Cached AD Information gets overwritten by AD Connection Error

Hi,

I’m noticing a kind of annoying behavior on 9.5.3 mobile clients.

The BigFix agent caches AD information for users but will overwrite this information whenever the agent samples AD next.

The AD cache gets overwritten regardless of whether or not the new information is valid.

Suppose you had a mobile user who was in the office:

  1. User is in the Office or Connected to VPN
  2. BigFix Agent Queries AD and caches their AD Group Information
  3. User leaves the Office and goes home
  4. BigFix Agent Queries AD and replaces the cached AD Group Information with an error.

The error that gets recorded (and replaces any cached AD info) is:
Failed to get attribute "distinguishedName" : Windows Error 0x8007054b: The specified domain either does not exist or could not be contacted. Domain: myDomain

This would mean anything you’ve got targeting a user’s group membership will stop working when they no longer have a direct connection to AD. In addition, the query "groups of logged on user of active directory" will report “Singular Expression refers to non-existent object”.

Does anyone know if this is new behavior?


My preferred behavior would be that the cache would be untouched in cases of an error like this.

My guess is that this error is being generated by the API the BigFix client is using and it isn’t doing anything to trap the error and just passing it through, which it shouldn’t in this case.

Examples:

User AD Cache file with error:

Related:


CC: @AlanM

It appears this issue may be resolved in 9.5.4 but we are still testing.

Any fixes in this area are also absent from the release notes :frowning:


I am running 9.5.13, and I am seeing the same behavior when a client cannot reach the domain. The AD Cache is overwritten with the following message.

"The specified domain either does not exist or could not be contacted."

@Strawgate, did you find a solution to this problem?

How can I test for the condition where the AD cache has been overwritten and the cache file for the logged on user has the error message:

Failed to get attribute "distinguishedName" : Windows Error 0x8007054b: The specified domain either does not exist or could not be contacted.

It appears that this relevance may work:

concatenation of (unique values of values of components whose (type of it="CN") of distinguished names (distinguished names of (groups of local users of active directory))) != ""
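Added example (not BigFix code, and not from any poster in this thread): a small Python model of the two cache policies discussed above and of the check asked about in this post. It walks the four-step sequence from the opening post (good sample in the office, then failed samples at home) through both the overwrite-on-every-sample behaviour reported for 9.5.3 and the "leave the cache untouched on error" behaviour the thread prefers, and it detects the 0x8007054b error text in a cached record. The cache record format, the user name, and the group DNs are constructed assumptions; the real client cache file layout is not documented on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional

# HRESULT quoted in the thread: 0x8007054B wraps Win32 ERROR_NO_SUCH_DOMAIN (1355).
AD_UNREACHABLE_HRESULT = 0x8007054B
ERROR_RE = re.compile(r"Windows Error (0x[0-9A-Fa-f]{8})")


@dataclass(frozen=True)
class AdCacheEntry:
    user: str
    groups: tuple[str, ...] = ()   # distinguished names of the user's AD groups
    error: Optional[str] = None    # lookup failure text when the sample failed
    stale_samples: int = 0         # failed refreshes since the last good sample

    def is_valid(self) -> bool:
        return self.error is None and bool(self.groups)


def cache_has_domain_error(text: str) -> bool:
    """True when a cached record carries the 'domain could not be contacted' failure."""
    m = ERROR_RE.search(text)
    return m is not None and int(m.group(1), 16) == AD_UNREACHABLE_HRESULT


def parse_record(user: str, text: str) -> AdCacheEntry:
    """Constructed record format (assumption, not BigFix's): one group DN per line,
    or the raw 'Failed to get attribute ...' error line the thread quotes."""
    if cache_has_domain_error(text):
        return AdCacheEntry(user=user, error=text.strip())
    groups = tuple(
        line.strip() for line in text.splitlines() if line.strip().upper().startswith("CN=")
    )
    return AdCacheEntry(user=user, groups=groups)


def cn_components(dn: str) -> list[str]:
    """CN= components of a DN, the same thing the relevance above pulls out with
    'components whose (type of it = "CN")'. Escaped commas (\\,) stay inside a value."""
    return [part[3:] for part in re.split(r"(?<!\\),", dn) if part.upper().startswith("CN=")]


def overwrite_on_sample(cached: Optional[AdCacheEntry], fresh: AdCacheEntry) -> AdCacheEntry:
    """Behaviour reported for 9.5.3: the newest sample replaces the cache unconditionally."""
    return fresh


def keep_last_good(cached: Optional[AdCacheEntry], fresh: AdCacheEntry) -> AdCacheEntry:
    """Preferred behaviour: a failed lookup never replaces valid cached groups. The
    failure is still counted so a policy can expire the cache deliberately later."""
    if fresh.is_valid():
        return fresh
    if cached is not None and cached.is_valid():
        return AdCacheEntry(cached.user, cached.groups, None, cached.stale_samples + 1)
    return fresh  # nothing good to keep, so record the error where it can be seen


# Constructed samples mirroring the thread's steps 2 and 4 (user name and DNs are made up).
IN_OFFICE = (
    "CN=VPN Users,OU=Groups,DC=myDomain,DC=local\n"
    "CN=Laptop Admins,OU=Groups,DC=myDomain,DC=local\n"
)
AT_HOME = (
    'Failed to get attribute "distinguishedName" : Windows Error 0x8007054b: '
    "The specified domain either does not exist or could not be contacted. Domain: myDomain"
)

Policy = Callable[[Optional[AdCacheEntry], AdCacheEntry], AdCacheEntry]


def simulate(policy: Policy) -> AdCacheEntry:
    """One good sample in the office, then two failed samples at home."""
    cache: Optional[AdCacheEntry] = None
    for sample in (IN_OFFICE, AT_HOME, AT_HOME):
        cache = policy(cache, parse_record("jdoe", sample))
    assert cache is not None
    return cache


if __name__ == "__main__":
    for policy in (overwrite_on_sample, keep_last_good):
        entry = simulate(policy)
        print(f"{policy.__name__}: valid={entry.is_valid()} "
              f"groups={[cn_components(g) for g in entry.groups]} stale={entry.stale_samples}")
```

Under the overwrite policy the third sample leaves the user with no groups and the error text in the cache, which is exactly the state in which a "groups of logged on user" relevance stops matching; under the keep-last-good policy the two office groups survive and the entry simply carries a stale count of two, so targeting keeps working while the failure remains visible.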

The issue we saw was fixed in 9.5.4. We filed a PMR for it I believe

According to L3 support, it is expected behavior that the AD Cache will be overwritten when the domain cannot be contacted.