OCS Edge Service Account - Can it be a domain account

  • Question

  • My question is: when activating an edge server can you use a domain service account?


    In a lab I have tried but am getting the error message: "The account name or the password is wrong. Try again."

    This is using an existing account.


    For a new account I get "Failure. 0x8007089A The specified username is invalid."


    Where I am working there is an isolated domain for perimeter servers. The driver behind it is to help with the administration of servers and apply group policies etc etc.


    Thanks for any help


    Regards

    Alistair


    Thursday, October 9, 2008 3:23 PM

Answers

  • I have had a response back from MS


    "No, you cannot use a domain account for Edge services."


    If I hear why, I will post it up.


    Wednesday, October 29, 2008 10:19 AM

All replies

  • What are you using the domain account for?  If you are talking about the service account, then the default behavior would be to use a local user account (e.g. .\RTCProxyService).  Are you using the DOMAIN\account context when referencing the account?


    Wednesday, October 15, 2008 7:49 PM
    Moderator
  • Thanks for the reply - I have tried domain\account and account@fqdn


    Thursday, October 16, 2008 10:19 AM
  • Just to clarify, I'm sure there is no OCS-specific restriction on using domain accounts with the services.  By that statement I'm betting they are saying that you shouldn't use accounts from the same domain that the internal OCS servers are a member of. The configuration required to allow for authentication from an Edge server in the Perimeter network to the internal network's DC/GC server would go against the security recommendations (and purpose of) the Edge server.


    But if you have a perimeter network that has its own forest (which is commonly used for simplified management in large DMZs) then a domain account in that forest's domain could be used to run as service accounts.


    That said, ideally the default behavior should be used for the Edge services.

    Friday, November 14, 2008 7:24 PM
    Moderator
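One way to check which side of that boundary an Edge server's services actually sit on, as an added example that is not from this thread or from Microsoft: it lists the account each service runs under and flags any that belongs to the internal forest rather than the local machine or the perimeter forest. The 'RTC*' service-name prefix and the internal domain names are assumptions/placeholders; run it as an administrator on the Edge server itself.

```powershell
# Added example, not from this thread. Reports the account each OCS service runs
# under and flags accounts from the internal forest on a perimeter host.
# The 'RTC' prefix and the domain names below are assumptions/placeholders.
function Get-EdgeServiceAccountReport {
    param(
        [string[]]$InternalDomains = @('CORP', 'corp.example.com'), # placeholders
        [string]$ServiceFilter = 'RTC*'                             # assumed OCS naming
    )
    # Scopes that mean "local machine account", the default Edge behaviour
    $localScopes = @('.', $env:COMPUTERNAME, 'NT AUTHORITY', 'NT SERVICE')

    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.Name -like $ServiceFilter } |
        ForEach-Object {
            $account = $_.StartName
            # StartName forms: 'LocalSystem', '.\user', 'DOMAIN\user', 'user@dns.domain'
            if (-not $account -or $account -eq 'LocalSystem') {
                $scope = 'LocalSystem'
            } elseif ($account -match '^(?<dom>[^\\]+)\\') {
                $scope = if ($localScopes -contains $Matches.dom) { 'Local' } else { $Matches.dom }
            } elseif ($account -match '^[^@]+@(?<dom>.+)$') {
                $scope = $Matches.dom
            } else {
                $scope = 'Unknown'
            }

            # An internal-forest account implies the Edge host authenticates to an
            # internal DC/GC, which is what the perimeter design is meant to avoid.
            if ($InternalDomains -contains $scope) {
                $assessment = 'REVIEW: internal-forest account on a perimeter host'
            } elseif (@('Local', 'LocalSystem') -contains $scope) {
                $assessment = 'ok: local account (default Edge behaviour)'
            } else {
                $assessment = 'check: account from another (perimeter?) domain'
            }

            [pscustomobject]@{
                Service    = $_.Name
                Account    = $account
                Scope      = $scope
                Assessment = $assessment
            }
        }
}

Get-EdgeServiceAccountReport | Format-Table -AutoSize
```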
  • Thanks for the reply - there would appear to be a restriction on using a domain account and this is the response I have had back from MS.

    Also in my lab testing I have not been able to get the system to take a domain account.


    Yes our DMZ had its own forest as it is quite large.


    Alistair


    Monday, November 17, 2008 8:23 AM