M and MSM Series
cancel
Showing results for 
Search instead for 
Did you mean: 

Joining MSM760 to domain fails

 
Highlighted
Stephan van Helden
Occasional Advisor

Joining MSM760 to domain fails

We want to join an MSM760 service controller to our Active Directory. When we do that, the log says "Joined successfuly with domain", the computer account in AD is created, but the status remains "Not Joined".

All our our local DCs are running Windows 2008 R2 - can this be the reason? (Domain functional level is still 2003 R2 though.)
9 REPLIES 9
Highlighted
Michael_Breuer
Esteemed Contributor

Re: Joining MSM760 to domain fails

Hello Stephan,

I remember some software issues on the MSM when trying to join to a domain. It is worth checking your software release and have a look at the release notes:

http://cdn.procurve.com/training/Manuals/r534/MSM7xx-534-RN-Sep09-5998-0270.pdf

Cheers,

Michael
Ingentive Networks GmbH
Highlighted
Stephan van Helden
Occasional Advisor

Re: Joining MSM760 to domain fails

Our software version is 5.3.3.0-01-7357. I checked the 5.3.4 release notes, but could not find anything AD-related, except the hint that one cannot join a domain without a time server configured. However, we have a DC configured as SNTP server.
Highlighted

Re: Joining MSM760 to domain fails

Does the web interface give you any error messages under "authentication > Active directory" when you try to join the controller in the domain?

If that there is no error's in the GUI I would recommend doing a packet trace between the controller and your AD (when you try the domain join) to see if there is any communication errors.
Highlighted
Fred!
Trusted Contributor

Re: Joining MSM760 to domain fails

Having a system log of the MSM controller at DEBUG level during the time you are trying to join AD can be very helpful.

In my experience with AD, there is usually a return code (error code) returned by AD if the join is not successful and that can help troubleshooting. The controller throw the error code in the syslog.

Another area of exploration: most generally tracing the exchanges on the network close to your server as well as looking at the server logs can be very helpful as well.
Highlighted
Stephan van Helden
Occasional Advisor

Re: Joining MSM760 to domain fails

Thanks for all your support. In the meantime, we solved our problem by creating an external RADIUS server. Basically, everything works now.

However, we have another problem: The service controller causes a lot of network traffic to the (currently only) access point AND even disconnects our firewall from the network!

The MSM760 and one node of our firewall cluster (Fortinet) are connected to the same switch (Procurve 4208vl). The other firewall node is connected to a Procurve 4108gl; both switches are connected of course.

Now, when the MSM760 is connected to the switch, after some minutes we lose our external connectivity and can't even ping the firewall anymore. All other stations can be pinged. That happens every few minutes, and after some minutes, connectivity comes back. When we disconnect the MSM760 from the network, everything works perfectly again.
Highlighted
Fred!
Trusted Contributor

Re: Joining MSM760 to domain fails

I wouldn't be so sure that it is due to heavy traffic. Your setup sounds pretty simple and beside initial SW synchronization and configuration synchronization, the rest of the exchanges between the controller and the APs are pretty light.

That said, there might be a couple of things that you can do to see if it fixes the issue. I suspect you are getting locked down by your firewall product because of the special behavior of some of the controller features.

For example, turn off the access control functionality at the controller level by unchecking the main check box in the Setvice Controller > Public Access > Access Control page and see if that does any good.

I don't know your exact configuration in terms of VSCs but if you happen to have a VSC using the access control it won't work anymore. The access control functionality is used for guest access/HTML authentication primarily. But definitely worth a try to see if it fixes your issue.

In any cases, let us know the outcome!
Highlighted
Ralf Krause
Frequent Advisor

Re: Joining MSM760 to domain fails

Hi Stephan,

sounds a bit like a duplicate address to me ...

Are you sure your Controller has not configured an address already in use?

Alternatively: The controller is able to act as DHCP server (if configured to do so). You might want to check those settings as well.

The controller's DHCP scope options are configured at two different places:
- Service Controller -> Network -> Address Allocation
(for the Default VSC)
- Service Controller -> VSC's -> VSC_of_Choice
(for all the other VSC's: at the very bottom right of the VSC configuration page)

Ralf
Highlighted
Stephan van Helden
Occasional Advisor

Re: Joining MSM760 to domain fails

Thanks for your tips! Of course, I do not believe that it's a problem of bandwidth utilization, so it seems strange to me that there is constant traffic from service controller to access point at all. (It was around 15 MB per minute when I remember correctly.)

We also do not want to use access control, but I can check whether something is enabled regarding that.

I'm also pretty sure that there are no duplicate addresses as regards assigned IPs or MAC addresses. It could be possible that firewall and service controller use some additional Mac address for clustering or so .. who knows. And DHCP is disabled.

Anyway, since it does happen ONLY in the live environment, I can't test it right now =) ... I will likely do it on Sunday and then post my findings here.
Highlighted
Mike Hydra
Occasional Advisor

Re: Joining MSM760 to domain fails

Make sure you check the Timezone, Time and DNS settings.
If the controller is off by more then 5 hours, it will fail.
Controller will make secure Kerberos connection to your AD.
Best practice would be to use the same DNS server on the controller as the AD server.

Otherwise contact me offline and will try to help you out.
Done this setup a dozen times.

Mike Hydra
2 Fast 4 Wireless