Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-4852: "server not operational " error when provisioning ZPA

Authentication Service ,  

10 August,18 at 02:31 PM

Applies to:

All versions of Centrify Zone Provisioning agent


ZPA fails to provision users with error "The user name or password is incorrect" or "server not operational"

This happens on a Windows server 2012 with Domain Functional Level 2012.
The ZPA service account has been delegated zone authority and set up to login as a service on the server.

Snippet of the error:

[2014-07-09 03:00:18.946 +0000] Centrify.Provisioning.Agent.exe[1100,6] Error: DomainPoller.Poll: Failed to update zone support.centrify.local/Centrify/Zones/Test01 : System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.

DNS issues were ruled out by pinging the qa.centrify.local and the DCs in root forest.


The log clearly says that we cannot reach the server when trying to bind to RootDSE.

After providing a debug build of ZPA and other logs, it was observed that ADSIEdit/ADUC had trouble using the ZPA service account in the child domain (support.centrify.local) to talk to rootDSE. It just cannot bind to rootDSE. 

The Domain Admin in root has blocked access permission to any user in child domain. They are only 2 choices - either make the DomainAdmin of rootDSE to give permission or use delegation.

When delegation is performed, the following error will appear:

"Failed to get the DC DNS name for the domain centrify.local"


The workaround is to redirect parent domain access to child domain Domain controller.

On the machine where ZPA is installed, the Windows hosts file needs to be edited and the below info needs to be added.
ip address  parent-domain-name
Where ip address is that of the domain controllers for the child domain where ZPA machine joins to.

Reason for this workaround:
1) Contact to the parent domain is a requirement for our product to work.     This works because the things that we need from the parent domain RootDSE should also be able to be found from child domain RootDSE.  

2) Since we are redirecting all parent domain traffic to child domain, this workaround may cause some issues on some other software which require contacting the parent domain.  

3) Customers should thoroughly test it in their sand environment.


Centrify will fix this issue in a future release as this is not a trivial fix. This fix is on Access Manager and ZPA.