ADAM instance creation on DRA servers in an untrusted Forest fails (NETIQKB70988)

  • 7770988
  • 18-Mar-2008
  • 18-Jan-2011

Environment

Directory & Resource Administrator 8.x

Situation

ADAM instance creation on DRA servers in an untrusted Forest fails

DRA 8.x versions cannot completely sync with secondary servers

Resolution

ADAM instance creation in an un-trusted forest

To add a Secondary DRA server to the Primary DRA server when the two servers are in untrusted domains, the ADAM instance must be created manually and then replicated. Before creating the ADAM instance, complete these steps:

  1. Uninstall the existing ADAM instance, if one is already installed.
  2. Create a local user account on both computers (the primary and the secondary DRA server) with an identical user account name and password.
  3. Add the user account created in step 2 to the local Administrators group on both the Primary and the Secondary DRA server.

Steps to create ADAM instance on Primary DRA server:

  1. Start installing the Primary ADAM instance.
    • For Windows 2003: To start the Active Directory Application Mode Setup Wizard, click Start, point to All Programs, point to ADAM, and then click Create an ADAM instance.
    • For Windows 2008 and above: Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services Setup Wizard.
  2. Launch the Create ADAM instance setup wizard and click "Next".
  3. Select the ADAM instance type "A unique instance" on the Setup Options page, and click "Next".
  4. On the Instance Name page, provide the DRA ADAM instance name that was specified during the DRA Primary server installation, and click "Next".
    • Note: If the ADAM instance is already installed, use this step to change the ADAM service account. You can change the ADAM service account after ADAM is installed by using the Dsmgmt command-line tool. When you install ADAM on a domain controller, you must select a domain user account as the ADAM service account.
  5. On the Ports page, provide the DRA ADAM ports specified during the DRA installation (i.e., the LDAP and SSL port numbers), and click "Next".
  6. On the Application Directory Partition page, provide the DRA partition name, i.e., DC=DRA,DC=COM, and click "Next".
  7. On the File Locations page, specify the file location for storing the ADAM instance information, and click "Next".
  8. On the Service Account Selection page, provide the username and password of the account from step 3 of the instructions above, and click "Next".
    • Note: A message states that the selected account does not have permission to run as a service and asks whether ADAM setup should add this permission to the account. Select Yes to continue.
  9. On the AD LDS Administrators page, select the same ADAM group that was specified during the DRA installation, and click "Next".
  10. Select the option "Do not import any LDIF files for this instance of ADAM" (do not select any LDIF files on the Import LDIF Files page, because DRA uses its own schema), and click "Next".
  11. Click "Next"; the ADAM instance installs. Click "Finish" and the ADAM instance is created.

After creating the ADAM instance, launch the ADAM ADSI Edit console and add the users (both the DRA service account and the local Windows account created in step 2 of the instructions above) to an ADAM group by following these steps:

  1. Connect to the ADAM instance's default naming context partition using the ADAM ADSI Edit console, as shown in the article's screenshot (not reproduced here).
  2. Expand the detail pane, i.e., DC=DRA,DC=COM of the ADAM partition, and go to the CN=Roles container.
  3. Open the Administrators property page in the result pane.
  4. In Attributes, click Member, and then click Edit.
  5. Click Add Windows Account, select the DRA service account and the ADAM account created in step 3 of the instructions above, and then click OK.
  6. Connect to the ADAM instance's configuration partition using ADAM ADSI Edit, as shown in the article's screenshot (not reproduced here).
  7. Expand the detail pane, i.e., DC=DRA,DC=COM of the ADAM partition, and go to the CN=Roles container.
  8. Add the DRA service account and the local Windows account (created in step 2 of the instructions above) to the ADAM account by repeating steps 3 to 5 of this section.
  9. Stop the NetIQ Administration service.
  10. Set the following DRA ADAM registry values to zero under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Modules\ServerConfiguration\ADAMConfiguration:
    • "AQSchemaExtensionsFlag"
    • "VASchemaExtensionsFlag"
    • "RootContainersFlag"
    • "AQSchemaExtensionVASupportFlag"
    • "SHConfigRootContainersFlag"
    • "SHConfigSchemaExtensionsFlag"
  11. Start the NetIQ Administration service.
  12. Add the secondary DRA server (the DRA server in the un-trusted forest) as a Secondary DRA server on the Primary DRA server.
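Steps 9 to 11 of the section above (stop the service, zero the six ADAMConfiguration flags, restart the service) as a PowerShell script for the Primary DRA server. This is an added example, not part of the NetIQ article or of the DRA product. It assumes the service can be matched by a display name beginning with "NetIQ Administration" and that the registry values already exist under the path the article gives; the article does not state the values' registry type, so the script reads each value's existing kind and writes a zero of the same kind rather than silently converting it.

```powershell
# Added example (not from the NetIQ article). Run in an elevated PowerShell
# session on the Primary DRA server after completing the ADSI Edit steps.
$ErrorActionPreference = 'Stop'

# Registry path taken from the article.
$keyPath = 'HKLM:\SOFTWARE\Mission Critical Software\OnePoint\Administration\Modules\ServerConfiguration\ADAMConfiguration'

# The six values the article says must be set to zero.
$flags = @(
    'AQSchemaExtensionsFlag',
    'VASchemaExtensionsFlag',
    'RootContainersFlag',
    'AQSchemaExtensionVASupportFlag',
    'SHConfigRootContainersFlag',
    'SHConfigSchemaExtensionsFlag'
)

if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key not found: $keyPath"
}

# Step 9: stop the NetIQ Administration service.
# Matching on display name is an assumption; the article names the service
# only by its display name.
$svc = Get-Service -DisplayName 'NetIQ Administration*' | Select-Object -First 1
if (-not $svc) { throw 'NetIQ Administration service not found on this host.' }
Stop-Service -Name $svc.Name
$svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Step 10: set each flag to zero, keeping the value's existing registry kind
# so a REG_SZ value is not turned into a REG_DWORD (or vice versa).
$key = Get-Item -Path $keyPath
foreach ($f in $flags) {
    if ($key.GetValueNames() -notcontains $f) {
        throw "Expected value '$f' is missing under $keyPath"
    }
    $kind = $key.GetValueKind($f)
    $old  = $key.GetValue($f)
    Write-Host ("{0} ({1}): {2} -> 0" -f $f, $kind, $old)

    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::String) {
        Set-ItemProperty -Path $keyPath -Name $f -Value '0' -Type String
    } else {
        Set-ItemProperty -Path $keyPath -Name $f -Value 0 -Type $kind
    }
}

# Step 11: start the service again and confirm every flag reads back as zero.
Start-Service -Name $svc.Name
$svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

$after   = Get-ItemProperty -Path $keyPath
$notZero = $flags | Where-Object { [int]$after.$_ -ne 0 }
if ($notZero) {
    throw "Flags still non-zero after update: $($notZero -join ', ')"
}
Write-Host 'All six ADAMConfiguration flags are 0 and the service is running.'
```

The script fails closed: if the key, any of the six values, or the service cannot be found it stops before changing anything, and the printed "old -> 0" lines give you the values to restore if the change has to be reverted.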

Steps to create ADAM instance on Secondary DRA server:

  1. On the Secondary DRA server, launch the Create ADAM instance setup wizard and click "Next".
  2. Select the ADAM instance type "A replica of existing instance" on the Setup Options page, and click "Next".
  3. On the Instance Name page, provide the DRA ADAM instance name that was specified during the DRA Secondary server installation, and click "Next".
  4. On the Ports page, provide the DRA ADAM ports specified during the DRA Secondary server installation (i.e., the LDAP and SSL port numbers), and click "Next".
  5. On the Joining Configuration page, provide the Primary server name and the Primary server's LDAP port number, and click "Next".
  6. On the Administrative Credentials page, select the option "This account", provide the credentials of the Primary server's local Windows account, and click "Next".
  7. On the Application Partition page, check the DRA partition name of the respective configuration set (here the Primary server's partition name), i.e., DC=DRA,DC=COM, and click "Next".
  8. On the File Locations page, specify the file location for storing the ADAM instance information, and click "Next".
  9. On the Service Account Selection page, provide the username and password of the Secondary server's account (created in step 2 of the instructions above), and click "Next".
    • Note: A message states that the selected account does not have permission to run as a service and asks whether ADAM setup should add this permission to the account. Select Yes to continue.
  10. On the AD LDS Administrators page, select the same ADAM group that was specified during the DRA installation, and click "Next".
  11. Click "Next"; the ADAM instance installs. Click "Finish" and the ADAM instance is created.
  12. Then add the local user account and the DRA service account of the Secondary server to the ADAM account by launching the ADSI Edit console on the Secondary server and repeating steps 1 to 7 of the ADSI Edit section above.

Cause

Default ADAM instance creation is inadequate in this configuration scenario.

Additional Information