Certain environmental changes cause Active Directory connectivity issues.
To verify you are communicating with Active Directory
- If the DNS server changes, restart the server, because the Java Naming and Directory Interface (JNDI) caches information about the Active Directory domain for which the host is configured at server startup.
- If the Active Directory servers change, restart the server, because ActiveDirectoryInfoManager caches the SRV records it resolved.
- Verify that time is synchronized between the Management Console for Unix server and the Active Directory domain.
Kerberos requires that the Management Console for Unix server and Active Directory domain controller clocks are within five minutes of each other.
You specify the Active Directory configuration (that is, the set of domains, sites, and servers that you want the management console to contact) from System Settings | Active Directory | Advanced Settings. To access the Advanced Settings dialog, you must provide Active Directory credentials; once the console verifies the configuration, it saves the settings to the database.
There may be an occasion when the Active Directory configuration becomes invalid. Perhaps you restricted login to a specific domain, and later you receive a network error saying the Active Directory credentials you provided to perform an action have been revoked because that domain no longer exists. If the Active Directory configuration becomes invalid for any reason, you cannot access the Advanced Settings dialog to change the AD configuration.
This topic explains how to temporarily set the ad.config.domain or ad.config.site system properties in the custom.cfg file to specify a temporary configuration to use until you can reset the AD configuration from System Settings | Active Directory | Advanced Settings.
- ad.config.domain system property contains the name of a single Active Directory domain. When specified, the management console only contacts Active Directory servers in this domain.
Note: Do not configure the console for a domain outside of the current forest.
- ad.config.site system property contains the name of a single Active Directory site. When specified, the management console only contacts Active Directory servers in this site.
Note: Do not attempt to change the domain you are joined to with this method. You can only change the configuration within the same domain.
To reset Active Directory domain or site settings
1. Stop the Management Console for Unix service.
See Start/stop/restart Management Console for Unix service for details.
2. Locate the custom.cfg file.
See Setting custom configuration settings for more information about customizing configuration settings for the management console.
3. Add one of the following properties:
-Dad.config.domain=<domain>
-OR-
-Dad.config.site=<site>
Note: Specify only one of the ad.config.domain and ad.config.site system properties. If you specify both, the console ignores the ad.config.domain setting.
4. Save the custom.cfg file.
5. Restart the Management Console for Unix service.
6. Navigate to System Settings | Active Directory | Advanced Settings to specify which sites, domains, domain controllers, or global catalogs you want the console to contact.
See Configuring advanced settings for details.
7. Stop the Management Console for Unix service.
8. Locate the custom.cfg file.
9. Remove the temporary property you added in Step 3, either:
-Dad.config.domain=<domain>
-OR-
-Dad.config.site=<site>
10. Save the custom.cfg file.
11. Restart the Management Console for Unix service.
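The following shell functions are an added example for the procedure above; they are not part of the product documentation or the product's own tooling. They add, replace, or remove the temporary -Dad.config.domain / -Dad.config.site entry in custom.cfg, and refuse to add the second property when the other is already present, since the console honors only one of them. The file path (CFG) and the assumption that custom.cfg holds one "-Dkey=value" entry per line are assumptions made here; stopping and restarting the service remains a manual step.

```shell
#!/bin/sh
# Added example (not the product's own code): manage the temporary
# ad.config.domain / ad.config.site override in custom.cfg.
# Assumption: custom.cfg is a plain text file with one "-Dkey=value" entry
# per line. CFG defaults to ./custom.cfg and can be overridden from the environment.

CFG="${CFG:-./custom.cfg}"

# set_ad_override KIND VALUE  -- KIND is "domain" or "site".
# Refuses when the other kind is already configured, because the console
# honors only one of the two properties. Replaces an existing value of the
# same kind instead of appending a duplicate.
set_ad_override() {
    kind="$1"; value="$2"
    case "$kind" in
        domain) other=site ;;
        site)   other=domain ;;
        *) echo "kind must be domain or site" >&2; return 2 ;;
    esac
    if grep -q "^-Dad\.config\.${other}=" "$CFG" 2>/dev/null; then
        echo "refusing: -Dad.config.${other} is already set in $CFG" >&2
        return 1
    fi
    tmp="$CFG.tmp"
    # keep every line except a previous entry of the same kind
    grep -v "^-Dad\.config\.${kind}=" "$CFG" > "$tmp" 2>/dev/null || true
    printf '%s\n' "-Dad.config.${kind}=${value}" >> "$tmp"
    mv "$tmp" "$CFG"
}

# clear_ad_override -- remove both temporary properties (Step 9 of the
# procedure); every other line in custom.cfg is preserved.
clear_ad_override() {
    [ -f "$CFG" ] || return 0
    tmp="$CFG.tmp"
    grep -v -e '^-Dad\.config\.domain=' -e '^-Dad\.config\.site=' "$CFG" > "$tmp" || true
    mv "$tmp" "$CFG"
}

# current_ad_override -- print the active temporary override, if any.
current_ad_override() {
    grep -e '^-Dad\.config\.domain=' -e '^-Dad\.config\.site=' "$CFG" 2>/dev/null
}
```

Usage: stop the service, run `CFG=/path/to/custom.cfg set_ad_override domain <domain>` (or `site <site>`), restart the service, fix the configuration in Advanced Settings, then stop the service again, run `clear_ad_override`, and restart.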
Kerberos is a time-sensitive protocol and requires that the clocks on the Management Console for Unix server and your Active Directory domain controllers are synchronized within five minutes. If the Management Console for Unix server gets out of sync with the Active Directory domain controller, Active Directory will be disabled temporarily and you will be instructed to check your Active Directory settings.
During the post install process, if you see an error such as "Can't find domain controller for <domain>", verify that the Management Console for Unix server and Active Directory domain controller clocks are synchronized.
If you are logged on as an Active Directory account in the Manage Hosts role and the host is joined to Active Directory, but are not able to perform the Active Directory tasks, ensure that you have sufficient permission in Active Directory to perform the task.
Note: Read-only domain controllers do not allow modifications. If you are still unable to perform Active Directory tasks, verify whether any read-only domain controllers exist in the configured forest.