Re: Creating a Computer Object in ADAM
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 6 Nov 2006 14:36:29 -0600
I'm going to guess and say that the ADAM service account doesn't have the
"generate security audits" privilege in the local security policy (or the
group policy that is governing that particular setting). Try adding that.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
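An added check for Joe's diagnosis, not part of the original thread: the PowerShell below reads the logon account of the ADAM instance's Windows service and compares it, by SID, against the accounts that the effective local policy grants SeAuditPrivilege ("Generate security audits"), so the privilege is verified before anyone edits policy. It assumes ADAM's service naming convention ADAM_<instance> (the instance name CAMEO is taken from the thread's server objects), an elevated shell, and a host recent enough to have Get-CimInstance; none of this is stated in the thread.

```powershell
# Added example (not part of the thread): does the account running an ADAM
# instance's service hold SeAuditPrivilege ("Generate security audits")?
# Assumptions: service name ADAM_<InstanceName> (ADAM's own convention; "CAMEO"
# is the instance name visible in the thread) and an elevated shell so that
# secedit can export the effective local policy.
param([string]$InstanceName = 'CAMEO')

function Get-AdamServiceAccount {
    param([string]$Instance)
    $svc = Get-CimInstance Win32_Service -Filter "Name='ADAM_$Instance'"
    if (-not $svc) { throw "Service ADAM_$Instance not found on this host" }
    $name = $svc.StartName
    if ($name -like '.\*') { $name = "$env:COMPUTERNAME\" + $name.Substring(2) }
    # Compare by SID, not by name: the service control manager spells the
    # built-in accounts differently from the way LSA/secedit resolve them.
    $sid = switch -Regex ($name) {
        '^LocalSystem$'                  { 'S-1-5-18'; break }
        '^NT AUTHORITY\\LocalService$'   { 'S-1-5-19'; break }
        '^NT AUTHORITY\\NetworkService$' { 'S-1-5-20'; break }
        default {
            (New-Object System.Security.Principal.NTAccount($name)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        }
    }
    [pscustomobject]@{ Name = $name; Sid = $sid }
}

function Get-AuditPrivilegeHolders {
    # secedit exports the effective assignment as
    # "SeAuditPrivilege = *S-1-5-19,*S-1-5-20" (SIDs prefixed with '*').
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeAuditPrivilege\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # the right is assigned to nobody at all
    return (($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
}

$account = Get-AdamServiceAccount -Instance $InstanceName
$holders = @(Get-AuditPrivilegeHolders)
if ($holders -contains $account.Sid) {
    "OK: $($account.Name) holds SeAuditPrivilege directly; event 1314 has another cause."
} else {
    "MISSING: $($account.Name) ($($account.Sid)) is not granted SeAuditPrivilege directly."
    "Current holders: " + ($holders -join ', ')
    "Grant 'Generate security audits' in Local Security Policy (or the GPO that governs it) and restart ADAM_$InstanceName."
}
```

The comparison covers direct grants only; if the right reaches the service account through a group (Administrators, for example), run whoami /priv in a process started as that account instead. A default Windows policy grants the right to LOCAL SERVICE and NETWORK SERVICE, so when the service runs as Network Service and the check reports it missing, a hardening template or a GPO has removed it, which is the group-policy case Joe mentions.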
"LM" <merrittf@xxxxxxxx> wrote in message
news:1162844762.921142.151850@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
This may be kind of chicken, I suppose, but given that we screwed
around quite a bit getting the stuff up the first time, we decided to
burn it all down and start over, going more slowly and carefully, and
see if we can get a clean, properly replicating configuration set
established and go from there. On installing the first instance on our
Windows 2003 server, we got the following warning:
'Active Directory was unable to initialize auditing security system. It
will run with auditing disabled. No security audits will be generated.
Additional Data: Error value: 1314 A required privilege is not held by
the client. For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.'
Just to keep from potentially chasing our tails more than can be
helped, I'd like to get an error/warning free install to start from, at
least. Seems like this might be information I can use.
Any advice on what causes this warning, and how to eliminate it?
Thanks,
Lincoln
Lee Flight wrote:
Hi
so it seems like you are using pass-through authentication in a workgroup
and the name of one of the servers was changed, is that what happened?
I have not tried a rename on a member of a config set and so would need
to test...
How are you doing name resolution in the workgroup, WINS or hosts
file? Can the replication partners resolve the new name?
You might want to run repadmin /showrepl or /replsummary against
the name changed server and its partners to see status.
I'm not convinced that the errors from dsdiag are such a problem
for machines in a workgroup.
Lee Flight
"LM" <merrittf@xxxxxxxx> wrote in message
news:1162409304.382402.207220@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Definitely have replication problems. A couple questions about tools,
too. I appreciate it.
=================================================================
The attempt to establish a replication link for the following writable
directory partition failed.
Directory partition:
CN=Configuration,CN={954BF3F5-7205-47D1-935D-A1536D1E00C4}
Source directory service:
CN=NTDS Settings,CN=280M$CAMEO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={954BF3F5-7205-47D1-935D-A1536D1E00C4}
Source directory service address:
280m:10f4334d-f1a5-4cab-861d-be724f003416
Intersite transport (if any):
This directory service will be unable to replicate with the source
directory service until this problem is corrected.
User Action
Verify if the source directory service is accessible or network
connectivity is available.
Additional Data
Error value:
8457 The destination server is currently rejecting replication
requests.
=======================================================
The Error from Same:
The directory server has failed to update the host name and/or ports
information for this service on the following remote server. This
operation will be retried. Other directory servers in this
configuration set (if any) will be unable to replicate changes from
this directory server until this change is performed and replicated to
them.
Additional Data
Target DSA object:
CN=NTDS Settings,CN=280M$CAMEO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={954BF3F5-7205-47D1-935D-A1536D1E00C4}
Error value:
5 Access is denied.
Internal ID:
32b0824
========================================================
The information entry that started it all:
The directory server has detected that the host name and/or ports have
been changed. If this is the only directory server in the configuration
set, then this information will be updated in the local database.
Otherwise, this information will be updated on a remote directory
server. This message will repeat until this change is replicated to the
local directory server.
Additional Data
Old DNS host name: Apps-Server
Current DNS host name: dev
Old NetBIOS name: APPS-SERVER
Current NetBIOS name: DEV
Old LDAP port: 389
Current LDAP port: 389
Old SSL port: 636
Current SSL port: 636
========================================================
Works on what happens to be my local instance:
The directory server has successfully updated the host name and/or
ports information for this service on the following remote server.
Other directory servers in this configuration set (if any) will be
unable to replicate changes from this directory server until this
change is replicated to them.
Additional Data
Target DSA object: CN=NTDS Settings,CN=MERRITTF$CAMEO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={954BF3F5-7205-47D1-935D-A1536D1E00C4}
========================================================
These instances are all set up for authentication mode 0 and belong to
the same workgroup
========================================================
About tools:
I can't seem to get connected to my local instance of ADAM running
dsdiag. Connectivity fails as
'C:\WINDOWS\ADAM>dsdiag /s:MERRITTF /u:localhost\ADAM_Manager /p:* /v
Directory Server Diagnosis
Performing initial setup:
* Connecting to directory service on server MERRITTF.
[MERRITTF] Directory Binding Error 1753:
There are no more endpoints available from the endpoint mapper.
This may limit some of the tests that can be performed.
* Identified ADAM Configuration Set.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 5 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\MERRITTF$CAMEO
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
[MERRITTF$CAMEO] DsBindWithSpnEx() failed with error 5,
Access is denied..
......................... MERRITTF$CAMEO failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\MERRITTF$CAMEO
Skipping all tests, because server MERRITTF$CAMEO is
not responding to directory service requests
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: VerifyReplicas
Running partition tests on : CAMEO
Starting test: CrossRefValidation
......................... CAMEO passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
I noted your comment re: using IP addresses. Looking at this from
below it does seem to resolve it to the DEV server, though.
'Testing server: Default-First-Site-Name\DEV$CAMEO'
Trying to run against the server I get:
C:\WINDOWS\ADAM>dsdiag /s:192.1.0.78 /u:192.1.0.78\ADAM_Manager /p:password /v
Directory Server Diagnosis
Performing initial setup:
* Connecting to directory service on server 192.1.0.78.
*** Warning: could not confirm the identity of this server in
the directory versus the names returned by DNS servers.
If there are problems accessing this directory server then
you may need to check that this server is correctly registered
with DNS
[192.1.0.78] Directory Binding Error 1753:
There are no more endpoints available from the endpoint mapper.
This may limit some of the tests that can be performed.
* Identified ADAM Configuration Set.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 5 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DEV$CAMEO
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
[DEV$CAMEO] DsBindWithSpnEx() failed with error 1772,
The list of RPC servers available for the binding of auto handles has been exhausted..
RPC Extended Error Info not available. Use group policy on the local machine at "Computer Configuration/Administrative Templates/System/Remote Procedure Call" to enable it.
......................... DEV$CAMEO failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DEV$CAMEO
Skipping all tests, because server DEV$CAMEO is
not responding to directory service requests
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: VerifyReplicas
Running partition tests on : CAMEO
Starting test: CrossRefValidation
......................... CAMEO passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
I can connect to my instance and Dev with ADSI Edit and
ADSchemaAnalyzer, so I'm a little confused, particularly since I am
getting Access Denied to my local instance when running DSDIAG. I
cannot get to the other members of the CS with ADSIEdit, however.
The other members of the CS should be set up the same as mine, but
obviously something is wrong.
These computers are not part of a Domain. No Domain controller in our
local network, we're just a Workgroup. Is a domain required for the
dsdiag tool?
Sorry for the long post. I'm kinda stumped.
Lee Flight wrote:
Hi
I think you need to check the ADAM instance event logs
on the members of your config set to look for clues as
to why you are having replication issues.
A couple of other points:
you should *not* attempt a schema extension until you
have your replication in working order
dsdiag may not work too well with IP addresses, I suspect
it will want resolvable names.
Lee Flight
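Lee's suggestions (check each member's ADAM event log, confirm that partners can resolve the renamed server, look at replication status) can be worked through from one instance. The PowerShell below is an added example, not part of the thread or of ADAM's own tooling: it reads the server objects from the local instance's Configuration partition, tests name resolution and the LDAP port for each member, and counts the numeric "Error value" codes in the last day of errors and warnings from each member's ADAM log. Assumed, not stated in the thread: the local instance on localhost:389, the attributes dNSHostName (on the server object) and msDS-PortLDAP (on NTDS Settings), the log name "ADAM (<instance>)", and a local administrator credential that is valid on every workgroup member.

```powershell
# Added example (not part of the thread): config-set member health check run
# from one ADAM instance. Assumptions: local instance on localhost:389; each
# member's host name is dNSHostName on its server object and its LDAP port is
# msDS-PortLDAP on its NTDS Settings object; the instance log is named
# "ADAM (<instance>)"; the credential is a local admin on each member (workgroup,
# no domain, as in the thread).
param(
    [string]$Local = 'localhost:389',
    [string]$InstanceName = 'CAMEO',
    [pscredential]$Credential = (Get-Credential -Message 'Local admin on the config-set members')
)

function Get-ConfigSetMembers {
    param([string]$Server)
    $root = [ADSI]"LDAP://$Server/RootDSE"
    $configNC = $root.configurationNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/CN=Sites,$configNC"
    $searcher.Filter = '(objectClass=nTDSDSA)'     # one NTDS Settings object per member
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'msDS-PortLDAP'))
    foreach ($r in $searcher.FindAll()) {
        $serverObj = $r.GetDirectoryEntry().Parent   # CN=<host>$<instance>,CN=Servers,...
        [pscustomobject]@{
            Server = $serverObj.Name
            Host   = [string]$serverObj.dNSHostName
            Port   = [int]$r.Properties['msds-portldap'][0]
        }
    }
}

function Test-ConfigSetMember {
    param($Member, [pscredential]$Cred, [string]$Instance)
    # 1. Can this host resolve the partner's (possibly renamed) host name?
    $ip = $null
    try { $ip = ([System.Net.Dns]::GetHostAddresses($Member.Host) | Select-Object -First 1).IPAddressToString } catch { }
    # 2. Does the partner answer on its published LDAP port?
    $ldapOpen = $false
    if ($ip) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect($ip, $Member.Port); $ldapOpen = $tcp.Connected } catch { } finally { $tcp.Close() }
    }
    # 3. Tally the numeric "Error value: N" that ADAM's replication events carry
    #    (8457, 5, 8456 ... in the thread) so a pattern per partner stands out.
    $codes = @{}
    try {
        $events = Get-WinEvent -ComputerName $Member.Host -Credential $Cred -ErrorAction Stop -FilterHashtable @{
            LogName = "ADAM ($Instance)"; Level = 2, 3; StartTime = (Get-Date).AddDays(-1) }
        foreach ($e in $events) {
            if ($e.Message -match 'Error value:\s*(\d+)') { $codes[$matches[1]] = 1 + [int]$codes[$matches[1]] }
        }
    } catch {
        if ($_.Exception.Message -notmatch 'No events were found') { $codes['log-unreadable'] = 1 }
    }
    [pscustomobject]@{
        Server       = $Member.Server
        Host         = $Member.Host
        ResolvesTo   = $ip
        LdapPortOpen = $ldapOpen
        ErrorCodes   = ($codes.GetEnumerator() | ForEach-Object { "$($_.Key) x$($_.Value)" }) -join '; '
    }
}

Get-ConfigSetMembers -Server $Local |
    ForEach-Object { Test-ConfigSetMember -Member $_ -Cred $Credential -Instance $InstanceName } |
    Format-Table -AutoSize
```

A member that resolves and answers on its LDAP port but reports log-unreadable usually means the remote event-log RPC path is blocked (firewall rule for remote event log management, or no matching local account), which is a different problem from the replication failure itself; a member that does not resolve at all is the name-resolution case Lee asks about. The replication-link view of the same partners comes from repadmin /showrepl against the renamed server, as Lee suggests.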
"LM" <merrittf@xxxxxxxx> wrote in message
news:1161896039.990046.173210@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Lee,
Getting kinda fun now, but not there yet.
Using the ADAM Schema MMC Snap-In, I determined that the Schema Master happens to be the instance of ADAM running on the server we call "Dev".
Just for fun, I attempted to transfer the Schema Master Role to my local instance. I was logged into the Dev instance with admin privileges.
When I tell it to do the change, I get the message 'The requested FSMO operation failed. The current FSMO holder could not be contacted. The transfer of the current Operations Master could not be performed.'
Event Log entry reads:
'An attempt to transfer the operations master role represented by the following object failed.
Object:
CN=Schema,CN=Configuration,CN={954BF3F5-7205-47D1-935D-A1536D1E00C4}
Current operations master role:
CN=NTDS Settings,CN=DEV$CAMEO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={954BF3F5-7205-47D1-935D-A1536D1E00C4}
Proposed operations master role:
CN=NTDS Settings,CN=MERRITTF$CAMEO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={954BF3F5-7205-47D1-935D-A1536D1E00C4}
Additional Data
Error value:
8456'
Per MSDN, error code 8456 is:
'ERROR_DS_DRA_SOURCE_DISABLED
8456 The source server is currently rejecting replication requests.'
Running dsdiag returned the following:
C:\WINDOWS\ADAM>dsdiag /s:192.1.0.78:389 /u:Dev\ADAM_Manager /p:*
Password:
Directory Server Diagnosis
Performing initial setup:
An error cocured during DNS host lookup
* Identified ADAM Configuration Set.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DEV$CAMEO
Starting test: Connectivity
[DEV$CAMEO] DsBindWithSpnEx() failed with error 1772,
The list of RPC servers available for the binding of auto handles has been exhausted..
......................... DEV$CAMEO failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DEV$CAMEO
Skipping all tests, because server DEV$CAMEO is
not responding to directory service requests
Running partition tests on : CAMEO
Starting test: CrossRefValidation
......................... CAMEO passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
If I'm reading it right, it looks like it's never really getting connected. I tried domain in the /u parameter a number of ways (IP, IP:389, and so forth) with the same results. Also tried /s as both IP and IP:389.
Suggestions?
Many thanks again,
Lincoln
Lee Flight wrote:
Hi
the schema spans the config set and schema updates must be made
against the schema FSMO. The recommended way to do this
is to run the update on the schema FSMO or transfer the
schema FSMO role to a server and run the update. See:
ADAM Help
ADAM How To
Manage Schemas and Directory Partitions
Lee Flight
"LM" <merrittf@xxxxxxxx> wrote in message
news:1161717744.283588.221950@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Lee et al.,
Getting much warmer, for sure. I did the following steps:
1. Started up ADSchemaAnalyzer and loaded a Target Schema from an Active Directory instance on my network.
2. Loaded a Base Schema from localhost:389, which is my ADAM instance.
3. Selected the computer object class in the Classes tree (noting that it Auto Included some other classes).
4. Selected Create LDIF File from the file menu and so forth.
I opened up the LDIF file to get the import command:
# ==================================================================
#
# This file should be imported with the following command:
# ldifde -i -u -f compobj.ldf -s server:port -b username domain password -j . -c "cn=Configuration,dc=X" #configurationNamingContext
# LDIFDE.EXE from AD/AM V1.0 or above must be used.
# This LDIF file should be imported into AD or AD/AM. It may not work for other directories.
#
# ==================================================================
I executed the command as shown, with the exception that I removed the -b parameter and allowed it to log in as current user. That seemed to work alright, but here's the log:
Connecting to "localhost:389"
Logging in as current user using SSPI
Importing directory from file "compobj.ldf"
Loading entries
1: cn=ACS-Policy-Name,cn=Schema,CN=Configuration,CN={954BF3F5-7205-47D1-935D-A1536D1E00C4}
Entry DN: cn=ACS-Policy-Name,cn=Schema,CN=Configuration,CN={954BF3F5-7205-47D1-935D-A1536D1E00C4}
Add error on line 15: Referral
The server side error is: 0x202b A referral was returned from the
server.
The extended server error is:
0000202B: RefErr: DSID-030A0A19, data 0, 1 access points
ref 1: 'dev:389:636'
0 entries modified successfully.
An error has occurred in the program
I note 'ref 1: 'dev:389:636'. dev is the name of a server that has an instance of ADAM that is part of my replication set (terminology?), so I'm guessing it's complaining that one of its replication partners (term again?) is trying to modify the schema. Makes sense to me but, assuming I'm right, what's to be done?
Many thanks for your help Lee and others.
Lincoln
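Putting Lee's advice together with the referral in the log: the local replica answers a schema write with a referral to 'dev:389:636' because dev holds the schema FSMO, and the fix is to send the import there. The PowerShell below is an added example, not part of the thread or of ADSchemaAnalyzer's output: it reads fSMORoleOwner from the schema partition, resolves that NTDS Settings object to a host name and LDAP port, and runs the header's ldifde command against it. Assumed, not stated in the thread: the attributes dNSHostName (server object) and msDS-PortLDAP (NTDS Settings), the ldifde switches -u, -k and -j (the last takes the log directory, which is why '-j adamlog.txt' failed earlier in the thread), and that the current user is an ADAM administrator on the holder so the SSPI bind works without -b.

```powershell
# Added example (not part of the thread): locate the schema FSMO holder of the
# configuration set and run the ADSchemaAnalyzer LDIF import against it instead
# of against a local replica that only returns a referral.
# Assumptions: fSMORoleOwner on the schema partition names the holder's NTDS
# Settings object; its parent server object carries dNSHostName and the NTDS
# Settings object carries msDS-PortLDAP; the -c token is the one from the
# generated LDIF header; the current user is an ADAM administrator on the holder.
param(
    [string]$Local = 'localhost:389',
    [string]$LdifFile = 'compobj.ldf',
    [string]$LogDir = '.'      # -j takes a directory; ldifde writes ldif.log/ldif.err there
)

function Get-SchemaFsmoHolder {
    param([string]$Server)
    $root = [ADSI]"LDAP://$Server/RootDSE"
    $schema = [ADSI]"LDAP://$Server/$($root.schemaNamingContext.Value)"
    $ownerDn = [string]$schema.fSMORoleOwner      # CN=NTDS Settings,CN=DEV$CAMEO,CN=Servers,...
    $ntds = [ADSI]"LDAP://$Server/$ownerDn"
    $srv = $ntds.Parent                           # CN=DEV$CAMEO,CN=Servers,...
    [pscustomobject]@{
        ServerObject = $srv.Name
        Host         = [string]$srv.dNSHostName
        Port         = [int][string]$ntds.'msDS-PortLDAP'
        IsLocal      = ($ownerDn -eq [string]$root.dsServiceName)
    }
}

$holder = Get-SchemaFsmoHolder -Server $Local
if (-not $holder.Host) { throw "Holder $($holder.ServerObject) has no dNSHostName; fix the server object before importing" }
$target = '{0}:{1}' -f $holder.Host, $holder.Port
"Schema FSMO holder: $($holder.ServerObject) at $target" + $(if ($holder.IsLocal) { ' (this instance)' } else { '' })

# The command the LDIF header prescribes, aimed at the FSMO holder rather than
# the local replica. -k continues past 'already exists' for classes the analyzer
# auto-included that the target schema already has.
$ldifArgs = @('-i', '-u', '-f', $LdifFile, '-s', $target, '-j', $LogDir,
              '-c', 'cn=Configuration,dc=X', '#configurationNamingContext', '-k')
& ldifde.exe @ldifArgs
if ($LASTEXITCODE -ne 0) {
    throw "ldifde exited with $LASTEXITCODE; see $(Join-Path $LogDir 'ldif.err')"
}
```

When the referral names the holder plainly, as 'dev:389:636' does here, pointing ldifde's -s at that host and port by hand gives the same result; the lookup matters once the configuration set has more than a couple of members or the holder has been renamed. Transferring the role, Lee's alternative, also needs the current holder reachable, as the 'could not be contacted' error in the thread shows, so targeting the holder directly is the shorter path whenever it answers on LDAP.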
Lee Flight wrote:
Hi
you are in luck, ADAM SP1 comes with ADSchemaAnalyzer
which will let you import from a source schema into your ADAM
schema. That will handle all of the dependencies for you.
There are some notes on using ADSchemaAnalyzer in the
ADAM Step-By-Step Guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=5163b97a-7df3-4b41-954e-0f7c04893e83&DisplayLang=en
and if you google the archives of this newsgroup you will find
some more notes on it.
On ldifde -j is the path to the log file, so . would be the current directory.
Note that a computer account in ADAM will not behave as
a domain computer account (security principal, domain trust)
so keep that in mind.
Post back if you need more help.
Lee Flight
"LM" <merrittf@xxxxxxxx> wrote in message
news:1161279148.807280.104540@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Folks,
I'm quite new to ADAM and Active Directory.
We want to create a Computer Object in ADAM for use by our application.
I found postings here that discussed exporting the Computer Object from an Active Directory instance using LDIFDE and importing it into ADAM. I did manage to export the object from Active Directory successfully (at least it appears so) but when I try to import it into ADAM I get the following:
'C:\WINDOWS\ADAM>ldifde -i -f compobj.ldf -s localhost:389
Connecting to "localhost:389"
Logging in as current user using SSPI
Importing directory from file "compobj.ldf"
Loading entries.
Add error on line 1: No Such Attribute
The server side error is: 0x57 The parameter is incorrect.
The extended server error is:
00000057: LdapErr: DSID-0C090B3D, comment: Error in attribute
conversion operation, data 0, va28
0 entries modified successfully.
An error has occurred in the program
No log files were written. In order to generate a log file, please specify the log file path via the -j option.'
Reading a little more carefully in the thread, I found this response to the suggestion about importing the computer object, from Dmitri Gavrilov:
'Unfortunately, it's not as simple as that. You can not just bring a single class in. You have to bring all of its dependents too, attributes it references, its superclass (user, slightly different from ADAM's user definition), etc. This is not easy.'
Bummer...
I would like to get the Computer Object Class into my ADAM instance.
Any advice? As I said, I'm really new to ADAM and AD and not really sure how to find the dependencies or what have you. For that matter, if it depends on a user class being imported that is 'slightly different from ADAM's user definition', that sounds like it might overwrite the ADAM user class and so on, and who knows what a ball of worms that might turn into? I would appreciate any advice on this I can get.
By the way, when I try to create a log I get:
C:\WINDOWS\ADAM>ldifde -i -f compobj.ldf -s localhost:389 -j adamlog.txt
Unable to open log file
I can't think of any reason it shouldn't be able to open a file.
C:\adamlog.txt doesn't work either, btw. Suggestions?
Many Thanks,
Lincoln