search cancel

Attempt to import OUs from Active Directory by LDAP results in "Server failed to connect with target directory server."

book

Article ID: 151496

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Unable to import Active Directory (AD) Organizational Units (OUs) through the Lightweight Directory Access Protocol (LDAP) in to the Symantec Endpoint Protection Manager (SEPM). 

The following errors can be observed when encountering this issue: 

"AD URL is malformed" (This error will occur when adding the AD Domain Controller (DC) under SEPM server properties, however the option to continue and add the DC anyway is still available.) 

"Server failed to connect with target directory server." (This error will occur when attempting to import OUs as client groups into the SEPM console.)

Cause

This behavior can result when the SEPM is unable to authenticate with the AD server. The authentication failure can occur when the AD server's local security policy is set to "Require Signing" for the LDAP server signing requirements.

Resolution

In order to resolve this issue, the LDAP server signing requirements must be set to "none."

Edit the Local Security Settings for LDAP on an AD server that is also a Domain Controller (DC).

  1. Click Start> Programs> Administrative Tools> Group Policy Management.
  2. Expand Domain Controllers, then right-click on the Default Domain Controllers Policy and select Edit.
  3. In the Group Policy Management Editor, expand Computer Configuration> Policies> Windows Settings> Security Settings> Local Policies> Security Options.
  4. Right-click on Domain Controller: LDAP server signing requirements.
  5. Select Properties and change the setting from "Require Signing" to "None".
  6. Click Apply> OK.
  7. Click Start> Run.
  8. In the run dialog box type in gpupdate /force and click OK.


Edit the Local Security Settings for LDAP on an AD server that is not a DC.

  1. Click Start> Run.
  2. In the run dialog box type in gpedit.msc.
  3. When the "Group Policy Object Editor" window opens expand Windows Settings> Security Settings> Local Policies> Select Security Options.
  4. Locate "Domain Controller: LDAP server signing requirements" and if the selection is set to "Require Signing" change it to "None"

 

In the event you need to continue using "Require Signing" policy, apply the following changes:

On the AD server:

  1. Open Registry Editor (regedit.exe)
  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
  3. Add a DWORD named LdapEnforceChannelBinding with a value equal to 2
  4. Launch mmc.exe and then from the File menu, click Add/Remove Snap-in.
    • In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, and then click Add.
    • In the Select Group Policy Object dialog box, click Browse.
    • In the Browse for a Group Policy Object dialog box, click Default Domain Policy under the Domains, OUs and linked Group Policy Objects area, and then click OK.
    • Click Finish and OK.
  5. Within the newly opened Group Policy Management Editor, expand Default Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, and then click Security Options.
  6. Right-click Domain controller: LDAP server signing requirements, and then click Properties.
    • In the Domain controller: LDAP server signing requirements Properties dialog box, enable Define this policy setting, click to select Require signing in the Define this policy setting drop-down list, and then click OK.
    • In the Confirm Setting Change dialog box, click Yes.

On the SEPM server:

  • Repeat steps 4 through 6 in the 'On the AD server:" section above.
    • Important Note: Instead of enabling Require signing for the Domain controller: LDAP server signing requirements, you will need to enable it for the Network security: LDAP client signing requirements.

​Refer to https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry and https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008 for more information.