Re: ADAM bind proxy failing after w2k to w2k3 domain upgrade


From: Jims (biz_at_neocasa.net)
Date: 09/24/04


Date: Fri, 24 Sep 2004 12:45:55 -0400

I am able to log into the ADAM server interactively with TestDom\adamuser0
domain account.

"Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
news:eGA%23p0koEHA.1588@TK2MSFTNGP09.phx.gbl...
> Can you log on to ADAM machine as the test user (from AD)? This requires two
> things:
> (a) the user in AD is valid
> (b) the ADAM machine is a happy member of the AD domain.
>
>
> --
> Dmitri Gavrilov
> SDE, Active Directory Core
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "Jims" <biz@neocasa.net> wrote in message
> news:u6EBtYjoEHA.1300@TK2MSFTNGP12.phx.gbl...
> > I checked the AD and ADAM SIDs of several accounts and they all match. The
> > AD accounts are enabled. I've included ldifs for a test account.
> > Thanks,
> > Jim
> >
> > --------------------------------------------------------------------------
> > ADAM ldif for cn=adamuser0
> > --------------------------------------------------------------------------
> > dn: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
> > changetype: add
> > sn: User0
> > mail: ADAM.User0@childrens.harvard.edu
> > employeeID: 999110
> > givenName: ADAM
> > objectClass: top
> > objectClass: userProxy
> > cn: adamuser0
> > description: Test account for ADAM load testing. See Jim
> > distinguishedName: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
> > instanceType: 4
> > whenCreated: 20040923205501.0Z
> > whenChanged: 20040923205501.0Z
> > displayName: User0 ADAM
> > uSNCreated: 165089
> > memberOf: CN=Readers,CN=Roles,DC=CHBDir,DC=Org
> > uSNChanged: 165089
> > showInAdvancedViewOnly: TRUE
> > name: adamuser0
> > objectGUID:: Ao8zPFz7Jki83KNtIioTlg==
> > objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
> > objectCategory: CN=User-Proxy,CN=Schema,CN=Configuration,CN={037EF044-62EC-46CF-BC6C-F83B492B5D6A}
> >
> > --------------------------------------------------------------------------
> > Active Directory ldif for cn=adamuser0
> > --------------------------------------------------------------------------
> > dn: CN=adamuser0,OU=TestDomUsers,OU=Users,DC=TestDom,DC=ORG
> > changetype: add
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > cn: adamuser0
> > sn: User0
> > description: Test account for ADAM load testing. See Jim S.
> > givenName: ADAM
> > distinguishedName: CN=adamuser0,OU=TestDomUsers,OU=Users,DC=TestDom,DC=ORG
> > instanceType: 4
> > whenCreated: 20040922202306.0Z
> > whenChanged: 20040923223103.0Z
> > displayName: User0, ADAM
> > uSNCreated: 29167521
> > uSNChanged: 29291979
> > department: ADAM Project
> > mDBUseDefaults: TRUE
> > mailNickname: adamuser0
> > name: adamuser0
> > objectGUID:: +egFGfcmZkag1A4SGvxaFg==
> > userAccountControl: 512
> > codePage: 0
> > countryCode: 0
> > pwdLastSet: 127404521926265493
> > primaryGroupID: 513
> > objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
> > accountExpires: 9223372036854775807
> > sAMAccountName: adamuser0
> > sAMAccountType: 805306368
> > userPrincipalName: adamuser0@TestDom.ORG
> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=TestDom,DC=ORG
> > --------------------------------------------------------------------------
> >
> > "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
> > news:OJPe5LfoEHA.3460@tk2msftngp13.phx.gbl...
> > > Please verify that the SIDs inside userProxies still point to valid user
> > > objects in AD. You can use LDP's utilities/map sids. If the user exists,
> > > check that it's not disabled or locked out or expired.
> > >
> > > --
> > > Dmitri Gavrilov
> > > SDE, Active Directory Core
> > >
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > Use of included script samples are subject to the terms specified at
> > > http://www.microsoft.com/info/cpyright.htm
> > >
> > > "Jims" <biz@neocasa.net> wrote in message
> > > news:u$5FnKcoEHA.2636@TK2MSFTNGP09.phx.gbl...
> > > We've had a working ADAM environment for several months using MIIS sync
> > > with AD and bindproxy accounts. We upgraded our W2K directory and 4/5 DCs
> > > this week. I can no longer authenticate to ADAM with AD user accounts.
> > > This is a test ADAM server and I haven't tried to authenticate in over a
> > > week so I'm not sure of the AD domain significance but I haven't done
> > > anything else to the ADAM server except configure SSL, which works. I can
> > > authenticate "user" accounts ok just not "bindproxy" accounts. The ADAM
> > > security event log logs the below event. I don't see anything in the DC
> > > event logs.
> > > Thanks,
> > > Jim
> > >
> > > -----------------------------------------------------------
> > >
> > > Type: Failure Aud EventID: 680
> > > Logon attempt by: ADAM_CHBADAM1
> > >
> > > Logon account: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
> > >
> > > Source Workstation: -
> > >
> > > Error Code: 0xC000006D
> > >
> > >
> >
> >
>
>
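
The checks suggested in this thread (the userProxy SID maps to an AD user that is not disabled or expired) can be run offline against the two LDIF dumps quoted above. This is an added example, not code from any poster; the function names are hypothetical, the attribute values are copied from the dumps, and lockout is not checked because the dump has no lockoutTime attribute.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# Values copied from the LDIF dumps quoted in this thread.
ADAM_PROXY_SID = "AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA=="
AD_USER = {
    "objectSid": "AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==",
    "userAccountControl": 512,
    "accountExpires": 9223372036854775807,
}
UF_ACCOUNTDISABLE = 0x0002               # userAccountControl bit: account disabled
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # both values mean "never expires"

def sid_to_string(b64):
    """Decode a base64 objectSid (binary SID) into S-R-A-S1-S2-... form."""
    raw = base64.b64decode(b64)
    # Layout: revision (1 byte), sub-authority count (1), authority (6, big
    # endian), then <count> little-endian 32-bit sub-authorities.
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)

def check_proxy(proxy_sid_b64, user, now=None):
    """Return reasons why a bind through this userProxy could be refused."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if sid_to_string(proxy_sid_b64) != sid_to_string(user["objectSid"]):
        problems.append("sid-mismatch")
    if user["userAccountControl"] & UF_ACCOUNTDISABLE:
        problems.append("disabled")
    expires = user["accountExpires"]
    if expires not in NEVER_EXPIRES:
        # accountExpires is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
        epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
        if epoch + timedelta(microseconds=expires // 10) <= now:
            problems.append("expired")
    return problems

if __name__ == "__main__":
    print(sid_to_string(ADAM_PROXY_SID))
    print(check_proxy(ADAM_PROXY_SID, AD_USER) or "proxy maps to a usable AD account")
```

For the values in this thread the check returns no problems, consistent with the report that the SIDs match and the AD accounts are enabled.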


