CCS Query/DC/CER jobs are getting error "Domain cache does not exists or not valid for domain. Data collection will not proceed"
search cancel

CCS Query/DC/CER jobs are getting error "Domain cache does not exists or not valid for domain. Data collection will not proceed"

book

Article ID: 238241

calendar_today

Updated On:

Products

Control Compliance Suite Control Compliance Suite Standards Server Control Compliance Suite Standards Module

Issue/Introduction

When a job in CCS for Query, Data Collection or Collection-Evaluation-Reporting (CER) scan is performed, you may get the following error:

"Domain cache does not exists or not valid for domain. Data collection will not proceed"

Environment

CCS 12.6.x

Windows Agentless or Agent-based data collection

Cause

Probable causes :

  • Domain cache is disabled.
  • Missing domain cache for the required domain of the Asset on one or more CCS Managers running the job.
    • Domain cache for the said domain (.mdb file) is missing under CCS Manager directory C:\Program Files (x86)\Symantec\CCS\Reporting and Analytics\DPS\control\Windows\Cache
  • The ConfigurationSettings.xml file on one or more managers (where Domain cache settings are kept) has become corrupted so the default domain cache settings are used since the XML cannot be applied.  This might also happen if the XML was edited incorrectly and the parameters were misspelled, etc.
  • CCS Managers are not able to connect to a domain controller to build domain cache.

Resolution

Perform the following

  • Verify if Domain Cache is enabled or disabled on each CCS manager.  The ConfigurationSettings.xml on each manager needs to be manually configured to disable the Domain cache. (See the Additional Information section below on how to disable Domain Cache)
  • Verify that each manager has a .mdb file for each domain.  Look in the C:\Program Files (x86)\Symantec\CCS\Reporting and Analytics\DPS\control\Windows\Cache folder to make sure that a .mdb file exists for each domain.
  • Verify the credentials for Domain Cache are correct for each Windows domain, and that the user is not disabled so that CCS will be able to build Domain cache for the Windows domain.
  • Verify that the ConfigurationSettings.xml file on the manager running the scan on the asset is not corrupt (this can happen if it is edited to disable domain cache but the syntax was not correctly added so the manager falls back to using default settings), and that the parameters have been entered correctly.  You can copy a ConfigurationSettings.xml from a manager that is not reporting the problem to see if that resolves the issue.
  • Verify that each CCS Manager is able to connect to each applicable domain controller and that all the required ports are opened, review the following documentation.
    Network ports
    • Review the 'Additional ports that must be open' section (under 'If the CCS infrastructure components must traverse a firewall to contact the Domain Controller, you must open additional ports for Windows authentication.' portion.  Make sure that all required ports are open.
  • Verify that not only are the ports open but that DNS is functioning and able to resolve the NetBIOS name of each domain controller but also the FQDN.
  • Use the KB Using Telnet or Powershell to troubleshoot connectivity between CCS components. to assist with troubleshooting the ports and other servers on the network.
  • Verify that you are indeed using Domain Cache and require it to be enabled, if not please refer to how to disable Domain Cache below under "Additional Information".

Additional Information

KB on how to disable Domain Cache is CCS:
How to disable Domain Cache in CCS

NOTE: The predefined CIS Benchmarks provided by Broadcom do not use Domain Cache, so those standards will work correctly with Domain Cache disabled.