Active Directory Synch is not and has never been functional

Berry at JSO

According to the Proj Server 2003 install guide (appendix F, page 340),
"..(I)t is recommended after the installation of Project Server 2003 to
assign to the Log On As permission associated with the Project Server
Scheduled Process Service a domain user account that has permission to read
from the Active Directory."

I consulted with my network admin, and I assigned a given domain acct with
read permissions on the Global Catalog as the identity of the service in
question, but whenever I try to synch any group (much less all groups), the
synch fails.

Here's a sample of the myriad event log errors:
Event Type: Error
Event Source: Microsoft Project Server Tracing Eventlog Provider
Event Category: None
Event ID: 2
Date: 7/11/2005
Time: 5:20:40 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: XXXX
Description:
Component: AD Connector
File: AutoADProcess
Line: -1
Description: <Description><![CDATA[GetGlobalCatalog: -2147016646-Automation
error
The server is not operational. ]]></Description>

ALSO

Event Type: Error
Event Source: Microsoft Project Server Tracing Eventlog Provider
Event Category: None
Event ID: 2
Date: 7/11/2005
Time: 5:20:40 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: XXXX
Description:
Component: AD Connector
File: AutoADProcess
Line: -1
Description: <Description><![CDATA[ADsObject_Get_AsRS - Can't access the
global catalog of domain DOMAINNAME]]></Description>


ALSO

Event Type: Error
Event Source: Microsoft Project Server Tracing Eventlog Provider
Event Category: None
Event ID: 2
Date: 7/11/2005
Time: 5:20:40 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: RES2
Description:
Component: AD Connector
File: AutoADProcess
Line: -1
Description: <Description><![CDATA[Accessing AD group DOMAINNAME\GROUPNAME
failed due to error 20004-FetchGroup: <Error><Component>AD Connector
</Component><File>AutoADProcess</File><Line>-1</Line><Number>0x4e24</Number><Description><![CDATA[Failed
to get record of group DOMAINNAME\GROUPNAME from active directory global
catalog] ]></Description></Error>]]></Description>


Does it appear that the domain account I am using does NOT have read
permissions on the global catalog? And also, why is the user in the event log
listing still showing as NT AUTHORITY\LOCAL SERVICE when I changed the
identity for the service to a domain account?

Any ideas would be much appreciated.
 
DenverWaterPM

In my case this was due to the domain and/or group name in AD not being
exactly the same as in Project Server; this includes leading or trailing
spaces.
 
J Burford Fields

You might have better luck creating a new domain account and using it. I'm
thinking that an existing account could belong to some group that has a deny
or that is nested into some other group that has a deny. Studying effective
permissions might reveal the source of a problem.
--
J Burford Fields, MCSE, MCT
Manager, Technical Training
Air Force Pentagon Communications Agency
(e-mail address removed).(nospam)
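
Added example, not part of the original thread: a small triage script that decodes the signed HRESULT from the first event quoted in the question and classifies the kind of name difference DenverWaterPM describes. The sample descriptions are constructed from the events quoted above, and the function names and the group names passed to `compare_names` are hypothetical.

```python
import re

# Constructed sample: Description fields modeled on the events quoted in the thread.
SAMPLE_EVENTS = [
    "GetGlobalCatalog: -2147016646-Automation error The server is not operational.",
    "Accessing AD group DOMAINNAME\\GROUPNAME failed due to error 20004-FetchGroup",
]

FACILITY_WIN32 = 7
# Two Win32 error codes from winerror.h that matter for this question.
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 8250: "ERROR_DS_SERVER_DOWN"}


def decode_hresult(value):
    """Split a signed 32-bit HRESULT into (hex string, facility, code)."""
    u = value & 0xFFFFFFFF                  # reinterpret as unsigned
    return f"0x{u:08X}", (u >> 16) & 0x7FF, u & 0xFFFF


def triage(description):
    """Return (hex, name) for a signed HRESULT in an event description, else None."""
    m = re.search(r"-\d{9,10}", description)
    if not m:
        return None
    hexval, facility, code = decode_hresult(int(m.group()))
    if facility != FACILITY_WIN32:
        return hexval, "non-Win32 facility"
    return hexval, WIN32_NAMES.get(code, "unlisted Win32 code %d" % code)


def compare_names(ad_name, project_server_name):
    """Classify how a Project Server group entry differs from the AD name."""
    if ad_name == project_server_name:
        return "exact"
    if ad_name.strip() == project_server_name.strip():
        return "whitespace"                 # only leading/trailing spaces differ
    return "different"


if __name__ == "__main__":
    for desc in SAMPLE_EVENTS:
        print(triage(desc), "<-", desc[:40])
    print(compare_names("GROUPNAME", "GROUPNAME "))
```

ERROR_DS_SERVER_DOWN is the Win32 code behind "The server is not operational", and it is a different code from ERROR_ACCESS_DENIED, which is what a permissions denial would report.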


 
