Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

AD LDS replica of ADAM

1,483 views
Skip to first unread message

drm

unread,
May 27, 2010, 3:53:16 PM5/27/10
to
I am trying to create a replica of an ADAM instance (Windows 2003 sp2)
under AD LDS (Windows 2008 sp1). I am using the same domain account
that I used to create the ADAM instance. I can use this account to
create a stand alone AD LDS instance and even a replica of another AD
LDS instance. When I try to create a replica of the ADAM instance,
everything looks good in the wizard but when I look at the instance
using adsiedit, all of the containers are empty with no attributes.
Is this kind of replication not possible?

Note: I saw a similar post but could not tell if the issue was
resolved.

Lee Flight

unread,
May 28, 2010, 6:49:07 AM5/28/10
to
Hi

could you clarify:

what the domain account is being used for is it the ADAM and
AD LDS service account on both servers?

Are the WS03 and WS08 server joined to the same domain?

Also if you restart the ADAM and AD LDS instances do you get any
warnings/errors
the instance even logs?

Output of:

repadmin /showrepl localhost:<adam or ad lds port> /verbose

might give a clue

Thanks
Lee Flight

"drm" <don...@westernsouthernlife.com> wrote in message
news:f148223a-4e2a-47c8...@u7g2000vbq.googlegroups.com...

drm

unread,
May 28, 2010, 7:45:44 AM5/28/10
to
On May 28, 6:49 am, "Lee Flight" <l...@le.ac.uk-nospam> wrote:
> Hi
>
> could you clarify:
>
>  what the domain account is being used for is it the ADAM and
>  AD LDS service account on both servers?
>
>  Are the WS03 and WS08 server joined to the same domain?
>
> Also if you restart the ADAM and AD LDS instances do you get any
> warnings/errors
> the instance even logs?
>
> Output of:
>
>  repadmin /showrepl localhost:<adam or ad lds port> /verbose
>
> might give a clue
>
> Thanks
> Lee Flight
>
> "drm" <don....@westernsouthernlife.com> wrote in message

>
> news:f148223a-4e2a-47c8...@u7g2000vbq.googlegroups.com...
>
> >I am trying to create a replica of an ADAM instance (Windows 2003 sp2)
> > under AD LDS (Windows 2008 sp1).  I am using the same domain account
> > that I used to create the ADAM instance.  I can use this account to
> > create a stand alone AD LDS instance and even a replica of another AD
> > LDS instance.  When I try to create a replica of the ADAM instance,
> > everything looks good in the wizard but when I look at the instance
> > using adsiedit, all of the containers are empty with no attributes.
> > Is this kind of replication not possible?
>
> > Note: I saw a similar post but could not tell if the issue was
> > resolved.

Thanks Lee
1. The account is a service account on both servers.
2. Both servers are in the same domain
3. Restart warning:
The security of this directory server can be significantly enhanced by
configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or
Digest) LDAP binds that do not request signing (integrity
verification) and LDAP simple binds that are performed on a cleartext
(non-SSL/TLS-encrypted) connection. Even if no clients are using such
binds, configuring the server to reject them will improve the security
of this server.
4.Output of repadmin:
Default-First-Site-Name\EAW2K8DEV2$instance4
DSA Options: (none)
Site Options: (none)
DSA object GUID: b7268fc8-2bad-4f06-bc8a-0d5c182f9203
DSA invocationID: c34190a0-13ab-4da4-9a50-647478a6eac8

==== INBOUND NEIGHBORS ======================================

CN=Configuration,CN={B59C1E29-972F-455A-BDD5-1FA7C1B7D60D}
Default-First-Site-Name\VMDOTNET4$WSFG360 via RPC
DSA object GUID: ae3846f1-08b5-4f8e-a887-e2a13760a880
Address: VMDOTNET4.WS.WSFGRP.NET:ae3846f1-08b5-4f8e-a887-
e2a13760a880
DSA invocationID: ae3846f1-08b5-4f8e-a887-e2a13760a880
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 26081069/OU, 26081069/PU
Last attempt @ 2010-05-28 07:29:34 was successful.

CN=Schema,CN=Configuration,CN={B59C1E29-972F-455A-BDD5-1FA7C1B7D60D}
Default-First-Site-Name\VMDOTNET4$WSFG360 via RPC
DSA object GUID: ae3846f1-08b5-4f8e-a887-e2a13760a880
Address: VMDOTNET4.WS.WSFGRP.NET:ae3846f1-08b5-4f8e-a887-
e2a13760a880
DSA invocationID: ae3846f1-08b5-4f8e-a887-e2a13760a880
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 26081069/OU, 26081069/PU
Last attempt @ 2010-05-28 07:29:34 was successful.

OU=WSFG,DC=COM
Default-First-Site-Name\VMDOTNET4$WSFG360 via RPC
DSA object GUID: ae3846f1-08b5-4f8e-a887-e2a13760a880
Address: VMDOTNET4.WS.WSFGRP.NET:ae3846f1-08b5-4f8e-a887-
e2a13760a880
DSA invocationID: ae3846f1-08b5-4f8e-a887-e2a13760a880
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE NEVER_SYNCED
USNs: 0/OU, 0/PU
Last attempt @ 2010-05-28 07:29:35 failed, result -2146893008
(0x8009033
0):
The specified data could not be decrypted.

19 consecutive failure(s).
Last success @ (never).

Source: Default-First-Site-Name\VMDOTNET4$WSFG360
******* 19 CONSECUTIVE FAILURES since (never)
Last error: -2146893008 (0x80090330):
The specified data could not be decrypted.


Source: Default-First-Site-Name\EAW2K8DEV2$test
******* 1 CONSECUTIVE FAILURES since 2010-05-28 07:34:04
Last error: 1772 (0x6ec):
The list of RPC servers available for the binding of auto
handles ha
s been exhausted.

Naming Context: CN=Configuration,CN={B59C1E29-972F-455A-
BDD5-1FA7C1B7D60D}
Source: Default-First-Site-Name\EAW2K8DEV2$test
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,CN={B59C1E29-972F-455A-
BDD5-1FA7C1B7D
60D}
Source: Default-First-Site-Name\EAW2K8DEV2$test
******* WARNING: KCC could not add this REPLICA LINK due to error.

Lee Flight

unread,
May 28, 2010, 9:00:20 AM5/28/10
to

Hi

is the service account a (single) AD account in the domain that the servers
are joined
to or a local (windows) account created on both servers?

Thanks
Lee Flight

"drm" <don...@westernsouthernlife.com> wrote in message

news:332430dc-705f-4ff0...@y12g2000vbr.googlegroups.com...

drm

unread,
May 28, 2010, 11:17:52 AM5/28/10
to
On May 28, 9:00 am, "Lee Flight" <l...@le.ac.uk-nospam> wrote:
> Hi
>
> is the service account a (single) AD account in the domain that the servers
> are joined
> to or a local (windows) account created on both servers?
>
> Thanks
> Lee Flight
>
> "drm" <don....@westernsouthernlife.com> wrote in message

A single account in the domain.

Lee Flight

unread,
May 28, 2010, 11:52:11 AM5/28/10
to

Hi

OK thanks, the error message is what you would see if you had an ADAM and an
AD LDS
attempting to replicate with "negotiated" as the replication security level
[1]. Using a domain
account as the service account you should be using Kerberos, assuming that
there is no firewalling
in place (?) that would stop the Kerberos mutual authentication between the
ADAM and AD LDS
servers then a problem with the servicePrincipalName setting on the single
domain account may be
the issue. The thing to do is to locate the domain account in AD and look at
the servicePrincipalName
attribute of that account using your favorite LDAP browser or attribute
editor, what you should
see on the multi-valued attribute is servicePrincipalNames following the
standard ADAM/AD LDS
form [2]. What do you see? If the account is use for a production instance
exercise caution before
any modification.

Lee Flight

[1]
http://adamsync.wordpress.com/2010/04/02/windows-server-2003-adam-to-windows-server-2008-ad-lds-replication-fails-when-using-ntlm-negotiate/

[2] http://technet.microsoft.com/en-us/library/cc776694(WS.10).aspx

"drm" <don...@westernsouthernlife.com> wrote in message

news:9ff770ac-0c95-49e4...@z17g2000vbd.googlegroups.com...

>> ******* 19 CONSECUTIVE FAILURES since (never)
>> Last error: -2146893008 (0x80090330):
>> The specified data could not be decrypted.

>A single account in the domain.


drm

unread,
Jun 1, 2010, 3:29:24 PM6/1/10
to
On May 28, 11:52 am, "Lee Flight" <l...@le.ac.uk-nospam> wrote:
> Hi
>
> OK thanks, the error message is what you would see if you had an ADAM and an
> AD LDS
> attempting to replicate with "negotiated" as the replication security level
> [1]. Using a domain
> account as the service account you should be using Kerberos, assuming that
> there is no firewalling
> in place (?) that would stop the Kerberos mutual authentication between the
> ADAM and AD LDS
> servers then a problem with the servicePrincipalName setting on the single
> domain account may be
> the issue. The thing to do is to locate the domain account in AD and look at
> the servicePrincipalName
> attribute of that account using your favorite LDAP browser or attribute
> editor, what you should
> see on the multi-valued attribute is servicePrincipalNames following the
> standard ADAM/AD LDS
> form [2]. What do you see? If the account is use for a production instance
> exercise caution before
> any modification.
>
> Lee Flight
>
> [1]http://adamsync.wordpress.com/2010/04/02/windows-server-2003-adam-to-...
>
> [2]http://technet.microsoft.com/en-us/library/cc776694(WS.10).aspx
>
> "drm" <don....@westernsouthernlife.com> wrote in message

>
> news:9ff770ac-0c95-49e4...@z17g2000vbd.googlegroups.com...
>
> >> ******* 19 CONSECUTIVE FAILURES since (never)
> >> Last error: -2146893008 (0x80090330):
> >> The specified data could not be decrypted.
> >A single account in the domain.

After we ran a "repadmin.exe /writespn" command, everything appears to
be working.

Thanks for looking into this Lee.

0 new messages