Last logon information and other domain controller specific query information not available after domain is raised to a different functional level.

Article: TECH116402  |  Created: 2009-01-05  |  Updated: 2009-01-18  |  Article URL: http://www.symantec.com/docs/TECH116402
Article Type: Technical Solution

Product(s)

Issue



You have raised your domain's functional level, and now some queries are no longer gathering information. In particular, you can no longer gather Last Login information.

Symptoms
You may or may not be using Support Services installations on your Domain Controllers in the domain. Your Master Query Engine (MQE) in the domain may be on a Windows 2000 server. You discover that your MQE cannot detect all of your domain controllers by one of the following methods.


1. Primary test:

    • Log in to your MQE in the domain in question with a domain administrator account that is valid for that domain.
    • Run the BVQEConfig.exe file located in the \Symantec\BVNTQE folder.
    • Left-click to highlight the domain in question on the left side of the Bv-Config screen.
    • The right side of the screen should list the various servers in your domain (possibly including your domain controllers).
    • Right-click in a blank area on the right side of the screen and select FILTER COMPUTERS.
    • Uncheck all boxes except "Primary Domain Controllers" and "Backup Domain Controllers".
    • You should observe that only one of the several domain controllers in the domain is visible. This visible domain controller may be the one running the PDC emulation flexible single master operations (FSMO) role.

2. Alternate test:
    • Log in to the RMS console with an RMS administrative ID.
    • Launch a new query with the New Query wizard button.
    • Select BV-Control for Windows and its MACHINES datasource.
    • Go to the Scope tab of the Query Builder dialogue screen.
    • Expand the Active Directory scope and expand the domain in question.
    • Expand the Domain Controllers folder and check whether the domain controllers in the domain are all listed there. (Note: they should not all be displayed if this KB applies to your situation.)


Cause



The MQE machine is unable to detect the Domain Controllers in the domain. The MQE may still be able to detect the domain controller that is running the PDC emulation FSMO role (which should be on only one of the DCs in the domain). Possible reasons include incorrectly configured domain security settings, or the Network Security settings in the Security Options of the Local Security Policy of the MQE machine (e.g. this setting may be set to NTLM v1 or NTLM only).

Solution



Solution 1: Work with your Active Directory administrator(s) and System Administrators to ensure that the MQE server is configured or upgraded appropriately so that it can locate and communicate with the various domain controllers in the domain.
(Note: this is the best solution, as you will not be able to scope to the other domain controllers until this is fixed at the OS\domain level.)

Solution 2: If all you need is the Last Logon information from these domain controllers:
      • Manually deploy the Symantec RMS Support Services onto each of the domain controllers (refer to the Help in the RMS console under the section called "Installing the Bindview Support Service using the Support Service executable").
      • Launch BV-Config from the RMS console.
      • Left-click on your MQE in the BV-Config window to highlight the MQE.
      • Double-click on "Query Engine Settings" on the right side of the screen.
      • Ensure that the User Cache section of the Cache tab (on the Query Engine Settings dialogue screen) has the ENABLED check box selected.
      • Click the ADVANCED button on the Cache tab of the Query Engine Settings dialogue screen.
      • Check the ENABLED checkbox for Last Logon Caching on the Advanced user Cache Options dialogue screen.
      • Select the "Search Selected Domain Controllers" radio button and then click the ADD button to the right.
      • Manually input the names of all the domain controllers that you deployed the Support Services on and then click OK.
      • Select the "Support Services collect Last Logon data" radio button on the Advanced user Cache Options dialogue screen.
      • Click the OK buttons and then close BV-Config.
      • Restart the Bindview Query Engine service on the MQE server in the domain in question.
      • Wait several minutes and then test to see if the Last Logon information is available from the servers.
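
To sanity-check the result of the last step independently of the product, the following added example (not Symantec's code) merges per-domain-controller lastLogon values for one account and reports which DCs were never collected. It assumes the Active Directory lastLogon attribute, which is not replicated between domain controllers and is stored as a Windows FILETIME; the DC names and values are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def utc_to_filetime(dt):
    """Encode a UTC datetime as 100-ns ticks since 1601-01-01 (used for sample data)."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def filetime_to_utc(ft):
    """Decode a lastLogon value; 0 or None means no logon recorded on that DC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def merge_last_logon(expected_dcs, per_dc_values):
    """Return (last_logon_utc, source_dc, missing_dcs) for one account.

    per_dc_values maps DC name -> raw lastLogon collected from that DC.
    A DC that was never queried is reported as missing, because the merged
    answer can be stale whenever any DC is absent from the collection.
    """
    missing = sorted(dc for dc in expected_dcs if dc not in per_dc_values)
    source, newest = None, 0
    for dc, ft in per_dc_values.items():
        if ft and ft > newest:
            source, newest = dc, ft
    return filetime_to_utc(newest), source, missing

# Constructed sample: three DCs (hypothetical names), one account.
EXPECTED_DCS = ["DC01", "DC02", "DC03"]
JAN_05 = datetime(2009, 1, 5, 9, 0, tzinfo=timezone.utc)
JAN_12 = datetime(2009, 1, 12, 8, 30, tzinfo=timezone.utc)
ALL_DCS = {"DC01": utc_to_filetime(JAN_05), "DC02": utc_to_filetime(JAN_12), "DC03": 0}
PDC_ONLY = {"DC01": utc_to_filetime(JAN_05)}  # symptom: only one DC visible

if __name__ == "__main__":
    for label, data in (("all DCs", ALL_DCS), ("one DC only", PDC_ONLY)):
        when, dc, missing = merge_last_logon(EXPECTED_DCS, data)
        print(f"{label}: last logon {when} (from {dc}); not collected: {missing or 'none'}")
```

With only one DC collected, the merged value is the older logon and the other two DCs are listed as not collected, which is the stale result this article's symptom produces.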






Legacy ID



2009110509353053

