Passwords not syncing from AD - Error: [PWD 4156] AddDCKey() domain controller ad.domain.com is not in list

  • 7017146
  • 13-Jan-2016
  • 19-Jun-2018

Environment

NetIQ Identity Manager 4.7
NetIQ Identity Manager 4.6
NetIQ Identity Manager 4.5
NetIQ Identity Manager 4.0.2
NetIQ Identity Manager Driver - Active Directory
Nsure Identity Manager 2.0

Situation

Problem synchronizing passwords from Active Directory to eDirectory.  
After configuring the remote loader for a trace level 5, you see the following error in the log:

Error: AddDCKey() domain controller dc.domain.com is not in list

DirXML: [12/22/15 14:41:49.32]: ADDriver: [PWD] - AddDCKey() domain controller WIN.ad.domain.com is not in list
DirXML: [12/22/15 14:41:49.32]: ADDriver: [PWD 4156] sPDCName = WIN.ad.domain.com
DirXML: [12/22/15 14:42:01.38]: ADDriver: [PWD] - AddDCKey() domain controller AD01.ad.domain.com is not in list
DirXML: [12/22/15 14:42:01.38]: ADDriver: [PWD 4156] sPDCName = WIN.ad.domain.com

Resolution

1.  Make sure you have successfully applied the current engine and remote loader patches for the IDM engine and remote loader you are running, available from dl.netiq.com.

2.  Make sure you are running the current Active Directory driver from dl.netiq.com.

3.  If this did not fix the issue, check the way you are authenticating to the domain. Set your authentication ID to "Administrator", put the Administrator's password in the application password fields, and make sure you have chosen "Negotiate" as the Authentication Method.   **** IMPORTANT: We have seen this error when you specify SIMPLE as the authentication method. Verify it is set to Negotiate. ****

4.  Restart the remote loader and/or the domain controllers in the domain. This refreshes the remote loader's list of domain controllers in the domain. At a minimum, restart the domain controller running the remote loader and the domain controller running the password filter listed in the error.

5.  Review the DNS configuration of the machine where the driver is running. Make sure you can resolve the names of the domain controllers, and that the DNS server servicing the domain is listed in the DNS server list for the LAN interface of the server (on the properties of the TCP/IP protocol configuration for the LAN card).

6.  Verify that communications are open on any routers or firewalls between the domain controller running the password filter and the remote loader server. Firewall restrictions and blocked ports have been known to cause this issue.

7.  Launch the Password Sync control panel applet, select the domain, and view the list of servers in the domain. Does the server named in the error show up in the list? It should.
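The following PowerShell script is an added diagnostic for steps 5 to 7, written for this article rather than taken from NetIQ's own tooling. It assumes it is run on the server hosting the remote loader with the ActiveDirectory and DnsClient modules installed, uses the host names from the trace excerpt above as constructed input, and the port it probes is an assumption because the article names none.

```powershell
# Added diagnostic (not from the article): run on the server hosting the remote loader.
# Assumes the ActiveDirectory and DnsClient PowerShell modules are installed there.
# Host names below are the constructed values taken from the trace excerpt above.
param(
    [string]$Domain       = 'ad.domain.com',
    [string[]]$ReportedDC = @('WIN.ad.domain.com', 'AD01.ad.domain.com'),
    # Assumption: the article names no port. 135 is the RPC endpoint mapper; a full
    # firewall check also needs the filter-to-remote-loader direction, run from the DC.
    [int]$Port            = 135
)

Import-Module ActiveDirectory -ErrorAction Stop

# Step 7: the set of domain controllers the domain itself reports.
$knownDC = @(Get-ADDomainController -Filter * -Server $Domain | ForEach-Object { $_.HostName })
Write-Output "Domain controllers reported by ${Domain}: $($knownDC -join ', ')"

# Step 5: the DNS servers configured on this host's interfaces.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { Write-Output ("DNS servers on {0}: {1}" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ')) }

# Steps 5 to 7 for each domain controller named in the AddDCKey() error.
foreach ($dc in $ReportedDC) {
    $inList = $knownDC -contains $dc          # -contains is case-insensitive
    $ip = $null
    try {
        $ip = (Resolve-DnsName -Name $dc -Type A -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    } catch { }
    $tcpOpen = $false
    if ($ip) {
        $tcpOpen = (Test-NetConnection -ComputerName $dc -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]@{
        DomainController = $dc
        InDomainDCList   = $inList    # $false matches the "not in list" symptom
        ResolvesTo       = $ip        # $null means the DNS check in step 5 failed
        TcpPortOpen      = $tcpOpen   # $false points at the firewall issue in step 6
    }
}
```

A domain controller that appears in the error but shows InDomainDCList as $true and resolves correctly points back to steps 3 and 4 (authentication method and a stale list in the remote loader) rather than to DNS or the network.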

Cause

When the remote loader starts up, it queries the domain to find out which servers are in it. This list is used to verify that the domain controllers sending it password changes are members of the domain.

If a server that is not in the remote loader's list of known domain controllers sends it a password change, the error "domain controller ad.domain.com is not in list" is given.

So either the server running the password filter is not in the domain, or there is a discrepancy in the list the remote loader holds, or there is a discrepancy within the domain as to which servers are actually in it.

Additional Information

This error is reported by the filter when it is building a list of the available domain controllers. A couple of things could cause this error:

  - The authentication credentials are invalid, so the driver fails to retrieve the correct information. Verify that Negotiate is the authentication method.

  - There is a problem with the DNS setup of the machine where the driver is running.

Formerly known as TID# 10093997