security audit failure when working with different domain


We have the PRTG Server installed on a 2008 R2 in one of our domains [Domain A] and it monitors the whole network. When it checks Active Directory Replication Errors on a different domain [Domain B] with the appropriate credentials, the PRTG monitor will report a successful check, but the event viewer on the DC will show a lot of audit failures with Event IDs 4625 & 4776 (The computer attempted to validate the credentials for an account), showing the server's computer account from Domain A trying to access the DC in Domain B.

Apparently the PRTG monitors the DC with a computer account in addition to a user account, which causes the audit failure. Is there a way to make the PRTG not use the server's computer account while monitoring?

audit-failure computer-account different-domain

Created on Feb 7, 2017 7:36:42 AM by  salea (0) 1



5 Replies


Is the sensor running on a remote probe that monitors the other AD?

Created on Feb 8, 2017 11:26:12 AM by  Stephan Linke [Paessler Support]




The sensor is running on a remote probe that is not in the same domain as the AD that I am monitoring; they're not even in the same forest.

Created on Feb 8, 2017 11:31:05 AM by  salea (0) 1




Okay, you'll probably need to copy

C:\Program Files (x86)\PRTG Network Monitor\Sensor System\ADSReplFailuresXML.exe

to

C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML

and create an EXE/Script (Advanced) sensor with the following parameters:

-c=<IP-or-FQDN-of-your-dc> -n=<replication-neighbour> -u=%windowsdomain\%windowsuser -p=%windowspassword

Make sure that the device has the corresponding Windows credentials configured in its settings. Does that do the trick?

Created on Feb 8, 2017 11:44:41 AM by  Stephan Linke [Paessler Support]




I'm sorry, but what does your solution do?

Just to be clear, the sensor works and I receive good results, but when I log on to the DC and look in the event viewer, there are a lot of 'security audit failure' logs from the remote probe, and I want to know how to stop getting these log events.

Created on Feb 8, 2017 11:54:33 AM by  salea (0) 1




This should prevent the sensor from receiving any different credentials and may stop those events from being created. If not, you can exclude certain events from being logged.

Created on Feb 8, 2017 12:13:14 PM by  Stephan Linke [Paessler Support]
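
Added example (not part of the thread and not PRTG code): before excluding events 4625 and 4776 from logging, a DC administrator can check that the failures really come from the probe server's computer account by tallying them per account and source host. The sketch below parses an XML export of the Security log; the host PROBE01, the account svc_prtg and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, fields):
    """Build one minimal <Event> element for the constructed sample below."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample, in the layout of an export made on the DC with:
#   wevtutil qe Security /q:"*[System[(EventID=4625 or EventID=4776)]]" /f:xml /e:Events
SAMPLE = "<Events>" + "".join([
    _event(4776, {"TargetUserName": "PROBE01$", "Workstation": "PROBE01", "Status": "0xc0000064"}),
    _event(4776, {"TargetUserName": "PROBE01$", "Workstation": "PROBE01", "Status": "0xc0000064"}),
    _event(4625, {"TargetUserName": "PROBE01$", "WorkstationName": "PROBE01", "Status": "0xc000006d"}),
    _event(4776, {"TargetUserName": "svc_prtg", "Workstation": "PROBE01", "Status": "0x0"}),
]) + "</Events>"

def summarize_failures(xml_text):
    """Count failed authentications per (event id, account name, source host)."""
    counts = Counter()
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in (4625, 4776):
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        # 4776 is also written for successful validations (Status 0x0); skip those.
        if event_id == 4776 and int(data.get("Status") or "0x0", 16) == 0:
            continue
        # 4625 names the source host "WorkstationName", 4776 names it "Workstation".
        host = data.get("WorkstationName") or data.get("Workstation", "")
        counts[(event_id, data.get("TargetUserName", ""), host)] += 1
    return counts

def machine_account_failures(counts):
    """Keep only entries whose account is a computer account (name ends in '$')."""
    return {key: n for key, n in counts.items() if key[1].endswith("$")}

if __name__ == "__main__":
    for (event_id, account, host), n in sorted(summarize_failures(SAMPLE).items()):
        print(f"{event_id}  {account:<12} from {host:<10} x{n}")
```

If the tally shows failures for accounts other than the probe's computer account, a blanket exclusion of these event IDs would hide them as well.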


