AD LDS on Domain Controllers

Hi,

I'm working on a product that installs ADAM/AD-LDS as it's database. It
needs to work on Domain Controllers so following the documentation at:

http://technet.microsoft.com/en-us/l...8WS.10%29.aspx
http://technet.microsoft.com/en-us/l...8WS.10%29.aspx

we're making the ADAM service use the domain account. However, the service
sometimes fails on startup with this error in the system event log "Logon
failure: unknown user name or bad password." Starting it manually succeeds. I
presume this is due to a race condition because AD DS isn't up yet..

So I'm hoping someone here would have advice about what's best to do, or a
deeper understanding about why AD LDS must use a domain account. I'm thinking
of some dependency (on ?) or using the service's Recovery tab to make it
restart.


Thanks for your attention!
Eugene

I believe you could just setup a dependency, I think I would attempt it on
ntfrs.exe. I haven't tried but in theory it should work.

http://support.microsoft.com/kb/193888

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewGroups. This
posting is provided "AS IS" with no warranties and confers no rights.
"Eug" <> wrote in message
news:12D5B432-6A1E-41EC-A924-...
> Hi,
>
> I'm working on a product that installs ADAM/AD-LDS as it's database. It
> needs to work on Domain Controllers so following the documentation at:
>
> http://technet.microsoft.com/en-us/l...8WS.10%29.aspx
> http://technet.microsoft.com/en-us/l...8WS.10%29.aspx
>
> we're making the ADAM service use the domain account. However, the service
> sometimes fails on startup with this error in the system event log "Logon
> failure: unknown user name or bad password." Starting it manually
> succeeds. I
> presume this is due to a race condition because AD DS isn't up yet..
>
> So I'm hoping someone here would have advice about what's best to do, or a
> deeper understanding about why AD LDS must use a domain account. I'm
> thinking
> of some dependency (on ?) or using the service's Recovery tab to make it
> restart.
>
>
> Thanks for your attention!
> Eugene

Hi

if your DCs are WS08 or later then you could try setting the service startup
for the
AD LDS instance to DelayedAutoStart in the Sevices UI it's an option for
the Startup type of the service.

Lee Flight

"Eug" <> wrote in message
news:12D5B432-6A1E-41EC-A924-...
> Hi,
>
> I'm working on a product that installs ADAM/AD-LDS as it's database. It
> needs to work on Domain Controllers so following the documentation at:
>
> http://technet.microsoft.com/en-us/l...8WS.10%29.aspx
> http://technet.microsoft.com/en-us/l...8WS.10%29.aspx
>
> we're making the ADAM service use the domain account. However, the service
> sometimes fails on startup with this error in the system event log "Logon
> failure: unknown user name or bad password." Starting it manually
> succeeds. I
> presume this is due to a race condition because AD DS isn't up yet..
>
> So I'm hoping someone here would have advice about what's best to do, or a
> deeper understanding about why AD LDS must use a domain account. I'm
> thinking
> of some dependency (on ?) or using the service's Recovery tab to make it
> restart.
>
>
> Thanks for your attention!
> Eugene

Thanks for the suggestion. My problem seems to be that a Global Catalog isn't
available for a little bit of time after AD starts, and I think that just
because the AD services have started doesn't mean that a GC is immediately
available. Thus, even if it's Delayed Start it could still run into this
issue. Delayed Start seems to be mostly about optimising performance..

BTW, I haven't seen this problem on Windows 2003 yet.

"Lee Flight" wrote:

> Hi
>
> if your DCs are WS08 or later then you could try setting the service startup
> for the
> AD LDS instance to DelayedAutoStart in the Sevices UI it's an option for
> the Startup type of the service.
>
> Lee Flight
>
> "Eug" <> wrote in message
> news:12D5B432-6A1E-41EC-A924-...
> > Hi,
> >
> > I'm working on a product that installs ADAM/AD-LDS as it's database. It
> > needs to work on Domain Controllers so following the documentation at:
> >
> > http://technet.microsoft.com/en-us/l...8WS.10%29.aspx
> > http://technet.microsoft.com/en-us/l...8WS.10%29.aspx
> >
> > we're making the ADAM service use the domain account. However, the service
> > sometimes fails on startup with this error in the system event log "Logon
> > failure: unknown user name or bad password." Starting it manually
> > succeeds. I
> > presume this is due to a race condition because AD DS isn't up yet..
> >
> > So I'm hoping someone here would have advice about what's best to do, or a
> > deeper understanding about why AD LDS must use a domain account. I'm
> > thinking
> > of some dependency (on ?) or using the service's Recovery tab to make it
> > restart.
> >
> >
> > Thanks for your attention!
> > Eugene
>
>
>
>

Thanks for your suggestion, but I'm not sure that when a service changes
status to started the GC is fully available to take requests. Indeed, there
is sometimes a message in the event log that goes something like "All
problems preventing updates to the Active Directory Domain Services database
have been cleared...The Net Logon service has restarted.". It'd be nice to
had some guidance from MS..

Also, the ntfrs service is actually stopped on my lone DC, so I'll try NTDS
or maybe KDC.

"Paul Bergson [MVP-DS]" wrote:

> I believe you could just setup a dependency, I think I would attempt it on
> ntfrs.exe. I haven't tried but in theory it should work.
>
> http://support.microsoft.com/kb/193888
>
> --
> Paul Bergson
> MVP - Directory Services
> MCITP - Enterprise Administrator
> MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
> 2008, Vista, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewGroups. This
> posting is provided "AS IS" with no warranties and confers no rights.
> "Eug" <> wrote in message
> news:12D5B432-6A1E-41EC-A924-...
> > Hi,
> >
> > I'm working on a product that installs ADAM/AD-LDS as it's database. It
> > needs to work on Domain Controllers so following the documentation at:
> >
> > http://technet.microsoft.com/en-us/l...8WS.10%29.aspx
> > http://technet.microsoft.com/en-us/l...8WS.10%29.aspx
> >
> > we're making the ADAM service use the domain account. However, the service
> > sometimes fails on startup with this error in the system event log "Logon
> > failure: unknown user name or bad password." Starting it manually
> > succeeds. I
> > presume this is due to a race condition because AD DS isn't up yet..
> >
> > So I'm hoping someone here would have advice about what's best to do, or a
> > deeper understanding about why AD LDS must use a domain account. I'm
> > thinking
> > of some dependency (on ?) or using the service's Recovery tab to make it
> > restart.
> >
> >
> > Thanks for your attention!
> > Eugene
>
>
> .
>