Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Dave
Contributor
Jump to solution

Identity Collector - Identity Sources configuration

So i'm preparing to move from AD query to Identity Collector.

Installed the software on 2 domain controllers for redundancy.

All working fine for the domain controller on which the software is installed, but the other one is not.

Identity Sources.jpg

 "Unable to connect, please check connectivity ....."

Actually, i added our 4 DC as identity sources but only planning to install IC on 2 of them since this is enough for redundancy purpose.

 

Are you supposed to only add the DC where Identity Collector has been installed on, as identity source?

 

1 Solution

Accepted Solutions
Dave
Contributor

Got it figured out 🙂

 

The issue was Windows Firewall blocking dynamic ports communication between DCs, once we opened that up, everything became green and connected.

 

Advice to Checkpoint: please add this in the documentation of Identity Collector as a note (Windows Firewall rule which needs to allow incoming DCOM ports communication between DCs) so people don't have to loose too much time troubleshooting this.

View solution in original post

12 Replies
the_rock
Legend
Legend

You should be able to add all of them actually. Did you check connectivity with other 3?

Andy

Dave
Contributor

They are all in the same subnet so i would assume this would have been a no brainer. Seems not 😊

So on one DC, let's say DC4 in my case, i should be able to see events from all 4 DC, that's what you are saying?

Then i'm asking myself what is blocking this.....

the_rock
Legend
Legend

Agree, specially if its same subnet : - ). How did you add them? Manually or option "fetch automatically"?

Dave
Contributor

"fetch automatically" is how i added them

If i double click on the identity source where IC is installed, it passes the test and connection is fine.

If i double click on any other identity source where IC is not installed on, it fails the test with the message "unable to connect, please check"

the_rock
Legend
Legend

Let me confirm with client we did this for, as they also have 4 DCs I believe and all shows fine, but IC is only installed on one of them.

the_rock
Legend
Legend

This is what customer told me as the answer to my question if he remembered if we did automatic or manual...

 

"I can’t recall but I think it found all of them.  I know it pulled the wrong info (site name) and I had to manually enter that."

Dave
Contributor

Got it figured out 🙂

 

The issue was Windows Firewall blocking dynamic ports communication between DCs, once we opened that up, everything became green and connected.

 

Advice to Checkpoint: please add this in the documentation of Identity Collector as a note (Windows Firewall rule which needs to allow incoming DCOM ports communication between DCs) so people don't have to loose too much time troubleshooting this.

_Val_
Admin
Admin

Thanks for sharing the solution, @Dave 

the_rock
Legend
Legend

Good old Windows : - ). Thanks a lot for letting us know, it will help others, for sure!!

Dave
Contributor

Unfortunately, the story doesn't end here because another issue popped up.

So i had foreseen to run identity collector as a service under another service account, freshly created and with the domain user permissions, user is part of group 'Event Log Readers' group.

As soon as i run cpidc.exe as a service and under this new service account, everything stops working, all identity sources are yellow and no identities are collected anymore.

When i remove the service account and let the service run under my domain admin account, everthing changes instantly to green again and identities are collected.

This for sure has to do with user rights in Windows, but it seems like having a domain user with group membership of 'Event Log Readers' group is not enough?

Please help me understand what i'm missing 🙂

_Val_
Admin
Admin

Most probably the permissions mismatch. If you looked through sk108235 and sk179544 and did not find the trigger for the issue, I would advise engaging with TAC to drill down.

Dave
Contributor

Yes permission issue most probably, only hard to find what's missing...

This simple domain user account, should it also need to be part of the 'Distributed DCOM users' group?

Or the 'Event Log Readers' group should be enough?

 

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events