-
Title
The Active Directory (AD) agent can not collect data when Windows Firewall is enabled on target DC -
Description
The AD agent cannot be activated when using the Windows firewall even if all ports are opened.
An error message like the following is reported in the agent log:
______________________________________________
2011-11-29 09:46:47.935 ECHO <ActiveDirectory/5.5.8/ActiveDirectory/agent_name> ERROR [RestoreAgent-0] com.quest.agent.ad.ActiveDirectoryAgent - ActiveDirectoryAgent.
The host is unreachable. The server could be down or cannot be resolved.
Make sure you can ping the IP or that the Netbios(DNS) name is resolvable.
The properties for the agent should also be verified; it's possible an address or other property string is incorrect.: []
java.net.UnknownHostException
______________________________________________
-
Cause
Java bug 5061571 causes the function used by the AD agent to verify connectivity to use the Echo service on port 7.
-
Resolution
RESOLUTION:
WORKAROUND 1: Turn off the firewall.
WORKAROUND 2: Enable the Windows feature "Simple TCP/IP Services" and allow incoming connections to tcp port 7. Please see the screen shots in the work-with-firewall.zip file.
STATUS: Waiting for fix in a future release of the Foglight Active Directory cartridge.
-
Defect ID
AD-162 -
Attachments
-
Additional Information
If you choose workaround 2, you still need to configure the firewall to allow traffic between servers in the dynamic port range of 49152 through 65535 (less secure), or limit the port range that is used in each monitored server. Instead of manually specifying a port range you can open the ports by creating a rule in the Windows firewall and using the "RPC Dynamic Ports" selection under the "Protocols and Ports" tab with the following steps: Install Simple/TCP IP Services and create Echo Service Rule (port 7) as per screenprints in the attached .zip file Create an Inbound rule by following the steps in the attached Firewall_rule_properies_Dynamic_RPC.pdf file Under the "Protocols and Ports" tab, select "TCP" as the Protocol type, "RPC Dynamic Ports" for the Local port, and "All Ports" for the Remote port settings Under the "Scope" tab, select "These IP addresses" under Local IP address and enter the IP address of the Domain controller. Select "These IP Addresses" under the Remote IP address and enter the IP address of the FglAM host that is hosting ActiveDirectory agent Leave the default settings under the "Programs and Services" tab, the "Computers" tab, and the "Users" tab Configure the "Advanced" tab as necessary