11 Replies Latest reply on Aug 8, 2013 10:24 AM by lshunnarah

    Can't manage multiple AD domains with same Netbios name / different FQDNs

    lshunnarah

      I've currently tried to add a new AD domain to our Patch Manager system to inventory and manage their domain computers.  I already had added the WSUS server successfully for this domain and was able to manage Microsoft and 3rd party updates without issue.  In order to start managing more with their Windows systems I've installed the PM Automation role on a server in this domain successfully.  My issue occurs when attempting to add the new AD to my management group.  I am able to go through the Management Group Wizard successfully and add the new AD domain. However, once I finish, the new AD domain I just added is not there.  I'm assuming there is some limitation in the database that is causing it not to allow multiple domains to be managed if they have the same NETBIOS name.  The new AD domain has a different FQDN than the existing one already set up in the system with the same NETBIOS name.

       

      Is there any way to make this work without renaming one of the AD domains (which may not even be possible since they both have Exchange servers and would require massive amounts of labor that I'm sure the customer will not approve of)?

       

      There are no errors during my attempt to add this additional domain to the existing Management Group.

       

      Louis

        • Re: Can't manage multiple AD domains with same Netbios name / different FQDNs
          Lawrence Garvin

          In addition to adding the domain to the Management Group, you will also need to add Credentials to the Credential Rings, so that the Patch Manager console user can enumerate the domain. Most likely the domain is not appearing in the Windows Networking node because there is no authority to query the Domain Controller.

           

          Now... aside from that, there WILL be issues managing two domains that are using the same NETBIOS domain name. At a minimum this will likely require you to always specify domain identities using username@domain.local format rather than DOMAIN\username format, since it will be impossible to distinguish DOMAIN1 from DOMAIN2 using the DOMAIN\username format.
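
The ambiguity described in the reply above, as an added example that is not part of the original thread and is not Patch Manager code: a small audit that finds NetBIOS name collisions in a domain inventory and shows which credential identities cannot be resolved to a single domain. The domain names, the account name and the function names are constructed for illustration, and the code assumes the UPN suffix equals the domain's DNS name.

```python
from collections import defaultdict

# Constructed sample inventory: (DNS name, NetBIOS name). Not from the thread.
DOMAINS = [
    ("corp.example.com", "CORP"),
    ("corp.example.net", "CORP"),      # different FQDN, same NetBIOS name
    ("branch.example.org", "BRANCH"),
]

def netbios_index(domains):
    """Map each NetBIOS name (case-insensitive) to the FQDNs that use it."""
    index = defaultdict(list)
    for fqdn, netbios in domains:
        index[netbios.upper()].append(fqdn.lower())
    return {name: sorted(fqdns) for name, fqdns in index.items()}

def collisions(domains):
    """NetBIOS names claimed by more than one domain."""
    return {n: f for n, f in netbios_index(domains).items() if len(f) > 1}

def classify_identity(identity, domains):
    """Return (status, detail) for a DOMAIN\\user or user@fqdn string.

    Assumes the UPN suffix equals the domain's DNS name (no alternate
    UPN suffixes configured).
    """
    index = netbios_index(domains)
    if "\\" in identity:
        netbios, _, user = identity.partition("\\")
        if not netbios or not user:
            return ("invalid", identity)
        candidates = index.get(netbios.upper(), [])
        if not candidates:
            return ("unknown-domain", netbios)
        if len(candidates) > 1:      # down-level name cannot pick one domain
            return ("ambiguous", [f"{user}@{f}" for f in candidates])
        return ("ok", f"{user}@{candidates[0]}")
    user, sep, suffix = identity.rpartition("@")
    if not sep or not user or not suffix:
        return ("invalid", identity)
    known = {fqdn.lower() for fqdn, _ in domains}
    if suffix.lower() not in known:
        return ("unknown-domain", suffix)
    return ("ok", f"{user}@{suffix.lower()}")

if __name__ == "__main__":
    for ident in ("CORP\\svc_patch", "BRANCH\\svc_patch", "svc_patch@corp.example.net"):
        print(ident, "->", classify_identity(ident, DOMAINS))
```
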

            • Re: Can't manage multiple AD domains with same Netbios name / different FQDNs
              lshunnarah

              I was able to specify both credentials when I first attempted to add the second domain because it had a different user name.  However, when attempting to add the domain to the management group it would never show up, I assume because the NETBIOS domain was the same as an existing domain already in that mgmt group (possibly an issue with the way this data is stored in the db?).  I don't think the credentials play a role in this procedure; however, I still tried adding the credentials using the UPN format like you suggested, at which point it presented me with a warning and asked me to specify the Pre-Windows 2000 format, which I did, and it entered the credential properly.

               

              Besides this one issue, all other domains work fine.  We have about 24 different domains total and fortunately all but this one have had unique domain names for both formats.

               

              Currently all domains/wsus servers are in one management group and I use one or more automation server per domain.

               

              I use the default credential ring and have one credential per domain added to it.

                • Re: Can't manage multiple AD domains with same Netbios name / different FQDNs
                  Lawrence Garvin

                  Yikes! You're right. The NETBIOS names also create a conflict within the Management Group itself.

                   

                  If you're up for it, a workaround to that would be to install a second Management Role server just to manage the other domain.

                   

                  There's more information about Management Groups and Management Role Servers in this Product Blog post:

                  Patch Manager Architecture – Deploying Application & Management Role Servers

                  1 of 1 people found this helpful
                    • Re: Can't manage multiple AD domains with same Netbios name / different FQDNs
                      lshunnarah

                      Good idea and my original plan for all domains, but the way I understand it, adding another management group and assigning a new machine to that group as the mgmt server would cause the data collected for that domain to be stored on that management server.  We have custom reports that were written using our local Eminentware db.  Since all data for that particular domain would be stored on a server and db I would have to speak with our developer to see if he could still automate our report generation/distribution process using both databases, securely.

                       

                      This would work in a less complex way if there was a way to periodically merge that data from the second management servers db into the main one we store all the rest of the data in.

                       

                      Since I know the built in canned reports are able to combine all the data from the multiple databases spread across the management groups I know it's possible some way or another.

                       

                      Thank you for the suggestions as they seem to have led me to some new ideas as to how to tackle this.

                        • Re: Can't manage multiple AD domains with same Netbios name / different FQDNs
                          Lawrence Garvin

                          It is true that the inventory data will be stored in a separate database; however, reports, by default, read from ALL Management Groups, so there would be no impact to your existing custom reports. Only if you wanted to filter those reports by domain would additional customization be necessary.

                           

                          In fact, because the report would be reading from two different Management Role servers (i.e. databases) simultaneously, the reports will actually render faster than they would if all of the data were in a single Management Group database.

                            • Re: Can't manage multiple AD domains with same Netbios name / different FQDNs
                              lshunnarah

                              Sorry, I should have clarified when I said "custom".  We don't use the PM report engine to write the custom reports.  We use Crystal report writer.  The report writing and generation processes are done on the SQL server we use for PM.

                               

                              Again thanks for your help!

                              • Re: Can't manage multiple AD domains with same Netbios name / different FQDNs
                                lshunnarah

                                Ok, so here's the deal.  I created a new management group.  I attempted to add the second AD domain to this second management group and received an error:

                                 

                                The scope is already assigned to Management Group (NAMEOFNEWGROUP). You must delete the scopes current Management Group assignment before attempting to assign to another Management Group.


                                DataPortal_Insert method call failed

                                DataPortal.Update failed

                                 

                                Apparently it's still seeing that identical NETBIOS name for the domain and preventing me from adding the domain to the second mgmt group.

                                 

                                That really sounded like it would work however after trying this I'm still coming back to there being an issue with the database not allowing this.

                                  • Re: Can't manage multiple AD domains with same Netbios name / different FQDNs
                                    Lawrence Garvin

                                    You'll need to remove that domain from the first management group before it can be added to the second. That may be somewhat tricky if it's not actually showing up in the list of managed objects in the management group. It may require you to remove both domains from the management group, and then add back the first domain. Then you can add the second domain to the second management group.

                                     

                                    But perhaps not... in my console, the "Managed Domains, Workgroups and Update Servers" tab of the management group displays the domain in AD format. If both domains are not listed there, navigate to the Patch Manager System Configuration node, and open "Scope Management" from the center pane. They should all be listed under "Active Directory Domains and Workgroups". Select a domain, and the details pane will display attributes of that entry, including the NetBIOS name and the assigned management group.

                                      • Re: Can't manage multiple AD domains with same Netbios name / different FQDNs
                                        lshunnarah

                                        I had actually checked the Scope Management section earlier to see, and what happens is if I remove both domains, then add one in, it looks fine in the scope management (however they are all listed as the FQDN of the domain, not the Pre-Win2k).  When I attempt to add the second domain in a different management group, even though it gives me an error and doesn't seem to make any changes, the Scope Management shows details of the second domain I went to add in the first domain's AD FQDN details.  So it somewhat mixes up both domain data into one AD Domain.

                                         

                                        I'm not sure if I'm painting the picture properly here with my post but perhaps I'll start adding some screenshots.

                                          • Re: Can't manage multiple AD domains with same Netbios name / different FQDNs
                                            Lawrence Garvin

                                            A screenshot might be helpful ... at least to ensure I'm understanding what you're actually seeing.

                                              • Re: Can't manage multiple AD domains with same Netbios name / different FQDNs
                                                lshunnarah

                                                I know this hasn't been updated in awhile.  I have been pulled in many different directions and this one took a back seat for awhile.  However, I'm revisiting this issue and letting anyone who's interested know I still have no solution for this issue.  I still feel it has to do with the database in some manner.  I've attempted all the options suggested in here from LGarvin which I'm very thankful for his input.  Unfortunately there is still no success here.  I understand that this product isn't the best when it comes to an MSP but from other posts I've read it sounds like the SW people are working hard to turn this product they took over into something with the same standards as products they've built from the ground up.  We also experience the troubles with NAT and WMI/DCOM.  At some point it seemed a host file entry on the PAS would resolve this but recently here we've been seeing systems that did function with this now are not.  Either way, I don't want to get off subject here.  I'm going to contact support and see if there are any options for my original issue which is not being able to add an additional domain to be managed if we had an existing domain with the same Netbios name.

                                                 

                                                Thanks!

                                                Louis