Forum.Brain-Cluster.com: Brain Cluster Technical Forum
ADAM 2008 (LDS) not replicating with ADAM v1 W2K3 [message #161709] Tue, 06 October 2009 07:50
Jim S
I'm trying to add an ADAM 2008 (LDS) replica to an existing W2k3 ADAM v1
replication environment consisting of 5 replicas on W2k3 servers that
replicate a partition (dc=mycompany,dc=com). The installation appeared to be
successful; however, after the install, when I tried to connect to the
partition (dc=mycompany,dc=com) on the new 2008 server with ADSI Edit I
received the error "The directory property cannot be found in the cache". I
then followed the steps in http://support.microsoft.com/kb/958973 and was
able to connect; however, no objects except a handful of empty containers are
visible. Additionally, the instance does not appear to be replicating the
partition with the rest of the ADAM v1 servers. Running the command
repadmin /syncall localhost:389 "dc=mycompany,dc=com"
results in the following errors:

From: ExistingW2k3Server.mycompany.com:389
To : NewW2K8Server.mycompany.com:389
Error issuing replication: -2146893008 (0x80090330):
The specified data could not be decrypted.

** I've verified the LDS instance on the new server is running with a local
account and password identical to all the other ADAM v1 instances.
** I ran through the installation on a second W2k8 server and had the same
experience/problems.
** I have added multiple W2K3/ADAM v1 replicas to the environment in the past
with no issues.

Any help is appreciated,
Thanks - Jim
Re: ADAM 2008 (LDS) not replicating with ADAM v1 W2K3 [message #161765 is a reply to message #161709] Wed, 07 October 2009 07:17
Joe Kaplan
It looks like there may be an issue at the authentication layer. Is there
any reason why you are using synced local account passwords instead of the
more traditional domain security model? My understanding is that the synced
local account approach for authentication works but is not the intended
approach. Perhaps something in the Windows authentication layer between the
two OS's is preventing it from being used here.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
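Joe's diagnosis above points at the authentication layer, and the error code in Jim's repadmin output carries that information itself: -2146893008 is the signed form of HRESULT 0x80090330, whose facility field is 9 (SSPI, the security support provider layer) and whose symbolic name is SEC_E_DECRYPT_FAILURE. The following Python script is added here as an example and is not part of the thread or of any Microsoft tool. It parses repadmin output of the shape Jim posted (the sample is constructed from his lines), normalises the signed decimal code to an unsigned HRESULT, and reports the facility and symbolic name so the failing layer can be read off before any configuration is changed. The table of known codes is a small selection I supply from the Windows SDK headers, not something repadmin emits.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, reproducing the error block from the original post.
SAMPLE_REPADMIN_OUTPUT = """\
From: ExistingW2k3Server.mycompany.com:389
To : NewW2K8Server.mycompany.com:389
Error issuing replication: -2146893008 (0x80090330):
The specified data could not be decrypted.
"""

# HRESULT facility codes (bits 16-26) that matter for replication triage.
FACILITIES = {
    7: "WIN32",  # wrapped Win32 error, e.g. RPC or network failures
    9: "SSPI",   # security support provider: authentication/encryption layer
}

# Well-known HRESULTs seen in replication failures (from the Windows SDK headers).
KNOWN_HRESULTS = {
    0x80090330: "SEC_E_DECRYPT_FAILURE",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
    0x80070005: "E_ACCESSDENIED",
    0x800706BA: "RPC_S_SERVER_UNAVAILABLE (HRESULT form)",
}

_ERROR_RE = re.compile(r"Error issuing replication:\s*(-?\d+)\s*\((0x[0-9A-Fa-f]+)\)")
_TO_RE = re.compile(r"^To\s*:\s*(.+)$")


def to_hresult(code: str) -> int:
    """Normalise a signed decimal or 0x-prefixed string to an unsigned 32-bit HRESULT."""
    value = int(code, 16) if code.lower().startswith("0x") else int(code)
    return value & 0xFFFFFFFF


def facility_of(hresult: int) -> int:
    """Facility code: bits 16-26 of the HRESULT."""
    return (hresult >> 16) & 0x7FF


def describe(hresult: int) -> Dict[str, object]:
    """Human-readable summary of a single HRESULT."""
    fac = facility_of(hresult)
    return {
        "hex": f"0x{hresult:08X}",
        "facility": FACILITIES.get(fac, f"UNKNOWN({fac})"),
        "name": KNOWN_HRESULTS.get(hresult, "UNKNOWN"),
    }


def parse_repadmin_errors(text: str) -> List[Dict[str, object]]:
    """Pair each 'Error issuing replication' line with the From/To lines preceding it."""
    source: Optional[str] = None
    dest: Optional[str] = None
    findings: List[Dict[str, object]] = []
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip().lstrip('"').strip()  # tolerate a stray leading quote
        if line.startswith("From:"):
            source = line.split(":", 1)[1].strip()
            continue
        to_match = _TO_RE.match(line)
        if to_match:
            dest = to_match.group(1).strip()
            continue
        err = _ERROR_RE.search(line)
        if err:
            hr = to_hresult(err.group(1))
            # Sanity check: the decimal and hex forms must denote the same code.
            if hr != to_hresult(err.group(2)):
                raise ValueError(f"decimal/hex mismatch on line {i + 1}: {line}")
            message = lines[i + 1].strip() if i + 1 < len(lines) else ""
            entry: Dict[str, object] = {
                "source": source or "?",
                "destination": dest or "?",
                "hresult": hr,
                "message": message,
            }
            entry.update(describe(hr))
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in parse_repadmin_errors(SAMPLE_REPADMIN_OUTPUT):
        print(f"{f['source']} -> {f['destination']}: {f['hex']} "
              f"[{f['facility']}] {f['name']}: {f['message']}")
```

A facility of SSPI narrows the fault to the security context negotiated between the two replicas (the Windows authentication that RPC replication rides on) rather than to the directory data or the network path, which is the distinction Joe and Lee draw in the rest of the thread.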
Re: ADAM 2008 (LDS) not replicating with ADAM v1 W2K3 [message #161781 is a reply to message #161709] Wed, 07 October 2009 09:18
Lee Flight
Hi

Following on from Joe's point, what's the setup here?
Are the ADAM/LDS servers members of a domain?
Which installation options did you choose: was an account created locally
on the WS03 and WS08 servers for the service account? What
account is in use for the ADAM/LDS administrator account?

That KB article has some reasonable information but is poor on
context; reading it, one could believe that it deals with a default condition
rather than one where ADAM/LDS administrator access has been
lost. You should not need that procedure in normal operation. Again,
we would need to know what account was specified as AD LDS administrator
for the AD LDS replica.

The adamsetup log in %windir%\debug might give you a chance to
review the installation.

Thanks
Lee Flight
Re: ADAM 2008 (LDS) not replicating with ADAM v1 W2K3 [message #161849 is a reply to message #161781] Thu, 08 October 2009 07:54
Jim S
The rationale behind running the ADAM instances with a local account was
that we didn't want the domain to be a dependency for our ADAM directory -
probably overkill in hindsight, but it's been running fine like this for 5
years. The ADAM servers are in the domain, and most of the user account
objects are proxy accounts that rely on the domain for authN anyway, so the
local service account model has even less value except to the non-user-proxy
accounts.
During the installation we provide a local group called "ADAM Admins" as
the administrative account/group.
Since attempting to add the LDS on Monday we've been experiencing
replication problems with our existing v1 ADAM instances. To correct the
issue I've uninstalled LDS from the new server and deleted the server
instance in config/sites.
Thanks,
Jim
Re: ADAM 2008 (LDS) not replicating with ADAM v1 W2K3 [message #161887 is a reply to message #161849] Thu, 08 October 2009 20:16
Joe Kaplan
Yeah, if you have user proxy objects to users in AD, then it does seem a
little crazy to avoid the domain.

The bottom line is that the replication model is based on RPC which is based
on Windows security. It is possible to get NTLM to work with synced local
passwords, but it looks like you may have run into a hitch with this.
You'll likely be better off just running ADAM as network service and being
done with it. Using that, Kerberos authentication will work by default and
you should have fewer issues.

My normal approach with ADAM is to always put builtin\administrators in the
ADAM Admins group so that whoever is a local admin on the box is an admin in
ADAM. Sometimes you don't want this, but in my experience it is more
typical that you do. You can certainly use a separate group, but the great
advantage of using the builtin group, beyond the obvious integration with
other OS stuff, is that it is easy to script this via LDIF because the
builtin admin group has a fixed SID on all machines.

I think it would be cool if there was a clean model to use ADAM principals
for implementing replication, but it just isn't designed to work that way.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Re: ADAM 2008 (LDS) not replicating with ADAM v1 W2K3 [message #161920 is a reply to message #161849] Fri, 09 October 2009 02:27
Lee Flight
I agree with Joe's comments on using builtin administrators; it's what I do.
The segregation of duties from a local ADAM Admins group is not very useful,
as the local administrator on the ADAM instance can always clobber the ADAM
instance if they choose.

I tried a repro with a single ADAM SP1 instance and introduced an AD LDS
instance to the configuration set:

tried Network Service as the service account, and that worked fine

tried a local Windows account with identical username and password
on each server; again, that worked fine (replication mode was negotiated
passthrough)

It sounds like you have a mature, solid setup under ADAM v1:

is it really ADAM v1 that you have, or ADAM SP1?

do you have the resources to take a backup from your production
system and load it into a test server running ADAM and then test that
against your WS08 server?

The "replication problems" with the existing config set sound worrying.
If the AD LDS instance was being referenced (by your load balancers?)
then updates from it might fail to replicate with the problems that you had;
is that what you were seeing?

Thanks
Lee Flight


