LsaLookupName2 error when creating new SymantecDLP service user, on a new Enforce 15.1 install

Article ID: 172382

Products

Data Loss Prevention Enforce

Issue/Introduction

When installing Enforce from the command line with the 15.1 MSI, the wizard fails at the point of creating a new service account for Enforce (named "SymantecDLP" by default).

Error calling LsaLookupNames2: The trust relationship between the primary domain and the trusted domain failed. (HRESULT: 0x6fc)

Environment

15.1 clean install (not an upgrade). The failure occurs at the "Create a New Service User" step, after the username and password for the Service User have been entered and the "Next" button has been clicked.

Cause

The cause is not completely known, but there are indications from the customer environment that a Domain Controller was recently deleted while still remaining listed in the Active Directory forest.

For additional details on this issue, this Microsoft TechNet forum thread may prove useful:

https://social.technet.microsoft.com/Forums/en-US/4d916b60-f182-4406-af95-971de98d3a94/the-trust-relationship-between-the-primary-domain-and-the-trusted-domain-failed?forum=winservergen

Resolution

If the customer cannot confirm the above in their Active Directory environment, try creating the DLP Enforce Service User in advance of the 15.1 installation, making sure it has been given "Logon As A Service" rights. Then choose the "Existing User" option when the wizard prompts for the Service User.
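
One way to pre-create the account on the Enforce server, as an added example that is not part of the original article or the installer's own code. It assumes a local account with the default name SymantecDLP, an elevated Windows PowerShell 5.1 session, and uses secedit to add the SeServiceLogonRight user right (the right behind "Logon As A Service") without removing existing holders.

```powershell
# Added example: pre-create the Enforce service account and grant it
# SeServiceLogonRight. Run elevated on the Enforce server.
# Assumption: a local account with the installer's default name.
$UserName = 'SymantecDLP'

# Prompt for the password so it never lands in the script or shell history.
$Password = Read-Host -Prompt "Password for $UserName" -AsSecureString

if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    # -PasswordNeverExpires is an assumption; follow your own password policy.
    New-LocalUser -Name $UserName -Password $Password -PasswordNeverExpires `
        -Description 'Symantec DLP Enforce service account' | Out-Null
}

# User-rights assignments are stored by SID, so resolve the account once.
$Sid = (Get-LocalUser -Name $UserName).SID.Value

$WorkDir = Join-Path $env:TEMP ("dlp-rights-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $WorkDir | Out-Null
$Export = Join-Path $WorkDir 'current.inf'
$Import = Join-Path $WorkDir 'update.inf'
$Db     = Join-Path $WorkDir 'update.sdb'

try {
    # Read the current holders of the right from local security policy.
    secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
    $line    = Get-Content $Export | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    $current = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    if ($entries -notcontains "*$Sid") {
        # Append the new SID; existing entries are written back unchanged.
        $entries += "*$Sid"
        @(
            '[Unicode]', 'Unicode=yes',
            '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
            '[Privilege Rights]',
            "SeServiceLogonRight = $($entries -join ',')"
        ) | Set-Content -Path $Import -Encoding Unicode
        secedit /configure /db $Db /cfg $Import /areas USER_RIGHTS | Out-Null
    }
}
finally {
    # The exported policy lists privileged accounts; do not leave it in TEMP.
    Remove-Item -Recurse -Force $WorkDir
}
```

If a domain Group Policy also defines "Log on as a service", it overwrites this local setting at the next policy refresh, so add the account there as well.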