Hi, we recently enabled AD groups instead of adding users manually. This initially worked, but now we have complaints from our users that sometimes it works and sometimes it doesn't. It also looks like the users are removed again. The standard logs are not very helpful in troubleshooting the issue. So, I have a few questions:
- Are there still known issues with AD groups?
- Is there a way to enable better logging? So we can see which DC is used and what query is executed and the returned error.
- How is a DC selected? Is it based on AD site or some other logic?
- Is there a way to fix EMA to 1 or 2 DCs for troubleshooting instead of any DC?
- Why are users removed from the console if an issue occurs? If the user is no longer member of the group, okay, but not when there's an issue.
Other tips or things we could try would also be helpful.
Thanks,
Kris
Hi KrisTiteca,
Greetings!
Please find the answers to your questions below:

Are there still known issues with AD groups?
As far as we know, there are no widely known issues with AD groups.

Is there a way to enable better logging? So we can see which DC is used and what query is executed and the returned error.
To get more detailed logging, you can enable advanced logging for the services interacting with AD. This can help you identify which Domain Controller (DC) is being used, what queries are being executed, and any errors that are returned.

Enabling Advanced Logging in Windows:

Event Viewer:
- Open Event Viewer (eventvwr.msc).
- Navigate to Applications and Services Logs > Microsoft > Windows > Directory Services-Replication and Directory Services-DomainController.
- Enable logging for these services to capture detailed information about AD interactions.

Audit Directory Service Access:
- Open the Group Policy Management Console (gpmc.msc).
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access.
- Enable auditing for Directory Service Access to capture detailed logs of AD access attempts.

Debug Logging for AD:
You can enable debug logging for the AD client by modifying the registry:

```sh
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics" /v "16 LDAP Interface Events" /t REG_DWORD /d 5 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics" /v "5 Replication Events" /t REG_DWORD /d 5 /f
```

This will increase the verbosity of the logs related to LDAP and replication events.

How is a DC selected? Is it based on AD site or some other logic?
The selection of a Domain Controller (DC) is typically based on the AD site topology and the proximity of the DC to the client. The process involves:
- AD Site: Clients will attempt to connect to a DC within their own AD site first.
- DNS: Clients use DNS to locate DCs. They query for SRV records in DNS to find available DCs.
- DC Affinity: Once a DC is selected, clients may continue to use the same DC for subsequent requests, unless it becomes unavailable.

Is there a way to fix EMA to 1 or 2 DCs for troubleshooting instead of any DC?
To troubleshoot and limit the interaction to specific DCs, you can configure your application or service to use specific DCs. This can be done by:
- Hosts File: Modify the hosts file on the server running EMA to resolve the AD domain to specific DC IP addresses.
- DNS Configuration: Configure DNS to prioritize certain DCs by adjusting the SRV records.
- Application Configuration: Some applications allow you to specify preferred DCs in their configuration settings.

Why are users removed from the console if an issue occurs? If the user is no longer a member of the group, okay, but not when there's an issue.
Users being removed from the console can be due to several reasons:
- Group Membership Changes: If a user is removed from the AD group, they will lose access.
- Intermittent Connectivity: If there are intermittent connectivity issues with the DC, the application might not be able to verify group membership and could remove users temporarily.
- Replication Delays: AD replication delays can cause inconsistencies in group membership information.
Best Regards
Arun_intel
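Added example, not from the thread or from Intel: a PowerShell script that lists the DCs the locator can choose from (the SRV records mentioned in the answer), shows which DC the EMA server is currently bound to, and runs the same group-membership query against each DC by name, so a DC that is unreachable, slow, or behind on replication shows up as a per-DC result instead of an intermittent symptom. The domain, group DN and user name are placeholders.

```powershell
# Assumed values: replace the domain, group DN and sAMAccountName with your own.
param(
    [string]$Domain  = 'example.com',
    [string]$GroupDn = 'CN=EMA Users,OU=Groups,DC=example,DC=com',
    [string]$User    = 'kris'
)

# 1. Which DCs are advertised for this domain (what the DC locator starts from).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Sort-Object Priority, Weight |
       Select-Object -ExpandProperty NameTarget -Unique

# 2. Which DC this server is currently bound to (the site-aware locator result).
$current = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController().Name
Write-Host "Locator currently returns: $current"

# 3. The same membership query, pinned to each DC in turn. The matching rule
#    1.2.840.113556.1.4.1941 walks nested groups, so the answer matches what a
#    transitive "is this user in the group" check would return.
$baseDn = 'DC=' + (($Domain -split '\.') -join ',DC=')
$filter = "(&(sAMAccountName=$User)(memberOf:1.2.840.113556.1.4.1941:=$GroupDn))"

foreach ($dc in $dcs) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$baseDn")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
        $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
        $hit   = $searcher.FindOne()
        $state = if ($hit) { 'MEMBER' } else { 'NOT-MEMBER' }
        "{0,-35} {1,-11} {2,6} ms  filter={3}" -f $dc, $state, $sw.ElapsedMilliseconds, $filter
    } catch {
        # The returned error is the detail the standard console logs do not show.
        "{0,-35} ERROR       {1,6} ms  {2}" -f $dc, $sw.ElapsedMilliseconds, $_.Exception.Message
    }
}
```

Run it on the EMA server as an account allowed to read the directory; a DC that reports NOT-MEMBER while the others report MEMBER points at replication lag, and an ERROR row names the DC and the LDAP error worth pinning EMA away from.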
Hi KrisTiteca,
Greetings!
Please confirm whether we were able to answer your queries, and kindly let us know if there are any further queries that remain unanswered.
Best Regards
Arun_intel