Discussion:
SFU error message on NIS Server node
Demel
2009-08-23 07:03:01 UTC
I have problems with Identity Management for UNIX; the problem is the one
described in KB article 923515.
The serverReference attribute value on the server is correct.

Also, password synchronization does not work.
When I make a password change, the attribute unixUserPassword remains the same.
I have tested all the configuration settings in a test environment and it
works.
All the DCs in the domain have Password Synchronization installed and enabled.
The tool is running on a Windows Server 2003 R2 AD DC.

I'd like to hear from others before I contact Microsoft Customer Service and
Support.
Ashish
2009-08-24 19:30:32 UTC
Copy and save the text between <code> and </code> as servref.vbs and
run it using the following syntax -

c:\>cscript servref.vbs -all

This will list all the servers that need to have serverReference
populated with their DNs. If you see any servers with blank
serverReference - you will have to fix them before this error will go
away.

- Ashish


<code>
'======================================
Dim strFilter 'As String
Dim oConnection 'As ADODB.Connection
Dim oRecordSet 'As ADODB.RecordSet
Dim strQuery 'As String
Dim strDomainNC 'As String
Dim oRootDSE 'As IADs
Dim vArray 'As Variant()
Dim vSid 'As Variant
Dim oDirObject 'As Variant

showAll = false

' "-all" lists every server object, not only those with a blank serverReference
if WScript.Arguments.Count > 0 then
    if WScript.Arguments(0) = "-all" then
        showAll = true
    end if
end if

' Find the configuration naming context
set oRootDSE = GetObject("LDAP://RootDSE")
strConfiguration = oRootDSE.Get("configurationNamingContext")
set oRootDSE = Nothing

WScript.Echo "Configuration='" & strConfiguration & "'" & vbCrLf

' Setup the ADO connection
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Provider = "ADsDSOObject"
oConnection.Open ""

' Every server object below CN=Sites, searched over the whole subtree
strQuery = "<LDAP://CN=Sites," & strConfiguration & ">;" & _
    "(objectClass=Server);name,distinguishedName,serverReference;subTree"

WScript.Echo "Query='" & strQuery & "'" & vbCrLf

'Execute the query
set oRecordSet = oConnection.Execute(strQuery)
if oRecordSet.Eof then
    WScript.Echo "No objects were found"
Else
    'On Error Resume Next

    ' Iterate through the objects that match the filter
    While Not oRecordset.Eof
        serverReference = oRecordSet.Fields("serverReference").Value
        ' An unset attribute is returned as Null, and Null = "" is not True,
        ' so convert Null to an empty string before the comparison
        If IsNull(serverReference) Then serverReference = ""
        if showAll or serverReference = "" then
            WScript.Echo "Name='" & oRecordset.Fields("name").Value & "'"
            WScript.Echo "DN='" & oRecordset.Fields("distinguishedName").Value & "'"
            WScript.Echo "serverReference='" & serverReference & "'"
            WScript.Echo
        end if
        oRecordset.MoveNext
    Wend
End if

'Clean up
Set oRecordset = Nothing
Set oConnection = Nothing

WScript.Echo "Done."
'======================================
</code>
Demel
2009-08-25 09:15:01 UTC
Hi Ashish,
when I run the script, I get the following output:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Configuration='CN=Configuration,DC=domainname,DC=com'

Query='<LDAP://CN=Sites,CN=Configuration,DC=domainname,DC=com>;(objectClass=Server);name,distinguishedName,serverReference;subTree'

Done.
Demel
2009-08-25 11:39:01 UTC
Thank you Ashish. You helped me dig a little bit further into the problem.

After reproducing the whole thing on a copy of the actual production
environment and modifying the script to show all the servers with or without
a value in serverReference, it showed Exchange servers without a value in the
serverReference attribute. (Why it didn’t show these servers before
modifying the script, I don’t know.) Why are the Exchange servers listed
under my Sites Servers? Maybe because we have an application installed that
uses Microsoft Message Queuing.

I added the value for serverReference attribute for these servers and voila,
the error message was gone.
The serverReference attribute value MUST be populated for ALL the servers in
the Sites container. The statement “This problem occurs when the
serverReference attribute has a value of <Not Set> for a particular Server
for NIS network in Active Directory Configuration container”, in KB 923515 is
not clear and incomplete. It should reference all the servers within the
(adsiedit.msc) Configuration[<ServerName>.<YourDomain>.<DomainSuffix>],
CN=Configuration,DC=<YourDomain>,DC=<DomainSuffix>, CN=Sites Sites container.

My first problem is resolved. Now I still have the password synchronization
problem.
All the DCs in the domain have Password Synchronization installed, enabled
and are configured as follows.
“Windows to Computers that run on UNIX” is enabled.
“Port Number” 6677
“Encryption / Decryption key” is the same on all DCs.
“Enable extensive logging” is enabled.
“Enable Windows to NIS (AD) Password Sync” is enabled.

UNIX Computers container is empty (as it is in the test environment, where
it works).
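An added example, not part of the thread and not Ashish's or Microsoft's code: a read-only PowerShell audit of the same CN=Sites server objects that also reports whether each object with no serverReference is a domain controller and which computer account is the likely value to set. It assumes the ActiveDirectory PowerShell module on a management host and a single-domain forest; the report column names are made up for this example.

```powershell
# Added example, read-only: nothing in the directory is modified.
# Assumes the ActiveDirectory (RSAT) module and a single-domain forest.
Import-Module ActiveDirectory

$config = (Get-ADRootDSE).configurationNamingContext

# Same search as servref.vbs: every server object under CN=Sites.
$servers = Get-ADObject -SearchBase "CN=Sites,$config" `
    -LDAPFilter '(objectClass=server)' `
    -Properties serverReference, dNSHostName

$report = foreach ($s in $servers) {
    # An unset attribute comes back as $null; skip servers that have a value.
    if ($s.serverReference) { continue }

    # Domain controllers have an nTDSDSA child ("NTDS Settings");
    # other server objects (such as the Exchange servers in the thread) do not.
    $ntds = Get-ADObject -SearchBase $s.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSDSA)'

    # Find the matching computer account: by DNS host name when the server
    # object has one, otherwise by CN. Names containing ( ) * \ would need
    # LDAP escaping before being placed in a filter.
    if ($s.dNSHostName) { $filter = "(dNSHostName=$($s.dNSHostName))" }
    else { $filter = "(cn=$($s.Name))" }
    $computers = @(Get-ADComputer -LDAPFilter $filter)

    if ($computers.Count -eq 1) { $candidate = $computers[0].DistinguishedName }
    else { $candidate = "no unique match ($($computers.Count) found)" }

    # Column names below are hypothetical, chosen for this report only.
    [pscustomobject]@{
        Server             = $s.Name
        IsDomainController = [bool]$ntds
        ServerObjectDN     = $s.DistinguishedName
        CandidateReference = $candidate
    }
}

$report | Format-List
```

Review each CandidateReference before entering it in adsiedit.msc; in a multi-domain forest the computer lookup has to be repeated against each domain.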
Demel
2009-08-27 12:47:01 UTC
Here is my solution for the password synchronization problem!

Uninstall idMU
Reboot
Search for (psxdll.dll, psxdllsvr.dll, psxrun.exe, psxss.exe, pswdsync.dll, psxdrv.sys) and delete files
In the registry, search for idmu and delete all references in registry
Install idmu
Reboot
Set Server for NIS service to automatic and start service
In password synchronization properties, configuration tab, enable extensive logging and enable windows to NIS(AD) password synchronization
Select NO for "perform compatibility check"
Select YES for "are you sure you still want to enable this feature?"
At the command prompt, ypmatch -d <NIS Domain> <user> passwd.byname, to check the current password
Change test user password and check for event id 4098
In Identity Management for UNIX, Server for NIS, click check for updates now
At the command prompt, ypmatch -d <NIS Domain> <user> passwd.byname, to see if the password changed
In password synchronization properties, settings tab, generate a new key (or copy the generated key from another DC)