
Purpose

Understand the workflow the BusinessObjects servers follow to obtain the list of users from an Active Directory group, and provide a list of troubleshooting methods for resolving issues you might encounter when adding groups to your system.

Configuring the account and adding groups

  • The Central Management Server (CMS) can only run queries against the AD if it is installed on a Windows machine.
  • The CMS queries the AD using the user account indicated on the page CMC > Authentication > Windows AD: AD Administration Name.
  • The format is DOMAIN\group_name.

Workflow of adding Active Directory groups to the CMS database

  1. The CMS runs a query on the network requesting domain controllers for the domain name indicated in DOMAIN\Group_name.
  2. Once the domain is found, the CMS connects to the DC obtained in step 1 and requests the list of users.

Errors resolving domain name

These two simple steps can generate a long list of errors. The first one occurs when resolving the given domain. The error displayed in the CMC page should be:

The secWinAD plugin failed to look up the account for the group "DOMAIN2\ValidGroupName". Please enter non-local groups as DomainName\GroupName and local groups as \\ServerName\GroupName.

By default, the Windows server uses NetBIOS to resolve domain names. For multiple domains, it is recommended to set the registry value UseFQDNForDirectoryServers as indicated in KBA 1199995.

In order to obtain more details, you should enable traces on the CMS server as indicated in KBA 1335757.

WINAD: ADNetworkBinding::GetDomainController() -- Looking up DC for DOMAIN2 (FQDN)

WINAD: ADNetworkBinding::GetDomainController() -- Could not locte a DC for domain DOMAIN2 or domain does not exist.

This is due to an operating system (Windows) error: the OS is not able to resolve domain names. There is nothing in the configuration of BusinessObjects that can change this behaviour, so troubleshooting has to continue at the network and OS level. Despite being outside the scope of BusinessObjects products, here are some useful tools to help you and your network and AD administrators find a solution.

Check what your CMS is requesting

As we have seen, there are only 2 lines in our CMS traces when the domain is not found. Let’s compare with the traces of a system that is working correctly:

WINAD: ADNetworkBinding::GetDomainController() -- Looking up DC for DOMAIN2 (FQDN)

WINAD: ADNetworkBinding::GetDomainController() -- Local site: Europe-UK, DC's site: Europe-UK

WINAD: ADNetworkBinding::GetDomainController() -- DC for DOMAIN2 is DC1.domain2.com

WINAD: ADNetworkBinding::BindIADsToDomainController() -- Binding to domain controller with LDAP://DC1.domain2.com/ -- hr=0
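
The failing and working sequences above can be told apart mechanically when the trace file is large. The following Python sketch is an added example, not SAP code: it groups the WINAD lines quoted on this page into lookup attempts and reports how far each one got. The function name `analyze`, the status labels, and the treatment of any `hr` value other than 0 as needing review are assumptions.

```python
import re

# Constructed sample: the failing and the working sequences quoted on this page.
SAMPLE_TRACE = """\
WINAD: ADNetworkBinding::GetDomainController() -- Looking up DC for DOMAIN2 (FQDN)
WINAD: ADNetworkBinding::GetDomainController() -- Could not locte a DC for domain DOMAIN2 or domain does not exist.
WINAD: ADNetworkBinding::GetDomainController() -- Looking up DC for DOMAIN2 (FQDN)
WINAD: ADNetworkBinding::GetDomainController() -- Local site: Europe-UK, DC's site: Europe-UK
WINAD: ADNetworkBinding::GetDomainController() -- DC for DOMAIN2 is DC1.domain2.com
WINAD: ADNetworkBinding::BindIADsToDomainController() -- Binding to domain controller with LDAP://DC1.domain2.com/ -- hr=0
"""

# search() is used so any prefix the trace file puts before "WINAD:" is ignored.
LOOKUP = re.compile(r"GetDomainController\(\) -- Looking up DC for (\S+)")
FAILED = re.compile(r"GetDomainController\(\) -- Could not loc\w* a DC for domain (\S+)")
SITES = re.compile(r"Local site: (.+?), DC's site: (.+)")
FOUND = re.compile(r"GetDomainController\(\) -- DC for (\S+) is (\S+)")
BOUND = re.compile(r"Binding to domain controller with LDAP://([^/\s]+)/ -- hr=(\S+)")


def analyze(trace_text):
    """Group WINAD lines into lookup attempts (hypothetical helper)."""
    attempts, cur = [], None
    for line in trace_text.splitlines():
        if m := LOOKUP.search(line):
            cur = {"domain": m.group(1), "status": "no-result",
                   "dc": None, "same_site": None, "hr": None}
            attempts.append(cur)
        elif cur is None:
            continue  # WINAD output that precedes any lookup
        elif FAILED.search(line):
            cur["status"] = "dc-not-found"  # OS could not resolve the domain
        elif m := SITES.search(line):
            cur["same_site"] = m.group(1).strip() == m.group(2).strip()
        elif m := FOUND.search(line):
            cur["status"], cur["dc"] = "dc-found", m.group(2)
        elif m := BOUND.search(line):
            cur["hr"] = m.group(2)
            # Assumption: only hr=0 (as in the working trace) counts as a clean bind.
            cur["status"] = "bound" if m.group(2) == "0" else "bind-review"
    return attempts


if __name__ == "__main__":
    for a in analyze(SAMPLE_TRACE):
        print(f'{a["domain"]}: {a["status"]} dc={a["dc"]} same_site={a["same_site"]} hr={a["hr"]}')
```

An attempt left at `dc-not-found` or `no-result` points to the name-resolution problem described above, which is where the network capture becomes useful.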

In the system that is not working, we can capture the network traffic using a tool such as Microsoft Network Monitor or Wireshark.

Basic tools to resolve names

Microsoft provides several tools to troubleshoot your NetBIOS resolution problems:

http://support.microsoft.com/kb/172218
