
Incorrect user count or license errors with Specops Password Reset due to LDAP query timeout.

Description:

If the user counts don’t look right, or you get a license error in Specops Password Reset, the nightly user count may be timing out. To check whether this is the issue, look in Event Viewer on the Specops Password Reset server.

On the Specops Password Reset server, open Event Viewer and go to Windows Logs > Application.

Look for EventID 350. The detail of the message will say something similar to:

“Failed to read users from domain ‘LDAP://DC=Users,DC=Example,DC=com’. Full error: ‘System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.

If you see this, then the LDAP query is timing out.

First, validate that the Specops Password Reset server has network connectivity to your Domain Controllers. This is a fundamental requirement of our products.

Once you have validated network connectivity, then it could be one of the two causes below:

  1. Specops Password Reset is having trouble running the LDAP query on one specific domain controller.
  2. Specops Password Reset is trying to run its LDAP query to check user/license information, and the query is taking too long no matter which domain controller it uses.

Solution:

The solution can be different based on the cause of the issue. Two common solutions are below:

Solution #1: Specops Password Reset is trying to run the LDAP query for user counting, but it’s having issues with one domain controller.

To start, we can check whether Specops Password Reset is having issues with an individual DC. You can test this by specifying a preferred DC in the registry of your Specops Password Reset server.

To do so:

  1. Open the Registry Editor on your Specops Password Reset server.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\SpecopsSoft\Specops Password Reset\Server\Domains\yourdomainname\PreferredDomainController
  3. Set the value to the FQDN of your first DC.
  4. Initiate a user count from the Specops Password Reset Reporting page, or restart the Specops Password Reset service.
  5. Wait a few minutes, and then check that your user count is what you expect and that you no longer see the EventID 350 timeout error in your Application log.
  6. If you do not see the error, then that means the LDAP query was able to complete against that particular DC.
  7. Cycle through your DCs by changing the value to the FQDN of each of your other DCs, until you find the DC that generates the error.
  8. Once you have found the problematic DC, you can take steps to investigate the network connectivity to that DC.
  9. Once you are done testing, you can clear the value in PreferredDomainController.
  10. If all DCs generate the error, then move on to Solution #2.

Note: You can leave the FQDN of a DC that works in that registry key, but it should only be temporary. Best practice is for this value to be blank so that Specops Password Reset will find a nearby DC, and it’s not dependent on one DC.

Solution #2: Specops Password Reset is trying to run its LDAP query, but it’s timing out against every domain controller.

If, after checking all of your DCs, the LDAP query continues to time out on all of them, then we know the issue is not related to one specific DC.

The issue might be that the LDAP query needs more time to complete.

We can test this by editing the registry value that sets the query's time limit.

  1. Open the Registry Editor on your Specops Password Reset Server.
  2. Browse out to HKEY_LOCAL_MACHINE\SOFTWARE\SpecopsSoft\Specops Password Reset\Server\Domains\yourdomainname\
  3. Look for the value SearchTimeoutSeconds.
  4. If it does not exist, create a new DWORD(32-bit) Value with the name SearchTimeoutSeconds.
  5. The default value will be 0. Change that to 60.
  6. Initiate a user count from the Specops Password Reset Server reporting page, or restart the Specops Password Reset service.
  7. Wait a few minutes, and then check that your user count is what you expect and that you no longer see the EventID 350 timeout error in your Application log.
  8. If it is still timing out, then you can increase the SearchTimeoutSeconds value to a higher number.
  9. Repeat steps 5 and 6.
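
The checks from both solutions can be run from an elevated PowerShell prompt on the Specops Password Reset server. This is an added example, not a Specops-provided script: the function names are hypothetical, the DC names are constructed placeholders, and testing TCP port 389 assumes the standard LDAP port is the one in use.

```powershell
# Added example. Replace the placeholders below with your own values.
$Domain  = 'yourdomainname'                          # placeholder, as in the article
$DcList  = @('dc01.example.com', 'dc02.example.com') # constructed sample FQDNs
$KeyPath = "HKLM:\SOFTWARE\SpecopsSoft\Specops Password Reset\Server\Domains\$Domain"

function Get-UserCountTimeoutEvent {
    param([int]$Days = 7)
    # EventID 350 in the Application log, narrowed to the LDAP timeout message.
    $filter = @{ LogName = 'Application'; Id = 350; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*client side timeout limit was exceeded*' } |
        Select-Object TimeCreated, ProviderName, Message
}

function Test-DcLdapPort {
    param([string[]]$ComputerName)
    # Basic reachability check per DC (assumption: LDAP on TCP 389).
    foreach ($dc in $ComputerName) {
        $r = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Ldap389Reachable = $r.TcpTestSucceeded }
    }
}

function Get-SprDomainSetting {
    # Shows what is currently set; an empty property means the value is absent or blank.
    $p = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    [pscustomobject]@{
        PreferredDomainController = $p.PreferredDomainController
        SearchTimeoutSeconds      = $p.SearchTimeoutSeconds
    }
}

function Set-SprSearchTimeout {
    # The 3600 upper bound is an arbitrary sanity cap chosen for this example.
    param([Parameter(Mandatory)][ValidateRange(0, 3600)][int]$Seconds)
    # Creates the DWORD if it does not exist, or overwrites it if it does.
    New-ItemProperty -Path $KeyPath -Name 'SearchTimeoutSeconds' `
        -PropertyType DWord -Value $Seconds -Force | Out-Null
}

Get-UserCountTimeoutEvent | Format-List
Test-DcLdapPort -ComputerName $DcList | Format-Table -AutoSize
Get-SprDomainSetting | Format-List
# Uncomment to apply step 5 of Solution #2, then initiate a user count:
# Set-SprSearchTimeout -Seconds 60
```

Run `Get-SprDomainSetting` again once testing is finished to confirm that PreferredDomainController has been cleared, as the note under Solution #1 recommends.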

If you are still having the issue after trying both of these solutions, then please open a Support Case here.

December 2, 2020
