Troubleshooting ldap on onboard administrator – HP Onboard Administrator User Manual

Enabling LDAP Directory Services Authentication to Microsoft Active Directory 329

o Test Operator
o [email protected]
o DOMAIN\Test Operator

5. Enter the corresponding password used for this account. You have full access to interconnect bays but not to any server blades.

Troubleshooting LDAP on Onboard Administrator

To verify that SSL is working on the Domain Controllers in your domain, open a browser and navigate to https://<domain_controller>:636 (substitute your Domain Controller for <domain_controller>). You can substitute <domain> in place of <domain_controller>, which goes to DNS to verify which Domain Controller is currently answering requests for the domain. Test multiple Domain Controllers to verify that all of them have been issued a certificate. If SSL is operating properly on a Domain Controller (for example, a certificate has been issued to it), you are prompted by the Security dialog that asks whether you want to proceed with accessing the site or view the certificate. If you click Yes, a webpage does not appear; the test is only to make the Security dialog prompt appear. A server not accepting connections on port 636 displays the "page cannot be displayed" message. If this test fails, the Domain Controller is not accepting SSL connections, possibly because a certificate has not been issued. Certificate issuance is automatic, but might require a reboot. To avoid a reboot:

1. On the Domain Controller, load the Computer Account MMC snap-in, and then navigate to the Personal->Certificates folder.

2. Right-click the folder, and then choose Request New Certificate. The type default is Domain Controller.

3. Click Next, and then repeat until the Domain Controller issues the certificate.

A second method for troubleshooting SSL is to go to the DC and run the following command at a command prompt:

C:\>netstat -an | find /i "636"

If the server is listening for requests on port 636, the following response appears:

TCP 0.0.0.0:636 0.0.0.0:0 LISTENING
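The browser test above and the netstat test can both be scripted. The following is an added example, not code from the HP Onboard Administrator manual: probe_ldaps() performs the TLS handshake to port 636 that the browser performs and distinguishes "nothing listening" from "certificate issued but not trusted", and listening_on() parses netstat output more strictly than find /i "636" does. The netstat sample and the dc1.example.com default hostname are constructed placeholders.

```python
"""Scripted form of the two LDAPS checks in this section (added example, not HP
Onboard Administrator code): a TLS probe of TCP 636 standing in for the browser
test, and a parser for the netstat output used in the DC-side test."""
import socket
import ssl

# Constructed sample of `netstat -an` output, not captured from a real DC.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:6360        192.0.2.55:49152       ESTABLISHED
"""


def probe_ldaps(host, port=636, timeout=5.0, ca_file=None):
    """Classify host:port: 'closed' (page cannot be displayed), 'untrusted'
    (TLS up, cert issued but not chained to a trusted CA: the Security dialog
    case) or 'trusted'. Pass ca_file=<enterprise CA PEM> to verify DC certs."""
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return {"status": "trusted", "subject": subject.get("commonName"),
                        "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:  # before OSError: SSLError is one
        return {"status": "untrusted", "reason": exc.verify_message}
    except ssl.SSLError as exc:
        return {"status": "tls_error", "reason": str(exc)}
    except OSError as exc:  # refused, timed out, unreachable
        return {"status": "closed", "reason": str(exc)}


def listening_on(netstat_output, port=636):
    """True if netstat shows a TCP LISTENING socket bound to exactly `port`.
    Stricter than `find /i "636"`, which also matches 6360 or an address that
    happens to contain 636; [::]:636 (IPv6) is handled by the rsplit."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].upper() == "TCP" and fields[-1] == "LISTENING":
            if fields[1].rsplit(":", 1)[-1] == str(port):
                return True
    return False


if __name__ == "__main__":
    import sys
    print(probe_ldaps(sys.argv[1] if len(sys.argv) > 1 else "dc1.example.com"))
```

Run it against each Domain Controller in turn; an "untrusted" result still confirms that a certificate has been issued, which is all the manual's browser test checks.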

A third issue might be that the domain controllers have not auto-enrolled. The DCs can take up to 8 hours to auto-enroll and get their certificates issued because Microsoft uses GPO to make the DCs aware of the newly installed CA. You can force this by running DSSTORE -pulse from the DCs (the tool is in the Windows 2000 Resource Kit). Auto-enrollment is triggered by winlogon. Therefore, for auto-enrollment to function, you must log off and then log on again. The certificates appear automatically in the CA's Issued Certificates list. Make sure the CA is not listing them in Pending Certificates. If it is, change the CA to issue certificates automatically when a request comes in.

If the auto-enrollment feature still does not function, request the certificate using the following procedure:

1. On the Domain Controller, open MMC, and then add the Certificates snap-in (Computer Account).

2. Navigate to Personal, and then right-click the folder.

3. Click Request New Certificate, and then click Next.

4. Enter a name for the certificate.

If an RPC error occurs, verify that the CA is listed in DNS and that the CA is running. If the wizard does not start, force the server to see the CA and then allow the wizard to run. To speed up the GPO process and make the DCs acknowledge the CA, use one of the following commands:

Windows® 2003: Gpupdate /force

Windows® 2000: Secedit /refreshpolicy machine_policy /enforce