topic DSBind Failed in Knowledge Management https://community.splunk.com/t5/Knowledge-Management/DSBind-Failed/m-p/610754#M8975 <P>ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - EvtDC::connectToDC: DsBind failed: (5)</P><P>We have 22 out of 3000+ hosts sending thousands of errors for this and I can't seem to figure out why. My best guess at this point is the forwarders need to be updated.&nbsp; We have a distributed environment with multiple DC's.&nbsp; Any idea if I'm doing something wrong on my end, or do I need to have these forwarders that are causing errors fixed?</P><P>I have things set up as follows:</P><P>All Windows hosts Universal Forwarders - inputs.conf -</P><P>[default]<BR />evt_resolve_ad_obj = 0</P><P>Domain Controller UF inputs -</P><P>[admon://DefaultTargetDC]<BR />targetDc = 'DC02'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />index = msad<BR />monitorSubtree = 1<BR />disabled = 0<BR />baseline = 0<BR />evt_resolve_ad_obj = 1</P><P>[admon://SecondTargetDC]<BR />targetDc = 'DC03'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />index = msad<BR />monitorSubtree = 1<BR />disabled = 1<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://ThirdTargetDC]<BR />targetDc = 'DC01'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://FourthTargetDC]<BR />targetDc = 'DC02'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://FifthTargetDC]<BR />targetDc = 'DC01'<BR />startingNode = LDAP://OU=Computers,DC=adu<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://FifthTargetDC]<BR />targetDc = 'DC01dev'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://SixthTargetDC]<BR />targetDc = 'DC04'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://SeventhTargetDC]<BR />targetDc = 'DC05'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://EighthTargetDC]<BR />targetDc = 'DC06'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://NearestDC]<BR />disabled = 1<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P> Wed, 24 Aug 2022 20:18:27 GMT walsborn 2022-08-24T20:18:27Z DSBind Failed https://community.splunk.com/t5/Knowledge-Management/DSBind-Failed/m-p/610754#M8975 <P>ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - EvtDC::connectToDC: DsBind failed: (5)</P><P>We have 22 out of 3000+ hosts sending thousands of errors for this and I can't seem to figure out why. My best guess at this point is the forwarders need to be updated.&nbsp; We have a distributed environment with multiple DC's.&nbsp; Any idea if I'm doing something wrong on my end, or do I need to have these forwarders that are causing errors fixed?</P><P>I have things set up as follows:</P><P>All Windows hosts Universal Forwarders - inputs.conf -</P><P>[default]<BR />evt_resolve_ad_obj = 0</P><P>Domain Controller UF inputs -</P><P>[admon://DefaultTargetDC]<BR />targetDc = 'DC02'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />index = msad<BR />monitorSubtree = 1<BR />disabled = 0<BR />baseline = 0<BR />evt_resolve_ad_obj = 1</P><P>[admon://SecondTargetDC]<BR />targetDc = 'DC03'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />index = msad<BR />monitorSubtree = 1<BR />disabled = 1<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://ThirdTargetDC]<BR />targetDc = 'DC01'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://FourthTargetDC]<BR />targetDc = 'DC02'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://FifthTargetDC]<BR />targetDc = 'DC01'<BR />startingNode = LDAP://OU=Computers,DC=adu<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://FifthTargetDC]<BR />targetDc = 'DC01dev'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://SixthTargetDC]<BR />targetDc = 'DC04'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://SeventhTargetDC]<BR />targetDc = 'DC05'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://EighthTargetDC]<BR />targetDc = 'DC06'<BR />startingNode = LDAP://OU=Computers,DC=ad<BR />disabled = 1<BR />index = msad<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P><P>[admon://NearestDC]<BR />disabled = 1<BR />baseline = 0<BR />evt_resolve_ad_obj = 0</P> Wed, 24 Aug 2022 20:18:27 GMT https://community.splunk.com/t5/Knowledge-Management/DSBind-Failed/m-p/610754#M8975 walsborn 2022-08-24T20:18:27Z