Issue description   

After adding a new domain in ADManager Plus, you may find that directory objects such as users, groups, computers, or OUs are not being retrieved. Although the domain appears in the configured list, no data is displayed for management or reporting tasks.

Possible causes   

1. Service account permissions: The account used to add the domain may not have sufficient privileges to fetch directory objects.

2. Connectivity issues: Network or DNS problems between the ADManager Plus server and the newly added domain can prevent data retrieval.

3. Domain settings misconfigured: Incorrect domain controller details or hostnames in ADManager Plus settings can block directory access.

4. LDAPS not configured: If the environment requires LDAP over SSL, missing certificates or configuration may prevent secure directory communication.

Prerequisites   

Before configuring and syncing a new domain in ADManager Plus, ensure the following:

• The ADManager Plus server must be able to resolve and connect to at least one domain controller in the newly added domain using required ports (TCP 389, 636, 88, 135, 139, 445).

• Ensure that the firewall rules allow communication. Use the DMZ Port Analyzer tool to verify connectivity.

• The new domain must have a trust relationship with the domain or forest where ADManager Plus is installed. For cross-forest scenarios, a two-way trust is recommended.

• The configured service account must be a member of the Domain Administrator group or have equivalent delegated permissions. Refer to the list of required privileges here.

Resolution   

Follow these steps to resolve the issue and enable successful data sync from the new domain:

Step 1: Verify domain settings in ADManager   

1. Log in to ADManager Plus and navigate to Directory/Application Settings > Active Directory.

2. Find the newly added domain and click the Edit icon.

3. Confirm that a valid domain controller is specified using its FQDN or hostname.

4. Enter the valid service account Domain Username and Domain Password and click Update to save the configuration.

5. If the update fails:

• Check that the ADManager Plus server can resolve the domain controller via DNS.

• Ensure the necessary TCP ports (389, 636, 88, 135, 139, 445) are open and reachable.

Step 2: Validate service account permissions   

You can verify the service account’s permissions using one of the following methods:

1. Using Active Directory Users and Computers (ADUC):

1. Identify the service account used in domain configuration.

2. Open the Active Directory Users and Computers (ADUC) console.

3. Right-click the domain and select Properties, then go to the Security tab.

4. Review the permissions assigned to the service account:

• Ensure it has at least Read access to the domain and the necessary containers.

• Confirm that permissions are granted either directly or through group membership, following best practices like the AGDLP model.

5. If permissions are insufficient, adjust them in the Security tab or by updating group memberships as needed.

2. Using PowerShell:

1. Launch PowerShell using Run as different user and authenticate with the same service account. Then run the following command:

• Get-ADUser -Filter * -ResultSetSize 1

2. If this returns a result, it confirms the account has permission to query Active Directory. This method is useful for validating access when directory objects are not being retrieved in ADManager Plus after domain addition.

Step 3: Resync the domain in ADManager Plus

1. Navigate to Directory/Application Settings > Active Directory and click the Refresh icon next to the domain name to force a sync.

2. Once the sync completes, check the Management and Reports tabs to see if directory data is now visible.

Tips 

• Make sure the ADManager Plus server can resolve and connect to the domain controllers in the new domain, and that all necessary ports are open.

• If domain controllers aren't discovered automatically, add them manually in the domain configuration settings.

How to reach support  

If the issue persists, contact our support team here.