Re: ADAM Synchronizer Beta - question




Sorry, you are still getting the same error, which means the Control Access
Right is not granted to the account that is used to connect to AD.

BTW, why is locator call failing? Is ADAMSync running on a non-member
machine? If so, it could be failing to authenticate to AD.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2A9D9A1F-2DEE-41DF-8695-C858F903878A@xxxxxxxxxxxxxxxx
> Hello Dmitri,
>
> I have made the changes as you described now I am getting the error:
> Establishing connection to target server localhost:50000.
>
> Saving Configuration File on
> OU=ISD,DC=test,DC=co,DC=santa-cruz,DC=ca,DC=us,DC=adusers
>
> An ldap error occured while saving the configuration file: Insufficient
> Rights
>
> An ldap error occured while saving the configuration file: Insufficient
> Rights
>
> ADAMSync is querying for a writeable replica of
> sctdc00.test.co.santa-cruz.ca.us.
>
> Error: DCLocator call failed with error 1355. Attempting to bind directly
> to string.
>
> Establishing connection to source server
> sctdc00.test.co.santa-cruz.ca.us:389.
>
> Using file .?dam15.tmp as a store for deferred dn-references.
>
> Populating the schema cache
>
> Populating the well known objects cache
>
> Starting synchronization run from
> ou=ISD,dc=test,dc=co,dc=santa-cruz,dc=ca,dc=us.
>
> Starting DirSync Search with object mode security.
>
> Ldap error occured. ldap_search_ext_s: Insufficient Rights.
>
> Extended Info: 000020F8: LdapErr: DSID-0C090670, comment: Error processing
> control, data 0, v893.
>
> Ldap error occured. ldap_search_ext_s: Insufficient Rights.
>
> Extended Info: 000020F8: LdapErr: DSID-0C090670, comment: Error processing
> control, data 0, v893.
>
> Saving Configuration File on
> OU=ISD,DC=test,DC=co,DC=santa-cruz,DC=ca,DC=us,DC=adusers
>
> An ldap error occured while saving the configuration file: Insufficient
> Rights
>
> An ldap error occured while saving the configuration file: Insufficient
> Rights
>
> this is a domain-admin account, it is the same in the sync config file. it
> is the same that was used to install ADAM, and is also the account the
> service runs under. I am able to use LDP and bind with this account to the
> DC. the event log shows:
>
> This DSA successfully wrote the service principal names for the following
> account which are needed for mutual authentication to succeed on inbound
> connections.
>
> Account:
> CN=Administrator,CN=Users,DC=test,DC=co,DC=santa-cruz,DC=ca,DC=us
>
> my environment is ADAM on W2K3, AD on W2K, all in same domain.
>
> Thanks again for any help.
> "Dmitri Gavrilov [MSFT]" wrote:
>
>> The display name for this CAR is "Replicating Directory Changes". You
>> need to grant it *on* the domain head object, *to* the account that
>> adamsync uses.
>>
>> --
>> Dmitri Gavrilov
>> SDE, Active Directory Core
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> Use of included script samples are subject to the terms specified at
>> http://www.microsoft.com/info/cpyright.htm
>>
>> "DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:860666FE-367A-48FF-9C59-6B920DCBD356@xxxxxxxxxxxxxxxx
>> > Thank you Dmitri. I am having trouble finding this property. When I
>> > look at the account in AD users and computers, advanced properties I
>> > see:
>> > Manage replication topology x(allow)
>> > Replication Directory changes x(allow)
>> > Replication Synchronization x(allow)
>> >
>> > I did find create replication connection object was un-checked.
>> >
>> > Where can I find DS-Replication-get-changes?
>> >
>> > thanks again,
>> >
>> > David
>> >
>> > "Dmitri Gavrilov [MSFT]" wrote:
>> >
>> >> Sorry to get in the middle of a conversation, I think I can help Lee
>> >> a bit here. The server error indicates you are running w2k AD, and it
>> >> complains that you don't have permissions to pull changes with
>> >> DirSync. Indeed, object-mode security is not implemented in w2k, so
>> >> the only way to get dirsync to work is to grant Replicate-Get-Changes
>> >> control access right to the account that adamsync uses to connect to
>> >> AD.
>> >>
>> >> --
>> >> Dmitri Gavrilov
>> >> SDE, Active Directory Core
>> >>
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> rights.
>> >> Use of included script samples are subject to the terms specified at
>> >> http://www.microsoft.com/info/cpyright.htm
>> >>
>> >> "DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:1A3C2EF8-550E-43A9-8EC3-4118BA161928@xxxxxxxxxxxxxxxx
>> >> > New additional info from log:
>> >> > Establishing connection to target server
>> >> > sctas06.test.co.santa-cruz.ca.us:50000.
>> >> >
>> >> > Saving Configuration File on
>> >> > OU=ISD,DC=test,DC=co,DC=santa-cruz,DC=ca,DC=us,DC=adusers
>> >> >
>> >> > Saved configuration file.
>> >> >
>> >> > ADAMSync is querying for a writeable replica of
>> >> > sctdc00.test.co.santa-cruz.ca.us.
>> >> >
>> >> > Error: DCLocator call failed with error 1355. Attempting to bind
>> >> > directly to string.
>> >> >
>> >> > Establishing connection to source server
>> >> > sctdc00.test.co.santa-cruz.ca.us:389.
>> >> >
>> >> > Using file .?dam1B.tmp as a store for deferred dn-references.
>> >> >
>> >> > Populating the schema cache
>> >> >
>> >> > Populating the well known objects cache
>> >> >
>> >> > Starting synchronization run from
>> >> > ou=ISD,dc=test,dc=co,dc=santa-cruz,dc=ca,dc=us.
>> >> >
>> >> > Starting DirSync Search with object mode security.
>> >> >
>> >> > Ldap error occured. ldap_search_ext_s: Insufficient Rights.
>> >> >
>> >> > Extended Info: 000020F8: LdapErr: DSID-0C090670, comment: Error
>> >> > processing control, data 0, v893.
>> >> >
>> >> > Ldap error occured. ldap_search_ext_s: Insufficient Rights.
>> >> >
>> >> > Extended Info: 000020F8: LdapErr: DSID-0C090670, comment: Error
>> >> > processing control, data 0, v893.
>> >> >
>> >> > Saving Configuration File on
>> >> > OU=ISD,DC=test,DC=co,DC=santa-cruz,DC=ca,DC=us,DC=adusers
>> >> >
>> >> > Saved configuration file.
>> >> >
>> >> > I hope this helps.
>> >> > David
>> >> >
>> >> >
>> >> >
>> >> > "Lee Flight" wrote:
>> >> >
>> >> >> Hi
>> >> >>
>> >> >> I'm assuming that you re-ran the ADAMSync /install after updating
>> >> >> the config.xml(?) Was the command below run with /log - ?
>> >> >>
>> >> >> I have never seen that error before all I can offer to do is take
>> >> >> a look at your config.xml (excluding any passwords etc.) if you
>> >> >> are prepared to post it.
>> >> >>
>> >> >> Thanks
>> >> >> Lee Flight
>> >> >>
>> >> >> "DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:DD2521D1-3DD8-4DF3-AF43-8EB424C57FCA@xxxxxxxxxxxxxxxx
>> >> >> > Ok,
>> >> >> > I have added an <account-domain> tag and now the message is:
>> >> >> > C:\WINDOWS\ADAM>adamsync /sync localhost:50000 adsyncadam /creds test administrator xxxxx
>> >> >> > Error occured fetching internationalized message number -2146893813.
>> >> >> > Error code: 317
>> >> >> >
>> >> >> > C:\WINDOWS\ADAM>
>> >> >> >
>> >> >> >
>> >> >> > David
>> >> >> > "Lee Flight" wrote:
>> >> >> >
>> >> >> >> Hi
>> >> >> >>
>> >> >> >> "DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> >> news:91E0B81B-D04B-4A07-97B5-5B047CBDC231@xxxxxxxxxxxxxxxx
>> >> >> >>
>> >> >> >> > C:\WINDOWS\ADAM>adamsync /sync localhost:50000 adsyncadam /creds test administrator xxxxxx
>> >> >> >> > Ldap error occured. ldap_bind_s: Invalid Credentials.
>> >> >> >> > Extended Info: 8009030C: LdapErr: DSID-0C0903E2, comment: AcceptSecurityContext error, data 0, v893.
>> >> >> >>
>> >> >> >> I think that has to be saying that the account that you are
>> >> >> >> specifying for the AD partition does not have access. Could you
>> >> >> >> check that the <source-ad-account> and <account-domain> are
>> >> >> >> correct and that the account has access to the partition in AD
>> >> >> >> that you are spec. You could check by using ldp.exe to bind to
>> >> >> >> the AD with that account, the security event log on the DCs for
>> >> >> >> the AD might give you a clue what is happening if you audit
>> >> >> >> logon failures as part of your security policy.
>> >> >> >>
>> >> >> >> Thanks
>> >> >> >> Lee Flight
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
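
The check Dmitri describes (the "Replicating Directory Changes" control access right granted on the domain head object to the account ADAMSync uses) can be verified from the SDDL form of that object's security descriptor. The following is an added example, not code from this thread or from ADAMSync; the SDDL string and SIDs are constructed placeholders, and the function name is hypothetical.

```python
import re

# Rights GUID of DS-Replication-Get-Changes ("Replicating Directory Changes").
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"

# Constructed sample: SDDL of a domain head object (placeholder SIDs).
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
    "(A;CI;LCRPRC;;;AU)"
    "(OA;CIIO;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1106)"
    "S:(AU;SA;CR;;;WD)"
)

def has_cr(rights):
    """True if the rights field carries control access (CR / 0x100) or GA."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & 0x100)
    # Rights are two-letter tokens; a substring test would wrongly match
    # "LCRP" (LC + RP) as containing CR.
    tokens = re.findall("..", rights)
    return "CR" in tokens or "GA" in tokens

def get_changes_status(sddl, trustees):
    """Return 'deny', 'allow' or 'missing' for a set of trustee SIDs/aliases.

    Simplification (assumption): any applicable deny ACE wins, regardless
    of ACE ordering. Only the DACL is inspected, never the SACL.
    """
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    status = "missing"
    for ace in re.findall(r"\(([^()]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, obj, _inh, trustee = ace.split(";")[:6]
        if trustee not in trustees:
            continue
        if "IO" in re.findall("..", flags):
            continue  # inherit-only: does not apply to the domain head itself
        # An empty object GUID on a CR ACE covers every control access right.
        if not has_cr(rights) or obj.lower() not in ("", GET_CHANGES):
            continue
        if ace_type in ("D", "OD"):
            return "deny"
        if ace_type in ("A", "OA"):
            status = "allow"
    return status
```

Pass every SID the sync account resolves to (its own SID plus its group SIDs or SDDL aliases) in `trustees`; a result of `missing` on the domain head matches the "Insufficient Rights" DirSync failure in the logs above.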

