Recommended workarounds or solutions for the above causes are noted below:
Ignition Server Machine Accounts (MA) Not Registered in Active Directory
- Ensure permissions for the LDAP service account specified in Directory Services has sufficient privileges to Create *AND* Delete computers (child objects / machine accounts) to the domain. This is easily achieved by associating the LDAP service account in Active Directory with the default "Domain Admins" privilege level.
- Security conscious administrators may not wish to create accounts associated with the default "Domain Admins" privilege level. In such cases the account permissions MUST be modified to Allow "Create all child objects" and "Remove all child objects".
Ignition Server Machine Account (MA) "LDAP Constraint Violation" Due To Duplicate CNF (Conflict) Records in Active Directory
- Periodic monitoring of Active Directory machine account registrations for IDE and removal of the primary MAC and CNF records is advised.
- Diagnose and resolve any replication issues that may be present within the Active Directory domain forest.
Ignition Server Machine Account (MA) "LDAP Constraint Violation" In Multi Domain Environments
- Two or more child subdomains are configured under two separate Active Directory services and Ignition Cannot Register the MA in both subdomains due to SPN uniqueness restrictions.
- Configure AD to allow duplicate SPNs to be registered in each child subdomain. Please refer to "SPN uniqueness" on technet.microsoft.com or KB3070083.
The above issue is resolved in software 9.3.0 which is available for download.For more information please refer JUPITER-2323 in the 9.3.0 release notes
Ignition Server Machine Account (MA) "LDAP Constraint Violation" Due To Duplicate DEL (DELeted) Records in Active Directory
-Deleting the DEL record will resolve this issue and also check on other members of Active Directory.
Starting with Identity Engines software release 9.2 (and above) the default Machine Account de-registration / re-registration interval has been changed from once every 24 hours to once every 30 days. It is expected that the frequency of duplicate CNF Machine Accounts will be eliminated.