KNOWN ISSUE: Connection delay when using Carbon Copy 6.2.1144 with Active Directory Security

Article:TECH39613  |  Created: 2008-03-12  |  Updated: 2008-10-08  |  Article URL http://www.symantec.com/docs/TECH39613
NOTE: If you are experiencing this particular known issue, we recommend that you Subscribe to receive email notification each time this article is updated. Subscribers will be the first to learn about any releases, status changes, workarounds or decisions made.
Article Type
Technical Solution

Issue



After upgrading Carbon Copy Solution to version 6.2.1144, connecting to Carbon Copy agents takes between 30 seconds and 5 minutes. This is not inconsistent with each account used to establish the Carbon Copy connection. Certain accounts used in the connection attempts result in almost immediate connections whereas other accounts used can take an excessive amount of time. All Carbon Copy agents are configured to use "Active Directory" Security.

Environment



-Notification Server 6.0.6074
-Carbon Copy Solution 6.2.1144

-Multiple domains in Active Directory either via External Trusts or Parent-Child Internal Trusts


Cause



Carbon Copy authentication takes an extended amount of time to complete when all of the following conditions exist:

  • When attempting to connect to a Carbon Copy agent using an account that is part of a group within the built-in security container.
  • When the Domain contains child domains.

In this environment, we are trying to translate the SID associated with the Built-In Container the Carbon Copy Console account is a member of and failing. As seen from the log output below, the error 80072117 represents an Active Directory error that indicates the SID associated with more than group. This results in an attempted translation of the unique SID failing. The reason for the perceived duplication is that there is a Child domain present and seeing that groups the Built-In Container is using a standard SID definition, the result is an appearance of the multiple like SID's during this translation attempt. Here is a portion of this from a customer cc-shellker-log file:

[15:18:07.0474] USERPROF-I: *** AuthorizeADUser_tokenGroups(CN=Neil Charles Brown,OU=ADC - Ad Center,OU=USA-USERS,DC=na,DC=ad,DC=sym_test,DC=com)
[15:18:07.0489] USERPROF-I: NameTranslator::GetName(CN=Neil Charles Brown,OU=ADC - Ad Center,OU=USA-USERS,DC=na,DC=ad,DC=sym_test,DC=com) -> NA\BROWNC
[15:18:07.0489] USERPROF-I: EnumerateMemberships_tokenGroups(CN=Neil Charles Brown,OU=ADC - Ad Center,OU=USA-USERS,DC=na,DC=ad,DC=sym_test,DC=com)
[15:18:07.0661] USERPROF-E: [GC] pTrans->Set(S-1-5-32-545) failed, error=80072117
[15:18:07.0661] USERPROF-E: [DC: fin-nadcp1.na.ad.sym_test.com] pTrans->Set(S-1-5-32-545) failed, error=80072117
[15:18:08.0318] USERPROF-E: [Domain: ad.sym_test.com] pTrans->Set(S-1-5-32-545) failed, error=80072117
[15:19:33.0976] USERPROF-E: [Domain: na.ad.sym_test.com] pTrans->Set(S-1-5-32-545) failed, error=80072117
[15:19:33.0976] USERPROF-E: NameTranslator::GetName(S-1-5-32-545) failed to get type: ADS_NAME_TYPE_1779
[15:19:34.0054] USERPROF-E: [GC] pTrans->Set(S-1-5-32-548) failed, error=80072117
[15:19:34.0054] USERPROF-E: [DC: fin-nadcp1.na.ad.sym_test.com] pTrans->Set(S-1-5-32-548) failed, error=80072117
[15:19:34.0320] USERPROF-E: [Domain: ad.sym_test.com] pTrans->Set(S-1-5-32-548) failed, error=80072117
[15:20:58.0848] USERPROF-E: [Domain: na.ad.sym_test.com] pTrans->Set(S-1-5-32-548) failed, error=80072117
[15:20:58.0848] USERPROF-E: NameTranslator::GetName(S-1-5-32-548) failed to get type: ADS_NAME_TYPE_1779

This particular account is a member of the Built-In USERS Group as well as the Built-In ACCOUNT OPERATORS Group. Notice the delay as the translation attempt occurs from the Domain to the Child Domain in each case. This is a total delay of 2 minutes 49 seconds.


Solution



A hotfix has been included in this KB Article that resolves the problem identified in the 6.2.1144 release. The hotfix is "KB40873_hotifx.exe" and is a package which can be rolled out to a Carbon Copy Client base using SWD or Deployment Solution. The Hotfix can only be applied to the 6.2.1144 build of the Carbon Copy Solution.  When run, the hotfix will:

1.  Stop the "Altiris Carbon Copy" service

2.  Copy the updated file, "userprof.dll" into the Carbon Copy Agent installation path

3.  Start "Altiris Carbon Copy" service


In order to determine which machines have had this hotfix applied to them, check the version information of "userprof.dll". The "File version:" should be 6.2.1146.0, and the "Product Version" should be 6.2.1146

Note:  This hotfix does not address all of the built-in Active Directory Security Groups, just the most commonly used. For example, "Remote Desktop Users" is not included, so if your account is a member of this group you may experience slow authentication even after the hotfix has been applied to the client.

Attachments

KB40873_hotfix.exe (289 kBytes)

Supplemental Materials

SourceDEFECT
ValueNOR 15308
DescriptionLogged in alt255 (Altiris - Norwood) database

Legacy ID



40873


Article URL http://www.symantec.com/docs/TECH39613


Terms of use for this information are found in Legal Notices