
AD Monitor (admon) input not working with errors 0x80004005 and 0x20

guarisma
Contributor

Hello,

We're trying to get a UF on a Domain Controller to monitor two different OUs in the AD as follows:

[admon://AdminAccounts]
targetDc = dc01.mydomain.com
startingNode = OU="Administrative Accounts", DC=mydomain, DC=com
index = admon

[admon://ElevatedPrivs]
targetDc = dc01.mydomain.com
startingNode = "OU=Elevated Privileges", DC=mydomain, DC=com
index = admon

The UF is running under a Domain Service Account with full read access to the tree.

We're getting the following errors:

ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::OutputStartEvent: Failed to search attributes of root object: err='0x20'
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdEventCollector::OutputStartEvent: Failed in OutputStartEvent,
ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdEventCollector::InitCollector: LoadContextState failed: (0x80004005)Unspecified error -- attempting to reload server path
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::OutputStartEvent: Failed to search attributes of root object: err='0x20'
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdEventCollector::OutputStartEvent: Failed in OutputStartEvent,
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdEventCollector::InitCollector: LoadContextState failed again with DCName='dc01.mydomain.com': (0x80004005)Unspecified error -- no more retries
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - ADMonitor::init: Failed to initialize Active Directory usn context.
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - ADMonitorThread::launchADMonitor: Failed to initialize ADMonitor='admon://ElevatedPrivs', targedDC='dc01.mydomain.com'
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::OutputStartEvent: Failed to search attributes of root object: err='0x20'
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdEventCollector::OutputStartEvent: Failed in OutputStartEvent,
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdEventCollector::InitCollector: LoadContextState failed: (0x80004005)Unspecified error -- attempting to reload server path
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdQuery::OutputStartEvent: Failed to search attributes of root object: err='0x20'
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdEventCollector::OutputStartEvent: Failed in OutputStartEvent,
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - AdEventCollector::InitCollector: LoadContextState failed again with DCName='dc01.mydomain.com': (0x80004005)Unspecified error -- no more retries
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - ADMonitor::init: Failed to initialize Active Directory usn context.
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"" splunk-admon - ADMonitorThread::launchADMonitor: Failed to initialize ADMonitor='admon://ElevatedPrivs', targedDC='dc01.mydomain.com'

We can't figure out what "(0x80004005)Unspecified error" or err='0x20' actually means.

Are we missing something here?

Is there a problem with having a space (" ") character in the OUs?

Please advise.


wcolgate_splunk
Splunk Employee

Also, the error 0x20 can be decoded here: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/return-values

It means "no such object".


rkantamaneni_sp
Splunk Employee

Hi @guarisma, just a quick question: did you happen to get this working?

Was it just the ElevatedPrivs having problems?

I noticed that in your example you have double quotes around the whole key-value pair instead of just the value:

e.g. "OU=Elevated Privileges" instead of OU="Elevated Privileges".

Not sure if that was a typo, or if that's your issue, just wanted to point it out. If you did get this working, would you be able to share what the issue was?

Thanks!


guarisma
Contributor

Actually, quotation marks are not needed, since the parser looks for a "," between fields.


wcolgate_splunk
Splunk Employee

The docs say "fully qualified":

A fully qualified Lightweight Directory Access Protocol (LDAP) name (for example: "LDAP://OU=Computers,DC=ad,DC=splunk,DC=com") that specifies where in the AD tree that Splunk Enterprise begins its indexing. The software starts there and enumerates down to sub-containers, depending on the configuration of the monitorSubtree setting.

The value of startingNode must be within the scope of the DC you are targeting for Splunk Enterprise to get AD data.

guarisma
Contributor

You're right, but the examples in the documentation ignore the protocol in the URL; we'll give it a try.

Monitor Active Directory - Splunk Documentation

# Use the pri01.eng.ad.splunk.com domain controller to get all AD metadata for
# the Computers OU in this forest. We want schema data for the entire AD tree, not
# just this node.

[admon://DefaultTargetDc]
targetDc = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com

Thanks
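
A stand-alone check for the startingNode values discussed in this thread (an added example, not code from the thread, from Splunk, or from the docs): it rewrites each value into the unquoted, unpadded form that the Splunk docs excerpt uses, lists what it had to change, and names the two error values that appear in the log. The stanza names and DN strings are the ones posted above, the result-code names come from the Microsoft LDAP page linked earlier, and the DN splitting assumes no RDN value contains a quoted or escaped comma (none of the posted values do).

```python
# Constructed from the thread: the two posted startingNode values plus the
# Splunk docs example (with the LDAP:// prefix the docs' prose mentions).
SAMPLE_NODES = {
    "AdminAccounts": 'OU="Administrative Accounts", DC=mydomain, DC=com',
    "ElevatedPrivs": '"OU=Elevated Privileges", DC=mydomain, DC=com',
    "DefaultTargetDc": "LDAP://OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com",
}

# Subset of the LDAP result codes from the Microsoft page linked in the thread.
# 0x80004005 is not an LDAP code at all: it is the COM HRESULT E_FAIL.
LDAP_RESULT_CODES = {
    0x20: "LDAP_NO_SUCH_OBJECT",
    0x22: "LDAP_INVALID_DN_SYNTAX",
    0x32: "LDAP_INSUFFICIENT_RIGHTS",
}

def decode_error(code: int) -> str:
    """Map an error value from the splunk-admon log lines to a readable name."""
    if code == 0x80004005:
        return "E_FAIL (generic COM HRESULT 'Unspecified error'; look at the LDAP error logged just before it)"
    return LDAP_RESULT_CODES.get(code, f"unknown LDAP result code 0x{code:02x}")

def normalize_starting_node(raw: str):
    """Rebuild a startingNode as attr=value pairs joined by bare commas, with no
    quotes or padding (the docs' form). Returns (dn, list of changes made)."""
    issues = []
    value = raw.strip()
    if value.upper().startswith("LDAP://"):   # accept the docs' prefixed form
        value = value[len("LDAP://"):]
    rdns = []
    for part in value.split(","):          # assumes no commas inside values
        if '"' in part:
            issues.append(f"quotes in {part.strip()!r}")
        if part != part.strip():
            issues.append(f"whitespace around {part.strip()!r}")
        cleaned = part.replace('"', "").strip()
        attr, sep, val = cleaned.partition("=")
        if not sep or not attr.strip() or not val.strip():
            raise ValueError(f"not an attribute=value pair: {part!r}")
        rdns.append(f"{attr.strip().upper()}={val.strip()}")
    return ",".join(rdns), issues

if __name__ == "__main__":
    for name, raw in SAMPLE_NODES.items():
        dn, issues = normalize_starting_node(raw)
        print(f"[admon://{name}] startingNode = {dn}   # changes: {issues}")
    print(decode_error(0x20), "|", decode_error(0x80004005))
```

The normalized DN is also the string to hand to your AD tooling to confirm the OU exists on the targeted DC before enabling the input, since 0x20 says the DC could not find the object the startingNode names.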