bostjanc

Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server

After upgrading EPO from 4.6 to 5.0.1, AD sync isn't working anymore.

The error message is:

Synchronization point My Organization failed to connect to active directory server

but there's no extra information about what the reason is. How can I get more error details from the logs?

55 Replies
bostjanc

Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server

Orion.log does not give me any useful information:

2013-08-30 17:04:06,976 ERROR [mfs:pool-2-thread-4] command.SyncDomainADCommand  - SyncDomainADCommand failed, 0 succeeded, 1 failed
2013-08-30 17:04:06,994 ERROR [mfs:pool-2-thread-4] service.ScheduledTaskManagerImpl  - execution of task Active Directory/NT Domain Synchronization failed
com.mcafee.orion.core.cmd.CommandException: Error, all sync points failed to synchronize
    at com.mcafee.epo.computermgmt.ui.command.SyncDomainADCommand.invoke(SyncDomainADCommand.java:426)
    at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1246)
    at com.mcafee.orion.core.cmd.CommandInvoker.invokeCommand(CommandInvoker.java:987)
    at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:956)
    at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:933)
    at com.mcafee.orion.scheduler.chainable.Chain.invokeChain(Chain.java:431)
    at com.mcafee.orion.scheduler.chainable.Chain.invokeChain(Chain.java:382)
    at com.mcafee.orion.scheduler.chainable.Chain.invoke(Chain.java:63)
    at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1246)
    at com.mcafee.orion.scheduler.service.ScheduledTaskManagerImpl.runTask(ScheduledTaskManagerImpl.java:1468)
    at com.mcafee.orion.scheduler.service.ScheduledTaskManagerImpl.runValidatedTaskInvocation(ScheduledTaskManagerImpl.java:1446)
    at com.mcafee.orion.scheduler.service.ScheduledTaskManagerImpl.execute(ScheduledTaskManagerImpl.java:1245)
    at com.mcafee.orion.task.queue.TaskQueueEngine.runTask(TaskQueueEngine.java:806)
    at com.mcafee.orion.task.queue.TaskQueueEngine.runTask(TaskQueueEngine.java:788)
    at com.mcafee.orion.task.queue.TaskQueueEngine.access$800(TaskQueueEngine.java:41)
    at com.mcafee.orion.task.queue.TaskQueueEngine$3.run(TaskQueueEngine.java:757)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:722)

mshah

Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server

Hi,

Can you enable debug logging for orion.log and collect the log after reproducing the issue? You can refer to the steps below to enable the orion debug level:

1. Using a text editor, open the Log-Config.xml file, located at:

C:\PROGRAMFILES\McAfee\ePolicyOrchestrator\Server\conf\orion

2. In the following line of text, replace "warn" with "info" or "debug":

<root><priority value ="warn"/><appender-ref ref="ROLLING" /><appender-ref ref="STDOUT"/></root>

Use debug only when troubleshooting for a short time. Setting the priority value to debug causes the old log files to be deleted frequently.

3. Save and close the file.

Tomcat automatically adjusts the log level when the ePolicy Orchestrator Application Server services restart.

bostjanc

Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server

Thank you for your reply.

I didn't quite understand whether or not I need to restart the EPO Application Server services after changing the "log-type"?

With best regards

mshah

Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server

1. Stop the ePO Application Server service

2. Open the Log-Config.xml file using Notepad

3. Replace warn with debug in the following line:

<root><priority value ="warn"/><appender-ref ref="ROLLING" /><appender-ref ref="STDOUT"/></root>

4. Start the ePO Application Server service

5. Log into the ePO console

6. Run the AD Sync task; if it fails, collect orion.log

The default location of orion.log is: C:\PROGRAMFILES\McAfee\ePolicyOrchestrator\Server\Logs


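The edit both posts above describe is a one-attribute change in Log-Config.xml, and it is easy to forget to set it back to warn afterwards. The following is an added example (not part of this thread, and not McAfee code) that reads and rewrites the <root><priority> value with a validated level; the sample config is constructed from the <root> element quoted above, assuming a log4j 1.x style layout for the rest of the file.

```python
import xml.etree.ElementTree as ET

LOG4J_NS = "http://jakarta.apache.org/log4j/"
ET.register_namespace("log4j", LOG4J_NS)  # keep the prefix on serialisation

# Constructed stand-in for Log-Config.xml, modelled on the <root> element
# quoted in the thread; the real file shipped with ePO may contain more.
SAMPLE_LOG_CONFIG = (
    '<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">'
    '<appender name="ROLLING" class="org.apache.log4j.RollingFileAppender"/>'
    '<appender name="STDOUT" class="org.apache.log4j.ConsoleAppender"/>'
    '<root><priority value ="warn"/><appender-ref ref="ROLLING" />'
    '<appender-ref ref="STDOUT"/></root>'
    '</log4j:configuration>'
)

# Only the three levels the thread mentions; debug is meant for a short
# troubleshooting window because it rolls the log files over much faster.
ALLOWED_LEVELS = ("warn", "info", "debug")


def get_root_priority(xml_text):
    """Return the current value of <root><priority value="..."/>."""
    prio = ET.fromstring(xml_text).find("./root/priority")
    if prio is None:
        raise ValueError("no <root><priority> element in Log-Config.xml")
    return prio.get("value")


def set_root_priority(xml_text, level):
    """Return a copy of the config text with the root priority set to level."""
    if level not in ALLOWED_LEVELS:
        raise ValueError("level must be one of %s" % (ALLOWED_LEVELS,))
    tree = ET.fromstring(xml_text)
    prio = tree.find("./root/priority")
    if prio is None:
        raise ValueError("no <root><priority> element in Log-Config.xml")
    prio.set("value", level)
    return ET.tostring(tree, encoding="unicode")


if __name__ == "__main__":
    debug_cfg = set_root_priority(SAMPLE_LOG_CONFIG, "debug")
    print(get_root_priority(SAMPLE_LOG_CONFIG), "->", get_root_priority(debug_cfg))
```

Running set_root_priority a second time with "warn" on the debug copy restores the original level once the orion.log you need has been collected.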
bostjanc

Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server

I have done the steps you mentioned.

Here is the orion.log output.

https://skydrive.live.com/redir?resid=F2036D479EC1756D!242&authkey=!APz9tEasVX8mfMU

Are you able to see anything useful about why AD sync isn't working?

With best regards,

mshah

Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server

Thanks for sharing the log.

This is the error I can see from the log:

2013-09-03 10:46:40,426 DEBUG [mfs:pool-2-thread-4] services.EPOMultiPointADServices  - Failed to connect to AD
2013-09-03 10:46:40,426 DEBUG [mfs:pool-2-thread-4] services.EPOMultiPointADServices  - Failed to connect to AD, exception: com.mcafee.epo.core.EpoConnectException: Failed to connect to active directory server SERVERNAME.DOMAIN.local on port 389, user: DOMAIN\administrator, possible bad server name, user name, or password
com.mcafee.epo.core.EpoConnectException: Failed to connect to active directory server SERVERNAME.DOMAIN.local on port 389, user: DOMAIN\administrator, possible bad server name, user name, or password

According to the above error, it seems the ePO server is not able to connect to the registered AD server; it might be due to incorrect credentials or to port 389. So you can proceed as below:

1. Log into the ePO console

2. Go to Menu > Configuration > Registered Servers

3. Select the registered AD server and click Actions > Edit > Next

4. Check whether the configuration is correct; if yes, check the "Change password" box and provide the correct credentials

5. Test the connection; if it is successful, save it

6. Try running the AD Sync task; if it still fails, go to the Registered Server settings page and try checking/unchecking the "Use SSL" option

If the issue still persists, there could be some issue with the LDAP port configured, and you can log a ticket with McAfee support.

You may also refer to article KB68012: http://kc.mcafee.com/corporate/index?page=content&id=KB68012


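Once debug logging is on, the useful part of orion.log is the EpoConnectException text quoted above, which names the AD server, the port and the account that failed to bind. The following is an added example (not from this thread or from McAfee) that parses orion.log records and pulls those fields out of every AD connect failure, so the failing target can be checked against the Registered Server settings; the log excerpt is constructed from the lines quoted above, with placeholder host and account names.

```python
import re

# Constructed orion.log excerpt modelled on the lines quoted in this thread;
# SERVERNAME.DOMAIN.local and DOMAIN\administrator are placeholders.
SAMPLE_ORION_LOG = r"""2013-09-03 10:46:40,426 DEBUG [mfs:pool-2-thread-4] services.EPOMultiPointADServices  - Failed to connect to AD
2013-09-03 10:46:40,426 DEBUG [mfs:pool-2-thread-4] services.EPOMultiPointADServices  - Failed to connect to AD, exception: com.mcafee.epo.core.EpoConnectException: Failed to connect to active directory server SERVERNAME.DOMAIN.local on port 389, user: DOMAIN\administrator, possible bad server name, user name, or password
2013-09-03 10:46:41,030 ERROR [mfs:pool-2-thread-4] command.SyncDomainADCommand  - SyncDomainADCommand failed, 0 succeeded, 1 failed
"""

# One orion.log record: timestamp, level, [thread], logger, " - ", message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+)\s+- (?P<msg>.*)$"
)
# The EpoConnectException wording shown once debug logging is enabled.
CONNECT_RE = re.compile(
    r"Failed to connect to active directory server (?P<server>\S+) on port "
    r"(?P<port>\d+), user: (?P<user>.+?), possible bad"
)
# Well-known AD LDAP ports; anything else deserves a second look.
LDAP_PORTS = {389: "ldap", 636: "ldaps", 3268: "gc", 3269: "gc-ssl"}


def parse_orion_line(line):
    """Split one orion.log line into its fields, or None if it is not a record."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def ad_connect_failures(log_text):
    """Return server/port/user for every AD connect failure found in log_text."""
    failures = []
    for line in log_text.splitlines():
        rec = parse_orion_line(line)
        if rec is None:
            continue  # continuation lines, stack frames, etc.
        m = CONNECT_RE.search(rec["msg"])
        if m is None:
            continue
        port = int(m.group("port"))
        failures.append({
            "timestamp": rec["ts"],
            "server": m.group("server"),
            "port": port,
            "user": m.group("user"),
            "protocol": LDAP_PORTS.get(port, "non-standard"),
        })
    return failures
```

Point ad_connect_failures at the contents of the orion.log collected after a failed sync; each entry tells you exactly which server, port and account to verify under Registered Servers.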
bostjanc

Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server

First of all Manish KS, thank you for your reply.

I have done/tried/configured all the possibilities, but unfortunately sync still isn't working.

I even opened a case with the McAfee support team, where they are convincing me this must be network related.

They assume we need to ENABLE network discovery on the domain controller (where EPO is installed), but I don't think that's the reason, because SYNC was working before the upgrade on a lower version and there were no changes on our network between that time.

I believe it must be a bug or a different behaviour in the newer version. Let me clarify something about the differences and changes which I see were made between EPO 4.5, 4.6 and EPO 5.0.1.

In previous versions of EPO (4.5 and 4.6) you had, under System Tree/My Organization/Sync, two options:

Use registered LDAP server

and: USE A SPECIFIC AD SERVER!

We didn't use any REGISTERED LDAP SERVERS in the previous version, we used the second option: USE A SPECIFIC AD SERVER, and it worked like a charm!

old.png

Now in the new version that option isn't there anymore.

You are still able to choose USE REGISTERED LDAP SERVER, but now instead of USE A SPECIFIC AD SERVER you have: use DOMAIN

new.png

After the EPO upgrade from 4.6 to 5.0.1, of course under that 2nd option stayed the FQDN of our server, which was configured in the previous version.

But putting the FQDN in that window just does not work anymore, because you receive the error message Could not locate DNS server (which is, by the way, on the same DC where EPO is installed).

new3.png

So obviously we need to type the domain here and not use the FQDN of the server anymore.

Ok, what's even more interesting: now when you wish to type a domain here, which would be in our case DOMAIN.LOCAL, well, EPO 5.0.1 just doesn't like that.

You must type just DOMAIN, without the word LOCAL, otherwise you will receive the same error about not finding the DNS SERVER AGAIN.

Ok, so let's just type DOMAIN to satisfy EPO.

new4.png

new5.png

After you type under Use domain only DOMAIN (without any LOCAL), that ugly DNS server error message disappears; then you also fill in the other windows: Domain, User Name, Enter Password. You are able to click ADD ROOT, and DC=domain,DC=local will be visible there.

new6.png

But if you wish to click BROWSE instead of ADD ROOT, an error message appears:

new8.png

I found out that browse only works if you use: USE REGISTERED LDAP SERVER. Ok, we stick with ADD ROOT, save the settings and try to SYNC, and of course SYNC isn't working.

We went on to create REGISTERED LDAP SERVERS where we used:

SERVER NAME, with or without SSL turned on; the test connection shows the result: Successfully connected to the LDAP server:

REGISTER-version1.png

Or if we choose to create a registered LDAP server with: Domain name (with or without SSL), the test connection works ok.

REGISTER-version2.png

But after that, when we go back to set up the sync again:

new7.png

and choose a registered LDAP server (no matter if we had configured them previously with server name or domain name, with or without SSL) and fill in all the other windows, add a root and save the configuration, SYNC just does not work.

There must be some strange difference in behaviour between versions. If I refer to my 1st picture, they moved the option USE A SPECIFIC AD SERVER, which is what is causing SYNC to stop working. I think it must be some kind of a BUG! Damn! Sorry for the curses.

with best regards,

bostjanc

Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server

An update, even after enabling network discovery, the problem remains the same.

tkincher

Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server

Just to clarify, changing the log level in the log-config.xml does not require a server restart. It will pick up the changes shortly after the file is saved.
