KB-1747: adcheck fails on NTP port 123

Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:11 AM

Applies to: All versions of Centrify DirectControl.
When a Domain Controller is up but port 123 is not open, running adcheck returns:
"No Operational DCs were found"
As a result, Deployment Manager fails and does not proceed to the next phase. Since NTP port 123 is not a requirement for joining Active Directory, is there any way to bypass this check in adcheck?
Example output:
Host Diagnostics
    uname: Linux lxeusrchdev01 2.6.18-308. #1 SMP Wed Mar 7 11:39:17 EST 2012 x86_64
      OS: EnterpriseEnterpriseServer
      Version: 5.8 (Carthage)
      Number of CPUs: 1
 Domain Diagnostics:
Using specified server
    Probe domain controller:
        LDAP UDP port test OK, response time = 0.0014
        NTP port test timeout, response time = 5.0011
        SMB port test OK, response time = 0.0021
        Kerberos TCP port test OK, response time = 0.0006
DOMNAME  : Check that the domain name is reasonable                    : Pass
ADDNS    : DNS lookup of DC                  : Pass
ADPORT   : Port scan of DC                   : Warning
         : One or more ports failed to respond correctly. Either:
         :   a) the DC is offline
         :   b) a firewall is preventing access to a port
         : The following is a list of failed ports:
         :    ntp(123)/udp - timeout
DCUP     : Check for operational DCs in                  : Failed
         : No working domain controllers were found.
1 serious issue was encountered during check. This must be fixed before proceeding
2 warnings were encountered during check. We recommend checking these before proceeding
Note: You specified a server name on the command line. You must specify this on the adjoin command and in the Centrify configuration file once you have installed DirectControl
Because the Kerberos protocol has strict tolerances on time differences between servers in the domain, adcheck treats a DC that times out on SNTP/NTP as not operational. If no DC answers on SNTP/NTP, the check fails.
Although keeping port 123 open is recommended so that clocks stay accurately synchronized, it is not a requirement for adjoin to work.
From Centrify DirectControl 4.4.4 onwards, adcheck includes a "--skip-ntp" option that bypasses the NTP port check:
adcheck [] --skip-ntp
To allow Deployment Manager to run adcheck with this option, use the following steps:
  1. Navigate to: C:\Program Files\Centrify\DirectManage Deployment Manager\Scripts\
  2. Open the "adcheck.lua" file in a text editor (such as Notepad++) and search for the line:
     local installed_adcheck_path = "/usr/share/centrifydc/bin/adcheck"
  3. Edit this to:
     local installed_adcheck_path = "/usr/share/centrifydc/bin/adcheck --skip-ntp"
  4. Save the changes, then close and reopen Deployment Manager. The adcheck operation will now run with the "--skip-ntp" option active.
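Before applying the "--skip-ntp" change, it is worth confirming that NTP (udp/123) really is the only port that failed, because the option hides that one check and nothing else; a DC that also times out on Kerberos or LDAP is still unusable. The following is an added example, not Centrify code, that parses adcheck output in the format shown above and says whether "--skip-ntp" would address the DCUP failure; the sample output it contains is constructed from the article's example.

```python
"""Decide whether --skip-ntp would address an adcheck DCUP failure.

Added example (not part of Centrify DirectControl or adcheck). It reads the
ADPORT failed-port list and the check results from adcheck output and reports
whether ntp(123)/udp is the only failed port.
"""
import re

# Constructed sample, modelled on the adcheck output shown in the article.
SAMPLE_OUTPUT = """\
    Probe domain controller:
        LDAP UDP port test OK, response time = 0.0014
        NTP port test timeout, response time = 5.0011
        SMB port test OK, response time = 0.0021
        Kerberos TCP port test OK, response time = 0.0006
ADPORT   : Port scan of DC                   : Warning
         : The following is a list of failed ports:
         :    ntp(123)/udp - timeout
DCUP     : Check for operational DCs in                  : Failed
"""

# Lines like "         :    ntp(123)/udp - timeout"
FAILED_PORT_RE = re.compile(r"^\s*:\s+(\w+)\((\d+)\)/(udp|tcp)\s+-\s+(\S+)", re.M)
# Lines like "DCUP     : Check for operational DCs in ... : Failed"
CHECK_RE = re.compile(r"^(\w+)\s+:.*:\s+(Pass|Warning|Failed)\s*$", re.M)


def parse_adcheck(text):
    """Return ({check_name: result}, [(service, port, proto, reason), ...])."""
    checks = {m.group(1): m.group(2) for m in CHECK_RE.finditer(text)}
    failed = [(m.group(1), int(m.group(2)), m.group(3), m.group(4))
              for m in FAILED_PORT_RE.finditer(text)]
    return checks, failed


def skip_ntp_is_safe(text):
    """True only when DCUP failed and ntp/udp 123 is the sole failed port."""
    checks, failed = parse_adcheck(text)
    if checks.get("DCUP") != "Failed":
        return False  # nothing to bypass
    return bool(failed) and all(port == 123 and proto == "udp"
                                for _, port, proto, _ in failed)


if __name__ == "__main__":
    print("--skip-ntp would address this failure:", skip_ntp_is_safe(SAMPLE_OUTPUT))
```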

