Troubleshooting DNS & Adding Another Domain to ControlUp.

Summary

If your organization has several domains, you can monitor computers in the other domains through your main domain. This applies equally to a customer with two or three domains and to an MSP connected to dozens of customer domains. Maintaining a working connection from one AD forest to another requires a few prerequisites, listed below.

This is a troubleshooting article. If you simply want to know whether ControlUp supports multiple domains, the answer is yes.

Prerequisites

  1. The computer running the console must have LDAP access to the Domain Controllers of every relevant AD forest.
  2. DNS conditional forwarding must be configured so that the computer running the console can resolve any relevant AD DNS entry in the external forest (the DC locator SRV records under _msdcs included).
  3. The console must have valid AD credentials for the external forest.
    • Enter the credentials in the AD Connection section of the Settings menu.
  4. The ControlUp agent must be pre-installed on the relevant target computers (the agent MSI package can be used for this).
  5. Ports and firewall:
    • TCP port 40705 (the default) must be open on the external network for console-to-agent communication.
    • For hypervisor support, HTTPS (TCP 443) must be open on the external network for console-to-hypervisor communication. If a data collector is in place, the port must be open from the data collector instead.
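The following PowerShell is an added example of how the DNS and firewall prerequisites above can be put in place on Windows; it is not ControlUp's own configuration. The domain name, DNS server addresses and rule name are assumptions; the agent port is the ControlUp default from the list above.

```powershell
# Added example (not ControlUp's own configuration). Assumed values, replace with your own:
$ExternalDomain = 'external.example'              # assumption: the AD forest you are adding to the console
$ExternalDns    = @('10.20.0.10', '10.20.0.11')    # assumption: that forest's DNS servers (usually its DCs)
$AgentPort      = 40705                            # ControlUp default console-to-agent port

# --- On the DNS server that the console machine uses (Windows DNS, DnsServer module) ---
# A conditional forwarder sends every query for *.external.example to that forest's DNS
# servers instead of resolving it through root hints/general forwarders.
# -ReplicationScope Forest stores the forwarder in AD so every DNS server in the local
# forest learns it; omit the parameter to keep a file-backed forwarder on this server only.
if (-not (Get-DnsServerZone -Name $ExternalDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $ExternalDomain `
        -MasterServers $ExternalDns -ReplicationScope Forest
}
# Confirm what is actually configured: ZoneType should read 'Forwarder', not 'Secondary'.
Get-DnsServerZone -Name $ExternalDomain | Select-Object ZoneName, ZoneType, MasterServers

# --- On each target computer in the external domain (agent side) ---
# Let the console reach the pre-installed agent; scope the rule to the Domain profile
# rather than opening the port on every network the machine may join.
New-NetFirewallRule -DisplayName "ControlUp Agent (TCP $AgentPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $AgentPort -Action Allow -Profile Domain
```

The forwarder step is idempotent (it is skipped if a zone of that name already exists), and the Get-DnsServerZone line is the quick way to spot the secondary-zone-versus-forwarder mix-up discussed in the checks further down.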

Possible Error message

When you add a domain and the connection fails, the console displays an error dialog (shown as a screenshot in the original article).

In that case, check the following aspects of the network to find where the connection fails.

Networking checks

  • Install a packet sniffer (e.g. Wireshark) on the console machine and inspect the DNS queries it sends and the responses it receives.
    • A failed DNS query is visible in the capture as a query that gets no answer or an error response (the original article shows such a capture as a screenshot).
  • Validate that port 53 is reachable on the DNS server over both TCP and UDP.
    • DNS mostly uses UDP, but a query is retried over TCP when the response is truncated (too large for a UDP datagram), and zone transfers always use TCP. A blocked TCP/53 therefore shows up as intermittent failures rather than a complete outage, which is easy to misdiagnose.
  • You can ping the remote AD, but ping uses a different protocol (ICMP), so a reply does not prove that LDAP is reachable.
  • Use LDP.exe from the console machine to bind with the same credentials you set in the console. LDP is a GUI LDAP client, so you can test the connection and the bind there.
  • Check for conflicting DNS configuration: is the conditional forwarder configured correctly, is there also a secondary forward lookup zone for the same name, or a hosts file entry on the console machine or the DC that overrides DNS? These are worth validating even if they seem unlikely.
  • LDAP uses TCP port 389, or TCP port 636 for LDAPS. UDP port 389 carries CLDAP, which Windows uses to locate and ping Domain Controllers, so it must be allowed as well.
    • Some environments open TCP/389 only. Allow UDP/389 too and re-check. LDAPS (636) is TCP only; it has no UDP counterpart.
  • 'nslookup' is also useful to resolve the other AD's DNS names and IP addresses, forward and reverse.
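The checks in the list above can be scripted from the console machine. The PowerShell below is an added example, not ControlUp's own tooling: it resolves the external forest's DC locator records through the local resolver (and directly against the external DNS server if that fails), looks for hosts-file overrides, probes the DNS, LDAP, LDAPS and agent ports over TCP, and performs an authenticated LDAP bind with the console's credentials, which is what LDP.exe does interactively. The domain name, DNS server address and target computer name are assumptions; the Test-Port helper is defined here for the example.

```powershell
# Added example (not ControlUp's own tooling). Run on the console machine.
# Assumed values, replace with your own:
$ExternalDomain = 'external.example'        # assumption: the AD domain you are adding
$ExternalDns    = '10.20.0.10'              # assumption: a DNS server (usually a DC) in that forest
$TargetComputer = "srv01.$ExternalDomain"   # assumption: a target computer with the agent installed
$AgentPort      = 40705                     # ControlUp default console-to-agent port
$Cred = Get-Credential -Message "Credentials entered under Settings > AD Connection for $ExternalDomain"

function Test-Port($Computer, $Port) {
    # TCP reachability only: $false for closed or filtered ports. Helper defined for this example.
    Test-NetConnection -ComputerName $Computer -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
}

# 1. DNS through the console machine's normal resolver, i.e. via the conditional forwarder.
#    -DnsOnly ignores the hosts file, LLMNR and NetBIOS so a stale hosts entry cannot mask a DNS fault.
$srvName = "_ldap._tcp.dc._msdcs.$ExternalDomain"
$srv = Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV'
if (-not $srv) {
    Write-Warning "$srvName did not resolve through the local resolver; check the conditional forwarder."
    # Ask the external DNS server directly: if this works, the forwarder is the problem, not the network.
    $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $ExternalDns -DnsOnly -ErrorAction Stop |
           Where-Object Type -eq 'SRV'
}
$dcs = $srv | Sort-Object Priority, Weight | Select-Object -ExpandProperty NameTarget -Unique
"Domain controllers for ${ExternalDomain}: $($dcs -join ', ')"

# 2. Conflicting local overrides: any hosts-file line mentioning the external domain is suspect.
Select-String -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Pattern ([regex]::Escape($ExternalDomain)) |
    ForEach-Object { Write-Warning "hosts file override: $($_.Line)" }

# 3. Ports: DNS (TCP/53) on the DNS server, LDAP (TCP/389) and LDAPS (TCP/636) on each DC,
#    and the agent port on the target. UDP cannot be probed this way; step 1 normally used UDP/53.
$checks = @(@{ Computer = $ExternalDns; Port = 53 })
foreach ($dc in $dcs) {
    $checks += @{ Computer = $dc; Port = 389 }
    $checks += @{ Computer = $dc; Port = 636 }
}
$checks += @{ Computer = $TargetComputer; Port = $AgentPort }
foreach ($c in $checks) {
    $state = if (Test-Port $c.Computer $c.Port) { 'open' } else { 'BLOCKED' }
    '{0,-45} TCP/{1,-6} {2}' -f $c.Computer, $c.Port, $state
}

# 4. Authenticated LDAP bind with the console credentials against the first DC found.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcs[0], 389)
$authType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$netCred    = $Cred.GetNetworkCredential()
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $identifier, $netCred, $authType
$conn.SessionOptions.ProtocolVersion = 3
try     { $conn.Bind(); "LDAP bind to $($dcs[0]) as $($Cred.UserName) succeeded" }
catch   { Write-Warning "LDAP bind to $($dcs[0]) failed: $($_.Exception.Message)" }
finally { $conn.Dispose() }
```

Enter the credentials exactly as they are configured in the console (DOMAIN\user or a UPN). If step 1 only succeeds against the external DNS server, fix the conditional forwarder; if step 3 reports 389 open but step 4 fails, the network is fine and the credentials or the account's rights in the external forest are the problem.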

Additional articles about Conditional Forwarders

  1. Configure a DNS Server to Use Forwarders (MS TechNet docs)
  2. Using forwarders (MS TechNet docs) 

If you're still experiencing issues with a domain connection, contact us for further assistance at support@controlup.com
