Applies to: All versions of Centrify DirectControl.
Question:
When a Domain Controller is up but port 123 is not open, running adcheck returns:
"No Operational DCs were found"
As a result of this, Deployment Manager fails and does not proceed to the next phase. Since NTP port 123 is not a requirement to join Active Directory, is there any way to bypass this check in adcheck?
Example output:
Host Diagnostics
uname: Linux lxeusrchdev01 2.6.18-308.1.1.0.1.el5 #1 SMP Wed Mar 7 11:39:17 EST 2012 x86_64
OS: EnterpriseEnterpriseServer
Version: 5.8 (Carthage)
Number of CPUs: 1
[...]
Domain Diagnostics:
Using specified server yourdc.na.ad.yourdomain.com
Probe domain controller: yourdc.na.ad.yourdomain.com
LDAP UDP port test OK, response time = 0.0014
NTP port test timeout, response time = 5.0011
SMB port test OK, response time = 0.0021
Kerberos TCP port test OK, response time = 0.0006
[...]
DOMNAME : Check that the domain name is reasonable : Pass
ADDNS : DNS lookup of DC yourdc.na.ad.yourdomain.com : Pass
ADPORT : Port scan of DC yourdc.na.ad.yourdomain.com : Warning
: One or more ports failed to respond correctly. Either:
: a) the DC is offline
: b) a firewall is preventing access to a port
: The following is a list of failed ports:
: ntp(123)/udp - timeout
[...]
DCUP : Check for operational DCs in na.ad.yourdomain.com : Failed
: No working domain controllers were found.
1 serious issue was encountered during check. This must be fixed before proceeding
2 warnings were encountered during check. We recommend checking these before proceeding
Note: You specified a server name on the command line. You must specify this on the adjoin command and in the Centrify configuration file once you have installed DirectControl
Answer:
Because the Kerberos protocol has strict tolerances on time differences between servers in the domain, adcheck treats any DC that times out on the SNTP/NTP probe as unusable. If no DC answers on SNTP, the DCUP check fails.
Although it is recommended to keep port 123 open to allow for accurate clock sync operations, it is not a requirement for adjoin to work.
From Centrify DirectControl 4.4.4 onwards, the "--skip-ntp" option is available in adcheck to bypass the NTP port check:
adcheck [domain.com] --skip-ntp
To allow Deployment Manager to run adcheck with this option, use the following steps:
- Navigate to: C:\Program Files\Centrify\DirectManage Deployment Manager\Scripts\
- Open the "adcheck.lua" file in a text editor (such as Notepad++) and search for the line:
local installed_adcheck_path = "/usr/share/centrifydc/bin/adcheck"
- Edit this to:
local installed_adcheck_path = "/usr/share/centrifydc/bin/adcheck --skip-ntp"
- Save the changes, then close and reopen Deployment Manager. The adcheck operation will now run with the "--skip-ntp" option active.
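Skipping the port check does not remove the underlying requirement that the host's clock stays within Kerberos tolerance of the DC. The following is an added example (not Centrify's code and not part of the original article) that reproduces the ntp(123)/udp probe adcheck performs, with the same 5-second timeout, and reports the clock skew so it can be verified independently. The hostname is a placeholder, and the 300-second tolerance is an assumed default.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
KERBEROS_MAX_SKEW = 300         # assumed: the usual 5-minute Kerberos clock-skew tolerance


def build_sntp_request():
    """48-byte SNTP client request: LI=0, VN=3, Mode=3 (client); all other fields zero."""
    return b"\x1b" + b"\x00" * 47


def parse_transmit_time(packet):
    """Return the server's transmit timestamp (Unix seconds, float) from an SNTP reply."""
    if len(packet) < 48:
        raise ValueError("short SNTP packet")
    mode = packet[0] & 0x07
    if mode != 4:                         # 4 = server reply
        raise ValueError("not an SNTP server reply (mode %d)" % mode)
    secs, frac = struct.unpack("!II", packet[40:48])   # transmit timestamp field
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32


def clock_skew(server_time, local_time):
    """Absolute difference in seconds between the DC's clock and this host's clock."""
    return abs(server_time - local_time)


def skew_acceptable(skew, limit=KERBEROS_MAX_SKEW):
    return skew is not None and skew <= limit


def make_sample_reply(unix_seconds, fraction=0):
    """Constructed test reply (mode 4) carrying the given transmit time; not real DC traffic."""
    ts = struct.pack("!II", unix_seconds + NTP_EPOCH_OFFSET, fraction)
    return b"\x1c" + b"\x00" * 39 + ts


def probe_dc_ntp(host, timeout=5.0):
    """Mirror adcheck's ntp(123)/udp test: return the skew in seconds, or None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_sntp_request(), (host, 123))
        data, _ = sock.recvfrom(512)
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()
    return clock_skew(parse_transmit_time(data), time.time())


if __name__ == "__main__":
    result = probe_dc_ntp("yourdc.na.ad.yourdomain.com")   # placeholder DC name from the article
    print("timeout" if result is None else "skew %.3f s, ok=%s" % (result, skew_acceptable(result)))
```

A timeout here matches the "ntp(123)/udp - timeout" line in the adcheck output above; if the probe does succeed, a skew above the tolerance means Kerberos authentication will fail even though adjoin itself was allowed to proceed.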