
LdapIPDeny List

Let me explain the background of an issue I have faced. A member server had several applications running on it. All of a sudden, all applications stopped and would not let us start them. The error seemed to be with the service account used for the applications; it clearly said that the problem was with authentication. So, in the process of troubleshooting, one of our sysadmins disjoined the server from the domain. When he tried adding the server back to the domain, the actual problem started. It didn’t allow joining the server back to the DC, saying “LDAP Query Failed” and “Access denied”.

As I do not have permissions on the DCs, I could not verify anything on the DC end, and the AD team could not help us solve the problem. We had to rename and rebuild the server, but that didn’t help us solve the issue either.

Finally, it was escalated to Microsoft for assistance. They investigated and found the root cause: the server IP had been added to the LdapIPDeny List in AD, which was causing the LDAP failed errors and not allowing this server to join back to the domain. After we removed the IP from the list, the server successfully joined back to the domain.

Very brief information on the LdapIPDeny List follows:

To provide a higher level of security for a DC, you can apply an IP Deny List that prevents the DC from accepting LDAP queries from clients with the specified IP addresses. As with the LDAP administration limits, the IP Deny List set through Ntdsutil only alters the Default LDAP Policy object. The default LDAP Policy is applied to any DC that has not had a specific LDAP policy applied to it or to the site to which it belongs.

A DC uses the following three mechanisms to apply LDAP Policies:

  • A DC might refer to a specific LDAP Policy. The NTDS Settings object includes an optional attribute, queryPolicyObject, which contains the distinguished name of a Query Policy.
  • In the absence of a specific query policy applied to the DC, the DC applies the Query Policy assigned to the DC’s site. The ntDSSiteSettings object includes an optional attribute, queryPolicyObject, which contains the distinguished name of a Query Policy.
  • In the absence of a specific DC or site Query Policy, a DC uses the default query policy, named Default-Query Policy.

A Query Policy object includes the multivalued attributes lDAPIPDenyList and lDAPAdminLimits. Ntdsutil allows the administrator to set the LDAP administrator limits and the IP Deny List for the Default-Query Policy object.
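The following is an added example, not code from the original post, that models the two mechanisms described above: how a DC resolves its effective Query Policy (DC-specific policy, then the site’s policy, then Default-Query Policy) and how an entry in the deny list matches a client address. It assumes that lDAPIPDenyList values have the “address mask” form used when they are entered through Ntdsutil (for example “10.20.30.40 255.255.255.255”), and that a client is denied when its address falls inside the network described by an entry. The directory objects, policy names and IP addresses below are constructed in-memory stand-ins, not live AD queries; checking a real server means reading the lDAPIPDenyList attribute of the effective policy object and running the same comparison against the server’s address.

```python
"""Model of LDAP Query Policy resolution and lDAPIPDenyList matching.

Added example; the objects below are constructed stand-ins for the NTDS
Settings, ntDSSiteSettings and Query Policy objects, not real AD data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class QueryPolicy:
    """Stand-in for a Query Policy object; only the deny list is modelled."""
    name: str
    ldap_ip_deny_list: List[str] = field(default_factory=list)  # lDAPIPDenyList values


@dataclass
class NtdsSettings:
    """Stand-in for a DC's NTDS Settings object."""
    dc_name: str
    query_policy_object: Optional[QueryPolicy] = None  # optional queryPolicyObject


@dataclass
class NtdsSiteSettings:
    """Stand-in for a site's ntDSSiteSettings object."""
    site_name: str
    query_policy_object: Optional[QueryPolicy] = None  # optional queryPolicyObject


def resolve_query_policy(dc: NtdsSettings, site: NtdsSiteSettings,
                         default: QueryPolicy) -> QueryPolicy:
    """Apply the precedence from the text: DC policy, then site policy, then default."""
    if dc.query_policy_object is not None:
        return dc.query_policy_object
    if site.query_policy_object is not None:
        return site.query_policy_object
    return default


def parse_deny_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse one 'address mask' value (assumed format) into a network.

    strict=False lets a host address with a network mask (e.g. '10.1.2.3
    255.255.255.0') stand for its whole subnet instead of raising.
    """
    address, mask = entry.split()
    return ipaddress.IPv4Network((address, mask), strict=False)


def matching_deny_entry(client_ip: str, policy: QueryPolicy) -> Optional[str]:
    """Return the deny-list entry that covers client_ip, or None if it is allowed."""
    ip = ipaddress.IPv4Address(client_ip)
    for entry in policy.ldap_ip_deny_list:
        if ip in parse_deny_entry(entry):
            return entry
    return None


def effective_deny_entry(client_ip: str, dc: NtdsSettings, site: NtdsSiteSettings,
                         default: QueryPolicy) -> Optional[str]:
    """Combine both steps: find the policy the DC really uses, then check the client."""
    return matching_deny_entry(client_ip, resolve_query_policy(dc, site, default))


# Constructed sample data: the default policy carries one host entry and one
# subnet entry; neither the DC nor its site has a specific policy assigned.
DEFAULT_POLICY = QueryPolicy("Default-Query Policy", [
    "10.20.30.40 255.255.255.255",   # a single member server (constructed)
    "192.168.50.0 255.255.255.0",    # a whole subnet (constructed)
])
DC1 = NtdsSettings("DC1")
SITE_A = NtdsSiteSettings("Site-A")

if __name__ == "__main__":
    for ip in ("10.20.30.40", "10.20.30.41", "192.168.50.77"):
        hit = effective_deny_entry(ip, DC1, SITE_A, DEFAULT_POLICY)
        print(f"{ip}: {'denied by ' + hit if hit else 'allowed'}")
```

In the incident described in the post, the rebuilt server kept failing because its address still matched an entry in the list; a check like `effective_deny_entry` run against the server’s IP is the quickest way to confirm that before rebuilding a machine.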

The following links might help you understand how the LdapIPDeny List works.

http://technet.microsoft.com/en-us/library/cc976714.aspx

http://msdn.microsoft.com/en-us/library/cc220058(PROT.10).aspx

http://technet.microsoft.com/en-us/library/cc976703.aspx
