1. When I start ADSelfService Plus, none of my domains are discovered. It says "No Domain Configuration available". Why?
ADSelfService Plus, upon starting, discovers the domains from the DNS Server associated with the machine running the product. If no domain details are available in that DNS Server, this message is displayed.
2. When I add my domains manually, the Domain Controllers are not resolved. Why?
This happens when the DNS associated with the machine running ADSelfService Plus does not contain the necessary information. In such cases, you must add the Domain Controllers manually.
3. When I add the Domain Controller, I get the "The Servers are not operational" error. What does it mean?
This could mean that either the specified Domain Controller is invalid or it could not be contacted because of network issues.
4. When I add the Domain Controller, I get the "Unable to get domain DNS / FLAT name" error. What does it mean?
This error could be due to any of the following reasons:
The specified user name or the password is invalid.
Anonymous login (when no user name and password are provided).
When the IP Address of the Domain Controller is specified instead of its name.
5. The status column in the domain settings says that the user does not have Admin Privilege?
This is a warning message to indicate that the specified user does not have administrator privileges. That is, the user is not a member of the Domain Admins group. Hence, permissions applicable to administrators may not be available to this user.
1. Error Code - 80070005 / Error Code - 5 : Error In Setting Attributes, Access is denied
Cause: User account does not have sufficient privileges.
Solution:
Log in to ADSelfService Plus with the 'admin' credential.
Click the Domain Settings link found at the top right corner.
Click the edit icon to edit the domain details.
Select the Authentication option, and enter a privileged 'Domain User Name' and 'Domain Password'.
Save the changes and continue with the operations.
2. While resetting user password, I get this error: "Error in setting the Password. The network path not found - Error Code: 80070035".
This error occurs if the target machine could not be contacted while resetting the user password. This could happen when the DNS associated with the machine running ADSelfService Plus does not point to the Domain Controller where the user account is being created (possibly both are in different domains).
3. While resetting user password, I get this error: "Error in setting the Password. There is a naming violation - Error Code: 80072037".
One possible reason for this error is that the password could contain some special characters that are not allowed.
4. While updating user information, I get this error: "The server is unwilling to process the request - Error Code: 80072035".
One possible reason for this error is that, when the SAMAccountName format is modified for multiple users, more than one user could have the same SAMAccountName.
5. While updating user information, I get this error: "Error In Setting Terminal service Properties. The specified user does not exist - Error Code: 525".
One possible reason could be: the user or the system account using which the product runs does not have an account in the target domain. Terminal Service properties can be set only if the user account or the system account using which ADSelfService Plus runs (when it is run as a service) has an account on the target domain.
6. I have updated the Exchange attributes using ADSelfService Plus, but the properties are not updated in the Exchange Server.
ADSelfService Plus modifies the Exchange properties in the Active Directory. The changes may not be reflected in the Exchange Server immediately, but they will certainly get updated after some time.
7. I am not able to set the Terminal Services properties for the user.
One possible reason could be: the user or the system account using which the product is run does not have an account in that domain.
Refer to this section for starting ADSelfService Plus using a User or System account.
8. When I modify a user, I get this error: "A device attached to the system is not functioning - Error Code: 8007001f".
The possible reason for this error could be: an unacceptable format is chosen for the naming attributes, while modifying a user. For example, if the format chosen for the Logon Name is LastName.FirstName.Initials, and if the user does not have any of the specified attributes, this error will occur.
9. Email address for user is not showing up or not set properly.
The possible reasons could be:
Email may not be set as per the Recipient Policy; check whether all the LDAP attributes in the recipient policy query are set to specific values.
The email attribute might not have been specified properly for the user. For example, the domain might not have been specified while entering the value for the email attribute. That is, if the email address is xyz@company.com, '@company.com' might not have been entered.
10. Error: "The server is unwilling to process the request" while resetting to a password that does not match the password complexity.
The possible reason could be: The password that you provided might not comply with the specified 'Password Complexity'.
Ex: The password complexity might have specified a specific length, characters that can be used or number of bad login attempts, etc. for the passwords. If the new passwords provided do not meet the specified complexity, it will result in this error.
Reason for this error: the credentials provided are invalid.
Reason for this error: the referenced account is currently locked out and not logged on.
Reason for this error: the password does not meet the password policy requirements. Check whether the password provided meets the minimum password length, password complexity and password history requirements.
14. No such user found. Verify the LDAP attribute in search query.
Reason for this error: There are no matching users in the Active Directory for the criteria provided. Try choosing the correct matching attributes by checking the query provided in the "Match criteria for Users in AD"; this can be obtained by clicking the "Update in AD" button and expanding "Select Attributes".
Active Directory Change Password
When end users try to change password from the self-service portal, they get this error: Problem in changing password. Contact your administrator to troubleshoot.
Check if the following prerequisites are satisfied.
Check if PowerShell 2.0 or higher is present in the machine in which ADSelfService Plus is installed.
Open PowerShell as the administrator.
Check for its version number by running the command $PSVersionTable.
If the version is below 2.0, install a higher version of PowerShell from here.
Ensure that you have at least one domain controller running Windows Server 2008 R2 or above, and make it the first configured domain controller.
Navigate to domain settings in the ADSelfService Plus console.
In the List of Domain Controller(s) box, select the domain controller that is running Windows Server 2008 R2 or above, and click the adjacent UP arrow to make it the first domain controller in the list.
Click Save.
Alternative Solution (NOT recommended)
If you do not have any domain controller running Windows Server 2008 R2 or above, you need to remove the Windows update that caused this issue from the machine where ADSelfService Plus is installed. You can identify the exact update that needs to be uninstalled based on the operating system by visiting this link.
Steps to uninstall the Windows update.
Navigate to Control Panel --> Programs, and then under Programs and Features, select View installed updates.
Search for the specific updates, and then click Uninstall.
Restart the server.
Check if communications through port 5985 are enabled in the first domain controller configured with the product.
Open command prompt as the administrator in the machine in which ADSelfService Plus is installed and enter the following command: telnet <DC-Name> 5985
If the command returns a connection failed error message, open port 5985 in the domain controller's firewall.
Check if the account used to configure the domain settings is a non-administrative account.
Steps to be executed in the first domain controller in the domain settings of ADSelfService Plus.
Open services.msc and start the service Windows Remote Management.
Open PowerShell as the administrator.
Enter the following command: Set-PSSessionConfiguration Microsoft.Powershell -ShowSecurityDescriptorUI
Enter Y for the next two steps when prompted to confirm.
Click Add.
Search for the user account with which the domain settings have been configured and grant it the Full Control (All Operations) permission.
Execute the following PowerShell cmdlets on the domain controller, preferably the first domain controller in the list, configured in the domain settings of ADSelfService Plus:
Enable-PSRemoting -Force
Set-Item wsman:/localhost/client/TrustedHosts "ADSelfServicePlus-Server-Name" -Force
Restart-Service WinRM
Steps to be executed in the machine where ADSelfService Plus is installed
Execute the following PowerShell cmdlets on the machine where ADSelfService Plus is installed:
Enable-PSRemoting -Force
Set-Item wsman:/localhost/client/TrustedHosts "DC-Name" -Force
Restart-Service WinRM
To check if the cmdlets were executed successfully, run the following command in the machine where ADSelfService Plus is installed:
Invoke-Command -ComputerName DC-Name -ScriptBlock { ipconfig } -credential $Cred
This command will print the IP details of the domain controller if the cmdlets were executed successfully.
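The prerequisites above can be checked in one pass before changing any setting. The following is an added example, not part of the product documentation: the function name is hypothetical, 'DC-Name' is the page's placeholder, and the checks only read state on the ADSelfService Plus machine and the domain controller.

```powershell
# Added example: read-only checks for the remoting prerequisites listed above.
# Run on the ADSelfService Plus machine. Function name is hypothetical.
function Test-RemotingPrerequisite {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )

    # PowerShell 2.0 or higher on this machine.
    $psOk = $PSVersionTable.PSVersion.Major -ge 2

    # TCP 5985 on the DC with a 3-second timeout
    # (the same check as "telnet <DC-Name> 5985").
    $portOpen = $false
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $pending  = $tcp.BeginConnect($ComputerName, 5985, $null, $null)
        $portOpen = $pending.AsyncWaitHandle.WaitOne(3000) -and $tcp.Connected
    } catch { $portOpen = $false } finally { $tcp.Close() }

    # The WinRM listener on the DC answers an identify request.
    $wsman = [bool](Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue)

    # TrustedHosts on this machine: the DC should be listed. A bare '*' entry
    # trusts every host for non-Kerberos authentication and is worth flagging.
    $entries = @()
    $item = Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction SilentlyContinue
    if ($item -and $item.Value) { $entries = @($item.Value -split '\s*,\s*') }
    $dcListed = @($entries | Where-Object { $ComputerName -like $_ }).Count -gt 0
    $wildcard = $entries -contains '*'

    # End-to-end test with the account configured in the domain settings.
    $remoteName = $null
    if ($Credential) {
        try {
            $remoteName = Invoke-Command -ComputerName $ComputerName -Credential $Credential `
                -ScriptBlock { $env:COMPUTERNAME } -ErrorAction Stop
        } catch { $remoteName = "FAILED: $($_.Exception.Message)" }
    }

    New-Object PSObject -Property @{
        PSVersion            = $PSVersionTable.PSVersion.ToString()
        PSVersionOk          = $psOk
        Port5985Open         = $portOpen
        WinRMResponds        = $wsman
        DcInTrustedHosts     = $dcListed
        TrustedHostsWildcard = $wildcard
        RemoteComputerName   = $remoteName
    }
}

# Usage: Test-RemotingPrerequisite -ComputerName 'DC-Name' -Credential (Get-Credential)
```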
1. When I specify the details and generate the report, it says "No Result available" or incomplete data.
The possible reasons could be:
ADSelfService Plus could not contact the Domain Controller, either because it is not operational or due to network issues.
In case of multiple Domain Controllers, the data might not be replicated in all the Domain Controllers.
The LastLogonTime that is used to determine the inactive users and computers is not replicated in all the Domain Controllers. Hence, you must specify all the Domain Controllers in the Domain Settings of ADSelfService Plus to enable it to retrieve the data from all the Domain Controllers.
When the password policy is not set (i.e., Max Password Age is set to zero), the Password Expired Users report and Soon to Expire User Passwords reports will not have any data.
2. When I specify the details and generate the service accounts report, it says "No Permission to read".
This occurs when there is no permission for the user account provided in ADSelfService Plus' domain settings to read the LSA policy object of the computers selected.
3. AD Reports shows an object that does not exist in the Active Directory.
This mismatch could occur if ADSelfService Plus' data is not synchronized with the Active Directory data. The data synchronization happens every day at 1:00 hrs. If ADSelfService Plus is not running at that time, you can initiate the data synchronization manually by clicking the icon located in the Actions column of the desired domain, in the Domain Settings.
1. I receive the error message: "Initiating Connection to Remote Service. Failed". Why?
This error could occur if the target computer could not be contacted.
Check that such a computer really exists. If so, check whether it is connected to the network.
To check for connectivity, ping this computer from the server where ADSelfService Plus has been installed.
2. I receive the error message: "Network path not found/Invalid Credential". Why?
This error could occur if the target computer could not be contacted.
Check that such a computer really exists. If so, check whether it is connected to the network.
To check for connectivity, ping this computer from the server where ADSelfService Plus has been installed.
3. I receive the error message: "The network path was not found". Why?
This error could occur if the target computer could not be contacted.
Check that such a computer really exists. If so, check whether it is connected to the network.
To check for connectivity, ping this computer from the server where ADSelfService Plus has been installed.
4. Couldn't copy the MSI file "ADSelfServicePlusClientSoftware.msi" to the client machine. Why?
Possible reason: Insufficient privileges to access the client machine.
Solution: Update the credentials provided in ADSelfService Plus' "Domain Settings" if it is running as an application. If it is running as a service, update the service account's credentials from the "Logon" tab by editing "Services.msc".
5. Couldn't connect to the Client Machine, ADMIN$. Access is denied.
Reason: Admin share might not be enabled.
Solution: Enable Admin share in the client computer and configure ADSelfService Plus domain settings using user credentials that have the necessary permission to access the Admin share.
Step 1: Enable Admin Share
From the client computer, go to Start --> Run and type gpedit.msc and hit enter
Expand the Administrative Templates -> Network -> Network Connections -> Windows Firewall
Click Domain Profile and double click Windows Firewall: Allow inbound remote administration exception
Select Enabled and click OK
Step 2: Update the domain settings in ADSelfService Plus with a user account that has permission to access the Admin share.
When ADSelfService Plus is running in console mode, update the credential provided under the "Domain Settings" of ADSelfService Plus.
When ADSelfService Plus is running as a service, update the service account's credentials from the "Logon" tab by editing the properties in "Services.msc".
6. Logon Failure: The target account name is incorrect.
This error could occur if two computers have the same computer name. One computer is located in the child domain; the other computer is located in the parent domain.
7. Logon failure: unknown user name or bad password.
Reason: Admin share might not be enabled.
Solution: Configure Domain Settings (when run as a console) / Logon Tab (when run as a service) by providing an account with the appropriate administrative credentials.
8. Another installation is already in progress.
Solution: Try to install after a few minutes.
9. Couldn't start remote service. Overlapped I/O operation is in progress.
Solution: Try enabling the "Remote registry" and "Server" services on the client machine.
Troubleshooting Mac Login Agent
The Computer name to IP resolution works fine, but the computer is not responding.
Check if the target computer is turned on, and can be pinged from the server where ADSelfService Plus has been installed.
Open the Mac client. Go to System Preferences --> Sharing and check if Remote Login is enabled.
Check if the user account provided in the "Domain Settings" has "Remote Login" access enabled.
3. Logon Failure: Unknown user name or bad password
(or)
4. Permission denied.
Check if the credentials provided in the "Domain Settings" have Administrative privileges over the Mac client.
Open the Mac client. Go to System Preferences --> Users & Groups --> Login Options --> Edit --> Open Directory Utility.
Now double click the "Service" by which the Mac client has been joined to Active Directory. Check if the user is listed under "Allow Administration by" list.
Also, go to Directory Editor in the Directory Utility and check if the Active Directory node can be connected using the user credentials provided in the "Domain Settings".
Troubleshooting Push Notification
1. ERROR_CODE:70060AA, ERROR_CODE:70060AI, ERROR_CODE:70050CF, ERROR_CODE:70050ACF, ERROR_CODE:70050ICF.
These errors occur due to an invalid push notification certificate or problems in the push server side. Please contact ADSelfService Plus support team at support@adselfserviceplus.com for resolution.
2. ERROR_CODE:70050A, ERROR_CODE:70050PF, ERROR_CODE:70050APF, ERROR_CODE:70050IPF
This error will appear if you don't have the necessary ports and IP/Host addresses opened in your Firewall setup.
Open the following ports in your firewall setup so that ADSelfService Plus web server can communicate with the push servers of Apple and Google:
For Apple Server: 5223, 2195, 2196, 443
For Google Server: 5228, 5229, and 5230, 80/443
For Apple Server: gateway.push.apple.com and feedback.push.apple.com
For Google Server: All outbound IPs with port 80/443 or simply open the Google ASN IPs.
Note: If your organization's policy does not allow unblocking the above IPs, route the requests to these IPs through a proxy server, as per your organization's policy. When you use a proxy server, do not forget to configure the Proxy Settings in the product.
Troubleshooting SMS Server Settings and SSLHandshakeException
Description: This exception occurs when you configure an SMTP mail server or a web server with SSL in ADSelfService Plus, and the server uses a self-signed certificate. The Java Runtime Environment used in ADSelfService Plus will not trust self-signed certificates unless they are explicitly imported.
Solution: You need to import the self-signed certificates used by the server in the JRE package used by ADSelfService Plus. Follow the steps given below:
Step 1: Download the certificate
For SMTP servers:
Note: To download the certificate used by SMTP server, you must have OpenSSL installed. You can download it from here.
For Web Servers:
Step 2: Import the certificates in JRE package of ADSelfService Plus
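One way to carry out Step 1 (for an SMTP server) and Step 2 is sketched below as an added example; it is not the product's documented procedure. Assumptions: openssl.exe and keytool.exe are on PATH, the server offers STARTTLS on port 587, the function names and alias are hypothetical, and the keystore is the cacerts file of the JRE that ADSelfService Plus uses (its location is a placeholder).

```powershell
# Added example. Function names, default port and alias are assumptions.
function Save-SmtpCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$SmtpHost,
        [Parameter(Mandatory = $true)][string]$OutFile,
        [int]$Port = 587                      # assumed STARTTLS submission port
    )
    # s_client prints the server certificate as a PEM block; empty stdin ends the session.
    $raw = '' | & openssl s_client -connect "${SmtpHost}:$Port" -starttls smtp 2>$null | Out-String
    $m = [regex]::Match($raw, '(?s)-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----')
    if (-not $m.Success) { throw "No certificate returned by ${SmtpHost}:$Port" }
    Set-Content -Path $OutFile -Value $m.Value -Encoding ASCII

    # Show exactly what is about to be trusted, so the fingerprint can be
    # compared with the value obtained from the mail server's administrator.
    & openssl x509 -in $OutFile -noout -subject -issuer -enddate -fingerprint -sha256
}

function Import-JreTrustedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CertFile,
        [Parameter(Mandatory = $true)][string]$Keystore,   # cacerts of the product's JRE
        [string]$Alias = 'mailserver-selfsigned'           # hypothetical alias
    )
    # A self-signed certificate has no chain to check, so the fingerprint
    # comparison is the only verification there is. Do not skip it.
    $answer = Read-Host 'Does the SHA-256 fingerprint match the one from the server owner? (y/n)'
    if ($answer -ne 'y') { throw 'Fingerprint not confirmed; nothing imported.' }

    # keytool prompts for the keystore password and asks to confirm trust.
    & keytool -importcert -alias $Alias -file $CertFile -keystore $Keystore
}

# Usage (placeholders):
#   Save-SmtpCertificate -SmtpHost 'mail.example.com' -OutFile "$env:TEMP\mail.pem"
#   Import-JreTrustedCertificate -CertFile "$env:TEMP\mail.pem" `
#       -Keystore '<path-to-product-JRE>\lib\security\cacerts'
```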
Description: This error may appear when you have configured SAML Authentication in ADSelfService Plus with an invalid X.509 certificate from the identity provider. The certificate is deemed invalid due to one of the following reasons:
Certificate has expired.
Certificate's start of validity date is yet to come.
You've chosen a different certificate such as an SSL root certificate.
The certificate content is not in PEM format.
Solution: Please download the current X.509 certificate from your identity provider again and upload it in ADSelfService Plus.
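Before uploading, the certificate file can be checked against the reasons listed above. This is an added example, not code from the product: the function name is hypothetical, and it tests PEM format and the validity window, and prints the subject and issuer so they can be compared with the signing certificate published by the identity provider.

```powershell
# Added example: pre-upload check of an identity provider certificate file.
function Test-IdpCertificate {
    param([Parameter(Mandatory = $true)][string]$Path)

    $status  = 'OK'
    $cert    = $null
    $text    = [System.IO.File]::ReadAllText((Resolve-Path $Path).ProviderPath)
    $pattern = '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $m       = [regex]::Match($text, $pattern)

    if (-not $m.Success) {
        # DER/binary files and private keys end up here.
        $status = 'Not PEM: no BEGIN/END CERTIFICATE block found'
    } else {
        try {
            $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        } catch {
            $status = 'PEM block does not contain a parsable X.509 certificate'
        }
    }

    if ($cert) {
        # NotBefore and NotAfter are returned in local time, as is Get-Date.
        $now = Get-Date
        if ($now -gt $cert.NotAfter) {
            $status = "Expired on $($cert.NotAfter)"
        } elseif ($now -lt $cert.NotBefore) {
            $status = "Not valid until $($cert.NotBefore)"
        }
    }

    $report = @{ File = $Path; Status = $status; Usable = ($status -eq 'OK') }
    if ($cert) {
        # Compare these with the signing certificate in the IdP metadata to
        # rule out an unrelated certificate such as an SSL root certificate.
        $report.Subject   = $cert.Subject
        $report.Issuer    = $cert.Issuer
        $report.NotBefore = $cert.NotBefore
        $report.NotAfter  = $cert.NotAfter
    }
    New-Object PSObject -Property $report
}

# Usage: Test-IdpCertificate -Path '.\idp-signing.pem'   # placeholder file name
```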