The "machine is domain controller" value is incorrectly reported as FALSE for a domain controller type asset

Article ID: 163515

Products

Control Compliance Suite Windows

Issue/Introduction

While using Control Compliance Suite (CCS) 11.x, during asset import and/or update jobs, the "machine is domain controller" value is incorrectly reported as FALSE for a domain controller type asset.

No error message is shown, but you can enable verbose logging and review the Symantec.CSM.LDAPDataCollector.{date&time}.csv logs to see the UserAccountControl value found for each asset processed.

Cause

CCS sets the "machine is domain controller" value by looking at the asset's LDAP attribute named "UserAccountControl". By default, this value is "532480" for a domain controller, and finding this value results in "machine is domain controller" = TRUE. If CCS finds any other value, it reports "machine is domain controller" = FALSE.

In some instances this value is reported as "532512" on domain controllers. This is an incorrect value, set due to a defect in the DCpromo procedure.

Resolution

Contact your Active Directory administrator and discuss the situation. Domain controllers should have a "UserAccountControl" value of "532480" and nothing else. You can use ADSIedit to update the value.
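
To see which assets fail the exact-match comparison described under Cause, and which flag bits account for the difference, the following added example decodes UserAccountControl values. It is not CCS code or part of the original article; the flag names and bit values are those in Microsoft's userAccountControl documentation, and the host names and the workstation value are constructed sample data.

```python
# userAccountControl bit flags (subset, per Microsoft's documentation).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
SERVER_TRUST_ACCOUNT = 0x2000
EXPECTED_DC_UAC = 532480  # the value the article says CCS expects on a DC


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit(assets):
    """For each (name, uac) pair, compare the exact-match rule with the flag bits."""
    report = []
    for name, uac in assets:
        has_dc_bit = bool(uac & SERVER_TRUST_ACCOUNT)
        report.append({
            "name": name,
            "uac": uac,
            # Exact comparison, as the article describes CCS doing.
            "exact_match": uac == EXPECTED_DC_UAC,
            # The bit that marks a domain controller computer account.
            "has_server_trust_bit": has_dc_bit,
            # Flags set beyond the expected 532480, only meaningful for DC accounts.
            "extra_flags": decode_uac(uac & ~EXPECTED_DC_UAC) if has_dc_bit else [],
        })
    return report


# Constructed sample: hypothetical host names; 532480 and 532512 are the
# two values from the article, 4096 is a plain workstation account.
SAMPLE = [("DC01", 532480), ("DC02", 532512), ("WS01", 4096)]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row["name"], row["uac"], "exact_match=%s" % row["exact_match"],
              "dc_bit=%s" % row["has_server_trust_bit"], row["extra_flags"])
```

An asset with `has_server_trust_bit` true but `exact_match` false is the case this article covers; for 532512 the extra flag is PASSWD_NOTREQD (0x20).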