AD fail resulting in ADAM Configuration set inaccessible. Help!

I have an external facing AD. When my ADAM instance was created, I made use of an AD group to be ADAM's Administrator. This AD group contains the AD-administrator.

Now my DC experienced a hardware failure, and the AD is lost. Unable to authenticate as administrator, I cannot connect to the ADAM Configuration Set. Can anyone help on how to recover this?

- At least be able to connect to configuration;
- Or reset the ACL;
- Or turn off secure options for password change;

For the worst, is there any way to export (ldifde etc.) all the ADAM users AND PASSWORD into a new ADAM setup? Password is needed so that it is transparent to user.

Last, is there any better idea to recover from this problem?

Thanks in advance

-- elibbis
------------------------------------------------------------------------
elibbis's Profile: http://forums.techarena.in/members/elibbis.htm
View this thread: http://forums.techarena.in/active-directory/1088461.htm

Hi
If you have lost your only DC then I would focus on getting that back. It's also a good safety net to have the Builtin Administrators group as a member of the ADAM administrators role.

On your questions:

- you should be able to bind to the ADAM instance using a Windows account local to the server that has the ADAM instance
- ACL or secure options for password change - not sure what you are asking here
- on data export - there is no way to export the passwords from the user objects in ADAM; you would need to reprovision them

If your AD is not coming back and you need to access the ADAM instance then you can try following my notes here [1]. If you have an ADAM configuration set then you may see replication negotiation problems between members of the configuration set in the absence of the DCs.

Lee Flight

[1] http://groups.google.co.uk/group/microsoft.public.active.directory.interfaces/browse_thread/thread/ade9cf248b0804b0/32cf8899463c4623?#32cf8899463c4623

Thanks again Lee Flight (when I 1st started my ADAM, I got lots of advice from you too).
So, an update. I am able to take ownership of my ADAM configuration set now. I can admin the configuration.

The next step will be to remove the failed (or orphaned) server. This is the 1st ADAM server and it performs the adamsync from my internal AD.

To remove the dead ADAM server (it is the 1st ADAM server), I use dsmgmt -> metadata cleanup and hit an error:

===================
dsmgmt: metadata cleanup
metadata cleanup:
metadata cleanup: connections
server connections:
server connections: connect to server localhost:50002
Binding to localhost:50002 ...
Connected to localhost:50002 using credentials of locally logged on user.
server connections:
server connections: quit
metadata cleanup:
metadata cleanup: select operation target
select operation target:
select operation target: list dom
Found 0 domain(s)
select operation target:
select operation target: list site
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={18CB4FC1-D6E2-44E7-B928-CB36C6FA7AE6}
select operation target:
select operation target: sel site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={18CB4FC1-D6E2-44E7-B928-CB36C6FA7AE6}
No current domain
No current server
No current Naming Context
select operation target:
select operation target: list servers in site
Found 2 server(s)
0 - CN=XCTLDS2$creative1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={18CB4FC1-D6E2-44E7-B928-CB36C6FA7AE6}
1 - CN=CTLEMI1$Creative2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={18CB4FC1-D6E2-44E7-B928-CB36C6FA7AE6}
select operation target:
select operation target: select server 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={18CB4FC1-D6E2-44E7-B928-CB36C6FA7AE6}
No current domain
Server - CN=XCTLDS2$creative1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={18CB4FC1-D6E2-44E7-B928-CB36C6FA7AE6}
DSA object - CN=NTDS Settings,CN=XCTLDS2$creative1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={18CB4FC1-D6E2-44E7-B928-CB36C6FA7AE6}
DNS host name - XCTLDS2.partners.creaf.com
No current Naming Context
select operation target:
select operation target: quit
metadata cleanup: remove selected server
DsRemoveDsServerW error 0x57(The parameter is incorrect.)
metadata cleanup:
metadata cleanup: remove selected server "CN=XCTLDS2$creative1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={18CB4FC1-D6E2-44E7-B928-CB36C6FA7AE6}" on localhost:50002
A global connection already exists. No arguments should be specified.
metadata cleanup:
=====================

In short, the errors:

1. using "remove selected server" generates DsRemoveDsServerW error 0x57(The parameter is incorrect.)
2. using "remove selected server %s on %s" generates A global connection already exists. No arguments should be specified.

Can anyone advise whether there is a way I can resolve the error and get my job done using dsmgmt?

If not, I am contemplating going to ADSIedit -> the ADAM Configuration Set and manually removing the objects. See the attachment; those in the red box are what I think should be removed. Am I missing out on anything?

Attachment: Configuration.jpg
Download: http://forums.techarena.in/attachment.php?attachmentid=7486

-- elibbis

Hi,
I'm not sure how we got on to metadata cleanup ... anyhow, to answer your question, dsmgmt is definitely the tool to use; other manual attempts at cleanup can be onerous. In ADAM SP1 the exact syntax for metadata cleanup and order of actions is important, and there is now a KB article that describes this [1]. Note that no "connections" are made inside dsmgmt, and also you need to know the name of the instance you are cleaning up, but you have that from your post.

Lee Flight

[1] http://support.microsoft.com/kb/958839