Directory Agent cannot connect to the domain controller
Directory Agent must be able to connect to the domain controller to gather user information from the directory service. If there are communication problems between the Directory Agent machine and the domain controller, the hybrid service’s user data may become outdated, leading to incorrect policy enforcement.
To troubleshoot this problem:
- Make sure that the Directory Agent machine is bound to the domain, and that the firewall permits communication on the directory service port.
  | Port | Used for |
  |------|----------|
  | 139  | NetBIOS communication: Active Directory |
  | 389  | LDAP communication: Active Directory, Novell eDirectory, Oracle (formerly Sun Java) Directory Server |
  | 636  | SSL port: Novell eDirectory, Oracle (formerly Sun Java) Directory Server |
  | 3268 | Active Directory |
  | 3269 | SSL port: Active Directory |

- Go to the page in the Forcepoint Security Manager and verify that your directory service configuration has not changed since you last updated your Directory Agent settings.
- Go to the page and verify that Directory Agent is attempting to search a valid context (path) for user and group information. To do this:
  - If you are using Windows Active Directory, click a directory server name or IP address, and then click Test Context. Repeat this process for each global catalog server.
  - If you are using Oracle (formerly Sun Java) Directory Server or Novell eDirectory, click Test Context.
- On the Shared User Data page, also make sure that the context is not only valid, but appropriate. The context should be limited to include only those users and groups filtered by the hybrid service.
- Still on the Shared User Data page, make sure that the Directory Search option is set correctly, so that Directory Agent is searching only the relevant portion of your directory service.
- Verify that it is possible to connect to the directory service IP address and port from the Directory Agent machine.
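The last check, as an added example that is not Forcepoint's own tooling: a Python probe run from the Directory Agent machine that tests TCP reachability of each port in the table and, for the SSL ports, completes a TLS handshake, so that a port blocked by the firewall and a reachable port whose LDAPS handshake fails (for example, a server certificate issued by a CA the Directory Agent machine does not trust) are reported as different causes. Ports and services come from the table; `open_local_listener` is a constructed fixture for checking the probe itself, not part of any directory service.

```python
import socket
import ssl
import sys

# Ports from the table above; True marks a port that expects TLS.
DIRECTORY_PORTS = {
    139: ("NetBIOS: Active Directory", False),
    389: ("LDAP: Active Directory, Novell eDirectory, Oracle Directory Server", False),
    636: ("LDAP over SSL: Novell eDirectory, Oracle Directory Server", True),
    3268: ("Global catalog: Active Directory", False),
    3269: ("Global catalog over SSL: Active Directory", True),
}

def check_port(host, port, use_tls=False, timeout=3.0):
    """Return 'open', 'open (TLS ...)', 'open (TLS handshake failed: ...)' or 'closed: ...'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, unreachable, or silently dropped by a firewall
        return f"closed: {exc}"
    if not use_tls:
        sock.close()
        return "open"
    # The default context verifies the server certificate against the local trust
    # store, so an untrusted CA on the LDAPS port is reported as its own cause.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return f"open (TLS {tls.version()})"
    except ssl.SSLError as exc:
        return f"open (TLS handshake failed: {exc.reason})"
    except OSError as exc:  # e.g. nothing speaks TLS behind the port -> timeout
        return f"open (TLS handshake failed: {exc})"

def check_directory_service(host, ports=DIRECTORY_PORTS, timeout=3.0):
    """Probe every listed port; returns {port: (description, status)}."""
    return {p: (desc, check_port(host, p, tls, timeout))
            for p, (desc, tls) in ports.items()}

def open_local_listener():
    """Constructed fixture: a listener on an ephemeral 127.0.0.1 port for checking the probe itself."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv

if __name__ == "__main__":  # usage: python probe.py <directory-server-host-or-ip>
    for port, (desc, status) in check_directory_service(sys.argv[1]).items():
        print(f"{port:>5}  {status:<45} {desc}")
```

A status of `closed: timed out` (rather than `Connection refused`) usually means a firewall is dropping the traffic, while `open (TLS handshake failed: CERTIFICATE_VERIFY_FAILED)` points at the certificate chain rather than at connectivity.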