Troubleshooting Active Directory

Connection Refused Error

This error means the Collector could not open a connection to the domain controller named in the Server field of the event source configuration. Use a routable IP address or a fully qualified hostname in that field. If the server name is correct, work through the following steps.

  1. Confirm the IP address or fully qualified hostname matches a domain controller in your environment (and that DNS on the Collector resolves the name to that domain controller).
  2. Confirm the Collector can route to the domain controller.
  3. Confirm no firewall or routing rules block traffic between the Collector and the domain controller on TCP ports 135, 139 and 445. Port 135 is only the RPC endpoint mapper; the DCOM/WMI session it brokers then moves to a dynamically assigned port (49152-65535 on Windows Vista/Server 2008 and later), so that range must also be reachable from the Collector.
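The three checks above, scripted from the Collector host. This is an added example, not part of the InsightIDR documentation or the Collector itself; the domain name and DC hostname are illustrative, and the "is this really a DC" check relies on the _ldap._tcp.dc._msdcs SRV record that every Active Directory domain publishes, so it needs no AD module or domain membership.

```powershell
# Added example, not from the InsightIDR documentation. Run from the Collector
# host. Assumptions: $Server is the value in the event source's Server field
# and $Domain is the AD DNS domain; both values below are placeholders.
$Server = 'dc01.corp.example.com'
$Domain = 'corp.example.com'

function Test-DcReachability {
    param([string]$Server, [string]$Domain, [int[]]$Ports = @(135, 139, 445))

    # 1. Name resolution, then confirm the name is one of the domain's DCs.
    #    _ldap._tcp.dc._msdcs.<domain> lists every DC as an SRV target.
    $a = Resolve-DnsName -Name $Server -Type A -ErrorAction SilentlyContinue
    if (-not $a) { Write-Warning "$Server does not resolve from this host; use a routable IP or FQDN" }

    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
    if ($dcs -and ($dcs -notcontains $Server)) {
        Write-Warning "$Server is not advertised as a DC for $Domain. Advertised DCs: $($dcs -join ', ')"
    }

    # 2./3. Routing and the listed ports. ICMP is often filtered on DCs, so
    #    judge by the TCP result, not PingSucceeded. 135 is only the endpoint
    #    mapper; the DCOM session then uses a dynamic port in 49152-65535.
    foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $Server -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Server = $Server
            Port   = $p
            Open   = $t.TcpTestSucceeded
            Ping   = $t.PingSucceeded
        }
    }
}

Test-DcReachability -Server $Server -Domain $Domain | Format-Table -AutoSize
```

A closed 135 with a working ping means a firewall, not a routing problem; all three open but the event source still failing points at the dynamic RPC range or at the WMI/DCOM permissions covered later on this page.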

Active Directory Event Source Stopped Logging Without Error

If an Active Directory event source stops sending data to InsightIDR without raising an error on one or more Collectors, check the audit policy applied to your domain controllers.

When configuring Group Policy for Windows logging, note that setting both the regular (legacy) Audit Policy and the Advanced Audit Policy causes unexpected results, because similar settings in the two groups conflict. To ensure the Advanced Audit Policy settings override the legacy Audit Policy settings:

  1. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  2. Enable the override policy, i.e., Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

Advanced Audit Policy Configuration is available on Windows Vista / Server 2008 and later. Use it whenever possible: it splits the nine legacy audit categories into roughly 60 subcategories (the exact count depends on the Windows version), which gives finer control and more visibility. It also unlocks several features including:

  • Honey Files
  • File Integrity Monitoring
  • File Access Activity Monitoring

Note that the Advanced Audit Policy Configuration node (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration) is separate from the legacy Audit Policy node under Security Settings > Local Policies > Audit Policy, and the override setting from step 2 lives in a third place, Local Policies > Security Options.
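A quick way to verify on a domain controller that the override from step 2 is in force and that the subcategories the event source depends on are actually auditing. This is an added example, not part of the InsightIDR documentation: the registry value checked is the one the "Force audit policy subcategory settings..." policy writes, and the list of subcategories is illustrative (adjust it to your own policy).

```powershell
# Added example, not from the InsightIDR documentation. Run in an elevated
# Windows PowerShell session on a domain controller. Assumption: the
# subcategory list below is illustrative, not InsightIDR's required set.

function Get-AuditOverrideState {
    # SCENoApplyLegacyAuditPolicy = 1 is what "Audit: Force audit policy
    # subcategory settings ... to override audit policy category settings" sets.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
    [bool]($v -eq 1)
}

function Get-EffectiveSubcategory {
    param([string]$Name)
    # auditpol prints a header, the category, then "  <Name>      <Setting>".
    $escaped = [regex]::Escape($Name)
    $line = auditpol /get /subcategory:"$Name" 2>&1 |
            ForEach-Object { $_.ToString().Trim() } |
            Where-Object { $_ -match "^$escaped\s{2,}" } |
            Select-Object -First 1
    if (-not $line) { return 'UNKNOWN (auditpol returned nothing; check the subcategory name)' }
    $line -replace "^$escaped\s+", ''
}

if (Get-AuditOverrideState) {
    Write-Host 'Subcategory override ENABLED: advanced settings override the legacy categories.'
} else {
    Write-Warning 'Subcategory override DISABLED: legacy and advanced settings can conflict (see step 2).'
}

# Subcategories a DC needs for logon, account and group visibility (illustrative).
$wanted = 'Logon', 'Logoff', 'Account Lockout', 'Credential Validation',
          'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
          'User Account Management', 'Security Group Management', 'Directory Service Changes'

foreach ($sub in $wanted) {
    $setting = Get-EffectiveSubcategory -Name $sub
    $status  = if ($setting -eq 'No Auditing') { 'MISSING' } else { 'ok' }
    '{0,-36} {1,-22} {2}' -f $sub, $setting, $status
}
```

auditpol shows the effective local policy, which is what the Security log is written from. If a subcategory reads "No Auditing" even though the GPO enables it, the override is usually disabled and a legacy category setting is winning; fix it in the GPO rather than with auditpol /set, since the next Group Policy refresh would otherwise revert the local change.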

Unable to Get Current Time Error

Message not found for errorCode: 0xFFFFFFFF

This means the specified account reached the domain controller, but the WMI call failed: WMI on the DC may be disabled or misconfigured, or the account may lack WMI or DCOM rights. The Collector may instead log the underlying exception code, for example 0x80041003 (WBEM_E_ACCESS_DENIED). In either case, troubleshoot whether WMI access is available to that account.

Test WMI Rights

  1. Run wmimgmt.msc, right-click WMI Control (Local), choose Properties, then open the Security tab.
  2. Expand Root, select CIMV2 and click Security. Confirm the event source account (or a group it belongs to) is granted these rights:
    • Execute Methods
    • Enable Account
    • Remote Enable
  3. If a WMI browsing tool is available, from the collector machine, you should now be able to connect and browse cimv2.
  4. If you do not have a WMI browser, you can skip this testing step and obtain one only if further troubleshooting is needed.

Troubleshoot by Testing DCOM

  1. Run dcomcnfg.exe. Under Component Services, expand Computers, right-click My Computer and choose Properties, then open the COM Security tab. Under Launch and Activation Permissions, click Edit Limits.
  2. Confirm the event source account (or a group it belongs to, for example the built-in Distributed COM Users group) is allowed Remote Launch and Remote Activation.
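The two checks above can be exercised end to end from the Collector host: a remote WMI query over DCOM with the event source credentials fails with a different HRESULT depending on whether DCOM or the WMI namespace rejected the account. This is an added example, not part of the InsightIDR documentation or the Collector's own code. The DC name is a placeholder, reading Win32_OperatingSystem.LocalDateTime is used here as a stand-in for the Collector's own current-time query (an assumption), and the HRESULT meanings listed are the standard WMI/DCOM error codes.

```powershell
# Added example, not from the InsightIDR documentation. Run from the Collector
# host under Windows PowerShell 5.1, where Get-WmiObject talks DCOM like the
# Collector does. Assumptions: the DC name is a placeholder, and
# Win32_OperatingSystem.LocalDateTime stands in for the Collector's time query.

$DomainController = 'dc01.corp.example.com'
$Credential       = Get-Credential -Message 'Event source service account (DOMAIN\user)'

# Standard failure codes on this path and which check above each points to.
$KnownCodes = @{
    '0x80041003' = 'WBEM_E_ACCESS_DENIED: namespace rights on root\cimv2 (Execute Methods, Enable Account, Remote Enable)'
    '0x80070005' = 'E_ACCESSDENIED: DCOM Launch and Activation limits do not allow Remote Launch / Remote Activation'
    '0x800706BA' = 'RPC_S_SERVER_UNAVAILABLE: TCP 135 or the dynamic RPC ports are blocked, or the name does not resolve'
    '0x8004100E' = 'WBEM_E_INVALID_NAMESPACE: root\cimv2 is missing; the WMI repository may be damaged'
}

function Test-DcWmiTime {
    param([string]$ComputerName, [pscredential]$Credential)
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -Namespace 'root\cimv2' `
                            -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        $dcTime = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
        [pscustomobject]@{
            Success     = $true
            DcTime      = $dcTime
            SkewSeconds = [math]::Round(($dcTime - (Get-Date)).TotalSeconds, 1)
            Code        = $null
            Hint        = 'DCOM and WMI namespace permissions are sufficient for this account'
        }
    } catch {
        # HResult is the raw COM/WMI code; X8 prints the negative Int32 as two's complement hex.
        $code = '0x{0:X8}' -f $_.Exception.HResult
        $hint = if ($KnownCodes.ContainsKey($code)) { $KnownCodes[$code] } else { $_.Exception.Message }
        [pscustomobject]@{ Success = $false; DcTime = $null; SkewSeconds = $null; Code = $code; Hint = $hint }
    }
}

$result = Test-DcWmiTime -ComputerName $DomainController -Credential $Credential
$result | Format-List
if (-not $result.Success) {
    Write-Host "Next: on $DomainController check the WMI-Activity log for event 5858 with ResultCode $($result.Code)."
}
```

A DCOM denial (0x80070005) is returned before the namespace is ever consulted, so fixing the Launch and Activation limits first and re-running is the quickest way to tell the two permission layers apart.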

Troubleshoot by Reviewing WMI logs

The WMI logs are extremely useful and detailed. On the domain controller, open Event Viewer and look under Applications and Services Logs > Microsoft > Windows > WMI-Activity (the Operational channel). Failed calls are recorded as event 5858, which includes the ResultCode together with the client machine and user that made the call.

If the Collector keeps reporting that it cannot read the time, or similar errors, it is almost always a WMI permission issue. Matching the Collector logs against the WMI-Activity log on the domain controller usually pinpoints exactly which permission is missing.
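To do that matching on the domain controller side, the 5858 events can be parsed and grouped so the Collector's failing account and result code stand out from the background WMI noise. This is an added example, not part of the InsightIDR documentation; the Collector hostname filter is a placeholder, and the field parsing relies on the "Key = value; Key = value" message format that event 5858 uses.

```powershell
# Added example, not from the InsightIDR documentation. Run on the domain
# controller. Assumption: $CollectorHost is a placeholder for the Collector's
# host name as it appears in the ClientMachine field.

$Log           = 'Microsoft-Windows-WMI-Activity/Operational'
$CollectorHost = 'COLLECTOR01'

function Get-WmiActivityErrors {
    param([string]$LogName, [int]$MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 5858 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # 5858 message body: "Id = ...; ClientMachine = ...; User = ...; Operation = ...; ResultCode = 0x...; ..."
        $f = @{}
        foreach ($pair in ($e.Message -split ';')) {
            if ($pair -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $f[$matches[1]] = $matches[2] }
        }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Client     = $f['ClientMachine']
            User       = $f['User']
            ResultCode = $f['ResultCode']
            Operation  = $f['Operation']
        }
    }
}

$errors = Get-WmiActivityErrors -LogName $Log
if (-not $errors) {
    Write-Host "No 5858 events found. If the channel is disabled, enable it with: wevtutil sl $Log /e:true"
}

# Which result codes, from which clients and accounts, and how often.
$errors | Group-Object ResultCode, Client, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The Collector's own failures, most recent first, with the operation that was denied.
$errors | Where-Object { $_.Client -like "$CollectorHost*" } |
    Select-Object -First 10 Time, User, ResultCode, Operation | Format-List
```

Compare the ResultCode and Operation (for example an ExecQuery against root\cimv2) with the exception code in the Collector log at the same timestamp; a 0x80041003 here against the event source account confirms the namespace rights from the Test WMI Rights steps are what is missing.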