DSBind Failed

walsborn

ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - EvtDC::connectToDC: DsBind failed: (5)

We have 22 out of 3000+ hosts sending thousands of errors for this and I can't seem to figure out why. My best guess at this point is the forwarders need to be updated. We have a distributed environment with multiple DCs. Any idea if I'm doing something wrong on my end, or do I need to have these forwarders that are causing errors fixed?

I have things set up as follows:

All Windows hosts Universal Forwarders - inputs.conf -

[default]
evt_resolve_ad_obj = 0

Domain Controller UF inputs -

[admon://DefaultTargetDC]
targetDc = 'DC02'
startingNode = LDAP://OU=Computers,DC=ad
index = msad
monitorSubtree = 1
disabled = 0
baseline = 0
evt_resolve_ad_obj = 1

[admon://SecondTargetDC]
targetDc = 'DC03'
startingNode = LDAP://OU=Computers,DC=ad
index = msad
monitorSubtree = 1
disabled = 1
baseline = 0
evt_resolve_ad_obj = 0

[admon://ThirdTargetDC]
targetDc = 'DC01'
startingNode = LDAP://OU=Computers,DC=ad
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0

[admon://FourthTargetDC]
targetDc = 'DC02'
startingNode = LDAP://OU=Computers,DC=ad
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0

[admon://FifthTargetDC]
targetDc = 'DC01'
startingNode = LDAP://OU=Computers,DC=adu
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0

[admon://FifthTargetDC]
targetDc = 'DC01dev'
startingNode = LDAP://OU=Computers,DC=ad
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0

[admon://SixthTargetDC]
targetDc = 'DC04'
startingNode = LDAP://OU=Computers,DC=ad
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0

[admon://SeventhTargetDC]
targetDc = 'DC05'
startingNode = LDAP://OU=Computers,DC=ad
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0

[admon://EighthTargetDC]
targetDc = 'DC06'
startingNode = LDAP://OU=Computers,DC=ad
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0

[admon://NearestDC]
disabled = 1
baseline = 0
evt_resolve_ad_obj = 0
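
A small lint pass over an inputs.conf like the one posted above, as an added example that is not part of the original post and not Splunk tooling. It flags three things visible in the posted stanzas for manual review (a repeated stanza header, values wrapped in quotes, and `evt_resolve_ad_obj = 1` outside a WinEventLog stanza) and does not by itself diagnose the DsBind error. Assumptions: `evt_resolve_ad_obj` is a WinEventLog input setting, and the function names and the sample text (abridged from the post) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: an abridged copy of the stanzas in the post above.
SAMPLE = """\
[default]
evt_resolve_ad_obj = 0

[admon://DefaultTargetDC]
targetDc = 'DC02'
evt_resolve_ad_obj = 1

[admon://FifthTargetDC]
targetDc = 'DC01'

[admon://FifthTargetDC]
targetDc = 'DC01dev'
"""

def parse_stanzas(text):
    """Return [(stanza_name, {key: value})] in file order, duplicates kept."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanzas.append((header.group(1), {}))
        elif "=" in line and stanzas and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[-1][1][key] = value
    return stanzas

def audit(text):
    """Return sorted (stanza, finding) pairs to review by hand."""
    stanzas = parse_stanzas(text)
    counts = Counter(name for name, _ in stanzas)
    findings = {(n, "duplicate stanza header") for n, c in counts.items() if c > 1}
    for name, settings in stanzas:
        for key, value in settings.items():
            if len(value) > 1 and value[0] == value[-1] and value[0] in "'\"":
                findings.add((name, f"{key} is wrapped in quotes: {value}"))
        # Assumption: evt_resolve_ad_obj belongs to WinEventLog inputs only.
        if (settings.get("evt_resolve_ad_obj") == "1" and name != "default"
                and not name.startswith("WinEventLog")):
            findings.add((name, "evt_resolve_ad_obj = 1 outside WinEventLog"))
    return sorted(findings)

if __name__ == "__main__":
    for stanza, finding in audit(SAMPLE):
        print(f"[{stanza}] {finding}")
```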
