WSA join to AD but can't fetch AD group information

Hi,

I can join the WSA to AD, but it can't get AD-Groups.

The realm was created but group search found no records.

Do I need another procedure to join a W2012R2 domain?

AsyncOS Version: 8.5.1-021

Windows 2012 R2

Checking DNS resolution of WSA hostname(s)...
Success: Resolved 'mgmt_wsa1.xxx.local' address: x.x.x.115

Checking DNS resolution of Active Directory Server(s)...
Success: Resolved 'x.x.x.11' address: x.x.x.11
Success: Resolved 'x.x.x.12' address: x.x.x.12

Checking DNS resolution of AD Server(s)' full computer name(s)...
Success: Resolved 'SRVDC1.xxx.local' address: x.x.x.11
Success: Resolved 'SRVDC2.xxx.local' address: x.x.x.12

Validating configured Active Directory Domain...
Success: Active Directory Domain Name for 'x.x.x.11' : xxx.LOCAL
Success: Active Directory Domain Name for 'x.x.x.12' : xxx.LOCAL

Attempting to get TGT...
Success: Kerberos Tickets fetched from server 'x.x.x.11' :

Success: Kerberos Tickets fetched from server 'x.x.x.12' :


Checking local WSA time and server time difference...
Success: AD Server time and WSA time difference within tolerance limit
Success: AD Server time and WSA time difference within tolerance limit

Attempting to fetch AD group information...
Failure: Exception on query to server 'x.x.x.11', port 389 failed :
Exception('Inquiry timed out: auth failed: Windows 2008R2 or later requires a User account to create a data store, not a Computer account',)
Failure: Exception on query to server 'x.x.x.12', port 389 failed :
Exception('Inquiry timed out: auth failed: Windows 2008R2 or later requires a User account to create a data store, not a Computer account',)

Test completed: Errors occurred, see details above.

 

Thanks in advance.

Guido

Beginner

We have this identical problem too.

Any suggestions?

Thanks

 

Beginner

Had the same problem after joining the domain.

Just enter SSH, write reboot, then yes.

Took less than 5 minutes.

Mohamed Khetrish

Cisco Employee

Hi,

The issue you're experiencing is more than likely this bug:

CSCuu49739

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

Beginner

Hi Erik,

I've been facing this bug, which was also confirmed by Cisco, and I was given some alternatives to solve the problem:

- Wait for a new release

- Add groups manually (but it didn't work)

- Or downgrade, but we are using a KVM VM so we didn't find an older version (we are using version 8.6.0-025 on Virtual WSA S000)

 

Do you suggest another alternative?

 

Thank you

 

Beginner

Hi,

 

Could you please try to delete the AD realm and add it back again? If possible, test by adding only a single DC at a time.

 


Regards,

Kush

Cisco PDI TA

 

 

 

Beginner

Thanks Kush

We have rebooted the WSA and the problem has disappeared.

But it's the third time that we have needed to reboot it (for other reasons), and when we reboot it, we must switch it off and power it on again.

Daniele

Beginner

I have exactly the same issue.

AsyncOS Version: 8.7.0-172

Windows 2012 R2

I have an open case for that.

Did you fix it?

Beginner

Hi.

Rebooting the system fixes the problem... for a while... then it reappears after some time...

It's very annoying.

Please, Cisco, fix this issue.

Daniele

Beginner

Hello,

Upgrade the AsyncOS version to 8.5.2-024 or higher.

Then the account details you use to join the domain must be an admin account with the right privileges.

That was what worked for me.

Beginner

What is your Active Directory Windows version?

Beginner

2012 server 

Beginner

We are currently hosting multiple clients on one physical appliance and are still experiencing this, despite upgrading to 8.5.2-027.

 

This only seems to be affecting one of the domains on the appliance, however.

Someone has any news about

Does anyone have any news about the issue?

Cisco Employee

Massimo,

If you are still having this issue, please open a TAC case so we can troubleshoot and assist you with this issue.

 

Regards,

Zack