DRA Full Account Cache Refresh fails with unspecified error

  • 7020151
  • 01-Jun-2017
  • 01-Jun-2017

Environment


NetIQ Directory & Resource Administrator 8.7.x

Situation

When a new Managed Domain is added using the DRA Delegation and Configuration console, the domain is added as expected. However, when the prompted Full Account Cache Refresh (FACR) is performed, the Managed Domain displays an error for the Account Cache Status, and the Full status displays "Unspecified Error".



The Windows Application Event log will display the following error message:

Domain training3.lab(TRAINING3) (Managed,AD) (Customer-requested manual accounts cache refresh) began at 2017-05-24 03:43:16 and ended at 2017-05-24 03:43:49, contents unsuccessfully loaded, hr=80004005=(Unspecified error)

The debug logs for the Cache Loader will also have the following error listed:

"****Error :: Failed domain collection: DRA cannot reach the preferred domain controller WIN2012R2DC.TRAINING3.LAB. Using the domain properties window, specify a domain controller that is reachable."


Resolution

Enable ICMP traffic from the DRA server to the Domain Controllers and vice versa.
or
Upgrade to DRA 9.0.2 or above.

Cause

ICMP is blocked by a firewall between the DRA server and the Domain Controllers.
DRA 8.7.x pings the Domain Controllers for the Managed Domain. If the ping is blocked and no reply is received, the DRA server does not successfully cache all the Managed Domain objects.

Additional Information

DRA 8.7.x requires certain ports to be open from the DRA server to the Domain Controllers. Even when the DRA server can otherwise communicate successfully with the Domain Controllers, adding a Managed Domain and/or performing a Full Account Cache Refresh (FACR) will fail if ICMP to the Domain Controllers is blocked.
DRA requires a list of ports to be available, including ICMP. For more information, refer to the DRA documentation section "Ports and Protocols Used in DRA Communications": https://www.netiq.com/documentation
DRA 9.0.2 and above no longer requires ICMP to be open when adding a new Managed Domain.
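
The following PowerShell is an added example, not NetIQ code. Run from the DRA server, it separates "ICMP blocked but host up" (the condition described above) from a Domain Controller that is unreachable, and it defines a Windows Firewall rule that accepts echo requests only from the DRA server rather than from any source. Assumptions: the function names are hypothetical, TCP 389 (LDAP) is used only as a "host is up" probe, and 192.0.2.10 is a placeholder address.

```powershell
# Added example, not NetIQ code. Run from the DRA server in an elevated session.
# Assumption: TCP 389 (LDAP) serves only as a "host is up" probe; the full port
# list is in the DRA documentation section referenced above.
$DomainControllers = @('WIN2012R2DC.TRAINING3.LAB')   # DC name from the debug log above

function Test-DraDcReachability {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($dc in $ComputerName) {
        # ICMP echo, which is what DRA 8.7.x relies on before caching the domain
        $icmp = Test-Connection -ComputerName $dc -Count 2 -Quiet
        # TCP probe to tell a filtered ping apart from a host that is down
        $tcp  = (Test-NetConnection -ComputerName $dc -Port 389 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
        $verdict = if ($icmp) {
            'ICMP reply received'
        } elseif ($tcp) {
            'ICMP blocked but host up (the condition in this article)'
        } else {
            'Host unreachable: check name resolution and routing'
        }
        [pscustomobject]@{
            DomainController = $dc
            IcmpReply        = $icmp
            Ldap389          = $tcp
            Verdict          = $verdict
        }
    }
}

# Scoped allow rule for the Windows Firewall on a Domain Controller: ICMPv4
# echo requests (type 8) are accepted only from the listed source address(es).
function New-DraIcmpEchoRule {
    param([Parameter(Mandatory)][string[]]$RemoteAddress)
    New-NetFirewallRule -DisplayName 'Allow ICMPv4 echo from DRA server' `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $RemoteAddress -Action Allow
}

Test-DraDcReachability -ComputerName $DomainControllers | Format-Table -AutoSize

# On each Domain Controller (192.0.2.10 is a placeholder for the DRA server):
# New-DraIcmpEchoRule -RemoteAddress '192.0.2.10'
```

If the blocking device is a network firewall rather than Windows Firewall, apply the equivalent rule there, limited to the DRA server and Domain Controller addresses in each direction.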