cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Scott3
Level 7
Report Inappropriate Content
Message 1 of 12
‎02-05-2020 11:54 AM

Registered Servers => LDAP (Active Directory) Failing

When I try to add an LDAP server of type Active Directory, I get the following error message:

"Query returned no domain controller records. Verify that the server has at least one domain controller and the user has required permissions."

I have a sneaking suspicion this issue relates to bullet #1 below. Unfortunately, I cannot change this as security requires the ePO server not be joined to the domain.

There are a couple threads with this same error message and no resolutions. That doesn't bode well, but even if I knew why it didn't work, that would be helpful in determining if this is the right product/solution for our requirements:

  • ePO Server is not joined to a domain
  • I can ping the DC from the ePO server. The DC also resolves forward and backward from the ePO Server.
  • NIC settings has the domain listed in the suffix list.
  • domain\username has permission to query AD
  • Windows Authentication within Server Settings works just fine (meaning, I have my ePO account using Windows Authentication as the Authentication Type)
  • I've tried domain name and server name (also tried IP address of DC)
  • Use SSL is checked

Any insight would be greatly appreciated.

 

0 Kudos
Reply
11 Replies
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 12
‎02-05-2020 12:13 PM

Re: Registered Servers => LDAP (Active Directory) Failing

Does it work if you uncheck use ssl?  Is the domain controller using ldap channel binding?  Refer to KB92298.  Does the orion log show any connection failures?  Does the domain controller show any connection failures in event logs?

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
Scott3
Level 7
Report Inappropriate Content
Message 3 of 12
‎02-06-2020 08:19 AM

Re: Registered Servers => LDAP (Active Directory) Failing

I don't see any errors in the DC logs. My DCs require SSL. Unchecking the box gives a different error stating SSL is required. 

There are tons of logs for ePO.  I did find something something relevant in the orion.log file when I try to create the LDAP registered server:

WARN [http-nio-8007-exec-22] internal.LdapConnectionImpl - Unable to retrieve any records using query '(servicePrincipalName=*)'.

WARN [http-nio-8007-exec-22] ldap.LdapAction - com.mcaffeorion.ldap.ldapqueryexception: Query returned no domain controllers records. Verify that the server has at least one domain controller and the user had required permissions.

I receive this error each time I click the "Test Connection" button.

I searched the ePO forums for servicePrincipalName and got no relevant hits.

0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 12
‎02-06-2020 08:56 AM

Re: Registered Servers => LDAP (Active Directory) Failing

See if you can test with ldp.exe.

This has instructions (disregard that it is cisco)

https://www.cisco.com/c/en/us/support/docs/unified-communications/jabber/212109-How-to-Use-LDP-EXE-t...

and this is where you can get it from

https://support.microsoft.com/en-gb/help/2693643/remote-server-administration-tools-rsat-for-windows...

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
Scott3
Level 7
Report Inappropriate Content
Message 5 of 12
‎02-11-2020 10:22 AM

Re: Registered Servers => LDAP (Active Directory) Failing

Sorry for the delay ...

Yes, I'm able to connect, bind and query the domain/forest using LDP.exe without issue. For Base DN I used DC=<domain>, DC=<com>, for Filter I used (objectClass=*), Scope was set to One Level, and Attributes was set to *.

It returned all data.

0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 12
‎02-11-2020 10:42 AM

Re: Registered Servers => LDAP (Active Directory) Failing

What version of epo are you running and any updates installed?

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
Scott3
Level 7
Report Inappropriate Content
Message 7 of 12
‎02-11-2020 10:48 AM

Re: Registered Servers => LDAP (Active Directory) Failing

I'm running v5.9.1 (Build 251)

 

0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 12
‎02-11-2020 11:39 AM

Re: Registered Servers => LDAP (Active Directory) Failing

What do you get when you go through this?

https://support.microsoft.com/en-us/help/816587/how-to-verify-that-srv-dns-records-have-been-created...

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
Scott3
Level 7
Report Inappropriate Content
Message 9 of 12
‎02-11-2020 01:53 PM

Re: Registered Servers => LDAP (Active Directory) Failing

If I do it from a domain-joined system, it returns my three domain controllers.

If I do if from the non-domain-joined ePO server, it returns non-existent domain. I'm really beginning to think it has to do with the ePO server being a non-domain joined system (workgroup).

0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 10 of 12
‎02-11-2020 02:30 PM

Re: Registered Servers => LDAP (Active Directory) Failing

I have seen it work, but you may need to possibly put host file in for domain controller.  Not on the domain, there might not be dns resolution, even if you do have the dc in dns settings.  Does nslookup resolve the domain name?  If not, then try a host file for domain name as well as fqdn of domain controller.

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC