Azure AD Password Sync Error with Event ID 611

Recently we faced an issue with password sync from our on-prem AD server. The strange thing was that when we created or deleted an AD object the synchronization completed successfully, except for password changes. In the Event Viewer on the AAD Connect server we could see Event ID 611.

Password synchronization failed for domain: test.com

Details:
System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.

 

If you are facing the same issue, modify the following registry entry on the AAD Connect server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP

Set the LdapClientIntegrity value to 0.

Be aware of what this changes. LdapClientIntegrity controls whether the Windows LDAP client on that server signs its traffic: 0 = no signing, 1 = negotiate signing (the default), 2 = require signing. Setting it to 0 allows unsigned LDAP binds from the AAD Connect server, so it is a security downgrade rather than just a timeout tweak, and domain controllers configured to require LDAP signing will reject those binds outright. Treat it as a temporary workaround: note the previous value and restore it once password sync is working again.
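The following PowerShell is an added example, not part of the original post, for pulling the recent Event ID 611 entries and inspecting or changing LdapClientIntegrity on the AAD Connect server. It assumes the password-sync events are written to the Application log by the "Directory Synchronization" provider and that the sync engine runs as the ADSync service; both are typical for AAD Connect but should be verified on your own server. The `$Apply` switch is a placeholder of this example.

```powershell
# Added example, not from the original post: pull the recent Event ID 611 entries and inspect or
# change LdapClientIntegrity on the AAD Connect server. Run in an elevated PowerShell window.
# Assumptions (verify on your server): password-sync events are written to the Application log
# by the "Directory Synchronization" provider, and the sync engine runs as the ADSync service.
$Apply     = $false      # set to $true to actually change the registry value
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$valueName = 'LdapClientIntegrity'
$meaning   = @{ 0 = 'no signing'; 1 = 'negotiate signing (default)'; 2 = 'require signing' }

# 1. The most recent password-sync failures, with the first lines of each exception text.
$filter = @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 611 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue | ForEach-Object {
    $head = ($_.Message -split "`r?`n" | Where-Object { $_ } | Select-Object -First 4) -join ' | '
    '{0:u}  {1}' -f $_.TimeCreated, $head
}

# 2. Current setting; a missing value behaves like the default of 1.
$item    = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
$current = if ($null -eq $item) { 1 } else { [int]$item.$valueName }
"$valueName is $current ($($meaning[$current]))"

# 3. Apply the workaround, recording the previous value so it can be restored later. Setting 0
#    allows unsigned LDAP binds from this server; domain controllers that require signing
#    (LDAPServerIntegrity = 2 under NTDS\Parameters) will refuse them, so check DC policy first.
if ($Apply -and $current -ne 0) {
    "$valueName=$current" | Set-Content -Path "$env:ProgramData\LdapClientIntegrity.previous"
    Set-ItemProperty -Path $regPath -Name $valueName -Value 0 -Type DWord
    Restart-Service -Name ADSync   # assumption: a restart is needed before the new value is picked up
    "Set $valueName to 0; restore $current with Set-ItemProperty once the root cause is fixed"
}
```

Run it once with `$Apply = $false` to see the events and the current value, and only flip the switch after confirming that your domain controllers do not require LDAP signing.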

But I am still not sure whether it is a bug or not. If I come across any information about the cause of the error, I will update this post accordingly.

Good Luck.

 


October 23, 2018 at 4:06 pm

How to decommission the on-prem Exchange server after a successful migration to O365

When you have completed a cutover or hybrid migration to O365, you may need to uninstall the on-prem Exchange server. Microsoft recommends keeping at least one Exchange server on-prem for recipient management while directory sync is in use (no paid license is needed for it; a free hybrid license key is provided for this case), but some environments require it to be uninstalled, and in that case you can follow the steps below. (No screenshots are included: if you are reading this article you should already be familiar with the O365 admin and EAC consoles.)

  • Change the DNS records internally and externally to point to O365.
  • Open the EAC in Office 365.
  • Click Mail flow -> Connectors.
  • Disable or delete the two hybrid connectors (both inbound and outbound).
  • Click Organization and remove the "O365 to Onpremises …" configuration (the organization relationship).
  • Stop AD sync (Set-MsolDirSyncEnabled -EnableDirSync $false). Disabling is asynchronous and can take up to 72 hours to complete; confirm it reports disabled before going further.
  • Remove all unwanted or non-migrated mailboxes from the on-prem server.
  • Remove the public folders.
  • Remove/disable the arbitration mailboxes (Get-Mailbox -Arbitration).
  • Optional: remove the OAB.
  • Uninstall Exchange.
  • Re-enable AD sync (Set-MsolDirSyncEnabled -EnableDirSync $true).
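The script below is an added example, not from the original post or the credited article, giving PowerShell equivalents of the checks behind the steps above. It assumes the Exchange Online part runs in a session opened with Connect-ExchangeOnline plus Connect-MsolService for the MSOnline cmdlets, and that the on-prem part runs afterwards in the Exchange Management Shell. Nothing is removed unless `$Remove` (a placeholder of this example) is set, and the name filter assumes the organization relationship keeps the "O365 to On-premises" prefix the Hybrid Configuration Wizard gives it.

```powershell
# Added example, not from the original post or the credited article. Review the Get-* output
# first; removals only happen when $Remove is $true.
$Remove = $false

### Exchange Online session (steps 2 to 6) ###
Get-InboundConnector  | Select-Object Name, Enabled, ConnectorType, SenderDomains
Get-OutboundConnector | Select-Object Name, Enabled, ConnectorType, RecipientDomains, SmartHosts
Get-OrganizationRelationship | Select-Object Name, Enabled, DomainNames
if ($Remove) {
    # ConnectorType 'OnPremises' separates the hybrid connectors from any partner connectors.
    Get-InboundConnector  | Where-Object ConnectorType -eq 'OnPremises' | Remove-InboundConnector  -Confirm:$false
    Get-OutboundConnector | Where-Object ConnectorType -eq 'OnPremises' | Remove-OutboundConnector -Confirm:$false
    Get-OrganizationRelationship | Where-Object Name -like 'O365 to On-premises*' |
        Remove-OrganizationRelationship -Confirm:$false
}

### Directory sync (step 7) ###
if ($Remove) { Set-MsolDirSyncEnabled -EnableDirSync $false -Force }
# Disabling is asynchronous and can take up to 72 hours. Re-run this line until it reports
# False before touching the on-prem server.
"Directory sync enabled: " + (Get-MsolCompanyInformation).DirectorySynchronizationEnabled

### On-prem Exchange Management Shell (steps 8 to 11) ###
# Everything listed here still lives on the server and would be lost by the uninstall.
Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, Database, RecipientTypeDetails
Get-PublicFolder -Recurse -ErrorAction SilentlyContinue | Select-Object Identity
Get-OfflineAddressBook | Select-Object Name, IsDefault
Get-Mailbox -Arbitration | Select-Object Name, Database
if ($Remove) {
    Get-PublicFolder -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Identity.ToString() -ne '\' } |
        Remove-PublicFolder -Recurse -Confirm:$false -ErrorAction SilentlyContinue
    Get-OfflineAddressBook | Remove-OfflineAddressBook -Confirm:$false      # optional step 11
    Get-Mailbox -Arbitration |
        Disable-Mailbox -Arbitration -DisableLastArbitrationMailboxAllowed `
            -DisableArbitrationMailboxWithOABsAllowed -Confirm:$false
    # Step 12 is then Setup.exe /mode:Uninstall /IAcceptExchangeServerLicenseTerms from the
    # installation media; step 13 is Set-MsolDirSyncEnabled -EnableDirSync $true.
}
```

The point of separating the listing from the removal is that a mailbox still on-prem at the time of the uninstall is unrecoverable; the Get-Mailbox output is the last chance to catch one.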

Credits: http://galinlab.com/2017/07/06/decommissioning-exchange-after-cutover-migration-with-dirsyncadsync-is-enabled/

October 21, 2018 at 11:40 am

How to expire Veeam Backup Jobs

When using Veeam B&R, if you face a situation where you need to expire old backups to free up disk space, you have to take a slightly different approach. In most other products (Veritas in particular) you can simply lower the retention period, restart the services, and the backup files disappear. In Veeam you need to go through the steps below.

  • Remove the backup files manually (the recommendation is to delete the files created by the most recent incremental jobs, working back until you reach the last full backup). Then rescan the repository so that Veeam's configuration database no longer references the deleted files.
  • Reduce the number of restore points to keep (the retention setting) in your backup job.
  • Start the job manually or wait for the next scheduled run.

October 15, 2018 at 11:25 am

VCSA6.7 and Veeam B&R Issues

Recently we were upgrading our ESXi infrastructure from ESXi 6.0 to 6.7. During this process we kicked off the migration of our vCenter Server 6.0 with the intention of moving it to a VCSA 6.7. Everything went well, but on the following day we started receiving backup job failure alerts from the Veeam server.

After a few Google searches we found that Veeam B&R needs to be upgraded to U3 to be fully compatible with the Photon-based VCSA 6.7.

Good Luck with your VSphere Upgrades.

October 15, 2018 at 11:10 am

Nutanix NTP Issues & Troubleshooting.

The commands below help troubleshoot and fix NTP issues on a Nutanix cluster. Run them after logging in to any of the CVMs: allssh runs a command on every CVM, and 192.168.5.1 is the address of each CVM's own AHV host on the internal virtual switch, so the ssh root@192.168.5.1 form reaches every hypervisor host. Replace 1.1.1.1 with the address of your NTP server.

To check the date on all the nodes:

allssh ssh root@192.168.5.1 date

To check the NTP source:

allssh ssh root@192.168.5.1 ntpq -p

To update the NTP server (stop ntpd, step the clock from the NTP server, then start ntpd again):

allssh ssh root@192.168.5.1 service ntpd stop
allssh ssh root@192.168.5.1 ntpdate -u 1.1.1.1
allssh ssh root@192.168.5.1 service ntpd start

(source: http://vmwaremine.com)
——————————————
Further Troubleshooting.
——————————————
If Prism floods you with NTP alerts such as time drift, you can run the commands below, but I would recommend contacting support. (By default an offset of more than 3 seconds in either direction triggers these alerts.)

To check for communication issues with the NTP server:

1) sudo nc -vu 1.1.1.1 123 (leave it for a few minutes and press CTRL+C; NTP is a UDP service, so you will not see a response from a healthy server)
2) Read the genesis.out file and look for the offset messages (allssh grep offset ~/data/logs/genesis.out)
3) Run ntpdate -d 1.1.1.1 (to show the NTP sync data in debug mode without stepping the clock)

As Nutanix recommends, run the cron job below to make the CVMs reduce the offset gradually:

allssh '(/usr/bin/crontab -l && echo "*/1 * * * * bash -lc /home/nutanix/serviceability/bin/fix_time_drift") | /usr/bin/crontab -'

Thereafter you can monitor with the command below to observe the NTP offset being reduced:

allssh "grep offset ~/data/logs/genesis.out | tail -n10"

Finally, make sure to remove the cron job with the command below:

allssh "(/usr/bin/crontab -l | sed '/fix_time_drift/d' | /usr/bin/crontab -)"

To check NTP sync on the AHV hosts:

hostssh ntpq -pn
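To make the 3-second threshold concrete, here is an added example (not from the original post or vmwaremine.com) that parses ntpq -pn output collected from every host and flags the nodes whose selected time source is off by more than that threshold. It is PowerShell so it can be run from the admin workstation on output saved from hostssh ntpq -pn; it assumes each host's block is introduced by a line of "=" characters containing the host address, which is how the allssh/hostssh separators look. The sample text inside the block is constructed for the example, not real cluster output.

```powershell
# Added example, not from the original post: report per-host NTP offset from saved "ntpq -pn" output.
function Get-NtpOffsetReport {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [double] $ThresholdMs = 3000          # Prism alerts at +/- 3 s; ntpq reports offset in ms
    )
    # allssh/hostssh separator: "===== <host> =====" (assumption; adjust if your output differs)
    $hostRe = '^=+\s*(?<host>[^=\s]+)\s*=+$'
    # ntpq peer line: tally, remote, refid, st, t, when, poll, reach, delay, offset, jitter
    $peerRe = '^(?<tally>[*+#x.o\- ])?(?<remote>\S+)\s+\S+\s+\d+\s+\S\s+\S+\s+\d+\s+(?<reach>\d+)\s+[-\d.]+\s+(?<offset>[-\d.]+)\s+[-\d.]+\s*$'
    $current = 'unknown'
    $peers   = @{}
    foreach ($line in $Lines) {
        if ($line -match $hostRe) { $current = $Matches.host; $peers[$current] = @(); continue }
        if ($line -match $peerRe) {
            if (-not $peers.ContainsKey($current)) { $peers[$current] = @() }
            $peers[$current] += [pscustomobject]@{
                Tally    = $Matches.tally
                Remote   = $Matches.remote
                Reach    = [int]$Matches.reach
                OffsetMs = [double]$Matches.offset
            }
        }
    }
    foreach ($h in $peers.Keys) {
        # '*' marks the peer ntpd is actually synchronised to; its offset is the host's drift.
        $sys = $peers[$h] | Where-Object Tally -eq '*' | Select-Object -First 1
        $status = if ($null -eq $sys)                                 { 'NO SYNC SOURCE' }
                  elseif ([math]::Abs($sys.OffsetMs) -gt $ThresholdMs) { 'DRIFT' }
                  elseif ($sys.Reach -ne 377)                          { 'UNSTABLE (reach < 377)' }
                  else                                                 { 'OK' }
        [pscustomobject]@{ Host = $h; Source = $sys.Remote; OffsetMs = $sys.OffsetMs; Status = $status }
    }
}

# Constructed sample: one healthy host, one drifting by 5.2 s, one that has never reached its server.
$sample = @'
================== 10.0.0.11 =================
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.0.5        .GPS.            1 u   38   64  377    0.512   -1.234   0.456
+10.0.0.6        10.0.0.5         2 u   20   64  377    0.700    2.100   0.900
================== 10.0.0.12 =================
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.0.5        .GPS.            1 u   12   64  377    0.611  5230.118  12.004
================== 10.0.0.13 =================
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.0.0.5        .GPS.            1 u    -   64    0    0.000    0.000   0.000
'@ -split "`r?`n"

Get-NtpOffsetReport -Lines $sample | Format-Table -AutoSize
# Real use: Get-NtpOffsetReport -Lines (Get-Content .\ntpq-all-hosts.txt)
```

A host with no "*" peer is worth checking before the offset numbers: a peer with reach 0 never answered, which is the situation the nc and ntpdate -d checks above are meant to diagnose.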

July 24, 2018 at 9:00 am

Additional Permissions needed for a Service Account to Reset and Change AD passwords and Unlock AD Accounts.

In some scenarios we had to delegate permission to a junior administrator to do some AD-related tasks, for example changing/resetting AD user passwords, unlocking user accounts, etc. Most of the articles I googled and referred to point only to enabling "Reset user passwords and force password change at next logon". But what I realized is that this alone will not grant the required permission.

So in addition you need to add a custom delegation, as described below. Unlocking an account works by clearing the user's lockoutTime attribute, so the account doing the unlocking needs write access to that attribute, which the built-in password-reset task does not include.

  • Create a custom task to delegate and click Next.
  • Under "Delegate control of", select "Only the following objects in the folder".
  • Select "User objects" as the object type to delegate, then click Next. (Ensure "Property-specific" is selected.)
  • Scroll down and select "Read lockoutTime" and "Write lockoutTime".
  • Review the changes and click Next to complete the wizard.

Scope this delegation to the OU that holds the accounts the junior administrator is responsible for rather than the domain root, and keep in mind that it will not apply to members of protected groups such as Domain Admins: AdminSDHolder/SDProp periodically overwrites their ACLs, so those accounts still need a full administrator.
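As an added example (not from the original post or the source article), the same rights can be granted and verified from PowerShell instead of the Delegation of Control wizard. It assumes the RSAT ActiveDirectory module is installed, that you have rights to change the OU's ACL, and that the OU and account names are placeholders for your own.

```powershell
# Added example, not from the original post: delegate reset/unlock rights with dsacls and read
# the ACL back. OU and account are placeholders.
Import-Module ActiveDirectory
$ou      = 'OU=Staff,DC=example,DC=com'     # placeholder: the users' OU, not the domain root
$account = 'EXAMPLE\svc-helpdesk'           # placeholder service account

# dsacls grammar: /G "<trustee>:<rights>;<object type>;<inherited object type>"
# CA = control access (extended right), RP/WP = read/write property. /I:S applies to child objects only.
dsacls $ou /I:S /G "${account}:CA;Reset Password;user"      # what the wizard's built-in task grants ...
dsacls $ou /I:S /G "${account}:RPWP;pwdLastSet;user"        # ... plus "force change at next logon"
dsacls $ou /I:S /G "${account}:RPWP;lockoutTime;user"       # the extra right needed to unlock

# Verify by reading the ACL back. Resolve lockoutTime's schemaIDGUID from the schema
# rather than hard-coding it, so the check works in any forest.
$schema      = (Get-ADRootDSE).schemaNamingContext
$lockoutGuid = [guid](Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=lockoutTime)' `
                                   -Properties schemaIDGUID).schemaIDGUID
$acl = Get-Acl -Path "AD:\$ou"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $account -and $_.ObjectType -eq $lockoutGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

The verification step should show one ReadProperty/WriteProperty entry of type Allow for the account with InheritanceType Descendents; if it is missing, the unlock will still fail even though the password reset works.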

Please note that I have not listed detailed steps on how to create the delegation rules, as there are plenty of articles available on the Internet that provide very descriptive guidelines along with screenshots.

Source: https://webactivedirectory.com/knowledge-base/permissions-service-account-needs-reset-change-ad-passwords-unlock-ad-accounts/

June 28, 2018 at 11:20 am
