Responding to analysis results

Depending on the type of warning or error generated in the Analysis Results, you might be able to take corrective action or access additional information by right-clicking a result, then selecting an appropriate action. For example, if a computer account lacks the permission required to update Active Directory with the operating system version currently installed, you can right-click the warning in the Analysis Results, then select Grant computer the rights to modify operating system properties.

If right-clicking a result does not provide a responsive action, you should use Access Manager or ADEdit to correct the issue.

The following table describes the warnings and errors you may see in the Analysis Results after running the Analyze wizard and how to resolve potential issues.

Each entry below gives the result first, followed by the responsive action.

If there are any computers joined to multiple zones, an error is displayed.

No responsive action can be taken directly within the Analysis Results for this issue.

In general, this issue only occurs if an administrator runs adleave with the --force option then runs adjoin to join the computer to a different domain without removing the old computer profile from Active Directory.

You should identify the appropriate zone for the computer, then use the Access Manager console to delete the computer profile from any additional zones.

If the parent-child relationship of any zones is circular, an error is displayed.

Break the circular relationship.

If there are any duplicate groups in a zone, a warning is displayed.

No responsive action can be taken directly within the Analysis Results for this issue.

In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate group profile to be added to a zone. For example, if two administrators add the same group to a zone using different domain controllers, there will be duplicate group profiles after the domain controllers complete replication.

You should use the Access Manager console or ADSI Editor to delete the duplicate group profiles from the zone.

If any duplicate service principal names (SPNs) are found for users or computers in the forest, a warning is displayed.

No responsive action can be taken directly within the Analysis Results for this issue.

Right-click the warning and click Properties to identify the duplicate SPN. Open the account properties for the user or computer and modify or remove the duplicate servicePrincipalName value.

Alternatively, run the adjoin command with the -d or --forceDeleteObjWithDupSpn option. See the adjoin man page for additional information.

If there are any duplicate users in a zone, a warning is displayed.

No responsive action can be taken directly within the Analysis Results for this issue.

In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate user profile to be added to a zone. For example, if two administrators add the same user to a zone using different domain controllers, there will be duplicate user profiles after the domain controllers complete replication.

You should use the Access Manager console or ADSI Editor to delete the duplicate user profiles from the zone.

If more than one Centrify SFU zone is found in the forest, a warning is displayed.

No responsive action can be taken directly within the Analysis Results for this issue.

Because an SFU zone is associated with an Active Directory SFU schema extension, there should be a maximum of one SFU zone in an Active Directory forest. In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate SFU zone.

You should use the Access Manager console or ADSI Editor to delete any duplicate SFU zones.

If a duplicate default parent container for zones is found, a warning is displayed.

No responsive action can be taken directly within the Analysis Results for this issue.

In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate default container for new zones. Having more than one default parent container for zones can result in an unexpected default value in the Create New Zone wizard.

You should use the ADSI Editor to delete any duplicate Zones parent containers from the forest.

If a computer role does not have any member computers or role assignments, a warning is displayed.

If the computer role has no member computers, right-click the warning in the Analysis Results, then select Add computers to add computers, or Delete Computer Role to remove the computer role. If a computer role has computer members but no role assignments, the only available response from the Analysis Results zone is to delete the computer role. You can, however, select the computer role in the Console, and add role assignments to its Role Assignments node.

If a user or group profile has been added to a zone but has no attributes defined, an error message is displayed.

Right-click the warning in the Analysis Results, then select Delete empty profile to delete the profile from the zone, or Modify profile to define one or more attributes for the user or group.

If any zone does not contain users, groups, or computers, a warning is displayed for each type of object. For example, if a zone has computers and groups, but no users, only the user warning is displayed for that zone.

No responsive action can be taken directly within the Analysis Results for these issues.

In general, this issue occurs early in a deployment before you have populated zones.

You should use the Access Manager console to add missing objects to the zone. If the empty zone is not a valid zone, right-click the zone and select Delete.

If one or more secondary profiles are found for a user but no primary profile is found, a warning message is displayed.

Right-click the warning in the Analysis Results, then select Promote secondary profile to primary to select a secondary profile you want to make the primary profile for the user.

If a user’s UNIX profile is incomplete in the entire zone hierarchy, a warning message is displayed.

Right-click the warning in the Analysis Results, then select Modify zone profile to define additional attributes to complete the user’s profile.

If the Active Directory group zone_nis_servers is not found in a zone configured for agentless authentication, an error is displayed.

Right-click the error in the Analysis Results, then select Create NIS servers group to create the zone_nis_servers group for agentless authentication. Note that your account must have permission to create this object for the operation to be successful.

If the membership of the zone_nis_servers group is not consistent with the computers authorized as NIS servers, a “Membership inconsistent” error is displayed.

Right-click the error in the Analysis Results, then select Fix group membership to modify the membership list for the zone_nis_servers group.

If a zone is configured to support agentless authentication and the zone_nis_servers group exists but does not contain all computers in the zone, an informational alert is displayed.

No responsive action can be taken directly within the Analysis Results for these issues.

You should verify that all of the computers you want to use as NIS servers in the zone are configured to allow agentless authentication.

If there is a discrepancy between the DNS name in AD and the Centrify computer profile name, a warning message is displayed.

Right-click the error in the Analysis Results, then select Fix group membership to

If a computer account does not have permission to write to the keywords attribute, an error is displayed.

Right-click the error in the Analysis Results, then select Grant permission to computer account to update the permissions on the computer account object.

If a computer account does not have permission to modify operating system properties, a warning is displayed.

Right-click the error in the Analysis Results, then select Grant computer permission to modify operating system properties to update the permissions on the computer account object.

If a right for a role is invalid, a warning message is displayed.

Right-click the error in the Analysis Results, then select Delete Right to delete the right from the role.

If a role assignment is invalid, a warning message is displayed.

 

If multiple roles are assigned to a user, a warning message is displayed.

 

If a child zone has an invalid parent zone, an error message is displayed.

 

If an object has no parent object, a warning message is displayed.

 

If a restricted-shell role is assigned a right that cannot be run in a restricted shell, a warning message is displayed.

Right-click the error in the Analysis Results, then select Delete Commands to remove the commands from the role, or select Allow running in restricted role to allow running the command in the restricted role.

If a zone was created using the version 2.x console and includes a Private Groups container, a warning is displayed.

If any computers in the zone are running version 2.x or 3.x agents, you should ignore this warning to ensure compatibility for those agents.

If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove privateGroupCreation attribute to update the zone format.

If a computer profile was created using the version 2.x console, the warning “Unix computer is in old format” is displayed.

If any computers in the zone are running version 2.x or 3.x agents, you should ignore this warning to ensure compatibility for those agents.

If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove managedBy and unix_enabled attribute to update the computer profile in the zone.

If a group profile was created using the version 2.x console, the warning “Unix group is in old format” is displayed.

If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove managedBy attribute to update the group profile in the zone.

If a user profile was created using the version 2.x console, the warning “Unix user is in old format” is displayed.

If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove managedBy and app_enabled attribute to update the user profile in the zone.

If a computer, group, or user profile exists, but no corresponding Active Directory computer, group, or user object is found, the warning “Orphan UNIX data object” is displayed.

In general, this issue occurs if an administrator removes an Active Directory computer, group, or user object manually using ADSI Editor or Active Directory Users and Computers but the corresponding data is not removed for the UNIX profile.

Right-click the warning in the Analysis Results, then select Remove orphan profile to remove all of the UNIX properties associated with the orphan profile.

If a computer, group, or user profile has inconsistent links, an informational “Inconsistent links” alert is displayed.

Computer, group, and user profiles are associated with Active Directory computer, group, and user objects through either the managedBy attribute (agent version 2.x) or a parentLink value in the keywords attribute (agent version 3.x and later). If the links refer to different Active Directory objects, you will see this alert.

Right-click the alert in the Analysis Results, then select Overwrite with the active link to remove outdated links.

If a computer, group, or user profile does not have a parentLink value defined, a “Missing parentLink” warning is displayed.

Right-click the warning in the Analysis Results, then select Missing parentLink to add the parentLink value to the keywords attribute.

If the parent container for a zone is another zone object, an error is displayed.

No responsive action can be taken directly within the Analysis Results for these issues.

You should move the zone to another parent container or delete and recreate the zone in a different location.

The computer ObjectName contains Centrify information but it is not in a zone.

Right-click the warning in the Analysis Results, then select Move to Zone to search for and select the zone you want to place the computer in.