CE Can't Talk to Windows AD

[weikfan]

Hi All,

We are on CE10 with Windows AD authentication. We have multiple groups on Window AD. The folder rights were applied to the these groups after they were brought to CE. It has been functioning this way for about 2 months. Starting today, though, we are getting the following error message in our development environment when looking at the users of a group from CMC.

There was an error while retrieving data from the server: Active Directory Authentication failed to get the members of the group with ID "S-1-5-21-28647537-809508314-1842888061-30434". If the problem persists, please delete this group and re-map it into Crystal, then try again.

Could you please let me know what would have caused this and the fix for it other than re-applying the rights? Before this was happening, an OS upgrade and some maintenance was done on our web server (UNIX) for CE. I can't tell if that could cause the problem because I was able to log on and refresh reports after the upgrade was done. We started to get errors about 1 hour after I was able to refresh the report successfully.

We are using the same WinAD groups in Production. It doesn't have this problem there (yet).

Thanks for your help.
Fan

 

[Turkbear]

Hi,
How many 'branches'( or something like that, I'm not an AD person) does your AD tree have..Perhaps one of them has lost that Group's info - can you delete and recreate?
Does your AD administrator have any insight into the issue?





To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[weikfan]

Hi Turkbear,

By 'branch', do you mean how many groups a user belong to on AD? According to the AD administrator, they could be in several different groups on AD. But the ones coming in to CE are independent of each other. the AD admin can't explain much why the error occurrs because our production environment imported the same groups the same way and working.

Also, it's not just one group that's not working. We have the same issue in dev for all the AD groups (about 15 of them). Since the rights are applied on the AD groups in CE, we will need to reapply the rights when we delete the group and added back in.

Thanks.
Fan

 

[Turkbear]

Hi, Actually no..My Bad description of multiple AD servers.
When you select an AD group in the CMC/Authentication page and click update, is the same error message returned?

I Assume you are using the same AD admin account for both Prod and Dev..







To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[weikfan]

I am checking on the multiple AD servers.

I do get the same error when I select an AD group in CMC/Authentication and click update.

For the AD admin account, do you mean the account they use to set up the groups in Windows AD or the account they use to bring in the AD groups to CE? The account they use to set up the groups in Windows AD is the same. The account they use to bring the AD groups to CE are diffferent for Dev and Prod.

I am also wondering if the size of the AD list could make any difference. Although we are using the same list, our Pord server is more robust than the one for Dev. Could it be that it ran out of space and corrupted something?

Thanks again for your quick response.
Fan

 

[Turkbear]

Hi,
The user used to connect to the AD system - are you sure the user you specify in Dev has rights to read the AD data?

Try using the same User as in Prod..





To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[weikfan]

Hi,

We just got it resolved. Our AD Admin deleted a test group that is in CE. Once we removed the deleted group from CE, it was ok.

I didn't know it would impact all our other groups in CE.

Regarding the AD servers. We do have multiple AD servers. Each has the exact AD groups. Do you see any potential problems with this?

Thanks for your help.
Fan

 

[Turkbear]

Hi,
No...except there may be a delay for a change to be 'seen' by all the servers...







To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[weikfan]

Thanks.