General error codes
RPC server unavailable
Cause:
This error occurs when the RPC ports (static port no.135 and dynamic port no. 49152- 65535) are not opened in the firewall.
Solution:
Ensure that the RPC ports (static port no.135 and dynamic port no. 49152- 65535*) are open so that ADAudit Plus can collect Windows logs from the monitored computers.
Follow this port guide to open the RPC ports required for Windows log collection.
* Note: If you are using Windows Firewall you can open dynamic ports (49152-65535) on the monitored computers by enabling the inbound rules listed below.
- Remote Event Log Management (NP-In)
- Remote Event Log Management (RPC)
- Remote Event Log Management (RPC-EPMAP)
To enable the above rules: Open Windows Firewall > Advanced settings > Inbound Rules > Right click on respective rule > Enable Rule.
Troubleshooting:
- Ping the target server by name from the ADAudit Plus server.
- Login to your ADAudit Plus web console.
- Identify the server showing the RPC error from the Available Domain Controllers under Domain Settings or under Configured Server(s) in the File Audit tab or under Configured server(s) in the Server Audit tab.
- Note the flat name of the server as found in ADAudit Plus console as well as its DNS name.
- Open Command Prompt in the ADAudit Plus server and ping the target server by its name as noted from ADAudit Plus console to verify that the name resolves to the correct IP address.
- If the ping to the server is successful, name resolution is not likely to be the cause of the issue.
- If the ping to the server fails, try pinging the server by its DNS name; if successful, append the DNS suffix in the Advanced TCP/IP settings, or add a host record in the DNS server, mapping this name to the server's IP address.
- Try to connect to the target server's Event Viewer from the ADAudit Plus server.
- Open Start on the ADAudit Plus server and search for Event Viewer.
- Right click on Event Viewer and click Run as Administrator. Enter your admin credentials and click OK.
- In the Event Viewer window, right click on Event Viewer (Local) on the top left and select Connect to Another Computer.
- Enter the target server name or IP address in the Another Computer field and click OK.
- If you can connect to the target server, check if you are able to access the shares on the target server, next.
- Try to connect to shares on the target server from the ADAudit Plus server.
- Open File Explorer in the ADAudit Plus server and select Network from the left tree.
- In the Network window, double click on the target computer which contains the shared folder.
- Open the shared folder and double click on the share you want to access.
- Alternatively, you can run the UNC path to the shared folder and access the shares.
Access Denied
Cause:
This error occurs when the user account that runs ADAudit Plus does not have sufficient privileges to access the event logs.
Solutions:
- Provide Domain Admin privilege:
ADAudit Plus requires Domain Admin credentials to instantly audit activities in your Active Directory (AD). Ensure that you login to ADAudit Plus with Domain Admin credentials.
- Set up a service account with minimum privileges:
If you do not want to provide Domain Admin credentials, you need to set up a service account with the least privileges required to audit your AD environment.
- Grant the ADAudit Plus user special privileges to read security logs:
If you have given non-administrators the permission to read event logs, grant the same permissions to the user account that runs ADAudit Plus to access the security logs.
Troubleshooting:
Try to connect to the target server's Event Viewer from the ADAudit Plus server.
- Open Start in the ADAudit Plus server and search for Event Viewer.
- Right click on Event Viewer and click Run as Administrator. Enter credentials of the user account that runs ADAudit Plus.
- In the Event Viewer window, right click on Event Viewer (Local) on the top left and select Connect to Another Computer.
- Enter the target computer name or IP address in the Another Computer field and click OK.
- If you are unable to connect to the target computer, the user account that runs ADAudit Plus does not have sufficient privileges.
Remote Procedure Call Failed
Cause:
This error occurs when the RPC ports (static port no.135 and dynamic port no. 49152- 65535*) are not opened in the firewall or when packets are lost due to unstable Wide Area Network (WAN) link.
Solution:
Ensure that the RPC ports (static port no.135 and dynamic port no. 49152- 65535*) are open so that ADAudit Plus can collect Windows logs from the monitored computers.
Follow this port guide to open the RPC ports required for Windows log collection.
* Note: If you are using Windows Firewall you can open dynamic ports (49152-65535) on the monitored computers by enabling the inbound rules listed below.
- Remote Event Log Management (NP-In)
- Remote Event Log Management (RPC)
- Remote Event Log Management (RPC-EPMAP)
To enable the above rules: Open Windows Firewall > Advanced settings > Inbound Rules > Right click on respective rule > Enable Rule..
Troubleshooting:
- Ping the target server by name from the ADAudit Plus server.
- Login to your ADAudit Plus web console.
- Identify the server showing the RPC error from the Available Domain Controllers under Domain Settings or under Configured Server(s) in the File Audit tab or under Configured server(s) in the Server Audit tab.
- Note the flat name of the target server as found in ADAudit Plus console as well as its DNS name.
- Open Command Prompt in the ADAudit Plus server and ping the target server by its flat name as noted from ADAudit Plus console to verify that the name resolves to the correct IP address.
- If the ping to the server is successful, name resolution is not likely to be the cause of the issue.
- If the ping to the server fails, try pinging the server by its DNS name; if successful, append the DNS suffix in the Advanced TCP/IP settings or add a host record in the DNS server, mapping this name to the server's IP address.
- Try to connect to the target server's Event Viewer from the ADAudit Plus server.
- Open Start in the ADAudit Plus server and search for Event Viewer.
- Right click on Event Viewer and click Run as Administrator. Enter credentials with local admin rights on the remote computer you want to access.
- In the Event Viewer window, right click on Event Viewer (Local) on the top left and select Connect to Another Computer.
- Enter the target computer name or IP address in the Another Computer field and click OK.
- If you can connect to the target server, check if you are able to access the shares on the target server, next.
- Try to connect to shares on the target server from the ADAudit Plus server.
- Open File Explorer in the ADAudit Plus server and select Network from the left tree.
- In the Network window, double click on the target server which contains the shared folder.
- Open the shared folder and double click on the share you want to access.
- Alternatively, you can run the UNC path to the shared folder and access the shares.
Note: If the target server and the ADAP server are connected across a WAN connection, we suggest that you install an agent for smoother data collection.
Network Access Denied
Cause:
This error occurs when the user account that runs ADAudit Plus does not have sufficient privileges to access the event logs.
Solutions:
- Provide Domain Admin privilege:
ADAudit Plus requires Domain Admin credentials to instantly audit activities in your Active Directory (AD). So, ensure that you login to ADAudit Plus with Domain Admin credentials or set up a service account with minimum privileges.
- Set up a service account with minimum privileges:
If you do not want to provide Domain Admin credentials, you need to set up a service account with only the least privileges required to audit your AD environment.
- Follow this service account configuration guide to set-up the service account with minimum privileges required for:
A network adapter hardware error occurred
Cause:
This error occurs when there are any connectivity issues between the ADAudit Plus server and the target computer.
Troubleshooting:
- Try to connect to the target computer's Event Viewer from the ADAudit Plus server.
- Open Start in the ADAudit Plus server and search for Event Viewer.
- Right click on Event Viewer and click Run as Administrator. Enter credentials with local admin rights on the remote computer you want to access.
- In the Event Viewer window, right click on Event Viewer (Local) on the top left and select Connect to Another Computer.
- Enter the target computer name or IP address in the Another Computer field and click OK.
- If you can connect to the target server, check if you are able to access the shares on the target server, next.
- Try to connect to shares on the target computer from the ADAudit Plus server.
- Open File Explorer in the ADAudit Plus server and select Network from the left tree.
- In the Network window, double click on the target computer which contains the shared folder.
- Open the shared folder and double click on the share you want to access.
- Alternatively, you can run the UNC path to the shared folder and access the shares.
The network path was not found
Cause:
This error occurs when the ADAudit Plus server is unable to contact the target computer.
Solution:
Ensure that there are no connectivity issues between the ADAudit Plus server and the target computer.
Troubleshooting:
- Connect to the target computer's Event Viewer from the ADAudit Plus server.
- Open Start in the ADAudit Plus server and search for Event Viewer.
- Right click on Event Viewer and click Run as Administrator. Enter admin credentials and click OK.
- In the Event Viewer window, right click on Event Viewer (Local) on the top left and select Connect to Another Computer.
- Enter the remote computer name or IP address in the Another Computer field and click OK.
- If you are able to connect to the target computer, try connecting to the shares.
- Connect to shares on the target computer by following the steps below:
- Click the File Explorer in the ADAudit Plus server and select Network from the left tree.
- In the Network window, double click on the target computer which contains the shared folder.
- Open the shared folder and double click on the share you want to access. Alternatively, you can run the UNC path to the shared folder and try to access the shares.
The parameter is incorrect
Cause:
This error occurs as a result of events getting overwritten before ADAudit Plus could read them due to insufficient log size. Reading the event logs across Wide Area Network (WAN) connections can also lead to this error.
Solutions:
- Verify whether event log size and retention settings are defined to prevent audit data loss due to events getting overwritten.
- In case you have a large network that operates across WAN connections, deploy a client-side agent for smoother data collection and lower bandwidth utilization.
The handle is invalid
Cause:
This error occurs as a result of events getting overwritten before ADAudit Plus could read them due to insufficient log size. Reading the event logs across Wide Area Network (WAN) connections can also lead to this error.
Solutions:
- Verify whether event log size and retention settings are defined to prevent audit data loss due to events getting overwritten.
- In case you have a large network that operates across WAN connections, deploy a client-side agent for smoother data collection and lower bandwidth utilization.
Not enough memory resources are available to process this command
Cause:
This error occurs if the RAM size is low on the target computer.
Solution:
Ensure that the RAM size on the target computer is sufficient for smooth operation. Also, check the RAM usage.
Reports based error codes
No data available
Cause:
This error occurs when audit policy, or object level auditing, or event log size and retention settings are not configured correctly.
Solutions:
- Verify whether the audit policies are configured on the corresponding servers/domain controllers to ensure that events are logged whenever any activity occurs.
- Check whether object level auditing is configured to ensure that events are logged whenever any Active Directory object-related activity occurs.
- Verify whether event log size and retention settings are defined to prevent audit data loss due to events getting overwritten.
Troubleshooting:
- Check if the report profiles are configured correctly.
- Login to ADAudit Plus > Configuration > Report Profiles.
- Click View/Modify Report Profiles and under each category, verify whether the report profiles are configured correctly.
- Check whether the target server is configured in ADAudit Plus console.
- Login to your ADAudit Plus web console.
- Click Domain Settings on the top right corner, and check if the target server is found under Available Domain Controllers.
- If the target server is not listed under Available Domain Controllers, go to the Server Audit tab and check if the target server is listed under Configured Servers.
- Try to connect to the target server's Event Viewer from the ADAudit Plus server.
- Open Start on the ADAudit Plus server and search for Event Viewer.
- Right click on Event Viewer and click Run as Administrator. Enter your admin credentials and click OK.
- In the Event Viewer window, right click on Event Viewer (Local) on the top left and select Connect to Another Computer.
- Enter the target server name or IP address in the Another Computer field and click OK.
- Once the target server's event viewer is connected, check if events are recorded.
Please install GPMC in the computer where ADAudit Plus is installed. After you install GPMC please Click here
Cause:
ADAudit Plus requires Group Policy Management Console (GPMC) to be installed on the machine in which it is running to generate reports on GPO setting changes.
Solution:
Follow this GPMC installation guide to install GPMC on the server running ADAudit Plus.
User does not have admin privilege
Cause:
This error occurs when the user account that runs ADAudit Plus does not have sufficient privileges to access the event logs.
Solution:
Follow this service account configuration guide to set-up a service account with minimum privileges required to audit your AD environment.
Don't see what you're looking for?
-
Visit our community
Post your questions in the forum.
-
Request additional resources
Send us your requirements.
-
Need implementation assistance?
Try onboarding