

MIM PAM: New-PAMGroup: Unable to create shadow group - the server cannot handle directory requests


Introduction

When deploying MIM PAM in an environment where the corp forest has child domains, New-PAMGroup fails for groups that live in a child domain. In this example, priv.local is the bastion forest where MIM PAM is deployed, contoso.com is the corp forest, and New-PAMGroup is run against a group in the child domain child.contoso.com.

Error

Run the cmdlet with the -Verbose flag to see where it fails:
New-PAMGroup -SourceDisplayName 'test' -SourceDomain 'child.contoso.com' -verbose
VERBOSE: Type:Information, Msg:Group 'test' was accessed successfully in domain 'child.contoso.com'.
VERBOSE: Type:Information, Msg:Group 'CHILD.test' was not found PAM MIM
VERBOSE: Type:Information, Msg:Add new group test from domain child.contoso.com to PAM system.
VERBOSE: Type:Warning, Msg:Unable to create shadow group 'CHILD.test'  in domain 'priv.local'. Exception:
'System.DirectoryServices.Protocols.DirectoryOperationException:The server cannot handle directory requests.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation,
ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.ResourceManagement.Utilities.ActiveDirectoryHelper.CreateShadowPrincipal(AdGroup shadowPrincipalGroup)
   at Microsoft.IdentityManagement.PamCmdlets.Managers.PamGroupManager.CreateShadowObjectInPrivAD()'.
VERBOSE: Type:Information, Msg:Group 'test' could not be added to the PAM system. Starting rollback.
VERBOSE: Type:Information, Msg:Group 'test' rollback completed.
VERBOSE: Type:Information, Msg:Group 'test' from domain 'child.contoso.com' could not be added to the PAM system.
Exception: The server cannot handle directory requests.
VERBOSE: Type:Warning, Msg:Unable to create shadow group 'test'  in domain 'child'. Exception:
'System.DirectoryServices.Protocols.DirectoryOperationException: The server cannot handle directory requests.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation,
ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.ResourceManagement.Utilities.ActiveDirectoryHelper.CreateShadowPrincipal(AdGroup shadowPrincipalGroup)
   at Microsoft.IdentityManagement.PamCmdlets.Managers.PamGroupManager.CreateShadowObjectInPrivAD()
   at Microsoft.IdentityManagement.PamCmdlets.Managers.PamGroupManager.NewPamGroup(String corpGroupName, Boolean
clonesid, Boolean privOnly)
   at Microsoft.IdentityManagement.AdminPamCmdlets.NewPamGroupUserCommand.ProcessRecord()'.

The same problem shows up outside MIM: open Active Directory Users and Computers as a priv.local user and change the domain to the child domain, and the connection fails with an incorrect username or password error even though the credentials are correct. That is a quick way to confirm the failure is in the trust rather than in MIM.

Cause

A forest trust only covers the domains in the partner forest whose name suffixes are routed across it. The routing table (the partner forest's top-level names, such as *.contoso.com, and the domains under them) is stored on the trust object in the bastion forest and is not populated until the trust has been validated and its Name Suffix Routing is working properly. Until then, priv.local knows about the contoso.com forest but has no routing entry for child.contoso.com, so anything that involves the child domain fails: a priv.local user cannot authenticate to it, and New-PAMGroup aborts while creating the shadow group. This is nothing new introduced by New-PAMTrust; it is how forest trusts have always behaved. Since most (including myself) don't create new forest trusts every day, this step is often missed.

Solution

  1. Log on to the Priv domain controller and run domain.msc (Active Directory Domains and Trusts).
  2. Right-click the Priv domain and click Properties.
  3. On the Trusts tab, under Domains that trust this domain (incoming trusts), select the Corp forest and click Properties.
  4. In the Corp properties, click the Name Suffix Routing tab. Notice that no name suffixes are listed for the Corp forest; this is why the child domain is unreachable.
  5. Click Refresh, then verify that routing is enabled for the Corp forest suffix (*.contoso.com, which covers child.contoso.com).
  6. Re-run New-PAMGroup for the child-domain group.
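The GUI steps above inspect and refresh the routing table by hand. The following PowerShell script is an added example (not from the original post and not part of MIM) that reads the same forest trust information from the bastion forest through the System.DirectoryServices.ActiveDirectory API, reports whether child.contoso.com is routed, and then reproduces the ADUC symptom with an authenticated LDAP bind to the child domain. It assumes the forest names used in this post (priv.local as the bastion forest, contoso.com as the corp forest with child domain child.contoso.com) and that it is run on a priv.local domain-joined machine as a priv.local domain administrator. It reads the routing table but does not refresh it; the refresh is still done from the Name Suffix Routing tab.

```powershell
# Added example, not code from the original post or from MIM.
# Checks, from the bastion forest, whether the corp forest trust carries a routing
# entry for the child domain, then tries an LDAP bind to that domain as the current
# (priv.local) user. Forest and domain names below are the ones used in the post.
$corpForest  = 'contoso.com'        # corp forest that trusts priv.local (assumed name)
$childDomain = 'child.contoso.com'  # child domain holding the group passed to New-PAMGroup (assumed name)

Add-Type -AssemblyName System.DirectoryServices

# GetTrustRelationship reads the forest trust information (top-level names and
# trusted domains) stored on the trust object in the current forest.
$privForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$trustInfo  = $privForest.GetTrustRelationship($corpForest)

"Trust {0} -> {1}, type {2}, direction {3}" -f $trustInfo.SourceName, $trustInfo.TargetName,
    $trustInfo.TrustType, $trustInfo.TrustDirection

"Top-level names (routed name suffixes):"
if ($trustInfo.TopLevelNames.Count -eq 0) { "  (none - this matches the empty Name Suffix Routing tab)" }
$trustInfo.TopLevelNames | ForEach-Object { "  {0,-30} {1}" -f $_.Name, $_.Status }

"Excluded top-level names:"
$trustInfo.ExcludedTopLevelNames | ForEach-Object { "  $_" }

"Domains known in the trusted forest:"
$trustInfo.TrustedDomainInformation | ForEach-Object { "  {0,-30} {1}" -f $_.DnsName, $_.Status }

# The child domain must appear in the trusted domain list with status Enabled for
# priv.local to route requests for it across the trust.
$child = $trustInfo.TrustedDomainInformation | Where-Object { $_.DnsName -eq $childDomain }
if (-not $child) {
    Write-Warning "$childDomain is not in the forest trust information stored on $($privForest.Name)."
    Write-Warning "Refresh Name Suffix Routing for the $corpForest trust in domain.msc, then re-run New-PAMGroup."
} elseif ($child.Status -ne 'Enabled') {
    Write-Warning "$childDomain is listed but its routing status is $($child.Status), not Enabled."
} else {
    "$childDomain is routed (status Enabled)."
}

# Reproduce the ADUC symptom without the GUI: bind to the child domain's default
# naming context as the current priv.local user. DirectoryEntry binds lazily, so the
# failure (if any) surfaces when a property is first read.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
try {
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$childDomain")
    $dn = $entry.Properties['distinguishedName'][0]
    "LDAP bind to $childDomain as $me succeeded; naming context is $dn"
} catch {
    Write-Warning "LDAP bind to $childDomain as $me failed: $($_.Exception.Message)"
}
```

When the routing table is in the state shown in the screenshot, the top-level name list comes back empty, the child domain is missing from the trusted domain list, and the LDAP bind fails with the same credentials error seen in Active Directory Users and Computers. After clicking Refresh on the Name Suffix Routing tab, re-run the script: *.contoso.com should appear as an enabled top-level name, child.contoso.com should be listed with status Enabled, and the bind should succeed, at which point New-PAMGroup can be retried.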

Note: the screenshot below is for the forest corp.contoso.com (which differs slightly from the contoso.com forest in the diagram above).

Conclusion

MIM PAM is unique among Just-in-Time (JIT) privileged account management products because it takes advantage of features built deep into Active Directory and Windows. This lets it work with existing Active Directory environments, but it sometimes makes deployment challenging. Most of the "issues" encountered in PAM deployments have little to do with MIM PAM itself and more to do with getting the environment right in the first place.