Hey there! Josh Mora here, with a brief post on an issue I recently had and wanted to make public, in hopes this will help those that run into this issue, and in addition, provide some helpful logging information that can be useful for any ADWS issues you might come across.
Scenario:
So, the issue I want to talk to you about: You have an AD LDS server, on which you are running ADWS, and you are constantly, minute after minute after minute, getting Event 1202 in the ADWS events with the following information:
Log Name: Active Directory Web Services
Source: ADWS
Date: 5/05/2020 1:30:00 PM
Event ID: 1202
Task Category: ADWS Instance Events
Level: Error
Keywords: Classic
User: N/A
Computer: LDS01.Contoso.com
Description:
This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.
Directory instance: ADAM_INSTANCE
Directory instance LDAP port: 389
Directory instance SSL port: 636
Now, this might not even be disrupting your services; everything may continue to work properly. However, this excessive logging of 1202 events can become annoying, and even troubling, since it could very well be indicating issues that you aren’t even aware of. So, let’s jump straight into how we can find the cause of this, and how we resolve it.
ADWS Debug Logging:
In this situation, I used the built-in ADWS Debug Logging functionality. Enabling the debug logging consists of modifying the “Microsoft.ActiveDirectory.WebServices.exe.config” file, which accepts various configuration parameters that unlock extra functionality in ADWS, as explained in this Microsoft Documentation. Unfortunately, that documentation doesn’t cover the parameters for enabling Debug Logging, which is why I am posting this.
Checking ADWS Configuration Information:
Special thanks to Jason Bender, who put these two commands together that conveniently provide the configuration information from the ADWS Config file.
- In a PowerShell window, run the following: [xml]$ADWSConfiguration = Get-Content -Path C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config
- Then, run: $ADWSConfiguration.configuration.appSettings.add
- You should get an output like this:
Enabling ADWS Debug Logging:
- Navigate to ‘C:\Windows\ADWS’. The file we are looking to modify is “Microsoft.ActiveDirectory.WebServices.Exe.Config”.
- Now, before making any changes, I strongly suggest taking a backup of the “Microsoft.ActiveDirectory.WebServices.Exe.Config” file. You can never be too safe!
- Right-click the file “Microsoft.ActiveDirectory.WebServices.Exe.Config”, then Open with, and select Notepad, or any other text editor. Right under <appSettings>, enter the following two lines:
<add key="DebugLevel" value="Info"/>
<add key="DebugLogFile" value="C:\Windows\Debug\ADWSlog.txt"/>
This Config file does not tolerate the smallest mistake, so make sure you do not have any typos or extra spaces.
- Once the file has been modified, save the file and then restart the ADWS service for the changes to take effect.
- You can then run the PowerShell commands and should now be able to see the DebugLevel and DebugLogFile set.
Information to keep in mind:
- Typos or extra spaces in the Config file can cause the ADWS service to fail to start with the following error: “Windows could not start the Active Directory Web Services service on Local Computer. Error 1053: The service did not respond to the start or control request in a timely fashion.”
- There are other debug levels for the DebugLevel parameter, including “None”, “Warn” and “Error”. However, the most helpful and informative is “Info”.
- The DebugLogFile location can be set to suit your needs; the log file does not have a fixed location.
- This ADWS Debug Logging can log a lot of information when set to “Info”, so it’s suggested to only have this running while you are reproducing your issue, after which you should disable the logging, by deleting the lines that were added.
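Because a single typo in this file can keep ADWS from starting, the same change can be made through the XML DOM instead of a text editor. The script below is an added example, not part of the original post: the function names are hypothetical, it assumes an elevated PowerShell session on the ADWS host, and it restores the backup if the service fails to restart.

```powershell
# Added example: toggle ADWS debug logging without hand-editing the config file.
# Function names are hypothetical; paths and key names are the ones used in this post.
$ConfigPath = 'C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config'

function Set-AdwsDebugLogging {
    param(
        [ValidateSet('None', 'Warn', 'Error', 'Info')]
        [string]$Level = 'Info',
        [string]$LogFile = 'C:\Windows\Debug\ADWSlog.txt'
    )
    # Timestamped backup first, as the post recommends.
    $backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $ConfigPath, (Get-Date)
    Copy-Item -Path $ConfigPath -Destination $backup

    [xml]$cfg = Get-Content -Path $ConfigPath
    $app = $cfg.SelectSingleNode('/configuration/appSettings')
    if (-not $app) { throw "No <appSettings> element in $ConfigPath" }

    foreach ($pair in @(@('DebugLevel', $Level), @('DebugLogFile', $LogFile))) {
        # Update the key if it already exists, otherwise add it under <appSettings>.
        $node = $app.SelectSingleNode("add[@key='$($pair[0])']")
        if (-not $node) {
            $node = $cfg.CreateElement('add')
            $node.SetAttribute('key', $pair[0])
            [void]$app.PrependChild($node)
        }
        $node.SetAttribute('value', $pair[1])
    }
    $cfg.Save($ConfigPath)

    try { Restart-Service -Name ADWS -ErrorAction Stop }
    catch {
        # Service did not come back (for example Error 1053): roll back and start again.
        Copy-Item -Path $backup -Destination $ConfigPath -Force
        Start-Service -Name ADWS
        throw
    }
    return $backup
}

function Remove-AdwsDebugLogging {
    # Delete the two added lines once the issue has been reproduced.
    [xml]$cfg = Get-Content -Path $ConfigPath
    foreach ($key in 'DebugLevel', 'DebugLogFile') {
        $node = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
        if ($node) { [void]$node.ParentNode.RemoveChild($node) }
    }
    $cfg.Save($ConfigPath)
    Restart-Service -Name ADWS
}
```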
Analyzing the ADWS Debug Log file:
To clarify, this blog is not a guide on overall analysis of the ADWS Debug Log file, but more focused on the issue at hand, the excessive 1202 events, so that’s what I will be addressing.
The first thing we see is the ScavengerThread waking up and beginning to look for Instances:
LdapSessionPoolImplementation: [05/05/2020 1:29:40 PM] [8] ScavengerThread: woke up
LdapSessionPoolImplementation: [05/05/2020 1:29:40 PM] [8] ScavengerThread: processing next pool
ConnectionPool: [05/05/2020 1:29:40 PM] [8] GetReservationEnumerator: entering, instance=NTDS
LdapSessionPoolImplementation: [05/05/2020 1:29:40 PM] [8] ScavengerThread: processing next pool
ConnectionPool: [05/05/2020 1:29:40 PM] [8] GetReservationEnumerator: entering, instance=ADAM_INSTANCE
LdapSessionPoolImplementation: [05/05/2020 1:29:40 PM] [8] Scavenger: waking up at 00:00:40 interval
EnumerationContextCache: [05/05/2020 1:30:00 PM] [b] OnTimedEvent: got an event
EnumerationContextCache: [05/05/2020 1:30:00 PM] [b] RemoveExpiredEntries called
EnumerationContextCache: [05/05/2020 1:30:00 PM] [b] RemoveExpiredEntries — found 0 entries to remove
EnumerationContextCache: [05/05/2020 1:30:00 PM] [b] RemoveExpiredEntries done
Next, we see ADWS checking registry keys for NTDS, in order to determine if this Instance is actually servicing:
InstanceMap: [05/05/2020 1:31:00 PM] [d] CheckAndLoadNTDSInstance: entered
InstanceMap: [05/05/2020 1:31:00 PM] [d] CheckAndLoadNTDSInstance: found NTDS Parameters key
At this point, ADWS has found that there is an NTDS Parameter registry key (which would contain all the NTDS settings), and due to the presence of this key, ADWS believes this is a Domain Controller providing ADDS services.
So, now ADWS checks to see if we are indeed meeting basic requirements for providing ADDS services, more specifically if the server is providing Global Catalog services:
InstanceMap: [05/05/2020 1:31:00 PM] [d] CheckAndLoadGCInstance: entered
InstanceMap: [05/05/2020 1:31:00 PM] [d] CheckForGlobalCatalog: entered
DirectoryUtilities: [05/05/2020 1:31:00 PM] [d] GetTimeRemaining: remaining time is 00:02:00
InstanceMap: [05/05/2020 1:31:01 PM] [d] CheckForGlobalCatalog: isGlobalCatalogReady:
InstanceMap: [05/05/2020 1:31:01 PM] [d] GlobalCatalog is not ready to service the requests.
InstanceMap: [05/05/2020 1:31:01 PM] [d] CheckAndLoadGCInstance: CheckForGlobalCatalog=False
At this point, we can see the failure, which is triggering the event 1202.
After this, ADWS moves on to checking whether the ADAM Instances are ready for servicing as well; however, we no longer care about that “noise” in the log file, as we’ve found our problem.
Interpretation of the Data:
The data above tells us the following:
- An NTDS Parameters registry key was found, therefore ADWS is aware that an NTDS Instance possibly exists on this server.
- Because of the previous point, ADWS now believes that this server is providing ADDS services (though it is not, it is an LDS server).
- Since ADWS believes this is a DC, it checked if Global Catalog is ready and/or if the ports are opened and servicing; however, it found that this is false.
So, in simple words, ADWS was tricked into believing that this was a Domain Controller; however, since it’s not a Domain Controller, the isGlobalCatalogReady/CheckForGlobalCatalog check obviously failed.
This triggers Event 1202, which is logged every minute (because that is the default interval at which this check is performed).
Solution:
The solution in this case is very clear and simple. An AD LDS server is not supposed to have a Parameters key under NTDS, as it’s not a Domain Controller and should not/will not require any of the values specified under that key.
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS, and delete the Parameters key.
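Before deleting anything, it is worth confirming that the server really matches this scenario: not a Domain Controller, the key present, and the GC check failing in the debug log. The script below is an added example, not part of the original post; the function names and the backup file location are hypothetical, and it assumes the DebugLogFile path used earlier and an elevated session.

```powershell
# Added example: verify the "LDS server mistaken for a DC" pattern, then remove the key safely.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Test-AdwsFalseDcDetection {
    param([string]$DebugLog = 'C:\Windows\Debug\ADWSlog.txt')

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $keyPresent = Test-Path -Path $NtdsParams

    # The two debug-log lines the post identifies as the failure path.
    $keyHits = @(Select-String -Path $DebugLog -SimpleMatch 'CheckAndLoadNTDSInstance: found NTDS Parameters key')
    $gcFails = @(Select-String -Path $DebugLog -SimpleMatch 'CheckForGlobalCatalog=False')

    # 1202 errors logged during the last hour.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Active Directory Web Services'; Id = 1202
            StartTime = (Get-Date).AddHours(-1)
        } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        IsDomainController  = $isDc
        NtdsParametersKey   = $keyPresent
        KeyFoundLogLines    = $keyHits.Count
        GcNotReadyLogLines  = $gcFails.Count
        Event1202LastHour   = $events.Count
        MatchesPostScenario = (-not $isDc) -and $keyPresent -and ($gcFails.Count -gt 0)
    }
}

function Remove-StaleNtdsParametersKey {
    param([string]$BackupFile = "$env:TEMP\NTDS-Parameters.reg")   # hypothetical location

    # Guard: never touch NTDS settings on an actual domain controller.
    if ((Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4) {
        throw 'This machine is a domain controller; refusing to remove NTDS\Parameters.'
    }
    if (-not (Test-Path -Path $NtdsParams)) { return 'Nothing to remove.' }

    # Export the key first so the change can be reverted.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; key left untouched.' }

    Remove-Item -Path $NtdsParams -Recurse
    return "Removed. Backup: $BackupFile"
}
```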
A Similar Scenario:
There are other situations in which the same 1202 event is logged, but the server is not an AD LDS server, but rather an actual Domain Controller. In these scenarios, the common solution is to delay the startup type for the ADWS service.
This is because, in those cases, the issue is due to a “race condition”, where ADWS begins performing its checks before ADDS services have started, and therefore fails the check and logs the event. I have only seen this scenario with Domain Controllers running 2012 R2 and below.
Thank you, and that’s all for now!
— Josh
Имя журнала: Active Directory Web Services
Источник: ADWS
Дата: 12.12.2011 15:57:34
Код события: 1202
Категория задачи: События экземпляра веб-служб Active Directory
Уровень: Ошибка
Ключевые слова: Классический
Пользователь: Н/Д
Компьютер: FFTMG.domain.com
Описание:
На данном компьютере теперь расположен указанный экземпляр Active Directory, но веб-службам Active Directory не удалось обработать его запросы.
Веб-службы Active Directory будут периодически пытаться повторить эту операцию.
Экземпляр Active Directory: NTDS
LDAP-порт экземпляра Active Directory: 389
SSL-порт экземпляра Active Directory: 636
Xml события:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ADWS" />
<EventID Qualifiers="49152">1202</EventID>
<Level>2</Level>
<Task>3</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-12-12T08:57:34.000000000Z" />
<EventRecordID>8752</EventRecordID>
<Channel>Active Directory Web Services</Channel>
<Computer>FFTMG.domain.com</Computer>
<Security />
</System>
<EventData>
<Data>NTDS</Data>
<Data>389</Data>
<Data>636</Data>
</EventData>
</Event>
It appears every minute. It started appearing right after an attempt to fix this error:
Имя журнала: ADAM (ISASTGCTRL)
Источник: ADAM [ISASTGCTRL] LDAP
Дата: 09.12.2011 6:41:34
Код события: 2886
Категория задачи: Интерфейс LDAP
Уровень: Предупреждение
Ключевые слова: Классический
Пользователь: АНОНИМНЫЙ ВХОД
Компьютер: FFTMG.domain.com
Описание:
Безопасность данного сервера каталогов можно существенно повысить, если настроить его на отклонение привязок SASL (согласование,
Kerberos, NTLM или выборка), которые не запрашивают подписи (проверки целостности) и простых привязок LDAP, которые
выполняются для подключения LDAP с открытым (не зашифрованным SSL/TLS) текстом.
Даже если никто из клиентов такие привязки не использует, настройка сервера на их отклонение улучшит безопасность этого сервера.
В данный момент некоторые клиенты могут рассчитывать на неподписанные привязки SASL или простые привязки LDAP для подключения без SSL/TLS и могут
перестать работать, если будет сделано такое изменение конфигурации.
Чтобы помочь выявить клиенты, у которых появляются такие привязки, данный
сервер каталогов один раз каждые 24 часа будет регистрировать итоговое событие, указывающее, сколько таких привязок
произошло. Рекомендуется настроить такие клиенты так, чтобы они не использовали эти привязки.
Как только соответствующие события перестанут регистрироваться
в течение достаточно продолжительного периода, рекомендуется настроить сервер на отклонение таких привязок.
Дополнительные сведения о том, как сделать соответствующие изменения в конфигурации сервера, см. в статье по адресу: http://go.microsoft.com/fwlink/?LinkID=87923.
Можно включить дополнительную регистрацию для фиксации события каждый раз, когда клиент выполняет такую привязку, включая сведения о том,
на каком клиенте она сделана. Для этого следует поднять параметр для категории регистрации событий «События интерфейса LDAP» до уровня 2 или выше.
Xml события:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ADAM [ISASTGCTRL] LDAP" />
<EventID Qualifiers="32768">2886</EventID>
<Level>3</Level>
<Task>16</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-12-08T23:41:34.000000000Z" />
<EventRecordID>1523</EventRecordID>
<Channel>ADAM (ISASTGCTRL)</Channel>
<Computer>FFTMG.domain.com</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
</EventData>
</Event>
Using this method (http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/54ebcdc3-1a03-45c6-affb-8c9607d18921 , http://technet.microsoft.com/en-us/library/dd941829(WS.10).aspx ).
Fixing error 2886 turned out to be impractical, the policy was reverted to its original state, but the error remained. Please help me solve the problem.
Software: domain on 2008 SP2, TMG 2010 SP2.
Question
We are seeing this error every 1 minute on two Windows Server 2008 R2 domain controllers that were recently installed at a remote site:
Source: ADWS
Error: 1202
This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.
Directory instance: GC
Directory instance LDAP port: 3268
Directory instance SSL port: 3269
Answers
Hi,
Are both domain controllers also GC? Please verify that they are fully synchronized.
Generally speaking, the 1202 event indicates the machine became a GC but ADWS couldn’t establish a connection to it on the GC port. ADWS will keep retrying, so if there’s a subsequent 1200 event ("is now servicing the specified directory instance") for the GC instance, it was a transient issue and solved itself.
This posting is provided "AS IS" with no warranties, and confers no rights.
Marked as answer by
Tuesday, February 16, 2010 5:27 AM
Greetings! We have 2008 R2 domain controllers. Messages with event ID 1202 periodically pile up in the log:
На данном компьютере теперь расположен указанный экземпляр Active Directory, но веб-службам Active Directory не удалось обработать его запросы. Веб-службы Active Directory будут периодически пытаться повторить эту операцию.
Экземпляр Active Directory: GC
LDAP-порт экземпляра Active Directory: 3268
SSL-порт экземпляра Active Directory: 3269
Can you tell me how to fix or repair this?