Cannot connect to a managed host
When trying to connect to a managed host you may receive the following error: “There was no end-point listening that could accept the message.”
This error indicates that there is an issue with the Data Governance service.
To resolve this issue, open the Services snap-in and restart the One Identity Manager Data Governance Service, then select the managed host in the Navigation view.
DNS error when attempting to add a new managed host
When attempting to deploy a new managed host, the managed host status is "Unresolvable" and the following errors are logged to the Data Governance Edition Service log:
- ERROR: The domain in which the operation was attempted is not registered as a managed domain.
- ERROR: Expected DNS Host Name <DNS Host Name>. The value in Active Directory is <DNS Host Name in AD>.
- ERROR: Access is denied.
These errors are caused by a mismatch between the DNS name in Active Directory and the "expected" DNS Host Name. That is, when adding a remote agent or saving a local managed host, Data Governance Edition compares the following two values to ensure they are the same:
- DNSHostName property in Active Directory, which should be the same value in One Identity Manager after AD synchronization.
- Machine name of the agent device plus DNS name of the domain.
To resolve this issue:
- Have your Active Directory administrator change the DNSHostName value in Active Directory to the correct DNS name.
- Re-synchronize Active Directory into One Identity Manager.
- Deploy the managed host.
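The following PowerShell script, added here as an example and not part of Data Governance Edition, reproduces that comparison on the agent device so the mismatch can be confirmed before involving the AD administrator. It assumes a domain-joined computer that can reach a domain controller, and reads DNSHostName through the built-in ADSI searcher rather than the ActiveDirectory module.

```powershell
# Added example, not part of Data Governance Edition: compare the two values the
# product checks when a managed host is deployed. Assumes a domain-joined agent
# device that can reach a domain controller (ADSI query, no RSAT module needed).

function Get-ExpectedDnsHostName {
    # "Machine name of the agent device plus DNS name of the domain"
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { throw "This computer is not domain-joined." }
    return ('{0}.{1}' -f $cs.Name, $cs.Domain).ToLowerInvariant()
}

function Get-AdDnsHostName {
    # DNSHostName attribute of this computer's AD object, which is the value One
    # Identity Manager receives through AD synchronization.
    $sam = "$env:COMPUTERNAME`$"
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$sam))"
    $null = $searcher.PropertiesToLoad.Add('dNSHostName')
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No computer object found for $sam." }
    return ([string]$result.Properties['dnshostname'][0]).ToLowerInvariant()
}

function Test-DnsHostNameMatch {
    $expected = Get-ExpectedDnsHostName
    $inAd     = Get-AdDnsHostName
    [pscustomobject]@{
        ExpectedDnsHostName = $expected
        DnsHostNameInAD     = $inAd
        Match               = ($expected -eq $inAd)
    }
}

$check = Test-DnsHostNameMatch
$check | Format-List
if (-not $check.Match) {
    $msg = "DNSHostName in AD is '{0}' but the expected value is '{1}'. Have the AD administrator " +
           "correct it, re-synchronize AD into One Identity Manager, then deploy the managed host."
    Write-Warning ($msg -f $check.DnsHostNameInAD, $check.ExpectedDnsHostName)
}
```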
Agent not connecting to the Data Governance server
If an agent cannot connect to the Data Governance server, one of the following is usually the cause:
- The agent has not been able to find a Service Connection Point that points to a valid server.
- A firewall is active on the agent hosting computer, which is preventing the agent from connecting to the server.
- The proxy settings on the agent computer are preventing it from connecting to the server.
To resolve this issue:
- Ensure that the Service Connection Points of the agent computer's managed domain are OK.
Ensure that the following registry value contains the required Deployment ID:
Registry Key: HKEY_LOCAL_MACHINE\Software\One Identity\Broadway\Agent\Services\communication
Registry Value: deploymentId (REG_SZ)
- Configure the firewall on the agent to allow outgoing traffic on TCP port 8721, and incoming traffic on TCP port 18530. Also, ensure that the Data Governance server firewall has the following exceptions configured: incoming TCP 8721, 8722 and outgoing 18530. If the Managed Host is a SharePoint Farm, HTTP port 3149 must be open for incoming traffic from localhost.
- Configure the proxy settings on the agent computer to either store credentials for accessing your corporate HTTP proxy, or allow bypassing of the proxy for local addresses.
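The script below, added here as an example and not part of Data Governance Edition, checks the agent-side prerequisites just listed from the agent computer: the Deployment ID registry value, outgoing TCP 8721 to the server, a listener and inbound allow rule for TCP 18530, and whether the proxy bypasses local addresses. $ServerName is a placeholder for your Data Governance server; it assumes an elevated session on Windows Server 2012 R2 or later (Test-NetConnection, Get-NetTCPConnection).

```powershell
# Added example, not part of Data Governance Edition: check the agent-side
# prerequisites from the agent computer. $ServerName is a placeholder; run in an
# elevated session on Windows Server 2012 R2 or later.
$ServerName = 'dge-server.example.com'   # placeholder, replace with your server
$regPath    = 'HKLM:\Software\One Identity\Broadway\Agent\Services\communication'

function Test-DeploymentId {
    # The deploymentId value under the communication key must be present and non-empty.
    $item = Get-ItemProperty -Path $regPath -Name deploymentId -ErrorAction SilentlyContinue
    $ok = ($null -ne $item) -and -not [string]::IsNullOrWhiteSpace($item.deploymentId)
    $detail = if ($ok) { $item.deploymentId } else { 'missing or empty' }
    [pscustomobject]@{ Check = 'deploymentId'; Ok = $ok; Detail = $detail }
}

function Test-OutboundServerPort {
    # Outgoing TCP 8721 from the agent to the server must pass the agent's firewall.
    $r = Test-NetConnection -ComputerName $ServerName -Port 8721 -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = 'outbound TCP 8721'; Ok = $r.TcpTestSucceeded; Detail = $ServerName }
}

function Test-AgentListener {
    # Incoming TCP 18530 must be allowed; also confirm something is listening at all.
    $listen = @(Get-NetTCPConnection -LocalPort 18530 -State Listen -ErrorAction SilentlyContinue)
    $rules  = @(Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
                Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '18530' } |
                Get-NetFirewallRule |
                Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
    $ok = ($listen.Count -gt 0) -and ($rules.Count -gt 0)
    $detail = "listening: $($listen.Count -gt 0); inbound allow rules: $($rules.Count)"
    [pscustomobject]@{ Check = 'inbound TCP 18530'; Ok = $ok; Detail = $detail }
}

function Test-ProxyBypassLocal {
    # WinINet proxy of the account running this session. The agent service runs under
    # its own account, so run this as that account to see the settings the agent uses.
    $p = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($p.ProxyEnable -ne 1) {
        return [pscustomobject]@{ Check = 'proxy'; Ok = $true; Detail = 'no proxy configured' }
    }
    $bypassLocal = (($p.ProxyOverride -split ';') -contains '<local>')
    $detail = "$($p.ProxyServer); bypass local addresses: $bypassLocal"
    [pscustomobject]@{ Check = 'proxy'; Ok = $bypassLocal; Detail = $detail }
}

@(Test-DeploymentId; Test-OutboundServerPort; Test-AgentListener; Test-ProxyBypassLocal) |
    Format-Table Check, Ok, Detail -AutoSize
```

A proxy that is enabled without a local bypass only passes if the agent has stored credentials for it, which this script does not verify.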
Data Governance agents cannot access NAS devices via SMB
After adding an EMC or NetApp host machine to a domain running Windows Server 2012/2012 R2, you may encounter one or both of the following:
- The Data Governance agent cannot access EMC or NetApp shares. For example, you receive a "Windows Cannot Access" network error when trying to access a share on the NAS device using File Explorer.
- You cannot browse resources or set security index roots for an EMC or NetApp managed host. That is, after adding an EMC or NetApp managed host, the Data Status gets stuck in a "Waiting for scanning to start" state and an error is recorded in the agent log.
Both of these issues are related to known issues with Windows Server 2012/2012 R2 and Windows 8 clients: Windows Server 2012 and later and Windows 8 and later include a newer version of the Server Message Block (SMB) protocol, SMB 3.0 (originally known as SMB 2.2).
- The first problem, where the agent cannot access EMC or NetApp shares, is most likely due to an incompatibility between your NAS device and the SMB protocol.
- The second problem, where the agent cannot scan the NAS device, is due to the "Secure Negotiate" feature that was added to SMB 3.0 for Windows Server 2012 and Windows 8.
To resolve the problem where the agent cannot access EMC or NetApp shares, upgrade the FLARE code on your NAS device with support for SMB 3.0.
WORKAROUND: If upgrading the FLARE code is not an option, disable SMB 2.0 on the agent machine running Windows Server 2012/2012 R2.
See http://www.exaltedtechnology.com/windows-8-access-is-denied-to-network-shares-could-be-an-issue-with-smb-2-2-with-emc-cellera-or-nas-device/ for more information on this known issue and how to disable SMB 2.0.
To resolve the problem where the agent cannot scan the NAS device, use an alternate supported operating system to host the agent to scan the EMC or NetApp filer or contact the file server vendor for an update that enables the file server to support Windows Server 2012 and Windows 8 clients.
WORKAROUND: Set "Secure Negotiate" to "enable if needed" using the following PowerShell command on the agent machine running Windows Server 2012/2012 R2:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" RequireSecureNegotiate -Value 2 -Force
NOTE: Using the "enable if needed" setting means that if the remote client is able to go secure, the Windows Server 2012/2012 R2 agent machine will use the secure negotiate feature, but if the remote client cannot go secure (like NetApp and EMC), then it will fall back.
Disabling the secure negotiate feature is NOT recommended by Microsoft.
See https://support.microsoft.com/en-us/kb/2686098 for more details on this known issue.
To determine the SMB version running on your server
Access the remote file server and run the following PowerShell command:
Look at the "Dialect" entry to see what version of SMB the client has negotiated with the file server.
For example, if the entry is 3.0, both the client and the server support that version of the SMB protocol.
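Added here as an example (not from the documentation above or from Microsoft's article), the script below reads the RequireSecureNegotiate value that the workaround sets and lists the Dialect negotiated with each file server the agent machine currently has an SMB connection to. It assumes an elevated session on Windows Server 2012 or later, where Get-SmbConnection (the cmdlet that reports the Dialect column referred to above) is available.

```powershell
# Added example, not from the documentation: report the Secure Negotiate setting on
# this agent machine and the SMB dialect negotiated with each connected file server.
# Assumes Windows Server 2012 or later and an elevated session.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SecureNegotiateSetting {
    # RequireSecureNegotiate: 0 = disabled (not recommended by Microsoft),
    # 1 = enabled (the default when the value is absent), 2 = enable if needed
    # (the documented workaround for EMC and NetApp filers).
    $item = Get-ItemProperty -Path $paramsKey -Name RequireSecureNegotiate -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 1 } else { [int]$item.RequireSecureNegotiate }
    $meaning = switch ($value) {
        0       { 'disabled' }
        1       { 'enabled' }
        2       { 'enable if needed' }
        default { 'unknown' }
    }
    [pscustomobject]@{
        RequireSecureNegotiate = $value
        Meaning                = $meaning
        ExplicitlySet          = ($null -ne $item)
    }
}

function Get-SmbDialectPerServer {
    # Dialect is the SMB version the client negotiated with that server; 3.x means
    # both sides support SMB 3, which is what an updated NAS should show.
    Get-SmbConnection |
        Group-Object ServerName |
        ForEach-Object {
            [pscustomobject]@{
                ServerName = $_.Name
                Dialects   = ($_.Group.Dialect | Sort-Object -Unique) -join ', '
                Shares     = ($_.Group.ShareName | Sort-Object -Unique) -join ', '
            }
        }
}

Get-SecureNegotiateSetting | Format-List
Get-SmbDialectPerServer    | Format-Table -AutoSize
```

Open a share on the NAS (for example with Get-ChildItem on its UNC path) before running this, otherwise Get-SmbConnection has no connection to that server to report.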