While trying to run tests, vasd attempted to reach a domain controller, but none responded.
CAUSE 1: An invalid domain controller is listed in DNS, or DNS is not configured
CAUSE 2: Ports blocked
CAUSE 3: Network or firewall issues
CAUSE 4: Product Defect ID 427080 - Decommissioned DC's are not removed from USN_CACHE
RESOLUTION 1:
1 - Using the output from "/opt/quest/bin/vastool info servers", attempt to determine whether the domain controllers are valid and reachable.
2 - Ensure DNS is correctly configured and that name resolution is able to occur to and from the client machine and the domain controllers.
Ensure that /etc/resolv.conf is correct on the client machine.
To test name resolution for a particular domain controller, on the host, you can use the dig or nslookup commands, depending on what is installed.
dig dc01.example.com or nslookup dc01.example.com
2. The following commands should return data. If they do not, you will need to work with your network admin staff to correct the DNS issue:
a) dig _ldap._tcp.<yourdomain.com> SRV
This command checks for an SRV record for your domain.
b) # nslookup
> set type=srv
> _ldap._tcp.dc._msdcs.<yourdomain.com>
Here is output from our lab; your output should look similar:
[root@leighdev ~]# nslookup
> set type=srv
> _ldap._tcp.dc._msdcs.LG.TS.HAL.CA.QSFT
Server: 10.4.64.23
Address: 10.4.64.23#53
Non-authoritative answer:
_ldap._tcp.dc._msdcs.LG.TS.HAL.CA.QSFT service = 0 100 389 dc-plg2.lg.ts.hal.ca.qsft.
Authoritative answers can be found from:
dc-plg2.lg.ts.hal.ca.qsft internet address = 10.5.84.114
3 - After you have corrected your DNS issues, try the join once again.
/opt/vas/bin/vastool -u <adminuser> join -f <your domain.com>
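The SRV and name-resolution checks in Resolution 1 can be scripted. The following is an added example, not part of the original article or of Authentication Services: given a domain, it looks up _ldap._tcp.dc._msdcs.<domain> with dig, resolves each advertised domain controller, and flags any that has no IPv4 address. The function names, the LOOKUP switch and the example.test sample answers are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: list the DCs advertised by the domain's SRV record and flag
# any whose name has no IPv4 address (an invalid or stale DC entry in DNS).

# live_lookup TYPE NAME: answer lines from the resolver in /etc/resolv.conf.
live_lookup() { dig +short "$2" "$1" </dev/null; }

# Constructed sample answers (example.test is not a real domain), used when
# the script is run with no argument so the logic can be tried offline.
sample_lookup() {
    case "$1 $2" in
        "SRV _ldap._tcp.dc._msdcs.example.test")
            printf '%s\n' '10 100 389 DC02.example.test.' \
                          '0 100 389 dc01.example.test.' ;;
        "A dc01.example.test") echo 192.0.2.10 ;;
    esac
}
LOOKUP=${LOOKUP:-live_lookup}   # hypothetical switch: name of the lookup function

# parse_srv: stdin "priority weight port target." -> "target port",
# lowest priority first; lines that are not SRV answers are dropped.
parse_srv() {
    sort -n | awk 'NF == 4 && $3 ~ /^[0-9]+$/ {
        sub(/\.$/, "", $4); print tolower($4), $3 }'
}

# check_dcs DOMAIN: prints NO_SRV, or one OK/UNRESOLVED line per DC.
# Returns 1 when the SRV record is missing or any DC does not resolve.
check_dcs() {
    rc=0
    records=$("$LOOKUP" SRV "_ldap._tcp.dc._msdcs.$1" | parse_srv)
    [ -n "$records" ] || { echo "NO_SRV _ldap._tcp.dc._msdcs.$1"; return 1; }
    while read -r host port; do
        addr=$("$LOOKUP" A "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
        if [ -n "$addr" ]; then
            echo "OK $host $port $addr"
        else
            echo "UNRESOLVED $host $port"; rc=1
        fi
    done <<EOF
$records
EOF
    return "$rc"
}
if [ "$#" -gt 0 ]; then
    check_dcs "$1"
else
    LOOKUP=sample_lookup; check_dcs example.test || true
fi
```

A domain controller reported as UNRESOLVED is one to check against the "vastool info servers" output before retrying the join.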
RESOLUTION 2 & 3:
1 - Run the preflight script to ensure no ports are being blocked.
/opt/quest/bin/preflight <your domain.com>
2 - Correct any missing port communication problems it reports.
Here are example messages:
Required port TCP 88 (for Kerberos traffic) MISSING
Required port UDP 389 (for Kerberized LDAP) MISSING
RESOLUTION 4:
Authentication Services does not go to another DC when a server has been decommissioned.
1 - Restart vasd
2 - /opt/quest/bin/vastool flush
STATUS:
Product Defect 427080 - Decommissioned DC's are not removed from USN_CACHE will be fixed in a future release.