Adding Exchange Administrators fails with error 00000525
Just as a quick reminder (because, oh…I forgot myself), if you have Exchange Server 2007 installed in a child domain in a parent/child domain forest then your Exchange security groups are going to be located in the parent (root) domain. So, if you want to add new Exchange Administrators using the Add Exchange Administrators wizard from the EMC or the Add-ExchangeAdministrator cmdlet in the EMS, you need to be an Enterprise Administrator if you’re trying to perform the add from the child domain. If not, you’ll get this error:
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
Add-ExchangeAdministrator
Failed
Error:
Active Directory operation failed on dc21.root.local. This error is not retriable. Additional information: The specified user does not exist.
Active directory response: 00000525: NameErr: DSID-031A0F80, problem 2001 (NO_OBJECT), data 0, best match of:
”The object does not exist.
Exchange Management Shell command attempted:
Add-ExchangeAdministrator -Identity 'company.local/SystemUsers/Service Accounts/ServiceAccount42' -Role 'ServerAdmin' -Scope 'XHT10A'
Elapsed Time: 00:00:00
Here’s one newsgroup post with this error, I’m sure there are others as well.
EASY HP iLO Integration with Active Directory
After fumbling around for a while, and looking over a good number of “Help! How do I get iLO working with Active Directory without extending the schema” threads on the HP ITRC (IT Resource Center), I’ve gotten Active Directory login working with iLO2 in about 5 minutes. It’s all really about the ActiveX settings on the client PC you’re using! Pretty anticlimactic actually.
NOTE: These steps have been tested in IE 7 on Windows XP SP3 and Windows Vista SP1…IE 6 and older may be a bit different.
NOTE: Steps 1 - 3 are not absolutely required, but I consider them to be good security practice since we’ll be weakening the default ActiveX security policy later (better to do it for the local network and not the Internet or other non-classified locations, IMO).
To get things working in five minutes, just follow these steps:
1. In Internet Explorer, open Internet Options and go to the Security tab. Select Local intranet.
2. Click the Sites button to open the Local intranet dialog box.
3. Click the Advanced button to open the Local intranet (again) dialog box and enter the subnets on your LAN that contain your iLO hosts, leaving the last octet as a wild card. Add all of the subnets you have.
4. Click Close and then click OK to return to the Internet Options dialog box. Click the Custom Level button to open the Security Settings - Local Intranet Zone dialog box.
5. Change the option “Initialize and script ActiveX controls not marked as safe for scripting” to Prompt. Click OK to close this dialog box.
6. Click OK when prompted to change the zone settings.
7. Now go into the iLO settings for your server (logging in with the default local Admin account on the tag that came with the server). The Directory settings location varies slightly by iLO version, but you want to find something that looks like this.
8. You need to select “Use Directory Default Schema” and then enter an IP list or FQDN list of Domain Controllers separated by a comma. If you have S-LDAP available, leave port 636 (highly recommended) or change to 389 if you don’t have certificates on your Domain Controllers. Lastly, put the search base LDAP string in Directory User Context 1. It seems to work well with a higher level search base, but you might find you want multiple search bases.
9. Save your settings by clicking the Apply Settings button and then click the Administer Groups button to go to the group administrator settings.
10. Select the Administrators group (note you can repeat this step for lower level access groups as well) and click the View/Modify button.
11. Supply the full LDAP path to the Active Directory security group that contains your iLO users (full administrators in this case) and then enable the features you wish the members of that group to have. Click the Save Group Information button when you’re done.
12. Log out of the iLO as the default Admin and log in to the iLO Web page using your Active Directory credentials.
13. Since you changed the “Initialize and script ActiveX controls not marked as safe for scripting” option to Prompt, you’re asked if you want the ActiveX control to run. Click OK and you’ve just completed integration of Active Directory and iLO.
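The Internet Explorer part of the procedure (the Local intranet subnets and the ActiveX option set to Prompt) can also be applied per user through the registry. This is an added example, not part of the original post or any HP tooling; the subnets are constructed placeholders, and it ends with a check that the Internet zone was not loosened along the way.

```powershell
# Added example: applies the Local intranet zone changes for the current user (HKCU).
# The subnets below are constructed placeholders; replace them with your iLO subnets.
$iloSubnets = @('192.168.10.*', '192.168.20.*')

$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$rangesKey    = "$inetSettings\ZoneMap\Ranges"
$intranetZone = 1       # zone 1 = Local intranet, zone 3 = Internet
$actionId     = '1201'  # Initialize and script ActiveX controls not marked as safe for scripting
$prompt       = 1       # 0 = Enable, 1 = Prompt, 3 = Disable

if (-not (Test-Path $rangesKey)) { New-Item -Path $rangesKey -Force | Out-Null }

# Collect the ranges already mapped so a subnet is never added twice.
$existing = @(Get-ChildItem $rangesKey | ForEach-Object {
    (Get-ItemProperty $_.PSPath).':Range'
})

$index = 1
foreach ($subnet in $iloSubnets) {
    if ($existing -contains $subnet) { continue }
    # Find the next unused RangeN key name.
    while (Test-Path "$rangesKey\Range$index") { $index++ }
    $key = "$rangesKey\Range$index"
    New-Item -Path $key | Out-Null
    New-ItemProperty -Path $key -Name ':Range' -Value $subnet -PropertyType String | Out-Null
    # '*' maps every protocol for this range to the Local intranet zone.
    New-ItemProperty -Path $key -Name '*' -Value $intranetZone -PropertyType DWord | Out-Null
}

# Relax action 1201 to Prompt for the Local intranet zone only.
Set-ItemProperty -Path "$inetSettings\Zones\$intranetZone" -Name $actionId -Value $prompt

# Check: the Internet zone should still have this action disabled.
$internet = (Get-ItemProperty "$inetSettings\Zones\3" -ErrorAction SilentlyContinue).$actionId
if ($internet -ne 3) {
    Write-Warning "Internet zone action 1201 is '$internet', expected 3 (Disable)."
} else {
    Write-Output 'Internet zone unchanged: action 1201 is still Disable.'
}
```

Zone settings pushed by Group Policy take precedence over these per-user values, so check the result in the Security tab afterwards.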
You can download a PDF file from HP that discusses this process also (nothing about ActiveX mind you), including some items I’ve not discussed here. There is also available for download a tool, HP Directories Support for Management Processors, that can supposedly be used to configure the iLO settings on multiple servers over the network. I know it doesn’t run on Windows Vista, but I’ve not tried it out yet to see if it can help with getting the rest of the server’s iLO settings configured.
See, that was easy…right?