The NetIQ 'Administration Server' service triggers an exception when creating computers in a Microso (NETIQKB42306)

  • 7742306
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 7.x

symptom
The NetIQ 'Administration Server' service triggers an exception when creating computers in a Microsoft Windows 2000 domain.

symptom

The following event is generated in the System logs of the Administration Server when creating computer accounts:

Event Type: Information
Event Source: DrWatson
Event Category: None
Event ID: 4097
Date: 7/2/2004
Time: 3:16:04 PM
User: N/A
Computer: DRA Server
Description:
The application, , generated an application error The error occurred on 07/02/2004 @ 15:16:04.430 The exception generated was c0000005 at address 7C0013D6 (wcscpy)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 0d 0a 0d 0a 41 70 70 6c   ....Appl
0008: 69 63 61 74 69 6f 6e 20   ication
0010: 65 78 63 65 70 74 69 6f   exceptio
0018: 6e 20 6f 63 63 75 72 72   n occurr



cause
This can occur when the Domain Admins group is in an Organizational Unit (OU) to which the NetIQ Administration Server service account has been denied access.

fix

By default, the Domain Admins group is set as "Who can join the computer to the domain" when a computer account is created in Active Directory. If the Domain Admins group is placed in an Organizational Unit (OU) where the service account cannot enumerate the object, the $McsCanBeJoinedBy value is VT_EMPTY. Because the Domain Admins group is not in the cache, the Administration Server attempts to set a null value for who can join the computer to the domain, which triggers the exception. To resolve:

  1. Place the Domain Admins group in an OU that can be enumerated by DRA.
  2. Use a script to set 'Who can join the computer to the domain' to a user or group other than the Domain Admins group.
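
The failure mode described above, modelled as an added example in C (not NetIQ's code): a property value that may be VT_EMPTY is validated before its string is copied, instead of being handed straight to wcscpy. The names variant_t, copy_joined_by and the JOIN_* status codes are hypothetical, and variant_t is a portable stand-in for a COM VARIANT.

```c
#include <stddef.h>
#include <wchar.h>

/* Portable stand-in for a COM VARIANT (assumption: only the two types the
   article mentions are modelled; values match Windows VT_EMPTY / VT_BSTR). */
enum { VT_EMPTY = 0, VT_BSTR = 8 };
typedef struct { unsigned short vt; const wchar_t *bstrVal; } variant_t;

enum join_status { JOIN_OK = 0, JOIN_NO_VALUE, JOIN_BAD_TYPE,
                   JOIN_TOO_LONG, JOIN_BAD_ARG };

/* Hypothetical helper: copy the "who can join" principal out of a property
   value. An unchecked wcscpy(dst, v->bstrVal) on a null source faults with
   an access violation (c0000005), the kind of exception in the event above. */
enum join_status copy_joined_by(wchar_t *dst, size_t dst_len, const variant_t *v)
{
    if (dst == NULL || dst_len == 0)
        return JOIN_BAD_ARG;
    dst[0] = L'\0';                    /* never leave dst uninitialised */
    if (v == NULL || v->vt == VT_EMPTY)
        return JOIN_NO_VALUE;          /* lookup failed: caller must not apply it */
    if (v->vt != VT_BSTR || v->bstrVal == NULL)
        return JOIN_BAD_TYPE;          /* wrong tag, or BSTR tag with null data */
    size_t n = wcslen(v->bstrVal);
    if (n >= dst_len)
        return JOIN_TOO_LONG;          /* refuse rather than truncate a principal */
    wmemcpy(dst, v->bstrVal, n + 1);   /* n + 1 copies the terminator too */
    return JOIN_OK;
}

int main(void)
{
    wchar_t buf[32];
    variant_t empty = { VT_EMPTY, NULL };                   /* constructed input */
    variant_t group = { VT_BSTR, L"EXAMPLE\\Join Admins" }; /* constructed input */
    return (copy_joined_by(buf, 32, &empty) == JOIN_NO_VALUE &&
            copy_joined_by(buf, 32, &group) == JOIN_OK) ? 0 : 1;
}
```

Returning a distinct JOIN_NO_VALUE lets the caller report that the group could not be enumerated rather than writing an empty principal to the computer account.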


Additional Information

Formerly known as NETIQKB42306