Re: Can't create a new Application partition in case when ADAM instance shares its configuration
- From: begemot <dumchikov@xxxxxxxxx>
- Date: Wed, 2 Apr 2008 23:23:04 -0700 (PDT)
On 1 Apr, 21:27, "Dmitri Gavrilov [MSFT]" <dmit...@xxxxxxxxxxxxxxxxxxxx> wrote:
Aha, you are trying to use the "two-legged/chaining" approach that's
described in the thread that Lee referenced. The errors you are getting
point to an authentication problem:
C:\>err 0x2199
# for hex 0x2199 / decimal 8601 :
ERROR_DS_REMOTE_CROSSREF_OP_FAILED winerror.h
# The remote create cross reference operation failed on the
# Domain Naming Master FSMO. The operation's error is in the
# extended data.
And -2146893042=8009030e
C:\>err 8009030e
# for hex 0x8009030e / decimal -2146893042 :
SEC_E_NO_CREDENTIALS winerror.h
# No credentials are available in the security package
In order to enable chaining, you need to perform the special
(delegation-enabled) kind of bind, by setting appropriate SSPI flags prior
to the bind. This will enable the target instance to impersonate you when
connecting to domain naming master in order to create the crossRef.
I would recommend doing the two-step approach -- fewer moving parts, no
chaining, easier to diagnose problems. First, pre-create the crossRef
directly on the DNM, then replicate the change down to the target instance,
then create the app partition there. Try this with dsmgmt and note that the
crossRef's enabled value must be FALSE and the dnsRoot value must match the name
of the target instance.
And yes, DN master *must* be up to create the app partition. Ok, this is not
true. It must be up to create the crossRef, and replicate it everywhere.
--
Dmitri Gavrilov
SDE, Exchange
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
"begemot" <dumchi...@xxxxxxxxx> wrote in message
news:fb0b71c3-3fa6-460b-bb51-f30e1de978d8@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi, thanks for your replies
To Lee
Yes, your recipe works fine, but I need to create a new partition in my
program; I am using the LDAP protocol to do that.
To Dmitri:
I am creating a new application partition using the LDAP protocol. I am
sending an LDAP add request with objectClass=container and
instanceType=5 to the replica server. If I send this request to the
server that holds the Naming Master role, everything is all right, but with
the replica it fails with the UnwillingToPerform error code; the error message
was
"00002199: SvcErr: DSID-01091A40, problem 5003 (WILL_NOT_PERFORM), data -2146893042"
As I understood it, 0x00002199 is the Win32 error code "The remote create
cross reference operation failed on the Domain Naming Master FSMO. The
operation's error is in the extended data."
I thought about SPNs, and they seem to be all right: the user directory
under which the ADAM instance is running has four new SPNs. Maybe I am
wrong; how can I ensure that the SPNs were added properly?
One more question: can a partition be created if the server that holds the
Naming Master role is down?
Thanks for your reply!
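The two-step procedure Dmitri recommends (pre-create the crossRef on the Domain Naming Master with enabled=FALSE and dnsRoot naming the target instance, wait for it to replicate, then send the instanceType=5 add to the target) as an added PowerShell example over LDAP. This is not code from the thread or from Microsoft; it uses System.DirectoryServices.Protocols so the same requests begemot sends from his program are visible. Host names, ports, the partition DN and the host:port form of dnsRoot are assumptions for illustration, and the error decoder is added to turn the "00002199 ... data -2146893042" string from the post into the two codes Dmitri looked up with err.exe:

```powershell
# Added example (not from the thread). Two-step creation of an ADAM application
# partition over LDAP: (1) pre-create the crossRef on the Domain Naming Master,
# (2) wait for it to replicate to the target instance, (3) create the NC head there.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$DnmHost    = 'adam1.example.com:389'      # assumed: instance holding the Domain Naming Master role
$TargetHost = 'adam2.example.com:50000'    # assumed: replica that will host the new partition
$NewNC      = 'CN=App1,DC=example,DC=com'  # assumed: DN of the new application partition

function Connect-Ldap([string]$Server, [int]$Port) {
    $id   = New-Object -TypeName "$P.LdapDirectoryIdentifier" -ArgumentList $Server, $Port
    $conn = New-Object -TypeName "$P.LdapConnection" -ArgumentList $id
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()   # plain bind with the caller's credentials; nothing is chained, so no delegation is needed
    return $conn
}

function Get-RootDseValue($Conn, [string]$Attr) {
    $req = New-Object -TypeName "$P.SearchRequest" -ArgumentList '', '(objectClass=*)',
        ([System.DirectoryServices.Protocols.SearchScope]::Base), ([string[]]@($Attr))
    return [string]$Conn.SendRequest($req).Entries[0].Attributes[$Attr][0]
}

# Step 1: crossRef on the DNM. enabled=FALSE and dnsRoot=<target instance>, as Dmitri says;
# the host:port form of dnsRoot is an assumption of this example.
function New-CrossRef($Conn, [string]$ConfigNC, [string]$NcName, [string]$DnsRoot, [string]$Cn) {
    $dn  = "CN=$Cn,CN=Partitions,$ConfigNC"
    $req = New-Object -TypeName "$P.AddRequest" -ArgumentList $dn, 'crossRef'
    foreach ($pair in @(@('nCName', $NcName), @('dnsRoot', $DnsRoot), @('enabled', 'FALSE'))) {
        $req.Attributes.Add((New-Object -TypeName "$P.DirectoryAttribute" -ArgumentList $pair[0], $pair[1])) | Out-Null
    }
    $Conn.SendRequest($req) | Out-Null
    return $dn
}

# Step 2: poll the target's Partitions container until the crossRef has replicated.
function Wait-CrossRef($Conn, [string]$ConfigNC, [string]$NcName, [int]$TimeoutSec = 300) {
    $req = New-Object -TypeName "$P.SearchRequest" -ArgumentList "CN=Partitions,$ConfigNC",
        "(&(objectClass=crossRef)(nCName=$NcName))",
        ([System.DirectoryServices.Protocols.SearchScope]::OneLevel), ([string[]]@('nCName'))
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        if ($Conn.SendRequest($req).Entries.Count -gt 0) { return $true }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Step 3: the add begemot describes, now sent to the replica: NC head (1) + writable (4) = 5.
function New-PartitionHead($Conn, [string]$NcName) {
    $req = New-Object -TypeName "$P.AddRequest" -ArgumentList $NcName, 'container'
    $req.Attributes.Add((New-Object -TypeName "$P.DirectoryAttribute" -ArgumentList 'instanceType', '5')) | Out-Null
    $Conn.SendRequest($req) | Out-Null
}

# Decode "00002199: SvcErr: DSID-01091A40, problem 5003 (WILL_NOT_PERFORM), data -2146893042":
# the leading number is the Win32 code (0x2199 ERROR_DS_REMOTE_CROSSREF_OP_FAILED) and the
# signed 'data' is the HRESULT from the chained operation (0x8009030E SEC_E_NO_CREDENTIALS).
function ConvertFrom-DsError([string]$Message) {
    if ($Message -match '^(?<win32>[0-9A-Fa-f]{8}):.*DSID-(?<dsid>[0-9A-Fa-f]+), problem (?<prob>\d+) \((?<name>\w+)\), data (?<data>-?\d+)') {
        [pscustomobject]@{
            Win32   = '0x{0:X}'  -f [Convert]::ToInt32($Matches.win32, 16)
            Dsid    = $Matches.dsid
            Problem = "$($Matches.prob) $($Matches.name)"
            Data    = '0x{0:X8}' -f [int]$Matches.data   # two's complement of the negative value
        }
    }
}

$dnmServer, $dnmPort = $DnmHost -split ':'
$tgtServer, $tgtPort = $TargetHost -split ':'
$dnm = Connect-Ldap $dnmServer $dnmPort
$tgt = Connect-Ldap $tgtServer $tgtPort
$configNC = Get-RootDseValue $dnm 'configurationNamingContext'   # shared by the whole configuration set
try {
    $crDn = New-CrossRef $dnm $configNC $NewNC $TargetHost 'App1'
    "Pre-created $crDn on the DNM (enabled=FALSE, dnsRoot=$TargetHost)"
    if (-not (Wait-CrossRef $tgt $configNC $NewNC)) { throw "crossRef did not replicate to $TargetHost" }
    New-PartitionHead $tgt $NewNC
    "Created partition head $NewNC on $TargetHost"
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    ConvertFrom-DsError $_.Exception.Response.ErrorMessage | Format-List
    throw
}
```

Because the crossRef already exists when the instanceType=5 add reaches the replica, the replica never has to chain to the DNM on the caller's behalf, which is exactly the step that failed with SEC_E_NO_CREDENTIALS in the post; the DNM only has to be reachable for step 1 and for replication, matching Dmitri's correction. The single-step chained add instead needs the delegation-enabled bind he mentions (in System.DirectoryServices that is AuthenticationTypes.Delegation on the DirectoryEntry; whether that alone satisfies ADAM's chaining is not established by this thread), which this example deliberately avoids.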