Troubleshooting Tips


Known error solution database

Domain Settings

  1. When I start ADAudit Plus, none of my domains are discovered. It says "No Domain Configuration available". Why?
  2. When I add my domains manually, the Domain Controllers are not resolved. Why?
  3. When I add the Domain Controller, I get an error as "The Servers are not operational". What does it mean?
  4. When I add the Domain Controller, I get an error as "Unable to get domain DNS / FLAT name". What does it mean?
  5. The status column in the domain settings says that the user does not have Admin Privilege?
  6. What is "File Creation Audit Scheduler"?
  7. Even though I click on "Run Now" and collect event logs, reports show "No Data Available" and the Domain Settings page reads "Yet to Fetch event data" / "Troubleshoot". Why?
  8. What does "Last Event Read Time" in ADAudit Plus mean?

Reports

  1. My reports show - "No Data Available". Why?
  2. For Advanced GPO Reports, GPMC should be installed.
  3. The old and new values are not displayed in the 2003 Servers?

1. When I start ADAudit Plus, none of my domains are discovered. It says "No Domain Configuration available". Why?

ADAudit Plus, upon starting, discovers the domains from the DNS Server associated with the machine running the product. If no domain details are available in the DNS Server, it shows this message.


2. When I add my domains manually, the Domain Controllers are not resolved. Why?

This happens when the DNS server associated with the machine running ADAudit Plus does not contain the necessary information. In that case, you need to add the Domain Controllers manually.


3. When I add the Domain Controller, I get an error as "The Servers are not operational". What does it mean?

This error could be due to any of the following reasons:

  1. DCs are down.
  2. Servers not available.
  3. Firewall has been enabled, and port 389 is closed.
  4. The server is busy; try again after some time.
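
The checks behind questions 1 to 3 (DNS-based discovery of Domain Controllers and LDAP reachability on port 389) can be run from the ADAudit Plus machine. This is an added example, not ManageEngine's code; the function name `Test-DcReachability` and the domain `corp.example.com` are placeholders.

```powershell
# Added example: checks DC discovery via DNS and LDAP reachability (TCP 389).
# 'corp.example.com' is a placeholder domain name, not a value from this page.
param([string]$Domain = 'corp.example.com')

function Test-DcReachability {
    param([Parameter(Mandatory)][string]$Domain)

    # Domain Controllers register this SRV record. If the DNS server this
    # machine uses does not hold it, domains and DCs cannot be discovered.
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "No SRV records for ${srvName}: $($_.Exception.Message)"
        return @()
    }

    foreach ($rec in $srv) {
        $dc = $rec.NameTarget
        # A failed TCP connect means the DC is down, unreachable,
        # or a firewall is blocking port 389.
        $tcp = Test-NetConnection -ComputerName $dc -Port 389 `
                                  -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            ResolvedAddress  = $tcp.RemoteAddress
            Ldap389Open      = $tcp.TcpTestSucceeded
        }
    }
}

Test-DcReachability -Domain $Domain | Format-Table -AutoSize
```

An empty result points at DNS (questions 1 and 2); a row with `Ldap389Open` set to `False` points at the causes listed for "The Servers are not operational".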


4. When I add the Domain Controller, I get an error as "Unable to get domain DNS / FLAT name". What does it mean?

This error could be due to any of the following reasons:

  1. When the specified user name or the password is invalid.
  2. Anonymous login (when no user name and password is provided)
  3. When IP Address of the Domain Controller is specified instead of its name.


5. The status column in the domain settings says that the user does not have Admin Privilege?

This is a warning message to indicate that the specified user does not have administrator privileges, i.e., the user is not a member of the Domain Admins group. Hence permissions applicable to an Administrator may not be available to this user.


6. What is "File Creation Audit Scheduler"?

Folders/Files newly created are tracked by ADAudit Plus through a periodic scheduler - "File Creation Audit Scheduler". The File Creation Audit Scheduler of ADAudit Plus creates a snapshot of all Folders/Files available in the configured shares during every run.

Details like who created a file, when and from where are deciphered by comparing the time-stamped event log data and the snapshot available. 


7. Even though I click on "Run Now" and collect event logs, reports show "No Data Available" and the Domain Settings page reads:

  • "Last Event Read Time" column shows - "Yet to Fetch event data" and
  • "Status" column shows - "Troubleshoot"

Why?

  1. Ensure that the required audit policy for the corresponding computers (Servers and Domain Controllers) has been enabled.
  2. Ensure that an optimal size of the Security log in the event viewer is maintained.
  3. There might also be a scenario where ADAudit Plus has swept through the security logs but the desired audit events were not available at the time of the sweep.


8. What does "Last Event Read Time" in ADAudit Plus mean?

The "Last Event Read Time" in ADAudit Plus is the last time that ADAudit Plus contacted the security log of the event viewer and fetched newly logged audit data, i.e., the Last Event Read Time changes only if there is fresh and relevant data complying with the audit policy available in the security logs of the corresponding computers.



Reports

  1. Reports show - "No Data Available". Why?

Possible reasons:

  1. Event collection is yet to happen or needs to be initiated.
  2. "Audit Policy" for the corresponding domain/servers is not configured properly.
  3. Proper / Privileged user credentials were not provided in ADAudit Plus.
  4. Your Domain Controller Security Event log settings and ADAudit Plus event fetch interval.

Troubleshooting steps:

1. Event collection is yet to happen or needs to be initiated.

ADAudit Plus has a default "Event Fetch Interval" at which it collects event log data from the configured Domain Controllers. This is used for the periodic collection of event logs.

You can manually initiate this event log collection by clicking on the "Domain Settings" link at the top right corner of the web console and then clicking on the "Run Now" link found adjacent to each Domain Controller. This will initiate an event fetch from the configured Domain Controller. Now check for data in the reports.

2. Audit Policy for the corresponding domain/servers is not configured properly.

  1. Ensure Audit Policy is properly configured for:
    1. Domain Controllers
    2. File Servers
    3. Member Servers
    4. Workstations.
  2. Sample "Advanced Audit Policy Settings" output in the command prompt after running "auditpol /get /category:*". The highlighted audit policy settings are needed for ADAudit Plus to monitor properly.
Advanced Audit Policy Settings

3. Proper / Privileged user credentials were not provided in ADAudit Plus settings.

Proper privileged user credentials are needed for ADAudit Plus to collect event log data from the configured Domain Controllers. Steps to provide the right user credentials:

    1. Go to "Admin" -> "Domain Settings"
    2. Click on the "Modify Credentials" icon (on hovering over the domain).
    3. Enter a privileged credential.
        ADAudit Plus instantly starts to audit when provided with a 'Domain Admin' account. When users do not want to provide a 'Domain Admin' account, follow the below steps to manually configure the successful working of ADAudit Plus.

4. Your Domain Controller Security Event log settings and ADAudit Plus event Fetch Interval.

If the "Security Event Log size" is set to a smaller value, the "Event Fetch Interval" of ADAudit Plus remains at the default 2 hrs, and "Overwrite events as needed" is enabled in your Domain Controller event log settings, there is a higher probability of event log data getting lost.

To overcome this:

Ensure that the size of the Domain Controller "Security" event log is large enough. (You may set the value of the Security event log to at least a default value of 128 MB.)

Security Log Size and Retention Settings.
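
One way to check the three conditions described above (log size, overwrite mode, and how much history the log holds compared with the 2-hour fetch interval) on a Domain Controller. This is an added example, not ManageEngine's code; the function name `Get-SecurityLogRisk` and the 90% "nearly full" threshold are assumptions.

```powershell
# Added example: run in an elevated session on the Domain Controller itself.
# Defaults mirror the page: 128 MB minimum log size, 2-hour fetch interval.
function Get-SecurityLogRisk {
    param(
        [long]$MinSizeBytes = 128MB,
        [timespan]$FetchInterval = (New-TimeSpan -Hours 2)
    )

    $log = Get-WinEvent -ListLog Security -ErrorAction Stop

    # The oldest record still present shows how far back the log reaches.
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction Stop
    $span   = (Get-Date) - $oldest.TimeCreated

    # A log that is nearly full and set to overwrite is already discarding
    # old events; a recently cleared log is short but not yet wrapping.
    # The 90% threshold is an assumption of this example.
    $nearlyFull = $log.FileSize -ge (0.9 * $log.MaximumSizeInBytes)
    $overwrites = $log.LogMode -eq 'Circular'   # "Overwrite events as needed"

    [pscustomobject]@{
        MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB)
        LogMode          = $log.LogMode
        HoursRetained    = [math]::Round($span.TotalHours, 1)
        SizeBelowMinimum = $log.MaximumSizeInBytes -lt $MinSizeBytes
        EventLossLikely  = $overwrites -and $nearlyFull -and ($span -lt $FetchInterval)
    }
}

Get-SecurityLogRisk | Format-List
```

`EventLossLikely` is true when the log overwrites old events and currently holds less history than one fetch interval, which is the situation in which audit events are gone before ADAudit Plus reads them.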


2. For Advanced GPO Reports, GPMC should be installed.

Installing GPMC in Windows Server 2003

Group Policy Management Console (GPMC) is needed on the computer where ADAudit Plus is installed for successful "Advanced GPO Reports" generation. Please visit this page for download details of GPMC. Also visit the "Known Issues and Limitations" page for further details on this.

Installing GPMC using Server Manager (Windows Server 2008 & 2008 R2)

  • Open Server Manager by clicking Start and then point to Administrative Tools. Click on Server Manager.
  • Click on the Action menu and then click Add Features.
  • Select the Group Policy Management checkbox & click Next.
  • Click Install.
  • Click Close.

Installing GPMC from the Command Line

  • Open command prompt.
  • In the command prompt, type ServerManagercmd -install gpmc
  • Start GPMC from the command prompt by typing start gpmc.msc
  • Close the command prompt.


3. The old and new values are not displayed in the 2003 Servers?

In the 2003 Servers, the Security event logs do not log the Old/New attribute value changes. Thus ADAudit Plus would not be able to report on these changes for servers that run the Windows Server 2003 operating system.


Copyright © 2019, ZOHO Corp. All Rights Reserved.
ManageEngine