Unable to connect to ADAM partition on a trusted domain Secondary DRA server (NETIQKB70610)

  • 7770610
  • 20-Aug-2007
  • 05-Jan-2012

Environment

Directory & Resource Administrator 8.5x
Directory & Resource Administrator 8.6x

Situation

Unable to connect to the DRA ADAM partition (replica) on a secondary DRA server in a trusted domain.

Attempting to create LDAP queries on the secondary server fails with an error message.

Unable to connect to the DRA partition through ADSI Edit with the ADAM admin credentials, even after restarting the DRA services.

Resolution

The requirements for the ADAM admin account are documented in the release notes.

Choosing an ADAM admin account

For the Primary server:

The ADAM admin account should be a domain local security group in the domain of the primary server. The service accounts of all servers in the MMS (Multi-Master Set) should be members of this group.

For a Secondary Server in the same forest as the Primary:

Either the group used for the Primary server or another group in the domain of the secondary server should be used. If a new group is created for the secondary, that group should have the service account of the secondary as a member. The service accounts of the other servers in the MMS should be added before this secondary can be promoted.

For a Secondary Server in a different forest: (ENG230098 - Not able to connect to DRA partition (ADAM) on trusted domain secondary server)

A group in the domain of the secondary server should be used. This group should have the service account of the secondary as a member. The service accounts of the other servers in the MMS should be added before this secondary can be promoted.

[Not Recommended]

A USER account can be used ONLY if ALL of the following conditions are met:

  1. All servers in the MMS are in the same forest
  2. The service accounts of ALL the servers are the same
  3. The service accounts will not be changed
  4. The service account is the ADAM admin account

If the admin accounts are not properly chosen for secondary servers, replication or access problems may occur.
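The following PowerShell check is added here as an example; it is not part of this KB article or of the DRA product. It verifies a candidate ADAM admin group against the requirements above before a secondary is promoted, and assumes the ActiveDirectory module is available and that the group name, the secondary server's domain and the service account SIDs are supplied by the caller (the function name and parameters are illustrative).

```powershell
# Added example, not NetIQ/DRA code: check that a group meets the ADAM admin
# group requirements for a DRA secondary server (security group in the
# secondary's own domain, with every MMS service account as a member).
Import-Module ActiveDirectory

function Test-DraAdamAdminGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,           # candidate ADAM admin group
        [Parameter(Mandatory)][string]$SecondaryDomain,     # DNS name of the secondary server's domain
        [Parameter(Mandatory)][string[]]$ServiceAccountSids # SIDs of the service accounts of all DRA servers in the MMS
    )
    $problems = @()

    # Query the secondary's domain directly so the group is resolved there, not via a GC
    $group    = Get-ADGroup -Identity $GroupName -Server $SecondaryDomain -Properties member
    $domainDn = (Get-ADDomain -Server $SecondaryDomain).DistinguishedName

    if ($group.GroupCategory -ne 'Security') {
        $problems += "$GroupName is a $($group.GroupCategory) group, not a security group"
    }
    if (-not $group.DistinguishedName.EndsWith($domainDn, 'OrdinalIgnoreCase')) {
        $problems += "$GroupName is not in the secondary server's domain ($SecondaryDomain)"
    }

    # Resolve members from the raw 'member' attribute rather than Get-ADGroupMember:
    # service accounts from a trusted forest appear as foreign security principals,
    # whose objectSid is the account's SID in its home forest.
    $memberSids = foreach ($dn in $group.member) {
        (Get-ADObject -Identity $dn -Server $SecondaryDomain -Properties objectSid).objectSid.Value
    }
    foreach ($sid in $ServiceAccountSids) {
        if ($memberSids -notcontains $sid) {
            $problems += "service account $sid is not a member of $GroupName"
        }
    }

    [pscustomobject]@{
        Group    = $group.DistinguishedName
        Scope    = $group.GroupScope   # the primary's group is required to be DomainLocal
        Problems = $problems
        Ok       = ($problems.Count -eq 0)
    }
}

# Constructed placeholder values; replace with the real group, domain and service account SIDs
Test-DraAdamAdminGroup -GroupName 'DRA ADAM Admins' -SecondaryDomain 'secondary.example.com' `
    -ServiceAccountSids @('S-1-5-21-PLACEHOLDER-PRIMARY-SVC', 'S-1-5-21-PLACEHOLDER-SECONDARY-SVC')
```

Run it as an account that can read the group in the secondary's domain; an empty Problems list means the group satisfies the membership and domain requirements listed above.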

Currently the only way to address this is to follow these steps:

  1. Stop the Secondary server.
  2. Uninstall the ADAM instance (optional, but there is no point in keeping it).
  3. Change the ADAM admin account in the registry.
  4. Change the port numbers in the registry (only if Step 2 was not done or there is a problem with the ports used).
  5. Reset the "instance creation" flag in the registry to 0. (This signals the server to create a new instance.)
  6. Start the server.
  7. Force an MMS sync or wait for the scheduled MMS sync to happen.
  8. Verify that the new instance is created.
  9. If the ADAM instance is still not accessible, restart the server.

Cause

The issue is that the ADAM Admins group for a secondary server in a different trusted forest from that of the primary should be a DOMAIN GROUP OF THE SAME DOMAIN AS THAT OF THE SECONDARY.

Additional Information

Formerly known as NETIQKB70610

See NETIQKB72804 for details on how to manually create an ADAM (ADLS) Instance.