Re: ADAM Synchronizer Beta - question



Ah! Thanks for watching the thread and checking the error code
for us. Hopefully giving the rights below to the account will fix the
problem; I'm afraid I do not have a W2K domain to test against.

Lee Flight

"Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:OBy0b%23FUFHA.4092@xxxxxxxxxxxxxxxxxxxxxxx
> Sorry to get in the middle of a conversation, I think I can help Lee a bit
> here. The server error indicates you are running w2k AD, and it complains
> that you don't have permissions to pull changes with DirSync. Indeed,
> object-mode security is not implemented in w2k, so the only way to get
> dirsync to work is to grant Replicate-Get-Changes control access right to
> the account that adamsync uses to connect to AD.
>
> --
> Dmitri Gavrilov
> SDE, Active Directory Core
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:1A3C2EF8-550E-43A9-8EC3-4118BA161928@xxxxxxxxxxxxxxxx
>> New additional info from log:
>> Establishing connection to target server
>> sctas06.test.co.santa-cruz.ca.us:50000.
>>
>> Saving Configuration File on
>> OU=ISD,DC=test,DC=co,DC=santa-cruz,DC=ca,DC=us,DC=adusers
>>
>> Saved configuration file.
>>
>> ADAMSync is querying for a writeable replica of
>> sctdc00.test.co.santa-cruz.ca.us.
>>
>> Error: DCLocator call failed with error 1355. Attempting to bind directly
>> to
>> string.
>>
>> Establishing connection to source server
>> sctdc00.test.co.santa-cruz.ca.us:389.
>>
>> Using file .?dam1B.tmp as a store for deferred dn-references.
>>
>> Populating the schema cache
>>
>> Populating the well known objects cache
>>
>> Starting synchronization run from
>> ou=ISD,dc=test,dc=co,dc=santa-cruz,dc=ca,dc=us.
>>
>> Starting DirSync Search with object mode security.
>>
>> Ldap error occured. ldap_search_ext_s: Insufficient Rights.
>>
>> Extended Info: 000020F8: LdapErr: DSID-0C090670, comment: Error
>> processing
>> control, data 0, v893.
>>
>> Ldap error occured. ldap_search_ext_s: Insufficient Rights.
>>
>> Extended Info: 000020F8: LdapErr: DSID-0C090670, comment: Error
>> processing
>> control, data 0, v893.
>>
>> Saving Configuration File on
>> OU=ISD,DC=test,DC=co,DC=santa-cruz,DC=ca,DC=us,DC=adusers
>>
>> Saved configuration file.
>>
>> I hope this helps.
>> David
>>
>>
>>
>> "Lee Flight" wrote:
>>
>>> Hi
>>>
>>> I'm assuming that you re-ran the ADAMSync /install after updating
>>> the config.xml(?) Was the command below run with /log - ?
>>>
>>> I have never seen that error before; all I can offer to do is take a look
>>> at your config.xml (excluding any passwords etc.) if you are prepared
>>> to post it.
>>>
>>> Thanks
>>> Lee Flight
>>>
>>> "DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>> news:DD2521D1-3DD8-4DF3-AF43-8EB424C57FCA@xxxxxxxxxxxxxxxx
>>> > Ok,
>>> > I have added an <account-domain> tag and now the message is:
>>> > C:\WINDOWS\ADAM>adamsync /sync localhost:50000 adsyncadam /creds test
>>> > administrator xxxxx
>>> > Error occured fetching internationalized message number -2146893813.
>>> > Error
>>> > code:
>>> > 317
>>> >
>>> > C:\WINDOWS\ADAM>
>>> >
>>> >
>>> > David
>>> > "Lee Flight" wrote:
>>> >
>>> >> Hi
>>> >>
>>> >> "DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>>> >> message
>>> >> news:91E0B81B-D04B-4A07-97B5-5B047CBDC231@xxxxxxxxxxxxxxxx
>>> >>
>>> >> > C:\WINDOWS\ADAM>adamsync /sync localhost:50000 adsyncadam /creds
>>> >> > test
>>> >> > administrator xxxxxx
>>> >> > Ldap error occured. ldap_bind_s: Invalid Credentials.
>>> >> > Extended Info: 8009030C: LdapErr: DSID-0C0903E2, comment:
>>> >> > AcceptSecurityContext
>>> >> > error, data 0, v893.
>>> >>
>>> >> I think that has to be saying that the account that you are
>>> >> specifying for the AD partition does not have access. Could you
>>> >> check that the <source-ad-account> and <account-domain> are correct
>>> >> and that the account has access to the partition in AD that you are
>>> >> spec. You could check by using ldp.exe to bind to the AD with that
>>> >> account; the security event log on the DCs for the AD might give you
>>> >> a clue what is happening if you audit logon failures as part of your
>>> >> security policy.
>>> >>
>>> >> Thanks
>>> >> Lee Flight
>>> >>
>>> >>
>>> >>
>>>
>>>
>>>
>
>
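
The Replicate-Get-Changes control access right named in Dmitri Gavrilov's reply can be checked on the root of the source naming context before adamsync is re-run. The following is an added example, not part of the original thread or of ADAMSync: the function name `Get-ReplGetChangesHolder`, the DN `DC=example,DC=com` and the account `EXAMPLE\svc-adamsync` are placeholders, and it lists every principal holding the right so the grant can also be reviewed for least privilege.

```powershell
# Added example (not from the thread). Lists Allow ACEs on a naming-context
# root that confer DS-Replication-Get-Changes, the right DirSync needs.
function Get-ReplGetChangesHolder {
    param([Parameter(Mandatory)][string]$NamingContextDn)

    # rightsGuid of the DS-Replication-Get-Changes control access right
    $getChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    $extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$NamingContextDn")
    try {
        $entry.ObjectSecurity.GetAccessRules($true, $true,
                [System.Security.Principal.NTAccount]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -band $extended) -and
                # An empty ObjectType means "all extended rights" (also GenericAll)
                ($_.ObjectType -eq $getChanges -or $_.ObjectType -eq [guid]::Empty)
            } |
            Select-Object IdentityReference, ObjectType, IsInherited
    }
    finally {
        $entry.Dispose()
    }
}

# Placeholder values: substitute the source partition and the adamsync account.
$ncDn    = 'DC=example,DC=com'
$account = 'EXAMPLE\svc-adamsync'

$holders = @(Get-ReplGetChangesHolder -NamingContextDn $ncDn)

# Full list, for reviewing who else can pull changes from this partition.
$holders | Format-Table -AutoSize

# Direct grants only; a grant through group membership shows up under the
# group's name in the table above.
if ($holders | Where-Object { $_.IdentityReference.Value -eq $account }) {
    "$account holds Replicate-Get-Changes (or all extended rights) on $ncDn"
} else {
    "$account has no direct grant of Replicate-Get-Changes on $ncDn"
}
```

Run it from a domain-joined workstation under an account that can read the security descriptor of the naming-context root.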

