
One Identity Management Console for Unix 2.5.2 - Administration Guide


Active Directory connectivity issues

Certain environmental changes cause Active Directory connectivity issues.

To verify you are communicating with Active Directory

  1. If the DNS server changes, restart the server, because the Java Naming and Directory Interface (JNDI) caches information about the Active Directory domain for which the host is configured at server start-up.
  2. If the Active Directory servers change, restart the servers due to SRV record caching in ActiveDirectoryInfoManager.
  3. Verify that time is synchronized between the Management Console for Unix server and the Active Directory domain.

    Kerberos requires that the Management Console for Unix server and Active Directory domain controller clocks are within five minutes of each other.

Unable to configure Active Directory

You specify the Active Directory configuration (that is, the set of domains, sites, and servers that you want the management console to contact) from System Settings | Active Directory | Advanced Settings. To access the Advanced Settings dialog, you must provide Active Directory credentials; then, once the console verifies the configuration, it saves the settings to the database.

There may be an occasion when the Active Directory configuration becomes invalid. Perhaps you set the AD configuration to restrict login to a specific domain, and later that domain no longer exists, so you receive a network error saying that the Active Directory credentials you provided to perform an action have been revoked. If the Active Directory configuration becomes invalid for any reason, you will not be able to access the Advanced Settings dialog to change the AD configuration.

This topic explains how to temporarily set the ad.config.domain or ad.config.site system property in the custom.cfg file to specify an interim configuration to use until you can reset the AD configuration from System Settings | Active Directory | Advanced Settings.

  • The ad.config.domain system property contains the name of a single Active Directory domain. When specified, the management console will only contact Active Directory servers in this domain.

    Note: Do not configure the console for a domain outside of the current forest.

  • The ad.config.site system property contains the name of a single Active Directory site. When specified, the management console will only contact Active Directory servers in this site.

Note: Do not attempt to change the domain you are joined to with this method. You can only change the configuration within the same domain.

To reset Active Directory domain or site settings

  1. Stop the Management Console for Unix service.

    See Start/stop/restart Management Console for Unix service for details.

  2. Locate the custom.cfg file.

    See Setting custom configuration settings for more information about customizing configuration settings for the management console.

  3. Add one of the following properties:
    -Dad.config.domain=<domain>

    -OR-

    -Dad.config.site=<site>

    Note: Only specify the ad.config.domain or the ad.config.site system property. If you specify both, the console will ignore the ad.system.domain setting.

  4. Save the custom.cfg file.
  5. Restart the Management Console for Unix service.
  6. Navigate to System Settings | Active Directory | Advanced Settings to specify which sites, domains, domain controllers, or global catalogs you want the console to contact.

    See Configuring advanced settings for details.

  7. Stop the Management Console for Unix service.
  8. Locate the custom.cfg file.
  9. Remove the temporary properties you added in Step #3. Either:
    ad.config.domain=<domain>

    -OR-

    ad.config.site=<site>
  10. Save the custom.cfg file.
  11. Restart the Management Console for Unix service.
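The add-and-remove cycle of steps 3 and 9, as an added POSIX shell example (not One Identity's own tooling). The path of custom.cfg is a placeholder because this page does not give it, the file is assumed to hold one property per line in the -D form shown in step 3, and the helper enforces the note in step 3 by never leaving both ad.config.domain and ad.config.site in the file.

```shell
#!/bin/sh
# Added example: manage the temporary ad.config.domain / ad.config.site
# override in custom.cfg. CUSTOM_CFG is a placeholder path (assumption);
# stop the Management Console for Unix service before editing and restart
# it afterwards, as in the procedure above.
CUSTOM_CFG="${CUSTOM_CFG:-/path/to/custom.cfg}"

# Step 9: remove both temporary properties, keeping a .bak copy of the file.
mcu_ad_override_clear() {
    cfg="$1"
    cp "$cfg" "$cfg.bak" || return 1
    # grep -v exits 1 when nothing is left to print; an emptied file is fine.
    grep -v -e '^-Dad\.config\.domain=' -e '^-Dad\.config\.site=' \
        "$cfg.bak" > "$cfg" || :
    [ -f "$cfg" ]
}

# Step 3: set exactly one override. kind is "domain" or "site".
# Any existing override is cleared first so both are never present together.
mcu_ad_override_set() {
    cfg="$1"; kind="$2"; value="$3"
    case "$kind" in
        domain|site) ;;
        *) echo "kind must be domain or site" >&2; return 2 ;;
    esac
    [ -n "$value" ] || { echo "a $kind name is required" >&2; return 2; }
    mcu_ad_override_clear "$cfg" || return 1
    printf '%s\n' "-Dad.config.$kind=$value" >> "$cfg"
}

# Report the active override: prints "domain=<v>", "site=<v>", or "none".
mcu_ad_override_show() {
    line=$(grep -e '^-Dad\.config\.domain=' -e '^-Dad\.config\.site=' "$1" \
        | head -n 1)
    case "$line" in
        "") echo none ;;
        *)  echo "${line#-Dad.config.}" ;;
    esac
}
```

Run `mcu_ad_override_set "$CUSTOM_CFG" domain corp.example.com` before step 5 and `mcu_ad_override_clear "$CUSTOM_CFG"` before step 11; `mcu_ad_override_show` confirms what the next service start will pick up.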

Active Directory is disabled

Kerberos is a time-sensitive protocol and requires that the clocks on the Management Console for Unix server and your Active Directory domain controllers are synchronized within five minutes. If the Management Console for Unix server gets out of sync with the Active Directory domain controller, Active Directory will be disabled temporarily and you will be instructed to check your Active Directory settings.

During the post install process, if you see an error such as "Can't find domain controller for <domain>", verify that the Management Console for Unix server and Active Directory domain controller clocks are synchronized.

Active Directory tasks are disabled

If you are logged on as an Active Directory account in the Manage Hosts role and the host is joined to Active Directory, but are not able to perform the Active Directory tasks, ensure that you have sufficient permission in Active Directory to perform the task.

Note: Read-only domain controllers do not allow modifications. If you are still unable to perform Active Directory tasks, verify whether any read-only domain controllers exist in the configured forest.
