Environment
Directory & Resource Administrator 8.5x
Directory & Resource Administrator 8.6x
Situation
Not able to connect to the DRA ADAM partition (replicas) on a trusted-domain secondary server.
Unable to create LDAP queries on the secondary server; an error message is thrown.
Not able to connect to the DRA partition through ADSI Edit with the ADAM admin credentials, even after restarting the DRA services.
Resolution
The requirements for ADAM admin account are documented in release notes.
Choosing an ADAM admin account
For Primary server:
The ADAM admin account should be a domain local security group of the domain of the primary server. The service accounts of all servers in the MMS should be members of this group.
For Secondary Server in same forest as Primary:
The group used for Primary or another group in the domain of the secondary server should be used. If a new group is created for secondary, then that group should have the service account of the secondary as a member. Service accounts of other servers in the MMS should be added before this secondary can be promoted.
For Secondary Server in a different forest (ENG230098 - Not able to connect to DRA partition (ADAM) on trusted domain secondary server):
A group in the domain of the secondary server should be used. This group should have the service account of the secondary as a member. Service accounts of other servers in the MMS should be added before this secondary can be promoted.
[Not Recommended]
A USER account can be used ONLY if ALL the following conditions are met:
1. All Servers in MMS are in same forest
2. the service accounts of ALL the servers are the same
3. the service accounts will not be changed
4. and the service account is the ADAM admin account.
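The group requirements above (domain local security group, with the service account of every server in the MMS as a member) can be checked before a secondary is promoted. The following PowerShell script is an added example, not part of the NetIQ article or the DRA product; it assumes the ActiveDirectory RSAT module is installed, and the group name, domain controller and service account names are placeholders to be replaced with the values used in your MMS.

```powershell
# Added example (not from the article): check that the group chosen as the DRA ADAM
# admin account meets the documented requirements for a primary or secondary server.
# All names below are placeholders, not values from the article.
Import-Module ActiveDirectory

$AdamAdminGroup     = 'DRA-ADAM-Admins'                  # placeholder: chosen ADAM admin group
$SecondaryDomainDC  = 'dc01.secondary.example'           # placeholder: a DC in the secondary's domain
$MmsServiceAccounts = @('PRIMARY\svc-dra-primary',       # placeholder: service accounts of every
                        'SECONDARY\svc-dra-secondary')   #   server in the MMS, DOMAIN\name form

function Test-DraAdamAdminGroup {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string]   $Server,
        [Parameter(Mandatory)] [string[]] $ServiceAccounts
    )

    $problems = New-Object System.Collections.Generic.List[string]

    # The group must live in the domain of the server being checked, so query a DC
    # of that domain; a group from a trusted forest would not be found here.
    $group = Get-ADGroup -Identity $GroupName -Server $Server -Properties GroupScope, GroupCategory

    # Requirement 1: domain local security group.
    if ($group.GroupScope -ne 'DomainLocal') {
        $problems.Add("Group '$GroupName' has scope $($group.GroupScope); expected DomainLocal.")
    }
    if ($group.GroupCategory -ne 'Security') {
        $problems.Add("Group '$GroupName' is a $($group.GroupCategory) group; expected Security.")
    }

    # Requirement 2: the service account of every MMS server is a direct member.
    # Members from a trusted forest appear as foreignSecurityPrincipal objects with
    # no SamAccountName, so resolve each member SID to DOMAIN\name for comparison.
    $memberNames = foreach ($m in Get-ADGroupMember -Identity $GroupName -Server $Server) {
        try {
            ([System.Security.Principal.SecurityIdentifier]$m.SID).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $m.SamAccountName   # fall back to the raw name if the SID cannot be translated
        }
    }

    foreach ($account in $ServiceAccounts) {
        $found = $memberNames | Where-Object { $_ -ieq $account }
        if (-not $found) {
            $problems.Add("Service account '$account' is not a member of '$GroupName'.")
        }
    }

    [pscustomobject]@{
        Group       = $group.DistinguishedName
        IsCompliant = ($problems.Count -eq 0)
        Problems    = $problems.ToArray()
    }
}

# Usage: run before promoting the secondary; an empty Problems list means the group
# satisfies the release-note requirements quoted in the article.
$result = Test-DraAdamAdminGroup -GroupName $AdamAdminGroup -Server $SecondaryDomainDC `
                                 -ServiceAccounts $MmsServiceAccounts
$result | Format-List
```

The script only reads directory data and reports; it does not change the group, the registry, or any DRA setting. Run it once against the primary's domain and once against each secondary's domain, since the article requires the group to be in the domain of the server it is configured for.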
If the admin accounts are not properly chosen for secondary servers, replication or access problems can occur.
Currently the only way to address this is by following these steps:
1. Stop the secondary server.
2. Uninstall the ADAM instance (optional, but there is no point keeping it).
3. Change the ADAM admin account in the registry.
4. Change the port numbers in the registry (only if step 2 was not done or there is some problem with the ports used).
5. Reset the "instance creation" flag in the registry to 0. (This signals the server to create an instance.)
6. Start the server.
7. Force an MMS sync or wait for the scheduled MMS sync to occur.
8. Verify that the new instance is created.
9. If the ADAM instance is still not accessible, restart the server.
Cause
Additional Information
See NETIQKB72804 for details on how to manually create an ADAM (ADLS) Instance.