Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1245
Views
5
Helpful
1
Replies

CDA stopped getting mappings after AD patching

Go to solution
captkloss
Level 1
Level 1

‎03-28-2017 03:01 PM

Hello, have anyone experienced this? I have patched AD servers over the weekend and ever since then we have lost all the user/ip mappings. I have went over AD settings for the CDA user, all is in order... we have discovered this by accident, because strangely enough WSA works fine (detects identity transparently) even though TUISTATUS shows no mappings....

3 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tao Yang
Cisco Employee
Cisco Employee

‎03-28-2017 11:21 PM

It is a known issue for now. A recent Microsoft security update has caused issues in several customer environments wherein their domain controllers stop logging these 4768 event IDs.  The offending KBs are listed below:

 

KB4012212 (2008) / KB4012213 (2012)
KB4012215 (2008) / KB4012216 (2012)

As a current workaround, users should be able to uninstall the above mentioned KBs and the 4768 event IDs should resume logging.  As of the date of this initial publication (3/28/2017), we do not yet know of a permanent fix from Microsoft.  There are several threads tracking this issue below:

 

Reddit:

https://www.reddit.com/r/sysadmin/comments/5zs0nc/heads_up_ms_kb4012213_andor_ms_kb4012216_disables/

 

UltimateWindowsSecurity.com:

http://forum.ultimatewindowssecurity.com/Topic7340-276-1.aspx

 

Microsoft TechNet:

https://social.technet.microsoft.com/Forums/systemcenter/en-US/4136ade9-d287-4a42-b5cb-d6042d227e4f/...

View solution in original post

1 Reply 1

Go to solution
Tao Yang
Cisco Employee
Cisco Employee

‎03-28-2017 11:21 PM

It is a known issue for now. A recent Microsoft security update has caused issues in several customer environments wherein their domain controllers stop logging these 4768 event IDs.  The offending KBs are listed below:

 

KB4012212 (2008) / KB4012213 (2012)
KB4012215 (2008) / KB4012216 (2012)

As a current workaround, users should be able to uninstall the above mentioned KBs and the 4768 event IDs should resume logging.  As of the date of this initial publication (3/28/2017), we do not yet know of a permanent fix from Microsoft.  There are several threads tracking this issue below:

 

Reddit:

https://www.reddit.com/r/sysadmin/comments/5zs0nc/heads_up_ms_kb4012213_andor_ms_kb4012216_disables/

 

UltimateWindowsSecurity.com:

http://forum.ultimatewindowssecurity.com/Topic7340-276-1.aspx

 

Microsoft TechNet:

https://social.technet.microsoft.com/Forums/systemcenter/en-US/4136ade9-d287-4a42-b5cb-d6042d227e4f/...

Customers Also Viewed These Support Documents