AD LDS replication between two untrusted forests not working

I have an AD LDS instance in forest A.

I used Network Service as the service account. Also I opened a port and set the regkey to lock down the RPC port used. I set up the replica in forest B (both forests are not trusted). The replica completed with all the objects from the instance in forest A. But then no further changes occurred. I found errors in the event log complaining of invalid credentials. After further investigation I found this article about ADAM http://windowsitpro.com/networking/getting-know-adam, that mentions:

/////If your system isn't a member of a domain, you need to use a named user account if the instance is a replica or if you intend to create replicas of the instance later; for replication to work, the username and password must be the same for all instances.///

I took this to mean that if the system was not in the same forest... I created two local accounts with the same username and password, uninstalled both instances and re-installed both instances using this local account as the service account. Still getting replication issues.

Here's an error on the instance in forest B:

The directory server has failed to update the AD LDS serviceConnectionPoint object in Active Directory Lightweight Directory Services. This operation will be retried.

Additional Data

SCP object DN:

[]

Error value:

1326 The user name or password is incorrect.

Server error:

(n/a)

Internal ID:

3390071

AD LDS service account:

server2\svc-ADLDS

Here's an error that I get on the instance in forest A:

The directory server has failed to update the AD LDS serviceConnectionPoint object in Active Directory Lightweight Directory Services. This operation will be retried.

Additional Data

SCP object DN:

[]

Error value:

1326 The user name or password is incorrect.

Server error:

(n/a)

Internal ID:

3390071

AD LDS service account:

server1\svc-ADLDS

User Action

If AD LDS is running under a local service account, it will be unable to update the data in Active Directory Lightweight Directory Services. Consider changing the AD LDS service account to either NetworkService or a domain account.

If AD LDS is running under a domain user account, make sure this account has sufficient rights to update the serviceConnectionPoint object.

ServiceConnectionPoint object publication can be disabled for this instance by setting msDS-DisableForInstances attribute on the SCP publication configuration object.

Any help would be greatly appreciated!

August 25th, 2015 6:57am
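The two event log entries above are about SCP publication into Active Directory, not about replication itself: a local account such as server1\svc-ADLDS cannot authenticate to forest A's domain, so the SCP write fails with 1326 and is retried forever. The script below is an added diagnostic example for this thread, not code from the original post or from Microsoft. Run on each AD LDS host, it reads the instance's service account, lists recent 1326 events from the instance's "ADAM (<instance>)" event log, reads msDS-ReplAuthenticationMode from the configuration partition (the setting that decides whether identical local accounts are acceptable for replication between untrusted hosts), and optionally adds the instance's NTDS Settings DN to msDS-DisableForInstances on the SCP publication object so the retry loop stops. Assumed values: the instance name, LDAP port and the "CN=SCP Publication Service,CN=Services,<configuration NC>" path (the object Microsoft's disable-SCP-publication guidance names; verify it in ADSI Edit against your instance before committing).

```powershell
<#
Added example for this thread, not the original poster's or Microsoft's code.
Assumptions (adjust to your environment):
  -InstanceName  : AD LDS instance name; service is "ADAM_<name>", event log is "ADAM (<name>)"
  -Port          : the instance's LDAP port (389 is only the default for the first instance)
  SCP object DN  : CN=SCP Publication Service,CN=Services,<configurationNamingContext>
Run as a user that is an administrator of the AD LDS instance.
#>
param(
    [string]$InstanceName = 'instance1',
    [string]$Server = 'localhost',
    [int]$Port = 389,
    [switch]$DisableScpPublication
)

function Get-AdLdsReplicationDiagnostics {
    param([string]$InstanceName, [string]$Server, [int]$Port, [switch]$DisableScpPublication)

    # 1. Which account the instance service runs as (local "host\user" cannot log on to a domain).
    $svc = Get-CimInstance Win32_Service -Filter "Name='ADAM_$InstanceName'"
    if (-not $svc) { throw "Service ADAM_$InstanceName not found on this host" }

    # 2. Recent 1326 (bad user name/password) events written by this instance.
    $badCreds = Get-WinEvent -LogName "ADAM ($InstanceName)" -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\b1326\b' } |
        Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }}

    # 3. Configuration partition and this replica's NTDS Settings DN, from RootDSE.
    $rootDse  = [ADSI]"LDAP://$Server`:$Port/RootDSE"
    $configNc = $rootDse.configurationNamingContext.Value
    $ntdsDn   = $rootDse.dsServiceName.Value
    $config   = [ADSI]"LDAP://$Server`:$Port/$configNc"

    # Documented values of msDS-ReplAuthenticationMode on the configuration partition:
    #   0 = Negotiate pass-through: every instance uses a local account with the SAME user name
    #       and password; the only mode usable when hosts share no domain trust
    #   1 = Negotiate (default): needs domain accounts that both sides can authenticate
    #   2 = Mutual authentication with Kerberos
    $mode = $config.Properties['msDS-ReplAuthenticationMode'].Value
    if ($null -eq $mode) { $mode = 1 }   # unset means the default, Negotiate

    # 4. SCP publication object; disabling publication stops the 1326 retry loop
    #    for instances whose service account cannot write to Active Directory.
    $scpDn  = "CN=SCP Publication Service,CN=Services,$configNc"   # assumed path, verify in ADSI Edit
    $scpObj = [ADSI]"LDAP://$Server`:$Port/$scpDn"
    $disabledFor = @($scpObj.Properties['msDS-DisableForInstances'] | ForEach-Object { "$_" })

    if ($DisableScpPublication -and ($disabledFor -notcontains $ntdsDn)) {
        $scpObj.Properties['msDS-DisableForInstances'].Add($ntdsDn) | Out-Null
        $scpObj.CommitChanges()
        $disabledFor += $ntdsDn
    }

    [pscustomobject]@{
        Instance              = $InstanceName
        ServiceAccount        = $svc.StartName
        IsLocalAccount        = ($svc.StartName -notmatch '^(NT AUTHORITY|NT SERVICE)\\' -and
                                 $svc.StartName -match "^$env:COMPUTERNAME\\")
        ReplAuthMode          = [int]$mode
        ReplAuthModeOkForUntrustedHosts = ([int]$mode -eq 0)
        NtdsSettingsDn        = $ntdsDn
        ScpPublicationDisabled = ($disabledFor -contains $ntdsDn)
        Recent1326Events      = @($badCreds).Count
    }
}

Get-AdLdsReplicationDiagnostics -InstanceName $InstanceName -Server $Server -Port $Port `
    -DisableScpPublication:$DisableScpPublication | Format-List
```

Read the output on both hosts side by side: IsLocalAccount true together with ReplAuthMode 1 is the combination the thread describes (identical local accounts, but the instances still negotiating as if they were domain accounts), and ScpPublicationDisabled false explains why the serviceConnectionPoint event keeps repeating even after replication is fixed.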

Hi,

Thanks for your post.

Based on my knowledge, it requires an account that is a member of Domain Admins or an equally delegated one. Try creating an unprivileged domain account, grant it the local permissions and see if that works for you. For the detailed steps to use a domain admin account for syncing an AD LDS instance from AD, please check the link.

https://technet.microsoft.com/en-us/library/Cc733182%28v=WS.10%29.aspx?f=255&MSPPError=-2147217396

Best Regards,

Mary

August 26th, 2015 3:02am
