This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Domain (joining) problems after up2date to 9.713-19

Hi everybody,

yesterday I updated our UTM to 9.713-19 via up2date. After that, every two hours I got a message

[WARN-531] Directory Services synchronization: There was an error synchronizing subscribed groups. The Sophos UTM will continue to operate with a locally cached copy of the data but will be unable to update from Directory Services until the issue is resolved.
Error was:
failed to get base dn of domain myfoo.bardomain.tld

Authentication Services -> Servers -> (my AD connection): both tests of the "bind dn" as well as the "base dn" were successful.

I then tried to re-join our domain via Authentication Services -> Single Sign On -> Active Directory SSO and now I always get "joining the domain failed"

I went through the domain joining checklist (DNS forwarders, request routing etc.), did internal and external DNS tests via the Sophos UTM support tools, checked the hostname DNS settings in our AD DNS and even deleted the old computer object created by the last successful domain join years ago.

I reapplied the latest up2date and rebooted the UTM.

No luck. I'm not able to join our UTM to our domain anymore.

Any pointers?

Kind regards



This thread was automatically locked due to age.
  • Hi  ,

    Thanks for reaching out to Sophos Community and hope you are well

    In addition to the DNS requirements on your checklist that has been tested, any chance you checked the time and date configured on the UTM and the AD server as well?

    use 'date' command for date and time - for UTM

    net ads info -I <IPofAD> - For AD 

    You could also check more details on this KB: https://support.sophos.com/support/s/article/KB-000035211?language=en_US

    Thanks for your time and patience and Thank you for choosing Sophos

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi Raphael,

    thank you very much for your answer and the suggestions. Yes, I have checked the time and date settings and they're OK.

    Thank you also for the link you provided. At this point I believe it has something to to with the NTLM version being used. I temporarily set it to the required value and it still doesn't work; but I might have made an error there.

    Three questions:

    1.Where in the UTM logs can I find a full error message about the UTM not being able to join a domain? "Failed to join the domain" is not helpfull.

    2. Are the required NTLM settings only required for joining and can be set to the default values afterwards?

    3. What does the original error message mean/why did it appear only after the UTM update?

    Thanks & kind regards
    Ken

  • You are using a FQDN aren't you?  If that is truncated or incorrect, it can cause that error.  Could be a DNS issue as well.  Are you joining it using an account that has domain admin access?

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Hi  ,

    Good day and hope all is well

    Thanks for the provided details. Kindly create a support ticket for this to be further checked, also kindly let us know of the would be generated case number through DM or by replying to this thread so we can follow progress and make notes internally accordingly.

    Many thanks

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi,

    I was wondering if there were any further updates to this thread. I was going to update our SG330 UTM and came across this discussion. We have our UTM connected to our local AD, so wondered if this was a common problem, or how it would affect us if I performed the update.

    Thanks,

    Pat.

  • Hi  ,

    I found a solution for me with this problem (I hope, which helps on your end too).

    I strictly followed the AD-Guide (KBA000035211 @ sophos.support) with the NTLM rights.
    Those were already disabled, because I hardened my domain by MS best-practices.
    These "Best-Practices" also changed Session-Security-Settings (force 128-Bit Session-Security & force NTLMv2-Sec).
    Those Settings also had to be reverted! (create Reverse-GPO for those 3!!! settings) & temporarily disable the seperate "Hardening-GPO".
    If you've changed those settings in the "default DC-Policy" I'd recommend to only set those switches to "non defined" and create a Reverse-GPO for those 3 settings only.

    BUT

    I also had to make sure, that the domain-user for my "Firewall-SSO" has a Password no longer than 12-digits (Capitals, Lowers, Numbers & Special).
    I'm from Germany, so i also made sure that i only use Special-Characters, that i know are on the same key on an american key-layout (which effectively reduces them to "!" and "$".

    Created the SSO-User in AD ran a gpupdate on the modified DC, replicated everything to the second DC with gpupdate and also rebooted both of them.

    Then I was able to join the firewall to SSO-Domain.

    Funny fact.

    I changed the GPO-Settings back and ...

    Till now it keeps working *fingers-crossed*

    Have a great one

    Franz

    EDIT:
    Also have a look at those INBOUND Windows-Firewall-Settings "Remote Scheduled Tasks Management (RPC)", "Remote Scheduled Tasks Management (RPC-EPMAP)" & "Windows Management Instrumentation (WMI-In)".
    Here might also be a hickup there. This helped on another customers setup (right now).
    For most consistent result use GPO here aswell. Just fixing up another "lost-SSO" :-)

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009