
Initial domain sync fails for DC in untrusted domain

Hola,

 

Ok so I have AD sync working fine from our integrated domain, but when adding a domain where there is no trust, I am having issues getting the sync to work.

Couple of notes:

  • I am able to configure the connection in the Sync editor and browse the schema
  • When configuring the Job service for the domain controller in the DMZLAB domain, I am using SQL credentials that have the appropriate perms to the OIM SQL server instance in the LAB domain.
    • Assuming that I have to use a SQL Server cred, with this being a domain without a trust to the domain where the OIM DB is installed.
  • I can see the server in the JobQueue editor and get the configuration version and refresh the time, etc...
  • SQL Server is listening on TCP/IP and Named Pipes, etc.
  • Not that it should matter, but all of the appropriate SPNs are defined in the directory in the source domain for the SQL instance.

  • The DMZLAB job server is configured with Machine Roles: (Active Directory and Job Server)
  • The DMZLAB Job server is configured with Server Functions: (Active Directory Connector)

So generally, it appears that all is good with this DMZLAB job server, but when I trigger the initial sync, the Full Projection process kicks off, and after several seconds I get the following error in the DMZLAB server log:

2017-10-06 10:05:31 -04:00 - \DMZLABDCL01 - VI.Projector.JobComponent.ProjectorComponent - 533e6817-ffaf-4699-8a16-181671acbd7e: Errors occured
    [2134003] Error executing synchronization.
    [810143] Database error 18452: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
    [System.Data.SqlClient.SqlException] Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
       at StdioProcessor.StdioProcessor._Execute(Job job)
       at VI.Projector.JobComponent.ProjectorComponent.Activate(String task)
       at VI.Projector.JobComponent.ProjectorComponent._FullProjection()
       ---- Start of Inner Exception ----
       at VI.Projector.JobComponent.ProjectorComponent._FullProjection()
       at VI.Projector.JobComponent.ProjectorComponent.get_Session()
       at VI.JobService.JobComponents.DbJobComponent.get_ConnectData()
       at VI.JobService.JobComponents.DbJobComponent._ConnectToDatabase()
       at VI.Base.SyncActions.Do[T](Func`1 function)
       at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
       ---- Start of Inner Exception ----
       at VI.DB.DbApp.<ConnectAsync>d__5.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.Base.TaskExtensions.<Convert>d__1`2.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.DbSessionFactoryImpl.<CreateAsync>d__3.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool.<CreateAsync>d__9.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool.<GetAsync>d__27.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool.<_CreateNewBucketAsync>d__30.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool._Bucket.<CreateAsync>d__11.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool._Bucket.<TryInitializeAsync>d__15.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.DbFactoryBase.<_CreateAndOpenConnectionAsync>d__13.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalMsSqlConnection.<OpenAsync>d__17.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionBase.<OpenAsync>d__16.MoveNext()
       ---- Start of Inner Exception ----
       at VI.DB.DataAccess.PhysicalConnectionBase.<OpenAsync>d__16.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at System.Threading.Tasks.Task.Execute()
       at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
       at System.Data.ProviderBase.DbConnectionFactory.<>c__DisplayClass0.<TryGetConnection>b__2(Task`1 _)
       at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup, DbConnectionOptions userOptions)
       at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
       at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken)
       at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance)
       at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout)
       at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover)
       at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
       at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
       at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
2017-10-06 10:07:00 -04:00 - Info: Requesting process steps for queue \DMZLABDCL01.
2017-10-06 10:07:00 -04:00 - Info: Last process step request succeeded.

I have also gone directly to the local server instance and reconfigured the Job service editor with the SQL connection with the local account just in case the push from designer was setting it with an integrated connection even after specifying that I want to use a SQL account.

As always, I am assuming that I am missing something here and that you guys can straighten me out. This is an important use case for us and I plan to work this through the weekend so if I can get any insights from you guys that would be terrific.

Much appreciated!

  • Ok so no luck,

    I think I am going to need to tear this down and start over. Very frustrating.

    I have gone through every tool and made certain that they are configured to use local SQL auth, have changed every sync job to the same, and even gone back into the job servers and manually configured the job service config to use the local SQL account to connect to the DB.

    Seems pretty straight forward but there is definitely something off about this configuration and I can’t seem to get my head around what could be wrong.

    I can still connect to all of the DCs and browse the objects with the editor, and I can execute syncs on the DC that is in the Lab.com domain, but no matter what I do the dmzlab.com DC fails to sync and attempts to connect to the DB using the DMZLAB service account.

    I will give this one more shot in the morning, after which I will stick a fork in it.

    :)

    Thanks for your ideas, each and every one seemed plausible but so far no love.

    Could be that I am losing my war with attrition and need to step away for a bit.

    Thanks again.
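A diagnostic that separates the two things the original post and the follow-up are trying to tell apart: whether the SQL login itself works from the DMZLAB job server, and whether the process that fails is really opening its connection with Windows authentication. SQL Server returns error 18452 when a client presents a Windows token that the server's domain cannot validate, which is exactly what happens when a host in an untrusted domain connects with Integrated Security (there is no trust path for Kerberos, so the client falls back to NTLM and the LAB domain rejects it). A SQL Server login does not go through the domain at all, so if the configured SQL credential really were in use, 18452 could not be raised. The script below is an added example, not part of the original thread and not One Identity Manager code; the server name, database name and SQL login are hypothetical placeholders. Run it on the DMZLAB job server, in the job service account's context, so that the integrated-auth attempt carries the same identity the Projector would.

```powershell
# Added diagnostic script (not from the original post, not One Identity Manager code).
# Assumed (hypothetical) names: adjust to the real instance, database and SQL login.
$server   = 'oimsql.lab.com'   # OIM SQL Server instance in the LAB domain
$database = 'OneIM'            # OIM database
$sqlLogin = 'oim_dmzlab'       # SQL Server login (not a Windows account) granted on that instance

function Test-SqlAuthPath {
    param(
        [Parameter(Mandatory)] [string] $ConnectionString,
        [System.Data.SqlClient.SqlCredential] $SqlCredential   # supplied only for the SQL-auth case
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = $ConnectionString
    if ($SqlCredential) { $conn.Credential = $SqlCredential }
    try {
        $conn.Open()
        # Ask SQL Server which login it authenticated and by which scheme (SQL, NTLM or KERBEROS).
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT SUSER_SNAME() AS login_name, auth_scheme ' +
                           'FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        $result = [pscustomobject]@{
            Result     = 'connected'
            Login      = $reader['login_name']
            AuthScheme = $reader['auth_scheme']
            Error      = $null
        }
        $reader.Close()
        $result
    } catch {
        # PowerShell wraps .NET exceptions; walk down to the SqlException to read its Number (18452 etc.).
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Data.SqlClient.SqlException])) { $ex = $ex.InnerException }
        $msg = if ($ex) { "SQL error $($ex.Number): $($ex.Message)" } else { $_.Exception.Message }
        [pscustomobject]@{
            Result     = 'failed'
            Login      = $null
            AuthScheme = $null
            Error      = $msg
        }
    } finally {
        $conn.Dispose()
    }
}

# Case 1: the path the job service is supposed to take, SQL authentication, no domain trust involved.
# The password is passed as a SqlCredential rather than embedded in the connection string.
$pw = (Get-Credential -UserName $sqlLogin -Message 'SQL login password').Password
$pw.MakeReadOnly()                                      # SqlCredential requires a read-only SecureString
$sqlCred = New-Object System.Data.SqlClient.SqlCredential($sqlLogin, $pw)
Test-SqlAuthPath -ConnectionString "Server=$server;Database=$database;" -SqlCredential $sqlCred

# Case 2: the path the stack trace shows the Projector actually took, Windows (integrated) authentication
# with the account running this script, which from DMZLAB means an NTLM token from an untrusted domain.
Test-SqlAuthPath -ConnectionString "Server=$server;Database=$database;Integrated Security=True;"
```

If case 1 connects with AuthScheme SQL and Login equal to the SQL login, the instance, the login and the network path from DMZLAB are all fine, and case 2 reproduces the 18452 from the log. That narrows the problem to the connection parameters the Projector process is actually handed at run time on that job server rather than what the editors display, because only a connection built with Integrated Security can produce 18452. The SQL Server errorlog records each 18452 together with the client address, which is a quick way to confirm that the failing attempts come from the DMZLAB job server and to see whether they stop once its configuration is changed.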