Re: ADAM to ADAM Sync setup




Oh! Thanks for heads up, that makes things easier.
IP does not work most likely because it attempts to do mutual auth, which
requires full DNS name, which must match the SPN.

--
Dmitri Gavrilov
SDE, DS Admin eXperience

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
news:OOdU%23YiGGHA.532@xxxxxxxxxxxxxxxxxxxxxxx
> You are right (of course!) it's a bit of a bad choice for admin account
> when the machine has a domain it can take advantage of. However when
> joining a configuration set with the poster's configuration he is failing
> before being asked for the Admin for the second ADAM instance.
> When I tried a repro. it went OK to beyond the point of failure posted.
>
> It would be great to handle this error better, specifying an IP address
> instead of the FQ DNS name on the Joining a Configuration set page
> seems to trip it every time.
>
> Thanks
> Lee Flight
>
>
> "Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:uWqmtvKGGHA.648@xxxxxxxxxxxxxxxxxxxxxxx
>> One other thing that did not look good is ADAM admin selection. If you
>> use a local user from the first box, then you won't be able to logon to
>> the instance on the second box, because it does not know anything about
>> that user. I wonder if this has some effect on your problem. Try choosing
>> a domain user as ADAM admin.
>>
>> I see many people hit this "parameter is incorrect" error during account
>> validation. We should have put more logging in place... I'll try to
>> improve this in longhorn.
>>
>> --
>> Dmitri Gavrilov
>> SDE, DS Admin eXperience
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> Use of included script samples are subject to the terms specified at
>> http://www.microsoft.com/info/cpyright.htm
>>
>> "Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
>> news:uFekdQIGGHA.3856@xxxxxxxxxxxxxxxxxxxxxxx
>>> Hi
>>>
>>> a few questions:
>>>
>>> did you accept the prompt to grant the logon as a service right
>>> to the domain account you are using?
>>>
>>> is there a firewall between the servers?
>>>
>>> on the second ADAM instance on the Joining a Configuration Set
>>> page of the wizard did you specify the fully-qualified DNS name
>>> of the source server as opposed to say, the IP address? Can the
>>> second server resolve the DNS name of the source server exactly
>>> as you typed it into the wizard on the Joining a Configuration Set
>>> page?
>>>
>>>
>>> Thanks
>>> Lee Flight
>>>
>>>
>>> "Bruce" <besmith2@xxxxxxxxxxx> wrote in message
>>> news:1137169299.236129.74060@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> Step 1: I create the first AD/AM instance and I set the "service
>>>> account selection" to a domain user mydomain\AdamServiceAdmin.
>>>>
>>>> Step 2: I set the adam administrator to a local account
>>>> vmdotnet1\adamAdmin.
>>>>
>>>> The first instance creates successfully so I import the new schema
>>>> ldif's and a few users.
>>>>
>>>>
>>>> Step 3: Then I create the second AD/AM instance on a different box. I
>>>> choose replica. Now I get to the "Administrative Credentials for the
>>>> Configuration set" I put in the local user created on the first box
>>>> vmdotnet1\adamAdmin.
>>>>
>>>> Step 4: I choose my partition. Then on the "Service Account Selection"
>>>> I try to use the domain user mydomain\AdamServiceAdmin and it fails
>>>> with:
>>>>
>>>> The service account for this instance of ADAM cannot be used with the
>>>> selected configuration set. The account failed validation with the
>>>> following error:
>>>> Error 0x80070057
>>>> The parameter is incorrect.
>>>>
>>>> Select a different service account, and then try again.....
>>>>
>>>> Please help.
>>>> Both machines are in the same domain.
>>>>
>>>
>>>
>>
>>
>
>
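
Added example, not part of the original thread: a pre-flight check for the name typed on the Joining a Configuration Set page, covering the points raised above (IP address instead of FQDN, and whether the name resolves exactly as typed). The function name `Test-ReplicaSourceName` and the sample host names are hypothetical; it assumes PowerShell 3.0 or later and uses only .NET name-resolution calls.

```powershell
# Added example: checks a source-server name before it is entered in the wizard.
# Test-ReplicaSourceName is a hypothetical helper, not an ADAM or Microsoft tool.
function Test-ReplicaSourceName {
    param([Parameter(Mandatory = $true)][string]$Name)

    $r = [ordered]@{ Name = $Name; Ok = $false; Reason = ''; Canonical = $null; Addresses = @() }

    # An IP literal gives mutual authentication no DNS name to match against an SPN.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Name, [ref]$ip)) {
        $r.Reason = 'IP address given; use the fully-qualified DNS name'
        return [pscustomobject]$r
    }

    # A single-label (NetBIOS-style) name is not fully qualified.
    $trimmed = $Name.TrimEnd('.')
    if ($trimmed -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        $r.Reason = 'Not a fully-qualified DNS name'
        return [pscustomobject]$r
    }

    # The name must resolve from this machine exactly as typed.
    try {
        $entry = [System.Net.Dns]::GetHostEntry($trimmed)
    } catch {
        $r.Reason = "Does not resolve from this machine: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    $r.Canonical = $entry.HostName
    $r.Addresses = @($entry.AddressList | ForEach-Object { $_.ToString() })
    $r.Ok = $true

    # An alias resolves but may not be the name the SPN was registered under.
    if ($entry.HostName -ine $trimmed) {
        $r.Reason = "Resolves, but the canonical name is $($entry.HostName); confirm which name the SPN uses"
    }
    return [pscustomobject]$r
}

# Constructed sample inputs: an IP literal, a short name, and an FQDN.
'192.0.2.10', 'vmdotnet1', 'vmdotnet1.mydomain.example' |
    ForEach-Object { Test-ReplicaSourceName -Name $_ } |
    Format-Table Name, Ok, Canonical, Reason -AutoSize
```

Run it on the second server, since that is the machine that has to resolve the source server's name.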

