09-10-2014 08:52 AM
We have been trying to reconnect our ClearPass server to our AD but we keep getting the same issue. We called TAC but they are stumped as well. Our username and password for the domain are correct; we were able to disconnect the ClearPass server from the AD. Has anyone else come across this issue?
Here are a couple of screen captures.
09-10-2014 04:47 PM
Can you do a "network nslookup -q host" to that domain from the ClearPass CLI?
Also, is your clock set correctly?
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
04-22-2015 08:34 AM
I'm also having the same problem joining Clearpass to the domain.
ClearPass Policy Manager 18.104.22.168346 on CP-VA-25K platform
The domain controller is the primary DNS server.
The clock is set to NTP using the domain controller as the NTP server. Double-checked and the time between the two is spot on.
NSlookup does return the domain controller:
[appadmin@cppm01]# network nslookup -q host dc01.local.customer.ca
unknown query type: HOST
We are using a Domain Admin account. But no matter what we try, the results are the same:
Adding host to AD domain...
INFO - Fetched REALM 'LOCAL.CUSTOMER.CA' from domain FQDN
INFO - Fetched the NETBIOS name 'CC'
INFO - Creating domain directories for 'CC'
Enter da1's password:
Failed to join domain: failed to lookup DC info for domain
'LOCAL.CUSTOMER.CA' over rpc: NT_STATUS_CONNECTION_RESET
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'CC'
ERROR - cppm01 failed to join the domain LOCAL.CUSTOMER.CA
with domain controller as dc01.local.customer.ca
Join domain failed
The only thing I can't do is use the default "Administrator" account because they have renamed it on their domain.
04-23-2015 12:21 PM - edited 04-23-2015 12:22 PM
Please start a new thread for a new question.
No direct experience with this error, but if I google for that specific error I see solutions like this come up several times.
You could have a look at those. Also, making a packet capture during the join and checking whether there are better hints there might help.
04-23-2015 05:34 PM
Thanks for the reply. I did see that Samba article and forwarded it to the customer, but they are completely opposed to modifying AD. Their opinion is that too many things depend on AD that they can't risk causing issues.
I would have hoped that Aruba would have tested Clearpass on AD 2012 before releasing it to the wild. I have a case open with TAC so hopefully they will come up with a solution.
04-24-2015 10:17 AM
More digging with TAC confirms that Clearpass 6.5.x is running SMB version 3.6.2.x, so the above links about enabling SMB v. 1 on the domain won't work anyway. Important for anyone else out there who may try it as a possible solution.
04-25-2015 04:47 AM
OK, that is good to know; it will prevent people from trying something that doesn't work.
I would then fall back to making a packet capture and seeing if you can find more information there. Perhaps the server sends something with that message that points to a cause.
05-02-2015 05:31 AM
Microsoft support came through with a Registry fix which, when applied, enabled the unit to be joined to the domain, with a compromise though.
Their testing identified that the system is using SMB1 (in contradiction with what Aruba TAC told us) to communicate to the Domain Controller, and this registry setting lowers our domain security a bit by allowing this.
It does require a server reboot on the DC. Any communication coming from the ClearPass unit, which is using SMB1, hitting the other 3 DCs will fail. The default domain controller policy for Network Security is still set to "Send NTLMv2 response only. Refuse LM."
This is the Reg Key:
Original Value: SamSS Srv2
Change to: SamSS Srv2 Srv
(where Srv2 = SMB2 and Srv = SMB1)
The customer is asking Aruba to change Clearpass to use SMB2 because they aren't happy about lowering the domain security. SMB1 is 10+ years old.
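Since the fix above leaves one DC answering SMB1, an audit script like the following (added here as an example, not from the thread or from Microsoft/Aruba) lets an AD admin see which DCs still carry the "Srv" (SMB1) dependency. It assumes the value lives at HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DependOnService, which the post does not state, and that PowerShell remoting is enabled on the DCs.

```powershell
# Audit which domain controllers have the SMB1 server driver ("Srv") listed
# as a dependency of the LanmanServer service, i.e. the change described above.
# Assumed registry location (not given in the thread):
#   HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer  value: DependOnService
param(
    # Constructed default: audit the local machine; pass DC names to audit several.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$check = {
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'
    # DependOnService is a REG_MULTI_SZ; each entry is a service or driver name.
    $deps = (Get-ItemProperty -Path $svcKey -Name DependOnService -ErrorAction Stop).DependOnService
    # Srv2 = SMB2 driver, Srv = SMB1 driver (as the post notes).
    $hasSrv = [bool]($deps | Where-Object { $_ -ieq 'Srv' })

    # Cross-check with the SMB server cmdlet where it is available (2012+).
    $cfgSmb1 = $null
    try { $cfgSmb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } catch {}

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        DependOnService  = ($deps -join ' ')
        Smb1Dependency   = $hasSrv
        EnableSMB1Proto  = if ($null -eq $cfgSmb1) { 'n/a' } else { $cfgSmb1 }
    }
}

foreach ($dc in $ComputerName) {
    try {
        if ($dc -ieq $env:COMPUTERNAME) {
            & $check
        } else {
            Invoke-Command -ComputerName $dc -ScriptBlock $check -ErrorAction Stop
        }
    } catch {
        Write-Warning ("{0}: {1}" -f $dc, $_.Exception.Message)
    }
}
```

Any DC reporting Smb1Dependency = True is the one accepting the ClearPass join traffic; once the client side moves to SMB2, removing "Srv" again (and rebooting) restores the original dependency list.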