05-31-2024 02:48 AM
Trying to join AD but we get this:
Error Description:
Support Details...
Error Name: LW_ERROR_LDAP_CONSTRAINT_VIOLATION
Error Code: 40315
Detailed Log:
Error Description :
Cannot Set Attribute DNSHostName , Active Directory Returned Ldap Constraint Error While Trying To Set Attribute
Error Resolution :
Please Check For Sufficient Permissions To Create User Object , If The User Has The Sufficient Permissions Please Try To Join Again.
Join Steps :
09:36:49 Joining To Domain EU.xxxxx.COM Using User Svc-mi-Infraservices@xxxxx.com
09:36:49 Searching For DC In Domain EU.xxxxx.COM
09:36:53 Found DC: xxxx.eu.xxxxx.com , Client Site Is xxxx , Dc Site Is xxxxx
09:36:53 Checking Credentials For User Svc-mi-Infraservices@xxxxx.com
09:36:53 Getting TGT For Account Svc-mi-Infraservices@xxxxx.COM
09:36:53 TGT For Account Svc-mi-Infraservices@xxxxx.COM Was Retrieved Successfully
09:36:53 Credentials For User Svc-mi-Infraservices@xxxxx.com Were Verified
09:36:53 Searching For DC In Domain EU.xxxxx.COM
09:36:56 Found DC: EU-xxxxx.eu.xxxxx.com , Client Site Is xxxxx , Dc Site Is xxxxx
09:36:56 Generating Account Name For ISE Machine In EU.xxxxx.COM
09:36:56 Searching For An Existing Machine Account
09:36:56 Searching Object By Filter : (&(objectCategory=computer)(servicePrincipalName=host/my-cisco-ise01.eu.xxxxx.com))
09:36:56 Account: my-cisco-ise01 Was Not Found
09:36:56 Searching For An Existing Machine Account
09:36:56 Searching Object By Filter : (&(objectClass=computer)(sAMAccountName=xxxxx-0GJRLDB$))
09:36:56 Account: xxxxx-0GJRLDB$ Was Found
09:36:56 ISE Machine Account Name Is : xxxxx-0GJRLDB$
09:36:56 Creating Machine Account xxxxx-0GJRLDB$
09:36:56 Connecting To AD Using DC EU-xxxxx.eu.xxxxx.com
09:36:56 Connection To EU-xxxxx.eu.xxxxx.com Established
09:36:57 Opening Domain HM-EU
09:36:57 Domain HM-EU Was Opened Successfully
09:36:57 Machine Account: xxxxx-0GJRLDB$ Already Exists , Opening Account.
09:36:57 Machine Account xxxxx-0GJRLDB$ Was Opened Successfully
09:36:57 Querying Account xxxxx-0GJRLDB$ Info
09:36:57 Account xxxxx-0GJRLDB$ Information Was Retrieved Successfully
09:36:57 Enabling Machine Account : xxxxx-0GJRLDB$
09:36:57 Machine Account xxxxx-0GJRLDB$ Was Enabled Successfully
09:36:57 Setting Password For Account : xxxxx-0GJRLDB$
09:36:57 Password For Account: xxxxx-0GJRLDB$ Was Setted Successfully
09:36:57 Account xxxxx-0GJRLDB$ Was Created Successfully
09:36:57 Verify That Machine Account: xxxxx-0GJRLDB$ Is Accessable
09:36:57 Searching Object By Filter : (&(objectClass=computer)(sAMAccountName=xxxxx-0GJRLDB$))
09:36:57 Machine Account xxxxx-0GJRLDB$ Is Accessable With DN: CN=xxxxx-0GJRLDB,CN=Computers,DC=eu,DC=xxxxx,DC=com
09:36:57 Setting Attributes To Object: CN=xxxxx-0GJRLDB,CN=Computers,DC=eu,DC=xxxxx,DC=com
09:36:57 Setting Attribute DNSHostName : my-cisco-ise01.eu.xxxxx.com To Object
09:36:57 Cannot Set Attribute DNSHostName , Active Directory Returned Ldap Constraint Error While Trying To Set Attribute
Any idea what's wrong?
05-31-2024 03:21 AM - edited 05-31-2024 03:23 AM
It seems that the user account you are joining the ISE to AD with is unable to edit the machine object.
Note that the user you are adding ISE to AD with is only used during the process of joining. You can hence likely use your regular "admin" credentials for this instead of using a limited permissions service account.
05-31-2024 07:24 AM
06-01-2024 12:11 AM
Are you the admin of LDAP? If so, I suggest creating a service account which has the right to join ISE to the domain.
Second, check for any already-added entries of ISE. If there are any, delete them and try again.
Cannot Set Attribute DNSHostName - also check that the DNS entry for the ISE is correct (verify).
06-01-2024 07:02 AM
The error code 40315, known as "LW_ERROR_LDAP_CONSTRAINT_VIOLATION," signifies an issue encountered while configuring the DNSHostName attribute for the machine account in Active Directory. This problem usually arises due to insufficient permissions granted to the user account responsible for the operation or due to limitations within the AD schema. To resolve this, ensure that the user possesses the required permissions to create and modify computer objects within the domain. Additionally, verify that the value assigned to the DNSHostName attribute adheres to the AD schema requirements and that no policies or constraints are impeding the update.
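A small triage helper for join-step logs like the one in the question, added here as an example (it is not from any poster or from Cisco). It extracts the failing step, the object being modified, and whether ISE reopened an existing machine account; the sample lines and names are constructed, and the log wording is assumed to match what the post shows.

```python
import re

# Constructed sample in the shape of the posted join steps (all names are placeholders).
SAMPLE = """\
Join Steps :
09:36:56 Searching Object By Filter : (&(objectCategory=computer)(servicePrincipalName=host/ise01.eu.example.com))
09:36:56 Account: ise01 Was Not Found
09:36:56 Searching Object By Filter : (&(objectClass=computer)(sAMAccountName=EXAMPLE-0ABCDEF$))
09:36:56 Account: EXAMPLE-0ABCDEF$ Was Found
09:36:57 Machine Account: EXAMPLE-0ABCDEF$ Already Exists , Opening Account.
09:36:57 Setting Attributes To Object: CN=EXAMPLE-0ABCDEF,CN=Computers,DC=eu,DC=example,DC=com
09:36:57 Setting Attribute DNSHostName : ise01.eu.example.com To Object
09:36:57 Cannot Set Attribute DNSHostName , Active Directory Returned Ldap Constraint Error While Trying To Set Attribute
"""

STEP = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(.*)$")  # "HH:MM:SS message"

def triage_join_log(text):
    """Summarise a join-step log: failing step, target object, reuse of an old account."""
    r = {"failed_step": None, "failed_at": None, "reused_account": None,
         "object_dn": None, "dns_host_name": None, "name_mismatch": None}
    for line in text.splitlines():
        m = STEP.match(line.strip())
        if not m:
            continue  # headers such as "Join Steps :" carry no timestamp
        ts, msg = m.groups()
        if (a := re.match(r"Machine Account: (\S+) Already Exists", msg)):
            r["reused_account"] = a.group(1)   # join reopened a pre-existing object
        elif (a := re.match(r"Setting Attributes To Object: (.+)$", msg)):
            r["object_dn"] = a.group(1).strip()
        elif (a := re.match(r"Setting Attribute DNSHostName : (\S+) To Object", msg)):
            r["dns_host_name"] = a.group(1)
        elif msg.startswith("Cannot "):
            r["failed_step"], r["failed_at"] = msg, ts
    if r["reused_account"] and r["dns_host_name"]:
        # Triage hint only: compare the host label being written with the reused
        # account's sAMAccountName (minus "$"); a difference is worth verifying
        # alongside the permissions on that object.
        sam = r["reused_account"].rstrip("$").lower()
        label = r["dns_host_name"].split(".", 1)[0].lower()
        r["name_mismatch"] = sam != label
    return r

if __name__ == "__main__":
    for key, value in triage_join_log(SAMPLE).items():
        print(f"{key}: {value}")
```

The summary gives the AD administrator the exact DN whose permissions and existing attributes need checking, rather than the whole log.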