cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Dvanhemelryck
Engaged Sweeper

Hi,

I have several domains in my organization and for each domain, I have an error for scanning users. Lsw scans my RODC servers.

Dvanhemelryck_4-1682666336274.png

 

I have for all my domains "Preferred Domain Controllers" and my "Domain Ldaps Config" on the green status

Dvanhemelryck_2-1682666247223.png

Dvanhemelryck_3-1682666298359.png

 

 

 

I can't find it. The Rodc are not announced at the level dns or other ... If anyone can give me answers, assistance.

 

tks,

 

 

 

 

 

1 ACCEPTED SOLUTION
Obi_1_Cinobi
Lansweeper Tech Support
Lansweeper Tech Support

Hello there!

In and of itself, the LDAP error you're receiving doesn't necessarily indicate that AD data cannot be scanned. It does indicate that AD data could not be scanned by connecting to certain DCs. You can configure preferred domain controllers under Scanning\Scanning Targets but do be aware that these are only used for scanning.

For other LDAP connections, such as for performing clean-up, they're not used. Instead, the domain controllers in the domain are enumerated, and the scanning service will attempt to set up LDAP connections to domain controllers until one is successful.

In addition, certain parts of Active Directory scanning necessitate connecting to all available domain controllers, as they query the LastLogon attribute, which does not replicate across domain controllers:

  • Active Directory domain scanning operates by adding computers that were recently logged on to AD and haven't been scanned within a specific interval to your scanning queue. It queries the LastLogon attribute of computer objects.
  • Active Directory User Path scanning also scans the LastLogon attribute of users. Since this attribute does not replicate, we query all available domain controllers for the most recent value.

While the error in and of itself isn't necessarily indicative of an issue, you can cut down on it by doing the following:

  • Disabling the scanning of the LastLogon user attribute under Configuration\Server Options
  • Using Active Directory Computer Path targets rather than Active Directory Domain scanning targets

Again, this may not be necessary, and you may be able to ignore these errors. If you see no discrepancies in retrieved AD data, i.e., all AD attribute data is pulled in, you can ignore these errors.

View solution in original post

1 REPLY 1
Obi_1_Cinobi
Lansweeper Tech Support
Lansweeper Tech Support

Hello there!

In and of itself, the LDAP error you're receiving doesn't necessarily indicate that AD data cannot be scanned. It does indicate that AD data could not be scanned by connecting to certain DCs. You can configure preferred domain controllers under Scanning\Scanning Targets but do be aware that these are only used for scanning.

For other LDAP connections, such as for performing clean-up, they're not used. Instead, the domain controllers in the domain are enumerated, and the scanning service will attempt to set up LDAP connections to domain controllers until one is successful.

In addition, certain parts of Active Directory scanning necessitate connecting to all available domain controllers, as they query the LastLogon attribute, which does not replicate across domain controllers:

  • Active Directory domain scanning operates by adding computers that were recently logged on to AD and haven't been scanned within a specific interval to your scanning queue. It queries the LastLogon attribute of computer objects.
  • Active Directory User Path scanning also scans the LastLogon attribute of users. Since this attribute does not replicate, we query all available domain controllers for the most recent value.

While the error in and of itself isn't necessarily indicative of an issue, you can cut down on it by doing the following:

  • Disabling the scanning of the LastLogon user attribute under Configuration\Server Options
  • Using Active Directory Computer Path targets rather than Active Directory Domain scanning targets

Again, this may not be necessary, and you may be able to ignore these errors. If you see no discrepancies in retrieved AD data, i.e., all AD attribute data is pulled in, you can ignore these errors.