07.9.2010

Boolean Variable in C# .NET Not Being Set

I developed a Windows service a couple of years ago that removes dormant user objects from Active Directory. It was a fairly simple service that did what it needed to do and took into consideration the quirks of Microsoft's Active Directory domain structure. For example, when users authenticate, they do so against a single domain controller, and the timestamp is stored instantly on just that DC. Eventually this timestamp gets replicated to other domain controllers, but that can take up to a couple of weeks.

I recently had to add additional functionality to the service so that it would clean up AD accounts referenced from an Oracle database too. Rather than having to install the Oracle SQL*Net client on the Windows server where the service runs (which could be one of the DCs), I decided to call a web service running on a web server when performing the cleanup against the Oracle database. Within the logic executed by the Windows service, I generally place a boolean variable so that the service knows if it is already running or not each time the timer fires. If it is already running, the logic is skipped until the next time it is set to fire. Adding a call to a web service caused the logic to run once but after that it failed to run again because it thought the timer from the last firing was still being processed.


06.7.2010

Windows Server 2003 Domain Controller LDAPS Certificate Expiration

Applications these days should be using secure LDAP (LDAPS) or Transport Layer Security (TLS) for authentication and authorization against a domain controller (DC). This provides an encrypted connection for data to traverse between a client, which could be a web server, and the DC. As with most encryption schemes that use digital certificates, the server certificate on the DC must be valid and not expired. An expired certificate on the DC will cause new connection attempts to the DC from clients to fail. In my experience, the clients will not try to connect to a secondary DC - so users begin seeing error messages. This all occurs even though the autoenrollment process provided the DC a replacement certificate some 42 days prior to expiration of the current certificate.


05.5.2010

Windows 7 VPN Connection Locks Active Directory User Account

It comes in handy at times to connect with my network at home through a secure VPN connection. I typically use this connection to access files that have been backed up or archived. Prior to upgrading my notebook PC from Windows XP Professional to Windows 7, there were no issues. A problem surfaced, however, just after the upgrade. Within seconds after establishing the VPN connection, my AD user account at work became locked. The reason for the lock: Incorrect password entered more than five times. But how could this be since all I did was establish a VPN connection? How did the upgrade to Windows 7 cause this?


03.3.2010

Excessive 671 (User Account Unlocked) Messages in Windows Event Log

I was recently asked to look into why so many 671 messages were being written into the Windows Event Log on the domain controllers. Most of these were being generated by an application that allows users to change their password when it expires or if they forget it.


02.4.2010

SnmpRegister Function Fails on Windows 7

Several years ago I developed an application in PowerBuilder for use on Windows 2000 machines. The application included a feature that sends SNMP requests to Cisco Access Servers and receives responses from the same. Before using the SNMP feature on a Windows 2000 computer, one had to install "Simple Network Management Protocol" under the "Management and Monitoring Tools" in the Add/Remove Windows Components dialog box. This was also true when migrating to Windows XP. When I migrated to Windows 7, the SNMP feature in my application failed when making a function call to SnmpRegister.
