Users cannot enroll and periodic regrouping fails if the Active Directory server used by Encryption Management Server is unavailable

Article ID: 157511


Products

Encryption Management Server
Gateway Email Encryption

Issue/Introduction

If you are using LDAP Directory Synchronization to enroll Encryption Desktop users to Encryption Management Server and group users according to Active Directory security group membership, both enrollment and regrouping will fail if the LDAP server used by Encryption Management Server is unavailable.

The LDAP server is almost always a Windows Server running Active Directory.

When an Active Directory server cannot be reached during client enrollment or during periodic regrouping against Active Directory, Encryption Management Server logs the following warning in the Client log or the Group log:

ldap operation result: -1, Can't contact LDAP server

Cause

The Active Directory server cannot be reached and there is no secondary Active Directory server configured.

Environment

Encryption Management Server 3.3 and above with LDAP Directory Synchronization enabled.

Resolution

Configure a failover Active Directory server.

In the Encryption Management Server administrative interface, under Consumers / Directory Synchronization, there is a list of LDAP Directories. Click on the name of an existing LDAP Directory to see the Active Directory servers that Encryption Management Server uses for that directory. To add an Active Directory server, click on the + button and enter the hostname, port, protocol and priority of the new server.

It is recommended to add a failover Active Directory server in order to provide redundancy. By having a failover LDAP Server configured in Encryption Management Server, you can continue to enroll users and associate users with groups using Active Directory, even if the primary LDAP Server is unavailable.

If there is more than one LDAP Server listed, the server with priority 1 is always used unless it cannot be contacted, in which case the server with priority 2 is used. If the same priority is assigned to all servers, Encryption Management Server will attempt to load balance between them.

It is recommended that the two Active Directory servers are located in different data centers. For maximum speed, the highest priority server should be in the same data center and preferably on the same subnet as Encryption Management Server.

Note that while it is possible to add more than two servers, each additional server adds to the complexity of the Encryption Management Server configuration and may negatively affect speed of enrollment and regrouping while providing little or no discernible benefit.

Specify individual Active Directory servers rather than a round robin DNS name that points to multiple Active Directory servers. This is because Encryption Management Server runs nscd (the name service cache daemon), and this service may not work as expected with DNS round robin. Specifically, nscd may cause the regrouping and enrollment processes to query the same DNS round robin host every time.

In a cluster environment, the LDAP settings replicate to the other cluster members, except for the Priority setting. You will need to set the priority on each cluster member and you can, if required, set different priorities on different cluster members.

Be sure to click on the Test Connection button for each server to check that the server can be reached by Encryption Management Server.

Note that client enrollment can take considerably longer when the priority 1 server is unreachable. This is because Encryption Management Server tries the priority 1 LDAP server before trying the priority 2 server each time it binds to Active Directory. Each failed attempt to bind to the priority 1 server takes between 3 and 20 seconds, depending on the issue that is preventing the bind, and there are about 5 such attempts in the course of enrollment.

Because the failover server will only be queried when the primary server is unavailable, please be sure to check periodically that the failover server is still available.
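The following script is an added example (not Broadcom/Symantec code) of the periodic availability check recommended above, together with the priority ordering described earlier: it groups a constructed server list the way Encryption Management Server tries it and probes every server, including the failover, with a bounded TCP connect. The hostnames, the `SERVERS` list and the functions are assumptions for illustration; a TCP connect only shows the LDAP port is open, whereas the Test Connection button performs a full bind.

```python
"""Reachability check for the Active Directory servers configured in
Encryption Management Server (added example, not vendor code).

Assumptions (hypothetical): the SERVERS list mirrors the entries on the
Directory Synchronization page (hostname, port, priority), and a TCP
connect to the LDAP port is an adequate liveness probe."""
import socket
from typing import Iterable

# Constructed sample following the article's recommended layout:
# one priority-1 server close to EMS, one priority-2 failover elsewhere.
SERVERS = [
    {"host": "dc2.example.local", "port": 636, "priority": 2},
    {"host": "dc1.example.local", "port": 636, "priority": 1},
]


def failover_order(servers: Iterable[dict]) -> list[list[str]]:
    """Group servers by priority in the order EMS tries them.

    Lower number is tried first; servers sharing a priority form one
    group, which EMS load-balances across."""
    groups: dict[int, list[str]] = {}
    for s in servers:
        groups.setdefault(s["priority"], []).append(s["host"])
    return [sorted(groups[p]) for p in sorted(groups)]


def check_server(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds in time.

    The timeout is bounded so a dead primary does not stall the whole
    check, the same way a failed bind delays enrollment."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_all(servers: Iterable[dict], timeout: float = 3.0) -> dict[str, bool]:
    """Probe every server, not only the primary: the failover is queried
    only when priority 1 is down, so its outage would otherwise go unnoticed."""
    return {s["host"]: check_server(s["host"], s["port"], timeout) for s in servers}


if __name__ == "__main__":
    for tier, hosts in enumerate(failover_order(SERVERS), start=1):
        print(f"tier {tier}: {', '.join(hosts)}")
    for host, ok in probe_all(SERVERS).items():
        print(f"{host}: {'reachable' if ok else 'UNREACHABLE'}")
```

Run it from a host with the same network view as Encryption Management Server (for example from a scheduled job) so that an unreachable failover is reported before the primary fails.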