Re: ADAM replica problems
- From: "compurhythms@xxxxxxxxx" <compurhythms@xxxxxxxxx>
- Date: 10 Nov 2006 14:23:35 -0800
Still fighting this one. I haven't tried installing a master on the
machine in question yet as Lee suggests, but here's a different nugget:
This machine is in our test lab and we ghost the test machines
regularly. By ghost I mean bring the machine back online with an
almost-bare XP image that includes some pre-requisite software (which
does not include the ADAM software). Before they do this, I always
request that they do the following:
1. Remove ("un-join") the PC from the domain
2. Make sure there is no lingering entry in AD U&C for the PC under
"Computers"
3. Uninstall the ADAM instance (so it is removed from the appropriate
site in the ADAM configuration DC)
Is there a possibility that the domain controller is confusing the PC
with an older incarnation and disallowing these authentication
requests? The problem is I see no security event log audit failures on
either the DC or the PC, even with all audit filters turned on.
The upshot is that I am still getting "the logon attempt failed" when
trying to connect via ADSI Edit as a domain user on the PC.
Just a thought.
Mike
Lee Flight wrote:
Hi
inline below...
<compurhythms@xxxxxxxxx> wrote in message
news:1162320684.824287.78180@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
All audit events are logged. There are no audit failures shown when
the error occurs
I run with Audit Logon events (success,failure) enabled in the local
security policy
in WinXP and see logs for domain accounts binding to the ADAM instance.
I'll try that. But will this help me zero in on the issue? If it
works, won't it just tell me that there's a problem with a local
replica instance authenticating domain users without giving any insight
into the reason?
I was thinking that if it fails then we know it is a more generic problem;
config sets are harder to debug than unique instances.
Lee Flight
I'm still stunned that a remote bind from another machine with the
_same_ domain credentials works. I would think the authentication
would occur on the target machine, not on the connecting client.
Perhaps I'm wrong on that.
Also, like I said LDP provides the error code "52e, va28". We know 52e
is the dreaded "logon failed", but does anyone know what va28 means?
Mike
Lee Flight
<compurhythms@xxxxxxxxx> wrote in message
news:1162229440.868081.192360@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Environment:
- AD Domain in native 2003 mode
- ADAM master on Win2003 server (not a DC) joined to the domain
- Partition "DC=mypartition,DC=local" created on master
- ADAM ADSI Edit works just peachy on the master server
- Windows XP SP2 box joined to the domain and has a replica instance
(no errors during replica install). During install I indicated that my
partition should be replicated.
- I can ping both replica and master by full DNS name
- Firewall enabled, but c:\windows\adam\dsamain.exe is exempted to
allow for replication traffic
My problem is that I try to connect to my partition on the replica
machine. Here are the symptoms:
- I try to connect via ADAM ADSI Edit to "DC=mypartition,DC=local" on
the replica box and I get an error "The login attempt failed".
- I try the same on the master and it works
So I start thinking it is a replication issue. I try the following on
the replica machine:
repadmin /syncall localhost:9389
(where 9389 is the ldap port for the local instance)
I get this response:
"SyncAll exited with fatal Win32 error: 1323 (0x52b):
Unable to update the password. The value provided as the current
password is
incorrect"
Not sure exactly what that means. So I try connecting to the local
instance via LDP.EXE. A simple bind with an ADAM user _works_ (meaning
replication worked because the user was created on the master). But a
credential bind with a domain user with sufficient partition
privileges fails with this error:
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090441, comment:
AcceptSecurityContext error, data 52e, va28
Error 0x8009030C The logon attempt failed
Now I'm leaning away from replication, but get a load of this!:
I go to the master server, connect back to the replica client with both
ADSI Edit and LDP.EXE and authentication works for both domain users
and ADAM users!
Seems like a problem with ADAM authenticating domain users on the
replica box. But I can log into XP with domain users and changing the
instance service account to a domain admin does no good.
So this begs the question: why can I bind to my replica instance with
domain credentials from another machine, but not locally on the replica
box?
Mike
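The two error strings quoted in the original post (the LDP bind failure and the repadmin SyncAll failure) each carry a code that can be looked up. The following Python script is an added example, not code from the thread or from Microsoft; it parses both messages, maps the documented AcceptSecurityContext "data" subcodes and the Win32/SSPI status values to their names, and keeps the trailing "vXXX" token as-is, since its meaning is not established in the thread. The sample inputs are constructed from the text quoted above.

```python
import re

# Subcodes that AD/ADAM append as "data NNN" to an LDAP bind failure
# (result 49, invalidCredentials). These are the commonly documented values.
BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (password wrong or the account could not be validated)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# SSPI status that LDP prints as "Server error: <hex>".
SSPI_STATUS = {
    0x8009030C: "SEC_E_LOGON_DENIED (the logon attempt failed)",
}

# Win32 codes that repadmin surfaces as "fatal Win32 error: N (0xN)".
WIN32_ERRORS = {
    0x52B: "ERROR_WRONG_PASSWORD (the value provided as the current password is incorrect)",
    0x52E: "ERROR_LOGON_FAILURE (the user name or password is incorrect)",
}

# Constructed sample input, copied from the symptoms quoted in the thread.
SAMPLE_LDP = """Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090441, comment:
AcceptSecurityContext error, data 52e, va28
Error 0x8009030C The logon attempt failed"""

SAMPLE_REPADMIN = ("SyncAll exited with fatal Win32 error: 1323 (0x52b): "
                   "Unable to update the password. The value provided as the current "
                   "password is incorrect")

LDP_BIND_RE = re.compile(
    r"Server error:\s*(?P<status>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*AcceptSecurityContext error,\s*data\s*(?P<data>[0-9A-Fa-f]+)"
    r"(?:,\s*v(?P<suffix>[0-9A-Za-z]+))?"
)
REPADMIN_RE = re.compile(r"fatal Win32 error:\s*(?P<dec>\d+)\s*\(0x(?P<hex>[0-9A-Fa-f]+)\)")


def parse_ldp_bind_error(text):
    """Split an LDP bind failure into its SSPI status, DSID, data subcode
    and the trailing 'v...' token (kept verbatim, meaning not asserted)."""
    m = LDP_BIND_RE.search(text)
    if m is None:
        return None
    status = int(m.group("status"), 16)
    data = m.group("data").lower()
    return {
        "status": status,
        "status_meaning": SSPI_STATUS.get(status, "unknown SSPI status"),
        "dsid": m.group("dsid"),
        "data": data,
        "data_meaning": BIND_SUBCODES.get(data, "unknown subcode"),
        "suffix": m.group("suffix"),
    }


def parse_repadmin_error(text):
    """Return the Win32 error number from a repadmin failure line, checking
    that the decimal and hex forms agree (1323 == 0x52b in the thread)."""
    m = REPADMIN_RE.search(text)
    if m is None:
        return None
    dec, hexval = int(m.group("dec")), int(m.group("hex"), 16)
    if dec != hexval:
        raise ValueError("decimal %d and hex 0x%x disagree" % (dec, hexval))
    return dec


def describe_win32(code):
    return WIN32_ERRORS.get(code, "unknown Win32 error 0x%x" % code)


def triage(ldp_text, repadmin_text):
    """Summarise both failures as a list of human-readable findings."""
    findings = []
    bind = parse_ldp_bind_error(ldp_text)
    if bind:
        findings.append("LDAP bind: %s; data %s = %s"
                        % (bind["status_meaning"], bind["data"], bind["data_meaning"]))
    code = parse_repadmin_error(repadmin_text)
    if code is not None:
        findings.append("repadmin: %d = %s" % (code, describe_win32(code)))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LDP, SAMPLE_REPADMIN):
        print(line)
```

Reading the subcode matters for the question raised above about the DC confusing the PC with an older incarnation: a "525" would mean the directory never found the account, whereas "52e" means the account was found and the credential check itself failed, so the two cases call for different places to look.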