
Connecting DRA to a different domain


Hi!

At the moment, we have DRA installed in our own company domain. We'd like
to actually manage a customer's domain with it too. I've added the
customer's domain into the managed domains. I've set it to connect to a
specific domain controller on the domain (which is the PDC; the
firewalls don't allow connecting to all of the customer's domain
controllers at the moment).

If I look at the properties of the customer domain, the general tab
says:
DNS Name: Customer.local
Name (Pre-Windows 2000): customerlocal
Domain type: Windows Server 2003 domain
Status: ok
Connect to a domain controller: \\PDC

It seems I can create and manage users just fine, reset passwords, add
users to groups. But the member-of table is empty. Also, if I check the
Incremental Accounts Cache:
unspecified error
Time of last successful sync: (this morning)
Time of last attempt: (half an hour ago)

A possible reason for my troubles could be DNS and that some of the
customer network segments are not accessible.
If I use our own domain controller as the DNS, then I could use the hosts
file for name resolution for the customer domain? Also, if I set the
customer's PDC as the DNS server, it sometimes returns one of the
customer domain controllers that we cannot reach because of the
firewalls. So I suppose the hosts file will be the way to go?
At the moment I've added the following lines to the hosts file:
10.x.x.x customer.local dc3.customer.local
10.x.x.x dc4.customer.local

I'm just getting confused here, since it seems to work and not work at
the same time. Any ideas? I suppose someone must have set this up in a
multi-forest environment.
And yes, I'm totally new to DRA 🙂


--
oksanto
------------------------------------------------------------------------
oksanto's Profile: https://forums.netiq.com/member.php?userid=6507
View this thread: https://forums.netiq.com/showthread.php?t=49513
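The post above pins DRA to one reachable DC while DNS (or the customer's PDC acting as DNS) may still hand back DCs that the firewall blocks. The script below is an added diagnostic, not part of DRA or the original post: run on the DRA server, it lists the DCs that DNS advertises for the managed domain, shows the hosts-file entries that override them, and tests TCP reachability of the pinned DC and of every advertised DC. The domain and DC names are the ones from the post; the port list is an assumption about what DRA needs (Kerberos, RPC endpoint mapper, LDAP, SMB, Global Catalog) and should be checked against the DRA documentation for your version.

```powershell
# Added example, not DRA's own tooling. Assumptions: executed on the DRA server with the
# DnsClient and NetTCPIP modules (Windows Server 2012+); port list is assumed, verify it.
param(
    [string]$Domain   = 'customer.local',        # managed domain from the post
    [string]$PinnedDc = 'dc3.customer.local',    # the DC chosen under "Connect to a domain controller"
    [int[]] $Ports    = @(88, 135, 389, 445, 3268)  # assumed: Kerberos, RPC mapper, LDAP, SMB, GC
)

function Test-DcReachability {
    # Resolves one DC name (hosts file + DNS, as the OS resolver would) and TCP-tests each port.
    param([string]$HostName, [int[]]$Ports)
    $row = [ordered]@{ Host = $HostName }
    try {
        $row.Addresses = ([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }) -join ','
    } catch {
        $row.Addresses = 'UNRESOLVED'
    }
    foreach ($p in $Ports) {
        # -InformationLevel Quiet returns a plain $true/$false for the TCP handshake
        $row["Tcp$p"] = Test-NetConnection -ComputerName $HostName -Port $p `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]$row
}

# 1. Hosts-file overrides for the managed domain (the workaround discussed in the post).
$hostsPath  = "$env:SystemRoot\System32\drivers\etc\hosts"
$hostsLines = Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match [regex]::Escape($Domain) }
Write-Host "hosts entries for ${Domain}:"
$hostsLines | ForEach-Object { Write-Host "  $_" }

# 2. DCs that DNS advertises for the domain via the LDAP SRV record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$advertised = @($srv | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique)
Write-Host "DCs advertised via SRV for ${Domain}: $($advertised -join ', ')"

# 3. Reachability: the pinned DC first, then every other advertised DC.
$targets = @($PinnedDc) + @($advertised | Where-Object { $_ -ne $PinnedDc })
$report  = $targets | ForEach-Object { Test-DcReachability -HostName $_ -Ports $Ports }
$report | Format-Table -AutoSize

foreach ($row in $report) {
    $blocked = @($Ports | Where-Object { -not $row."Tcp$_" })
    if ($blocked.Count -eq 0) { continue }
    if ($row.Host -eq $PinnedDc) {
        Write-Warning "Pinned DC $($row.Host) is blocked on port(s) $($blocked -join ', '); DRA cannot work until these are open."
    } else {
        Write-Warning "$($row.Host) is advertised in DNS but blocked on port(s) $($blocked -join ', '); any lookup that lands on it will fail."
    }
}
```

Run it as `.\Test-DraDomainPath.ps1 -Domain customer.local -PinnedDc dc3.customer.local` (the file name is whatever you save it as). A DC that shows up in the SRV answer but is blocked on every port is exactly the case the post describes; the hosts-file section shows which names are currently being forced to a reachable address.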


Re: Connecting DRA to a different domain


Hi!

I'm still having some trouble managing another non-trusted domain via
DRA.

What I've realized is that problems start when DRA makes a full sync to
the domain.
I guess the full sync first empties the cache, then
syncs the users, OUs and groups to the cache, then checks if the domain has
any trusts to other domains, and after it has passed that, it will sync
the users to groups. But 99% of the time, the Full Account Cache Refresh
fails at the same place:


Start collecting FPS data
Exception occurred GetTrustedDomainInfo while getting trusted domain
information for customer.local domain. Error message: Logon Failure:
Unknown username or bad password.
****Unhandled exception occurred in AddADObjectsToMongoDB method,Error
Message: Logon failure: unknown username or bad password...
Exception **** occured in CollectData Method, Exception message: logon
failure...
And the cache loader exits after this.


If I check the event logs from the customer's domain controller, there
aren't any failed login attempts. I've tried recreating a new service
account; it didn't help. I've checked the network traffic with Wireshark:
the DRA server is only communicating with the specified DC and there are
no failed logins in the event log.
On those rare occasions that the Full Cache Sync actually syncs the
groups users belong to, that part in the logs seems a bit different.

Start collecting FPS Data
Getting trusted forest information for customer.local forest
getting trusted domain information for customer.local domain
Exception GetDomainCredential Message: There is no such object on the
server...
Warning:: Exception occured in getting domain credentials. Cache loader
will continue processing...
No access credentials supplied for trusted doamin customerdmz.net and no
default access credentials...

After that it syncs the groups for users to the cache.
The customerdmz.net domain has "Ignore this trusted domain" set in the DRA
Delegation and Configuration console, so it shouldn't even do anything to that
trusted domain.


--
oksanto
------------------------------------------------------------------------
oksanto's Profile: https://forums.netiq.com/member.php?userid=6507
View this thread: https://forums.netiq.com/showthread.php?t=49513
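The reply above compares two cache-loader runs: one that aborts at the trusted-domain step with a logon failure, and one that logs a credential warning for customerdmz.net, continues, and syncs group memberships. The script below is an added triage helper, not DRA code and not from the original post: it splits a cache-loader log into runs at each "Start collecting FPS data" marker, records the outcome of each run and the trusted domains named in it, and flags runs where a domain that is configured as "Ignore this trusted domain" still appears. The sample lines are the ones quoted in the thread, embedded here as constructed input; the real log file name, path and exact message formats depend on the DRA version and are assumptions.

```powershell
# Added example, not DRA's own tooling. The sample lines are the ones quoted in the thread;
# the log path and message formats of a real installation are assumptions, adjust the patterns.
$sampleLog = @'
Start collecting FPS data
Exception occurred GetTrustedDomainInfo while getting trusted domain information for customer.local domain. Error message: Logon Failure: Unknown username or bad password.
****Unhandled exception occurred in AddADObjectsToMongoDB method,Error Message: Logon failure: unknown username or bad password...
Exception **** occured in CollectData Method, Exception message: logon failure...
Start collecting FPS data
Getting trusted forest information for customer.local forest
getting trusted domain information for customer.local domain
Exception GetDomainCredential Message: There is no such object on the server...
Warning:: Exception occured in getting domain credentials. Cache loader will continue processing...
No access credentials supplied for trusted doamin customerdmz.net and no default access credentials...
'@ -split "`r?`n"

function Get-CacheRefreshRuns {
    # Groups log lines into runs and classifies each run by how far the trust step got.
    param(
        [string[]]$Lines,
        [string[]]$IgnoredTrustedDomains = @()   # domains marked "Ignore this trusted domain" in DRA
    )
    $runs = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Start collecting FPS data') {
            if ($current) { $runs += $current }
            $current = [ordered]@{ TrustedDomains = @(); Outcome = 'Unknown'; Error = $null; LineCount = 0 }
        }
        if (-not $current) { continue }
        $current.LineCount++
        # "trusted domain <name>" / "trusted doamin <name>" (the log itself misspells it)
        if ($line -match 'trusted d\w+ (?<dom>[\w-]+(\.[\w-]+)+)') { $current.TrustedDomains += $Matches.dom }
        if ($line -match 'GetTrustedDomainInfo.*Error message: (?<msg>.+)$') {
            $current.Error = $Matches.msg.Trim(); $current.Outcome = 'TrustEnumerationFailed'
        } elseif ($line -match 'Exception .*CollectData') {
            $current.Outcome = 'Aborted'                      # loader exits, memberships never synced
        } elseif ($line -match 'Cache loader will continue' -and $current.Outcome -eq 'Unknown') {
            $current.Outcome = 'ContinuedWithWarning'         # the "good" runs in the post
        }
    }
    if ($current) { $runs += $current }
    foreach ($r in $runs) {
        $doms = @($r.TrustedDomains | Select-Object -Unique)
        $ignoredButSeen = @($doms | Where-Object { $IgnoredTrustedDomains -contains $_ })
        [pscustomobject]@{
            Outcome        = $r.Outcome
            Error          = $r.Error
            TrustedDomains = $doms -join ','
            IgnoredButSeen = $ignoredButSeen -join ','   # non-empty means the ignore setting was not honoured
            LineCount      = $r.LineCount
        }
    }
}

Get-CacheRefreshRuns -Lines $sampleLog -IgnoredTrustedDomains @('customerdmz.net') | Format-Table -AutoSize
```

On the sample input this yields two rows: the first run ends as `Aborted` with the logon-failure text captured in `Error`, the second as `ContinuedWithWarning` with `customerdmz.net` listed under `IgnoredButSeen`, which is the mismatch the reply points out. Against a real log, pass `Get-Content <cache loader log>` as `-Lines` and the list of domains you have marked as ignored in the Delegation and Configuration console.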
