Re: ADAM SP1 on Win2K3 SP1
- From: Bo Zhu <ffkiller@xxxxxxxxxxxxxxxxx>
- Date: Mon, 28 Aug 2006 15:46:44 +0800
Okay, the second mystery is solved. I didn't use dsdbutil to change the ADAM service account; that's why I'm getting a JET DB-related error.
The first problem remains.
Bo Zhu wrote:
Hi,
I have two questions related to ADAM running on a domain controller.
1. SSL connection with a non-administrative account
I followed a pretty detailed step-by-step guide (http://www.oftedal.no/~erlend/?blogid=7) on how to set up an SSL certificate with ADAM, like generating a server authentication certificate, placing the certificate in the service account's certificate store, granting read access to the private key files, etc. But after all configuration steps were done, I was only able to connect to my ADAM instance through SSL if ADAM was run by an administrative account. If I run the ADAM service as "NT Authority\Network Service", which is the default account selected during ADAM instance creation, ldp.exe always fails to connect with the following error message:
ld = ldap_sslinit("ffkillervm2k3.zb.encentuate.com", 50001, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ffkillervm2k3.zb.encentuate.com.
I found something in one ADAM FAQ from Microsoft that says I can use the "certutil -store my" command to see the file name of the private key whose Read permission should be granted to the service account used to run the ADAM service. But all I got for the "Key Container" attribute after running this command is the name of the root CA certificate I generated earlier. I even granted Read permission on the "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" folder and all sub-folders to the "NT Authority\Network Service" account, and the SSL connection still fails.
2. Running ADAM service with a domain user account
ADAM Help states I should not run the ADAM service with the "NT AUTHORITY\NETWORK SERVICE" account if the instance is running on a domain controller. So I created a new domain user in my test AD and used that account to run ADAM. I have also enabled "Log on as a service" and "Generate security audits" for the new domain user account in the Default Domain Controllers Policy. Unfortunately I'm not able to start the ADAM service with that new domain user account.
A quick examination of Windows events shows one error:
Active Directory could not be initialized.
The directory service cannot recover from this error.
User Action
Restore the local directory service from backup media.
Additional Data
Error value:
-1032 JET_errFileAccessDenied, Cannot access file, the file is locked or in use
Any help is appreciated.
Best regards,
Bo Zhu
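The private-key permission step from the first question, done as a script (an added example, not code from the thread or from Microsoft's ADAM documentation): it finds the certificate's key container file, which is the value "certutil -store my" prints as Key Container, and grants the service account Read on that one file rather than on the whole MachineKeys folder. The host name and account are taken from the post; the CNG fallback and the folder lookup assume a .NET 4.6+ / Windows PowerShell host.

```powershell
# Added example, not code from the thread or from Microsoft's ADAM documentation.
# Grants the ADAM service account Read on the private key file that backs the SSL
# certificate, instead of opening up the whole MachineKeys folder.
$Subject        = 'ffkillervm2k3.zb.encentuate.com'   # host name from the post
$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'      # default ADAM service account

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$Subject*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$Subject in LocalMachine\My" }

# Legacy CSP keys expose the container file name directly (this is the value that
# 'certutil -store my' prints as Key Container); CNG keys expose it via the KSP handle.
$keyName = $null
if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -and $rsa.Key) { $keyName = $rsa.Key.UniqueName }
}
if (-not $keyName) { throw "Cannot determine the key container for thumbprint $($cert.Thumbprint)" }

# Machine key files live under the common application data folder; CSP and CNG keys
# use different subdirectories, so check both.
$root = [Environment]::GetFolderPath('CommonApplicationData')
$keyFile = @('Microsoft\Crypto\RSA\MachineKeys', 'Microsoft\Crypto\Keys') |
    ForEach-Object { Join-Path (Join-Path $root $_) $keyName } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Key container file $keyName not found under $root\Microsoft\Crypto" }

# Add a Read ACE for the service account only if one is missing. Read is all TLS
# needs; do not grant Modify or Full Control on key material.
$acl = Get-Acl -Path $keyFile
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $ServiceAccount -and
    (($_.FileSystemRights -band $readRight) -eq $readRight)
}
if ($hasRead) {
    Write-Host "$ServiceAccount already has Read on $keyFile"
} else {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on $keyFile to $ServiceAccount"
}
```

If the script reports that the account already has Read and ldp.exe still fails with error 81, the key file is not the problem and the certificate itself (server authentication EKU, subject matching the host name the client connects to) is the next thing to check.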