
AD Monitor (admon) input not working with errors 0x80004005 and 0x20

guarisma
Contributor

Hello,

We're trying to get a UF on a Domain Controller to monitor two different OUs in the AD as follows:


[admon://AdminAccounts]
targetDc = dc01.mydomain.com
startingNode = OU="Administrative Accounts", DC=mydomain, DC=com
index = admon

[admon://ElevatedPrivs]
targetDc = dc01.mydomain.com
startingNode = "OU=Elevated Privileges", DC=mydomain, DC=com
index = admon


The UF is running under a Domain Service Account with full read access to the tree.

We're getting the following errors:


ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::OutputStartEvent: Failed to search attributes of root object: err='0x20'
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - AdEventCollector::OutputStartEvent: Failed in OutputStartEvent,
ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - AdEventCollector::InitCollector: LoadContextState failed: (0x80004005)Unspecified error -- attempting to reload server path
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::OutputStartEvent: Failed to search attributes of root object: err='0x20'
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - AdEventCollector::OutputStartEvent: Failed in OutputStartEvent,
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - AdEventCollector::InitCollector: LoadContextState failed again with DCName='dc01.mydomain.com': (0x80004005)Unspecified error -- no more retries
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - ADMonitor::init: Failed to initialize Active Directory usn context.
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - ADMonitorThread::launchADMonitor: Failed to initialize ADMonitor='admon://ElevatedPrivs', targedDC='dc01.mydomain.com'
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::OutputStartEvent: Failed to search attributes of root object: err='0x20'
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - AdEventCollector::OutputStartEvent: Failed in OutputStartEvent,
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - AdEventCollector::InitCollector: LoadContextState failed: (0x80004005)Unspecified error -- attempting to reload server path
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - AdQuery::OutputStartEvent: Failed to search attributes of root object: err='0x20'
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - AdEventCollector::OutputStartEvent: Failed in OutputStartEvent,
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - AdEventCollector::InitCollector: LoadContextState failed again with DCName='dc01.mydomain.com': (0x80004005)Unspecified error -- no more retries
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - ADMonitor::init: Failed to initialize Active Directory usn context.
ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - ADMonitorThread::launchADMonitor: Failed to initialize ADMonitor='admon://ElevatedPrivs', targedDC='dc01.mydomain.com'


We can't figure out what (0x80004005) Unspecified error or err='0x20' actually means.

Are we missing something here?

Is there a problem with having a space (" ") character in the OUs?

Please advise.


wcolgate_splunk
Splunk Employee

Also the error 0x20 can be decoded here:  https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/return-values


It means "no such object" 


rkantamaneni_sp
Splunk Employee

Hi @guarisma, Just a quick question, did you happen to get this working?

Was it just the ElevatedPrivs having problems?

I noticed in your example, you have double quotes around the whole key value pair instead of just the value:

e.g. "OU=Elevated Privileges" instead of OU="Elevated Privileges" .

Not sure if that was a typo, or if that's your issue, just wanted to point it out. If you did get this working, would you be able to share what the issue was?

Thanks!


guarisma
Contributor

Actually quotations are not needed since the parser looks for a "," between fields 


wcolgate_splunk
Splunk Employee

The docs say "fully qualified"


A fully qualified Lightweight Directory Access Protocol (LDAP) name (for example: "LDAP://OU=Computers,DC=ad,DC=splunk,DC=com") that specifies where in the AD tree that Splunk Enterprise begins its indexing. The software starts there and enumerates down to sub-containers, depending on the configuration of the monitorSubtree setting.

The value of startingNode must be within the scope of the DC you are targeting for Splunk Enterprise to get AD data.



guarisma
Contributor

You're right, but the examples in the documentation ignore the protocol in the URL. We'll give it a try.

Monitor Active Directory - Splunk Documentation

# Use the pri01.eng.ad.splunk.com domain controller to get all AD metadata for
# the Computers OU in this forest. We want schema data for the entire AD tree, not
# just this node.

[admon://DefaultTargetDc]
targetDc = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com


Thanks

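The three startingNode forms that appear in this thread (value in quotes, the whole RDN in quotes, and the documentation's LDAP:// form) look similar but do not parse the same way. The script below is an added example written for this page; it is not Splunk's code and does not come from the splunk-admon binary. It parses a startingNode as an RFC 4514 DN string (tolerating the older RFC 2253 double-quoted value style and an LDAP:// prefix), reports which ones are malformed, emits a normalized stanza, and names the two raw codes from the log: 0x20 is the LDAP result code LDAP_NO_SUCH_OBJECT and 0x80004005 is the generic COM HRESULT E_FAIL. It runs offline against DNs constructed from the thread; it cannot tell you whether the OU exists on dc01, which is what a clean 0x20 on a well-formed DN points to.

```python
"""Validate and normalize admon startingNode values before they go into inputs.conf.

Added example for this thread, not Splunk's code. Assumes the RFC 4514 DN string
form; the quoted-value style and the LDAP:// prefix are tolerated and stripped.
"""
import re

# Subset of the LDAP result codes from Microsoft's LDAP return-values table.
LDAP_RESULT_CODES = {
    0x00: "LDAP_SUCCESS",
    0x01: "LDAP_OPERATIONS_ERROR",
    0x20: "LDAP_NO_SUCH_OBJECT",
    0x22: "LDAP_INVALID_DN_SYNTAX",
    0x31: "LDAP_INVALID_CREDENTIALS",
    0x32: "LDAP_INSUFFICIENT_RIGHTS",
}
# 0x80004005 is not an LDAP code; it is the COM HRESULT E_FAIL ("Unspecified error").
HRESULTS = {0x80004005: "E_FAIL (Unspecified error)"}

ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
SPECIALS = ',+"\\<>;'   # characters that must be backslash-escaped inside a value


def explain_code(code):
    """Name a raw hex code from the splunk-admon log lines (LDAP result or HRESULT)."""
    return LDAP_RESULT_CODES.get(code) or HRESULTS.get(code) or f"unknown 0x{code:x}"


def split_unescaped(s, sep=","):
    """Split on sep, ignoring separators that are backslash-escaped or inside quotes."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # keep the escape pair intact for now
            cur.extend(s[i:i + 2]); i += 2; continue
        if c == '"':
            in_quote = not in_quote
        if c == sep and not in_quote:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def unescape_value(v):
    """Undo RFC 4514 escapes: \\X for a special character, \\XX for a hex byte."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            if re.match(r"[0-9A-Fa-f]{2}", v[i + 1:i + 3]):
                out.append(chr(int(v[i + 1:i + 3], 16))); i += 3
            else:
                out.append(v[i + 1]); i += 2
            continue
        out.append(v[i]); i += 1
    return "".join(out)


def escape_value(v):
    """Re-escape a value per RFC 4514 so RDNs can be joined with bare commas."""
    out = []
    for i, c in enumerate(v):
        leading_hash = c == "#" and i == 0
        edge_space = c == " " and i in (0, len(v) - 1)
        out.append("\\" + c if c in SPECIALS or leading_hash or edge_space else c)
    return "".join(out)


def parse_rdn(rdn):
    """Parse 'attr=value'; whitespace around '=' and the RDN is dropped."""
    if "=" not in rdn:
        raise ValueError(f"RDN {rdn!r} has no '='")
    attr, value = (p.strip() for p in rdn.split("=", 1))
    if not ATTR_TYPE.match(attr):
        raise ValueError(f"attribute type {attr!r} is not valid; quotes, if used at all, "
                         "belong around the value, not around the whole RDN")
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]                   # legacy RFC 2253 quoted value
    elif '"' in value:
        raise ValueError(f"unbalanced quote in value {value!r}")
    if not value:
        raise ValueError(f"empty value for {attr}")
    return attr, unescape_value(value)


def check_starting_node(raw):
    """Return {'ok', 'normalized', 'error'} for one startingNode string."""
    s = raw.strip()
    if s[:7].upper() == "LDAP://":            # the docs show this prefix; drop it
        s = s[7:]
    try:
        rdns = [parse_rdn(r) for r in split_unescaped(s)]
    except ValueError as e:
        return {"ok": False, "normalized": None, "error": str(e)}
    normalized = ",".join(f"{a}={escape_value(v)}" for a, v in rdns)
    return {"ok": True, "normalized": normalized, "error": None}


def render_stanza(name, target_dc, starting_node, index="admon"):
    """Emit a normalized [admon://name] stanza, or raise if the DN is malformed."""
    r = check_starting_node(starting_node)
    if not r["ok"]:
        raise ValueError(f"{name}: {r['error']}")
    return (f"[admon://{name}]\ntargetDc = {target_dc}\n"
            f"startingNode = {r['normalized']}\nindex = {index}\n")


if __name__ == "__main__":
    # The three forms seen in this thread (constructed from the posts above).
    for node in ['OU="Administrative Accounts", DC=mydomain, DC=com',
                 '"OU=Elevated Privileges", DC=mydomain, DC=com',
                 "LDAP://OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com"]:
        print(node, "->", check_starting_node(node))
    print("err=0x20 ->", explain_code(0x20), "| 0x80004005 ->", explain_code(0x80004005))
```

Once the DN parses cleanly, the remaining question is whether that object exists on the targeted DC and is readable by the UF's service account, which this script cannot answer. Check it on the host as that account, for example with the ActiveDirectory module's Get-ADObject, passing the normalized DN as -Identity and dc01.mydomain.com as -Server; a not-found result there is the same condition splunk-admon reports as err='0x20'.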