Validating Parent/Child Domain Configuration
As demonstrated already, the eG Enterprise system provides administrators with a Validate option that helps them check the correctness of the domain configuration when creating that domain, and enables them to make changes to the configuration on-the-fly. This way, the solution prevents the creation of domains with incorrect/invalid details!
Sometimes, however, as part of a routine maintenance exercise or owing to a policy requirement, administrators may make significant changes in the AD environment after the eG manager-AD integration - for example, the domain name can be changed, the domain can be migrated to another server with a different IP address, the login names of domain users can be modified, and so on. Some changes may also occur inadvertently - for instance, a user account may expire or may be locked out, the network connection between the eG manager and the AD server could become flaky, etc. Such changes are bound to affect the AD-eG manager integration, causing issues in manager accesses to the AD server, domain user registration with the eG Enterprise system, and even user logins. Therefore, when users of the eG Enterprise system complain of issues related to the integration, administrators need to rapidly initiate investigations in order to diagnose the reason for this occurrence.
To facilitate this preliminary diagnosis, the eG administrative interface provides the Validate a domain option. Using this option, administrators can quickly check a registered domain's accessibility and the correctness of the connection details provided at the time of domain configuration, from the eG manager itself. In addition, with the help of this page, administrators can quickly view the user groups that are available in a domain and even check the validity of domain user accounts that they intend to add to the eG Enterprise system, without having to physically log in to the AD server.
To use this page, do the following:
Select the domain that needs to be investigated from the domain(s) tree, and pick the Validate domain option from the What would you like to do? list in the right panel (see Figure 1).
Figure 1 : Selecting the Validate option from a domain's right-click menu
Figure 2 will then appear. First, from the What would you like to validate? drop-down, select the option that indicates what it is that you wish to validate. By default, the Is this domain reachable? option is chosen from this list. When users complain that they are unable to connect to a domain, you can select this option to verify whether the domain name that you had provided at the time of domain configuration is still valid or not. If an auto-discovered domain is chosen for validation from the tree-structure, then selecting the Is this domain reachable? option displays the Display Name and the fully-configured Domain Name of the selected domain. On the other hand, if a manually added domain is chosen for validation from the tree-structure, then selecting the Is this domain reachable? option displays the Display Name, the fully-configured Domain Name, the Domain IP, and the Port No of that domain. Click the Connect button to check whether the displayed domain is reachable or not. If the domain is reachable, then a message to that effect will appear. If not, then the reasons for the failure will also be indicated.
Figure 2 : Checking whether or not an auto-discovered domain is reachable
Figure 3 : Checking whether or not a manually added domain is reachable
Sometimes, a domain may be reachable over the network – i.e., the reachability check performed at step 2 above may return positive results – but one or more users in that domain may still not be able to log in to the eG management console. One of the probable reasons for this could be a problem in communication between the eG manager and certain domain controllers configured in specific sites in that domain. To troubleshoot such issues in communication, an administrator can choose the Troubleshoot communication with domain controller option from the What would you like to validate? list. Once this is done, the Display Name and fully-qualified Domain Name of the chosen domain will be displayed (see Figure 4).
Figure 4 : Troubleshooting communication with domain controller
Click on the Fetch Sites button in Figure 4 to know which sites are operating in that domain. This will bring up a Select an Active Directory Site drop-down, which will be automatically populated with the sites configured in the domain (see Figure 5).
To know which domain controllers are configured in a site and to verify communication with each domain controller, select a site from the Select an Active Directory Site list and click the Get IP Addresses for site button (see Figure 5). The IP Address, Host Name, and Port of each domain controller operating within the selected site will then be displayed in a table, as depicted by Figure 6.
To know if the eG manager is able to establish a socket connection with the IP address of a domain controller in the table, click the Bind icon corresponding to that domain controller. If the manager is able to communicate successfully, then a message box shown by Figure 7 will appear confirming the same. If the bind is unsuccessful, it is indicative of an issue in communication between the eG manager and the domain controller.
Figure 7 : A message stating that the Binding was successful
Likewise, you can click on the Reverse Lookup icon corresponding to a domain controller in the table to check whether or not the DNS server is able to correctly resolve the host name of the controller to its IP address. If this lookup is successful, then a message box shown by Figure 8 will appear confirming the same. If the reverse lookup is unsuccessful, it could mean that an improper DNS configuration is the reason behind the communication issue between the eG manager and the domain controller.
Figure 8 : A message stating the Reverse lookup was successful
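The Bind and Reverse Lookup checks described above can also be reproduced from a shell on the eG manager host, which helps separate a network or DNS fault from a product-side one. The Python script below is an added example, not part of the eG Enterprise product; the host name, IP address and port in its sample row are constructed placeholders, and it goes one step further than the page by also comparing the IP-to-name (PTR) record against the host name.

```python
import socket

def can_connect(ip, port, timeout=3.0):
    """TCP socket connection to the controller's port, as the Bind check does."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:  # refused, timed out, unreachable
        return False, f"{type(exc).__name__}: {exc}"

def dns_consistent(host, ip, forward=None, reverse=None):
    """Return a list of DNS problems; empty means name->IP and IP->name agree."""
    # Resolvers are injectable so the logic can be exercised without live DNS.
    forward = forward or (lambda h: socket.gethostbyname_ex(h)[2])
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    problems = []
    try:
        addrs = forward(host)
        if ip not in addrs:
            problems.append(f"{host} resolves to {addrs}, not {ip}")
    except OSError as exc:
        problems.append(f"forward lookup failed: {exc}")
    try:
        name = reverse(ip)
        # DNS names are case-insensitive and may carry a trailing dot.
        if name.rstrip(".").lower() != host.rstrip(".").lower():
            problems.append(f"{ip} maps back to {name}, not {host}")
    except OSError as exc:
        problems.append(f"reverse lookup failed: {exc}")
    return problems

def check_controllers(rows, **dns):
    """rows: (ip, host, port) tuples copied from the site's controller table."""
    report = []
    for ip, host, port in rows:
        ok, detail = can_connect(ip, port)
        report.append({"host": host, "ip": ip, "port": port,
                       "connect": ok, "connect_detail": detail,
                       "dns_problems": dns_consistent(host, ip, **dns)})
    return report

if __name__ == "__main__":
    # Constructed sample row; replace with the values shown in the table.
    sample = [("192.0.2.10", "dc01.corp.example", 389)]
    for row in check_controllers(sample):
        print(row)
```

A controller that connects but reports DNS problems points at the DNS configuration, while a failed connection with clean DNS points at routing, firewalling or the directory service itself.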
If the password of the Domain User is changed after domain configuration, then the eG manager will no longer be able to connect to the AD server for creating/validating domain user logins. If users complain, then administrators can select the Is this domain connection credential valid? option from the What would you like to validate? list to verify the validity of the Domain User Password. Soon after selecting this option, the Domain User and Domain User’s Password will be displayed. Click the Validate button in Figure 9 to check validity. The resulting message will indicate whether the displayed connection credentials are valid or not.
Figure 9 : Checking the validity of the domain connection credentials
Before attempting to register a domain user with the eG Enterprise system, you may want to check whether the user really exists in that domain. For this, select the Does the user exist in this domain? option from the What would you like to validate? list. Upon selecting this option, the chosen Domain Name will be displayed. Enter the name of the user who needs to be checked in the User Name text box. Finally, click the Validate button. The resulting message will indicate whether the user exists in the domain or not, and if not, suggests a solution for the same (see Figure 10).
Figure 10 : Checking whether the user exists in the domain or not
Domain user logins to the eG Enterprise system may also fail if one of the following is/has become invalid:
- Domain name
- User name
- User password
To know which one of the above parameters is invalid, select the Is the user able to login to domain? option from the What would you like to validate? list. Once the chosen Domain Name is displayed, enter the login credentials of the user to be verified, and click the Login button. The resulting message indicates whether the login was successful or not (see Figure 11).
Figure 11 : Checking whether the user is able to login to the domain
The first step to registering a domain user group with the eG Enterprise system is finding which user groups exist in the domain. For this, select the Enumerate domain user groups option from the What would you like to validate? drop-down list and click the Enumerate button. All user groups available in the chosen domain will then be listed (see Figure 12).