12 April,16 at 11:09 AM
Applies to: All versions of Centrify DirectControl
Question:
After pre-creating a computer object, how does one verify if a ServiceConnectionPoint (SCP) object was created in Active Directory?
Before doing self-serve join, is it possible to verify if the SCP got created in case self-serve join fails with the message "unable to find precreated extension"?
Answer:
1) Using Centrify's ldapsearch and by specifying the filter for ServiceConnectionPoint
Syntax:
# /usr/share/centrifydc/bin/ldapsearch -x -h <ldaphost> -D <binding-account-dn> -W -b "<zone-dn>" "(&(objectCategory=ServiceConnectionPoint) (cn=<computer-dns-name>))"
Example 1:
[root@vscentos6 init.d]# /usr/share/centrifydc/bin/ldapsearch -x -h win03dc1 -D dcadmin -W -b "CN=Engineering,CN=Universal,CN=Zones,OU=UNIX,DC=vstestcentrify,DC=com" "(&(objectCategory=ServiceConnectionPoint) (CN=vscentos6.vstestcentrify.com))"
Where win03dc1 is the DC, dcadmin is the AD administrator, where vscentos6.vstestcentrify.com is the name of the pre-created computer object.
Example 2:
In case of dis-jointed DNS namespace, in the filter specify the computer name as (cn=<computer name as known in the dns>)
root@abcpdmz01:/home/sjohn# /usr/share/centrifydc/bin/ldapsearch -x -h abcrodc01 -D sjohn@xyzds.com -W -b "cn=prod dmz,ou=zones,ou=xyz,ou=unix servers,dc=xyzds,dc=com" "(&(objectCategory=ServiceConnectionPoint)(cn=abcpdmz01.xyz.com))"
Where abcrodc01 is the DC, dcadmin is the AD administrator, where abcpdmz01.xyz.com is the name of the computer object as seen in DNS (nslookup/dig).
Output Sample for example 1:
[root@vscentos6 init.d]# ldapsearch -x -h localhost -D dcadmin -W -b "dc=vstestcentrify,dc=com" "(&(objectCategory=ServiceConnectionPoint) (CN=vscentos6.vstestcentrify.com))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=vstestcentrify,dc=com> with scope sub
# filter: (&(objectCategory=ServiceConnectionPoint) (CN=vscentos6.vstestcentrify.com))
# requesting: ALL
# with pagedResults control: size=100
#
vscentos6.vstestcentrify.com, Computers, Engineering, Universal, Zones, UNIX, vstestcentrify.com
dn: cn=vscentos6.vstestcentrify.com,cn=Computers,cn=Engineering,cn=Universal,cn=Zones,ou=UNIX,dc=vstestcentrify,dc=com
cn: vscentos6.vstestcentrify.com
displayName: $CimsComputerVersion3
distinguishedName: CN=vscentos6.vstestcentrify.com,CN=Computers,CN=Engineering,CN=Universal,CN=Zones,OU=UNIX,DC=vstestcentrify,DC=com
instanceType: 4
name: vscentos6.vstestcentrify.com
objectCategory: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=vstestcentrify,DC=com
objectClass: top
objectClass: leaf
objectClass: connectionPoint
objectClass: serviceConnectionPoint
objectGUID:: wu4vRwgc4kGtXvQbUxLSMQ==
showInAdvancedViewOnly: TRUE
uSNChanged: 118864
uSNCreated: 114801
whenChanged: 20130109061555.0Z
whenCreated: 20130108190412.0Z
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
In the above output, filtering for SCP object for the pre-created computer 'vscentos6.vstestcentrify.com' returned one entry from the SCP record.
2) Using the Active Directory tool ADSI Edit: (see attachment)
a) Launch the ADSI Edit using adsiedit.msc.
b) Navigate to the Zone where the computer object was pre-created.
c) Look for the object of class called serviceConnectionPoint.
KB-6041: How to show current license type in use by adclient
KB-6040: How to change the license type in use after adclient successful joined to the AD?
KB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role?
KB-6056: How to report the group policy settings that are in effect for the local computer?
KB-6038: How to specify the license type to use when joining the server to AD using adjoin?
KB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0)
KB-3925: How to add Centrify parameter to a group policy
KB-2727: How to migrate SQL databases associated with a Centrify_DirectManage Audit installation from one database server to another
KB-11106: How to protect SCP objects from being deleted in Active Directory?