"Symantec Endpoint Protection Manager could not validate certificate of target Domain Controller" error when trying to add an Active Directory OU to Endpoint Protection Manager



Article ID: 276892


Products

Endpoint Protection

Issue/Introduction

When trying to add an Active Directory (AD) OU to the Symantec Endpoint Protection Manager (SEPM) you receive the following error:

Symantec Endpoint Protection Manager could not validate certificate of target Domain Controller. Make sure the computer trusts the Domain Controller's certificate then try again.

Environment

SEPM synced to AD server

Cause

This issue is caused by one or more of the following:

1) The AD certificate has expired

2) The AD server address used in the SEPM configuration does not match the Subject or Subject Alternative Name in the AD certificate

3) The OS the SEPM is installed on does not trust the AD certificate

Resolution

Each of the causes listed above has its own resolution, described below. It is possible to be affected by more than one cause at the same time, so check all three:


Issue 1 (The AD certificate has expired):

Renew the certificate on the AD server


Issue 2 (The AD server address used in the SEPM configuration does not match the Subject or Subject Alternative Name in the AD certificate):

Ensure that the name or IP address entered in the SEPM's AD server configuration exactly matches one of the names in the AD certificate, for example the FQDN rather than the IP address.


Issue 3 (The OS the SEPM is installed on does not trust the AD certificate):

If the AD certificate is self-signed, or was not issued by a certificate authority the operating system already trusts, install the issuing certificate into the Trusted Root Certification Authorities store of the OS the SEPM is installed on, so that the OS, and therefore the SEPM, will trust it.
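The following PowerShell script is an added diagnostic example, not part of the KB article or of Symantec's product. Run on the SEPM host, it retrieves the certificate the domain controller presents over LDAPS and reports each of the three conditions above (expiry, name match, local trust). The host name `dc01.corp.example` and port 636 are assumptions; use the exact name or IP entered in the SEPM directory server configuration.

```powershell
# Added example (not from the KB article). Checks the three causes listed
# above against the certificate a domain controller presents over LDAPS.
# $DcName and $Port are assumptions; $DcName must be the exact value configured in SEPM.
param(
    [string]$DcName = 'dc01.corp.example',
    [int]$Port = 636
)

$client = New-Object System.Net.Sockets.TcpClient($DcName, $Port)
try {
    # Accept any certificate during the handshake so it can be inspected afterwards;
    # trust is evaluated explicitly below with X509Chain.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($DcName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $client.Close()
}

# Issue 1: validity period
$now = Get-Date
$expired = ($now -gt $cert.NotAfter) -or ($now -lt $cert.NotBefore)

# Issue 2: collect Subject CN plus every SAN entry and compare with the configured name
$names = @()
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn) { $names += $cn }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) {
    # Format() yields e.g. "DNS Name=dc01.corp.example, IP Address=10.0.0.5"
    $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] })
}
$nameMatch = $names -contains $DcName   # -contains is case-insensitive

# Issue 3: can this machine (the SEPM host) build a trusted chain for the certificate?
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate the trust question from revocation reachability
$trusted = $chain.Build($cert)

[pscustomobject]@{
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    NotAfter     = $cert.NotAfter
    Expired      = $expired
    NamesInCert  = ($names -join '; ')
    NameMatches  = $nameMatch
    ChainTrusted = $trusted
    ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join '; ')
}
```

A `False` in `NameMatches` points to Issue 2; `False` in `ChainTrusted` with a status such as `UntrustedRoot` or `PartialChain` points to Issue 3.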


As a final, not recommended, solution if none of the above options are viable, you can edit the SEPM's AD configuration to disable certificate verification. This is done in the SEPM under Admin -> Servers -> Select your server -> Edit server properties -> Directory Servers -> Click "Edit" for your AD server entry and check the box "Disable verification of the directory server certificate". This could lead to security issues, as the connection between the SEPM and the AD server no longer verifies the certificate to ensure that it is the proper server, and it should only be used as a last resort.