Troubleshooting Active Directory

Active Directory (AD) replication problems can have several different sources and can be highly technical. This guide covers the tools and a general methodology to fix Active Directory replication errors. The following subtopics cover symptoms, causes, and how to resolve specific replication errors. 

 

Event and tool solution recommendations

Before beginning, you will want to be sure you have access to your Directory Service event logs. If you encounter an issue during configuration or troubleshooting, you will need to refer to these logs.

Generally, the red (Error) and yellow (Warning) events in your Directory Service event log suggest a specific constraint that is causing replication failure on the source or destination domain controller. If the event message suggests steps for a solution, please try the steps that are described in the event.  To assist with this, the Repadmin tool and other diagnostic tools also provide information that can help you resolve replication failures. 

 

Ruling out disruptions

Aside from intentional disconnections, hardware failures, and outdated Windows 2000 domain controllers, the primary root causes of AD replication failures are:

  • Network connectivity
    • The network connection might be unavailable, or network settings are not configured properly.
  • Name resolution
    • DNS misconfigurations are a common cause of replication failures.
  • Authentication and authorization
    • Authentication and authorization problems cause "Access denied" errors when a domain controller tries to connect to its replication partner.
  • Directory database (store)
    • The directory database might not be able to process transactions fast enough to keep up with replication time-outs.
  • Replication engine
    • If intersite replication schedules are too short, replication queues might be too large to process in the time that is required by the outbound replication schedule. In this case, replication of some changes can be stalled indefinitely, potentially long enough to exceed the tombstone lifetime.
  • Replication topology
    • Domain controllers must have intersite links in AD DS that map to real wide area network (WAN) or virtual private network (VPN) connections. If you create objects in AD DS for the replication topology that are not supported by the actual site topology of your network, replication that requires the misconfigured topology fails.

 


Common Errors & Solutions 

Error: HTTP ERROR 504

Root Cause: This error generally indicates that one server did not receive a timely response from another server that it was accessing while attempting to load the web page or fill another request by the browser. 

Solution:
  1. Sign in to either the Formstack main domain or your account subdomain at https://formstack.com/admin
  2. Attempt the same login process using an alternative browser.

 

Error: Access is denied

Root Cause: A replication link may exist between two domain controllers, but replication cannot be performed properly as a result of an authentication failure.

Solution: Fixing Replication Security Problems 

 

Error: LDAP Error 49

Root Cause: The domain controller account might not be synchronized.

Solution: Fixing Replication Security Problems 

 

Error: Replication posted, waiting

Root Cause: The domain controller posted a replication request and is waiting for an answer. 

Solution: Replication is in progress from this source.  Please wait for replication to complete. This informational message indicates normal operation.

 

Error: Active Directory Login Failing and we're seeing a white screen.

Root Cause: IP Address(es) require whitelisting.  

Solution: Most likely, the list of IP addresses you have whitelisted needs to be updated to include the Formstack IP address: 52.71.30.102

 

Error: When adding an external username, the drop-down for Authentication Providers is empty and the form cannot be submitted.

Root Cause: Issues locating an authenticated or existing Formstack user.

Solution: When authenticating with Active Directory, the username and password supplied by the authenticating user are used to bind to the LDAP server provided by Active Directory. If the LDAP bind succeeds, the username and password are valid. From there, we use the User Filter setting of the Active Directory SSO provider to search for the authenticating user. Once the authenticating user is found, we extract that user's email address and try to find an existing Formstack user with the same email address. If one is found, we authenticate the user as that Formstack user. If no Formstack user is found, we use the Name and Email address returned by Active Directory to create a user on the account without any permissions.
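As an added illustration of the flow just described (not Formstack's code), here is the bind, User Filter search, email match and provisioning sequence in Python. The in-memory `FakeDirectory` is a constructed stand-in for the AD LDAP server so the example runs offline, and `escape_filter_value` is included to show that the username must be RFC 4515-escaped before it is substituted into the User Filter.

```python
import re

# RFC 4515 escaping for values substituted into an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it is placed in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

class FakeDirectory:
    """Constructed in-memory stand-in for the AD LDAP server (hypothetical)."""
    def __init__(self, users):
        self.users = users  # sAMAccountName -> {password, mail, displayName}

    def bind(self, username, password):
        user = self.users.get(username)
        return user is not None and user["password"] == password

    def search(self, ldap_filter):
        # Only the simple "(sAMAccountName=<value>)" shape is understood here;
        # escaped bytes (\2a etc.) are decoded to literal characters as a real
        # server would, so an escaped "*" never acts as a wildcard.
        match = re.fullmatch(r"\(sAMAccountName=(.*)\)", ldap_filter)
        if not match:
            return []
        name = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), match[1])
        user = self.users.get(name)
        return [user] if user else []

def authenticate_sso(directory, accounts, username, password,
                     user_filter="(sAMAccountName={username})"):
    """Return ("existing", acct), ("created", acct) or (None, reason)."""
    # 1. Bind with the authenticating user's own credentials.
    if not directory.bind(username, password):
        return None, "Unable to bind to LDAP server"
    # 2. Search with the provider's User Filter, substituting the escaped name.
    entries = directory.search(user_filter.format(username=escape_filter_value(username)))
    if len(entries) != 1:
        return None, "User Filter did not match exactly one entry"
    entry = entries[0]
    # 3. Match the directory email against users already on the account.
    for acct in accounts:
        if acct["email"].lower() == entry["mail"].lower():
            return "existing", acct
    # 4. Otherwise create a user on the account with no permissions.
    created = {"name": entry["displayName"], "email": entry["mail"], "permissions": []}
    accounts.append(created)
    return "created", created
```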

 

Error: Can't contact LDAP server, Unable to bind to LDAP server.

Root Cause: Issues reaching your LDAP server, or with the username and password used to bind to it.

Solution: The 'Contact' error means that Formstack could not reach your server at all. The 'Bind' error means that the server was reached, but authentication with the provided username and password failed.

 
