
Troubleshooting Active Directory with Group Policies

In order to successfully map group policies to an LDAP group in Active Directory, the domain controller must be configured specifically to integrate with Dashboard.

This article describes common problems, solutions, and troubleshooting steps for integrating Active Directory with Dashboard group policies.

For configuration steps and initial setup, please refer to our documentation on Integrating Active Directory with Group Policies.

Expected Behavior

The MX utilizes Microsoft's Windows Management Instrumentation (WMI) service to pull a continuous stream of Logon Security Events from specified Domain Controllers in the Active Directory domain. These security events have critical information that tell the MX which user accounts are logged into which computers. Specifically, the events contain the IP address of the computer and the Windows username of the logged on user.

The MX will run through the following steps to identify AD group members and apply associated group policies:

  1. MX securely contacts the specified Domain Controllers for the AD domain, using TLS.
  2. MX reads WMI logon events from the DC's security events, to determine which users are logged into which devices.
  3. MX binds to DCs using LDAP/TLS to gather each user's AD group membership.
  4. Group membership is added to a database on the MX.
  5. If a domain user's group membership matches an AD group policy mapping in Dashboard, the MX can apply the associated group policy to the user's computer.

Because the MX is continuously gathering this information from the domain controllers, it is able to accurately apply policy in real-time whenever a new user logs in.

Error Messages

If the MX is unable to perform any of the steps outlined above, Dashboard should display an error message describing the part of the process that failed. Specifically, under Security appliance > Configure > Active Directory > Active Directory servers, the Status column will show a red X if there are problems communicating with that server. Hovering over the X displays an error message describing the specific issue.

The following sections describe these error messages in more detail, and provide recommended troubleshooting steps for each:

ldap_bind: Invalid credentials

Error Description: Short domain, Domain admin or Password values are incorrectly configured for Active Directory Servers in Dashboard. 

Error Solution: The following steps describe how to find the correct info to enter in Dashboard under Security appliance > Configure > Active Directory > Active Directory Servers:

  • Short domain: Use the pre-Windows 2000 (NetBIOS) domain name format. Find the pre-Windows 2000 domain name by doing either of the following on the domain controller:
    • Run the set command from the command prompt and locate the USERDOMAIN value.
    • In the Active Directory Users and Computers console, locate the pre-Windows 2000 domain name value on the Account Properties tab of the domain administrator or any user in the domain. Note: Do not include the backslash when entering the short domain in Dashboard.
  • Domain admin: Use the User logon name of the Domain administrator without a NetBIOS domain name prefix or UPN suffix. This can be found on the Account Properties tab of the domain administrator in the Active Directory Users and Computers console of the domain controller.
  • Password: The password for the Domain admin account is incorrect or the user is locked out in Active Directory. To determine if the account is locked, check the Account Properties tab of the domain administrator in the Active Directory Users and Computers console of the domain controller. 
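The following PowerShell script is an added example, not part of the Meraki article, that collects the three values the Active Directory Servers form asks for (short domain, domain admin logon name) and checks the account states that produce an ldap_bind: Invalid credentials error. It assumes the ActiveDirectory RSAT module is available and that the service account's logon name is passed as $AdminUser (the default value shown is a hypothetical account name).

```powershell
# Added example (not from the Meraki article): gather the values entered under
# Security appliance > Configure > Active Directory > Active Directory Servers.
# Run on a domain controller or any host with the ActiveDirectory module.
param(
    [string]$AdminUser = 'meraki-svc'   # hypothetical account name; replace with yours
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
# "Short domain" = the pre-Windows 2000 (NetBIOS) name, entered WITHOUT a backslash.
Write-Host ("Short domain : {0}" -f $domain.NetBIOSName)
Write-Host ("DNS domain   : {0}" -f $domain.DNSRoot)

# Same value the 'set' command shows as USERDOMAIN when run on the DC.
Write-Host ("USERDOMAIN   : {0}" -f $env:USERDOMAIN)

# "Domain admin" = the User logon name only: no DOMAIN\ prefix, no @suffix.
$user = Get-ADUser -Identity $AdminUser -Properties LockedOut, Enabled, PasswordExpired
Write-Host ("Domain admin : {0}" -f $user.SamAccountName)

# Account states that make a correct password still fail to bind.
if ($user.LockedOut)       { Write-Warning "$AdminUser is locked out in Active Directory." }
if (-not $user.Enabled)    { Write-Warning "$AdminUser is disabled." }
if ($user.PasswordExpired) { Write-Warning "$AdminUser has an expired password." }

# To clear a lockout once the cause is understood (requires the right to do so):
# Unlock-ADAccount -Identity $AdminUser
```

A locked-out account is usually a symptom rather than the root cause: if the bind keeps failing with the same account, something (often the stored Dashboard password being stale) is still presenting the wrong credentials, and unlocking alone will only buy a few minutes before the lockout threshold is hit again.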

Could not reach domain controller

Error Description: The MX is unable to reach the LDAP and WMI services on the domain controller. Specifically, the MX is unable to establish a TCP session with either service.

Error Solution: To resolve an unreachable domain controller, please verify:

  • The correct IP address of the domain controller is entered into the Server IP field in Dashboard.
  • There is IP connectivity between the MX and domain controller. 
  • A firewall is not blocking LDAP and WMI connections to the domain controller. LDAP connections use TCP port 3268. WMI uses TCP ports 135 and 445 plus a dynamically assigned port range: TCP 1024-65535 for Windows 2003 and older, and TCP 49152-65535 for Windows 2008.
  • The Windows Management Instrumentation (WMI) service is running on the domain controller. This can be checked in the server's Services console.

For more information on troubleshooting connection issues, reference our documentation on Troubleshooting a connection.

ldap_bind: Can't contact LDAP server

Error Description: This error indicates the MX can connect to the WMI service on the domain controller but cannot connect to the LDAP service. Note that this is different from the Could not reach domain controller error (described above), which indicates both the WMI and LDAP services are unreachable.

Error Solution: To resolve LDAP connection failures, please verify:

  • The domain controller is a Global Catalog listening on TCP port 3268.
  • A firewall is not blocking LDAP connections to the Global Catalog service on TCP port 3268.
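The script below is an added example, not part of the Meraki article, that runs the reachability checks from the Could not reach domain controller and ldap_bind: Can't contact LDAP server sections from a Windows host on the same network path as the MX: it tests the fixed TCP ports the MX needs, confirms the domain controller holds the Global Catalog role, and checks that the WMI service is running. It assumes the ActiveDirectory module is installed on the host and that $DC holds the address entered in the Server IP field (the default is a hypothetical value).

```powershell
# Added example (not from the Meraki article): port and role checks for an MX
# Active Directory server entry. Run from a Windows host that sits on the same
# side of any firewall as the MX, so the results reflect what the MX sees.
param(
    [string]$DC = '10.0.0.10'   # hypothetical DC address; use the Dashboard "Server IP"
)
Import-Module ActiveDirectory

# Fixed ports from the article: 3268 = Global Catalog LDAP, 135 = RPC endpoint
# mapper, 445 = SMB. WMI then moves to a dynamic port (49152-65535 on 2008+),
# which a per-port test cannot cover; check that range on the firewall rules.
$ports = [ordered]@{ 'LDAP-GC' = 3268; 'RPC-EPM' = 135; 'SMB' = 445 }
foreach ($name in $ports.Keys) {
    $r = Test-NetConnection -ComputerName $DC -Port $ports[$name] -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED or closed' }
    Write-Host ("{0,-8} TCP {1,-5} {2}" -f $name, $ports[$name], $state)
}

# A DC that is not a Global Catalog does not listen on 3268 at all, which shows
# up in Dashboard as "ldap_bind: Can't contact LDAP server".
$dcInfo = Get-ADDomainController -Identity $DC
Write-Host ("Global Catalog : {0}" -f $dcInfo.IsGlobalCatalog)

# The Windows Management Instrumentation service (winmgmt) must be running.
$svc = Get-Service -ComputerName $DC -Name winmgmt
Write-Host ("WMI service    : {0}" -f $svc.Status)

# On the DC itself, this shows the dynamic TCP range WMI/DCOM will actually use:
# netsh interface ipv4 show dynamicport tcp
```

If 135 and 445 are open but 3268 is not, the problem is either the Global Catalog role or a firewall rule that only allows the standard LDAP ports (389/636); the MX specifically uses the Global Catalog port.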

For more information on troubleshooting connection issues, reference our documentation on Troubleshooting a connection.

ldap_start_tls: Server is unavailable

Error Description: The MX uses TLS to secure the LDAP connection to the domain controller. This error indicates the MX received an Error initializing TLS response from the domain controller when attempting to establish TLS.

Error Solution: To resolve issues with TLS, please verify the following:

WMI Error

Error Description: This error means the WMI service on the domain controller is returning an NT error code when the MX tries to pull security logs. These events are necessary for the MX to learn which user accounts are logged into which computers.

Error Solution: There are two reasons for WMI errors:

  • The user account configured in Dashboard does not have permissions to access domain controller security logs. If Dashboard shows a continuous WMI Error, the issue is likely user permissions. To fix this, add the configured Domain admin account as a member of the Domain admins group in Active Directory.
  • In order to apply Group Policies to clients in real-time, the MX connects to the WMI service every 5 seconds to pull the most recent logon events. The WMI Provider Service may require increased memory and handle quotas and a smaller Security Event log size to handle the requests.
    Please follow the steps below to increase WMI Provider Service memory and handle quotas and decrease the size of the Security Event logs:
    1. Open the Event Viewer.
    2. Navigate to Event Viewer > Windows Logs > Security.
    3. Right-click Security and click Properties.
    4. Set the Maximum log size (KB) to 1024.
    5. For When maximum event log size is reached, select Overwrite events as needed (oldest events first) or Archive the log when full, do not overwrite events.
    6. Click OK.
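The script below is an added example, not part of the Meraki article, that reproduces the two halves of the WMI Error section: it issues the same kind of WMI query the MX uses (Win32_NTLogEvent on the Security log, filtered to successful logon events, ID 4624) with the configured account so a permissions failure surfaces directly, and it reads the current Security log size and retention mode so the Event Viewer steps above can be verified. It assumes $DC is the domain controller name and $Cred is the Dashboard Domain admin credential (the default DC name is hypothetical).

```powershell
# Added example (not from the Meraki article): test WMI access to the Security
# log with the Dashboard account, then check the log size the article recommends.
param(
    [string]$DC = 'dc01.corp.example',   # hypothetical DC name
    [pscredential]$Cred = (Get-Credential -Message 'Dashboard "Domain admin" account')
)

# 1. Permission check. Get-WmiObject talks DCOM (TCP 135 + dynamic port), the
#    same path the MX uses. "Access denied" here means the account cannot read
#    the Security log, the first cause of a continuous WMI Error in Dashboard.
try {
    $events = @(Get-WmiObject -ComputerName $DC -Credential $Cred `
        -Class Win32_NTLogEvent -Filter "Logfile='Security' AND EventCode=4624" |
        Select-Object -First 5 TimeGenerated, ComputerName, EventCode)
    Write-Host ("Read {0} logon events (4624) via WMI: permissions OK" -f $events.Count)
    $events | Format-Table -AutoSize
} catch {
    Write-Warning ("WMI query failed: {0}" -f $_.Exception.Message)
}

# 2. Log size check. The article recommends a 1024 KB maximum with
#    overwrite-as-needed so the 5-second polling stays cheap for the WMI provider.
$log = Get-WinEvent -ListLog Security -ComputerName $DC
Write-Host ("Security log: max {0} KB, mode {1}" -f ($log.MaximumSizeInBytes / 1KB), $log.LogMode)
if ($log.MaximumSizeInBytes -gt 1MB) {
    Write-Warning "Security log is larger than the recommended 1024 KB."
}

# Equivalent of the Event Viewer steps, to be run on the DC itself:
# Limit-EventLog -LogName Security -MaximumSize 1MB -OverflowAction OverwriteAsNeeded
```

Shrinking the Security log to 1 MB trades retention for responsiveness: on a busy domain controller that log can roll over in minutes, so if the same events are needed for auditing or detection, make sure they are already being forwarded to a SIEM or collector before applying the change.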

LDAP Connection error

Error Description: This error commonly occurs when the domain controller does not support TLS v1.0.

Error Solution: Verify the domain controller supports TLS v1.0.
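The script below is an added example, not part of the Meraki article, for the ldap_start_tls: Server is unavailable and LDAP Connection error sections. Run on the domain controller, it reads the server-side SCHANNEL protocol settings that decide which TLS versions the DC will negotiate, and lists the server-authentication certificates in the machine store, since a domain controller can only complete STARTTLS on LDAP when it has a usable server certificate (a general Active Directory fact, not something the article states). It assumes the registry layout used by Windows for SCHANNEL; a missing key means the OS default for that Windows version applies.

```powershell
# Added example (not from the Meraki article): show which TLS versions this
# domain controller will accept as a server, and whether it has a certificate
# it can present for LDAP over TLS. Run on the DC itself.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key = Join-Path $base "$proto\Server"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        # Enabled=0 or DisabledByDefault=1 both stop the DC offering the version.
        $enabled = if ($null -eq $p.Enabled) { 'default' }
                   elseif ($p.Enabled -ne 0) { 'enabled' } else { 'DISABLED' }
        $dbd     = if ($null -eq $p.DisabledByDefault) { 'default' } else { $p.DisabledByDefault }
        Write-Host ("{0,-8} Server: Enabled={1}, DisabledByDefault={2}" -f $proto, $enabled, $dbd)
    } else {
        Write-Host ("{0,-8} Server: no registry key (OS default applies)" -f $proto)
    }
}

# Certificates the DC could use for LDAP/TLS: need Server Authentication EKU
# and must not be expired. None here usually means "Error initializing TLS".
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

Many hardened domain controllers have TLS 1.0 disabled on purpose, because the protocol is deprecated; if this check shows it disabled and the MX build in use still requires it, the decision to re-enable it is a trade-off to weigh against the rest of the DC's exposure rather than a simple fix, and the setting should be scoped to the domain controllers the MX actually talks to.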

Last modified
12:55, 2 Nov 2016


Article ID

ID: 5478
