Article ID: 958973 - Last Review: October 17, 2008 - Revision: 1.3

Not able to browse Application or Directory Partitions in ADAM

Source: Microsoft Support

RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Symptom



When you try to connect to and view any application partition or directory partition (Schema, Configuration) in ADAM, you receive an error. The error differs depending on the tool:

LDIFDE:

The server side error is: 0x5 Access is denied.

The extended server error is:

00000005: SecErr: DSID-03152029, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

LDP:

No children under the configuration partition are displayed with the exception of the Schema partition.

DSACLS:

"Insufficient access rights to perform the operation."

ADAM ADSI Edit:

You may receive one of the following error messages:

·         "The directory property cannot be found in the cache"

·         "A referral was returned from the server."

Or you may notice that an invalid directory pathname was passed.

 

Dsmgmt:

The Win32 error returned is:  0x208d (Directory object not found)

Resolution



To work around this problem, use one of the following methods:

Method 1: Using ADAM LDP.exe

Note: You must use the ADAM version of LDP (version 1.1.3790.2075 or later).

1.       Connect or Bind as an administrator to an ADAM instance.

2.       Click View, select Tree, and then select the partition on which you want to assign permissions, for example, the configuration partition.

3.       Right-click the Configuration container, click Advanced, and then click Security Descriptor. A Security Descriptor window appears with the DN attribute set to the partition you selected earlier, for example, the configuration partition.

4.       Click OK.

5.       In the Owner field (which appears as NULL), enter the account that you are currently running as, make sure that the Update Owner check box (at the bottom) is selected, click Update, and then click Close.

6.       Right-click the Configuration container again, click Advanced, and then click Security Descriptor. A Security Descriptor window appears with the DN attribute set to the partition you selected earlier, that is, the configuration partition.

7.       Click OK.

8.       Click a DACL in the list, and then click Add ACE. For Trustee, enter the user ID to which you want to assign permissions.

9.       Select all the Access mask check boxes and the Inherit ACE flag, and then click Update.

10.   Click Close.

11.   Start ADAM ADSIEdit, connect to the configuration container, and expand out Roles.

12.   Click Administrators, and then click Properties.

13.   Select the Member attribute, and then click Edit.

14.   Click Add Windows Account, enter domain\administrators, and then click OK.

15.   Close ADSIEdit.

16.   Go back to LDP, right-click the Configuration container, click Advanced, and then click Security Descriptor. A Security Descriptor window appears with the DN attribute set to the partition you selected earlier. Click OK.

17.   The Group field should now be populated with:

CN=Administrators,CN=Roles,CN=Configuration,CN={GUID}

18.   Copy all the text in the Group field, and paste it into the Owner field (removing your account). Make sure that the Update Owner check box is selected, click Update, and then click Close.

19.   Right-click the Configuration container, click Advanced, and then click Security Descriptor. A Security Descriptor window appears with the DN attribute set to the partition you selected earlier. Click OK.

20.   Click your user account in the DACL list, and then click Delete ACE (you will have 2 entries; remove both).

21.   Make sure that Update DACL is checked, and then click Update.

22.   Close LDP, and reopen LDP. Connect and Bind.

23.   Click View, select Tree, and verify that you can access the configuration container and the application partition.

Method 2: Using Dsacls.exe

·         Make sure that the user ID that is logged on is a member of the Administrators group in ADAM.

·         Make sure that the instance is a member of the Readers group in ADAM.

·         Check the permissions on the application partition and the configuration/schema partition of that ADAM instance by using the following commands:

o   dsacls \\ADAMServerName:portno\DNofApplicationPartitionOfThatAdamInstance

o   dsacls \\ADAMServerName:portno\CN=Configuration,CN={GUID}

·         Run the following command to take ownership of the partition:

o   dsacls \\ADAMServerName:portno\CN=Configuration,CN={GUID} /takeownership

·         After you take ownership, run the following command to grant permissions to that user:

o   dsacls \\ADAMServerName:portno\CN=Configuration,CN={GUID} /G domainName\userid:GA
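
Method 2 as a single PowerShell script, added here as an example and not part of the original Microsoft article. It assumes the ADAM version of dsacls.exe is on the PATH and that a failed command returns a non-zero exit code; the server, port, GUID and account are the article's placeholders and must be replaced, and the output file names are hypothetical.

```powershell
# Added example; every value below is a placeholder to replace.
$Target  = '\\ADAMServerName:portno\CN=Configuration,CN={GUID}'
$Trustee = 'domainName\userid'
$Before  = Join-Path $env:TEMP 'adam-config-acl-before.txt'   # hypothetical path
$After   = Join-Path $env:TEMP 'adam-config-acl-after.txt'    # hypothetical path

function Invoke-Dsacls {
    param([string[]]$Arguments)
    # Capture stdout and stderr so the error text can be inspected.
    $text = (& dsacls.exe @Arguments 2>&1 | Out-String)
    # Assumption: a non-zero exit code means failure. The DSACLS message
    # quoted in the Symptom section is checked as well.
    $failed = ($LASTEXITCODE -ne 0) -or ($text -match 'Insufficient access rights')
    return @{ Ok = (-not $failed); Text = $text }
}

# 1. Try to read the current ACL. With this problem the read is expected to
#    fail, so a failure here is recorded rather than treated as fatal.
$read = Invoke-Dsacls -Arguments @($Target)
if ($read.Ok) {
    $read.Text | Out-File $Before
    Write-Host "ACL is readable; copy saved to $Before"
} else {
    Write-Warning "Cannot read the ACL before the change:`n$($read.Text)"
}

# 2. Take ownership of the partition (command from Method 2).
$own = Invoke-Dsacls -Arguments @($Target, '/takeownership')
if (-not $own.Ok) { throw "takeownership failed:`n$($own.Text)" }

# 3. Grant the user GA on the partition (command from Method 2).
$grant = Invoke-Dsacls -Arguments @($Target, '/G', "${Trustee}:GA")
if (-not $grant.Ok) { throw "grant failed:`n$($grant.Text)" }

# 4. Re-read the ACL, confirm it is now readable, and keep a copy for review.
$check = Invoke-Dsacls -Arguments @($Target)
if (-not $check.Ok) { throw "ACL is still unreadable:`n$($check.Text)" }
$check.Text | Out-File $After
Write-Host "ACL after the change saved to $After"
```

The saved ACL listing gives a record of the owner and the GA entry that the change left on the partition.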

More Information



For more information about ADAM, refer to the following articles:

Active Directory Application Mode

http://technet.microsoft.com/en-us/library/cc779554.aspx

What Is Active Directory Application Mode

http://technet.microsoft.com/en-us/library/cc738377.aspx

How Active Directory Application Mode Works

http://technet.microsoft.com/en-us/library/cc706993.aspx

Active Directory Application Mode Tools and Settings

http://technet.microsoft.com/en-us/library/cc706993.aspx

Administering ADAM

http://technet2.microsoft.com/WindowsServer/en/Library/29fb059e-544c-4577-bf7c-ba4b08df48431033.mspx

ADAM troubleshooting and frequently asked questions (FAQs)

http://www.microsoft.com/windowsserver2003/adam/ADAMfaq.mspx

http://technet2.microsoft.com/WindowsServer/en/library/6e1ea3d1-f78b-4a95-afff-0a475327ddb61033.mspx?mfr=true

DISCLAIMER

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.

APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Keywords: 
kbnomt kbrapidpub KB958973