Accounts cache refresh for a trusted domain fails (NETIQKB5621)

  • 7705621
  • 02-Feb-2007
  • 20-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.30 SP1

fact
Directory and Resource Administrator 6.40

fact
Directory and Resource Administrator 6.30.01

fact
Directory and Resource Administrator 6.50

symptom
Accounts cache refresh for a trusted domain fails

symptom
Accounts Cache Refresh for trusted domains fails with the following error message in the application log:

Event Type: Error
Event Source: MCSAdminSvc
Event Category: AcctProvDomain
Event ID: 14081
User:  N/A
Description:
Domain dns.domain_name(NetBIOS_domain_name) (Trusted,AD) (Startup load using existing domain file) contents unsuccessfully loaded, hr=8007052e=(Logon failure: unknown user name or bad password)
cause

The above error message can occur for the following reasons:

  1. The service account running the MCS OnePoint Administration Server service is not a known account in the trusted domain.
  2. The username or password of the override account specified for the trusted domain in the Directory and Resource Administrator MMC under Configuration\Managed and Trusted Domains is incorrect.

fix

The above error message can be resolved by performing any of the following:

  • Specify an override account for the trusted domain if it is not already specified by performing the following steps:
    1. Launch the Directory and Resource Administrator, logged in with a minimum of Built-in Configuration role.
    2. Expand the Configuration node and select the Managed and trusted domains option.
    3. Select the managed domain.
    4. Once the managed domain has been selected, highlight the trusted domain in the displayed list.
    5. Click Properties.
    6. Click Override Account on the Domain Properties window.
    7. Select the Use the following override account to access this domain radio button.
    8. Specify the account name using Pre-Windows 2000 format: domain\account_name. Do not use a DNS domain name. The account specified must have the right to enumerate users in the domain. By default, all users in the domain have the ability to enumerate users in that domain.
    9. Specify and confirm the password for the account.
    10. Click OK.
  • If an override account is not specified, the service account running the MCS OnePoint Administration Server service must be added to the Everyone group in the trusted domain. For a cache refresh of a trusted domain to succeed, the service account must be a known account in that domain, since by default every user account in a domain has the ability to enumerate all of its objects.

  • To prevent Directory and Resource Administrator from performing an Accounts Cache Refresh for a trusted domain refer to the following KB article:

    • NETIQKB7274 - How can I prevent Directory and Resource Administrator from performing an Accounts Cache Refresh for a trusted domain?
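As an added example (not part of this KB or of the DRA product), the following PowerShell, run on the DRA server, checks whether a candidate override account can bind to the trusted domain and enumerate users, and decodes the failure HRESULT in the same hr= form the event above reports; the domain and account names are placeholders.

```powershell
# Added example, not part of the NetIQ KB or of DRA itself. Run on the DRA server
# to check that the account DRA will use for a trusted domain can log on there and
# enumerate users, which the cache refresh requires. Domain and account names are placeholders.
param(
    [string]$TrustedDomainDns = 'trusted.example.com',   # placeholder DNS name
    [string]$OverrideAccount  = 'TRUSTED\dra-override',  # pre-Windows 2000 format, as the KB requires
    [System.Security.SecureString]$Password = (Read-Host -AsSecureString 'Override account password')
)

Add-Type -AssemblyName System.DirectoryServices

# Decode an HRESULT such as 0x8007052E into its Win32 code (low 16 bits) and message.
function ConvertFrom-HResult {
    param([int]$HResult)
    $win32 = $HResult -band 0xFFFF
    $message = (New-Object System.ComponentModel.Win32Exception($win32)).Message
    [pscustomobject]@{ HResult = ('0x{0:X8}' -f $HResult); Win32Code = $win32; Message = $message }
}

function Test-TrustedDomainAccess {
    param([string]$DomainDns, [string]$Account, [System.Security.SecureString]$Secret)
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    try {
        # Bind to the trusted domain with the override credentials, as DRA would.
        $root = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$DomainDns", $Account, $plain,
            [System.DirectoryServices.AuthenticationTypes]::Secure)
        $null = $root.NativeObject   # forces the bind; throws on logon failure

        # Enumerate a few user objects: the right the KB says the account needs.
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectCategory=person)')
        $searcher.SizeLimit = 5
        $seen = @($searcher.FindAll()).Count
        [pscustomobject]@{ Domain = $DomainDns; Account = $Account; Bind = 'OK'; UsersSeen = $seen }
    } catch {
        # Walk to the underlying COMException so the HRESULT matches the event log's hr= value.
        $ex = $_.Exception
        while ($ex.InnerException -and $ex -isnot [System.Runtime.InteropServices.COMException]) {
            $ex = $ex.InnerException
        }
        $decoded = ConvertFrom-HResult -HResult $ex.HResult
        [pscustomobject]@{ Domain = $DomainDns; Account = $Account; Bind = 'FAILED'
                           Error = "hr=$($decoded.HResult) ($($decoded.Message))" }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # release the plaintext copy
    }
}
Test-TrustedDomainAccess -DomainDns $TrustedDomainDns -Account $OverrideAccount -Secret $Password
```

A result of Bind = FAILED with hr=0x8007052E (Win32 1326, logon failure) corresponds to cause 1 or 2 above; a successful bind with UsersSeen = 0 points at the enumerate-users right instead of the credentials.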
Additional Information

Formerly known as NETIQKB5621