Hi there, we have implemented LAPS successfully in a single domain TEST environment but have had issues when deploying to a forest.
I believe this is due to replication not working between the sub-domain and the root. Replication between DCs within the domain is fine.
So back to LAPS: I can see the entries for ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime within root and wondered if these could be exported and imported using ldifde.
Initial attempts to import give the following errors:
An error has occurred in the program
dn: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,Add error on entry starting on line 1: Unwilling To Perform
The server side error is: 0x20e7 The modification was not permitted for security reasons.
The extended server error is:
000020E7: SvcErr: DSID-03152D2E, problem 5003 (WILL_NOT_PERFORM), data 0
The exported LDIF file (domain names removed):
dn: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=<root>,DC=<com>
changetype: add
objectClass: top
objectClass: attributeSchema
cn: ms-Mcs-AdmPwd
distinguishedName: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=<root>,DC=<com>
instanceType: 4
whenCreated: 20190821125635.0Z
whenChanged: 20190821125635.0Z
uSNCreated: 61915468
attributeID: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
attributeSyntax: 2.5.5.5
isSingleValued: TRUE
uSNChanged: 61915468
showInAdvancedViewOnly: FALSE
adminDisplayName: ms-Mcs-AdmPwd
oMSyntax: 19
searchFlags: 904
lDAPDisplayName: ms-Mcs-AdmPwd
name: ms-Mcs-AdmPwd
objectGUID:: AaDqLmaexECT9ZzLgHJgkQ==
schemaIDGUID:: RXApA6jLI0OCu6BG7YcuzA==
systemOnly: FALSE
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=<root>,DC=<com>
dSCorePropagationData: 16010101000000.0Z
msDS-IntId: -1745476022
So, obviously, repair replication (not going to be easy), but if anyone could shed some light on importing the objects, it would be appreciated.
Thanks
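As an added example (not the poster's own script), this Python snippet unfolds an ldifde export like the one above and drops the attributes the directory assigns itself, which an LDIF add is not allowed to set; the SAMPLE input is constructed from the posted entry with DC=example,DC=com in place of the removed domain.

```python
# Added example, not from the original post: unfold an ldifde schema export and
# drop the attributes the directory assigns itself, which an LDIF "add" may not
# set. SAMPLE is a constructed copy of the posted entry (domain replaced).
SERVER_OWNED = {  # lower-cased attribute names; all appear in the export above
    "distinguishedname", "instancetype", "whencreated", "whenchanged",
    "usncreated", "usnchanged", "objectguid", "objectcategory",
    "dscorepropagationdata", "msds-intid", "name",
}

def unfold(ldif: str) -> list[str]:
    """Join LDIF continuation lines (leading space) onto the line before."""
    out: list[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def strip_server_owned(ldif: str) -> str:
    """Return the LDIF with server-owned attribute lines removed."""
    kept = [line for line in unfold(ldif)
            if line.split(":", 1)[0].strip().lower() not in SERVER_OWNED]
    return "\n".join(kept) + "\n"

SAMPLE = """dn: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: ms-Mcs-AdmPwd
distinguishedName: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=example,DC=com
instanceType: 4
whenCreated: 20190821125635.0Z
uSNCreated: 61915468
attributeID:
 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
attributeSyntax: 2.5.5.5
isSingleValued: TRUE
oMSyntax: 19
searchFlags: 904
lDAPDisplayName: ms-Mcs-AdmPwd
objectGUID:: AaDqLmaexECT9ZzLgHJgkQ==
schemaIDGUID:: RXApA6jLI0OCu6BG7YcuzA==
systemOnly: FALSE
msDS-IntId: -1745476022
"""

if __name__ == "__main__":
    print(strip_server_owned(SAMPLE), end="")
```

Schema objects live in the forest-wide schema partition, so even a cleaned file is applied against the schema master rather than a child-domain DC.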