
WSA join to AD but can't fetch AD group information

Hi,

 I can join the WSA to AD, but it can't get AD-Groups.

 The realm was created but group search found no records.

 

 Do I need another procedure to join a W2012R2 domain?

 

 AsyncOS Version: 8.5.1-021

 Windows 2012 R2

 

Checking DNS resolution of WSA hostname(s)...
Success: Resolved 'mgmt_wsa1.xxx.local' address: x.x.x.115

Checking DNS resolution of Active Directory Server(s)...
Success: Resolved 'x.x.x.11' address: x.x.x.11
Success: Resolved 'x.x.x.12' address: x.x.x.12

Checking DNS resolution of AD Server(s)' full computer name(s)...
Success: Resolved 'SRVDC1.xxx.local' address: x.x.x.11
Success: Resolved 'SRVDC2.xxx.local' address: x.x.x.12

Validating configured Active Directory Domain...
Success: Active Directory Domain Name for 'x.x.x.11' : xxx.LOCAL
Success: Active Directory Domain Name for 'x.x.x.12' : xxx.LOCAL

Attempting to get TGT...
Success: Kerberos Tickets fetched from server 'x.x.x.11' :

Success: Kerberos Tickets fetched from server 'x.x.x.12' :


Checking local WSA time and server time difference...
Success: AD Server time and WSA time difference within tolerance limit
Success: AD Server time and WSA time difference within tolerance limit

Attempting to fetch AD group information...
Failure: Exception on query to server 'x.x.x.11', port 389 failed :
Exception('Inquiry timed out: auth failed: Windows 2008R2 or later requires a User account to create a data store, not a Computer account',)
Failure: Exception on query to server 'x.x.x.12', port 389 failed :
Exception('Inquiry timed out: auth failed: Windows 2008R2 or later requires a User account to create a data store, not a Computer account',)

Test completed: Errors occurred, see details above.

 

Thanks in advance.

Guido


oddonepaolo
Level 1

We have this identical problem too.

Any suggestions?

Thanks

 

Had the same problem after joining the domain.

Just enter ssh, write reboot, then yes.

Took less than 5 minutes.

Mohamed Khetrish

Hi,

 

The issue you're experiencing is more than likely this bug:

 

CSCuu49739

 

Sincerely,

 

Erik Kaiser

Sincerely, Erik Kaiser WSA CSE WSA Cisco Forums Moderator

Hi Erik,

I've been facing this bug, which was also confirmed by Cisco, and was given some alternatives to solve the problem:

- Wait for a new release

- Add groups manually (but it didn't work)

- Or downgrade, but we are using a KVM VM so we didn't find an older version (we are using version 8.6.0-025 on Virtual WSA S000)

 

Do you suggest another alternative?

 

Thank you

 

kussriva
Level 1

Hi,

 

Could you please try to delete the AD realm and add it back again? If possible, test by adding only a single DC at a time.

 


Regards,

Kush

Cisco PDI TA

 

 

 

Thanks Kush

We have rebooted the WSA and the problem has disappeared.

But it's the third time that we have needed to reboot it (for other reasons), and when we reboot it, we must switch it off and power it on again.

Daniele

Didier GREINER
Level 1

I have exactly the same issue.

AsyncOS Version: 8.7.0-172

Windows 2012 R2

I have an open case for that.

Did you fix it?

Hi.

Rebooting the system fixes the problem... for a while... then it reappears after some time...

It's very annoying.

Please Cisco fix this issue.

Daniele

igbinosuneric
Level 1

Hello 

Upgrade the AsyncOS version to 8.5.2-024 or higher.

Then the account details you use to join the domain must be for an admin account with the right privileges.

That was what worked for me.

What is your Active Directory Windows version?

2012 server 

We are currently hosting multiple clients on one physical appliance and are still experiencing this, despite upgrading to 8.5.2-027.

 

This only seems to be affecting one of the domains on the appliance, however.

Does anyone have any news about the issue?

Massimo

 

If you are still having this issue, please open a TAC case so we can troubleshoot and assist you with this issue.

 

Regards,

Zack