
KB-1747: adcheck fails on NTP port 123

Centrify DirectControl ,   Centrify Identity Service, Mac Edition ,  

12 April 2016 at 11:11 AM

Applies to: All versions of Centrify DirectControl.
 
Question:
When a Domain Controller is up but UDP port 123 is not reachable from the host, running adcheck returns:
"No Operational DCs were found"
 
As a result, Deployment Manager fails and does not proceed to the next phase. Since NTP port 123 is not a requirement for joining Active Directory, is there a way to bypass this check in adcheck?
 
Example output:
Host Diagnostics
    uname: Linux lxeusrchdev01 2.6.18-308.1.1.0.1.el5 #1 SMP Wed Mar 7 11:39:17 EST 2012 x86_64
      OS: EnterpriseEnterpriseServer
      Version: 5.8 (Carthage)
      Number of CPUs: 1
[...]
 Domain Diagnostics:
Using specified server yourdc.na.ad.yourdomain.com
    Probe domain controller: yourdc.na.ad.yourdomain.com
        LDAP UDP port test OK, response time = 0.0014
        NTP port test timeout, response time = 5.0011
        SMB port test OK, response time = 0.0021
        Kerberos TCP port test OK, response time = 0.0006
 
[...]
 
DOMNAME  : Check that the domain name is reasonable                    : Pass
ADDNS    : DNS lookup of DC yourdc.na.ad.yourdomain.com                  : Pass
ADPORT   : Port scan of DC yourdc.na.ad.yourdomain.com                   : Warning
         : One or more ports failed to respond correctly. Either:
         :   a) the DC is offline
         :   b) a firewall is preventing access to a port
         : The following is a list of failed ports:
         :    ntp(123)/udp - timeout
[...]
DCUP     : Check for operational DCs in na.ad.yourdomain.com                  : Failed
         : No working domain controllers were found.
 
1 serious issue was encountered during check. This must be fixed before proceeding
2 warnings were encountered during check. We recommend checking these before proceeding
Note: You specified a server name on the command line. You must specify this on the adjoin command and in the Centrify configuration file once you have installed DirectControl
 
Answer:
Because Kerberos enforces strict tolerances on clock differences between hosts in the domain, adcheck treats a DC that does not answer its SNTP/NTP probe on UDP port 123 as unusable, even when the LDAP, SMB and Kerberos probes succeed. If no DC answers on SNTP, the DCUP check is reported as Failed.
 
Although it is recommended to keep port 123 open so the host can keep its clock in sync with the domain, it is not a requirement for adjoin to work. The host's clock must still be within the Kerberos skew tolerance of the DCs, so if port 123 is blocked make sure the machine synchronises time from another source.
 
From Centrify DirectControl 4.4.4 onwards, adcheck accepts the "--skip-ntp" option to bypass the NTP port check:
adcheck [domain.com] --skip-ntp
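To make the decision above concrete, here is an added example that is not part of the original article and not Centrify's adcheck code. It performs the same kind of probe adcheck does (one SNTP request on UDP, reported as a timeout when nothing answers within the deadline) and applies an assumed dc_operational() policy that mirrors what the answer describes: every required port must answer, and --skip-ntp removes only the NTP probe from the required set. The NTP responder and the closed port are constructed on 127.0.0.1 so the script runs offline; the KERBEROS_MAX_SKEW constant is the common 5-minute Kerberos default, stated here as an assumption rather than something the article specifies.

```python
import socket
import struct
import threading
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
# Assumed Kerberos clock-skew tolerance: the common default is 5 minutes.
KERBEROS_MAX_SKEW = 300.0


def build_sntp_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3; all other fields zero."""
    return bytes([0x23]) + bytes(47)


def parse_transmit_timestamp(packet: bytes) -> float:
    """Return the server's Transmit Timestamp (bytes 40-47) as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    if packet[0] & 0x07 != 4:  # low three bits are the mode; 4 = server reply
        raise ValueError("not an NTP server reply")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def probe_ntp(host: str, port: int = 123, timeout: float = 5.0):
    """One SNTP round trip. Returns (ok, elapsed_seconds, server_time_or_None).
    A timeout, an ICMP port-unreachable and a malformed reply all count as a
    failure, i.e. what adcheck prints as 'ntp(123)/udp - timeout'."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_sntp_request(), (host, port))
            data, _ = sock.recvfrom(512)
            server_time = parse_transmit_timestamp(data)
        except (OSError, ValueError):  # socket.timeout is an OSError subclass
            return False, time.monotonic() - start, None
    return True, time.monotonic() - start, server_time


def clock_skew_seconds(server_time: float) -> float:
    """Absolute offset between this host's clock and the server's transmit time."""
    return abs(time.time() - server_time)


def dc_operational(port_results: dict, skip_ntp: bool = False) -> bool:
    """Assumed policy mirroring the article: every required probe must pass;
    skip_ntp drops ntp from the required set but keeps LDAP, SMB and Kerberos."""
    required = {"ldap", "smb", "kerberos", "ntp"}
    if skip_ntp:
        required.discard("ntp")
    return all(port_results.get(name, False) for name in required)


def start_fake_ntp_server() -> tuple:
    """Constructed stand-in for a DC that answers NTP; answers one request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5.0)
    host, port = srv.getsockname()

    def serve_once():
        try:
            req, addr = srv.recvfrom(512)
            now = time.time() + NTP_EPOCH_OFFSET
            secs = int(now)
            reply = bytearray(48)
            reply[0] = 0x24  # LI=0, VN=4, Mode=4 (server)
            reply[1] = 1     # stratum 1
            reply[24:32] = req[40:48].ljust(8, b"\x00")  # echo client Transmit as Originate
            reply[40:48] = struct.pack("!II", secs, int((now - secs) * 2**32))
            srv.sendto(bytes(reply), addr)
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return host, port


def closed_udp_port() -> int:
    """A loopback UDP port nothing listens on: reproduces the blocked-port case."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    host, port = start_fake_ntp_server()
    for label, target, skip in (("ntp answering", port, False),
                                ("ntp blocked", closed_udp_port(), False),
                                ("ntp blocked, --skip-ntp", closed_udp_port(), True)):
        ok, elapsed, server_time = probe_ntp(host, target, timeout=1.0)
        # LDAP, SMB and Kerberos are assumed to pass, as in the article's output.
        ports = {"ldap": True, "smb": True, "kerberos": True, "ntp": ok}
        verdict = "Pass" if dc_operational(ports, skip_ntp=skip) else "Failed"
        print(f"{label:26s} NTP port test {'OK' if ok else 'timeout'}, "
              f"response time = {elapsed:.4f}  DCUP: {verdict}")
        if server_time is not None:
            print(f"{'':26s} clock skew {clock_skew_seconds(server_time):.3f}s "
                  f"(tolerance {KERBEROS_MAX_SKEW:.0f}s)")
```

Run it as is to see the three outcomes side by side: an answering NTP service passes, a blocked port fails the DC, and the same blocked port with skip_ntp still yields an operational DC because the remaining probes passed. Point probe_ntp() at a real DC (port 123, the default 5-second timeout) to reproduce the article's "response time = 5.0011" when the port is filtered.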
 
To make Deployment Manager run adcheck with this option, use the following steps:
  1. Navigate to: C:\Program Files\Centrify\DirectManage Deployment Manager\Scripts\
  2. Open the "adcheck.lua" file in a text editor (such as Notepad++) and search for the line:
     local installed_adcheck_path = "/usr/share/centrifydc/bin/adcheck"
  3. Edit this to:
     local installed_adcheck_path = "/usr/share/centrifydc/bin/adcheck --skip-ntp"
  4. Save the changes, then close and reopen Deployment Manager. The adcheck operation will now run with the "--skip-ntp" option active.
