Active Directory Sync fails to Sync Computers from LDAP
Technical Articles ID: KB88882
Last Modified: 6/11/2019

Environment

McAfee ePolicy Orchestrator (ePO) 5.x

Problem

Active Directory (AD) Sync fails to connect to LDAP despite the following:
  • You can telnet and UDL test to AD without any issues.
  • Under the Registered Servers page, LDAP is registered successfully without any issue, and the Test connection is successful.
  • A third-party tool (such as LDAPAdmin) can display the entire AD structure from the McAfee ePO server using the same credentials used to register LDAP. This confirms that connectivity and authentication to LDAP are working.
  • Under the Group Details section of the System Tree page, you can browse the AD structure and manually add containers.

Orion.log records the following errors:

2016-12-22 11:28:10,698 INFO  [scheduler-TaskQueueEngine-thread-5] command.SyncDomainADCommand  - Syncing 1 groups
2016-12-22 11:28:10,711 DEBUG [scheduler-TaskQueueEngine-thread-5] services.EPOMultiPointADServices  - Connecting to AD
2016-12-22 11:28:10,732 DEBUG [scheduler-TaskQueueEngine-thread-5] services.EPOMultiPointADServices  - Failed to connect to AD
2016-12-22 11:28:10,733 DEBUG [scheduler-TaskQueueEngine-thread-5] services.EPOMultiPointADServices  - Failed to connect to AD, exception: com.mcafee.epo.core.EpoConnectException: Failed to connect to Active Directory server <Real_IP_Address> on port 389, user: Domain\AdminUser, possible bad server name, user name, or password
com.mcafee.epo.core.EpoConnectException: Failed to connect to Active Directory server <Real_IP_Address> on port 389, user: Domain\AdminUser, possible bad server name, user name, or password

    at com.mcafee.epo.core.services.EPOADServices.connect(EPOADServices.java:136)
    at com.mcafee.epo.computermgmt.services.EPOSyncAndImportServices.performADSync(EPOSyncAndImportServices.java:254)
    at com.mcafee.epo.computermgmt.ui.command.SyncDomainADCommand.invoke(SyncDomainADCommand.java:318)
    at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1312)
    at com.mcafee.orion.core.cmd.CommandInvoker.invokeCommand(CommandInvoker.java:1037)
    at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1006)
    at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:983)
    at com.mcafee.orion.scheduler.chainable.Chain.invokeChain(Chain.java:437)
    at com.mcafee.orion.scheduler.chainable.Chain.invokeChain(Chain.java:383)
    at com.mcafee.orion.scheduler.chainable.Chain.invoke(Chain.java:64)
    at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1312)
    at com.mcafee.orion.scheduler.service.ScheduledTaskManagerImpl.runTask(ScheduledTaskManagerImpl.java:1556)
    at com.mcafee.orion.scheduler.service.ScheduledTaskManagerImpl.runValidatedTaskInvocation(ScheduledTaskManagerImpl.java:1527)
    at com.mcafee.orion.scheduler.service.ScheduledTaskManagerImpl.runValidatedTaskInvocation(ScheduledTaskManagerImpl.java:1481)
    at com.mcafee.orion.scheduler.service.ScheduledTaskManagerImpl.execute(ScheduledTaskManagerImpl.java:1292)
    at com.mcafee.orion.task.queue.TaskQueueEngine.runTask(TaskQueueEngine.java:913)
    at com.mcafee.orion.task.queue.TaskQueueEngine.runTask(TaskQueueEngine.java:895)
    at com.mcafee.orion.task.queue.TaskQueueEngine.access$1000(TaskQueueEngine.java:50)
    at com.mcafee.orion.task.queue.TaskQueueEngine$3.run(TaskQueueEngine.java:864)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Problem

EpoApSvr_<server name>.log records the following errors:
 
E #06704  RMANJNI  ActiveDirectoryJNI.cpp(35): Failed to get the Primary Agent Handler Key.
E #06704 NAISIGN naisign.cpp(3036): Failed to decrypt buffer due to invalid parameters.
E #06704 EPOLDAP LDAPServer.cpp(131): Failed to decode and decrypt the LDAP server password
E #06704  EPOLDAP LdapAPI.cpp(244): Bind failed, error = Invalid Credentials (49), user <username>, server <IP Address>, port 389.

Cause

This issue occurs when Server.ini becomes corrupt. The cause of the corruption is unknown.

Sample of corrupted Server.ini:

[Server]
LastRegisteredServerName=Real_NetBIOS of ePO Server
LastRegisteredServerIPAddress=Real_IP of ePO Server
LastRegisteredServerDNSName=Real_FQDN of ePO Server
LastRegisteredServerID=1
HTTPPort=80
AgentHttpPort=8081
BroadcastPort=8082
CatalogVersion=20170220185919
EnableGlobalOneHourUpdate=0
GlobalUpdateRandomization=20


Sample of a correct Server.ini:

[Server]
Version=5.3.1.188
HTTPPort=80
AgentHttpPort=8081
IsAgentHandlerPrimary=1
FipsMode=0
SecureHttpPort=8443
BroadcastPort=8082
DataSource=EPO-SQL-REAL-SERVER-NAME,1433
UseNTLMv2=1
LastRegisteredServerName=Real_NetBIOS
LastRegisteredServerIPAddress=Real_IP_Address
LastRegisteredServerDNSName=Real_FQDN
LastRegisteredServerID=1
CatalogVersion=20170322191342
EnableGlobalOneHourUpdate=0
GlobalUpdateRandomization=20
[AuditPurgeInfo]
Enabled=no
Ceiling=800000
Frequency=5


NOTE: The default location for server.ini is C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\server.ini.

Solution

Recover an uncorrupted copy of server.ini. The following are four options you can use to recover the server.ini:

Option 1 - Recover from a previous Certificate Regeneration
If you have taken a backup of the ePO folders during a Certificate Regeneration at any time in the past, copy server.ini from that backup and replace the file in the ePO folders.
  1. Stop the ePO and Agent Handler services.
  2. Navigate to the ePO install folder (<ePO Install Folder>/DB).
  3. If server.ini exists, copy the file to the ePO install folder (<ePO Install Folder>/DB).
  4. Start the ePO and Agent Handler services.
  5. When the services have started, log on to the ePO console, select System Tree, and try an LDAP sync.

Option 2 - Edit the server.ini in the DB folder
If server.ini exists in the DB folder, it might be possible to edit the file and correct the issue.
  1. Stop the ePO and Agent Handler services.
  2. Navigate to the ePO install folder (<ePO Install Folder>/DB).
  3. If server.ini exists, make a backup copy of that file.
  4. Open server.ini in any editor and:
    • Ensure that the IsAgentHandlerPrimary key is present. If so, ensure that the value is 1.
    • If the IsAgentHandlerPrimary key is NOT present, add the following entry at the bottom of the file:

      IsAgentHandlerPrimary=1
       
  5. Start the ePO and Agent Handler services.
  6. When the services have started, log on to the ePO console, select System Tree, and try an LDAP sync.
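The check and edit that Option 2 describes, as an added PowerShell script that is not part of this KB or of McAfee's tooling. It assumes the default server.ini path from the NOTE above and the key set shown in the correct sample, and it expects the ePO and Agent Handler services to already be stopped before -Repair is used.

```powershell
# Added example, not part of the KB: validate the [Server] section of the ePO
# server.ini against the keys the KB's correct sample carries, and with -Repair
# back the file up and ensure IsAgentHandlerPrimary=1 (the KB's Option 2 edit).
# Run it with the ePO and Agent Handler services stopped, as the KB instructs.
param(
    [string]$Path = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\server.ini',
    [switch]$Repair
)

# Keys present in the KB's correct sample but absent from its corrupted sample.
$expectedKeys = 'Version','IsAgentHandlerPrimary','FipsMode','SecureHttpPort','DataSource','UseNTLMv2'

if (-not (Test-Path -LiteralPath $Path)) { throw "server.ini not found at $Path" }
$lines = Get-Content -LiteralPath $Path

# Collect [Server] key/value pairs (hashtable keys are case-insensitive).
$server = @{}; $section = ''
foreach ($line in $lines) {
    $t = $line.Trim()
    if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($section -eq 'Server' -and $t -match '^([^=;]+)=(.*)$') { $server[$Matches[1].Trim()] = $Matches[2].Trim() }
}
foreach ($k in ($expectedKeys | Where-Object { -not $server.ContainsKey($_) })) { Write-Warning "[Server] is missing key: $k" }

if ($server['IsAgentHandlerPrimary'] -eq '1') { Write-Host 'IsAgentHandlerPrimary=1 present; nothing to repair.'; return }
if (-not $Repair) { Write-Warning 'IsAgentHandlerPrimary is absent or not 1; rerun with -Repair to fix it.'; return }

# Back up first (KB Option 2, step 3), then rewrite the key in place or add it
# at the end of [Server]. The KB says "bottom of the file"; its corrupted sample
# has only a [Server] section, so that is the same spot, and this placement also
# stays correct if an [AuditPurgeInfo] section follows.
Copy-Item -LiteralPath $Path -Destination "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
$out = New-Object System.Collections.Generic.List[string]
$section = ''; $done = $false
foreach ($line in $lines) {
    $t = $line.Trim()
    if ($t -match '^\[(.+)\]$') {
        if ($section -eq 'Server' -and -not $done) { $out.Add('IsAgentHandlerPrimary=1'); $done = $true }
        $section = $Matches[1]
    } elseif ($section -eq 'Server' -and $t -match '^IsAgentHandlerPrimary\s*=') {
        $line = 'IsAgentHandlerPrimary=1'; $done = $true      # key present with a wrong value
    }
    $out.Add($line)
}
if (-not $done) { $out.Add('IsAgentHandlerPrimary=1') }       # [Server] was the last section
Set-Content -LiteralPath $Path -Value $out.ToArray()
Write-Host "Wrote IsAgentHandlerPrimary=1 to $Path (backup saved alongside it)."
```

Run it once without -Repair to see which keys from the correct sample are missing; the warnings tell you whether the file looks like the corrupted sample before you change anything.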
 
Option 3 - Recover by updating an old copy of server.ini
An old copy of server.ini can be updated using information from a Remote Agent Handler.
  1. Stop the ePO and Agent Handler services.
  2. Navigate to the ePO install folder (<ePO Install Folder>/DB).
  3. If server.ini exists, make a backup copy of that file.
  4. Open server.ini in any editor and:
    • Ensure that the IsAgentHandlerPrimary key is present. If so, ensure that the value is 1.
    • If the IsAgentHandlerPrimary key is NOT present, add the following entry at the bottom of the file:

      IsAgentHandlerPrimary=1
       
  5. Start the ePO and Agent Handler services.
  6. Install a second Agent Handler on a new computer and configure it to communicate with the same ePO server.
  7. Go to the Agent Handlers page and verify that the newly created Agent Handler is added in the list. If it is not, wait a few minutes and refresh the page.
  8. Stop the ePO, local Agent Handler, and the new Remote Agent Handler services.
  9. Navigate to the Remote Agent Handler install folder (<Remote Agent Handler install folder>/DB) and open the server.ini file in any editor.
  10. Copy all of the following entries into the server.ini file in the ePO install folder (<ePO Install Folder>/DB/server.ini) and save it:
[Server]
Version=5.3.1.188
HTTPPort=80
AgentHttpPort=8081
IsAgentHandlerPrimary=1
FipsMode=0
SecureHttpPort=8443
BroadcastPort=8082
DataSource=EPO-SQL-REAL-SERVER-NAME,1433
UseNTLMv2=1
LastRegisteredServerName=Real_NetBIOS
LastRegisteredServerIPAddress=Real_IP_Address
LastRegisteredServerDNSName=Real_FQDN
LastRegisteredServerID=1
CatalogVersion=20170322191342
EnableGlobalOneHourUpdate=0
GlobalUpdateRandomization=20

[AuditPurgeInfo]
Enabled=no
Ceiling=800000
Frequency=5
  11. Start the ePO, local Agent Handler, and Remote Agent Handler services.

    NOTE: If you do not want to keep the Remote Agent Handler, you can remove it through the Agent Handler UI page.
 
Option 4 - Disaster Recovery
If none of the previous options resolve the issue, or you are unable to perform the steps, you need to perform standard disaster recovery on the ePO server. See KB66616 for detailed steps to perform disaster recovery.