Summary
This article describes common issues between Cayosoft Guardian and domain controllers and how to resolve them.
How to troubleshoot WinRM connectivity issues
In some cases, Cayosoft Guardian cannot connect to a domain controller over WinRM; the collection job then fails with an error message such as the example below.
Retrying the action execution.
Reason: Connecting to remote server SERVERNAME failed with the following error message :
The client cannot connect to the destination specified in the request.
Verify that the service on the destination is running and is accepting requests.
Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM.
If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
For more information, see the about_Remote_Troubleshooting Help topic.
Connectivity tests on a Cayosoft Guardian server
1. With PowerShell, check the network connection from the computer where Cayosoft Guardian is installed.
Test-NetConnection -ComputerName {Domain Controller} -port 5985
2. If the connection test fails, check that the firewall allows WinRM connections. Learn more about ports used by Cayosoft Guardian.
3. To check whether a WinRM connection to the domain controller can be established, run the following command on the computer where Cayosoft Guardian is installed.
Test-WSMan -ComputerName {domain controller} -Credential (Get-Credential) -Authentication default
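The two checks above, combined into one script that runs from the Cayosoft Guardian server against a list of domain controllers and reports which step fails. This is an added example, not code from the Cayosoft article; the domain controller names are placeholders, the port defaults to the 5985 used in step 1, and the credential prompt is assumed to be answered with the account Cayosoft Guardian uses for collection.

```powershell
# Added example (not part of the Cayosoft article). Run on the Cayosoft Guardian
# server. Placeholders: pass your own domain controller names to -DomainController.
param(
    [Parameter(Mandatory)] [string[]] $DomainController,
    [int] $Port = 5985,   # WinRM over HTTP as in step 1; HTTPS uses 5986 and needs -UseSSL on Test-WSMan
    [pscredential] $Credential = (Get-Credential -Message 'Account used by Cayosoft Guardian for collection')
)

foreach ($dc in $DomainController) {
    # Step 1: TCP reachability of the WinRM listener port (firewall / listener problem if this fails).
    $tcp = Test-NetConnection -ComputerName $dc -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        [pscustomobject]@{ DomainController = $dc; Step = 'TCP'; Result = "port $Port unreachable: check firewall rules and the WinRM listener" }
        continue
    }

    # Step 3: WS-Management handshake with the collection account's credentials
    # (authentication, SPN or WinRM configuration problem if this fails while TCP succeeded).
    try {
        $wsman = Test-WSMan -ComputerName $dc -Port $Port -Credential $Credential -Authentication Default -ErrorAction Stop
        [pscustomobject]@{ DomainController = $dc; Step = 'WSMan'; Result = "OK (WinRM stack $($wsman.ProductVersion))" }
    } catch {
        [pscustomobject]@{ DomainController = $dc; Step = 'WSMan'; Result = $_.Exception.Message }
    }
}
```

Save it as a .ps1 file and run it as `.\Test-GuardianWinRm.ps1 -DomainController dc1, dc2` (file name and server names are placeholders). A TCP failure points at the firewall or a missing listener on the domain controller; a WS-Management failure after a successful TCP test points at authentication or WinRM service configuration, which the checks in the next section cover.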
WinRM service checks on a domain controller
1. Check that the service responds by running the command below on the domain controller.
WinRM id
2. If an error is returned, the WinRM service is not running. The error message usually recommends running the following command, which analyzes and configures the WinRM service.
WinRM quickconfig
3. Confirm that the service is running with the command below on the domain controller.
Get-Service "WinRM"
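The domain-controller side checks above, gathered into one function that reports the service state, the configured WinRM listeners and whether the local identity request succeeds. This is an added example, not code from the Cayosoft article; the function name Test-LocalWinRm is an assumption, and the listener enumeration relies on the standard WSMan: provider drive that exists when the WinRM service is running.

```powershell
# Added example (not part of the Cayosoft article). Run in an elevated PowerShell
# session on the domain controller itself.
function Test-LocalWinRm {
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $result = [ordered]@{
        ServiceStatus = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartType     = if ($svc) { $svc.StartType } else { $null }
        IdentityOk    = $false
        IdentityError = $null
        Listeners     = @()
    }

    if ($svc -and $svc.Status -eq 'Running') {
        # Same request "winrm id" sends, issued against the local machine.
        try {
            $null = Test-WSMan -ErrorAction Stop
            $result.IdentityOk = $true
        } catch {
            $result.IdentityError = $_.Exception.Message
        }

        # Listeners configured on this host: transport (HTTP/HTTPS), port and bound address.
        # A Guardian server connecting on 5985 needs an HTTP listener here.
        $result.Listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
            $props = Get-ChildItem $_.PSPath
            [pscustomobject]@{
                Transport = ($props | Where-Object Name -eq 'Transport').Value
                Port      = ($props | Where-Object Name -eq 'Port').Value
                Address   = ($props | Where-Object Name -eq 'Address').Value
            }
        }
    }

    [pscustomobject]$result
}

Test-LocalWinRm
```

If ServiceStatus is not Running or the Listeners list is empty, `WinRM quickconfig` (step 2 above) starts the service, sets it to start automatically, creates an HTTP listener and adds the matching firewall exception; rerun the function afterwards to confirm the listener appears.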
Additional information
In addition to the above-mentioned checks, information about configuring and troubleshooting WinRM can be found in articles offered by Microsoft:
Installation and configuration for Windows Remote Management
How to configure WINRM for HTTPS
Troubleshooting WinRM with PowerShell
How to enable the audit policies required for initiator detection
1. On the domain controller, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the console tree, expand your forest > Domains > your domain, right-click the relevant Default Domain or Domain Controllers Policy (or create your own policy), and then click Edit.
3. Under Computer Configuration, click Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy, then double-click on the relevant policy setting.
The following policies must be enabled for Cayosoft Guardian:
1) Select the Logon/Logoff category and enable Success events for the Audit Account Lockout subcategory.
2) Select the Account Management category and enable Success events for the Audit User Account Management subcategory.
3) Select the Account Management category and enable Success events for the Audit Security Group Management subcategory.
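A way to confirm, on a domain controller, that the three subcategories listed above are actually collecting Success events after the policy has applied. This is an added example, not code from the Cayosoft article; it uses auditpol's CSV report mode (/r) and assumes the standard "Inclusion Setting" column of that report, and the function name Get-AuditSetting is an assumption.

```powershell
# Added example (not part of the Cayosoft article). Run in an elevated PowerShell
# session on a domain controller after the GPO has applied (gpupdate /force).
$required = @(
    @{ Category = 'Logon/Logoff';       Subcategory = 'Account Lockout' },
    @{ Category = 'Account Management'; Subcategory = 'User Account Management' },
    @{ Category = 'Account Management'; Subcategory = 'Security Group Management' }
)

function Get-AuditSetting([string] $Subcategory) {
    # auditpol /r prints a CSV report; the "Inclusion Setting" column holds
    # "Success", "Failure", "Success and Failure" or "No Auditing".
    $csv = auditpol /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv
    ($csv | Where-Object { $_.Subcategory -eq $Subcategory }).'Inclusion Setting'
}

$report = foreach ($r in $required) {
    $setting = Get-AuditSetting $r.Subcategory
    [pscustomobject]@{
        Category    = $r.Category
        Subcategory = $r.Subcategory
        Effective   = $setting
        # Success-only and Success and Failure both satisfy the requirement above.
        Compliant   = $setting -in 'Success', 'Success and Failure'
    }
}

$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'At least one required subcategory is not auditing Success events; check the GPO and run gpupdate /force.'
}
```

auditpol reports the effective setting on that host, so it also catches the case where a different GPO with higher precedence or a local policy overrides the setting you edited in the steps above.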
How to test the LDAP connection with LDP
Use the Microsoft LDP tool to test the connection:
- Download the LDP tool from here.
- Open Connection > Connect.
- Enter either the domain controller's name or its IP address.
- The port number is 389 for the default LDAP port, or 689 for SSL, in which case you must also check the "SSL" checkbox.
- Click OK to establish the connection.
- Once the connection is established, the LDP window shows the connection output.
- Open Connection > Bind.
- Enter a valid domain user name and password.
- Open View > Tree. The whole Active Directory tree should show up.
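The same Connect, Bind and View Tree sequence reproduced in PowerShell with the .NET System.DirectoryServices.Protocols classes, which is useful when LDP is not installed on the Cayosoft Guardian server. This is an added example, not code from the Cayosoft article; the function name Test-LdapBind is an assumption, the server name is a placeholder, and the port is passed in by the caller (plain LDAP by default, or the SSL port from the step above together with -UseSsl).

```powershell
# Added example (not part of the Cayosoft article).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string] $Server,   # placeholder: domain controller name or IP
        [int] $Port = 389,                         # default LDAP port as in the LDP steps
        [switch] $UseSsl,                          # equivalent of the "SSL" checkbox in LDP
        [pscredential] $Credential = (Get-Credential -Message 'Domain user for the bind test')
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        # "Connection > Bind": authenticate with the supplied domain user.
        $conn.Bind($Credential.GetNetworkCredential())

        # "View > Tree": read the root DSE to find the naming context the tree starts from.
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    '', '(objectClass=*)', 'Base', 'defaultNamingContext', 'dnsHostName')
        $root = $conn.SendRequest($req).Entries[0]
        [pscustomobject]@{
            Server = $root.Attributes['dnsHostName'].GetValues([string])[0]
            BaseDN = $root.Attributes['defaultNamingContext'].GetValues([string])[0]
            Ssl    = [bool]$UseSsl
            BindOk = $true
            Error  = $null
        }
    } catch {
        [pscustomobject]@{ Server = $Server; BaseDN = $null; Ssl = [bool]$UseSsl; BindOk = $false; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Usage (server name is a placeholder):
Test-LdapBind -Server dc01.example.local
```

A successful bind returns the domain controller's DNS name and the default naming context (the root of the tree LDP displays); a failure reports the LDAP error text, which distinguishes a network problem (no response on the port) from a credential problem (invalid credentials on bind).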
How to increase the size of the security event log on a domain controller
To prevent audit data loss due to events getting overwritten and to ensure that Cayosoft Guardian collects all necessary data, event log size and retention settings must be configured.
- Open Group Policy Management Console (GPMC).
- Right-click the Default Domain Controllers Policy and click Edit.
- In the Group Policy Management Editor expand Policies under Computer Configuration.
- Expand Windows Settings.
- Expand Security Settings.
- Select Event Log.
- In the right pane, right-click Retention method for security log.
- Open Properties and select Overwrite events as needed.
- Right-click Maximum security log size.
- Define the size recommended by Cayosoft Guardian. Ensure the security event log holds at least 24 hours of data.
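A check to run on a domain controller after the policy applies, reporting the Security log's configured size, retention mode and how many hours of events it currently holds against the 24-hour minimum stated above. This is an added example, not code from the Cayosoft article; the function name Test-SecurityLogRetention is an assumption, and the -RecommendedSizeMB parameter is a placeholder for the size Cayosoft Guardian recommends for your environment.

```powershell
# Added example (not part of the Cayosoft article). Run in an elevated PowerShell
# session on a domain controller.
function Test-SecurityLogRetention {
    param(
        [int]  $MinimumHours      = 24,   # retention the article requires
        [long] $RecommendedSizeMB = 0     # placeholder: set to the size Cayosoft Guardian recommends; 0 skips the size check
    )
    $log    = Get-WinEvent -ListLog Security
    $newest = Get-WinEvent -LogName Security -MaxEvents 1
    $oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
    $hours  = ($newest.TimeCreated - $oldest.TimeCreated).TotalHours

    [pscustomobject]@{
        MaximumSizeMB  = [math]::Round($log.MaximumSizeInBytes / 1MB)
        FileSizeMB     = [math]::Round($log.FileSize / 1MB)
        RecordCount    = $log.RecordCount
        LogMode        = $log.LogMode        # 'Circular' corresponds to "Overwrite events as needed"
        OldestEvent    = $oldest.TimeCreated
        HoursRetained  = [math]::Round($hours, 1)
        # Only meaningful once the log has wrapped at least once: before that, HoursRetained
        # shows how long the host has been logging, not how much the configured size can hold.
        LogHasWrapped  = ($log.FileSize -ge $log.MaximumSizeInBytes * 0.9)
        MeetsRetention = ($hours -ge $MinimumHours)
        MeetsSize      = ($RecommendedSizeMB -le 0 -or $log.MaximumSizeInBytes -ge $RecommendedSizeMB * 1MB)
    }
}

Test-SecurityLogRetention
```

If LogHasWrapped is true and HoursRetained is below 24, events are being overwritten faster than the collection interval can read them and the maximum size in the policy above needs to be raised; if LogMode is not Circular, the retention method has not applied yet (run gpupdate /force and check again).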