Control Compliance Suite (CCS)
When running CCS scans, if you do not need CCS to report on information about users or groups, or you use the predefined benchmarks released by Symantec you can disable Domain Cache for data collection jobs.
NOTE: The predefined CIS benchmarks released by Symantec do not require domain cache when run, so domain cache can be disabled.
Release : CCS 12.6.x and CCS 12.7 Managers
Component : Needs to be manually configured on each CCS manager that you want to disable Domain Cache.
Domain Cache is enabled by default and needs to be collected by each manager for each domain. The Domain Cache is pushed down to each agent to use in scans that need information about users, groups, or some computer components.
On each CCS manager in your environment, perform the following steps:
<!--Disable Domain Cache-->Example:
<PlatformSetting>
<Key>BuildDomainCache</Key>
<Value><![CDATA[FALSE]]></Value>
<Metadata><![CDATA[]]></Metadata>
</PlatformSetting>
Note for Agent-based Collection:
When you disable Domain Cache on any CCS Manager, the changes will not be pushed out to the agent until the next domain cache synchronization interval with the agent, which is by default 72 hours. (This setting can be set in Settings > Deployment View > Common Tasks > Configure Platform Settings > Windows. The setting is under the Cache Settings tab, and the setting is Cache refresh interval (Hrs):). That means that once you disable the domain cache on your Manager(s), you may have to wait up to 72 hours until those parameters are pushed out to the agent. Running data collection or CER jobs will not push out those settings to the agent, so you may still get domain cache errors on your agent(s) if the domain cache synchronization interval has not yet been reached.
If you continue to see the error "Domain cache does not exist or not valid for domain [ Domain ]. Data collection will not proceed" after the domain cache has been disabled on the manager and you have waited past the 72-hour (default) domain cache synchronization interval so the agent is updated, then from the Agent rename the following file "<InstallDir>\ESM\bin\dcmodules\AgentManifestFile.xml" to something like AgentManifestFile.xml_OLD or something similar. This file will then be recreated when the manager runs the next data collection on that agent with the new parameters. Data Collection will now proceed without issue.
If you just want to disable collecting domain cache for specific domains, but not all domains, you can edit the ConfigurationSettings.xml file and enable domain cache (BuildDomainCache=True), but then specify which domains you want to disable domain cache for by listing the domain(s) in the DomainCacheExclusionList parameter. Remember these settings will need to be added to each manager's ConfigurationSettings.xml file (make a backup of the file before editing), and restart the 'Symantec CCS Manager' and 'Symantec Data Processing Service' for the new configuration to take effect.
Example of the entries needed to have domain cache enabled, but DomainA, DomainB, or DomainC will be excluded and domain cache will not be collected on those 3 domains.
<PlatformSetting>
<Key>BuildDomainCache</Key>
<Value><![CDATA[TRUE]]></Value>
<Metadata><![CDATA[]]></Metadata>
</PlatformSetting>
<PlatformSetting>
<Key>DomainCacheExclusionList</Key>
<Value><![CDATA[domainA,domainB,domainC]]></Value>
<Metadata><![CDATA[]]></Metadata>
</PlatformSetting>
In the 'DomainCacheExclusionList' parameter, list the domain(s) for which you do not want cache to be created. If you want to list more than one domain, provide a comma-separated list of domains.