How to determine what LDAP settings to use when installing Protection Engine 9.x using the Windows Active Directory-based authentication option
search cancel

How to determine what LDAP settings to use when installing Protection Engine 9.x using the Windows Active Directory-based authentication option


Article ID: 270669


Updated On:


Protection Engine for Cloud Services


When installing Symantec Protection Engine for NAS 9.0.x and you choose the option "Windows Active Directory-based authentication" you will be presented with the following box which doesn't fully explain what settings to input.


Release : 9.0.1


Here is a hypothetical domain for this exercise.


Domain Group: {the group the console user must be a member of}:



Active Directory URL: This should be the nearest server with a copy of the directory.

The best way to tell what to put here is to open a command prompt and use the “NLTEST” command to return the best server:

nltest /

Sample Output:

The previous command returned the nearest DC in this example:


Enable Secure Connection: This won’t be covered in this example. If this box is checked then the next box (Active Directory Port) will need to be set to 636 (or whatever the server/domain admin established as the secure port). You will also need to acquire the SSL certificate required to interact with it.


Active Directory Port: The most common is port 389.  If the domain is part of multiple domains with bidirectional trusts established then port 3269 (the Global Catalog port) might also work.


Active Directory Base DN: This is made up of the root elements of your domain.  In this example “” it would be entered in as:  dc=example,dc=com


Active Directory Group DN:  Here is an easy way to get what needs to be put in this box.


From a computer with the “DSQUERY” command installed on it (most servers should have it) run the following command:   dsquery group –name “group name”

In this example:  dsquery group –name “SPEAdmins”

Sample Output:

The above command gives you exactly what to enter into the box.


Based on the previous steps the proper way to fill out the boxes in this exercise are as follows:

Next {provides a summary of what was just entered}


The rest of the installation has nothing to do with AD settings. You can click until the wizard has finished.


HOWEVER: You may have already installed SPE 9 and don’t want to uninstall and reinstall just because you are receiving an error similar to the following when attempting to import the server into the console : Failed to add following server(s): <ip address or name>. Reason: Authentication failed due to invalid LDAP configurations.


All of the settings previously chosen are recorded in the #LDAP section of a text file named “


This file will be located in “C:\Program Files\Symantec\Scan Engine\RestAPI

Sample Content:

You can modify these settings if importing a SPE server is not working and you want to try different settings in order to correct the problem.

Note: Any changes made to this file will require restarting the “Symantec Protection Engine REST API” service in Services Manager, or by running the following command from command box.

net stop symcrestapiservice && net start symcrestapiservice