Re: ADAM SP1 on Win2K3 SP1



The problem remains after I granted Read permission of every file in MachineKeys folder to the domain user. ldp.exe still fails with the same error code 0x51 Server Down, which doesn't make any sense.

Now I have a general question. Assuming SSL on ADAM is working fine and I want to use another domain user account as the ADAM service account. Do I only need to grant that account READ permission to machine keys and use dsdbutil to change the ADAM service account? Or do I have to go through the entire process starting from requesting the certificate all over again to use the new domain user account as the ADAM service account?

Previously what I did was that I went through the entire SSL setup process while logged on as a domain admin, and subsequently picked a normal domain user account to run ADAM.

Lee Flight wrote:
Hi

as you noted if running ADAM on a DC you should be
using a standard domain account not Network Service.

There are some notes on ADAM SSL configuration here:

http://groups.google.co.uk/group/microsoft.public.windows.server.active_directory/msg/6a89876d200518cf?hl=en

In particular note that you must set appropriate permissions on *individual*
keys in Users\ApplicationData\Microsoft\Crypto\RSA\MachineKeys as
the keys in that folder do not inherit permissions.

Lee Flight

"Bo Zhu" <ffkiller@xxxxxxxxxxxxxxxxx> wrote in message news:edYZ7XnyGHA.4104@xxxxxxxxxxxxxxxxxxxxxxx

Okay, the second mystery is solved. I didn't use dsdbutil to change ADAM service account, that's why I'm getting some JET DB related error.

The first problem remains there.

Bo Zhu wrote:

Hi,

I have two questions related to ADAM running on a domain controller.

1. SSL connection with non-administrative account
I followed a pretty detailed step-by-step guide (http://www.oftedal.no/~erlend/?blogid=7) on how to set up an SSL certificate with ADAM, like generating a server authentication certificate, placing the certificate in the service account certificate store, granting read access to private key files, etc. But after all configuration steps were done, I was only able to connect to my ADAM instance through SSL if ADAM is run by an Administrative account. If I run the ADAM service with "NT Authority\Network Service", which is the default account selected during ADAM instance creation, ldp.exe always fails to connect with the following error message:

ld = ldap_sslinit("ffkillervm2k3.zb.encentuate.com", 50001, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ffkillervm2k3.zb.encentuate.com.

I found something in one ADAM FAQ from Microsoft that says I can use "certutil -store my" command to see the file name of the private key whose Read permission should be granted to the service account used to run ADAM service. But all I got for the "Key Container" attribute after running this command is the name of root CA certificate I generated earlier. I even granted Read permission of "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" folder and all sub-folders to "NT Authority\Network Service" account and still SSL connection fails.


2. Running ADAM service with a domain user account
ADAM Help states I should not run the ADAM service with the "NT AUTHORITY\NETWORK SERVICE" account if the instance is running on a domain controller. So I created a new domain user in my test AD and used that account to run ADAM. I have also enabled "Log on as a service" and "Generate security audits" for the new domain user account in Default Domain Controllers Policy. Unfortunately I'm not able to start the ADAM service with that new domain user account.

A quick examination of Windows events shows one error:

Active Directory could not be initialized.

The directory service cannot recover from this error.

User Action
Restore the local directory service from backup media.

Additional Data
Error value:
-1032 JET_errFileAccessDenied, Cannot access file, the file is locked or in use


Any help is appreciated.

Best regards,

Bo Zhu
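The procedure the thread keeps circling around (find the private key file that backs the ADAM server certificate, grant the service account Read on that individual file rather than on the MachineKeys folder, restart the instance, then retry the SSL bind) as one script. This is an added example, not code from any poster or from Microsoft. It assumes a CAPI (RSA CSP) key, as ADAM on Windows Server 2003 uses, so that the key file name is exposed through CspKeyContainerInfo; the host name, SSL port, service account name "ZB\adamsvc" and instance service name "ADAM_Instance1" are placeholders, and Add-Type requires PowerShell 2.0 or later.

```powershell
# Added example, not part of the original thread. Assumed values:
#   -ServiceAccount 'ZB\adamsvc'     (the domain user running ADAM)
#   -ServiceName    'ADAM_Instance1' (the ADAM instance's service name)
param(
    [string]$HostName       = 'ffkillervm2k3.zb.encentuate.com',
    [int]   $SslPort        = 50001,
    [string]$ServiceAccount = 'ZB\adamsvc',
    [string]$ServiceName    = 'ADAM_Instance1'
)

# 1. Locate the server-authentication certificate in the machine MY store.
#    This is the same store that "certutil -store my" lists.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$HostName in LocalMachine\My" }

# 2. Resolve the key container to its file under MachineKeys.
#    For a CAPI key, PrivateKey is an RSACryptoServiceProvider whose
#    CspKeyContainerInfo.UniqueKeyContainerName is the on-disk file name.
#    (A CNG key would not expose this property; that case is out of scope here.)
$keyFile = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $keyFile) { throw "Certificate $($cert.Thumbprint) has no CAPI key container" }
$keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyPath = Join-Path $keyDir $keyFile
if (-not (Test-Path $keyPath)) { throw "Key file not found: $keyPath" }

# 3. Grant Read to the service account on the individual key file.
#    Entries in MachineKeys do not inherit, so an ACL on the folder alone does nothing.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl
Write-Host "Granted Read on $keyPath to $ServiceAccount"

# 4. Restart the instance so the service picks up the key with its new ACL.
Restart-Service -Name $ServiceName

# 5. Verify with an SSL bind; this is the same connect that ldp.exe's
#    ldap_sslinit / ldap_connect sequence performs.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $SslPort)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion    = 3
$conn.SessionOptions.SecureSocketLayer  = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $conn.Bind()
    Write-Host "SSL bind to ${HostName}:$SslPort succeeded"
} catch {
    # An "LDAP server is unavailable" here corresponds to ldp.exe's 0x51 Server Down.
    Write-Warning "SSL bind failed: $($_.Exception.Message)"
    Write-Warning "Confirm the ACL on $keyPath names $ServiceAccount and that $ServiceName was restarted."
} finally {
    $conn.Dispose()
}
```

Run it from an elevated prompt as a local administrator on the DC; the account that runs the script needs to change the key file ACL, while the ADAM service account only needs Read. If the bind still fails after the restart, the ADAM instance's own event log (not the System log) is where the service reports which certificate it tried to load.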


