользователь: Нет данных
Компьютер: MAINDC
Описание: Сервер LDAP закрыл сокет для клиента из-за ошибочной ситуации, 995. (внутренний код c06028b::731).

(The LDAP server closed the socket because of error situation, 995 (INTERNAL CODE c06028b::731))

The left part of the code is always c06028b, but the right differs from time to time (731, 1037, 1615, 1627, 1439).

I think this happens after some unsuccessful connection from our Exchange, does it help to explain anything?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Eric Fleischman
Sent: Sunday, January 02, 2005 8:03 PM
To: [email protected]
Subject: RE: [ActiveDir] help troubleshoot ntds general 1049 error

By virtue of you being on 2000 and not 2003, you won't get an object DN in the event as we didn't pass it in to the event then.

I don't recall what the logging looks like, but perhaps you could figure out the source from LDAP interface logging. On 2003 I know this to be true (short of lack of correlation on a massively loaded DSA, but this is probably still doable through some educated guessing), on 2000 I'm not sure, I don't look at the logs as often. I'd give it a try though... turn LDAP interface logging to 5, then next time you experience the issue look at the events surrounding the problem event, and see if you can figure out the LDAP query being issued.

Also, if they happen quasi-regularly, you could take a network trace and correlate time of the event with LDAP query that came in over the wire, and probably figure it out that way. That has the added benefit of showing you the source IP, which I think LDAP interface logging on 2000 would not show you (though I'll admit I'm not sure if the logging really wouldn't show that).

It's unlikely you'll get to a state where things stop working, because whatever this is that is doing it has probably been doing it for a while, and probably will keep doing it for a while longer. So long as it gets the data it needs from the directory, it will probably be happy. But I appreciate wanting to get to root cause too.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete Procenko
Sent: Sunday, January 02, 2005 8:22 AM
To: [email protected]
Subject: RE: [ActiveDir] help troubleshoot ntds general 1049 error

Thanks for the clarification. There were not any object DNs, the Description field is just a text about not found root references and that's all. We don't have any external directories. I think the only application which uses the directory intensively is Exchange2000, but it seems to work fine too. The most important thing to me is that everything won't get worse, so one day AD won't stop working because of this, or Exchange.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Brett Shirley
Sent: Sunday, January 02, 2005 4:33 PM
To: [email protected]
Subject: RE: [ActiveDir] help troubleshoot ntds general 1049 error

Not really. It is OK to not generate a superior reference. Superior references are really for people who have an advanced directory setup, and intentionally want unknown LDAP DNs to be referred to another directory service (i.e. another AD forest, or Novell NDS, or Sun iPlanet / SunONE servers).

But this means that there is some application that is generating a garbage DN, in that it is asking your directory for a DN base that isn't rooted in any of your domains/config/schema NCs. What is the object DN in the event? Can you use that to guess at the errant app hitting your directory?

Cheers,
Brett Shirley [msft]

This posting is provided "AS IS" with no warranties, and confers no rights.

On Sun, 2 Jan 2005, Pete Procenko wrote:

> I see, I found some references about superiorDNSRoot at the MS's site,
> could you please recommend what to look for in AD to see where the
> trouble is? As far as I understood superiorDNSRoot is something
> dynamically generated, but in my case sometimes this generation fails,
> am I right?

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
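
Added example, not part of the original thread or written by any of its participants: a sketch of the correlation suggested in the thread, which takes LDAP search requests exported from a network trace, keeps those seen within a few seconds of the logged event, and reports the source IP of any whose base DN is not rooted in a naming context. The domain name, IP addresses, timestamps, tuple layout and function names are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: naming contexts as listed in rootDSE namingContexts.
NAMING_CONTEXTS = [
    "DC=example,DC=local",
    "CN=Configuration,DC=example,DC=local",
    "CN=Schema,CN=Configuration,DC=example,DC=local",
]
# Constructed search requests from a trace export: (time, source IP, base DN).
SEARCHES = [
    ("2005-01-03 21:59:58", "192.0.2.10", "CN=Users,DC=example,DC=local"),
    ("2005-01-03 22:00:10", "192.0.2.25", "OU=Mail,DC=oldcorp,DC=test"),
    ("2005-01-03 22:00:10", "192.0.2.10", ""),  # rootDSE read
    ("2005-01-03 22:07:30", "192.0.2.25", "cn=configuration, dc=EXAMPLE, dc=local"),
    ("2005-01-03 22:30:00", "192.0.2.31", "DC=local"),
]
EVENT_TIMES = ["2005-01-03 22:00:11"]  # constructed times of the problem event

def rdns(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in parts if p.strip()]

def is_rooted(base_dn, naming_contexts=NAMING_CONTEXTS):
    """True if base_dn equals or sits below one of the naming contexts."""
    base = rdns(base_dn)
    if not base:  # an empty base is the rootDSE, which is always valid
        return True
    for nc in naming_contexts:
        suffix = rdns(nc)
        if base[-len(suffix):] == suffix:
            return True
    return False

def suspects(searches=SEARCHES, event_times=EVENT_TIMES, window_s=5):
    """Unrooted searches seen within window_s seconds of a logged event."""
    fmt = "%Y-%m-%d %H:%M:%S"
    events = [datetime.strptime(t, fmt) for t in event_times]
    hits = []
    for when, src, base in searches:
        ts = datetime.strptime(when, fmt)
        near = any(abs(ts - e) <= timedelta(seconds=window_s) for e in events)
        if near and not is_rooted(base):
            hits.append((src, base))
    return hits
```

Calling suspects() on the constructed data returns the single request from 192.0.2.25 whose base DN sits outside every naming context.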
