Use this information to troubleshoot Workspace ONE Access directory integration issues.

Identifying Domain Controller Latency in Windows Connectors

If end users are unable to log in with their Active Directory credentials and get an Access Denied error, or if login is very slow, follow these steps to determine whether domain controller network latency is causing the issue. Use the information that is applicable for your Workspace ONE Access connector version.

20.01 and 20.10 Connectors

  1. On the connector server, check the krb5.conf and domain_krb.json files, which contain the mapping of the domains to the current domain controllers used for each domain. For the Directory Sync service, the files are located in the INSTALL_DIR\Workspace ONE Access\Directory Sync Service\conf folder. For the User Auth service, the files are located in the INSTALL_DIR\Workspace ONE Access\User Auth Service\conf folder.
  2. Run the following commands from the connector server:

    nltest /dsgetdc:domain /try_next_closest_site (gets the closest domain controller cached by the OS)

    nltest /dsgetdc:domain /force (clears the OS cache and tries to determine the closest domain controller again)

    The connector's Windows OS identifies the nearest domain controller for each domain used by the directory.

  3. From the connector server, run the ping or psping command for each domain controller and check whether the domain controller responds quickly. Less than 20 ms is a good response time for a ping request.
  4. From the connector server, run the tracert command for each domain controller host for a domain and check the number of hops between the connector node and the domain controller host.
  5. If the domain controller is slow to respond, follow the best practices for domain network latency described in Best Practices to Avoid Network Latency.

21.08 and Later Connectors

  1. Check the connector log files. For the Directory Sync service, check the DirectorySyncService.out and eds-service.log files, which are available in the INSTALL_DIR\Workspace ONE Access\Directory Sync Service\logs folder. For the User Auth service, check the UserAuthService.out and eas-service.log files, which are available in the INSTALL_DIR\Workspace ONE Access\User Auth Service\logs folder.

    Frequent "Triggering forced windows DC discovery" messages in these files indicate high latency with the listed domain controllers. If this message appears more than three times in an hour, check the network latency for domain controllers. You can set alerts based on connector logs.

  2. On the connector server, check the krb5.conf and domain_krb.json files, which contain the mapping of the domains to the current domain controllers used for each domain. For the Directory Sync service, the files are located in the INSTALL_DIR\Workspace ONE Access\Directory Sync Service\conf folder. For the User Auth service, the files are located in the INSTALL_DIR\Workspace ONE Access\User Auth Service\conf folder.
  3. Run the following commands from the connector server:

    nltest /dsgetdc:domain /try_next_closest_site (gets the closest domain controller cached by the OS)

    nltest /dsgetdc:domain /force (clears the OS cache and tries to determine the closest domain controller again)

    The connector's Windows OS identifies the nearest domain controller for each domain used by the directory.

  4. From the connector server, run the ping or psping command for each domain controller and check whether the domain controller responds quickly. Less than 20 ms is a good response time for a ping request.
  5. From the connector server, run the tracert command for each domain controller host for a domain and check the number of hops between the connector node and the domain controller host.
  6. If the domain controller is slow to respond, follow the best practices for domain network latency described in Best Practices to Avoid Network Latency.
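
The log check in step 1 of the procedure for 21.08 and later connectors can be scripted. The following PowerShell is an added example, not VMware code: it counts the "Triggering forced windows DC discovery" messages and reports the busiest one-hour window. The function name, the timestamp format at the start of each log line, and the sample lines are assumptions; adjust the pattern to match your log files.

```powershell
# Added example (not VMware code).
function Get-ForcedDcDiscoveryRate {
    param(
        [string[]]$Line,
        # Assumption: each line starts with a timestamp such as
        # 2024-01-15T10:23:45 or 2024-01-15 10:23:45. Adjust for your logs.
        [string]$TimestampPattern = '^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})',
        [int]$Threshold = 3   # the page's limit: more than three in an hour
    )
    $message = 'Triggering forced windows DC discovery'

    # Timestamps of every line that carries the message, oldest first.
    $times = @(
        $Line | ForEach-Object {
            if ($_ -and $_.Contains($message) -and $_ -match $TimestampPattern) {
                $stamp = "$($Matches[1]) $($Matches[2])"
                [datetime]::ParseExact($stamp, 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            }
        } | Sort-Object
    )

    # Slide a one-hour window over the sorted timestamps.
    $start = 0; $worst = 0; $worstAt = $null
    for ($end = 0; $end -lt $times.Count; $end++) {
        while (($times[$end] - $times[$start]).TotalHours -ge 1) { $start++ }
        $count = $end - $start + 1
        if ($count -gt $worst) { $worst = $count; $worstAt = $times[$start] }
    }

    [pscustomobject]@{
        Messages     = $times.Count
        MaxInOneHour = $worst
        WindowStart  = $worstAt
        CheckLatency = ($worst -gt $Threshold)
    }
}

# Constructed sample lines, not real connector output.
$sample = @(
    '2024-01-15T09:02:11,120 INFO Triggering forced windows DC discovery'
    '2024-01-15T09:14:40,007 INFO Triggering forced windows DC discovery'
    '2024-01-15T09:31:05,512 INFO Unrelated message'
    '2024-01-15T09:47:18,300 INFO Triggering forced windows DC discovery'
    '2024-01-15T09:58:52,941 INFO Triggering forced windows DC discovery'
    '2024-01-15T11:30:00,000 INFO Triggering forced windows DC discovery'
)
Get-ForcedDcDiscoveryRate -Line $sample
```

To run it against a real log, pass the file's lines with -Line (Get-Content on eds-service.log or eas-service.log in the logs folders named in step 1). When CheckLatency is True, continue with the remaining steps for the domain controllers involved.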