ALBPM Directory Service: Hybrid Configuration - MSAD Problems

I've successfully configured the Directory Service of an ALBPM (Enterprise Standalone) v6.0.4 #94069 installation to use a MS Active Directory (MSAD) service for ALBPM organization information. I can view participant, group and organizational unit information using the Process Administrator. However, I've noted:
- The MSAD is swamped with (successful) authentication requests from the ALBPM directory service, and I have had to stop the ALBPM 6.0 server to prevent disruption to our MSAD service.
- Repeated warning messages in the ALBPM log about MSAD Contacts, listed in MSAD Groups, that cannot be found as ALBPM Participants. These messages do not appear for MSAD Users who are correctly shown as ALBPM Participants.
- Repeated warning messages in the ALBPM log about MSAD Groups that cannot be found as ALBPM Groups where the MSAD Group definition is such that the MSAD sAMAccountName value for the group is different to the MSAD name or cn value.
Is anyone else using MSAD in their ALBPM directory service configuration? Have you seen similar issues? I've tried reporting this via Oracle Support, however, my impression is that other users do not have such problems using MSAD with ALBPM or Oracle BPM.
Thanks,
Rob

Hi Rob,
Have a read of this http://download.oracle.com/docs/cd/E13154_01/bpm/docs65/admin_guide/index.html if you are using groups.
I'm using Novell eDirectory instead of AD but am also seeing a large number of requests from BPM. However, I've not had time yet to investigate to what these relate.
Thanks,
Mike,

Similar Messages

  • Problem in configuring MS Win2003 AD as a Directory Service

    I am trying to configure MS Windows Server 2003 Active Directory as a Directory Service for Sun ONE Web Server 6.1
    I have made the following configuration at the Global Settings Page of the Administration Server :
    Directory Service ID : default
    Host Name : myhost.mydomain.mycountry
    Port : 389
    Use Secure Sockets Layer (SSL) for connections? : No
    Base DN : DC=mydomain,DC=mycountry
    Bind DN : CN=myuser,CN=Users,DC=mydomain,DC=mycountry
    Bind Password : mypassword
    Whatever I am trying to do at the Users and Groups Page of the Administration Server I am getting the following message :
    An error occurred while contacting the LDAP server.
    (Can't connect to the LDAP server)
    A connection to the directory server could not be opened. Contact your directory server administrator for assistance.
    The user myuser is member of the Administrators Group.
    I log on to the Sun ONE Web Server 6.1 as myuser.
    I know that Base DN and Bind DN are correct because I use them with Microsoft's LDP Tool. I don't know if the user lacks any privilege (although he is a member of the Administrators) or if I have to configure something else from the Administration Server.
    Any help on this problem would be appreciated very much.
    Thanks in advance

    Hi
    Are you able to use ACL (ACEs) in iPlanet after integrating ADS? The userId field is empty. How are you actually using this iPlanet integration with ADS in your application/in your company?
    Thanks!
    GV

  • ALBPM 5.7 BPM process admin issues with Oracle 11g RAC as directory service

    Hi,
    Setup ALBPM 5.7 enterprise for weblogic.
    BPM Engine deployed on weblogic cluster.
    BPM process admin (web console) deployed on tomcat.
    BPM process admin uses WEB-INF/directory.properties for directory configuration.
    things were fine with oracle SID,
    directory.default.url=oracle://<db_host>:1521/schema=diruser,sid=BPMDB { with this, login to process admin was working fine}
    But clueless on how to configure RAC as the directory service in the above directory.properties file. Since this is an old version, there is no directory.xml in the installation.
    Connection string:
    (DESCRIPTION =
    (LOAD_BALANCE = on)
    (FAILOVER = on)
    (ADDRESS = (PROTOCOL = TCP)(HOST = DB_HOST1)(PORT=1521))
    (ADDRESS = (PROTOCOL = TCP)(HOST = DB_HOST2)(PORT=1521))
    (CONNECT_DATA =
    (SERVICE_NAME = BPMDB)
    (FAILOVER_MODE =
    (TYPE = SELECT)
    (METHOD = BASIC)
    Please help how to use service name (above connection string) in directory.properties, to be able to login to process admin successfully.
    Thanks in advance,
    Swamy

    Using admin center, able to get the string to be used in directory.properties.
    FYI, the string looks like below,
    directory.default.url=oracle://customURL:0/schema=bpmdirectory,customURL=jdbc:oracle:thin:@(DESCRIPTION = (LOAD_BALANCE = on)(FAILOVER = on)(ADDRESS = (PROTOCOL = TCP)(HOST = DB_HOST1)(PORT=1521))(ADDRESS = (PROTOCOL = TCP)(HOST = DB_HOST2)(PORT=1521)) (CONNECT_DATA = (SERVICE_NAME = BPMDB.DOMAIN.COM) (FAILOVER_MODE = (TYPE = SELECT) (METHOD = BASIC))))

  • Shared Services: Multi-domain MSAD based configuration issue

    Hello to All,
    Can someone tell me how to configure MSAD to use two domains X and Y under one user directory D?
    My actual configuration is based on the domain X and provides some MSAD users groups in D user directory.
    But I need to provision another user that belongs to another AD in a foreign domain Y.
    A trusted relationship (approbation relationship) has been created between the two domains X and Y.
    Is this kind of multi-domain configuration allowed in Shared Services?
    If yes, how can I configure this?
    OS: Solaris
    Hyperion Shared Services 9.3.1
    Thanks in advance for your help

    There are a couple of ways:
    1) Add a new provider in Shared Services
    2) Modify your current provider to go to a higher level in your domain which will likely require different parameters on your existing Active Directory provider
    Option 2 is preferable if you see this will cascade and other domains will be needed and they are all under a global company domain.
    Regards,
    John A. Booth
    http://www.metavero.com

  • Shared Services hangs after MSAD configuration (9.2.0.2)

    Hi all,
    I am trying to configure MSAD with shared services. I successfully add the MSAD domain and then add it to the search order, being number 2 after native. I then restart HSS. When I go to open HSS or the framework login the whole thing just hangs. HSS does always start correctly. For testing purposes I am restoring the CSS file each time. I have tried 3 different user accounts so I doubt it is a permissions issue.
    I have also tried configuring the MSAD domain, restart HSS, then adding it to the search order and restarting HSS. It made no difference.
    Has anyone seen this before? The same domain has been added to a different instance of HSS on another server (DR) so I can't understand why it is hanging.
    Many thanks in advance,
    Nathan

    After extensive testing with Oracle Hyperion the root cause was running HSS as a service following the configuration with MSAD. The config framework page displayed 9.2.0.2 as the version when it was actually 9.2.0.3 as confirmed by the HSS console. Apparently this problem can happen in 9.2.0.3.
    Just thought I'd let you know the solution.
    Nathan

  • External User directory configuration MSAD

    Hi,
    I am trying to configure an MSAD External User directory in Hyperion Shared Services 9.3.1 and succeeded. After restarting Shared Services I am not able to find the MSAD directory in the user directories; it shows as below:
    Directory name     Directory Type   Search order
    Native Directory   NATIVE           1
    MSADDIR            MSAD             Not Used
    When I try to test the connection it shows as successful.
    Can anyone help me on this.
    Any help would be greatly appreciated.
    Regards
    PrakashV

    Hi Jhon,
    Thank you for your quick response.
    Previously I configured with OID and gave the server connection details only, and the OID configured successfully. Now I am trying to configure with MSAD and I have given only server connection details. I have not specified search details. At least it has to be visible at "User Directories" in Shared Services (left panel).
    If I had supplied any wrong information the test connection should not succeed. But the test is successful. Here are the details I have given.
    Server Info
    Directory Server: Microsoft
    Name: MSADDIR
    Hostname: <Server IP>
    Port : 389
    SSL enabled: <Not checked>
    Base DN: DC=<>, DC=local,
    ID Attribute: ObjectGUID
    Maxmum Size: 100
    Anonymous bind: <Not checked>
    Trusted: <Checked>
    User Info:
    append base DN: <Checked>
    User DN: cn=hyperion
    Password: <password>
    Please help me if you have any idea.
    Regards
    PrakashV

  • The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

    We are in the process of removing a child domain from the forest and are down to two DCs. These are both Server 2008r2 sp1 servers, one physical and virtual (PDC). When I try to remove a DC (not the PDC emulator) I get the following error:
    The operation failed because:
    Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=mydomain,DC=local to
    Active Directory Domain Controller \\V-Svr03.mydomain.local.
    The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."
    I have checked replication with repadmin /showrepl and all connections were successful. The dcdiag /test:kccEvent test on all servers passed.
    Most DCdiag tests are successful. The only failure is on NCSecDesc when running dcdiag /test:NCSecDesc
       Testing server: Default-First-Site\DC1-DEV-OFC
          Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=hookemup,DC=local
             ......................... DC1-DEV-OFC failed test NCSecDesc
    In researching this I find "If you do not plan to add an RODC to the forest, you can disregard this error."
    We have not successfully run ADprep /rodcPrep nor do we plan on having any Read-Only DCs, so I think we can ignore this error. We did try running ADprep /rodcPrep but got an LDAP error which I can duplicate if this is important.
    Schema and Naming FSMOs are on a DC higher in the forest. RID, PDC, and Infrastructure FSMOs for the child domain are on the Virtual server (PDC).
    Any guidance on where to go from here would be greatly appreciated as I have no more hair on my head to pull.

    Ok... I ran repadmin /showreps /v again and it shows no errors
    C:\>repadmin /showreps /v
    Default-First-Site\DC1-DEV-OFC
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: b294c59f-8b46-4133-89c5-0f30bfd49607
    DSA invocationID: 1054285d-cffe-42b4-8074-e2d44adbb151
    ==== INBOUND NEIGHBORS ======================================
    CN=Configuration,DC=mydomain,DC=local
        Default-First-Site\HESTIA via RPC
            DSA object GUID: b464fde9-29d7-4490-9582-fe9270050d50
            Address: b464fde9-29d7-4490-9582-fe9270050d50._msdcs.mydomain.local
            DSA invocationID: afea3845-9fa8-40a6-a477-84348a206348
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 16381490/OU, 16381490/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\V-SVR03 via RPC
            DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
            Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
            DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 114817/OU, 114817/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\V-SVR01 via RPC
            DSA object GUID: e2f794eb-9658-4bad-b695-3d8c08f46371
            Address: e2f794eb-9658-4bad-b695-3d8c08f46371._msdcs.mydomain.local
            DSA invocationID: 07bb0fe9-bca9-46d1-92ce-308d36da478d
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 66047/OU, 66047/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\ATHENA via RPC
            DSA object GUID: cb00a5b0-6dea-473c-bb42-19356dd9ed36
            Address: cb00a5b0-6dea-473c-bb42-19356dd9ed36._msdcs.mydomain.local
            DSA invocationID: 57313a9c-46a2-4b94-87cc-b3f91d54faed
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 8098197/OU, 8098197/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
    CN=Schema,CN=Configuration,DC=mydomain,DC=local
        Default-First-Site\ATHENA via RPC
            DSA object GUID: cb00a5b0-6dea-473c-bb42-19356dd9ed36
            Address: cb00a5b0-6dea-473c-bb42-19356dd9ed36._msdcs.mydomain.local
            DSA invocationID: 57313a9c-46a2-4b94-87cc-b3f91d54faed
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 8097482/OU, 8097482/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\V-SVR01 via RPC
            DSA object GUID: e2f794eb-9658-4bad-b695-3d8c08f46371
            Address: e2f794eb-9658-4bad-b695-3d8c08f46371._msdcs.mydomain.local
            DSA invocationID: 07bb0fe9-bca9-46d1-92ce-308d36da478d
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 65239/OU, 65239/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\V-SVR03 via RPC
            DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
            Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
            DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 114149/OU, 114149/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\HESTIA via RPC
            DSA object GUID: b464fde9-29d7-4490-9582-fe9270050d50
            Address: b464fde9-29d7-4490-9582-fe9270050d50._msdcs.mydomain.local
            DSA invocationID: afea3845-9fa8-40a6-a477-84348a206348
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 16381373/OU, 16381373/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
    DC=ForestDnsZones,DC=mydomain,DC=local
        Default-First-Site\V-SVR01 via RPC
            DSA object GUID: e2f794eb-9658-4bad-b695-3d8c08f46371
            Address: e2f794eb-9658-4bad-b695-3d8c08f46371._msdcs.mydomain.local
            DSA invocationID: 07bb0fe9-bca9-46d1-92ce-308d36da478d
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 66295/OU, 66295/PU
            Last attempt @ 2012-10-29 13:57:48 was successful.
        Default-First-Site\ATHENA via RPC
            DSA object GUID: cb00a5b0-6dea-473c-bb42-19356dd9ed36
            Address: cb00a5b0-6dea-473c-bb42-19356dd9ed36._msdcs.mydomain.local
            DSA invocationID: 57313a9c-46a2-4b94-87cc-b3f91d54faed
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 8098367/OU, 8098367/PU
            Last attempt @ 2012-10-29 13:58:13 was successful.
        Default-First-Site\V-SVR03 via RPC
            DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
            Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
            DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 115032/OU, 115032/PU
            Last attempt @ 2012-10-29 13:58:25 was successful.
        Default-First-Site\HESTIA via RPC
            DSA object GUID: b464fde9-29d7-4490-9582-fe9270050d50
            Address: b464fde9-29d7-4490-9582-fe9270050d50._msdcs.mydomain.local
            DSA invocationID: afea3845-9fa8-40a6-a477-84348a206348
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 16381653/OU, 16381653/PU
            Last attempt @ 2012-10-29 13:58:34 was successful.
    DC=mySUBdomain,DC=local
        Default-First-Site\V-SVR03 via RPC
            DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
            Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
            DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 114871/OU, 114871/PU
            Last attempt @ 2012-10-29 13:54:02 was successful.
    DC=DomainDnsZones,DC=mySUBdomain,DC=local
        Default-First-Site\V-SVR03 via RPC
            DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
            Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
            DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 114017/OU, 114017/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
    DC=mydomain,DC=local
        Default-First-Site\V-SVR03 via RPC
            DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
            Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
            DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
            USNs: 114017/OU, 114017/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\HESTIA via RPC
            DSA object GUID: b464fde9-29d7-4490-9582-fe9270050d50
            Address: b464fde9-29d7-4490-9582-fe9270050d50._msdcs.mydomain.local
            DSA invocationID: afea3845-9fa8-40a6-a477-84348a206348
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
            USNs: 16381614/OU, 16381614/PU
            Last attempt @ 2012-10-29 13:56:52 was successful.
        Default-First-Site\V-SVR01 via RPC
            DSA object GUID: e2f794eb-9658-4bad-b695-3d8c08f46371
            Address: e2f794eb-9658-4bad-b695-3d8c08f46371._msdcs.mydomain.local
            DSA invocationID: 07bb0fe9-bca9-46d1-92ce-308d36da478d
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
            USNs: 66325/OU, 66325/PU
            Last attempt @ 2012-10-29 13:58:34 was successful.
        Default-First-Site\ATHENA via RPC
            DSA object GUID: cb00a5b0-6dea-473c-bb42-19356dd9ed36
            Address: cb00a5b0-6dea-473c-bb42-19356dd9ed36._msdcs.mydomain.local
            DSA invocationID: 57313a9c-46a2-4b94-87cc-b3f91d54faed
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
            USNs: 8098385/OU, 8098385/PU
            Last attempt @ 2012-10-29 13:58:38 was successful.

  • Ramifications of assigning a wildcard certificate to the SMTP service (needed for Exchange 2010 Hybrid Configuration - Office 365)

    Hello All:
    I am receiving an error when I run the Manage Hybrid Configuration wizard - ERROR:Updating hybrid configuration failed with error 'Subtask NeedsConfiguration execution failed: Configure Recipient Settings. I have opened a SR, but figured I'd try the forums, too. I have a wildcard certificate from GoDaddy (MS says they support wildcards from GoDaddy) & that cert has only the IIS service applied to it on the CAS. I've read in the Exchange Server Deployment Assistant that it should have the SMTP & IIS services assigned to it, but my question is - SMTP on the CAS (separate server) or on the Mailbox/Hub Transport (separate server)? And what are the ramifications of assigning the SMTP service to, let's say, the CAS? We have had multiple issues every time the servers get updated/changed; I do not want to disrupt services further, as the Manage Hybrid Configuration will be done during business hours.
    If anyone can provide any assistance/clarification, it would be most appreciated.
    Thank you.

    Hi,
    We can enable a wildcard certificate with the SMTP service for an Exchange Hybrid Deployment. The SMTP service can be assigned to multiple certificates. For some Exchange services such as OWA, ECP, ActiveSync, Autodiscover service, OOF, it is used with the Exchange certificate with the IIS service. And usually only one certificate can be assigned the IIS service.
    Please just make sure your wildcard certificate can contain all namespaces which are used for all internal URL and external URL configuration in Exchange services. About how to import an existing wildcard certificate on the Exchange 2010 Hybrid servers, please refer to the "Import & Enable Third Party Certificate on Hybrid Servers" part in the following article:
    http://www.msexchange.org/articles-tutorials/office-365/exchange-online/configuring-exchange-hybrid-deployment-migrating-to-office-365-exchange-online-part9.html
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Regards,
    Winnie Liang
    TechNet Community Support
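
The reply above asks that the wildcard certificate cover every namespace used in the internal and external URLs. As an added example (not part of the thread), this Python check lists the URL host names that a set of certificate subject names does not cover, applying the usual rule that `*` stands for exactly one left-most label. The `contoso.example` names and URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample data: subject alternative names on the certificate and
# the internal/external URLs configured on the Exchange virtual directories.
CERT_SANS = ["*.contoso.example"]
EXCHANGE_URLS = [
    "https://mail.contoso.example/owa",
    "https://mail.contoso.example/ecp",
    "https://mail.contoso.example/Microsoft-Server-ActiveSync",
    "https://autodiscover.contoso.example/Autodiscover/Autodiscover.xml",
    "https://contoso.example/Autodiscover/Autodiscover.xml",
    "https://cas01.corp.contoso.example/EWS/Exchange.asmx",
]


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def san_matches(san, host):
    """Return True if one certificate name covers one host name.

    The wildcard is honoured only as the complete left-most label and
    replaces exactly one label, so '*.contoso.example' covers
    'mail.contoso.example' but neither 'contoso.example' nor
    'cas01.corp.contoso.example'. Partial wildcards such as 'f*.x.example'
    are treated as literal text and therefore never match a real host.
    """
    s, h = _labels(san), _labels(host)
    if len(s) != len(h):
        return False
    if s[0] == "*":
        # Refuse a wildcard directly under a top-level label ('*.example').
        return len(s) > 2 and s[1:] == h[1:]
    return s == h


def hosts_from_urls(urls):
    """Collect the distinct host names used in a list of URLs."""
    return {h for h in (urlsplit(u).hostname for u in urls) if h}


def uncovered_hosts(sans, urls):
    """Host names from the URLs that no certificate name covers."""
    return sorted(
        h for h in hosts_from_urls(urls)
        if not any(san_matches(s, h) for s in sans)
    )


if __name__ == "__main__":
    for host in uncovered_hosts(CERT_SANS, EXCHANGE_URLS):
        print("not covered by certificate:", host)
```

With the sample data, the apex name and the two-level-deep CAS name are reported, which is the usual way a wildcard certificate ends up producing name-mismatch warnings after it is assigned.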

  • Meeting Place 8.5.3.4 - Change Directory Service Configuration

    Hi Support Community
    We have 3 CUCM clusters version 8.6.2
    We have 1 Meeting Place 8.5.3.4 cluster with a primary and standby server
    Meeting Place has directory service integration with 1 of the CUCM clusters and performs all user sync and authentication via AXL / LDAP
    We now need to change the Meeting Place configuration for AXL server, used for authentication and sync, to another CUCM cluster, this will use exactly the same LDAP search base so all users and details will remain the same in CUCM and therefore we want nothing to change in Meeting Place so all users should remain the same with the same configuration and all meetings should remain the same.
    It looks straight forward to change the AXL URL but then we discovered the below from the Meeting Place configuration guide :
    " user updates, imports, and deletions are not supported from a redundant Cisco Unified Communications Manager, even if it is integrated with the same LDAP directory as the primary Cisco Unified Communications Manager. This is because Directory Service user updates are tied to a field that is unique to each Cisco Unified Communications Manager server."
    So we need to know how we go about changing the directory service configuration to point to another CUCM cluster for authentication and synchronization whilst keeping Meeting Place users and meetings in the Database unchanged.
    Any help will be greatly appreciated.
    Thanks, Carl Ratcliffe

    Hi Carl,
    I've just received a final update. If you want to point your Directory Integration to a different CUCM server that is holding the same user database and runs AXL service, you should be able to just change the AXL URL on MP and point to this new server. After this change is made and saved, we recommend restarting services on MeetingPlace (SSH to the server with mpxadmin account, changing to 'root', and running 'mpx_sys restart' command). Once the services are restarted and system comes back up, go to User Configuration > Directory Service > Directory Service Configuration and perform a Full Sync (make sure that Profile Number setting under Profile Number Configuration section is set to New users only in order to avoid any profile # change if any of the user profiles in CUCM was updated in the meantime)
    Please, let me know of any questions you might have.
    Thank you.
    -Dejan

  • Event ID 12294-Directory-Services-SAM Problem

    Good day,
    I have users that have accounts that keep getting locked out for no apparent reason.
    Event ID 12294 Directory-Services-Sam, "The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data). Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account"
    The Windows 2008 R2 is up to date and we also updated our antivirus. Do you have an idea how to fix it? I'm unlocking users all day.
    Many thanks
    regards
    e

    Hello,
    It seems that your account is under attack using a brute force method. Since Administrator account cannot be locked out this event is triggered. Similar thread and more info on the links below:
    Event ID 12294-Directory-Services-Sam Error
    Event ID: 12294 Source: SAM
    Regards.
    Mahdi Tehrani | www.mahditehrani.ir
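
The reply above attributes event 12294 to password guessing against the built-in Administrator account. As an added example (not part of the thread), this Python function ranks the sources of failed logons for one account so the machine sending the bad passwords can be identified. It assumes Security-log event 4625 records have already been exported as dictionaries using that event's field names; the sample records, addresses and host names are constructed.

```python
from collections import defaultdict
from datetime import datetime

BAD_PASSWORD = "0xc000006a"  # 4625 SubStatus: account exists, wrong password
NO_SUCH_USER = "0xc0000064"  # 4625 SubStatus: account name does not exist


def _ev(ts, user, ip, host, sub, eid=4625):
    """Build one constructed event record (field names follow event 4625)."""
    return {"TimeCreated": ts, "EventID": eid, "TargetUserName": user,
            "IpAddress": ip, "WorkstationName": host, "SubStatus": sub}


# Constructed sample: one internal workstation retrying every 30 seconds and
# one external address cycling through several account names.
SAMPLE_EVENTS = [
    _ev("2014-03-21T09:00:00", "Administrator", "10.0.5.23", "WS-FINANCE07", BAD_PASSWORD),
    _ev("2014-03-21T09:00:05", "administrator", "203.0.113.44", "-", BAD_PASSWORD),
    _ev("2014-03-21T09:00:06", "admin", "203.0.113.44", "-", NO_SUCH_USER),
    _ev("2014-03-21T09:00:07", "test", "203.0.113.44", "-", NO_SUCH_USER),
    _ev("2014-03-21T09:00:09", "Administrator", "203.0.113.44", "-", BAD_PASSWORD),
    _ev("2014-03-21T09:00:30", "Administrator", "10.0.5.23", "WS-FINANCE07", BAD_PASSWORD),
    _ev("2014-03-21T09:01:00", "Administrator", "10.0.5.23", "WS-FINANCE07", BAD_PASSWORD),
    _ev("2014-03-21T09:01:30", "Administrator", "10.0.5.23", "WS-FINANCE07", BAD_PASSWORD),
    _ev("2014-03-21T09:02:00", "Administrator", "10.0.5.23", "WS-FINANCE07", "0x0", eid=4624),
]


def failed_logon_sources(events, account):
    """Rank sources of wrong-password failures for one account.

    Returns one dict per (IpAddress, WorkstationName) pair, most failures
    first. 'other_accounts_tried' lists further account names that failed
    from the same source: an empty list with evenly spaced failures points
    at a stale saved credential, several names point at guessing.
    """
    wanted = account.lower()
    by_source = defaultdict(lambda: {"times": [], "accounts": set()})
    for ev in events:
        if ev["EventID"] != 4625:
            continue  # only failed logons are of interest here
        src = by_source[(ev["IpAddress"], ev["WorkstationName"])]
        user = ev["TargetUserName"].lower()
        src["accounts"].add(user)
        if user == wanted and ev["SubStatus"].lower() == BAD_PASSWORD:
            src["times"].append(datetime.fromisoformat(ev["TimeCreated"]))

    report = []
    for (ip, host), src in by_source.items():
        if not src["times"]:
            continue  # this source never failed against the account
        span = (max(src["times"]) - min(src["times"])).total_seconds()
        report.append({
            "ip": ip,
            "workstation": host,
            "failures": len(src["times"]),
            "span_seconds": span,
            "other_accounts_tried": sorted(src["accounts"] - {wanted}),
        })
    return sorted(report, key=lambda r: r["failures"], reverse=True)


if __name__ == "__main__":
    for row in failed_logon_sources(SAMPLE_EVENTS, "Administrator"):
        print(row)
```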

  • Updating hybrid configuration failed - Kerberos authentication: The network path was not found

    I'm configuring Exchange 2010 SP3 as a Hybrid server with Exchange Online. This is a single server running Exchange roles Mailbox, Client Access, Unified Messaging and Hub Transport.
    When I run the Manage Hybrid Configuration, I receive the following error:
    Updating hybrid configuration failed with error
    'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The network
    path was not found.
    The full text from the Hybrid Configuration log file (C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration)
    [1/5/2014 21:21:1] INFO:Opening runspace to http://[servername]/powershell?serializationLevel=Full
    [1/5/2014 21:21:1] INFO:Disconnected from On-Premises session
    [1/5/2014 21:21:1] ERROR:Updating hybrid configuration failed with error 'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following
    error occured while using Kerberos authentication: The network path was not found. 
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
       at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
       at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
       at System.Management.Automation.Runspaces.RunspacePool.Open()
       at System.Management.Automation.RemoteRunspace.Open()
       at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.Connect(PSCredential credentials, CultureInfo sessionUiCulture)
       at Microsoft.Exchange.Management.Hybrid.Engine.Execute(ILogger logger, String onPremPowershellHost, PSCredential onPremCredentials, PSCredential tenantCredentials, HybridConfiguration hybridConfiguration)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.UpdateHybridConfiguration.InternalProcessRecord()'.
    I have sought help, posting on the forum at community.office365.com -
    http://community.office365.com/en-us/forums/158/t/212265.aspx. But I've got to a point where I believe the problem is more to do with how PowerShell is operating on the on-prem Exchange server.
    Has anyone else come across this problem running the Hybrid Configuration Wizard?

    Hello Darrell,
    Have you verified the settings of Powershell virtual directories for the on-premises Exchange Servers? The following article has a list of some common issues with that virtual directory and how to correct them:
    http://technet.microsoft.com/en-us/library/ff607221(v=exchg.80).aspx
    I would take a look at the one titled "Configure Kerberos Authentication" specifically to ensure everything looks good.
    As the article states you can run the Exchange BPA and it will check if any of these exist as well.

  • Unable to print from MS Word: "The Directory Service is currently unavailable"

    Hi! I hope you can help me. Please note that I have a Windows XP computer (Home Edition, Version 2002, Service Pack 3, 32-bit). When I initially installed a Brother printer (model# MFC-J475DW) in Dec 2013, I had no problems printing documents. My problems
    started about 2 days ago. I got an error message after I opened a MS Word document (.doc) and clicked the Print button to print a document. The Printer "Name" field was empty.  I clicked the dropdown box in that window and saw 3 options:
    1 - Brother MFC-J475DW Printer
    2 - Brother PC-FAX v.3.2
    3 - PaperPort Image Printer
    When I selected "Brother MFC-J475DW Printer," a Microsoft Word dialog box appeared, saying the following:
    "The printer has not yet responded, but the Microsoft Office program may be able to proceed without printer information. Do you want to continue to wait for the printer?"
    I can either click on a Yes button or a No button. Either way, I'm brought back to the Print page. When I click on the OK button to start printing, another error message appears:
    "Windows cannot print due to a problem with the current printer setup. Try one or more of the following:
    *Check the printer by printing a test page from Windows.
    *Make sure the printer is turned on and online.
    *Reinstall the printer driver."
    I have a choice to click either OK or Web Help. I click the OK button to close the box, then return to the Print page. When I click on the "Find Printer..." button, the Find Printers window appears for a moment, then is replaced by this error message:
    "The Directory Service is currently unavailable"
    On Friday (Mar 21), when the error first occurred, I was able to print a letter in MS Word after un- and re-installing the Brother printer and its drivers. The problem reappeared the next day (Saturday). I don't want to do that every time to print a single
    page, so would you please recommend a solution?
    By the way, I am able to print a test page from the printer in Control Panel, and I can print from a Notepad document. Also, when I go to the Control Panel, select "Printers and Faxes," then right-click on the printer (Brother MFC-J475DW Printer),
    then select the Ports page, there's a check mark next to USB001 (not LPT1 or COM1). When I click on the "Configure Port..." button, I get this error message:
    "An error occurred during port configuration. This operation is not supported."
    Earlier today, I got a reply from brother.com's tech support (thanks to the 1 year warranty). They said the problem is on my PC, not their printer. However, they provided links to completely uninstall the printer, then reinstall it. I did just that, but
    the problem persists. I'll download OpenOffice.org's Office Suite to see if I can print documents with their software instead of MS Word. Until then, I await any suggestions.
    I hope this info is helpful. Thanks in advance for your help.

    I downloaded OpenOffice and am able to print documents (in particular, the same document I created in MS Word). I guess MS Word is to blame. I believe the issue is concluded, but I'd welcome any comments about the Active Directory, as I might have a problem
    with OpenOffice in the future regarding that.

  • Starting single sign-on and directory service

    I am trying to install Oracle 9i infrastructure on my clean win2000 box with 2.4 GHz proc and 1GB RAM.
    I am getting failure messages for the following:
    infrastructure instance configuration assistant: failed
    oracle 9i application server randomize password: failed
    single sign on configuration assistant: failed
    infrastructure mod-osso configuration assistant: failed
    OPMN configuration assistant: failed
    log file says:
    Configuration failed for IAS
    IAS Instance creation failed
    Configuration failed for JAZN
    JAZN configuration failed: unable to establish a directory context.
    Configuration succeeded for IASProperty
    Configuration failed for IAS
    Configuration failed for JAZN
    After which single sign-on and directory service don't start, which means no connectivity :(
    Can somebody please guide me about how to avoid this failure in installation or how to manually start these after installation?
    It would be a great help.
    ashish

    Hi,
    we're having exactly the same problem.
    Could you tell me what the problem is with the network?
    You say configure it properly, but what do you mean?
    It's installed on a Windows 2000 Server machine, its own DNS.
    Thanks,
    Yuri Arts

  • Active Directory Services Can't Connect to Domain

    I removed Active Directory services from a server running 2012. I then went to reinstall and reconfigure it, but I keep running into issues. When I launch active directory admin center it gives me an error that it can't connect to any domain, and I can't
    make any changes. The local server has already been promoted to the domain controller. Here is the output from dcdiag:
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = ACSSVR
       * Identified AD Forest. 
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\ACSSVR
          Starting test: Connectivity
             ......................... ACSSVR passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\ACSSVR
          Starting test: Advertising
             Fatal Error:DsGetDcName (ACSSVR) call failed, error 1355
             The Locator could not find the server.
             ......................... ACSSVR failed test Advertising
          Starting test: FrsEvent
             ......................... ACSSVR passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems. 
             ......................... ACSSVR failed test DFSREvent
          Starting test: SysVolCheck
             ......................... ACSSVR passed test SysVolCheck
          Starting test: KccEvent
             A warning event occurred.  EventID: 0x80000B46
                Time Generated: 03/02/2015   12:00:00
                Event String:
                The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification)
    and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. 
             A warning event occurred.  EventID: 0x80000734
                Time Generated: 03/02/2015   12:00:37
                Event String:
                The local domain controller could not connect with the following domain controller hosting the following directory partition to resolve distinguished names. 
             ......................... ACSSVR passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... ACSSVR passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... ACSSVR passed test MachineAccount
          Starting test: NCSecDesc
             ......................... ACSSVR passed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\ACSSVR\netlogon)
             [ACSSVR] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
             ......................... ACSSVR failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... ACSSVR passed test ObjectsReplicated
          Starting test: Replications
             ......................... ACSSVR passed test Replications
          Starting test: RidManager
             ......................... ACSSVR passed test RidManager
          Starting test: Services
             ......................... ACSSVR passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/02/2015   11:21:34
                Event String:
                Name resolution for the name teredo.ipv6.microsoft.com. timed out after none of the configured DNS servers responded.
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/02/2015   11:21:58
                Event String:
                The WinRM service is not listening for WS-Management requests. 
             An error event occurred.  EventID: 0xC0001B58
                Time Generated: 03/02/2015   11:26:01
                Event String:
                The Vstor2 Virtual Storage Driver service failed to start due to the following error: 
             An error event occurred.  EventID: 0xC0001B58
                Time Generated: 03/02/2015   11:26:01
                Event String:
                The Vstor2 MntApi 2.0 Driver (shared) service failed to start due to the following error: 
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/02/2015   11:26:16
                Event String:
                Name resolution for the name teredo.ipv6.microsoft.com. timed out after none of the configured DNS servers responded.
             An error event occurred.  EventID: 0x0000002E
                Time Generated: 03/02/2015   11:34:32
                Event String:
                The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.
             An error event occurred.  EventID: 0xC0001B6F
                Time Generated: 03/02/2015   11:34:32
                Event String:
                The Windows Time service terminated with the following error: 
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/02/2015   11:35:01
                Event String:
                The WinRM service is not listening for WS-Management requests. 
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/02/2015   11:39:08
                Event String:
                Name resolution for the name _ldap._tcp.dc._msdcs.ACS.local. timed out after none of the configured DNS servers responded.
             An error event occurred.  EventID: 0xC0001B58
                Time Generated: 03/02/2015   11:39:27
                Event String:
                The Vstor2 Virtual Storage Driver service failed to start due to the following error: 
             An error event occurred.  EventID: 0xC0001B58
                Time Generated: 03/02/2015   11:39:27
                Event String:
                The Vstor2 MntApi 2.0 Driver (shared) service failed to start due to the following error: 
             A warning event occurred.  EventID: 0x000727AA
                Time Generated: 03/02/2015   11:39:40
                Event String:
                The WinRM service failed to create the following SPNs: WSMAN/ACSSVR.ACS.local; WSMAN/ACSSVR. 
             A warning event occurred.  EventID: 0x0000000C
                Time Generated: 03/02/2015   11:39:39
                Event String:
                Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in
    the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the
    authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
             A warning event occurred.  EventID: 0xC000042B
                Time Generated: 03/02/2015   11:42:01
                Event String:
                The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
             An error event occurred.  EventID: 0x00000469
                Time Generated: 03/02/2015   11:44:31
                Event String:
                The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain
    controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
             An error event occurred.  EventID: 0x00000469
                Time Generated: 03/02/2015   11:45:05
                Event String:
                The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain
    controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
             An error event occurred.  EventID: 0x0000168F
                Time Generated: 03/02/2015   11:55:22
                Event String:
                The dynamic deletion of the DNS record 'ACS.acsolutionsinc.net. 600 IN A 192.168.56.1' failed on the following DNS server:  
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/02/2015   11:55:22
                Event String:
                Name resolution for the name acsolutionsinc.net timed out after none of the configured DNS servers responded.
             An error event occurred.  EventID: 0x0000168F
                Time Generated: 03/02/2015   11:55:47
                Event String:
                The dynamic deletion of the DNS record '_ldap._tcp.ACS.acsolutionsinc.net. 600 IN SRV 0 100 389 ACSSVR.ACS.acsolutionsinc.net.' failed on the following DNS server:  
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/02/2015   11:55:53
                Event String:
                The WinRM service is not listening for WS-Management requests. 
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/02/2015   11:55:53
                Event String:
                Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ACS.local. timed out after none of the configured DNS servers responded.
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/02/2015   11:59:53
                Event String:
                Name resolution for the name _ldap._tcp.dc._msdcs.ACS.local. timed out after none of the configured DNS servers responded.
             An error event occurred.  EventID: 0xC0001B58
                Time Generated: 03/02/2015   12:00:13
                Event String:
                The Vstor2 Virtual Storage Driver service failed to start due to the following error: 
             An error event occurred.  EventID: 0xC0001B58
                Time Generated: 03/02/2015   12:00:13
                Event String:
                The Vstor2 MntApi 2.0 Driver (shared) service failed to start due to the following error: 
             A warning event occurred.  EventID: 0x000727AA
                Time Generated: 03/02/2015   12:00:25
                Event String:
                The WinRM service failed to create the following SPNs: WSMAN/ACSSVR.ACS.local; WSMAN/ACSSVR. 
             A warning event occurred.  EventID: 0x0000000C
                Time Generated: 03/02/2015   12:00:25
                Event String:
                Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in
    the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the
    authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
             A warning event occurred.  EventID: 0xC000042B
                Time Generated: 03/02/2015   12:02:47
                Event String:
                The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
             An error event occurred.  EventID: 0x00000469
                Time Generated: 03/02/2015   12:05:17
                Event String:
                The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain
    controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
             An error event occurred.  EventID: 0x00000469
                Time Generated: 03/02/2015   12:05:17
                Event String:
                The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain
    controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
             ......................... ACSSVR failed test SystemLog
          Starting test: VerifyReferences
             ......................... ACSSVR passed test VerifyReferences
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : ACS
          Starting test: CheckSDRefDom
             ......................... ACS passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ACS passed test CrossRefValidation
       Running enterprise tests on : ACS.local
          Starting test: LocatorCheck
             Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
             A Global Catalog Server could not be located - All GC's are down.
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
             1355
             A Good Time Server could not be located.
             Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
             A KDC could not be located - All the KDCs are down.
             ......................... ACS.local failed test LocatorCheck
          Starting test: Intersite
             ......................... ACS.local passed test Intersite
    I've been trying to debug errors one at a time, but I'm having a hard time finding any information that pertains to this issue as a whole. Anything you can tell me about this would be great, thank you for reading. 

    It was the only server in the network, the only dc in the old forest. When I re-installed ad ds I gave the new forest a different name, but I guess the old settings are still in the system somewhere conflicting with the new setup? Is there a way to
    purge the old setup entirely and start over with ad ds, or am I going to have to re-install the whole OS? Thanks again for the help.
    Honestly, the best way to handle this is to rebuild the server. There are many things that are "left behind" when you remove the Domain / Forest from a Domain Controller. In fact many articles will say after using ADMT (active directory migration
    tool) you should decommission the original Domain Controller (aka reinstall the OS).
    While you could spend more time trying to get that domain controller working, it absolutely is going to be 1) More reliable 2) faster to reinstall the OS on the old domain controller. If you are still leveraging storage, or services on that domain controller,
    you will want to back them up, or have a transition plan before reinstalling everything on the server. I have a feeling if you choose to keep troubleshooting this, you will run into more issues down the road.
    Entrepreneur, Strategic Technical Advisor, and Sr. Consulting Engineer - Strategic Services and Solutions Check out my book - Powershell 3.0 - WMI: http://amzn.to/1BnjOmo | Mastering PowerShell Coming in April 2015!
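
A triage sketch for dcdiag output like the one posted in this thread, added here as an example and not part of any poster's message: it lists the failed tests, counts events by ID, pulls out the DC-locator names whose DNS lookups timed out, and flags the LDAP signing advisory (EventID 0x80000B46). The sample text is a constructed, shortened excerpt in the same shape, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: shortened excerpt shaped like the dcdiag output in the thread.
SAMPLE = """\
      Starting test: Advertising
         Fatal Error:DsGetDcName (ACSSVR) call failed, error 1355
         ......................... ACSSVR failed test Advertising
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000B46
            Time Generated: 03/02/2015   12:00:00
            Event String:
            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification)
and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.
         ......................... ACSSVR passed test KccEvent
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 03/02/2015   11:39:08
            Event String:
            Name resolution for the name _ldap._tcp.dc._msdcs.ACS.local. timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 03/02/2015   11:59:53
            Event String:
            Name resolution for the name _ldap._tcp.dc._msdcs.ACS.local. timed out after none of the configured DNS servers responded.
         ......................... ACSSVR failed test SystemLog
"""

RESULT = re.compile(r"\.{5,}\s+(\S+) (passed|failed) test (\S+)")
EVENT = re.compile(r"An? (warning|error) event occurred\.\s+EventID: (0x[0-9A-Fa-f]+)")
DNS_TIMEOUT = re.compile(r"Name resolution for the name (\S+?)\.? timed out")
LDAP_ADVISORY = "LDAP binds that do not request signing"

def parse_dcdiag(text):
    """Return ({(subject, test): 'passed'|'failed'}, [event dicts])."""
    results, events = {}, []
    current, in_string = None, False
    for raw in text.splitlines():
        line = raw.strip()
        verdict = RESULT.search(line)
        event = EVENT.search(line)
        if verdict or line.startswith("Starting test:"):
            if verdict:
                results[(verdict.group(1), verdict.group(3))] = verdict.group(2)
            current, in_string = None, False
        elif event:
            current = {"severity": event.group(1), "id": int(event.group(2), 16), "text": ""}
            events.append(current)
            in_string = False
        elif current is not None and line.startswith("Event String:"):
            in_string = True
        elif current is not None and in_string and line:
            # Event strings are hard-wrapped in the paste; rejoin continuation lines.
            current["text"] = (current["text"] + " " + line).strip()
    return results, events

def triage(text):
    results, events = parse_dcdiag(text)
    unresolved = Counter()
    for ev in events:
        hit = DNS_TIMEOUT.search(ev["text"])
        if hit:
            unresolved[hit.group(1).lower()] += 1
    return {
        "failed": sorted(key for key, verdict in results.items() if verdict == "failed"),
        "event_counts": Counter(ev["id"] for ev in events),
        # _msdcs names are used to locate DCs; timeouts on them are consistent
        # with the DsGetDcName failures (error 1355) in the same output.
        "locator_names": sorted(n for n in unresolved if "_msdcs." in n),
        "ldap_signing_advisory": any(LDAP_ADVISORY in ev["text"] for ev in events),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against a saved dcdiag report by passing the file's text to `triage()` in place of `SAMPLE`.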

  • Parties and Services in Configuration Scenarios

    Hi,
    I think I understand the distinctions between parties, business-systems, and -services.
    If I define an integration scenario in the repository and check the checkbox b2b-communication, I have to use parties in the directory integration scenario configurator.
    Do I then also have to provide a partner for my own company and assign my business-systems and services under this node? I otherwise get problems when I assign the services to the application systems in the configurator and my receiver determinations get wrong.
    Any thoughts and information about this topic are welcome.
    Thanks,
    Hans

    Hi Hans,
    it is not necessary to define your 'own' party if you only have 'intra-enterprise message exchange'. The big deal about parties is the possibility to define 'additional' IDs like DUNS-numbers to the Party - this is necessary whenever an Adapter is used that requires specific IDs (these are typically B2B Adapters only). The Receiver-Adapter (for messages coming into the Integration Server) will map from an additional ID to the XI-Party name and the Sender Adapter (for messages sent out of the IS) will map from the XI-Party name to the additional ID as defined within the Sender channel.
    In other words: parties are needed, whenever one Communication Partner's message format expects meaningful values according to a specific schema - not only in the payload but also in the message header (like RNIF).
    Please be also aware, that the Scenario Configurator tries to capture typical use cases - it can not handle everything so it is possible that one has to change objects afterwards.
    regards, frank
