Re: ADAM Synchronizer Beta - question
- From: "Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 9 May 2005 12:10:36 -0600
I am pretty sure this is an authentication problem. Try connecting to the
domain name (test.co.santa-cruz.ca.us) as opposed to server name.
Also, what does "nltest /dsgetdc:test.co.santa-cruz.ca.us" say?
--
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:040F1A6F-82EE-4653-B3AD-3789A7C03DB6@xxxxxxxxxxxxxxxx
> Yes, I am sorry also. I have verified the CAS "Replicating Directory Changes"
> and "Replication Synchronize". The machine is a member server in the Domain.
> The mode is mixed. I can use adam LDP and bind to the DC with this account.
> Is there anything on the local machine I need to set? Is there another way to
> verify/list all CAS?
>
> I am ready to give up on ADAM, I have lost so much time and energy. I feel
> as if I am close but troubleshooting and administration would doom my plan of
> user administration.
>
> Thanks for your help, it was appreciated.
>
> David
>
> "Dmitri Gavrilov [MSFT]" wrote:
>
>> Sorry, you are still getting the same error, which means the Control Access
>> Right is not granted to the account that is used to connect to AD.
>>
>> BTW, why is locator call failing? Is ADAMSync running on a non-member
>> machine? If so, it could be failing to authenticate to AD.
>>
>> --
>> Dmitri Gavrilov
>> SDE, Active Directory Core
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> Use of included script samples are subject to the terms specified at
>> http://www.microsoft.com/info/cpyright.htm
>>
>> "DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:2A9D9A1F-2DEE-41DF-8695-C858F903878A@xxxxxxxxxxxxxxxx
>> > Hello Dmitri,
>> >
>> > I have made the changes as you described now I am getting the error:
>> > Establishing connection to target server localhost:50000.
>> >
>> > Saving Configuration File on OU=ISD,DC=test,DC=co,DC=santa-cruz,DC=ca,DC=us,DC=adusers
>> >
>> > An ldap error occured while saving the configuration file: Insufficient Rights
>> >
>> > An ldap error occured while saving the configuration file: Insufficient Rights
>> >
>> > ADAMSync is querying for a writeable replica of sctdc00.test.co.santa-cruz.ca.us.
>> >
>> > Error: DCLocator call failed with error 1355. Attempting to bind directly to string.
>> >
>> > Establishing connection to source server sctdc00.test.co.santa-cruz.ca.us:389.
>> >
>> > Using file .?dam15.tmp as a store for deferred dn-references.
>> >
>> > Populating the schema cache
>> >
>> > Populating the well known objects cache
>> >
>> > Starting synchronization run from ou=ISD,dc=test,dc=co,dc=santa-cruz,dc=ca,dc=us.
>> >
>> > Starting DirSync Search with object mode security.
>> >
>> > Ldap error occured. ldap_search_ext_s: Insufficient Rights.
>> >
>> > Extended Info: 000020F8: LdapErr: DSID-0C090670, comment: Error processing control, data 0, v893.
>> >
>> > Ldap error occured. ldap_search_ext_s: Insufficient Rights.
>> >
>> > Extended Info: 000020F8: LdapErr: DSID-0C090670, comment: Error processing control, data 0, v893.
>> >
>> > Saving Configuration File on OU=ISD,DC=test,DC=co,DC=santa-cruz,DC=ca,DC=us,DC=adusers
>> >
>> > An ldap error occured while saving the configuration file: Insufficient Rights
>> >
>> > An ldap error occured while saving the configuration file: Insufficient Rights
>> >
>> > This is a domain-admin account, it is the same in the sync config file. It
>> > is the same that was used to install ADAM, and is also the account the
>> > service runs under. I am able to use LDP and bind with this account to the
>> > DC. The event log shows:
>> >
>> > This DSA successfully wrote the service principal names for the following
>> > account which are needed for mutual authentication to succeed on inbound
>> > connections.
>> >
>> > Account: CN=Administrator,CN=Users,DC=test,DC=co,DC=santa-cruz,DC=ca,DC=us
>> >
>> > My environment is ADAM on W2K3, AD on W2K, all in same domain.
>> >
>> > Thanks again for any help.
>> > "Dmitri Gavrilov [MSFT]" wrote:
>> >
>> >> The display name for this CAR is "Replicating Directory Changes". You need
>> >> to grant it *on* the domain head object, *to* the account that adamsync
>> >> uses.
>> >>
>> >> --
>> >> Dmitri Gavrilov
>> >> SDE, Active Directory Core
>> >>
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> rights.
>> >> Use of included script samples are subject to the terms specified at
>> >> http://www.microsoft.com/info/cpyright.htm
>> >>
>> >> "DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:860666FE-367A-48FF-9C59-6B920DCBD356@xxxxxxxxxxxxxxxx
>> >> > Thank you Dmitri. I am having trouble finding this property. When I look at
>> >> > the account in AD users and computers, advanced properties I see:
>> >> > Manage replication topology x(allow)
>> >> > Replication Directory changes x(allow)
>> >> > Replication Synchronization x(allow)
>> >> >
>> >> > I did find create replication connection object was un-checked.
>> >> >
>> >> > Where can I find DS-Replication-get-changes?
>> >> >
>> >> > thanks again,
>> >> >
>> >> > David
>> >> >
>> >> > "Dmitri Gavrilov [MSFT]" wrote:
>> >> >
>> >> >> Sorry to get in the middle of a conversation, I think I can help Lee a bit
>> >> >> here. The server error indicates you are running w2k AD, and it complains
>> >> >> that you don't have permissions to pull changes with DirSync. Indeed,
>> >> >> object-mode security is not implemented in w2k, so the only way to get
>> >> >> dirsync to work is to grant Replicate-Get-Changes control access right to
>> >> >> the account that adamsync uses to connect to AD.
>> >> >>
>> >> >> --
>> >> >> Dmitri Gavrilov
>> >> >> SDE, Active Directory Core
>> >> >>
>> >> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> >> rights.
>> >> >> Use of included script samples are subject to the terms specified
>> >> >> at
>> >> >> http://www.microsoft.com/info/cpyright.htm
>> >> >>
>> >> >> "DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:1A3C2EF8-550E-43A9-8EC3-4118BA161928@xxxxxxxxxxxxxxxx
>> >> >> > New additional info from log:
>> >> >> > Establishing connection to target server sctas06.test.co.santa-cruz.ca.us:50000.
>> >> >> >
>> >> >> > Saving Configuration File on OU=ISD,DC=test,DC=co,DC=santa-cruz,DC=ca,DC=us,DC=adusers
>> >> >> >
>> >> >> > Saved configuration file.
>> >> >> >
>> >> >> > ADAMSync is querying for a writeable replica of sctdc00.test.co.santa-cruz.ca.us.
>> >> >> >
>> >> >> > Error: DCLocator call failed with error 1355. Attempting to bind directly to string.
>> >> >> >
>> >> >> > Establishing connection to source server sctdc00.test.co.santa-cruz.ca.us:389.
>> >> >> >
>> >> >> > Using file .?dam1B.tmp as a store for deferred dn-references.
>> >> >> >
>> >> >> > Populating the schema cache
>> >> >> >
>> >> >> > Populating the well known objects cache
>> >> >> >
>> >> >> > Starting synchronization run from ou=ISD,dc=test,dc=co,dc=santa-cruz,dc=ca,dc=us.
>> >> >> >
>> >> >> > Starting DirSync Search with object mode security.
>> >> >> >
>> >> >> > Ldap error occured. ldap_search_ext_s: Insufficient Rights.
>> >> >> >
>> >> >> > Extended Info: 000020F8: LdapErr: DSID-0C090670, comment: Error processing control, data 0, v893.
>> >> >> >
>> >> >> > Ldap error occured. ldap_search_ext_s: Insufficient Rights.
>> >> >> >
>> >> >> > Extended Info: 000020F8: LdapErr: DSID-0C090670, comment: Error processing control, data 0, v893.
>> >> >> >
>> >> >> > Saving Configuration File on OU=ISD,DC=test,DC=co,DC=santa-cruz,DC=ca,DC=us,DC=adusers
>> >> >> >
>> >> >> > Saved configuration file.
>> >> >> >
>> >> >> > I hope this helps.
>> >> >> > David
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > "Lee Flight" wrote:
>> >> >> >
>> >> >> >> Hi
>> >> >> >>
>> >> >> >> I'm assuming that you re-ran the ADAMSync /install after updating
>> >> >> >> the config.xml(?) Was the command below run with /log - ?
>> >> >> >>
>> >> >> >> I have never seen that error before all I can offer to do is take a look
>> >> >> >> at your config.xml (excluding any passwords etc.) if you are prepared
>> >> >> >> to post it.
>> >> >> >>
>> >> >> >> Thanks
>> >> >> >> Lee Flight
>> >> >> >>
>> >> >> >> "DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> >> news:DD2521D1-3DD8-4DF3-AF43-8EB424C57FCA@xxxxxxxxxxxxxxxx
>> >> >> >> > Ok,
>> >> >> >> > I have added an <account-domain> tag and now the message is:
>> >> >> >> > C:\WINDOWS\ADAM>adamsync /sync localhost:50000 adsyncadam /creds test administrator xxxxx
>> >> >> >> > Error occured fetching internationalized message number -2146893813. Error code: 317
>> >> >> >> >
>> >> >> >> > C:\WINDOWS\ADAM>
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > David
>> >> >> >> > "Lee Flight" wrote:
>> >> >> >> >
>> >> >> >> >> Hi
>> >> >> >> >>
>> >> >> >> >> "DavidInCruz" <DavidInCruz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> >> >> news:91E0B81B-D04B-4A07-97B5-5B047CBDC231@xxxxxxxxxxxxxxxx
>> >> >> >> >>
>> >> >> >> >> > C:\WINDOWS\ADAM>adamsync /sync localhost:50000 adsyncadam /creds test administrator xxxxxx
>> >> >> >> >> > Ldap error occured. ldap_bind_s: Invalid Credentials.
>> >> >> >> >> > Extended Info: 8009030C: LdapErr: DSID-0C0903E2, comment: AcceptSecurityContext error, data 0, v893.
>> >> >> >> >>
>> >> >> >> >> I think that has to be saying that the account that you are specifying for
>> >> >> >> >> the AD partition does not have access. Could you check that the
>> >> >> >> >> <source-ad-account> and <account-domain> are correct and that the
>> >> >> >> >> account has access to the partition in AD that you are spec. You could check
>> >> >> >> >> by using ldp.exe to bind to the AD with that account, the security event log
>> >> >> >> >> on the DCs for the AD might give you a clue what is happening if you audit
>> >> >> >> >> logon failures as part of your security policy.
>> >> >> >> >>
>> >> >> >> >> Thanks
>> >> >> >> >> Lee Flight
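An added example, not part of the original thread: one way to answer the "verify/list" question above is to read the SDDL form of the domain head's security descriptor and list which trustees hold the replication control access rights directly on that object. The SDDL string and SIDs below are constructed, the function names are hypothetical, and group membership is not expanded.

```python
import re

# rightsGuid values of the replication control access rights (CARs).
REPL_CARS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Synchronize",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Manage-Topology",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
ACE_TYPES = {"A": "allow", "OA": "allow", "D": "deny", "OD": "deny"}
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_SDDL = (  # constructed domain-head SDDL, not taken from the thread
    "O:DAG:DAD:AI"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOM}-1105)"
    f"(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;{DOM}-1105)"
    f"(OA;CIIO;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOM}-1106)"  # inherit-only
    f"(A;;RPWPCR;;;{DOM}-1107)"  # CR with no object GUID: covers every CAR
    "(OA;;RP;bf967a86-0de6-11d0-a285-00aa003049e2;;AU)"  # property read, not a CAR
    "S:AI(OU;CISA;WP;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;WD)"  # SACL, ignored
)

def pairs(codes):  # split an SDDL flag or rights string into two-letter codes
    return {codes[i:i + 2] for i in range(0, len(codes), 2)}

def has_control_access(rights):
    """True if the rights field carries CR (0x100) or generic-all."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (0x100 | 0x10000000))
    return bool(pairs(rights) & {"CR", "GA"})

def replication_aces(sddl):
    """Sorted (trustee, right, allow/deny) tuples effective on the object itself."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    found = set()
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] not in ACE_TYPES:
            continue  # malformed, audit or callback ACE
        ace_type, flags, rights, guid, _, trustee = fields
        if "IO" in pairs(flags) or not has_control_access(rights):
            continue  # inherit-only ACEs do not apply to the head object
        name = "ALL-EXTENDED-RIGHTS" if not guid else REPL_CARS.get(guid.lower())
        if name:
            found.add((trustee, name, ACE_TYPES[ace_type]))
    return sorted(found)

if __name__ == "__main__":
    for row in replication_aces(SAMPLE_SDDL):
        print(*row)
```

A trustee that appears only through an inherit-only ACE (RID 1106 in the sample) is not listed, because that ACE does not apply to the domain head itself.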