Cannot connect to a managed host
Probable cause
When trying to connect to a managed host you may receive the following error: “There was no end-point listening that could accept the message.”
This error indicates that there is an issue with the Data Governance service.
Resolution
To resolve this issue, open the Services snap-in and restart the One Identity Manager Data Governance Service, then select the managed host in the Navigation view.
Agent not connecting to the Data Governance server
Probable cause
- The agent has not been able to find a Service Connection Point that points to a valid server.
- A firewall is active on the agent hosting computer, which is preventing the agent from connecting to the server.
- The proxy settings on the agent computer are preventing it from connecting to the server.
Resolution
- Ensure that the Service Connection Points of the agent computer's managed domain are OK.
-
Ensure that the following registry value contains the required Deployment ID:
Registry Key: HKEY_LOCAL_MACHINE\Software\One Identity\Broadway\Agent\Services\communication
Registry Value: deploymentId (REG_SZ)
- Configure the firewall on the agent to allow outgoing traffic on TCP port 8721, and incoming traffic on TCP port 18530. Also, ensure that the Data Governance server firewall has the following exceptions configured: incoming TCP 8721, 8722 and outgoing 18530. If the Managed Host is a SharePoint Farm, HTTP port 3149 must be open for incoming traffic from localhost.
- Configure the proxy settings on the agent computer to either store credentials for accessing your corporate HTTP proxy, or allow bypassing of the proxy for local addresses.
Data Governance agents cannot access NAS devices via SMB
After adding an EMC or NetApp host machine to a domain running Windows Server 2012/2012 R2, you may encounter one or both of the following:
- The Data Governance agent cannot access EMC or NetApp shares. For example, you receive a "Windows Cannot Access" network error when trying to access a share on the NAS device using the filer explorer.
- You cannot browse resources or set security index roots for an EMC or NetApp managed host. That is, after adding an EMC or NetApp managed host, the Data Status gets stuck in a "Waiting for scanning to start" state and an error is recorded in the agent log.
Probable cause
Both of these issues are related to known issues with Windows Server 2012/2012 R2 and Windows 8 clients. That is, Windows Server 2012 and later and Windows 8 and later include a newer version of the Server Message Block (SMB) protocol. These newer versions now ship with SMB 3.0 (originally known as SMB 2.2).
- The first problem, where the agent cannot access EMC or NetApp shares, is most likely due to an incompatibility between your NAS device and the SMB protocol.
- The second problem, where the agent cannot scan the NAS device, is due to the "Secure Negotiate" feature that was added to SMB 3.0 for Windows Server 2012 and Windows 8.
Resolution
-
To resolve the problem where the agent cannot access EMC or NetApp shares, upgrade the FLARE code on your NAS device with support for SMB 3.0.
WORKAROUND: If upgrading the FLARE code is not an option, disable SMB 2.0 on the agent machine running Windows Server 2012/2012 R2.
See http://www.exaltedtechnology.com/windows-8-access-is-denied-to-network-shares-could-be-an-issue-with-smb-2-2-with-emc-cellera-or-nas-device/ for more information on this known issue and how to disable SMB 2.0.
-
To resolve the problem where the agent cannot scan the NAS device, use an alternate supported operating system to host the agent to scan the EMC or NetApp filer or contact the file server vendor for an update that enables the file server to support Windows Server 2012 and Windows 8 clients.
WORKAROUND: Set "Secure Negotiate" to "enable if needed" using the following PowerShell command on the agent machine running Windows Server 2012/2012 R2:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" RequireSecureNegotiate -Value 2 -Force
NOTE: Using the "enable if needed" setting means that if the remote client is able to go secure, the Windows Server 2012/2012 R2 will use the secure negotiate feature, but if the remote client cannot go secure (like NetApp and EMC), then it will fallback.
Disabling the secure negotiate feature is NOT recommended by Microsoft.
See https://support.microsoft.com/en-us/kb/2686098 for more details on this known issue.
Additional information
To determine the SMB version running on your server
-
Access the remote file server and run the following PowerShell command:
Get-SmbConnection
-
Look at the "Dialect" entry to see what version of SMB the client has negotiated with the file server.
For example, if the entry is 3.0, both the client and the server support that version of the SMB protocol.
Agent leases expiring
Probable cause
- The computer on which the agent is running has rebooted.
- The agent service on the hosting computer has been stopped or disabled.
- The Data Governance service has been restarted.
Resolution
- Ensure the One Identity Manager Data Governance Edition Agent service is running on the hosting computer.
- Under normal conditions, agent lease expired messages should resolve themselves; however, it may take the duration of the lease renewal to renew. By default, the lease renewal interval is set to five minutes.