KB-2589: How to look for Service Connection Point (SCP) object in Active Directory using ldapsearch after doing a precreate

Authentication Service

12 April,16 at 11:09 AM

Applies to: All versions of Centrify DirectControl

After pre-creating a computer object, how does one verify if a ServiceConnectionPoint (SCP) object was created in Active Directory?

Before doing a self-serve join, is it possible to verify whether the SCP was created, in case the self-serve join fails with the message "unable to find precreated extension"?

1) Using Centrify's ldapsearch with a filter for ServiceConnectionPoint

# /usr/share/centrifydc/bin/ldapsearch -x -h <ldaphost> -D <binding-account-dn> -W -b "<zone-dn>" "(&(objectCategory=ServiceConnectionPoint) (cn=<computer-dns-name>))"

Example 1:
[root@vscentos6 init.d]# /usr/share/centrifydc/bin/ldapsearch -x -h win03dc1 -D dcadmin -W -b "CN=Engineering,CN=Universal,CN=Zones,OU=UNIX,DC=vstestcentrify,DC=com" "(&(objectCategory=ServiceConnectionPoint) ("

Here win03dc1 is the DC, dcadmin is the AD administrator, and the cn value in the filter is the name of the pre-created computer object.

Example 2:  
In the case of a disjoint DNS namespace, specify the computer name in the filter as it is known in DNS: (cn=<computer name as known in the dns>)

root@abcpdmz01:/home/sjohn# /usr/share/centrifydc/bin/ldapsearch -x -h abcrodc01 -D -W -b "cn=prod dmz,ou=zones,ou=xyz,ou=unix servers,dc=xyzds,dc=com" "(&(objectCategory=ServiceConnectionPoint)("

Here abcrodc01 is the DC, dcadmin is the AD administrator, and the cn value in the filter is the name of the computer object as seen in DNS (nslookup/dig).

Sample output for example 1:
[root@vscentos6 init.d]# ldapsearch -x -h localhost -D dcadmin -W -b "dc=vstestcentrify,dc=com" "(&(objectCategory=ServiceConnectionPoint) ("
Enter LDAP Password: 
# extended LDIF 

# LDAPv3 
# base <dc=vstestcentrify,dc=com> with scope sub 
# filter: (&(objectCategory=ServiceConnectionPoint) (
# requesting: ALL 
# with pagedResults control: size=100 
#, Computers, Engineering, Universal, Zones, UNIX, 
displayName: $CimsComputerVersion3 
instanceType: 4 
objectCategory: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=vstestcentrify,DC=com 
objectClass: top 
objectClass: leaf 
objectClass: connectionPoint 
objectClass: serviceConnectionPoint 
objectGUID:: wu4vRwgc4kGtXvQbUxLSMQ== 
showInAdvancedViewOnly: TRUE 
uSNChanged: 118864 
uSNCreated: 114801 
whenChanged: 20130109061555.0Z 
whenCreated: 20130108190412.0Z

# search result 
search: 2 
result: 0 Success
# numResponses: 2 
# numEntries: 1

In the above output, filtering for the SCP object of the pre-created computer '' returned one entry (numEntries: 1), which is the SCP record; zero entries would mean the SCP was not created.
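As an added example (not from the KB article), the following POSIX shell script builds the filter shown above with RFC 4515 escaping of the computer name and counts serviceConnectionPoint entries in the LDIF that ldapsearch prints; the host, bind DN, zone DN and the host01.example.com sample output are placeholders I constructed.

```shell
#!/bin/sh
# Added example, not part of the Centrify KB: build the SCP search filter
# with proper escaping and count serviceConnectionPoint entries in the LDIF
# that ldapsearch prints. Host, bind DN and zone DN below are placeholders.

# Escape a value for use inside an LDAP filter (RFC 4515), so that '*', '(',
# ')' or '\' in a computer name cannot change the structure of the filter.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter used on this page, for one computer DNS name.
scp_filter() {
  printf '(&(objectCategory=ServiceConnectionPoint)(cn=%s))' "$(ldap_filter_escape "$1")"
}

# Read LDIF on stdin and print how many entries carry the
# serviceConnectionPoint objectClass (0 means no SCP was found).
count_scp_entries() {
  awk '/^objectClass: *serviceConnectionPoint[ \t\r]*$/ { n++ }
       END { print n + 0 }'
}

# Run the real search (the same command as on this page) and report the count.
# Usage: check_scp <ldaphost> <binding-account-dn> <zone-dn> <computer-dns-name>
check_scp() {
  /usr/share/centrifydc/bin/ldapsearch -x -h "$1" -D "$2" -W -b "$3" \
    "$(scp_filter "$4")" | count_scp_entries
}

# Constructed sample of ldapsearch output for a computer that has an SCP.
sample_ldif() {
  cat <<'EOF'
# host01.example.com, Computers, Engineering, Zones, UNIX, example.com
dn: CN=host01.example.com,CN=Computers,CN=Engineering,CN=Zones,OU=UNIX,DC=example,DC=com
displayName: $CimsComputerVersion3
objectClass: top
objectClass: leaf
objectClass: connectionPoint
objectClass: serviceConnectionPoint
showInAdvancedViewOnly: TRUE

# search result
result: 0 Success
# numEntries: 1
EOF
}

sample_ldif | count_scp_entries   # prints 1
```

A count of 0 means no SCP exists for that name, the situation in which the self-serve join described above fails.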

2) Using the Active Directory tool ADSI Edit (see attachment):

a) Launch ADSI Edit using adsiedit.msc.

b) Navigate to the Zone where the computer object was pre-created.

c) Look for the object of class called serviceConnectionPoint.