[Bug] LDAP Connectivity Fails when AD and Gateway have different DNs
WAC/Gateway Server: 1910.2
Description
Gateway server is located in a site of a corporate domain. When adding security groups (AD or local), it fails, saying that the group was not found in the sub-site. Example below.
Request:
Allow modification of the LDAP settings or use the FQDN of the domain rather than accepting the domain name of the gateway server.
Note: Please don't ask why it is configured that way or if I can change this. This configuration was in place long before my time and will not be modified.
Example:
AD Domain: na.corp.com
AD NETBIOS Domain: (CORP)
Gateway FQDN: wac.site.corp.com
- Gateway is part of CORP (na.corp.com) domain
Adding a group located in AD (CORP)
Group Name: WACSiteDBAs
- Added as CORP\WACSiteDBAs
- Added as na.corp.com\WACSiteDBAs
Adding a group located on the gateway (wac.site.corp.com)
Group Name: SiteDBAs
- Added as WAC\SiteDBAs
- Added as BUILTIN\SiteDBAs
- Added as SiteDBAs
Error:
Group <GroupName or Domain\GroupName> does not exist in domain site.corp.com or on the gateway machine. Individual users cannot be added to this list.
- This error is the same for each attempt
From Event Log:
Microsoft-ServerManagementExperience
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="SMEGateway" />
    <EventID Qualifiers="0">0</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-04-02T17:06:11.258666700Z" />
    <EventRecordID>155665</EventRecordID>
    <Channel>Microsoft-ServerManagementExperience</Channel>
    <Computer>wac.site.corp.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>The server could not be contacted.</Data>
  </EventData>
</Event>

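As an added diagnostic (not code from this thread or from Windows Admin Center), the PowerShell below makes the condition in this report visible on the gateway host: it compares the domain name derived from the gateway's own FQDN suffix with the AD domain the computer account actually belongs to, then tries the group lookup against both. It assumes it runs on a domain-joined gateway as a domain user; the group name WACSiteDBAs is taken from the report as a placeholder, and the suffix-based derivation is an assumption about the lookup the error text suggests.

```powershell
# Added diagnostic, not part of the thread or of Windows Admin Center.
# Assumed: run on the gateway host as a domain user. The group name is a
# placeholder taken from the report above.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$groupName = 'WACSiteDBAs'

# 1. Suffix-derived "domain": strip the host label from the gateway FQDN.
#    On wac.site.corp.com this yields site.corp.com, a DNS zone rather than
#    an AD domain, which matches the "does not exist in domain site.corp.com"
#    text in the report (assumption about how the name is derived).
$fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$suffixDomain = ($fqdn -split '\.', 2)[1]

# 2. Authoritative source: the domain the computer account is joined to.
$adDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name

[pscustomobject]@{
    GatewayFqdn       = $fqdn
    DomainFromSuffix  = $suffixDomain
    DomainFromAD      = $adDomain
    DisjointNamespace = ($suffixDomain -ne $adDomain)
} | Format-List

# 3. Resolve the group against each candidate so the failure mode is visible:
#    the suffix-derived name cannot be contacted, the AD domain name resolves.
foreach ($candidate in @($suffixDomain, $adDomain) | Select-Object -Unique) {
    try {
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $candidate)
        $grp = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $groupName)
        if ($grp) { "$candidate : found $($grp.DistinguishedName)" }
        else      { "$candidate : group '$groupName' not found" }
    } catch {
        # A non-domain name typically surfaces here as a server-down style
        # exception, the same symptom as the logged "The server could not be contacted."
        "$candidate : $($_.Exception.GetType().Name) - $($_.Exception.Message)"
    }
}
```

If DisjointNamespace is True and only the DomainFromAD lookup succeeds, the host exhibits the configuration this report describes.
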
11 comments
-
Wojciech commented
I confirm Jon's explanation. In my case, one domain, individual sites have their own DNS prefix. Same domain name.
-
Jon commented
You may have misunderstood. This is the same Active Directory domain for the entire corporation. But each site has a different DNS domain. I would be happy to go further into details over phone or zoom, but in short WAC cannot communicate with an AD domain whose FQDN does not match that of the gateway server.
-
WAC cannot work with multiple domains. It supports only a single domain. You must deploy an instance of WAC per domain.
-
Austin Wall commented
We are investigating deploying this as well, and appear to be encountering the same error.
-
Jon commented
Any update?
-
Jon commented
Still broken in WAC 2009
-
Jon commented
This appears to still be broken in WAC 2007
-
Wojciech commented
I have published a similar issue and I confirm that the reason may be the same.
I also have a gateway with a different DN.
Gateway: site.domain.com
and DC: domain.com
-
Jon commented
Thanks!
-
Thank you for reporting! A bug has been filed on this and I will follow up when I have an update.
-
Jon commented
Thoughts?