ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - EvtDC::connectToDC: DsBind failed: (5)
We have 22 out of 3000+ hosts sending thousands of errors for this and I can't seem to figure out why. My best guess at this point is the forwarders need to be updated. We have a distributed environment with multiple DCs. Any idea if I'm doing something wrong on my end, or do I need to have these forwarders that are causing errors fixed?
I have things set up as follows:
All Windows hosts Universal Forwarders - inputs.conf -
[default]
evt_resolve_ad_obj = 0
Domain Controller UF inputs -
[admon://DefaultTargetDC]
targetDc = 'DC02'
startingNode = LDAP://OU=Computers,DC=ad
index = msad
monitorSubtree = 1
disabled = 0
baseline = 0
evt_resolve_ad_obj = 1
[admon://SecondTargetDC]
targetDc = 'DC03'
startingNode = LDAP://OU=Computers,DC=ad
index = msad
monitorSubtree = 1
disabled = 1
baseline = 0
evt_resolve_ad_obj = 0
[admon://ThirdTargetDC]
targetDc = 'DC01'
startingNode = LDAP://OU=Computers,DC=ad
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0
[admon://FourthTargetDC]
targetDc = 'DC02'
startingNode = LDAP://OU=Computers,DC=ad
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0
[admon://FifthTargetDC]
targetDc = 'DC01'
startingNode = LDAP://OU=Computers,DC=adu
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0
[admon://FifthTargetDC]
targetDc = 'DC01dev'
startingNode = LDAP://OU=Computers,DC=ad
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0
[admon://SixthTargetDC]
targetDc = 'DC04'
startingNode = LDAP://OU=Computers,DC=ad
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0
[admon://SeventhTargetDC]
targetDc = 'DC05'
startingNode = LDAP://OU=Computers,DC=ad
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0
[admon://EighthTargetDC]
targetDc = 'DC06'
startingNode = LDAP://OU=Computers,DC=ad
disabled = 1
index = msad
baseline = 0
evt_resolve_ad_obj = 0
[admon://NearestDC]
disabled = 1
baseline = 0
evt_resolve_ad_obj = 0
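The error is written by splunk-winevtlog.exe, the Windows Event Log input, so a useful check is which WinEventLog stanzas still have evt_resolve_ad_obj enabled once [default] is applied. The following lint is an added example, not part of the original post: it reports that, plus repeated stanza names and evt_resolve_ad_obj set on admon stanzas. Assumptions: it models a single file with "stanza value overrides [default], last duplicate wins", and the `[WinEventLog://Security]` stanza in the sample is hypothetical.

```python
import re

# Constructed sample: stanzas shortened from the post, plus a hypothetical
# [WinEventLog://Security] stanza of the kind an add-on might ship.
SAMPLE = """\
[default]
evt_resolve_ad_obj = 0
[WinEventLog://Security]
evt_resolve_ad_obj = 1
[admon://DefaultTargetDC]
targetDc = 'DC02'
evt_resolve_ad_obj = 1
[admon://FifthTargetDC]
targetDc = 'DC01'
[admon://FifthTargetDC]
targetDc = 'DC01dev'
"""
TRUE = {"1", "true"}

def parse_conf(text):
    """Return (stanzas, duplicate_names); a repeated stanza is merged, last key wins."""
    stanzas, dups, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            if current in stanzas:
                dups.append(current)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas, dups

def audit(text):
    """List findings that bear on which inputs try to bind to a DC."""
    stanzas, dups = parse_conf(text)
    inherited = stanzas.get("default", {}).get("evt_resolve_ad_obj")
    findings = [f"duplicate stanza [{name}]" for name in dups]
    for name, settings in stanzas.items():
        own = settings.get("evt_resolve_ad_obj")
        effective = own if own is not None else inherited  # stanza beats [default]
        if name.startswith("admon://") and own is not None:
            findings.append(f"[{name}] sets evt_resolve_ad_obj (a WinEventLog setting)")
        if name.startswith("WinEventLog://") and str(effective).lower() in TRUE:
            findings.append(f"[{name}] has evt_resolve_ad_obj enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a forwarder the merged view across all apps comes from `splunk btool inputs list --debug`, which also shows the file each value was read from.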