Hello,
We are having issues with being able to either update an ADOM from 5.2 to 5.4 or be able to delete the ADOM from Fortimanager.
An example. We had a 5.2.x Fortigate associated to a ADOM in Fortimanager and it was, of course, also 5.2. I deleted the fortigate device out from under the ADOM, because the 5.2 device was being removed from production. Then I tried to upgrade the ADOM to 5.4 by right clicking on it under system settings/All ADOM's. It comes back with an error of Fail(errno=-999):cannot be empty - User adgrp "Customer/DOMAIN ADMINS" has empty server-name.
So then I would try to Delete the ADOM completely so I can just re-create the ADOM. When I attempt to delete it from System Settings/All ADOM's it comes back with a message that says "Unable to delete because ADOM is not empty," but I don't see any thing under that ADOM that it could still be seeing. It has been doing this ever since we updated the Fortimanager to 5.4.1.
Anyone have any thoughts? Is it a GUI thing? Is there a command I can use via CLI on the Fortimanager to attempt to delete out the ADOM so I can free up the license and just re-add it as 5.4 so I can add a 5.4 unit under it?
Any help would be appreciated. Thank you.
-Vince
so this is 5.4.1 FMG? and can you help do a check if in that ADOM "Device Manager", any script group still there?
5.4.1 has an extra check for script group, we removed that check in 5.4.2 (but still need to delete device and device group for that ADOM)
For ADOM upgrade issue, I will double check this part, in FMG 5.2, "config user adgrp" is managed in device db and ADOM level just a name, but FMG 5.4 we moved this config management to ADOM / policy package db (for all 5.0/5.2/5.4 ADOM versions), so can you help do a check by "exec fmpolicy print-adom-object" for adgrp config? if only has name, you may need to do a device policy import to import the complete config for adgrp entry (but if device is removed already, you may need to run script to generate the config for them or if you have correct FSSO agent config (IP, password), FMG 5.4 will connect to FSSO agent to retrieve a list similar as FOS side)
Thanks
Simon
Simon,
We are on 5.4.2 on the FM.
There was a single script, not group script, still present and I removed that and attempted to update the ADOM to 5.4 and it still failed with the same message as earlier. No group scripts were present. We found the issue with the upgrade after I tried that. In the Policy and Objects under User and Device there was a group that pointed to an AD user account that we used for LDAP authentication for SSL VPN. We removed that and we were able to upgrade the ADOM to 5.4 with no issues. We attempted to delete it before upgrading it and it still comes back with the same message that it can't delete it because it is not empty. Just wanted to let you know.
Thanks,
Vince
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.