ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

CA Identity Manager - An Active Directory error 0x52 occurred when trying to check the suitability of server

book

Article ID: 239424

calendar_today

Updated On:

Products

CA Identity Suite CA Identity Manager

Issue/Introduction

When trying to provision an exchange account the below error is being thrown:

An Active Directory error 0x52 occurred when trying to check the suitability of server '10.10.100.10'. Error: 'Active directory response: A local error occurred.']: failed to add eTADSAccountName=TestUserName,eTADSOrgUnitName=OUName,eTADSOrgUnitName=OUName,eTADSOrgUnitName=OUName,eTADSDirectoryName=TestAD,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa

Cause

The issue is caused by misconfigured server settings within the endpoint settings to use the IP address. It is recommended by Microsoft to use the FQDN.

Environment

Release : 14.4

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Component : CA IDENTITY MANAGER (IDENTITY MANAGER)

Resolution

The eTADSprimaryServer and eTADSServerName attributes need to be updated to both use an FQDN. Please follow the below KB to update these attributes:

How to change the ADS Endpoints hostname and/or clear the failover list of DCs when a DC is decommissioned

This can also be done by opening Jxplorer and connect to the provisioning directory router through 20391. Navigate to:
eTADSDirectoryName=TestAD,eTNamespaceName=ActiveDirectory,dc=im,dc=eta

Review the eTADSprimaryServer and eTADSServerName update both these attributes to use the FQDN. Cycle the IMPS and then update the password through Provisioning Manager. The password must be updated, it does not need to be changed but it will need to be reentered.

 

FQDN Requirement as stated by Microsoft:

https://docs.microsoft.com/en-us/powershell/module/exchange/enable-mailbox?view=exchange-ps

Additional Information

Error 52 under normal circumstances means that you are not able to connect to the destination and it is best to attempt to connect to the destination using an external source, in this case, we used PowerShell.

By using PowerShell on the Connector server machine to test the command being submitted. For example, the original command being sent in this KB was:
Enable-Mailbox -DomainController 10.10.100.10 -Identity 'User DN String' - Alias 'UserAlias'

and this displayed the same error message as what IDM/IMPS were displaying.

To fix the modification 
Enable-Mailbox -DomainController FQDN -Identity 'User DN String' - Alias 'UserAlias'
We were successfully able to create the mailbox.

To find this command within your logs:
set the ADS_AGENTLESS_LOGLEVEL environment variable on the CCS to level 2 > Cycle the connector server > Reproduce the issue
Navigate to CCS/logs/ADS/EndpointName.log 

Search for 'Enable-Mailbox'
This will display the actual command being executed to exchange. The '-DomainController' tag is not a part of the command in the logs as it is appended through the product. It will need to be added as shown in the above examples.