Applies to: All versions of Centrify DirectControl.
When a Domain Controller is up, but port 123 is not open, running adcheck returns:
"No Operational DCs were found"
As a result of this, Deployment Manager fails and does not proceed to the next phase. Since NTP port 123 is not a requirement to join Active Directory, is there any way to bypass this check in adcheck?
uname: Linux lxeusrchdev01 2.6.18-308.1.1.0.1.el5 #1 SMP Wed Mar 7 11:39:17 EST 2012 x86_64
Version: 5.8 (Carthage)
Number of CPUs: 1
Using specified server yourdc.na.ad.yourdomain.com
Probe domain controller: yourdc.na.ad.yourdomain.com
LDAP UDP port test OK, response time = 0.0014
NTP port test timeout, response time = 5.0011
SMB port test OK, response time = 0.0021
Kerberos TCP port test OK, response time = 0.0006
DOMNAME : Check that the domain name is reasonable : Pass
ADDNS : DNS lookup of DC yourdc.na.ad.yourdomain.com : Pass
ADPORT : Port scan of DC yourdc.na.ad.yourdomain.com : Warning
: One or more ports failed to respond correctly. Either:
: a) the DC is offline
: b) a firewall is preventing access to a port
: The following is a list of failed ports:
: ntp(123)/udp - timeout
DCUP : Check for operational DCs in na.ad.yourdomain.com : Failed
: No working domain controllers were found.
1 serious issue was encountered during check. This must be fixed before proceeding
2 warnings were encountered during check. We recommend checking these before proceeding
Note: You specified a server name on the command line. You must specify this on the adjoin command and in the Centrify configuration file once you have installed DirectControl
Because the Kerberos protocol has strict tolerances on time differences between servers in the domain, adcheck treats any DC that times out on SNTP/NTP as not operational. If no DC answers on SNTP, the check fails.
Although it is recommended to keep port 123 open to allow for accurate clock sync operations, it is not a requirement for adjoin to work.
From Centrify DirectControl 4.4.4 onwards, adcheck has a "--skip-ntp" option that bypasses the NTP port check:
adcheck [domain.com] --skip-ntp
To allow Deployment Manager to run adcheck with this option, use the following steps:
- Navigate to: C:\Program Files\Centrify\DirectManage Deployment Manager\Scripts\
- Open the "adcheck.lua" file in a text editor (such as Notepad++) and search for the line:
local installed_adcheck_path = "/usr/share/centrifydc/bin/adcheck"
- Edit this to:
local installed_adcheck_path = "/usr/share/centrifydc/bin/adcheck --skip-ntp"
- Save the changes, then close and reopen Deployment Manager. The adcheck operation will now run with the "--skip-ntp" option active.
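
Before making "--skip-ntp" the default, it helps to confirm from the adcheck report that NTP is the only port that failed, so the bypass does not mask an LDAP, SMB or Kerberos problem. The script below is an added example, not Centrify code: the function names are hypothetical, both sample reports are constructed from the output shown above, and the kerberos(88)/tcp entry format is an assumption.

```shell
#!/bin/sh
# Added example (hypothetical helper names): triage an adcheck report before
# deciding that --skip-ntp is the right bypass.

# Constructed sample reports, modeled on the output shown on this page.
SAMPLE_NTP_ONLY='ADPORT : Port scan of DC yourdc.na.ad.yourdomain.com : Warning
: One or more ports failed to respond correctly. Either:
: a) the DC is offline
: b) a firewall is preventing access to a port
: The following is a list of failed ports:
: ntp(123)/udp - timeout
DCUP : Check for operational DCs in na.ad.yourdomain.com : Failed
: No working domain controllers were found.'

# Assumption: other services are listed in the same name(port)/proto form.
SAMPLE_MIXED='ADPORT : Port scan of DC yourdc.na.ad.yourdomain.com : Warning
: The following is a list of failed ports:
: ntp(123)/udp - timeout
: kerberos(88)/tcp - timeout
DCUP : Check for operational DCs in na.ad.yourdomain.com : Failed'

# Print one failed port per line (e.g. "ntp(123)/udp") from a report on stdin.
failed_ports() {
    awk '
        /The following is a list of failed ports:/ { in_list = 1; next }
        in_list && /^[ \t]*:/ {
            sub(/^[ \t]*:[ \t]*/, "")   # drop the leading ":" continuation marker
            sub(/[ \t]+-.*$/, "")       # drop the " - timeout" style status
            if ($0 != "") print
            next
        }
        { in_list = 0 }                 # any other line ends the list
    '
}

# Echo "ntp-only", "other-ports" or "no-port-failures" for a report on stdin.
classify_report() {
    ports=$(failed_ports)
    if [ -z "$ports" ]; then
        echo "no-port-failures"
        return 0
    fi
    # Anything besides the NTP entry means --skip-ntp would hide a real problem.
    others=$(printf '%s\n' "$ports" | grep -v '^ntp(123)/udp$' || true)
    if [ -z "$others" ]; then echo "ntp-only"; else echo "other-ports"; fi
}

printf '%s\n' "$SAMPLE_NTP_ONLY" | classify_report   # ntp-only
```

A result of "other-ports" means more than NTP is blocked, and "--skip-ntp" would only hide part of the problem. With "ntp-only", keep the host clock in sync by some other means, since Kerberos still enforces its time tolerance.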