Several actions in the Vault Administration Console (VAC) share a selection dialog that allows an administrator to choose accounts from Active Directory. In certain scenarios, this dialog is unable to list the accounts in remote domains.
The following actions in the VAC are affected by this issue:
1. Adding permissions to an archive
2. Adding Windows users or Windows groups as targets to an Exchange Provisioning Group or Client Access Provisioning Group
3. Choosing the Bill Usage To user for an archive
(This list may not be exhaustive, as features added after the time of writing may also utilize this selection dialog.)
When the issue occurs, the selection dialog displays the following error:

Unable to list accounts in <DomainName>.
A domain controller for <DomainName> could not be found.
This may be because your primary domain controller is unavailable or problems with your network connection.
You can try typing the account you wish to grant access to in the add names edit box.
A packet capture from the EV server shows the error from the NetGetAnyDCName Windows API function.
This issue appears in two different scenarios:
1. On versions of EV prior to 10.0.1, the list of users would fail to populate for any remote domain. This was a defect and was fixed in EV 10.0.1.
2. On all versions of EV, the list of users will fail to populate for any domain that is not directly trusted by the domain in which EV resides. This is because EV uses the NetGetAnyDCName function from the Windows API to retrieve domain controllers (DCs). As described in the function's documentation, NetGetAnyDCName can only retrieve DCs from domains that are directly trusted by the domain from which it is run. Domains that are reachable only through a transitive (multi-hop) trust are therefore not found.
For clarification on Scenario 2, consider the Active Directory architecture in this diagram:
The blue arrows are the transitive trusts that are created automatically by the parent-child domain relationship. EV's domain controller discovery can traverse only one of these hops. If EV is installed in the East.Company.com domain as shown, then the selection dialog will be able to list accounts from the Company.com and NH.East.Company.com domains, but will fail with the above error when attempting to list accounts from West.Company.com or Hanover.NH.East.Company.com.
The red dashed arrows are the Shortcut Trusts that could be laid into place in order to remedy the problem. By creating a direct trust relationship between EV's domain and the remote domain, the Shortcut Trust allows NetGetAnyDCName to locate DCs in the remote domain and EV to list accounts from the domain in its selection dialog.
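The following PowerShell diagnostic is an added example and is not part of Enterprise Vault or of this article. Run on the EV server, it reproduces the two checks that matter for Scenario 2: it lists the domains that the EV server's own domain trusts directly (the only ones NetGetAnyDCName can resolve), and it calls NetGetAnyDCName for a target domain through P/Invoke, exactly as the selection dialog does, then compares the result with the DNS-based DC locator (DsGetDcName, as driven by nltest), which does follow transitive trusts. The script name and the domain names are the hypothetical ones from the diagram; the status codes are the ones documented for NetGetAnyDCName.

```powershell
<#
  Added diagnostic for the NetGetAnyDCName problem described above.
  Not Enterprise Vault code. Run on the EV server in the security context
  of the Vault Service account, for example:
      .\Test-EvDomainLookup.ps1 -TargetDomain West.Company.com
  (script name and domain are hypothetical examples from the diagram)
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$TargetDomain
)

# P/Invoke the same Win32 call that the selection dialog relies on.
Add-Type -Namespace EvDiag -Name NetApi -MemberDefinition @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int NetGetAnyDCName(string serverName, string domainName, out IntPtr buffer);

[DllImport("netapi32.dll")]
public static extern int NetApiBufferFree(IntPtr buffer);
'@

function Get-DirectTrust {
    # Trusts that the computer's own domain holds directly: parent-child,
    # tree-root, shortcut, external and forest trusts. A domain reachable
    # only through another domain does not appear in this list.
    $ownDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    foreach ($t in $ownDomain.GetAllTrustRelationships()) {
        [pscustomobject]@{
            Source    = $t.SourceName
            Target    = $t.TargetName
            Type      = $t.TrustType       # ParentChild, TreeRoot, Shortcut, External, Forest, ...
            Direction = $t.TrustDirection  # Inbound, Outbound, Bidirectional
        }
    }
}

function Invoke-NetGetAnyDCName {
    param([string]$Domain)
    $buffer = [IntPtr]::Zero
    $status = [EvDiag.NetApi]::NetGetAnyDCName($null, $Domain, [ref]$buffer)
    if ($status -eq 0) {
        $dc = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($buffer)
        [void][EvDiag.NetApi]::NetApiBufferFree($buffer)
        return [pscustomobject]@{ Status = 0; DomainController = $dc; Meaning = 'NERR_Success' }
    }
    # Status codes listed in the NetGetAnyDCName documentation.
    $meaning = switch ($status) {
        1311    { 'ERROR_NO_LOGON_SERVERS' }
        1355    { 'ERROR_NO_SUCH_DOMAIN' }
        2453    { 'NERR_DCNotFound' }
        default { 'other (see lmerr.h / winerror.h)' }
    }
    return [pscustomobject]@{ Status = $status; DomainController = $null; Meaning = $meaning }
}

$ownName = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
$trusts  = @(Get-DirectTrust)
Write-Host "Direct trusts of ${ownName}:"
$trusts | Format-Table -AutoSize | Out-String | Write-Host

$isDirect = $trusts.Target -contains $TargetDomain
$word = if ($isDirect) { 'directly' } else { 'NOT directly' }
Write-Host "$TargetDomain is $word trusted by $ownName."

$result = Invoke-NetGetAnyDCName -Domain $TargetDomain
if ($result.Status -eq 0) {
    Write-Host "NetGetAnyDCName returned $($result.DomainController)"
} else {
    Write-Host "NetGetAnyDCName failed: status $($result.Status) ($($result.Meaning))"
}

# The locator behind nltest (DsGetDcName) follows transitive trusts. If it finds
# a DC while NetGetAnyDCName fails and the domain is absent from the direct-trust
# list above, the symptom is Scenario 2 and a shortcut trust is the remedy.
Write-Host "DsGetDcName via nltest:"
& nltest "/dsgetdc:$TargetDomain" 2>&1 | Write-Host
```

The shortcut trust itself is created by a domain administrator, not by this script; one way is netdom, for example netdom trust East.Company.com /d:West.Company.com /add /twoway (hypothetical domains, credentials omitted). Within a single forest a shortcut trust adds no new trust boundary, since the two domains already trust each other transitively through the forest; it only gives NetGetAnyDCName a direct path, so it can be reviewed as a path change rather than as a new trust.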
The defect preventing enumeration of accounts in all remote domains (Scenario 1) has been addressed in Enterprise Vault 10.0.1.
The issue preventing enumeration of accounts in transitively trusted domains (Scenario 2) can be resolved by creating a Shortcut Trust between EV's domain and the remote domain.
In both scenarios, accounts from the affected domain can still be added to the relevant selection by typing their names in DOMAIN\User format; only the ability to pick them from the browse list is affected.