Problem: When trying to join a Windows machine to a zone, the following error is returned.
Failed to Enable Service
Reason: Directory Object already exists.
Cause: It is very likely that the Windows machine had previously been joined to the zone in question and its ServiceConnectionPoint (SCP) object was not cleaned up when the machine was originally removed from the zone.
Snippet from the logs (C:\Program Files\Common Files\Centrify Shared\Logs\DirectAuthorizeAgent_<date>_<agentVersion>.txt) showing the error and the location of the SCP object that the error message is referencing:
[2019-03-21 11:56:19.185 -0500] Centrify.WinAgent.ServiceConfig.exe[9980,12] Verbose: DirectoryObject.HandleComException: The object already exists for LDAP://DC1.centrifyimage.vms/cn=win10cdc.centrifyimage.vms,CN=Computers,CN=Windows,CN=Global,CN=Zones,CN=Centrify,DC=centrifyimage,DC=vms: The object already exists.
Resolution: Use ADSI Edit or Active Directory Users and Computers (ADUC) to browse to the location of the SCP object listed in the log file.
cn=win10cdc.centrifyimage.vms,CN=Computers,CN=Windows,CN=Global,CN=Zones,CN=Centrify,DC=centrifyimage,DC=vms
Right-click on the object and choose 'Delete'.
Re-attempt to join the machine to the zone.
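The same cleanup can be scripted rather than done in ADSI Edit. The following PowerShell is an added example and is not part of this KB article or Centrify's own tooling: it pulls the LDAP path out of the "object already exists" line in the newest DirectAuthorizeAgent log, looks the object up on the domain controller named in the log, displays it, and removes it only after an interactive confirmation. It assumes the RSAT ActiveDirectory module is installed, that the account running it may delete objects under the zone's Computers container, and that the log message format matches the single example line above (which is embedded as a constructed fallback so the parsing can be exercised without a log file).

```powershell
# Added example, not from the original KB: find and remove the stale Centrify SCP
# object named in a DirectAuthorizeAgent "object already exists" log entry.
# Assumptions: RSAT ActiveDirectory module present; delete rights under the zone;
# log message format as in the KB's sample line.

Import-Module ActiveDirectory

# Constructed sample input: the KB's log line, used only when no log file is found.
$SampleLine = '[2019-03-21 11:56:19.185 -0500] Centrify.WinAgent.ServiceConfig.exe[9980,12] Verbose: DirectoryObject.HandleComException: The object already exists for LDAP://DC1.centrifyimage.vms/cn=win10cdc.centrifyimage.vms,CN=Computers,CN=Windows,CN=Global,CN=Zones,CN=Centrify,DC=centrifyimage,DC=vms: The object already exists.'

function Get-StaleScpFromLog {
    # Returns one object per log line that reports an existing directory object,
    # with the DC the agent talked to and the DN of the object it collided with.
    param([string[]]$Lines)
    $pattern = 'The object already exists for LDAP://(?<Server>[^/]+)/(?<DN>.+?): The object already exists'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Server = $Matches.Server; DN = $Matches.DN }
        }
    }
}

# Read the newest DirectAuthorizeAgent log; fall back to the sample line if none exists.
$LogDir  = 'C:\Program Files\Common Files\Centrify Shared\Logs'
$LogFile = Get-ChildItem -Path $LogDir -Filter 'DirectAuthorizeAgent_*.txt' -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
$lines = if ($LogFile) { Get-Content -Path $LogFile.FullName } else { @($SampleLine) }

$hits = Get-StaleScpFromLog -Lines $lines | Sort-Object -Property DN -Unique
if (-not $hits) {
    Write-Host 'No "object already exists" errors found in the log.'
    return
}

foreach ($hit in $hits) {
    # Query the same DC the agent used so replication lag cannot hide the object.
    $obj = Get-ADObject -Identity $hit.DN -Server $hit.Server `
                        -Properties objectClass, whenCreated, whenChanged -ErrorAction SilentlyContinue
    if (-not $obj) {
        Write-Warning "Not found on $($hit.Server) (already cleaned up?): $($hit.DN)"
        continue
    }

    # Show the object before touching it so the operator can check it is the stale
    # SCP left behind by the earlier join and not one belonging to a live machine.
    $obj | Format-List -Property DistinguishedName, ObjectClass, whenCreated, whenChanged

    # -Confirm prompts before each deletion; add -WhatIf for a dry run.
    Remove-ADObject -Identity $obj.DistinguishedName -Server $hit.Server -Confirm
}
```

Run it in an elevated PowerShell session on a machine with RSAT, then re-attempt the zone join once the deletion has been confirmed. The whenCreated and whenChanged timestamps are shown because they are the quickest way to tell a leftover from the original join apart from an object a currently joined machine is still using.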
Note: The following Knowledge Base article can be used to increase the logging level to VERBOSE if only INFO level messages are being seen in the log file.
KB-11101-Enabling-debug-mode-of-Centrify-Privilege-Elevation-Service-Former-DirectAuthorize-for-Windows-without-opening-config-panel