3 Replies Latest reply on Jan 17, 2011 4:33 AM by Namster

    HDLP 9.0.x "Active Directory is Unreachable" and cannot find forest: ' '

    Namster

      I have an ePO 4.5 MR3 server that is not joined to the domain. I just configured DLP on it and for the most part it works with the policies and such. I wanted to add some groups from AD to the rules to allow some access, but when I click on Add, a message pops up saying the AD is unreachable. Then I proceed to type in the forest name, my username and password, and nothing happens. I tried by IP address, short domain name, long DNS name, and nothing really works... sometimes it kicks back and errors out sooner than later.

       

      I look at the log file and it says cannot find forest: ' ' . I believe that between the single quotes is supposed to be the forest that I typed in.

       

      I think I might have a firewall blocking something. How come nothing is being logged into the log file as what I typed into the field?

       

      Can somebody help point me in the right direction? I can telnet to the IP address that I type into the forest at 389/88/445, etc. But yeah, I'm at a loss as to where to go right now.

       

      I know my current account can view all the objects in AD because I used the AD tools and I can view computers, OUs and users, etc.

       

      I created an LDAP connection to the server and tested it successfully. When I tried to do an AD import, it took a long time and timed out. Maybe that may also have something to do with it.

       

      What ports are required to make this work?

      What format should the forest and credentials be typed in?

      What else should I check?

        • 1. Re: HDLP 9.0.x "Active Directory is Unreachable" and cannot find forest: ' '

          Hi Namster

           

          Not quite sure what format you are using, but I have a server that is attached to the domain but is not using any AD credentials at the moment for ePO or DLP.

           

          When I get to enter the credentials, I use the below:

           

          forest.co.uk

          Username

          Password

           

          Also, something that may help you: if I put the wrong username or password in, I get the error cannot find forest: ' ', so not sure if that error is really worth chasing.

           

          I've not had a chance to check the connection information, but I assume that it will be 389 or maybe 636 for Secure LDAP.

           

          Regards,

           

          Ian H

          • 2. Re: HDLP 9.0.x "Active Directory is Unreachable" and cannot find forest: ' '
            Namster

            Thanks for your response, Ian. I have done some Wireshark testing and found that when I enter the credentials and click on OK, the ePO server makes a UDP port 139 request to find the forestname 1C name (NetBIOS domain name).

             

            So I worked out the lmhosts file in my etc folder to make the IP address of one of my DNS servers the 1C name. I then clicked OK again and it failed really quickly. In the Wireshark packet it said that I failed authentication. It also listed the root forest, as my current domain is one of the many domains. I don't have an account in the root forest.

             

            So I called someone who did have an account in the root forest. He entered the root forest name into his own LMHOSTS file, because he was having the exact same issue, and his credentials in the root forest. It cranked away and found the root forest and listed the OUs within. He could not traverse back into his domain from there to grab his groups/accounts.

             

            IMO, I really was hoping that this product would have grabbed users and groups the same way ePO did via LDAP.

            • 3. Re: HDLP 9.0.x "Active Directory is Unreachable" and cannot find forest: ' '
              Namster

              Problem has been resolved by accessing the DLP console not from the server but from a client accessing the ePO server via a web console and Internet Explorer. Apparently there are software restrictions on the server that prevent these comms.