
LDAP connection between NPS server and domain controller isn't reestablished

Question

Tuesday, February 21, 2012 3:07 PM

Hello,

First of all, excuse me for my bad English ;)

In advance, some information about our topology:

We have a Windows 2008 R2 server with the NPS role installed. This server is in the domain "services". In addition we have Windows 2003 servers, which are used as domain controllers for the domain "users". We have a trust between the domains "services" and "users".

The servers are in different IP subnets with a firewall between them.

In the "Network Policies" on the NPS server we used user/computer groups from the domain "users". These worked well at first, and the LDAP connection to the domain controller in the "users" domain could also be established.

Now the real problem:

Due to a timeout for inactive sessions on the firewall, the LDAP session is cut after one hour. The NPS server, however, tries to use the old session and runs into the following error: Event 4402, NPS "There is no domain controller available for domain Users." (Because the session no longer exists on the firewall and the packets are discarded.)

As soon as the user group is removed and re-added in the NPS policy, the connection to the domain controller is rebuilt, that means a new session is established on the firewall and the connection is working again, until the next timeout.

So, now I want the server to establish a new session for the LDAP connection to the domain controller automatically, after the session is terminated by the timeout. But how?

All replies (8)

Friday, August 10, 2012 10:18 AM ✅Answered

Hi jim_bot,

Yes, we solved our problem. In our case the problem was that we only had a trust between the domain "services" and the domain "users", but not a direct trust between the domain "services" and the subdomains of the domain "users".

You can also try this:

Change the default time-out of the TCP keep-alive to 30 minutes.

Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\

Key: KeepAliveTime

Format: DWORD

Value in milliseconds: 1800000

The server needs to be restarted.
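The registry change from the answer above, as an added PowerShell example that is not part of the original thread. The one-hour firewall idle timeout and the 30-minute target come from the thread; the function names and the check that the keep-alive fires before the firewall timeout are assumptions of this example.

```powershell
# Added example (not from the thread): inspect and set the TCP KeepAliveTime
# value described in the answer. Run in an elevated PowerShell session on the
# NPS server; the change only takes effect after a restart.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-TcpKeepAliveTime {
    # Windows uses 7200000 ms (2 hours) when the value is absent, which is why
    # the key is "not present" on a default install and why a one-hour firewall
    # idle timeout expires the session before the first keep-alive is sent.
    $item = Get-ItemProperty -Path $TcpipParams -Name 'KeepAliveTime' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Milliseconds = 7200000 }
    }
    return [pscustomobject]@{ Present = $true; Milliseconds = [int]$item.KeepAliveTime }
}

function Set-TcpKeepAliveTime {
    param(
        # Firewall idle timeout for the LDAP session (one hour in the thread).
        [int]$FirewallIdleTimeoutMinutes = 60,
        # Keep-alive interval to apply; the thread uses 30 minutes.
        [int]$KeepAliveMinutes = 30
    )
    # A keep-alive that fires later than the firewall idle timeout cannot keep
    # the session open, so refuse such a value instead of writing it.
    if ($KeepAliveMinutes -ge $FirewallIdleTimeoutMinutes) {
        throw "KeepAliveMinutes ($KeepAliveMinutes) must be lower than the firewall idle timeout ($FirewallIdleTimeoutMinutes)."
    }
    $ms = $KeepAliveMinutes * 60 * 1000   # 30 minutes -> 1800000 ms, as in the answer
    $before = Get-TcpKeepAliveTime
    if (-not $before.Present) {
        # The value does not exist by default, so it has to be created as a DWORD.
        New-ItemProperty -Path $TcpipParams -Name 'KeepAliveTime' -PropertyType DWord -Value $ms | Out-Null
    } else {
        Set-ItemProperty -Path $TcpipParams -Name 'KeepAliveTime' -Value $ms
    }
    $after = Get-TcpKeepAliveTime
    Write-Output ("KeepAliveTime: {0} ms -> {1} ms (restart required)" -f $before.Milliseconds, $after.Milliseconds)
}

Get-TcpKeepAliveTime
Set-TcpKeepAliveTime -FirewallIdleTimeoutMinutes 60 -KeepAliveMinutes 30
```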


Wednesday, February 22, 2012 7:07 AM

Hi Caro89,

Thanks for posting here.

> Event 4402, NPS "There is no domain controller available for domain Users.

Is this the accurate description of this event? Because the system should usually show the domain name in the message, not "domain users". Which DNS server is the NPS server pointing to and using?

Anyway, since you mentioned a firewall, I believe we might already have set firewall exceptions in order to allow the NPS to communicate with the domain controller for data querying and authentication. But could we first check to make sure it has been properly set by following the instructions in the KB article below:

How to configure a firewall for domains and trusts
http://support.microsoft.com/kb/179442

More information for reference :

Event ID 4402 — NPS and Domain Controller Communication
http://technet.microsoft.com/en-us/library/cc735393(WS.10).aspx

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/14568794-3b3d-48d6-996b-b254e6ab8d5c

Thanks.

Tiger Li

TechNet Community Support


Wednesday, February 22, 2012 8:48 AM

Hi Tiger Li,

Thanks for your answer.

This is the accurate description of the event, because in my example above the domain is called "users", so the name of the domain is "users". Maybe a bad example...

The NPS Server is using the domain controller from its domain "services" as the DNS Server.

There might be no problem with the firewall settings, because everything is working well until the timeout occurs.

So the problem is that the server doesn't establish a new session after the old one is terminated by the firewall.


Thursday, February 23, 2012 6:53 AM


Hi Caro89,

Thanks for the update.

OK, so are these domains "users" and "services" subdomains of a parent one, for example "contoso.com"? If so, the FQDNs of these subdomains should be "users.contoso.com" and "services.contoso.com". Can you confirm that?

If so, it seems the DNS suffix is not properly set for these hosts; please consider correcting that and specifying the FQDN when connecting NPS to the Active Directory domain.

Configuring Query Settings

http://technet.microsoft.com/en-us/library/cc959339.aspx

Meanwhile, have we created the trust relationship between these domains? How did we set up the name resolution?

DNS and NetBIOS Name Resolution to Create External, Realm and Forest Trusts

http://technet.microsoft.com/en-us/library/ee307976(WS.10).aspx

If you are using a single-label domain name in this case, I'd like to suggest reconsidering the current domain namespace design and trying to rename it:

Information about configuring Active Directory domains by using single-label DNS names

http://support.microsoft.com/kb/300684

Providing Single-Label DNS Name Resolution

http://technet.microsoft.com/en-us/library/cc816610(WS.10).aspx

Thanks.

Tiger Li

TechNet Community Support


Friday, February 24, 2012 9:37 AM

Hi Tiger Li,

Thanks for your response.

I can't really comprehend why this should be a DNS or domain trust problem, because the connection worked at first, and any time after I re-added the group from the "users" domain in the network policy it is working again. I get the following information in the event log then: Event 4400, NPS "A LDAP connection with domain controller sv-dc02.users.example.local for domain users (users=domain name!) is established."

So I think if there were a problem with the DNS suffixes, the domain trust or something like that, the connection would never be established.

I only get the error message (4402, NPS "There is no domain controller available for domain Users (users=domain name!).") after the LDAP session is inactive for one hour or more and then terminated by our firewall.

So does anyone know of a possibility to edit the settings for LDAP connections on the NPS server, or have another resolution for that?

Thanks.


Friday, August 10, 2012 9:40 AM

I think this is exactly the same problem I'm having. It just stops working for users in the trusted domain after a period of time.

Bump to see if you ever got a fix for this Caro89?


Friday, August 10, 2012 10:42 AM

Thanks for the quick response :)

I don't have that key present in that path - did you have to add it manually?

I can try adding a direct trust too, thanks for the tip.


Friday, August 10, 2012 10:58 AM

Yes, you have to add it manually.

If you don't have a direct trust to the subdomains, the NPS server tries to establish the LDAP connection to the domain controller of the root domain after the timeout occurred, and not to the domain controller of the subdomain as needed. (We saw that in our firewall logs.)

I hope that will help.