Error message in Context Directory Agent, mapping doesn't work correctly.

Martin Ostberg
Beginner

Hey guys!

We've started using the AD Agent a year back or so, and now we've migrated to CDA but we're having some issues.

We have 4 domain controllers and they are configured in CDA and show as OK, so all good there.

But the IP-to-username mapping is not working correctly; only some users get mapped.

And I get this in the log very frequently.

event-text

instance of __InstanceCreationEvent { SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 67, 0, 45, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 53, 0, 49, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 53, 0, 49, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}; TargetInstance = instance of Win32_NTLogEvent { Category = 9; CategoryString = "Account Logon"; ComputerName = "SEGRYDC2"; EventCode = 672; EventIdentifier = 672; EventType = 5; InsertionStrings = {"039s020", "GRYCKSBO.LOCAL", "-", "krbtgt/GRYCKSBO.LOCAL", "-", "0x40810010", "0x6", "-", "-", "192.168.187.213", "", "", ""}; Logfile = "Security"; Message = "Authentication Ticket Request: \n \n\tUser Name:\t\t039s020 \n \n\tSupplied Realm Name:\tGRYCKSBO.LOCAL \n \n\tUser ID:\t\t\t- \n \n\tService Name:\t\tkrbtgt/GRYCKSBO.LOCAL \n \n\tService ID:\t\t- \n \n\tTicket Options:\t\t0x40810010 \n \n\tResult Code:\t\t0x6 \n \n\tTicket Encryption Type:\t- \n \n\tPre-Authentication Type:\t- \n \n\tClient Address:\t\t192.168.187.213 \n \n\tCertificate Issuer Name:\t \n \n\tCertificate Serial Number:\t \n \n\tCertificate Thumbprint:\t \n \n"; RecordNumber = 132903567; SourceName = "Security"; TimeGenerated = "20121106080729.000000+060"; TimeWritten = "20121106080729.000000+060"; Type = "Audit Failure"; User = "NT AUTHORITY\\SYSTEM"; }; TIME_CREATED = "129966592493454297"; };

dc-hostname
segrydc2.grycksbo.local/192.168.187.196

dc-name
segrydc2

event-source
com.cisco.cda.rt.adobserver.adobserver.CurrentEventsThread

event-error
Audit type is not of type 4 (Audit Success)

This message shows on all the DCs at random intervals.

Two of the DCs are 2003 SP2 and the other two are 2008 R2 SP1.

They should be configured for all the requirements, and I doubt I missed something on all of them.

"Active Directory Requirements

Cisco CDA relies on Active Directory login audit events to gather mappings. In order for Cisco CDA to work appropriately, make sure that:

• Ensure that the “Audit Policy” (part of the “Group Policy Management” settings) allows successful logons to generate the necessary events in the Windows Security Log of that AD domain controller machine (this is normally the Windows default setting, but you must explicitly ensure that this setting is correct).

• The Active Directory server administrator account has the following permissions:

– The account must belong to the “Distributed COM Users” Active Directory group.
– The account must have permission to access WMI namespaces (CIMV2 namespace) on the domain controller machine.
– The account must have permission to read the security event log on the domain controller machine.

• Each individual domain controller machine running Windows Server 2008 or Windows Server 2008 R2 have the appropriate Microsoft hotfixes installed.

For domain controller machines running Windows Server 2008, the following two Microsoft hotfixes must be installed:

a. http://support.microsoft.com/kb/958124
This patch fixes a memory leak in Microsoft's WMI, which if left unfixed can prevent the AD Agent from successfully connecting with that domain controller and achieving an “up” status.

b. http://support.microsoft.com/kb/973995
This patch fixes a memory leak in Microsoft's WMI, which if left unfixed can sporadically prevent Active Directory from writing the necessary authentication-related events to the Security Log for that domain controller and would prevent the AD Agent from learning about the mappings corresponding to some of the user logins that authenticate through that domain controller.

For domain controller machines running Windows Server 2008 R2, the following Microsoft hotfix must be installed (unless SP1 is installed):

http://support.microsoft.com/kb/981314
This patch fixes a memory leak in Microsoft's WMI, which if left unfixed can sporadically prevent Active Directory from writing the necessary authentication-related events to the Security Log for that domain controller and would prevent the AD Agent from learning about the mappings corresponding to some of the user logins that authenticate through that domain controller."

Any ideas?

Cheers!
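As an added example (not code from the original post, from Cisco, or from CDA itself), a small Python triage script that parses the event-text record quoted in the post and reports why CDA logs "Audit type is not of type 4 (Audit Success)": the record's EventType is 5 (Audit Failure), and the Kerberos Result Code 0x6 names the reason the DC rejected the ticket request, so the event was never a candidate for a mapping. The EventType names come from Microsoft's Win32_NTLogEvent documentation, the error names from RFC 4120, and the InsertionStrings positions are assumed to follow the Windows 2003 event 672 layout shown in the record's Message text.

```python
import re

# Win32_NTLogEvent.EventType values, as documented by Microsoft.
EVENT_TYPES = {1: "Error", 2: "Warning", 3: "Information",
               4: "Audit Success", 5: "Audit Failure"}

# KDC error codes (RFC 4120) that appear in the "Result Code" field of event 672.
KDC_ERRORS = {0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
              0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
              0x19: "KDC_ERR_PREAUTH_REQUIRED"}

# Assumed InsertionStrings positions for a Windows 2003 event 672 (matches the Message text).
IDX_USER, IDX_REALM, IDX_RESULT, IDX_CLIENT = 0, 1, 6, 9


def parse_ntlog_event(event_text):
    """Extract the fields CDA looks at from a Win32_NTLogEvent dump."""
    fields = {}
    for key in ("EventCode", "EventType"):
        m = re.search(key + r" = (\d+);", event_text)
        if m:
            fields[key] = int(m.group(1))
    m = re.search(r'ComputerName = "([^"]*)"', event_text)
    fields["ComputerName"] = m.group(1) if m else None
    m = re.search(r"InsertionStrings = \{(.*?)\};", event_text, re.S)
    fields["InsertionStrings"] = re.findall(r'"([^"]*)"', m.group(1)) if m else []
    return fields


def triage(fields):
    """Report whether CDA would accept the event (type 4 only) and why the KDC rejected it."""
    etype = fields.get("EventType")
    verdict = {"accepted": etype == 4, "event_type": EVENT_TYPES.get(etype, "unknown"),
               "dc": fields.get("ComputerName")}
    ins = fields.get("InsertionStrings", [])
    if fields.get("EventCode") == 672 and len(ins) > IDX_CLIENT:
        code = int(ins[IDX_RESULT], 16) if ins[IDX_RESULT].startswith("0x") else None
        verdict.update(user=ins[IDX_USER], realm=ins[IDX_REALM], client=ins[IDX_CLIENT],
                       result_code=ins[IDX_RESULT], result_name=KDC_ERRORS.get(code, "unknown"))
    return verdict


# Constructed sample: the Win32_NTLogEvent part of the record quoted in the post, trimmed.
SAMPLE = ('instance of Win32_NTLogEvent { Category = 9; CategoryString = "Account Logon"; '
          'ComputerName = "SEGRYDC2"; EventCode = 672; EventIdentifier = 672; EventType = 5; '
          'InsertionStrings = {"039s020", "GRYCKSBO.LOCAL", "-", "krbtgt/GRYCKSBO.LOCAL", "-", '
          '"0x40810010", "0x6", "-", "-", "192.168.187.213", "", "", ""}; Logfile = "Security"; '
          'Type = "Audit Failure"; }')

if __name__ == "__main__":
    print(triage(parse_ntlog_event(SAMPLE)))
```

Running it over a day's worth of these event-error entries shows which DCs and clients are producing only failed ticket requests, which is the population CDA can never map regardless of audit policy.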
