Forum.Brain-Cluster.com: Brain Cluster Technical Forum
A directory Service error has occurred [message #156757] Wed, 24 June 2009 17:36
Kreshiv
For giving READER access to ASPNET Account in ADAM

dn: CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
changetype: modify
add: member
(local system)\ASPNET

prompted this error. This is on a Windows 2003 Server machine. Dev server. I
am able to add aspnet account as reader in AzMan.
Re: A directory Service error has occurred [message #156861 is a reply to message #156757] Thu, 25 June 2009 04:41
Lee Flight, United Kingdom
Hi
to add a windows principal to an ADAM group/role then
in your ldf file after

add: member

you need

member::{base64 encoding of "<SID=stringSID>"}

so if you have a Windows account that has a string SID

S-1-5-21-2304429112-859824812-289076493-500

then you would base64 encode
<SID=S-1-5-21-2304429112-859824812-289076493-500>

giving

PFNJRD1TLTEtNS0yMS0yMzA0NDI5MTEyLTg1OTgyNDgxMi0yODkwNzY0OTMtNTAwPg==

and so your ldf would need

member::PFNJRD1TLTEtNS0yMS0yMzA0NDI5MTEyLTg1OTgyNDgxMi0yODkwNzY0OTMtNTAwPg==

ignore any line wraps and note :: after member.


Lee Flight

"Kreshiv" <Kreshiv@discussions.microsoft.com> wrote in message
news:DB55B688-87AC-41ED-9BA9-B8862346E272@microsoft.com...
> For giving READER access to ASPNET Account in ADAM
>
> dn: CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
> changetype: modify
> add: member
> (local system)\ASPNET
>
> prompted this error. This is on a Windows 2003 Server machine. Dev server. I
> am able to add aspnet account as reader in AzMan.
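
The encoding step described in the reply above, as an added Python example that is not part of the original thread: it builds the modify record for a string SID and decodes a record back to check it before import. The function names are this example's own; the DN and SID are the ones quoted in the posts.

```python
import base64
import re

# String SID: S-1-<authority>-<sub-authority>... (1 to 15 sub-authorities)
SID_RE = re.compile(r"S-1-\d+(-\d+){1,15}")


def encode_sid_member(string_sid):
    """Base64 text that follows 'member::' for a Windows principal."""
    if not SID_RE.fullmatch(string_sid):
        raise ValueError(f"not a string SID: {string_sid!r}")
    return base64.b64encode(f"<SID={string_sid}>".encode("ascii")).decode("ascii")


def build_ldif(group_dn, string_sid):
    """Modify record adding the SID-identified principal to group_dn."""
    return "\n".join([
        f"dn: {group_dn}",
        "changetype: modify",
        "add: member",
        f"member:: {encode_sid_member(string_sid)}",  # '::' marks a base64 value
        "-",  # RFC 2849 terminator for the 'add' block
        "",
    ])


def decode_member(ldif_text):
    """Unfold an LDIF record and return its decoded member:: value.

    Raises ValueError if the value is not clean base64 (for example a space
    left by a pasted line wrap) or does not decode to <SID=stringSID>.
    """
    # RFC 2849 folding: a newline followed by one space continues the line.
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    for line in unfolded.splitlines():
        if line.startswith("member::"):
            raw = base64.b64decode(line[len("member::"):].strip(), validate=True)
            value = raw.decode("ascii")
            m = re.fullmatch(r"<SID=(.+)>", value)
            if not m or not SID_RE.fullmatch(m.group(1)):
                raise ValueError(f"unexpected member value: {value!r}")
            return value
    raise ValueError("no base64 member value found")


if __name__ == "__main__":
    # DN and SID as quoted in the thread above.
    sid = "S-1-5-21-2304429112-859824812-289076493-500"
    record = build_ldif("CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com", sid)
    print(record)
    print(decode_member(record))
```

An account name such as `(local system)\ASPNET` is rejected by `encode_sid_member`, since the value must be built from the account's string SID.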
Re: A directory Service error has occurred [message #156900 is a reply to message #156861] Thu, 25 June 2009 16:43
Kreshiv
Lee,

Thanks for your time. Let my local system be 'A' and the remote system be
'B'. I have ADAM, AzMan, Server app, Client app in both the machines. Client
app and service is working fine in 'A'. A is a Windows XP machine.

Coming to B, B is a Windows Server machine. I want to run the Client App (in B)
which accesses the WCF (in B). For the same situation in system A, I added A's
ASPNET account as Reader in ADAM and AzMan and things worked out positively.
For B, since it is a Windows Server 2003:
1) Do I need to add B's ASPNET account to ADAM and AzMan as Readers?
2) I tried adding that through ADAM AdsiEdit and AzMan. AzMan allowed me,
but ADAM is prompting the mentioned error.

Am I clear? In general, what configuration does a Windows Server based ADAM and
AzMan look for in an application pinging them? I am not a pure Windows guy,
so I don't know how to use LDP. I am trying through ADAM AdsiEdit. Please help
me. I have been looking into this for the last 3 days.
Re: A directory Service error has occurred [message #156902 is a reply to message #156900] Thu, 25 June 2009 17:10
Kreshiv
Lee,

FYI, I am an Administrator to System B. I am able to add Windows accounts and
ADAM accounts as members. I can even browse and see the ASPNET account in the
search window. But I am not able to access it.
Re: A directory Service error has occurred [message #156904 is a reply to message #156902] Thu, 25 June 2009 20:46
Kreshiv
Thanks Joe. That was a good explanation. Even I found the Network Service
account today in my eventvwr log. I have all ADAM, AzMan and the IIS running
in machine B. So I think giving access to this network service account of
machine B in ADAM and AzMan of machine B, should solve the issue.

How will you grant access rights to Network service account in Windows 2003?
I am able to grant reader access in ADAM, for Users and groups in ADAM but
not for ASPNET or Network Service account. I am a local administrator to the
devServer. That's where this error comes again and again. Is there any other
way that I can grant access to the network service account?

Forgot to add: I am able to add the same Network service account in AzMan. I
am able to see him in ADAM, but not able to add him in ADAM. Help me, please.
I have to demo on Monday.
Re: A directory Service error has occurred [message #156917 is a reply to message #156904] Fri, 26 June 2009 05:24
Lee Flight, United Kingdom
Hi

I'm glad Joe is on this thread although I cannot see his post!
One thing to bear in mind is that if you are trying to
add anything like a computer account to a role in ADAM
then some tools e.g. ADSIedit may be problematic as early
versions (prior to WS08 IIRC) hard coded the account type
that is used by the edit member dialog. Joe's usual recommendation
for these type of dev scenarios in the archives of this newsgroup
is to add builtin Authenticated users principal to the ADAM
Readers role, I'd endorse that.

Lee Flight

"Kreshiv" <Kreshiv@discussions.microsoft.com> wrote in message
news:84213AFF-E940-4208-9A6D-C9CBFDB56A0C@microsoft.com...
> Thanks Joe. That was a good explanation. Even I found the Network Service
> account today in my eventvwr log. I have all ADAM, AzMan and the IIS running
> in machine B. So I think giving access to this network service account of
> machine B in ADAM and AzMan of machine B, should solve the issue.
>
> How will you grant access rights to Network service account in Windows 2003?
> I am able to grant reader access in ADAM, for Users and groups in ADAM but
> not for ASPNET or Network Service account. I am a local administrator to the
> devServer. That's where this error comes again and again. Is there any other
> way that I can grant access to the network service account?
>
> Forgot to add: I am able to add the same Network service account in AzMan. I
> am able to see him in ADAM, but not able to add him in ADAM. Help me, please.
> I have to demo on Monday.
Re: A directory Service error has occurred [message #156940 is a reply to message #156917] Fri, 26 June 2009 14:30
Joe Kaplan, United States
There are parallel threads taking place in two different places:

http://directoryprogramming.net/forums/6752/ShowThread.aspx#6752

I don't think you typically frequent my web forum but sometimes people ask
infrastructure questions that I can't answer so I suggest they repost here.
Then, sometimes we end up with parallel discussions as a result. :)

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Lee Flight" <lef@le.ac.uk-nospam> wrote in message
news:ObEzu$j9JHA.1252@TK2MSFTNGP04.phx.gbl...
> Hi
>
> I'm glad Joe is on this thread although I cannot see his post!
> One thing to bear in mind is that if you are trying to
> add anything like a computer account to a role in ADAM
> then some tools e.g. ADSIedit may be problematic as early
> versions (prior to WS08 IIRC) hard coded the account type
> that is used by the edit member dialog. Joe's usual recommendation
> for these type of dev scenarios in the archives of this newsgroup
> is to add builtin Authenticated users principal to the ADAM
> Readers role, I'd endorse that.
>
> Lee Flight
>
> "Kreshiv" <Kreshiv@discussions.microsoft.com> wrote in message
> news:84213AFF-E940-4208-9A6D-C9CBFDB56A0C@microsoft.com...
>> Thanks Joe. That was a good explanation. Even I found the Network Service
>> account today in my eventvwr log. I have all ADAM, AzMan and the IIS running
>> in machine B. So I think giving access to this network service account of
>> machine B in ADAM and AzMan of machine B, should solve the issue.
>>
>> How will you grant access rights to Network service account in Windows 2003?
>> I am able to grant reader access in ADAM, for Users and groups in ADAM but
>> not for ASPNET or Network Service account. I am a local administrator to the
>> devServer. That's where this error comes again and again. Is there any other
>> way that I can grant access to the network service account?
>>
>> Forgot to add: I am able to add the same Network service account in AzMan. I
>> am able to see him in ADAM, but not able to add him in ADAM. Help me, please.
>> I have to demo on Monday.
Re: A directory Service error has occurred [message #156946 is a reply to message #156917] Fri, 26 June 2009 18:23
Kreshiv
Lee,

Mentioned Joe's name by mistake. Thanks for your time and suggestions. As
mentioned in DirectoryProgramming.NET I tried adding Network Service account
and things worked out positively as Joe wrote. I created a Domain Account
then, and added it to the app pool identity. Then gave Reader access in ADAM
and AzMan.

All my issues are solved now. Thanks both.