55 Replies. Latest reply: Nov 22, 2013 9:58 AM by gdavid

    Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server

    bostjanc

      After upgrading EPO from 4.6 to 5.0.1, AD sync isn't working anymore.

      The error message is:

      Synchronization point My Organization failed to connect to active directory server

       

      but there's no extra information about the reason for it. How can I get more detailed log error information?

        • 1. Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server
          bostjanc

          Orion.log does not give me any good information:

           

          2013-08-30 17:04:06,976 ERROR [mfs:pool-2-thread-4] command.SyncDomainADCommand  - SyncDomainADCommand failed, 0 succeeded, 1 failed
          2013-08-30 17:04:06,994 ERROR [mfs:pool-2-thread-4] service.ScheduledTaskManagerImpl  - execution of task Active Directory/NT Domain Synchronization failed
          com.mcafee.orion.core.cmd.CommandException: Error, all sync points failed to synchronize
          at com.mcafee.epo.computermgmt.ui.command.SyncDomainADCommand.invoke(SyncDomainADCommand.java:426)
          at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1246)
          at com.mcafee.orion.core.cmd.CommandInvoker.invokeCommand(CommandInvoker.java:987)
          at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:956)
          at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:933)
          at com.mcafee.orion.scheduler.chainable.Chain.invokeChain(Chain.java:431)
          at com.mcafee.orion.scheduler.chainable.Chain.invokeChain(Chain.java:382)
          at com.mcafee.orion.scheduler.chainable.Chain.invoke(Chain.java:63)
          at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1246)
          at com.mcafee.orion.scheduler.service.ScheduledTaskManagerImpl.runTask(ScheduledTaskManagerImpl.java:1468)
          at com.mcafee.orion.scheduler.service.ScheduledTaskManagerImpl.runValidatedTaskInvocation(ScheduledTaskManagerImpl.java:1446)
          at com.mcafee.orion.scheduler.service.ScheduledTaskManagerImpl.execute(ScheduledTaskManagerImpl.java:1245)
          at com.mcafee.orion.task.queue.TaskQueueEngine.runTask(TaskQueueEngine.java:806)
          at com.mcafee.orion.task.queue.TaskQueueEngine.runTask(TaskQueueEngine.java:788)
          at com.mcafee.orion.task.queue.TaskQueueEngine.access$800(TaskQueueEngine.java:41)
          at com.mcafee.orion.task.queue.TaskQueueEngine$3.run(TaskQueueEngine.java:757)
          at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
          at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
          at java.util.concurrent.FutureTask.run(FutureTask.java:166)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
          at java.lang.Thread.run(Thread.java:722)

          • 2. Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server
            Manish KS

            Hi,

             

            Can you enable debug logging for orion.log and get this log after reproducing the issue? You may refer to the steps below to enable the orion debug level:

            1 Using a text editor, open the Log-Config.xml file, located at:

            C:\PROGRAMFILES\McAfee\ePolicyOrchestrator\Server\conf\orion

            2 In the following line of text, replace “warn” with “info” or “debug”:

            <root><priority value="warn"/><appender-ref ref="ROLLING"/><appender-ref ref="STDOUT"/></root>

            Use debug only when troubleshooting for a short time. Setting the priority value to debug causes the old log files to be deleted frequently.

            3 Save and close the file.

            Tomcat automatically adjusts the log level when the ePolicy Orchestrator Application Server services restart.

            • 3. Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server
              bostjanc

              Thank you for your reply.

              I didn't quite understand whether or not I need to restart the EPO Application Server services after changing the "log-type".

              With best regards

              • 4. Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server
                Manish KS

                1. Stop the ePO Application Server service

                2. Open the Log-Config.xml file using Notepad

                3. Replace warn with debug in the following line:

                <root><priority value="warn"/><appender-ref ref="ROLLING"/><appender-ref ref="STDOUT"/></root>

                4. Start the ePO Application Server service

                5. Log into the ePO console

                6. Run the AD Sync task; if it fails, collect orion.log

                The default location of orion.log is: C:\PROGRAMFILES\McAfee\ePolicyOrchestrator\Server\Logs


                • 5. Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server
                  bostjanc

                  I have done the steps you mentioned.

                  Here is the orion.log output.

                  https://skydrive.live.com/redir?resid=F2036D479EC1756D!242&authkey=!APz9tEasVX8mfMU

                  Are you able to see anything useful about why Sync AD isn't working?

                  With best regards,

                  • 6. Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server
                    Manish KS

                    Thanks for sharing the log.

                     

                    This is the error I can see from the log:

                     

                    2013-09-03 10:46:40,426 DEBUG [mfs:pool-2-thread-4] services.EPOMultiPointADServices  - Failed to connect to AD

                    2013-09-03 10:46:40,426 DEBUG [mfs:pool-2-thread-4] services.EPOMultiPointADServices  - Failed to connect to AD, exception: com.mcafee.epo.core.EpoConnectException: Failed to connect to active directory server SERVERNAME.DOMAIN.local on port 389, user: DOMAIN\administrator, possible bad server name, user name, or password

                    com.mcafee.epo.core.EpoConnectException: Failed to connect to active directory server SERVERNAME.DOMAIN.local on port 389, user: DOMAIN\administrator, possible bad server name, user name, or password

                     

                     

                    According to the above error, it seems the ePO server is not able to connect to the registered AD server; it might be due to incorrect credentials or due to port 389. So you can proceed as below:

                    1. Log into the ePO console

                    2. Go to Menu>Configuration>Registered Server

                    3. Select the registered AD server and click on Actions>Edit>Next

                    4. Check if the configuration is correct; if yes, check the box "Change password" and provide the correct credentials

                    5. Test the connection; if it is successful, save it

                    6. Try running the ADSync task; if it still fails, go to the Registered Server settings page and try checking/unchecking the "Use SSL" option

                    If the issue still persists, there could be some issue with the configured LDAP port, and you can log a ticket with McAfee support.

                    You may also refer to article KB68012: http://kc.mcafee.com/corporate/index?page=content&id=KB68012
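                    The EpoConnectException above folds three different failures (bad server name, closed or wrong port, rejected credentials) into one message. The following stdlib-only Python probe is an added diagnostic, not ePO's code and not from this thread: it performs the same single LDAP simple bind ePO attempts and reports which stage failed, with host, port, SSL flag and credentials supplied by the caller as assumptions.

```python
import socket, ssl

# LDAP resultCode values (RFC 4511) most relevant to a failed AD bind.
LDAP_RESULT = {0: "success", 8: "strongerAuthRequired", 13: "confidentialityRequired", 49: "invalidCredentials"}

def ber_len(n):
    if n < 128:  # short-form length; long form is 0x80|N followed by N length bytes
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(msg_id, name="", password=""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } using simple authentication."""
    bind = tlv(0x02, b"\x03") + tlv(0x04, name.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_response(buf):
    """Return (resultCode, diagnosticMessage) from a raw BindResponse [APPLICATION 1]."""
    _, msg, _ = read_tlv(buf)
    tag, body, _ = read_tlv(msg, read_tlv(msg)[2])  # skip the messageID element
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(body)      # resultCode ENUMERATED
    _, _, pos = read_tlv(body, pos)    # matchedDN
    _, diag, _ = read_tlv(body, pos)   # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def probe(host, port=389, use_ssl=False, user="", password="", timeout=5.0):
    """One simple bind, as ePO does; each failure stage yields its own verdict."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as e:
        return "DNS: cannot resolve %s (%s)" % (host, e)
    except OSError as e:
        return "TCP: %s:%d unreachable (%s)" % (host, port, e)
    if use_ssl:  # LDAPS: the DC certificate must chain to a CA this host trusts
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, user, password))
        code, diag = parse_bind_response(sock.recv(4096))
    return "LDAP: bind result %d (%s) %s" % (code, LDAP_RESULT.get(code, "other"), diag)
```

                    Called as probe("SERVERNAME.DOMAIN.local", 389, False, r"DOMAIN\administrator", "<password>") with the values from the log line, a "DNS:" or "TCP:" verdict means the registered server name or port is the problem, while an "LDAP:" verdict of invalidCredentials means the server is reachable and the account or password is wrong.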

                     

                     


                    • 7. Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server
                      bostjanc

                      First of all Manish KS, thank you for your reply.

                       

                      I have done/tried/configured all the possibilities, but unfortunately sync still isn't working.

                      I even opened a case with the McAfee support team, where they are convincing me this must be network related.

                      They assume we need to ENABLE network discovery on the domain controller (where EPO is installed), but I don't think that's the reason, because SYNC was working before the upgrade on a lower version and there were no changes on our network in that time.

                       

                       

                      I believe it must be a bug or a different behaviour in the newer version. Let me clarify something about the differences and changes which I see were made between EPO 4.5, 4.6 and EPO 5.0.1.

                       

                       

                      In previous versions of EPO (4.5 and 4.6) you had two options under System Tree/My Organization/Sync:

                      Use registered LDAP server

                      and: USE A SPECIFIC AD SERVER!

                      We didn't use any REGISTERED LDAP SERVERS in the previous version; we used the second option, USE A SPECIFIC AD SERVER, and it worked like a charm!

                      old.png

                       

                      Now in new version that option isn't there anymore.

                      You are still able to choose USE REGISTERED LDAP SERVER, but now instead of USE A SPECIFIC AD SERVER you have: use DOMAIN

                      new.png

                       

                      After the EPO upgrade from 4.6 to 5.0.1, of course, the FQDN of our server, which was configured in the previous version, stayed under that 2nd option.

                      But putting the FQDN in that window just does not work anymore, because you receive the error message Could not locate DNS server (which is, by the way, on the same DC where EPO is installed).

                      new3.png

                      So obviously we need to type the domain here and not use the FQDN of the server anymore.

                       

                      Ok, what's even more interesting now: when you wish to type a domain here, which in our case would be DOMAIN.LOCAL, well, EPO 5.0.1 just doesn't like that.

                      You must type just DOMAIN, without the word LOCAL, otherwise you will receive the same error about not finding the DNS SERVER AGAIN.

                      Ok, so let's just type DOMAIN to satisfy EPO.

                      new4.png

                       

                      new5.png

                       

                      After you type only DOMAIN (without any LOCAL) under Use domain, that ugly DNS server error message disappears; then you also fill in the other windows: Domain, User Name, Enter Password. You are able to click ADD ROOT, and DC=domain,DC=local will be visible there.

                      new6.png

                      But if you wish to click BROWSE instead of ADD ROOT an error message appears:

                      new8.png

                       

                      I found out that browse only works if you use: USE REGISTERED LDAP SERVER. Ok, we stick with ADD ROOT, save the settings and try to SYNC, and of course SYNC isn't working.

                      We went on to create REGISTERED LDAP SERVERS where we used:

                      SERVER NAME, with or without SSL turned on; the test connection shows the result: Successfully connected to the LDAP server:

                      REGISTER-version1.png

                      Or if we choose to create the registered LDAP server with: Domain name (with or without SSL), the test connection works ok.

                      REGISTER-version2.png

                       

                      But after that when we go back to set up the sync again:

                      new7.png

                       

                      and choose the registered LDAP server (no matter if we had configured it previously with server name or domain name, with or without SSL), fill in all the other windows, add a root and save the configuration, SYNC just does not work.

                      There must be some strange difference/behaviour between versions. If I refer to my 1st picture, where they moved the option USE A SPECIFIC AD SERVER, that is what is causing SYNC to stop working. I think it must be some kind of BUG! Damn! Sorry for the curses.

                      with best regards,

                      • 8. Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server
                        bostjanc

                        An update, even after enabling network discovery, the problem remains the same.

                        • 9. Re: Epo 5.0.1 - Synchronization point My Organization failed to connect to active directory server
                          deveras

                          I have the exact same problem. Currently working with support to find out what the issue is.
