-
标题
What are the deployment requirements for the Hybrid Agent? -
说明
Getting the following error messages whenever the installation of the Hybrid agent is attempted: -
原因
System and network requirements are missing or the agent is unable to find a Domain Controller. If the DNS is unable to fulfill the lookups requested by the setup process to find a DC it will fall back to NetBIOS over TCP to try and locate a DC. If there is a fallback to SMB that would explain the error as it is a typical error, you see in an SMB session. -
解决办法
Ensure you have carefully reviewed and followed all the prerequisites and instructions in the User Guide topic below:
https://support.quest.com/technical-documents/on-demand-global-settings/current/user-guide/13#TOPIC-2274789
After the agent is configured, review the following:
https://support.quest.com/technical-documents/security-guardian/current/user-guide/2#TOPIC-2155136
The agent setup binary process (setup.exe) requires LDAP connectivity (TCP 389) to the domain/DCs. The authentication mechanism is GSS-SPNEGO (which in turn negotiates Kerberos/NTLM with the DC):
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e7d814a5-4cb5-4b0d-b408-09d79988b550
The following network protocols may be used by the agent (either directly or indirectly by the local system) to attempt to work with the domain either during the setup process or during regular operation:
Within the domain:
TCP 389 (LDAP), UDP 53 (DNS), TCP 445 (SMB), UDP 137 (name resolution)
On-Demand connection 443 (HTTPS) depending on your region:
US:
odjrs-usprod-us-iothub.azure-devices.net
https://odjrsusprodusgrssto.blob.core.windows.net/
Canada:
odjrs-caprod-ca-iothub.azure-devices.net
https://odjrscaprodcagrssto.blob.core.windows.net/
Australia:
odjrs-auprod-au-iothub.azure-devices.net
https://odjrsauprodaugrssto.blob.core.windows.net/
Europe:
odjrs-euprod-eu-iothub.azure-devices.net
https://odjrseuprodeugrssto.blob.core.windows.net/
UK:
odjrs-ukprod-uk-iothub.azure-devices.net
https://odjrsukprodukgrssto.blob.core.windows.net/
Note: Make sure these URLs are reachable and whitelisted, and also that there is no DNS service blackholing in your Azure tenant to something like the blob.core.windows.net site.
Also, the setup will handle domain\username or username@domain.com formats when specifying the identity. Either works.
-
其他信息
Removing your AD Domain from the Tenants section of the On Demand UI and then re-adding it back could also help to resolve issues with the Hybrid agent deployment.