While trying to run tests vasd attempted to reach a domain controller but none responded.
CAUSE 1: It can also be caused by an invalid domain controller within DNS or if DNS is not configured
CAUSE 2: Ports blocked
CAUSE 3: Network issues or firewalls issues
CAUSE 4: Product Defect ID 427080 - Decommissioned DC's are not removed from USN_CACHE
1 - Using the output from "/opt/quest/bin/vastool info servers" attempting to determine if the domain controllers are valid and reachable.
2 - Ensure DNS is correctly configured and that name resolution is able to occur to and from the client machine and the domain controllers.
Ensure the /etc/resolv.conf is correct on the client machine
To test name resolution for a particular domain controller, on the host, you can use the dig or nslookup commands, depending on what is installed.
dig dc01.example.com or nslookup dc01.example.com
2.The following commands should return data if not you will need to work with your network admin staff to correct the DNS issue:
a) dig _ldap._tcp.<yourdomain.com> SRV
This command will check for a SRV record for your domain.
b) # nslookup
> set type=srv
Here is output from our lab and your output should look similiar:
[root@leighdev ~]# nslookup
> set type=srv
_ldap._tcp.dc._msdcs.LG.TS.HAL.CA.QSFT service = 0 100 389 dc-plg2.lg.ts.hal.ca.qsft.
Authoritative answers can be found from:
dc-plg2.lg.ts.hal.ca.qsft internet address = 10.5.84.114
3 - After you have corrected your DNS issues try the join once again.
/opt/vas/bin/vastool -u <adminuser> join -f <your domain.com>
RESOLUTION 2 & 3:
1 - Run preflight script to ensure no ports are being blocked.
/opt/quest/bin/preflight <your domain.com>
2 - Correct any missing port communication problems it reports.
Here is an example of messages:
Required port TCP 88 (for Kerberos traffic) MISSING
Required port UDP 389 (for Kerberized LDAP) MISSING
Authentication Services does not go to another DC when a server has been decommissioned.
1 - restart vasd
2 - /opt/quest/bin/vastool flush
Product Defect 427080 - Decommissioned DC's are not removed from USN_CACHE will be fixed in a future release. It is planned to be fixed in Authentication Services 5.0 version.