If your organization has several domains, you can monitor computers from the other domain through your main domain. It can be a customer with 2-3 domains and it can be an MSP which is connected to dozens of domains. In order to maintain a successful connection from one AD to the other, some prerequisites are required.
This will be a troubleshooting article. If you simply want to know if ControlUp supports multiple domains, the answer is yes.
- The computer running the console should have LDAP access to the relevant AD forests’ Domain Controllers.
- DNS conditional forwarding should be configured so the computer running the console is able to resolve any relevant AD DNS entry in the external forest.
- The console should have valid AD credentials in the external forest.
- The credentials should be entered at the AD Connection section via the Settings menu.
- The ControlUp agent needs to be pre-installed on the relevant target computers (the agent MSI package can be used to accomplish this).
- Ports \ FW -
- TCP port 40705 (by default) must be opened on the external network to support console–agent communication.
- For Hypervisor support, HTTPS port (443) has to be opened on the external network to support console-Hypervisor communication. If you have a data collector in place, the port should be open from the data collector.
Possible Error message
When adding a domain and the connection is non-successful, the following error message will be displayed (click on the image to enlarge)
In this case, we need to check several aspects of the network to see where it fails.
- A sniffer can be installed (e.g. Wireshark) and see the communication and the DNS response that is being received.
- failed DNS query for example -
- Validate that DNS-wise port 53 is available in TCP and UDP on the DNS server.
- The DNS works mostly in UDP but DNS queries can also use TCP if UDP port 53 is not accepted.
- You can ping the remote AD but since it's another protocol (ICMP) it won't mean that LDAP is operational.
- Use LDP.exe from the Console machine to gain access with the same credentials you've set in the Console. LDP is a GUI tool that acts as an LDAP client so you can test the connection there.
- Check if there is some sort of a coalition between DNS configuration. E.g. if the Conditional Forwarder was configured correctly, maybe Forward Lookup Zone type secondary, hosts file on the AD? (just checking to validate).
- LDAP works on TCP and UDP port 389, or on port 636 for LDAPS.
- Some environments open TCP/389 only. Enable UDP/389 and re-check. (same goes for LDAPS ports).
- LDAP servers typically use the following ports:
- TCP 3268 LDAP connection to Global Catalog
- TCP 3269 LDAP connection to Global Catalog over SSL
- 'nslookup' can also be useful to resolve the other AD by name\IP.
Additional articles about Conditional Forwarders
If you're still experiencing issues with a domain connection, contact us for further assistance at firstname.lastname@example.org