Re: Rare ADAM instance setup problem



Hi

the installer will impersonate the caller to determine the admin account
if none is specified. It seems that you have a case where the account
name being resolved is the computer account in the domain so the
token must have the SID of the computer account.

If you run the ADAM setup wizard manually on such a problem machine
what does the wizard suggest on the Admin account selection page?

Thanks
Lee Flight

"mbenson" <mbenson.3173bg@xxxxxxxxxxxxx> wrote in message
news:mbenson.3173bg@xxxxxxxxxxxxxxxx

Hi,

I wondered if anyone had seen this before. I've been scratching my head
on this for a while. Our product uses Microsoft ADAM and as part of the
install it creates an ADAM instance and sets up additional schema etc.
It does this by running adaminstall.exe in unattended mode with an
answer file.

Occasionally on some Windows Server 2003 servers, the ADAM instance
ends up with insufficient rights for the logged on user and as a result
it cannot load any Schema LDFs. On most servers it works fine but I
can't find any difference between servers it works on and servers it
fails on. Repeating the installation on the bad server always produces
the same error.

There is a clue in the C:\Windows\Debug\adamsetup.log when comparing
good and bad installs.

On a good install done by the local "Administrator" the log shows:

..
adamsetup FD0.0F4 01EA Enter Generate::AdminAccount
adamsetup FD0.0F4 01EB MYCOMPUTERNAME\Administrator
adamsetup FD0.0F4 01EC Enter State::SetCurrentUserADAMAdmin
true
adamsetup FD0.0F4 01ED Enter Validate::AdminAccount
MYCOMPUTERNAME\Administrator
..

This is part of giving the local administrator ADAM rights.

On a failed install also done by the local "Administrator" we instead
see:

..
adamsetup D08.D04 01EA Enter Generate::AdminAccount
adamsetup D08.D04 01EB MYDOMAIN\MYCOMPUTERNAME$
adamsetup D08.D04 01EC Enter State::SetCurrentUserADAMAdmin
true
adamsetup D08.D04 01ED Enter Validate::AdminAccount
MYDOMAIN\MYCOMPUTERNAME$
..

Then later in the adamsetup.log we get a line:

..
adamsetup D08.D24 040F Enter State::AddFinishWarning ADAM Setup
skipped LDIF file importation because the account provided could not be
used. Either the credentials were not valid, or the account did not have
administrative permissions for ADAM. To import LDIF files later, use the
Ldifde.exe tool in the ADAM folder.
..

It seems that this is because the instance setup in the failed case
didn't give the local administrator the required admin rights in ADAM.

I can't see the difference in the servers. I've tried removing the
faulty server from the domain. I don't see any errors in the Security
Event logs etc. I'm sure there is something wrong with the server OS or
with the local Administrator account but I can't see what.

I guess the real question here is why does ADAM sometimes add
MYDOMAIN\MYCOMPUTERNAME$ as the admin instead of the locally logged on
user (MYCOMPUTERNAME\Administrator)?

I'd be very glad of any insight on this. Everything else in ADAM works
great.

Thanks in advance.

Mark.


--
mbenson
------------------------------------------------------------------------
mbenson's Profile: http://forums.techarena.in/member.php?userid=25050
View this thread: http://forums.techarena.in/showthread.php?t=866722

http://forums.techarena.in
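A pre-flight check for the situation Lee describes (setup impersonates the caller and resolves the token's user SID to an account name, which in the failed runs came back as MYDOMAIN\MYCOMPUTERNAME$). This is example code added here, not code from either poster and not Microsoft's installer logic. Assumptions not stated in the thread: the adamsetup.log line layout is inferred from the excerpts quoted above ("adamsetup <pid.tid> <seq> <text>", with the account name on the line after "Enter Generate::AdminAccount"), and the answer-file keys shown (InstallType, InstanceName, LocalLDAPPortToListenOn, Administrator) are assumed to be the way to name the ADAM admin explicitly instead of letting setup pick it from the token.

```powershell
# Added pre-flight check for the ADAM unattended install discussed above.
# Example code for this page; not from either poster and not the installer's
# own logic. Assumptions: log line layout inferred from the quoted excerpts;
# the 'Administrator=' answer-file key is assumed.

Set-StrictMode -Version 2

# 1. What does the caller's token look like? Setup impersonates the caller
#    and resolves the token's user SID to a name, so inspect the SID first
#    and then the name it resolves to, independently of $id.Name.
function Get-CallerIdentityReport {
    $id  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sid = $id.User
    # If ResolvedName differs from TokenName, or ends in '$', the installer
    # will see a computer account rather than the interactive administrator.
    $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
    New-Object PSObject -Property @{
        TokenName          = $id.Name
        UserSid            = $sid.Value
        ResolvedName       = $resolved
        ImpersonationLevel = $id.ImpersonationLevel
        LooksLikeComputer  = $resolved.EndsWith('$')
    }
}

# 2. Which account did a previous run actually pick? The name follows the
#    'Enter Generate::AdminAccount' line (layout assumed from the post).
function Get-AdamAdminAccountFromLog {
    param([string[]]$LogLines)
    $prefix = '^adamsetup\s+\S+\s+\S+\s+'
    for ($i = 0; $i -lt $LogLines.Count - 1; $i++) {
        if ($LogLines[$i] -match 'Enter Generate::AdminAccount') {
            return ($LogLines[$i + 1] -replace $prefix, '').Trim()
        }
    }
    return $null
}

# 3. Decide whether to trust the installer's choice or force the account
#    in the answer file.
function Test-AdamAdminResolution {
    param([string]$LogPath = "$env:SystemRoot\Debug\adamsetup.log")
    $report = Get-CallerIdentityReport
    $report | Format-List TokenName, UserSid, ResolvedName, ImpersonationLevel, LooksLikeComputer

    $picked = $null
    if (Test-Path $LogPath) {
        $picked = Get-AdamAdminAccountFromLog (Get-Content $LogPath)
        Write-Host "Last run resolved AdminAccount to: $picked"
    }

    if ($report.LooksLikeComputer -or ($picked -ne $null -and $picked.EndsWith('$'))) {
        Write-Warning "Admin account resolves to a computer account; name it explicitly in the answer file, e.g.:"
        Write-Host @"
[ADAMInstall]
InstallType=Unique
InstanceName=MyInstance
LocalLDAPPortToListenOn=50000
; Assumed key: name the admin instead of letting setup impersonate the caller
Administrator=$env:COMPUTERNAME\Administrator
"@
    }
}

Test-AdamAdminResolution
```

Run it in the same logon session that will launch adaminstall.exe, since the point is to see the token the installer will impersonate. A ResolvedName ending in "$" while TokenName is MYCOMPUTERNAME\Administrator is the anomaly the thread is chasing; naming the admin explicitly in the answer file sidesteps the impersonation lookup regardless of the cause.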


