Cisco ASA 5500-X Series Next-Generation Firewalls

Domain Controller Status Listed as Down in Active Directory Agent

Document ID: 113424

Updated: Jan 26, 2012

Contributed by Michael Robertson, Cisco TAC Engineer.

Introduction

This document describes how to identify and resolve a problem that occurs when you configure the Active Directory Agent software to interact with a Windows Domain Controller.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on the ASA Active Directory Software.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Problem

When you use the adacfg dc create command in order to install the Active Directory (AD) agent on a domain controller (DC) in your Windows domain, the connection status between the AD agent and the DC is listed as down.

Use the adacfg dc list command in order to view connection status:

C:\IBF\CLI>adacfg dc list
Name   Host/IP          Username        Domain-Name   Latest Status
----  -------------    -------------    -----------   -------------
dc    192.168.1.100    Administrator                  down

In addition, the adObserver log prints this error:

Mon Jan 23 08:24:23 2012: EXCEPTION OCCURED: .\DcMonitor.cpp:373 getDcVersion: Error with ConnectServer for DC: dc name: 192.168.1.100 hostname: 192.168.1.100 domain: mirober2.lab username: Administrator password: <hidden> Error code: 800706ba

Solution

When you add the AD agent to the DC, ensure that either the host name or the fully qualified domain name (FQDN) of the DC is used with the -host keyword.

Note: The DC IP address should not be used. An IP address is not a valid value for the -host keyword. Refer to the adacfg dc create section of the Installation and Setup Guide for the Active Directory Agent for more information.

When the DC is added correctly and visible to the AD Agent, the adacfg dc list command shows the status of the DC as up:

C:\IBF\CLI>adacfg dc list
Name     Host/IP          Username        Domain-Name   Latest Status
----     ---------------  -------------   -----------   -------------
dc       dc.cisco.com     Administrator   CISCO         up

Note: Cisco Bug ID CSCto66192 has been opened as an enhancement request to allow an IP address as a valid value for the -host keyword.

Note: Currently, there are known issues when you use the DC host name. If you experience issues, use the FQDN, and then run the adacfg dc list command in order to check the status of the DC.
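
The check described in this section, as an added example that is not part of the original Cisco document: a Python parser for adacfg dc list output that flags any DC registered by IP address instead of host name or FQDN. The sample table is constructed in the layout shown above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the column layout of the `adacfg dc list` output above.
SAMPLE = r"""C:\IBF\CLI>adacfg dc list
Name     Host/IP          Username        Domain-Name   Latest Status
----     ---------------  -------------   -----------   -------------
dc       192.168.1.100    Administrator                 down
dc2      dc.cisco.com     Administrator   CISCO         up
"""

FIELDS = ("name", "host", "username", "domain", "status")

def parse_dc_list(text):
    """Return one dict per DC row, slicing columns at the dashed ruler's offsets."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    ruler = next((i for i, ln in enumerate(lines) if set(ln) <= {"-", " "}), None)
    if ruler is None:
        raise ValueError("no dashed ruler line found")
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    if len(starts) != len(FIELDS):
        raise ValueError("unexpected column count")
    bounds = list(zip(starts, starts[1:] + [None]))
    # Fixed offsets keep an empty Domain-Name column from shifting Latest Status.
    return [{f: ln[a:b].strip() for f, (a, b) in zip(FIELDS, bounds)}
            for ln in lines[ruler + 1:]]

def is_ip_literal(host):
    """True when the Host/IP value is an IPv4 or IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(rows):
    """Map DC name -> hint, following the guidance in the Solution section."""
    findings = {}
    for r in rows:
        if is_ip_literal(r["host"]):
            findings[r["name"]] = "IP address in -host: re-create with host name or FQDN"
        elif r["status"].lower() != "up":
            hint = "retry with the FQDN" if "." not in r["host"] else "cause outside this check"
            findings[r["name"]] = f"status {r['status']}: {hint}"
    return findings

if __name__ == "__main__":
    for name, msg in audit(parse_dc_list(SAMPLE)).items():
        print(f"{name}: {msg}")
```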
