South Africa Security and Compliance User Group

  • 1.  AD synch - SEP 12RU6Mp1a - not working correctly

    Posted Feb 17, 2016 01:50 AM

    Hi All,

    We have synched AD with our SEPM. A day ago, we noticed that the AD synch for the entire domain does work and we get an LDAP error.

    The weird thing is that we are able to start a synch on a single OU and it works, but when you try doing it for the entire domain we receive an error message?

    Any ideas - we don't want to disconnect the AD synch as we don't know what will happen.....



  • 2.  RE: AD synch - SEP 12RU6Mp1a - not working correctly

    Posted Feb 17, 2016 01:56 AM

    Error msg:

    LDAP Query For All Failed [path=LDAPS://1x.x.x.x:636, baseDn=DC=xxx,DC=xxv,DC=za, filter=] (error code:33, 0x21)  [Site: xxxx]  [Server: xxxxx]



  • 3.  RE: AD synch - SEP 12RU6Mp1a - not working correctly

    Posted Feb 17, 2016 04:28 AM

    Does anything show up in scm-server0.log? Enable the logging to FINEST and post the logs.

    You need to enable the logging by adding a line under etc\conf.properties, the value being scm.log.loglevel=finest.



  • 4.  RE: AD synch - SEP 12RU6Mp1a - not working correctly

    Posted Feb 17, 2016 04:46 AM

    Will check and let you know.



  • 5.  RE: AD synch - SEP 12RU6Mp1a - not working correctly

    Posted Feb 17, 2016 05:15 AM

    Sounds more like a permission issue. Have you tried to delete the OU and re-add them?



  • 6.  RE: AD synch - SEP 12RU6Mp1a - not working correctly

    Posted Feb 17, 2016 07:39 AM

    If you disconnect AD sync then all clients go to the Default group.

    Does the error come up when the sync happens automatically?

     



  • 7.  RE: AD synch - SEP 12RU6Mp1a - not working correctly

    Posted Feb 17, 2016 10:59 AM

    016-02-17 12:32:50.966 THREAD 172 SEVERE: Symantec Endpoint Protection Manager could not connect to the
    target directory server. Check the directory server configuration,
    and try again.
    com.sygate.scm.server.util.ServerException: Symantec Endpoint Protection Manager could not connect to the
    target directory server. Check the directory server configuration,
    and try again.
        at com.sygate.scm.server.util.ldap.LdapManager.login(LdapManager.java:487)
        at com.sygate.scm.server.util.ldap.LdapManager.login(LdapManager.java:396)
        at com.sygate.scm.server.util.ldap.LdapManager.doTestConnection(LdapManager.java:341)
        at com.sygate.scm.server.util.NativeCall.testLdapServerConnection(NativeCall.java:310)
        at com.sygate.scm.server.consolemanager.requesthandler.ConnectDirectoryServerHandler.handleRequest(ConnectDirectoryServerHandler.java:76)
        at com.sygate.scm.server.consolemanager.RequestHandler.handleRequest(RequestHandler.java:521)
        at com.sygate.scm.server.consolemanager.RequestHandler.<init>(RequestHandler.java:155)
        at com.sygate.scm.server.servlet.ConsoleServlet.doPost(ConsoleServlet.java:128)
        at com.sygate.scm.server.servlet.ConsoleServlet.doGet(ConsoleServlet.java:67)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at com.sygate.scm.pool.HttpResponseFilters.doFilter(HttpResponseFilters.java:82)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at com.sygate.scm.server.servlet.ConsoleFilter.doFilter(ConsoleFilter.java:84)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2466)
        at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2455)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
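
An added example, not part of the original thread and not Symantec tooling: a small Python parser for the scm-server0.log layout shown in the post above. It keeps only SEVERE entries and their com.sygate frames, so the failing call can be read without the Tomcat and JDK frames. The sample log is constructed from that excerpt; the function names and the full four-digit-year entry header are assumptions.

```python
import re

# Constructed sample in the layout of the scm-server0.log excerpt posted above.
# Assumption: each entry starts with "YYYY-MM-DD hh:mm:ss.mmm THREAD n LEVEL:".
SAMPLE_LOG = """\
2016-02-17 12:32:50.966 THREAD 172 SEVERE: Symantec Endpoint Protection Manager could not connect to the
target directory server. Check the directory server configuration,
and try again.
com.sygate.scm.server.util.ServerException: Symantec Endpoint Protection Manager could not connect to the
target directory server. Check the directory server configuration,
and try again.
    at com.sygate.scm.server.util.ldap.LdapManager.login(LdapManager.java:487)
    at com.sygate.scm.server.util.ldap.LdapManager.doTestConnection(LdapManager.java:341)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
2016-02-17 12:33:01.120 THREAD 172 INFO: constructed filler entry
"""

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} [\d:.]+) THREAD (\d+) (\w+): (.*)$")
EXC = re.compile(r"^([\w.$]+(?:Exception|Error)): ")
FRAME = re.compile(r"^\s+at ([\w.$<>]+)\(")

def severe_entries(text, app_prefix="com.sygate."):
    """Return SEVERE entries: message, exception class, application frames only."""
    entries, cur = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:  # a new entry closes the previous one
            cur = None
            if head.group(3) == "SEVERE":
                cur = {"time": head.group(1), "thread": int(head.group(2)),
                       "message": head.group(4), "exception": None, "frames": []}
                entries.append(cur)
        elif cur is not None:
            frame, exc = FRAME.match(line), EXC.match(line)
            if frame:
                if frame.group(1).startswith(app_prefix):  # drop Tomcat/JDK frames
                    cur["frames"].append(".".join(frame.group(1).split(".")[-2:]))
            elif exc and cur["exception"] is None:
                cur["exception"] = exc.group(1)
            elif cur["exception"] is None:  # wrapped message line before the exception
                cur["message"] += " " + line.strip()
    return entries

def failing_call(entry):  # innermost application frame, i.e. the call that raised
    return entry["frames"][0] if entry["frames"] else None

if __name__ == "__main__":
    for e in severe_entries(SAMPLE_LOG):
        print(e["time"], e["exception"], "<-", " <- ".join(e["frames"]))
```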



  • 8.  RE: AD synch - SEP 12RU6Mp1a - not working correctly

    Posted Feb 17, 2016 11:03 AM

    Haven't seen it come up yet - nothing, but it does when you do it manually. Again, not sure why....but when you do a single AD OU it goes through fine.

    Can't disconnect the AD sync as we have 51000+- clients...can't afford to do that.

    Also, I tried to import the AD sync to another lab server with same SEP version that never had it before and we get the same error even before importing the OU domain. It comes back with can't find target server.

    I then configured the server settings using LDAP radio button, I enter credentials and all is ok until I start importing, it takes forever to display the AD tree and then when I select I get the error again....



  • 9.  RE: AD synch - SEP 12RU6Mp1a - not working correctly

    Posted Feb 17, 2016 11:09 AM

    Looks like the credentials that you have provided in the Admin-Servers-Edit server properties-> Active directory have changed or the credentials no longer have privilege to fetch details from AD. Please re-visit those settings.



  • 10.  RE: AD synch - SEP 12RU6Mp1a - not working correctly
    Best Answer

    Posted Feb 23, 2016 02:40 AM

    Somehow the AD team did "changes", don't know where and what, and it is working now. Thanks to all for your input.